www.infradead.org Git - nvme.git/commit

author	Chun-Yi Lee <jlee@suse.com>
	Tue, 5 Mar 2024 08:20:48 +0000 (16:20 +0800)
committer	Jens Axboe <axboe@kernel.dk>
	Wed, 6 Mar 2024 15:32:46 +0000 (08:32 -0700)
commit	f98364e926626c678fb4b9004b75cacf92ff0662
tree	5c74cb0123a7db87e631d35e05fa05e3682a1a03	tree
parent	b9355185d2aeef11f6e365dd98def82212637936	commit \| diff

aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

This patch is against CVE-2023-6270. The description of cve is:

  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
  `struct net_device`, and a use-after-free can be triggered by racing
  between the free on the struct and the access through the `skbtxq`
  global queue. This could lead to a denial of service condition or
  potential code execution.

In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.

This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().

Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)")
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

drivers/block/aoe/aoecmd.c		diff \| blob \| history
drivers/block/aoe/aoenet.c		diff \| blob \| history