Re: [PATCH v0] nfc: nci: add flush_workqueue to prevent uaf

From: patchwork-bot+netdevbpf
Date: Wed Apr 13 2022 - 09:51:04 EST

Next message: patchwork-bot+netdevbpf: "Re: [PATCH net] net: dsa: realtek: don't parse compatible string for RTL8366S"
Previous message: Catalin Marinas: "[PATCH RFC 4/4] arm64: Select ARCH_ENABLE_DENY_WRITE_EXEC"
In reply to: Krzysztof Kozlowski: "Re: [PATCH v0] nfc: nci: add flush_workqueue to prevent uaf"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@xxxxxxxxxxxxx>:

On Wed, 13 Apr 2022 00:04:30 +0800 you wrote:
> Our detector found a concurrent use-after-free bug when detaching an
> NCI device. The main reason for this bug is the unexpected scheduling
> between the used delayed mechanism (timer and workqueue).
>
> The race can be demonstrated below:
>
> Thread-1 Thread-2
> | nci_dev_up()
> | nci_open_device()
> | __nci_request(nci_reset_req)
> | nci_send_cmd
> | queue_work(cmd_work)
> nci_unregister_device() |
> nci_close_device() | ...
> del_timer_sync(cmd_timer)[1] |
> ... | Worker
> nci_free_device() | nci_cmd_work()
> kfree(ndev)[3] | mod_timer(cmd_timer)[2]
>
> [...]

Here is the summary with links:
- [v0] nfc: nci: add flush_workqueue to prevent uaf
https://git.kernel.org/netdev/net/c/ef27324e2cb7

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Next message: patchwork-bot+netdevbpf: "Re: [PATCH net] net: dsa: realtek: don't parse compatible string for RTL8366S"
Previous message: Catalin Marinas: "[PATCH RFC 4/4] arm64: Select ARCH_ENABLE_DENY_WRITE_EXEC"
In reply to: Krzysztof Kozlowski: "Re: [PATCH v0] nfc: nci: add flush_workqueue to prevent uaf"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]