linux/drivers
Duoming Zhou bae8a5d2e7 net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
When the FarSync T-series card is being detached, the fst_card_info is
deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task
may still be running or pending, leading to use-after-free bugs when the
already freed fst_card_info is accessed in fst_process_tx_work_q() or
fst_process_int_work_q().

A typical race condition is depicted below:

CPU 0 (cleanup)           | CPU 1 (tasklet)
                          | fst_start_xmit()
fst_remove_one()          |   tasklet_schedule()
  unregister_hdlc_device()|
                          | fst_process_tx_work_q() //handler
  kfree(card) //free      |   do_bottom_half_tx()
                          |     card-> //use

The following KASAN trace was captured:

==================================================================
 BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00
 Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32
 ...
 Call Trace:
  <IRQ>
  dump_stack_lvl+0x55/0x70
  print_report+0xcb/0x5d0
  ? do_bottom_half_tx+0xb88/0xd00
  kasan_report+0xb8/0xf0
  ? do_bottom_half_tx+0xb88/0xd00
  do_bottom_half_tx+0xb88/0xd00
  ? _raw_spin_lock_irqsave+0x85/0xe0
  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
  ? __pfx___hrtimer_run_queues+0x10/0x10
  fst_process_tx_work_q+0x67/0x90
  tasklet_action_common+0x1fa/0x720
  ? hrtimer_interrupt+0x31f/0x780
  handle_softirqs+0x176/0x530
  __irq_exit_rcu+0xab/0xe0
  sysvec_apic_timer_interrupt+0x70/0x80
 ...

 Allocated by task 41 on cpu 3 at 72.330843s:
  kasan_save_stack+0x24/0x50
  kasan_save_track+0x17/0x60
  __kasan_kmalloc+0x7f/0x90
  fst_add_one+0x1a5/0x1cd0
  local_pci_probe+0xdd/0x190
  pci_device_probe+0x341/0x480
  really_probe+0x1c6/0x6a0
  __driver_probe_device+0x248/0x310
  driver_probe_device+0x48/0x210
  __device_attach_driver+0x160/0x320
  bus_for_each_drv+0x101/0x190
  __device_attach+0x198/0x3a0
  device_initial_probe+0x78/0xa0
  pci_bus_add_device+0x81/0xc0
  pci_bus_add_devices+0x7e/0x190
  enable_slot+0x9b9/0x1130
  acpiphp_check_bridge.part.0+0x2e1/0x460
  acpiphp_hotplug_notify+0x36c/0x3c0
  acpi_device_hotplug+0x203/0xb10
  acpi_hotplug_work_fn+0x59/0x80
 ...

 Freed by task 41 on cpu 1 at 75.138639s:
  kasan_save_stack+0x24/0x50
  kasan_save_track+0x17/0x60
  kasan_save_free_info+0x3b/0x60
  __kasan_slab_free+0x43/0x70
  kfree+0x135/0x410
  fst_remove_one+0x2ca/0x540
  pci_device_remove+0xa6/0x1d0
  device_release_driver_internal+0x364/0x530
  pci_stop_bus_device+0x105/0x150
  pci_stop_and_remove_bus_device+0xd/0x20
  disable_slot+0x116/0x260
  acpiphp_disable_and_eject_slot+0x4b/0x190
  acpiphp_hotplug_notify+0x230/0x3c0
  acpi_device_hotplug+0x203/0xb10
  acpi_hotplug_work_fn+0x59/0x80
 ...

 The buggy address belongs to the object at ffff88800aad1000
  which belongs to the cache kmalloc-1k of size 1024
 The buggy address is located 28 bytes inside of
  freed 1024-byte region
 The buggy address belongs to the physical page:
 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0
 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 flags: 0x100000000000040(head|node=0|zone=1)
 page_type: f5(slab)
 raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000
 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
 head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000
 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
 head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff
 head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 >ffff88800aad1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
  ffff88800aad1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88800aad1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

Fix this by ensuring that both fst_tx_task and fst_int_task are properly
canceled before the fst_card_info is released. Add tasklet_kill() in
fst_remove_one() to synchronize with any pending or running tasklets.
Since unregister_hdlc_device() stops data transmission and reception,
and fst_disable_intr() prevents further interrupts, it is appropriate
to place tasklet_kill() after these calls.

The bugs were identified through static analysis. To reproduce the issue
and validate the fix, a FarSync T-series card was simulated in QEMU and
delays (e.g., mdelay()) were introduced within the tasklet handler to
increase the likelihood of triggering the race condition.

Fixes: 2f623aaf9f ("net: farsync: Fix kmemleak when rmmods farsync")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Jijie Shao <shaojijie@huawei.com>
Link: https://patch.msgid.link/20260219124637.72578-1-duoming@zju.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-02-24 10:31:52 +01:00
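The teardown ordering the commit describes, as an added user-space model that is not the farsync driver's code and not part of the commit: a pthread stands in for the tasklet, the kfree() is replaced by poisoning the object so a stale access can be counted rather than being undefined behaviour, and the mdelay() used to widen the window becomes a usleep(). The names tx_handler, teardown() and the tasklet struct are stand-ins for this model only.

```c
#include <pthread.h>
#include <unistd.h>

/* Constructed user-space model of the race in the commit message, not the
 * farsync driver's code: a pthread stands in for the tasklet, and "kfree()"
 * only poisons the object so a stale access can be counted instead of being
 * undefined behaviour (in the kernel, KASAN is what catches it). */
#define CARD_LIVE  0x4c495645
#define CARD_FREED 0x44454144
struct fst_card_info {
    int magic;           /* CARD_LIVE while allocated, CARD_FREED after "kfree" */
    int uses_after_free; /* handler dereferences that hit the freed object */
};
struct tasklet { pthread_t thr; int scheduled; };
/* fst_process_tx_work_q() -> do_bottom_half_tx(): touches the card after a
 * delay, the mdelay() the commit used to widen the race window. */
static void *tx_handler(void *arg)
{
    struct fst_card_info *card = arg;
    usleep(20000);
    if (card->magic != CARD_LIVE)
        card->uses_after_free++;
    return NULL;
}
static void tasklet_schedule(struct tasklet *t, struct fst_card_info *card)
{
    t->scheduled = 1;
    pthread_create(&t->thr, NULL, tx_handler, card);
}
/* tasklet_kill(): returns only once the tasklet is neither pending nor running. */
static void tasklet_kill(struct tasklet *t)
{
    if (t->scheduled && pthread_join(t->thr, NULL) == 0)
        t->scheduled = 0;
}
/* fst_remove_one() teardown; with_fix adds tasklet_kill() after
 * unregister_hdlc_device()/fst_disable_intr() and before kfree(). */
static int teardown(int with_fix)
{
    struct fst_card_info card = { CARD_LIVE, 0 };
    struct tasklet fst_tx_task = { 0 };

    tasklet_schedule(&fst_tx_task, &card); /* fst_start_xmit() on CPU 1 */
    if (with_fix)
        tasklet_kill(&fst_tx_task);         /* the added call */
    card.magic = CARD_FREED;                /* kfree(card) */
    tasklet_kill(&fst_tx_task);             /* harness only: let the count settle */
    return card.uses_after_free;
}
```

teardown(0) reproduces the pre-fix ordering and records one stale access; teardown(1) places the kill before the free and records none.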
accel Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
accessibility
acpi More ACPI support updates for 7.0-rc1 2026-02-18 14:28:57 -08:00
amba
android Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
ata ATA changes for 6.20 2026-02-12 17:12:43 -08:00
atm Including fixes from Netfilter. 2026-02-19 10:39:08 -08:00
auxdisplay mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
base More power management updates for 7.0-rc1 2026-02-18 14:11:47 -08:00
bcma
block block-7.0-20260216 2026-02-17 08:48:45 -08:00
bluetooth TTY / Serial driver updates for 7.0-rc1 2026-02-17 09:30:52 -08:00
bus Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
cache
cdrom
cdx cdx: Use mutex guard to simplify error handling 2026-02-03 20:58:13 -06:00
char mm.git review status for linus..mm-stable 2026-02-18 20:50:32 -08:00
clk cleanups and fixes 2026-02-16 09:30:44 -08:00
clocksource - A nice cleanup to the paravirt code containing a unification of the paravirt 2026-02-10 19:01:45 -08:00
comedi Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
connector
counter
cpufreq Devicetree updates for v7.0: 2026-02-11 18:27:08 -08:00
cpuidle More power management updates for 7.0-rc1 2026-02-18 14:11:47 -08:00
crypto platform-drivers-x86 for v7.0-1 2026-02-13 15:39:15 -08:00
cxl cxl changes for v7.0 2026-02-12 16:33:05 -08:00
dax mm.git review status for linus..mm-stable 2026-02-18 20:50:32 -08:00
dca
devfreq
dibs
dio
dma dmaengine updates for v7.0 2026-02-17 11:47:17 -08:00
dma-buf VFIO updates for v7.0-rc1 2026-02-12 15:52:39 -08:00
dpll dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for some chip IDs 2026-02-23 17:35:39 -08:00
edac - Remove two drivers for obsolete hardware: i82443bxgx_edac and r82600_edac 2026-02-10 18:14:36 -08:00
eisa
extcon
firewire SCSI misc on 20260212 2026-02-12 15:43:02 -08:00
firmware Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
fpga
fsi
fwctl
gnss
gpib
gpio virtio,vhost,vdpa: features, fixes 2026-02-13 12:02:18 -08:00
gpu mm.git review status for linus..mm-stable 2026-02-18 20:50:32 -08:00
greybus
hid Input updates for v7.0-rc0 2026-02-15 08:24:19 -08:00
hsi
hte
hv drivers: hv: vmbus_drv: Remove reference to hpyerv_fb 2026-02-14 11:07:12 +01:00
hwmon mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
hwspinlock soc: driver updates for 7.0 2026-02-10 20:45:30 -08:00
hwtracing Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
i2c Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
i3c i3c: dw-i3c-master: fix SIR reject bit mapping for dynamic addresses 2026-01-31 00:05:22 +01:00
idle
iio IIO: New device support, features and cleanup for the 6.20/7.0 cycle. 2026-02-02 17:08:30 +01:00
infiniband RDMA v7.0 merge window 2026-02-12 17:05:20 -08:00
input Input updates for v7.0-rc0 2026-02-15 08:24:19 -08:00
interconnect interconnect changes for 6.20 2026-01-30 16:46:45 +01:00
iommu RISC-V updates for v7.0 2026-02-12 19:17:44 -08:00
ipack
irqchip cleanups and fixes 2026-02-16 09:30:44 -08:00
isdn
leds LEDS for v6.20 2026-02-16 11:15:19 -08:00
macintosh
mailbox soc: driver updates for 7.0 2026-02-10 20:45:30 -08:00
mcb
md block-7.0-20260216 2026-02-17 08:48:45 -08:00
media mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
memory
memstick
message
mfd MFD for v6.20 2026-02-16 11:05:44 -08:00
misc Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
mmc cleanups and fixes 2026-02-16 09:30:44 -08:00
most
mtd * MTD 2026-02-13 15:06:58 -08:00
mux mux: mmio: fix regmap leak on probe failure 2026-02-05 17:07:37 +01:00
net net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets 2026-02-24 10:31:52 +01:00
nfc nfc: nxp-nci: remove interrupt trigger type 2026-02-06 20:54:50 -08:00
ntb
nubus
nvdimm nvdimm: virtio_pmem: serialize flush requests 2026-02-04 13:16:40 -06:00
nvme block-7.0-20260216 2026-02-17 08:48:45 -08:00
nvmem Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
of mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
opp
parisc parisc architecture fixes and updates for kernel v7.0-rc1: 2026-02-10 21:42:10 -08:00
parport
pci cxl changes for v7.0 2026-02-12 16:33:05 -08:00
pcmcia
peci
perf perf/arm-cmn: Reject unsupported hardware configurations 2026-02-03 19:43:52 +00:00
phy phy-for-7.0 2026-02-17 11:40:04 -08:00
pinctrl Pin control changes for the v7.0 kernel cycle: 2026-02-16 09:35:24 -08:00
platform USB / Thunderbolt changes for 7.0-rc1 2026-02-17 09:36:43 -08:00
pmdomain pmdomain providers: 2026-02-06 10:10:39 -08:00
pnp
power power supply and reset changes for the 7.0 series 2026-02-12 18:24:37 -08:00
powercap powercap: intel_rapl_tpmi: Remove FW_BUG from invalid version check 2026-02-12 14:49:14 +01:00
pps
ps3
ptp mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
pwm Driver core changes for 7.0-rc1 2026-02-11 17:43:59 -08:00
rapidio rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net() 2026-01-31 16:16:07 -08:00
ras - Remove two drivers for obsolete hardware: i82443bxgx_edac and r82600_edac 2026-02-10 18:14:36 -08:00
regulator MFD for v6.20 2026-02-16 11:05:44 -08:00
remoteproc remoteproc: imx_rproc: Fix invalid loaded resource table detection 2026-02-03 09:23:12 -07:00
resctrl
reset
rpmsg
rtc cleanups and fixes 2026-02-16 09:30:44 -08:00
s390 SCSI misc on 20260212 2026-02-12 15:43:02 -08:00
sbus
scsi virtio,vhost,vdpa: features, fixes 2026-02-13 12:02:18 -08:00
sh
siox
slimbus
soc phy-for-7.0 2026-02-17 11:40:04 -08:00
soundwire soundwire updates for 7.0 2026-02-17 10:07:13 -08:00
spi Char/Misc/IIO driver changes for 7.0-rc1 2026-02-17 09:11:04 -08:00
spmi
ssb
staging Staging driver updates for 7.0-rc1 2026-02-17 09:20:58 -08:00
target SCSI misc on 20260212 2026-02-12 15:43:02 -08:00
tc
tee
thermal Additional thermal control update for 7.0-rc1 2026-02-18 14:33:18 -08:00
thunderbolt USB / Thunderbolt changes for 7.0-rc1 2026-02-17 09:36:43 -08:00
tty TTY / Serial driver updates for 7.0-rc1 2026-02-17 09:30:52 -08:00
ufs SCSI misc on 20260212 2026-02-12 15:43:02 -08:00
uio
usb USB / Thunderbolt changes for 7.0-rc1 2026-02-17 09:36:43 -08:00
vdpa vduse: avoid adding implicit padding 2026-02-09 12:21:32 -05:00
vfio VFIO updates for v7.0-rc1 2026-02-12 15:52:39 -08:00
vhost virtio,vhost,vdpa: features, fixes 2026-02-13 12:02:18 -08:00
video Backlight for v6.20 2026-02-16 11:10:33 -08:00
virt tsm for 7.0 2026-02-15 10:20:37 -08:00
virtio virtio,vhost,vdpa: features, fixes 2026-02-13 12:02:18 -08:00
w1
watchdog linux-watchdog 6.20-rc1 tag 2026-02-16 12:21:22 -08:00
xen - A nice cleanup to the paravirt code containing a unification of the paravirt 2026-02-10 19:01:45 -08:00
zorro
Kconfig
Makefile phy: enter drivers/phy/Makefile even without CONFIG_GENERIC_PHY 2026-02-04 20:45:26 +05:30