WSL2-Linux-Kernel/drivers/block
Chun-Yi Lee 7dd09fa80b aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ]

This patch is against CVE-2023-6270. The description of cve is:

  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
  `struct net_device`, and a use-after-free can be triggered by racing
  between the free on the struct and the access through the `skbtxq`
  global queue. This could lead to a denial of service condition or
  potential code execution.

In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.

This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().

Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
Fixes: 7562f876cd ("[NET]: Rework dev_base via list_head (v3)")
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-26 18:21:15 -04:00
..
aoe aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts 2024-03-26 18:21:15 -04:00
drbd drbd: correctly submit flush bio on barrier 2023-05-17 11:50:31 +02:00
mtip32xx block: fix surprise removal for drivers calling blk_set_queue_dying 2022-02-23 12:03:15 +01:00
null_blk null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS 2024-01-25 14:52:40 -08:00
paride pcd: fix error codes in pcd_init_unit() 2023-09-19 12:23:04 +02:00
rnbd block/rnbd-srv: Check for unlikely string overflow 2024-02-23 08:54:43 +01:00
rsxx block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
xen-blkback xen-blkback: Advertise feature-persistent as user requested 2022-09-08 12:28:05 +02:00
zram zram: do not lookup algorithm in backends table 2022-08-25 11:40:34 +02:00
Kconfig remove the sx8 block driver 2023-06-14 11:12:59 +02:00
Makefile remove the sx8 block driver 2023-06-14 11:12:59 +02:00
amiflop.c block: drop unused includes in <linux/genhd.h> 2022-03-16 14:23:46 +01:00
ataflop.c block: drop unused includes in <linux/genhd.h> 2022-03-16 14:23:46 +01:00
brd.c brd: mark as nowait compatible 2023-03-17 08:48:51 +01:00
cryptoloop.c cryptoloop: add a deprecation warning 2021-08-27 10:44:54 -06:00
floppy.c floppy: Fix memory leak in do_floppy_init() 2022-12-31 13:14:47 +01:00
loop.c block: rename GENHD_FL_NO_PART_SCAN to GENHD_FL_NO_PART 2023-09-19 12:23:02 +02:00
loop.h loop: reduce the loop_ctl_mutex scope 2021-09-03 22:14:40 -06:00
n64cart.c block: rename GENHD_FL_NO_PART_SCAN to GENHD_FL_NO_PART 2023-09-19 12:23:02 +02:00
nbd.c nbd: null check for nla_nest_start 2024-03-26 18:21:14 -04:00
pktcdvd.c block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
ps3disk.c ps3disk: use memcpy_{from,to}_bvec 2021-08-02 13:37:27 -06:00
ps3vram.c block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
rbd.c rbd: don't move requests to the running list on errors 2024-02-23 08:54:31 +01:00
rbd_types.h
sunvdc.c block: sunvdc: add check for mdesc_grab() returning NULL 2023-03-22 13:31:27 +01:00
swim.c block: drop unused includes in <linux/genhd.h> 2022-03-16 14:23:46 +01:00
swim3.c swim3: use blk_mq_alloc_disk 2021-06-11 11:53:02 -06:00
swim_asm.S
virtio_blk.c virtio-blk: Ensure no requests in virtqueues before deleting vqs. 2024-03-01 13:21:47 +01:00
xen-blkfront.c xen/blkfront: Only check REQ_FUA for writes 2023-06-21 15:59:13 +02:00
z2ram.c for-5.14/drivers-2021-06-29 2021-06-30 12:21:16 -07:00