linux-stable/drivers/greybus
Sicong Huang 5c9c5d7f26 greybus: Fix use-after-free bug in gb_interface_release due to race condition.
In gb_interface_create, &intf->mode_switch_completion is bound with
gb_interface_mode_switch_work. Then it will be started by
gb_interface_request_mode_switch. Here is the relevant code.
if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
	...
}

If we call gb_interface_release to make cleanup, there may be an
unfinished work. This function will call kfree to free the object
"intf". However, if gb_interface_mode_switch_work is scheduled to
run after kfree, it may cause use-after-free error as
gb_interface_mode_switch_work will use the object "intf".
The possible execution flow that may lead to the issue is as follows:

CPU0                            CPU1

                            |   gb_interface_create
                            |   gb_interface_request_mode_switch
gb_interface_release        |
kfree(intf) (free)          |
                            |   gb_interface_mode_switch_work
                            |   mutex_lock(&intf->mutex) (use)

Fix it by canceling the work before kfree.

Signed-off-by: Sicong Huang <congei42@163.com>
Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-05-04 18:59:41 +02:00
..
arpc.h greybus: Replace zero-length array with flexible-array 2020-05-13 13:59:13 +02:00
bundle.c greybus: constify the struct device_type usage 2024-03-06 14:13:10 +00:00
connection.c greybus: Use alloc_ordered_workqueue() to create ordered workqueues 2023-05-08 13:52:27 -10:00
control.c greybus: constify the struct device_type usage 2024-03-06 14:13:10 +00:00
core.c greybus: move is_gb_* functions out of greybus.h 2024-03-07 21:42:38 +00:00
debugfs.c staging: greybus: move the greybus core to drivers/greybus 2019-08-27 19:03:04 +02:00
es2.c greybus: Remove usage of the deprecated ida_simple_xx() API 2024-03-07 21:41:38 +00:00
gb-beagleplay.c treewide, serdev: change receive_buf() return type to size_t 2024-01-27 18:13:53 -08:00
greybus_trace.h greybus: remove h from printk format specifier 2021-01-05 15:18:23 +01:00
hd.c greybus: Remove usage of the deprecated ida_simple_xx() API 2024-03-07 21:41:38 +00:00
interface.c greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-05-04 18:59:41 +02:00
Kconfig greybus: BeaglePlay driver needs CRC_CCITT 2023-12-04 08:16:50 +01:00
Makefile greybus: Add BeaglePlay Linux Driver 2023-10-27 13:19:04 +02:00
manifest.c staging: greybus: move the greybus core to drivers/greybus 2019-08-27 19:03:04 +02:00
module.c greybus: constify the struct device_type usage 2024-03-06 14:13:10 +00:00
operation.c staging: greybus: move the greybus core to drivers/greybus 2019-08-27 19:03:04 +02:00
svc_watchdog.c staging: greybus: move the greybus core to drivers/greybus 2019-08-27 19:03:04 +02:00
svc.c greybus: constify the struct device_type usage 2024-03-06 14:13:10 +00:00