Commit b53d6e81 authored Nov 12, 2024 by Eddie James Committed by Zhang Changzhong Nov 12, 2024

net/ncsi: Disable the ncsi work before freeing the associated structure

mainline inclusion
from mainline-v6.12-rc2
commit a0ffa68c70b367358b2672cdab6fa5bc4c40de2c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA5
CVE: CVE-2024-49945

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0ffa68c70b367358b2672cdab6fa5bc4c40de2c



--------------------------------

The work function can run after the ncsi device is freed, resulting
in use-after-free bugs or kernel panic.

Fixes: 2d283bdd ("net/ncsi: Resource management")
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://patch.msgid.link/20240925155523.1017097-1-eajames@linux.ibm.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Conflicts:
	net/ncsi/ncsi-manage.c
[commit 86898fa6b8cd ("workqueue: Implement disable/enable for (delayed)
work items") not merged]
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>

parent 0ba9236d

net/ncsi/ncsi-manage.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1949,6 +1949,8 @@ void ncsi_unregister_dev(struct ncsi_dev *nd)
		list_del_rcu(&ndp->node);
		spin_unlock_irqrestore(&ncsi_dev_lock, flags);

		cancel_work_sync(&ndp->work);

		kfree(ndp);
		}
		EXPORT_SYMBOL_GPL(ncsi_unregister_dev);