    aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts · f98364e9
    Chun-Yi Lee authored
    This patch is against CVE-2023-6270. The description of the CVE is:
    
      A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
      kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
      `struct net_device`, and a use-after-free can be triggered by racing
      between the free on the struct and the access through the `skbtxq`
      global queue. This could lead to a denial of service condition or
      potential code execution.
    
    In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
    code is finished. But the net_device ifp will still be used in
    later tx()->dev_queue_xmit() in kthread. Which means that the
    dev_put(ifp) should NOT be called in the success path of skb
    initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
    use-after-free because the net_device is freed.
    
    This patch removed the dev_put(ifp) in the success path in
    aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
    
    Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
    Fixes: 7562f876 ("[NET]: Rework dev_base via list_head (v3)")
    Signed-off-by: Chun-Yi Lee <jlee@suse.com>
    Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
aoecmd.c 35.1 KB
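
The reference-lifetime rule from the commit message, as a user-space C model added here for illustration; it is not code from the patch or from the kernel. The `model_*` names, the `freed` flag standing in for the actual release, and the fixed single-threaded ordering (queue, unregister, then transmit) are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only: names mimic the kernel's but this is not kernel code. */
struct model_netdev { int refcnt; bool freed; };
struct model_skb    { struct model_netdev *dev; };

static void model_dev_hold(struct model_netdev *d) { d->refcnt++; }
static void model_dev_put(struct model_netdev *d)
{
    if (--d->refcnt == 0)
        d->freed = true;          /* the kernel would release the memory here */
}

/* Build one config packet and leave it on the deferred tx queue. */
static void model_cfg_pkt(struct model_netdev *d, struct model_skb *skb, bool fixed)
{
    model_dev_hold(d);            /* reference held while the skb is set up */
    skb->dev = d;                 /* queued skb keeps a pointer to the device */
    if (!fixed)
        model_dev_put(d);         /* pre-patch: dropped on the success path */
}

/* Deferred transmit (the kthread). Returns true if it used a freed device. */
static bool model_tx(struct model_skb *skb, bool fixed)
{
    bool stale = skb->dev->freed; /* stands in for dev_queue_xmit() using ifp */
    if (fixed)
        model_dev_put(skb->dev);  /* post-patch: reference released after xmit */
    return stale;
}

/* Ordering that loses the race: the device goes away before tx runs. */
static bool race_hits_freed_dev(bool fixed)
{
    struct model_netdev dev = { .refcnt = 1, .freed = false }; /* registration ref */
    struct model_skb skb = { NULL };

    model_cfg_pkt(&dev, &skb, fixed);
    model_dev_put(&dev);          /* interface unregistered, last owner ref gone */
    return model_tx(&skb, fixed);
}

int main(void)
{
    printf("pre-patch stale=%d, post-patch stale=%d\n",
           race_hits_freed_dev(false), race_hits_freed_dev(true));
    return 0;
}
```

In the post-patch variant the count still reaches zero after `model_tx()`, so moving the put does not leak the reference.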