Date: Fri, 4 Feb 2022 07:59:01 +0100
From: Greg Kroah-Hartman
To: Pavel Machek
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+5ca851459ed04c778d1d@syzkaller.appspotmail.com, Ziyang Xuan, Oliver Hartkopp
Subject: Re: [PATCH 4.14 2/2] can: bcm: fix UAF of bcm op
References: <20220127180256.764665162@linuxfoundation.org> <20220127180256.840826051@linuxfoundation.org> <20220203204518.GA18824@duo.ucw.cz>
In-Reply-To: <20220203204518.GA18824@duo.ucw.cz>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 03, 2022 at 09:45:18PM +0100, Pavel Machek wrote:
> Hi!
>
> > From: Ziyang Xuan
> >
> > Stopping tasklet and hrtimer rely on the active state of tasklet and
> > hrtimer sequentially in bcm_remove_op(), the op object will be freed
> > if they are all inactive. Assume the hrtimer timeout is short, the
> > hrtimer cb has been executed after tasklet conditional judgment which
> > must be false after last round tasklet_kill() and before condition
> > hrtimer_active(), it is false when execute to hrtimer_active(). Bug
> > is triggered, because the stopping action is end and the op object
> > will be freed, but the tasklet is scheduled. The resources of the op
> > object will occur UAF bug.
> >
> > Move hrtimer_cancel() behind tasklet_kill() and switch 'while () {...}'
> > to 'do {...} while ()' to fix the op UAF problem.
>
> I don't see this commit in mainline or next kernels. What is going on
> here? Is it one of those "only needed in -stable" things? Or do we
> still need to fix it in the mainline?

Please see the stable list discussion of this commit for other branches,
it should answer your question.

thanks,

greg k-h
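The teardown race that the quoted commit message describes, written out as a deterministic single-threaded C model. This is an added illustration, not the kernel's bcm code and not the patch itself: the hrtimer and tasklet are replaced by flags in `struct op`, the helper names (`tasklet_kill`, `hrtimer_cancel`, `hrtimer_active`, `tasklet_softirq`) are stand-ins with the same contract as their kernel namesakes, the hrtimer callback is assumed to do nothing but schedule the tasklet (no re-arm), and the concurrent expiry is injected at a chosen interleaving point so that both loop orderings can be stepped through. `remove_op_old` mirrors the `while () {...}` ordering with `hrtimer_cancel()` first; `remove_op_fixed` mirrors the `do {...} while ()` ordering with `tasklet_kill()` first.

```c
#include <stdio.h>

/* Interleaving points at which the model lets the hrtimer expire. */
enum point {
    P_NONE = 0,
    P_AFTER_TASKLET_CHECK = 1, /* between the tasklet state checks and hrtimer_active() */
    P_AFTER_TASKLET_KILL = 2,  /* between tasklet_kill() and hrtimer_cancel() (fixed order only) */
};

/* Model of a bcm op (constructed for this example, not the kernel struct). */
struct op {
    int timer_armed;   /* hrtimer is queued */
    int tasklet_sched; /* TASKLET_STATE_SCHED */
    int tasklet_run;   /* TASKLET_STATE_RUN */
    int freed;         /* kfree(op) already happened */
    int uaf;           /* tasklet body touched op after the free */
    int fire_at;       /* interleaving point at which the hrtimer expires */
    int iters;         /* teardown loop body executions */
};

/* hrtimer expiry: the callback only schedules the tasklet (assumed, no re-arm). */
static void timer_fire(struct op *op)
{
    if (!op->timer_armed)
        return;
    op->timer_armed = 0;
    op->tasklet_sched = 1;
}

/* Inject the concurrent expiry at interleaving point p if requested. */
static void maybe_fire(struct op *op, int p)
{
    if (op->fire_at == p)
        timer_fire(op);
}

/* Softirq context: run the tasklet once if it is scheduled. */
static void tasklet_softirq(struct op *op)
{
    if (!op->tasklet_sched)
        return;
    op->tasklet_sched = 0;
    op->tasklet_run = 1;
    if (op->freed)
        op->uaf++; /* the real handler dereferences op here */
    op->tasklet_run = 0;
}

/* tasklet_kill(): wait until the tasklet is neither scheduled nor running. */
static void tasklet_kill(struct op *op)
{
    while (op->tasklet_sched || op->tasklet_run)
        tasklet_softirq(op);
}

static void hrtimer_cancel(struct op *op) { op->timer_armed = 0; }
static int hrtimer_active(const struct op *op) { return op->timer_armed; }

/* Pre-fix order: while (tasklet checks || hrtimer_active()) { cancel; kill; } */
static void remove_op_old(struct op *op)
{
    for (;;) {
        int busy = op->tasklet_sched || op->tasklet_run;
        maybe_fire(op, P_AFTER_TASKLET_CHECK); /* the window the commit message names */
        busy = busy || hrtimer_active(op);
        if (!busy)
            break;
        op->iters++;
        hrtimer_cancel(op);
        tasklet_kill(op);
    }
    op->freed = 1; /* kfree(op) while the tasklet may still be scheduled */
}

/* Fixed order: do { kill; cancel; } while (tasklet checks || hrtimer_active()) */
static void remove_op_fixed(struct op *op)
{
    int busy;
    do {
        op->iters++;
        tasklet_kill(op);
        maybe_fire(op, P_AFTER_TASKLET_KILL);
        hrtimer_cancel(op); /* after this nothing can schedule the tasklet again */
        busy = op->tasklet_sched || op->tasklet_run;
        maybe_fire(op, P_AFTER_TASKLET_CHECK); /* timer already cancelled: no-op */
        busy = busy || hrtimer_active(op);
    } while (busy);
    op->freed = 1;
}

struct result { int uaf; int iters; };

/* Tear down a freshly armed op with the chosen ordering and expiry point,
 * then let the softirq run whatever was left scheduled. */
static struct result teardown(int fixed, int fire_at)
{
    struct op op = {0};
    op.timer_armed = 1;
    op.fire_at = fire_at;
    if (fixed)
        remove_op_fixed(&op);
    else
        remove_op_old(&op);
    tasklet_softirq(&op);
    return (struct result){ op.uaf, op.iters };
}

int main(void)
{
    struct result r = teardown(0, P_AFTER_TASKLET_CHECK);
    printf("old order, expiry in check window:   uaf=%d iters=%d\n", r.uaf, r.iters);
    r = teardown(1, P_AFTER_TASKLET_CHECK);
    printf("fixed order, expiry in check window: uaf=%d iters=%d\n", r.uaf, r.iters);
    r = teardown(1, P_AFTER_TASKLET_KILL);
    printf("fixed order, expiry after kill:      uaf=%d iters=%d\n", r.uaf, r.iters);
    return 0;
}
```

With the old ordering, an expiry between the tasklet checks and `hrtimer_active()` leaves the loop condition false while the tasklet is scheduled, so the op is freed and the later softirq runs on freed memory. With the fixed ordering the same expiry point is harmless because `hrtimer_cancel()` has already disarmed the timer, and an expiry between `tasklet_kill()` and `hrtimer_cancel()` is caught by the post-body check, which simply costs a second iteration.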