Message-ID: <03658d2b-04c8-43f8-a486-33572a2e61df@lunn.ch>
Date: Fri, 27 Jun 2025 09:40:44 +0200
From: Andrew Lunn <andrew@...n.ch>
To: "Peter GJ. Park" <gyujoon.park@...sung.com>
Cc: 'Paolo Abeni' <pabeni@...hat.com>, 'Oliver Neukum' <oneukum@...e.com>,
	'Andrew Lunn' <andrew+netdev@...n.ch>,
	"'David S. Miller'" <davem@...emloft.net>,
	'Eric Dumazet' <edumazet@...gle.com>,
	'Jakub Kicinski' <kuba@...nel.org>, netdev@...r.kernel.org,
	linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net: usb: usbnet: fix use-after-free in race on
 workqueue

On Fri, Jun 27, 2025 at 03:11:55PM +0900, Peter GJ. Park wrote:
> >On 6/25/25 11:33 AM, Peter GJ. Park wrote:
> >> When usbnet_disconnect() queued while usbnet_probe() processing, it 
> >> results to free_netdev before kevent gets to run on workqueue, thus 
> >> workqueue does assign_work() with referencing freed memory address.
> >> 
> >> For graceful disconnect and to prevent use-after-free of netdev 
> >> pointer, the fix adds canceling work and timer those are placed by 
> >> usbnet_probe()
> >> 
> >> Signed-off-by: Peter GJ. Park <gyujoon.park@...sung.com>
> >
> >You should include a suitable fixes tag, and you should have specified the target tree ('net' in this case) in the prefix subject
> Prefix net added to subject, but for fixes tag, by looking at git blame, the last lines of usbnet_disconnect() are based on the initial commit,
> thus I couldn't put the fixes tag for it. Please let me know how I can handle this.

By initial commit, do you mean:

commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (tag: v2.6.12-rc2)
Author: Linus Torvalds <torvalds@...970.osdl.org>
Date:   Sat Apr 16 15:20:36 2005 -0700

    Linux-2.6.12-rc2
    
    Initial git repository build. I'm not bothering with the full history,
    even though we have it. We can create a separate "historical" git
    archive of that later if we want to, and in the meantime it's about
    3.2GB when imported into git - space that would just make the early
    git days unnecessarily complicated, when we don't have a lot of good
    infrastructure for it.
    
    Let it rip!

Then use that as the Fixes: tag. The Fixes: tag is a guide to
developers who do the backport. Nobody is going to backport this to
2.6.12, but it does make it clear that LTS 5.4.294 could get this
patch.

	Andrew
