From: Alexey Panov
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: Alexey Panov, Alexandre Belloni, linux-i3c@lists.infradead.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Kaixin Wang
Subject: [PATCH 5.10/5.15] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
Date: Fri, 7 Feb 2025 19:56:01 +0300
Message-Id: <20250207165601.30094-1-apanov@astralinux.ru>
From: Kaixin Wang

[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]

In the cdns_i3c_master_probe function, &master->hj_work is bound with
cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
cdns_i3c_master_demux_ibis function to start the work.

If we remove the module which will call cdns_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of
operations that may lead to a UAF bug is as follows:

CPU0                                      CPU1

                                        | cdns_i3c_master_hj
cdns_i3c_master_remove                  |
  i3c_master_unregister(&master->base)  |
    device_unregister(&master->dev)     |
      device_release                    |
      //free master->base               |
                                        | i3c_master_do_daa(&master->base)
                                        | //use master->base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.

Signed-off-by: Kaixin Wang
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni
Signed-off-by: Alexey Panov
---
Backport fix for CVE-2024-50061

 drivers/i3c/master/i3c-master-cdns.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-= master-cdns.c index b9cfda6ae9ae..4473c0b1ae2e 100644 --- a/drivers/i3c/master/i3c-master-cdns.c +++ b/drivers/i3c/master/i3c-master-cdns.c @@ -1668,6 +1668,7 @@ static int cdns_i3c_master_remove(struct platform_dev= ice *pdev) struct cdns_i3c_master *master =3D platform_get_drvdata(pdev); int ret; =20 + cancel_work_sync(&master->hj_work); ret =3D i3c_master_unregister(&master->base); if (ret) return ret; --=20 2.30.2
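Review bot: cancel_work_sync(&master->hj_work) at the top of cdns_i3c_master_remove() only waits for an already-queued or running instance of the work; the changelog itself says cdns_i3c_master_interrupt can queue hj_work again through cdns_i3c_master_demux_ibis, so a hot-join IBI that fires after cancel_work_sync() returns but before i3c_master_unregister() releases master->base reopens the same window. Consider masking the hot-join/IBI interrupt source before the cancel so nothing can requeue the work during teardown, or state in the changelog why that cannot happen on 5.10/5.15. Placing the cancel ahead of i3c_master_unregister() is the correct order, and the hunk applies against the int-returning cdns_i3c_master_remove() shown in the context lines; note that the quoted-printable residue (=3D, =20, soft line breaks) in the diff text comes from the mail transport and is not part of the patch.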