ee3921735a
[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ] This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx(). Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)") Signed-off-by: Chun-Yi Lee <jlee@suse.com> Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
---|---|---|
.. | ||
aoe | ||
drbd | ||
mtip32xx | ||
null_blk | ||
paride | ||
rnbd | ||
rsxx | ||
xen-blkback | ||
zram | ||
amiflop.c | ||
ataflop.c | ||
brd.c | ||
cryptoloop.c | ||
floppy.c | ||
Kconfig | ||
loop.c | ||
loop.h | ||
Makefile | ||
nbd.c | ||
pktcdvd.c | ||
ps3disk.c | ||
ps3vram.c | ||
rbd.c | ||
rbd_types.h | ||
skd_main.c | ||
skd_s1120.h | ||
sunvdc.c | ||
swim.c | ||
swim3.c | ||
swim_asm.S | ||
umem.c | ||
umem.h | ||
virtio_blk.c | ||
xen-blkfront.c | ||
xsysace.c | ||
z2ram.c |