ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due...

In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev
function, then &sndev->check_link_status_work is bound with
check_link_status_work. switchtec_ntb_link_notification may be called
to start the work.

If we remove the module which will call switchtec_ntb_remove to make
cleanup, it will free sndev through kfree(sndev), while the work
mentioned above will be used. The sequence of operations that may lead
to a UAF bug is as follows:

CPU0                                 CPU1

                        | check_link_status_work
switchtec_ntb_remove    |
kfree(sndev);           |
                        | if (sndev->link_force_down)
                        | // use sndev

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in switchtec_ntb_remove.

Signed-off-by: Kaixin Wang <[email protected]>
Reviewed-by: Logan Gunthorpe <[email protected]>
Signed-off-by: Jon Mason <[email protected]>

diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
index 31946387badf0e1dbdcbe0be71c3077b5abc6dd0..ad1786be2554b34c5abe08f96b8b62dd98012c26 100644 (file)
--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
@@ -1554,6 +1554,7 @@ static void switchtec_ntb_remove(struct device *dev)
        switchtec_ntb_deinit_db_msg_irq(sndev);
        switchtec_ntb_deinit_shared_mw(sndev);
        switchtec_ntb_deinit_crosslink(sndev);
+       cancel_work_sync(&sndev->check_link_status_work);
        kfree(sndev);
        dev_info(dev, "ntb device unregistered\n");
 }