On Tue, Jan 11, 2022 at 10:02:09AM +0800, Ziyang Xuan (William) wrote:
On Mon, Jan 10, 2022 at 09:23:22PM +0800, Ziyang Xuan wrote:
From: Thomas Gleixner <tglx@linutronix.de>
[ commit bf74aa86e111aa3b2fbb25db37e3a3fab71b5b68 upstream ]
Stopping the tx/rx cycle relies on the active state of the tasklet and hrtimer sequentially in bcm_remove_op(); the op object will be freed if they are all inactive. Assume the hrtimer timeout is short: the hrtimer callback has been executed after the tasklet conditional judgment, which must be false after the last round of tasklet_kill() and before the hrtimer_active() condition, so it is false when execution reaches hrtimer_active(). The bug is triggered because the stopping action has ended and the op object will be freed, but the tasklet is scheduled. The resources of the op object will hit a UAF bug.
That is not the changelog text of this commit. Why modify it?
The above statement is the reason why I want to backport the patch to the stable tree. Maybe I could give an extra cover letter to explain the details of the problem, rather than modify the original changelog. Is that right?
This patch switches the timer to HRTIMER_MODE_SOFT, which executes the timer callback in softirq context, and removes the hrtimer_tasklet.
Reported-by: syzbot+652023d5376450cc8516@syzkaller.appspotmail.com
This is the public problem reporter. Do I need to move it to the cover letter rather than keep it here?
Cc: stable@vger.kernel.org # 4.19
I want to backport the patch to the linux-4.19.y stable tree. How do I need to modify it?
No need, I can take it like this, thanks.
greg k-h