Description
In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by inserting a flush_work() call in pm_runtime_remove(). Without this patch blktest block/001 triggers the following complaint sporadically: BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 Workqueue: pm pm_runtime_work Call Trace: <TASK> dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x8b/0x310 print_report+0xfd/0x1d7 kasan_report+0xd8/0x1d0 __kasan_check_byte+0x42/0x60 lock_acquire.part.0+0x38/0x230 lock_acquire+0x70/0x160 _raw_spin_lock+0x36/0x50 rpm_suspend+0xc6a/0xfe0 rpm_idle+0x578/0x770 pm_runtime_work+0xee/0x120 process_one_work+0xde3/0x1410 worker_thread+0x5eb/0xfe0 kthread+0x37b/0x480 ret_from_fork+0x6cb/0x920 ret_from_fork_asm+0x11/0x20 </TASK> Allocated by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_alloc_info+0x3d/0x50 __kasan_kmalloc+0xa0/0xb0 __kmalloc_noprof+0x311/0x990 scsi_alloc_target+0x122/0xb60 [scsi_mod] __scsi_scan_target+0x101/0x460 [scsi_mod] scsi_scan_channel+0x179/0x1c0 [scsi_mod] scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] store_scan+0x2d2/0x390 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810 do_syscall_64+0xee/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_free_info+0x3f/0x50 __kasan_slab_free+0x67/0x80 kfree+0x225/0x6c0 scsi_target_dev_release+0x3d/0x60 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_put+0x7f/0xc0 [scsi_mod] sdev_store_delete+0xa5/0x120 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810
Product status
5e928f77a09a07f9dd595bb8a489965d69a83458 (git) before 20f6e2e22a9c6234113812d5f300d3e952a82721
5e928f77a09a07f9dd595bb8a489965d69a83458 (git) before b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e
5e928f77a09a07f9dd595bb8a489965d69a83458 (git) before 5649b46af8b167259e8a8e4e7eb3667ce74554b5
5e928f77a09a07f9dd595bb8a489965d69a83458 (git) before 39f2d86f2ddde8d1beda05732f30c7cd945e0b5a
5e928f77a09a07f9dd595bb8a489965d69a83458 (git) before c6febaacfb8a0aec7d771a0e6c21cd68102d5679
5e928f77a09a07f9dd595bb8a489965d69a83458 (git) before bb081fd37f8312651140d7429557258afe51693d
5e928f77a09a07f9dd595bb8a489965d69a83458 (git) before cf65a77c0f9531eb6cfb97cc040974d2d8fff043
5e928f77a09a07f9dd595bb8a489965d69a83458 (git) before 29ab768277617452d88c0607c9299cdc63b6e9ff
2.6.32
Any version before 2.6.32
5.10.253 (semver)
5.15.203 (semver)
6.1.167 (semver)
6.6.130 (semver)
6.12.78 (semver)
6.18.20 (semver)
6.19.10 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/20f6e2e22a9c6234113812d5f300d3e952a82721
git.kernel.org/...c/b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e
git.kernel.org/...c/5649b46af8b167259e8a8e4e7eb3667ce74554b5
git.kernel.org/...c/39f2d86f2ddde8d1beda05732f30c7cd945e0b5a
git.kernel.org/...c/c6febaacfb8a0aec7d771a0e6c21cd68102d5679
git.kernel.org/...c/bb081fd37f8312651140d7429557258afe51693d
git.kernel.org/...c/cf65a77c0f9531eb6cfb97cc040974d2d8fff043
git.kernel.org/...c/29ab768277617452d88c0607c9299cdc63b6e9ff