ACK/Cmnt: [SRU][Jammy][PATCH 00/11] CVE-2023-6039

Stefan Bader stefan.bader at canonical.com
Tue Nov 21 08:54:07 UTC 2023


On 18.11.23 00:52, Yuxuan Luo wrote:
> [Impact]
> A use-after-free flaw was found in lan78xx_disconnect in
> drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
> in the Linux Kernel. This flaw allows a local attacker to crash the
> system when the LAN78XX USB device detaches.
> 
> [Backport]
> The fix commit has a conflict at the netif_napi_del(&dev->napi); line,
> which can be ignored since this API (introduced at ec4c7e12396b (“lan78xx:
> Introduce NAPI polling support”)) is irrelevant to this fix.
> 
> It also depends on a kernel clock function, timer_shutdown_sync(). Since
> this function might be used widely in the future given it is under
> include/linux directory, backporting the new kernel function is
> preferred over expanding it.
> 
> Additionally, there were some namespace conflicts when building armhf
> and arm64 kernels; three commits authored by Steven Rostedt are needed
> to address the issue.
> 
> [Test]
> Compile and boot tested.
> 
> [Potential Regression]
> It is not an easy task to assess the regression potential as 9 more
> out-of-scope patches are introduced; proceed with caution.
> 
> Duoming Zhou (1):
>    net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
> 
> Steven Rostedt (Google) (3):
>    clocksource/drivers/arm_arch_timer: Do not use timer namespace for
>      timer_shutdown() function
>    clocksource/drivers/sp804: Do not use timer namespace for
>      timer_shutdown() function
>    ARM: spear: Do not use timer namespace for timer_shutdown() function
> 
> Thomas Gleixner (7):
>    timers: Use del_timer_sync() even on UP
>    timers: Update kernel-doc for various functions
>    timers: Rename del_timer_sync() to timer_delete_sync()
>    timers: Rename del_timer() to timer_delete()
>    timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
>    timers: Add shutdown mechanism to the internal functions
>    timers: Provide timer_shutdown[_sync]()
> 
>   arch/arm/mach-spear/time.c           |   8 +-
>   drivers/clocksource/arm_arch_timer.c |  12 +-
>   drivers/clocksource/timer-sp804.c    |   6 +-
>   drivers/net/usb/lan78xx.c            |   7 +-
>   include/linux/timer.h                |  35 ++-
>   kernel/time/timer.c                  | 365 ++++++++++++++++++++-------
>   6 files changed, 318 insertions(+), 115 deletions(-)
> 

The larger change is in comments only. The rest tries, from what I
understand, to avoid visible changes to interfaces. One nitpick maybe: is
this really the order from upstream? To me this reads as if the new
timer_shutdown() is added first and then the clashing static functions
get renamed. That would cause issues when bisecting. Though probably
nothing would bisect into the middle of that sequence.

Acked-by: Stefan Bader <stefan.bader at canonical.com>

-- 
- Stefan
