ACK/Cmnt: [SRU][Jammy][PATCH 00/11] CVE-2023-6039

Yuxuan Luo yuxuan.luo at canonical.com
Tue Nov 21 16:27:05 UTC 2023


On 11/21/23 03:54, Stefan Bader wrote:
> On 18.11.23 00:52, Yuxuan Luo wrote:
>> [Impact]
>> A use-after-free flaw was found in lan78xx_disconnect in
>> drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
>> in the Linux Kernel. This flaw allows a local attacker to crash the
>> system when the LAN78XX USB device detaches.
>>
>> [Backport]
>> The fix commit has a conflict at the netif_napi_del(&dev->napi); line,
>> which can be ignored since this API (introduced at ec4c7e12396b
>> (“lan78xx: Introduce NAPI polling support”)) is irrelevant to this fix.
>>
>> It also depends on a kernel clock function, timer_shutdown_sync(). Since
>> this function might be used widely in the future given it is under
>> include/linux directory, backporting the new kernel function is
>> preferred over expanding it.
>>
>> Additionally, there were some namespace conflicts when building armhf
>> and arm64 kernels, three commits authored by Steven Rostedt are needed
>> to address the issue.
>>
>> [Test]
>> Compile and boot tested.
>>
>> [Potential Regression]
>> It is not an easy task to assess the regression potential as 9 more
>> out-of-scope patches are introduced, proceed with caution.
>>
>> Duoming Zhou (1):
>>    net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
>>
>> Steven Rostedt (Google) (3):
>>    clocksource/drivers/arm_arch_timer: Do not use timer namespace for
>>      timer_shutdown() function
>>    clocksource/drivers/sp804: Do not use timer namespace for
>>      timer_shutdown() function
>>    ARM: spear: Do not use timer namespace for timer_shutdown() function
>>
>> Thomas Gleixner (7):
>>    timers: Use del_timer_sync() even on UP
>>    timers: Update kernel-doc for various functions
>>    timers: Rename del_timer_sync() to timer_delete_sync()
>>    timers: Rename del_timer() to timer_delete()
>>    timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
>>    timers: Add shutdown mechanism to the internal functions
>>    timers: Provide timer_shutdown[_sync]()
>>
>>   arch/arm/mach-spear/time.c           |   8 +-
>>   drivers/clocksource/arm_arch_timer.c |  12 +-
>>   drivers/clocksource/timer-sp804.c    |   6 +-
>>   drivers/net/usb/lan78xx.c            |   7 +-
>>   include/linux/timer.h                |  35 ++-
>>   kernel/time/timer.c                  | 365 ++++++++++++++++++++-------
>>   6 files changed, 318 insertions(+), 115 deletions(-)
>>
>
> The larger change is in comments only. 
Indeed, but since it's backporting a kernel function I would prefer
to cleanly cherry-pick as many as possible, so some documentation commits are
included as well.
> The rest tries from what I understand to avoid visible changes to 
> interfaces. One nitpick maybe: is this really the order from upstream? 
> To me this reads as the new timer_shutdown() is added first and then 
> clashing static functions getting renamed. That would cause issues to 
> bisect. Though probably nothing would bisect into the middle of that 
> sequence.
IIRC, yes, it is the order from upstream.
>
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
>


