diff options
| author |   Arthur Kiyanovski <akiyano@amazon.com> | 2026-05-08 06:21:21 +0000 |
|---|---|---|
| committer |   Jakub Kicinski <kuba@kernel.org> | 2026-05-10 10:05:50 -0700 |
| commit | e42c755582f0960e684298762f0ab927b3778376 (patch) | |
| tree | 103559262a17cdca03b92fb904f72a891212ebec /include/linux/clk/ssh:/git@git.zx2c4.com | |
| parent | tools/ynl: add missing uapi header deps in Makefile.deps (diff) | |
net: ena: PHC: Fix potential use-after-free in get_timestamp
Move the phc->active check and resp pointer assignment to after
acquiring the spinlock. Previously, phc->active was checked without
holding the lock, and resp was cached from ena_dev->phc.virt_addr
before the lock was acquired.
If ena_com_phc_destroy() runs between the lockless active check and
the lock acquisition, it sets active=false, releases the lock, frees
the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
then read a NULL virt_addr and dereference it.
With both the active check and the pointer read under the lock,
destroy cannot free the memory while get_timestamp is using it.
Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
Cc: stable@vger.kernel.org
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260508062126.7273-1-akiyano@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/linux/clk/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions