6.11-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eddie James eajames@linux.ibm.com
[ Upstream commit a0ffa68c70b367358b2672cdab6fa5bc4c40de2c ]
The work function can run after the ncsi device is freed, resulting in use-after-free bugs or kernel panic.
Fixes: 2d283bdd079c ("net/ncsi: Resource management") Signed-off-by: Eddie James eajames@linux.ibm.com Link: https://patch.msgid.link/20240925155523.1017097-1-eajames@linux.ibm.com Signed-off-by: Paolo Abeni pabeni@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/ncsi/ncsi-manage.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c index 5ecf611c88200..5cf55bde366d1 100644 --- a/net/ncsi/ncsi-manage.c +++ b/net/ncsi/ncsi-manage.c @@ -1954,6 +1954,8 @@ void ncsi_unregister_dev(struct ncsi_dev *nd) list_del_rcu(&ndp->node); spin_unlock_irqrestore(&ncsi_dev_lock, flags);
+ disable_work_sync(&ndp->work); + kfree(ndp); } EXPORT_SYMBOL_GPL(ncsi_unregister_dev);