Fixed
Created: Oct 10, 2025
Updated: Oct 22, 2025
Resolved Date: Oct 22, 2025
Found In Version: 10.24.33.1
Fix Version: 10.24.33.13
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()

The original code relies on cancel_delayed_work() in otx2_ptp_destroy(),
which does not ensure that the delayed work item synctstamp_work has fully
completed if it was already running. This leads to use-after-free scenarios
where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work
remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().
Furthermore, as the synctstamp_work is cyclic, the likelihood of triggering
the bug is non-negligible.

A typical race condition is illustrated below:

CPU 0 (cleanup)              | CPU 1 (delayed work callback)
otx2_remove()                |
  otx2_ptp_destroy()         | otx2_sync_tstamp()
    cancel_delayed_work()    |
    kfree(ptp)               |
                             | ptp = container_of(...); //UAF
                             | ptp-> //UAF

This is confirmed by a KASAN report:

BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800aa09a18 by task bash/136
...
Call Trace:
 <IRQ>
 dump_stack_lvl+0x55/0x70
 print_report+0xcf/0x610
 ? __run_timer_base.part.0+0x7d7/0x8c0
 kasan_report+0xb8/0xf0
 ? __run_timer_base.part.0+0x7d7/0x8c0
 __run_timer_base.part.0+0x7d7/0x8c0
 ? __pfx___run_timer_base.part.0+0x10/0x10
 ? __pfx_read_tsc+0x10/0x10
 ? ktime_get+0x60/0x140
 ? lapic_next_event+0x11/0x20
 ? clockevents_program_event+0x1d4/0x2a0
 run_timer_softirq+0xd1/0x190
 handle_softirqs+0x16a/0x550
 irq_exit_rcu+0xaf/0xe0
 sysvec_apic_timer_interrupt+0x70/0x80
 </IRQ>
...
Allocated by task 1:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x7f/0x90
 otx2_ptp_init+0xb1/0x860
 otx2_probe+0x4eb/0xc30
 local_pci_probe+0xdc/0x190
 pci_device_probe+0x2fe/0x470
 really_probe+0x1ca/0x5c0
 __driver_probe_device+0x248/0x310
 driver_probe_device+0x44/0x120
 __driver_attach+0xd2/0x310
 bus_for_each_dev+0xed/0x170
 bus_add_driver+0x208/0x500
 driver_register+0x132/0x460
 do_one_initcall+0x89/0x300
 kernel_init_freeable+0x40d/0x720
 kernel_init+0x1a/0x150
 ret_from_fork+0x10c/0x1a0
 ret_from_fork_asm+0x1a/0x30

Freed by task 136:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x3f/0x50
 kfree+0x137/0x370
 otx2_ptp_destroy+0x38/0x80
 otx2_remove+0x10d/0x4c0
 pci_device_remove+0xa6/0x1d0
 device_release_driver_internal+0xf8/0x210
 pci_stop_bus_device+0x105/0x150
 pci_stop_and_remove_bus_device_locked+0x15/0x30
 remove_store+0xcc/0xe0
 kernfs_fop_write_iter+0x2c3/0x440
 vfs_write+0x871/0xd70
 ksys_write+0xee/0x1c0
 do_syscall_64+0xac/0x280
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled before the otx2_ptp is
deallocated.

This bug was initially identified through static analysis. To reproduce
and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced
artificial delays within the otx2_sync_tstamp() function to increase the
likelihood of triggering the bug.
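The teardown race in the commit message, modelled in user space as an added example (this is not kernel code, nor code from the octeontx2 driver or from Wind River). A pthread stands in for the workqueue, `toy_cancel()` copies the semantics of cancel_delayed_work() (flag the item, return at once), `toy_cancel_sync()` copies cancel_delayed_work_sync() (flag it, then wait for a running callback), and `toy_kfree()` poisons the object the way a KASAN quarantine would so the dangling access is detected rather than crashing. All `toy_*` names, the magic values and the 50 ms delay are constructed for the demonstration; the delay plays the role of the artificial delay the author inserted into otx2_sync_tstamp() to reproduce the bug.

```c
/* Toy model of the cancel_delayed_work() vs cancel_delayed_work_sync() race.
 * User-space pthread simulation; none of the toy_* names are kernel API.
 * Build: cc -std=c11 -pthread toy_race.c */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define LIVE_MAGIC  0x70700001u   /* constructed "object alive" marker */
#define FREED_MAGIC 0xdeadbeefu   /* constructed "object freed" poison */

/* Stand-in for the driver's otx2_ptp object that the callback dereferences. */
struct toy_ptp {
    _Atomic unsigned int magic;
    unsigned long ticks;
};

/* Stand-in for the delayed_work item; the callback is cyclic, like synctstamp_work. */
struct toy_work {
    pthread_t thread;
    struct toy_ptp *ptp;
    atomic_int started;     /* callback has entered and already holds the pointer */
    atomic_int cancelled;   /* set by either cancel variant; stops the re-arm loop */
    atomic_int uaf_seen;    /* callback observed FREED_MAGIC (a real UAF in the kernel) */
    unsigned int cb_delay_us;
};

/* Callback body, like otx2_sync_tstamp(): fetch the owning object, use it, re-arm. */
static void *toy_sync_tstamp(void *arg)
{
    struct toy_work *w = arg;
    struct toy_ptp *ptp = w->ptp;                 /* container_of() in the real driver */
    atomic_store(&w->started, 1);
    do {
        usleep(w->cb_delay_us);                   /* artificial delay, as in the reproduction */
        if (atomic_load(&ptp->magic) != LIVE_MAGIC)
            atomic_store(&w->uaf_seen, 1);        /* the kernel code has no such check */
        else
            ptp->ticks++;
    } while (!atomic_load(&w->cancelled));        /* cyclic work: re-arms until cancelled */
    return NULL;
}

static void toy_schedule(struct toy_work *w, struct toy_ptp *ptp, unsigned int cb_delay_us)
{
    w->ptp = ptp;
    w->cb_delay_us = cb_delay_us;
    atomic_store(&w->started, 0);
    atomic_store(&w->cancelled, 0);
    atomic_store(&w->uaf_seen, 0);
    if (pthread_create(&w->thread, NULL, toy_sync_tstamp, w) != 0) {
        perror("pthread_create");
        exit(1);
    }
}

/* Like cancel_delayed_work(): stop future runs but do NOT wait for a running callback. */
static void toy_cancel(struct toy_work *w) { atomic_store(&w->cancelled, 1); }

/* Like cancel_delayed_work_sync(): stop future runs AND wait for a running callback. */
static void toy_cancel_sync(struct toy_work *w)
{
    atomic_store(&w->cancelled, 1);
    pthread_join(w->thread, NULL);
}

/* Like kfree() under KASAN quarantine: poison instead of really freeing, so the
 * toy callback can report the dangling access instead of reading garbage. */
static void toy_kfree(struct toy_ptp *ptp) { atomic_store(&ptp->magic, FREED_MAGIC); }

/* One run of the teardown from the commit message: schedule, let the callback start,
 * cancel (sync or not), free. Returns 1 if the callback touched the freed object. */
int run_teardown(int use_sync)
{
    struct toy_work w;
    struct toy_ptp *ptp = malloc(sizeof *ptp);
    atomic_store(&ptp->magic, LIVE_MAGIC);
    ptp->ticks = 0;

    toy_schedule(&w, ptp, 50000);                 /* callback sleeps 50 ms before dereferencing */
    while (!atomic_load(&w.started))              /* make sure CPU 1 is already inside the callback */
        usleep(100);

    if (use_sync)
        toy_cancel_sync(&w);                      /* the fix: returns only after the callback is done */
    else
        toy_cancel(&w);                           /* the original code: returns immediately */
    toy_kfree(ptp);                               /* otx2_ptp_destroy() frees right after cancelling */

    if (!use_sync)
        pthread_join(w.thread, NULL);             /* collect the late callback's verdict */
    int uaf = atomic_load(&w.uaf_seen);
    free(ptp);
    return uaf;
}

int main(void)
{
    printf("cancel_delayed_work():      uaf=%d\n", run_teardown(0));
    printf("cancel_delayed_work_sync(): uaf=%d\n", run_teardown(1));
    return 0;
}
```

The two runs differ only in which cancel variant precedes the free: with the asynchronous cancel the callback wakes up after the object is gone and reports the dangling access, with the synchronous cancel the free is postponed until the callback has returned. The same rule applies when auditing any kernel teardown path: a cancel or disable primitive that does not wait (cancel_delayed_work(), del_timer()) must not be immediately followed by freeing the memory the callback reads; the `_sync` variants, or an equivalent wait, are required.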