A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The `aoecmd_cfg_pkts()` function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue.

ZDI security advisory (possibly yet to be published): https://www.zerodayinitiative.com/advisories/ZDI-CAN-22236/
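A simplified user-space model of the reference-counting pattern described in the report above, added here as an illustration; it is not kernel code and does not come from the advisory. It assumes the flaw is a reference released while a queued packet still points at the device, and `struct dev`, `queue_pkt`, `drain` and `run_scenario` are hypothetical names.

```c
#include <stdio.h>
#include <stdbool.h>
/* Hypothetical stand-ins for struct net_device, an skb and the global tx queue. */
struct dev { int refcnt; bool freed; };
struct pkt { struct dev *dev; };
static struct pkt txq[8];
static int txq_len;

static void hold(struct dev *d) { d->refcnt++; }
/* The free is modelled as a flag so the demo itself never touches freed memory. */
static void put(struct dev *d) { if (--d->refcnt == 0) d->freed = true; }

/* Producer: queue one packet that points at d. */
static void queue_pkt(struct dev *d, bool keep_ref_for_consumer)
{
    hold(d);
    txq[txq_len++].dev = d;
    if (!keep_ref_for_consumer)
        put(d);                 /* weak: the queued pointer is no longer counted */
}

/* Consumer: drain the queue; return how many packets pointed at a freed device. */
static int drain(bool consumer_owns_ref)
{
    int stale = 0;
    for (int i = 0; i < txq_len; i++) {
        struct dev *d = txq[i].dev;
        if (d->freed)
            stale++;            /* in a kernel this access would be the use-after-free */
        if (consumer_owns_ref)
            put(d);             /* reference released only after the last access */
    }
    txq_len = 0;
    return stale;
}

/* One interleaving: packet queued, device goes away, then the consumer runs. */
static int run_scenario(bool hardened)
{
    struct dev d = { .refcnt = 1, .freed = false };  /* 1 = registration reference */
    queue_pkt(&d, hardened);
    put(&d);                    /* unregister drops the registration reference */
    return drain(hardened);
}

int main(void)
{
    printf("stale accesses, early put:    %d\n", run_scenario(false));
    printf("stale accesses, deferred put: %d\n", run_scenario(true));
}
```

The model is single-threaded and fixes one ordering of events; in a real race the same ordering arises only when the free wins against the queue consumer.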
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2256787]
Is this handled upstream? Do you by chance have a reference to the upstream proposed fix? To the best of my knowledge, there is no recent commit in drivers/block/aoe/ area upstream in mainline which might go in that direction.
In reply to comment #5:
> Is this handled upstream? Do you by chance have a reference to the upstream
> proposed fix?

We've got this from ZDI, the Linux kernel security team (security) should be aware of this bug too.

> To the best of my knowledge, there is no recent commit in drivers/block/aoe/
> area upstream in mainline which might go in that direction.

I couldn't find any relevant upstream discussion or commit either, hopefully ZDI will publish their advisory soon and we'll get more information there.