author | Björn Bidar | 2022-06-24 20:03:01 +0300 |
---|---|---|
committer | Björn Bidar | 2022-06-25 16:46:45 +0300 |
commit | 657059c03d46120dea746abb196d9d622e21fe5f (patch) | |
tree | 2ae07d28cd858ef0cda12e3c8af27932d06c0fbb /0117-bus-fsl-mc-bus-fix-KASAN-use-after-free-in-fsl_mc_bu.patch | |
parent | 034adcf2fd3311bba3f58b8575b0be699ab3bd70 (diff) | |
download | aur-657059c03d46120dea746abb196d9d622e21fe5f.tar.gz |
Update to 5.18.6.p2-1
- New upstream release based on 5.18.5
- Add MGLRU Zen patch
- Add linux-5.18.6 patches
- Move System.map from -headers into the base package to avoid
external modules having wrong bpf symbols when running optimized
builds. Fixes #5
- Remove M/m from CPUSUFFIXES_KBUILD and LCPU, fixes build failing
when selecting an optimized build architecture that is not generic.
Fixes #6.
Signed-off-by: Björn Bidar <bjorn.bidar@thaodan.de>
Diffstat (limited to '0117-bus-fsl-mc-bus-fix-KASAN-use-after-free-in-fsl_mc_bu.patch')
-rw-r--r-- | 0117-bus-fsl-mc-bus-fix-KASAN-use-after-free-in-fsl_mc_bu.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/0117-bus-fsl-mc-bus-fix-KASAN-use-after-free-in-fsl_mc_bu.patch b/0117-bus-fsl-mc-bus-fix-KASAN-use-after-free-in-fsl_mc_bu.patch new file mode 100644 index 000000000000..379267d6b8a4 --- /dev/null +++ b/0117-bus-fsl-mc-bus-fix-KASAN-use-after-free-in-fsl_mc_bu.patch 
@@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> +Date: Wed, 1 Jun 2022 19:51:59 +0900 +Subject: [PATCH] bus: fsl-mc-bus: fix KASAN use-after-free in + fsl_mc_bus_remove() + +commit 928ea98252ad75118950941683893cf904541da9 upstream. + +In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to +fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in +fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io +triggers KASAN use-after-free. To avoid the use-after-free, keep the +reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to +fsl_destroy_mc_io(). + +This patch needs rework to apply to kernels older than v5.15. + +Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io") +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> +Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c +index 8fd4a356a86ec0b1cff2b830c6c1bf78924682f0..74593a1722fe0898fffbf19eb34673b10bd64ca3 100644 +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -1236,14 +1236,14 @@ static int fsl_mc_bus_probe(struct platform_device *pdev) + static int fsl_mc_bus_remove(struct platform_device *pdev) + { + struct fsl_mc *mc = platform_get_drvdata(pdev); ++ struct fsl_mc_io *mc_io; + + if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev)) + return -EINVAL; + ++ mc_io = mc->root_mc_bus_dev->mc_io; + fsl_mc_device_remove(mc->root_mc_bus_dev); +- +- fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io); +- mc->root_mc_bus_dev->mc_io = NULL; ++ fsl_destroy_mc_io(mc_io); + + 
bus_unregister_notifier(&fsl_mc_bus_type, &fsl_mc_nb); + |
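Review bot: In fsl_mc_bus_remove(), mc->root_mc_bus_dev is left holding a pointer to memory that, per the commit message, fsl_mc_device_remove() has already freed, so the rest of the function and anything else reaching struct fsl_mc through the platform drvdata can still dereference it. The local mc_io copy fixes the one read that KASAN flagged, but the fix depends entirely on statement order: the line "mc_io = mc->root_mc_bus_dev->mc_io;" has to stay above the fsl_mc_device_remove() call, and nothing in the hunk says so. I would add a one-line comment above that assignment stating that root_mc_bus_dev is freed by fsl_mc_device_remove(), and consider setting mc->root_mc_bus_dev = NULL right after that call so a later stale access faults immediately instead of reading freed memory. The removed "mc->root_mc_bus_dev->mc_io = NULL;" was itself a write into the freed object, so dropping it rather than moving it is correct. On the packaging side, the carried patch states it needs rework for kernels older than v5.15, which does not affect this 5.18.6 build.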