summarylogtreecommitdiffstats
path: root/0015-ptp-free-ptp-device-pin-descriptors-properly.patch
diff options
context:
space:
mode:
Diffstat (limited to '0015-ptp-free-ptp-device-pin-descriptors-properly.patch')
-rw-r--r--0015-ptp-free-ptp-device-pin-descriptors-properly.patch50
1 files changed, 50 insertions, 0 deletions
diff --git a/0015-ptp-free-ptp-device-pin-descriptors-properly.patch b/0015-ptp-free-ptp-device-pin-descriptors-properly.patch
new file mode 100644
index 000000000000..6298fa443499
--- /dev/null
+++ b/0015-ptp-free-ptp-device-pin-descriptors-properly.patch
@@ -0,0 +1,50 @@
+From b89e9f6a3ec61a96b5abced31813ad043bda3827 Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Mon, 13 Jan 2020 14:00:09 +0100
+Subject: [PATCH 15/16] ptp: free ptp device pin descriptors properly
+
+There is a bug in ptp_clock_unregister(), where ptp_cleanup_pin_groups()
+first frees ptp->pin_{,dev_}attr, but then posix_clock_unregister() needs
+them to destroy a related sysfs device.
+
+These functions can not be just swapped, as posix_clock_unregister() frees
+ptp which is needed in the ptp_cleanup_pin_groups(). Fix this by calling
+ptp_cleanup_pin_groups() in ptp_clock_release(), right before ptp is freed.
+
+This makes this patch fix an UAF bug in a patch which fixes an UAF bug.
+
+Reported-by: Antti Laakso <antti.laakso@intel.com>
+Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev")
+Link: https://lore.kernel.org/netdev/3d2bd09735dbdaf003585ca376b7c1e5b69a19bd.camel@intel.com/
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+---
+ drivers/ptp/ptp_clock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
+index 61fafe0374ce..b84f16bbd6f2 100644
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -170,6 +170,7 @@ static void ptp_clock_release(struct device *dev)
+ {
+ struct ptp_clock *ptp = container_of(dev, struct ptp_clock, dev);
+
++ ptp_cleanup_pin_groups(ptp);
+ mutex_destroy(&ptp->tsevq_mux);
+ mutex_destroy(&ptp->pincfg_mux);
+ ida_simple_remove(&ptp_clocks_map, ptp->index);
+@@ -302,9 +303,8 @@ int ptp_clock_unregister(struct ptp_clock *ptp)
+ if (ptp->pps_source)
+ pps_unregister_source(ptp->pps_source);
+
+- ptp_cleanup_pin_groups(ptp);
+-
+ posix_clock_unregister(&ptp->clock);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(ptp_clock_unregister);
+--
+2.25.0
+