From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lv Yunlong <lyl2019@mail.ustc.edu.cn>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.14 02/33] misc/libmasm/module: Fix two use after free in ibmasm_init_one
Date: Fri,  9 Jul 2021 22:34:44 -0400	[thread overview]
Message-ID: <20210710023516.3172075-2-sashal@kernel.org> (raw)
In-Reply-To: <20210710023516.3172075-1-sashal@kernel.org>

From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

[ Upstream commit 7272b591c4cb9327c43443f67b8fbae7657dd9ae ]

In ibmasm_init_one, it calls ibmasm_init_remote_input_dev().
Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are
allocated by input_allocate_device(), and assigned to
sp->remote.mouse_dev and sp->remote.keybd_dev respectively.

In the err_free_devices error branch of ibmasm_init_one,
mouse_dev and keybd_dev are freed by input_free_device(), and an
error is returned. Then the execution runs into the error_send_message
error branch of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp)
is called to unregister the freed sp->remote.mouse_dev and
sp->remote.keybd_dev.

My patch adds an "error_init_remote" label to handle the error of
ibmasm_init_remote_input_dev(), to avoid the UAF bugs.

Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Link: https://lore.kernel.org/r/20210426170620.10546-1-lyl2019@mail.ustc.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/ibmasm/module.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c
index c5a456b0a564..5bd62eebbb8a 100644
--- a/drivers/misc/ibmasm/module.c
+++ b/drivers/misc/ibmasm/module.c
@@ -123,7 +123,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
 	result = ibmasm_init_remote_input_dev(sp);
 	if (result) {
 		dev_err(sp->dev, "Failed to initialize remote queue\n");
-		goto error_send_message;
+		goto error_init_remote;
 	}
 
 	result = ibmasm_send_driver_vpd(sp);
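Review bot: the new goto target is the right one, but correctness now rests on ibmasm_init_remote_input_dev() having freed everything it allocated before returning nonzero, which this hunk cannot show; the commit message should state that contract explicitly, and sp->remote.mouse_dev / sp->remote.keybd_dev are still left pointing at freed memory after the callee's err_free_devices branch. Setting those two pointers to NULL in the callee's error branch would make a later ibmasm_free_remote_input_dev() harmless rather than relying on the caller never reaching it. Minor, for a follow-up: the context line `dev_err(sp->dev, "Failed to initialize remote queue\n");` describes the wrong thing for a failed ibmasm_init_remote_input_dev() call.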
@@ -143,8 +143,9 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
 	return 0;
 
 error_send_message:
-	disable_sp_interrupts(sp->base_address);
 	ibmasm_free_remote_input_dev(sp);
+error_init_remote:
+	disable_sp_interrupts(sp->base_address);
 	free_irq(sp->irq, (void *)sp);
 error_request_irq:
 	iounmap(sp->base_address);
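Review bot: besides adding the label, this hunk reorders the error_send_message path: before the patch `disable_sp_interrupts(sp->base_address);` ran before `ibmasm_free_remote_input_dev(sp);`, afterwards the remote input devices are unregistered while SP interrupts are still enabled. If the interrupt path can deliver events to those devices, that is a new window on the error path; if it cannot, the commit message should say so, since the reorder is not mentioned there. If the old order is wanted, leave disable_sp_interrupts() at error_send_message and have error_init_remote call it again before free_irq() (the call is idempotent on the visible lines), at the cost of a duplicated line.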
-- 
2.30.2
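As an added illustration that is not part of the patch or of the kernel's code, the following user-space model reproduces the error-path shape the commit message describes: a callee that frees its own allocations on failure, and a caller whose cleanup label unregisters the same devices again. Device allocation is simulated with a static pool and state flags so the mistaken cleanup is counted instead of corrupting memory. The ibmasm_* names mirror the patch, but their bodies, the pool, and the fault-injection budget are assumptions made for this model.

```c
/*
 * Added example (not kernel code): a user-space model of the
 * ibmasm_init_one() error path. Devices come from a static pool so a
 * free or unregister of an already-freed device is detected and counted
 * rather than being a real use-after-free.
 */
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

enum dev_state { DEV_FREE = 0, DEV_ALLOCATED, DEV_REGISTERED };

struct input_dev { enum dev_state state; };

static struct input_dev pool[POOL_SIZE];
static int alloc_budget; /* successful allocations left (fault injection, assumed) */
static int bad_frees;    /* frees/unregisters of an already-freed device */

static struct input_dev *input_allocate_device(void)
{
    if (alloc_budget <= 0)
        return NULL;
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].state == DEV_FREE) {
            pool[i].state = DEV_ALLOCATED;
            alloc_budget--;
            return &pool[i];
        }
    }
    return NULL;
}

static void input_free_device(struct input_dev *dev)
{
    if (!dev)
        return;
    if (dev->state == DEV_FREE) { /* double free: the bug class in the patch */
        bad_frees++;
        return;
    }
    dev->state = DEV_FREE;
}

static void input_unregister_device(struct input_dev *dev)
{
    input_free_device(dev); /* modelled as also releasing the device */
}

struct remote { struct input_dev *mouse_dev, *keybd_dev; };
struct service_processor { struct remote remote; int irq_enabled; };

/* Callee's own error branch: frees both devices on failure but leaves the
 * stale pointers in sp->remote, as the commit message describes. */
static int ibmasm_init_remote_input_dev(struct service_processor *sp)
{
    sp->remote.mouse_dev = input_allocate_device();
    sp->remote.keybd_dev = input_allocate_device();
    if (!sp->remote.mouse_dev || !sp->remote.keybd_dev)
        goto err_free_devices;
    sp->remote.mouse_dev->state = DEV_REGISTERED;
    sp->remote.keybd_dev->state = DEV_REGISTERED;
    return 0;
err_free_devices:
    input_free_device(sp->remote.mouse_dev);
    input_free_device(sp->remote.keybd_dev);
    return -1;
}

static void ibmasm_free_remote_input_dev(struct service_processor *sp)
{
    input_unregister_device(sp->remote.mouse_dev);
    input_unregister_device(sp->remote.keybd_dev);
}

static void disable_sp_interrupts(struct service_processor *sp) { sp->irq_enabled = 0; }

/* Probe model: fixed != 0 jumps to the post-patch label (error_init_remote),
 * fixed == 0 to the pre-patch one (error_send_message). */
static int ibmasm_init_one(struct service_processor *sp, int fixed)
{
    sp->irq_enabled = 1;
    if (ibmasm_init_remote_input_dev(sp)) {
        if (fixed)
            goto error_init_remote;
        goto error_send_message;
    }
    return 0;
error_send_message:
    ibmasm_free_remote_input_dev(sp); /* touches devices the callee already freed */
error_init_remote:
    disable_sp_interrupts(sp);
    return -1;
}

/* Run the probe with the second allocation failing and return how many
 * already-freed devices the cleanup path touched (0 means the path is sound). */
int count_bad_frees(int fixed)
{
    struct service_processor sp;
    memset(&sp, 0, sizeof sp);
    memset(pool, 0, sizeof pool);
    alloc_budget = 1; /* mouse_dev succeeds, keybd_dev fails */
    bad_frees = 0;
    ibmasm_init_one(&sp, fixed);
    return bad_frees;
}

int main(void)
{
    printf("pre-patch label:  %d bad free(s)\n", count_bad_frees(0));
    printf("post-patch label: %d bad free(s)\n", count_bad_frees(1));
    return 0;
}
```

With the pre-patch label the caller's cleanup frees the mouse device a second time; with the post-patch label it skips ibmasm_free_remote_input_dev() and only disables interrupts, so nothing freed by the callee is touched again. The model also shows why NULLing the stale pointers in the callee's error branch would be a cheap second line of defence.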