From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eli Cohen <elic@nvidia.com>, Thomas Gleixner <tglx@linutronix.de>,
Saeed Mahameed <saeedm@nvidia.com>,
Jacob Keller <jacob.e.keller@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.14 06/13] lib: cpu_rmap: Avoid use after free on rmap->obj array entries
Date: Thu, 4 May 2023 15:51:58 -0400 [thread overview]
Message-ID: <20230504195207.3809116-6-sashal@kernel.org> (raw)
In-Reply-To: <20230504195207.3809116-1-sashal@kernel.org>
From: Eli Cohen <elic@nvidia.com>
[ Upstream commit 4e0473f1060aa49621d40a113afde24818101d37 ]
When calling irq_set_affinity_notifier() with NULL at the notify
argument, it will cause freeing of the glue pointer in the
corresponding array entry but will leave the pointer in the array. A
subsequent call to free_irq_cpu_rmap() will try to free this entry again
leading to possible use after free.
Fix that by setting NULL to the array entry and checking that we have
non-zero at the array entry when iterating over the array in
free_irq_cpu_rmap().
The current code does not suffer from this since there are no cases
where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the
notify arg) is called, followed by a call to free_irq_cpu_rmap() so we
don't hit and issue. Subsequent patches in this series excersize this
flow, hence the required fix.
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Eli Cohen <elic@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/cpu_rmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c
index f610b2a10b3ed..f52389054a24f 100644
--- a/lib/cpu_rmap.c
+++ b/lib/cpu_rmap.c
@@ -235,7 +235,8 @@ void free_irq_cpu_rmap(struct cpu_rmap *rmap)
for (index = 0; index < rmap->used; index++) {
glue = rmap->obj[index];
- irq_set_affinity_notifier(glue->notify.irq, NULL);
+ if (glue)
+ irq_set_affinity_notifier(glue->notify.irq, NULL);
}
cpu_rmap_put(rmap);
@@ -271,6 +272,7 @@ static void irq_cpu_rmap_release(struct kref *ref)
container_of(ref, struct irq_glue, notify.kref);
cpu_rmap_put(glue->rmap);
+ glue->rmap->obj[glue->index] = NULL;
kfree(glue);
}
@@ -300,6 +302,7 @@ int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq)
rc = irq_set_affinity_notifier(irq, &glue->notify);
if (rc) {
cpu_rmap_put(glue->rmap);
+ rmap->obj[glue->index] = NULL;
kfree(glue);
}
return rc;
--
2.39.2
next prev parent reply other threads:[~2023-05-04 20:09 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-04 19:51 [PATCH AUTOSEL 4.14 01/13] wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device Sasha Levin
2023-05-04 19:51 ` [PATCH AUTOSEL 4.14 02/13] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Sasha Levin
2023-05-04 19:51 ` [PATCH AUTOSEL 4.14 03/13] ext2: Check block size validity during mount Sasha Levin
2023-05-04 19:51 ` [PATCH AUTOSEL 4.14 04/13] net: pasemi: Fix return type of pasemi_mac_start_tx() Sasha Levin
2023-05-04 19:51 ` [PATCH AUTOSEL 4.14 05/13] net: Catch invalid index in XPS mapping Sasha Levin
2023-05-04 19:51 ` Sasha Levin [this message]
2023-05-04 19:51 ` [PATCH AUTOSEL 4.14 07/13] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Sasha Levin
2023-05-04 19:52 ` [PATCH AUTOSEL 4.14 08/13] gfs2: Fix inode height consistency check Sasha Levin
2023-05-04 19:52 ` [Cluster-devel] " Sasha Levin
2023-05-04 19:52 ` [PATCH AUTOSEL 4.14 09/13] ext4: set goal start correctly in ext4_mb_normalize_request Sasha Levin
2023-05-04 19:52 ` [PATCH AUTOSEL 4.14 10/13] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Sasha Levin
2023-05-04 19:52 ` [PATCH AUTOSEL 4.14 11/13] null_blk: Always check queue mode setting from configfs Sasha Levin
2023-05-04 19:52 ` [PATCH AUTOSEL 4.14 12/13] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Sasha Levin
2023-05-04 19:52 ` [PATCH AUTOSEL 4.14 13/13] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230504195207.3809116-6-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=elic@nvidia.com \
--cc=jacob.e.keller@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=saeedm@nvidia.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.