* [PATCH 0/1] s390/dasd: fix use after free
@ 2021-08-04 15:17 Stefan Haberland
  2021-08-04 15:18 ` [PATCH 1/1] s390/dasd: fix use after free in dasd path handling Stefan Haberland
  2021-08-04 15:20 ` [PATCH 0/1] s390/dasd: fix use after free Jens Axboe
  0 siblings, 2 replies; 3+ messages in thread
From: Stefan Haberland @ 2021-08-04 15:17 UTC (permalink / raw)
  To: Jens Axboe
  Cc: linux-block, Jan Hoeppner, linux-s390, Heiko Carstens,
	Vasily Gorbik, Christian Borntraeger

Hi Jens,

please apply the following patch that fixes a use after free error in
the DASD driver.

Stefan Haberland (1):
  s390/dasd: fix use after free in dasd path handling

 drivers/s390/block/dasd_eckd.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

-- 
2.25.1



* [PATCH 1/1] s390/dasd: fix use after free in dasd path handling
  2021-08-04 15:17 [PATCH 0/1] s390/dasd: fix use after free Stefan Haberland
@ 2021-08-04 15:18 ` Stefan Haberland
  2021-08-04 15:20 ` [PATCH 0/1] s390/dasd: fix use after free Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread
From: Stefan Haberland @ 2021-08-04 15:18 UTC (permalink / raw)
  To: Jens Axboe
  Cc: linux-block, Jan Hoeppner, linux-s390, Heiko Carstens,
	Vasily Gorbik, Christian Borntraeger

When new configuration data is obtained after a path event it is stored
in the per path array. The old data needs to be freed.
The first valid configuration data is also referenced in the device
private structure to identify the device.
When the old per path configuration data was freed the device still
pointed to the already freed data leading to a use after free.

Fix by replacing also the device configuration data with the newly
obtained one before the old data gets freed.

Fixes: 460181217a24 ("s390/dasd: Store path configuration data during path handling")
Cc: stable@vger.kernel.org # 5.11+
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
---
 drivers/s390/block/dasd_eckd.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index 0de1a463c509..fb5d8152652d 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -1004,15 +1004,23 @@ static unsigned char dasd_eckd_path_access(void *conf_data, int conf_len)
 static void dasd_eckd_store_conf_data(struct dasd_device *device,
 				      struct dasd_conf_data *conf_data, int chp)
 {
+	struct dasd_eckd_private *private = device->private;
 	struct channel_path_desc_fmt0 *chp_desc;
 	struct subchannel_id sch_id;
+	void *cdp;
 
-	ccw_device_get_schid(device->cdev, &sch_id);
 	/*
 	 * path handling and read_conf allocate data
 	 * free it before replacing the pointer
+	 * also replace the old private->conf_data pointer
+	 * with the new one if this points to the same data
 	 */
-	kfree(device->path[chp].conf_data);
+	cdp = device->path[chp].conf_data;
+	if (private->conf_data == cdp) {
+		private->conf_data = (void *)conf_data;
+		dasd_eckd_identify_conf_parts(private);
+	}
+	ccw_device_get_schid(device->cdev, &sch_id);
 	device->path[chp].conf_data = conf_data;
 	device->path[chp].cssid = sch_id.cssid;
 	device->path[chp].ssid = sch_id.ssid;
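Review bot: the block comment above the new `cdp = device->path[chp].conf_data;` line still says "free it before replacing the pointer", but the old buffer is now freed only at the end of the function, after both pointers have been replaced. Reword the comment to describe the new order (replace the path pointer and, if it aliases, private->conf_data first, then free the old data), since that ordering is the whole fix. Two smaller points: the `(void *)` cast in `private->conf_data = (void *)conf_data;` is not needed for an assignment to a void pointer, and the `private->conf_data == cdp` test is also true when both are NULL, so it would help to say whether dasd_eckd_identify_conf_parts() is meant to run in that case.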
@@ -1020,6 +1028,7 @@ static void dasd_eckd_store_conf_data(struct dasd_device *device,
 	if (chp_desc)
 		device->path[chp].chpid = chp_desc->chpid;
 	kfree(chp_desc);
+	kfree(cdp);
 }
 
 static void dasd_eckd_clear_conf_data(struct dasd_device *device)
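Review bot: `kfree(cdp)` at the end of the function frees the buffer that was just stored if a caller ever passes in the pointer already held in device->path[chp].conf_data, because cdp and conf_data are then the same allocation. Either guard the free with a `cdp != conf_data` check or state in the comment that callers always hand in a freshly allocated buffer. Nothing in the visible lines serializes the pointer swap against readers of private->conf_data, so the changelog should also say what keeps a reader from still holding the old pointer when it is freed here.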
-- 
2.25.1



* Re: [PATCH 0/1] s390/dasd: fix use after free
  2021-08-04 15:17 [PATCH 0/1] s390/dasd: fix use after free Stefan Haberland
  2021-08-04 15:18 ` [PATCH 1/1] s390/dasd: fix use after free in dasd path handling Stefan Haberland
@ 2021-08-04 15:20 ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2021-08-04 15:20 UTC (permalink / raw)
  To: Stefan Haberland
  Cc: linux-block, Jan Hoeppner, linux-s390, Heiko Carstens,
	Vasily Gorbik, Christian Borntraeger

On 8/4/21 9:17 AM, Stefan Haberland wrote:
> Hi Jens,
> 
> please apply the following patch that fixes a use after free error in
> the DASD driver.
> 
> Stefan Haberland (1):
>   s390/dasd: fix use after free in dasd path handling
> 
>  drivers/s390/block/dasd_eckd.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)

Applied, thanks.

-- 
Jens Axboe

