linux-stable/drivers
Alexandra Winter db6343a5b0 s390/qeth: fix use-after-free in hsci
[ Upstream commit ebaaadc332 ]

KASAN found that addr was dereferenced after br2dev_event_work was freed.

==================================================================
BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
Hardware name: IBM 8561 T01 703 (LPAR)
Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
Call Trace:
 [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
 [<000000016942d118>] print_report+0x110/0x1f8
 [<0000000167a7bd04>] kasan_report+0xfc/0x128
 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
 [<00000001673edd1e>] process_one_work+0x76e/0x1128
 [<00000001673ee85c>] worker_thread+0x184/0x1098
 [<000000016740718a>] kthread+0x26a/0x310
 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
 [<00000001694711da>] ret_from_fork+0xa/0x40
Allocated by task 108338:
 kasan_save_stack+0x40/0x68
 kasan_set_track+0x36/0x48
 __kasan_kmalloc+0xa0/0xc0
 qeth_l2_switchdev_event+0x25a/0x738
 atomic_notifier_call_chain+0x9c/0xf8
 br_switchdev_fdb_notify+0xf4/0x110
 fdb_notify+0x122/0x180
 fdb_add_entry.constprop.0.isra.0+0x312/0x558
 br_fdb_add+0x59e/0x858
 rtnl_fdb_add+0x58a/0x928
 rtnetlink_rcv_msg+0x5f8/0x8d8
 netlink_rcv_skb+0x1f2/0x408
 netlink_unicast+0x570/0x790
 netlink_sendmsg+0x752/0xbe0
 sock_sendmsg+0xca/0x110
 ____sys_sendmsg+0x510/0x6a8
 ___sys_sendmsg+0x12a/0x180
 __sys_sendmsg+0xe6/0x168
 __do_sys_socketcall+0x3c8/0x468
 do_syscall+0x22c/0x328
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
Freed by task 540:
 kasan_save_stack+0x40/0x68
 kasan_set_track+0x36/0x48
 kasan_save_free_info+0x4c/0x68
 ____kasan_slab_free+0x14e/0x1a8
 __kasan_slab_free+0x24/0x30
 __kmem_cache_free+0x168/0x338
 qeth_l2_br2dev_worker+0x154/0x6b0
 process_one_work+0x76e/0x1128
 worker_thread+0x184/0x1098
 kthread+0x26a/0x310
 __ret_from_fork+0x8a/0xe8
 ret_from_fork+0xa/0x40
Last potentially related work creation:
 kasan_save_stack+0x40/0x68
 __kasan_record_aux_stack+0xbe/0xd0
 insert_work+0x56/0x2e8
 __queue_work+0x4ce/0xd10
 queue_work_on+0xf4/0x100
 qeth_l2_switchdev_event+0x520/0x738
 atomic_notifier_call_chain+0x9c/0xf8
 br_switchdev_fdb_notify+0xf4/0x110
 fdb_notify+0x122/0x180
 fdb_add_entry.constprop.0.isra.0+0x312/0x558
 br_fdb_add+0x59e/0x858
 rtnl_fdb_add+0x58a/0x928
 rtnetlink_rcv_msg+0x5f8/0x8d8
 netlink_rcv_skb+0x1f2/0x408
 netlink_unicast+0x570/0x790
 netlink_sendmsg+0x752/0xbe0
 sock_sendmsg+0xca/0x110
 ____sys_sendmsg+0x510/0x6a8
 ___sys_sendmsg+0x12a/0x180
 __sys_sendmsg+0xe6/0x168
 __do_sys_socketcall+0x3c8/0x468
 do_syscall+0x22c/0x328
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
Second to last potentially related work creation:
 kasan_save_stack+0x40/0x68
 __kasan_record_aux_stack+0xbe/0xd0
 kvfree_call_rcu+0xb2/0x760
 kernfs_unlink_open_file+0x348/0x430
 kernfs_fop_release+0xc2/0x320
 __fput+0x1ae/0x768
 task_work_run+0x1bc/0x298
 exit_to_user_mode_prepare+0x1a0/0x1a8
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
The buggy address belongs to the object at 00000000fdcea400
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
 96-byte region [00000000fdcea400, 00000000fdcea460)
The buggy address belongs to the physical page:
page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                           ^
 00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================

Fixes: f7936b7b26 ("s390/qeth: Update MACs of LEARNING_SYNC device")
Reported-by: Thorsten Winkler <twinkler@linux.ibm.com>
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
Reviewed-by: Thorsten Winkler <twinkler@linux.ibm.com>
Link: https://lore.kernel.org/r/20221207105304.20494-1-wintera@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-14 11:37:30 +01:00
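The bug class in this commit is a worker that keeps a pointer into its own work item (`addr` aliases the MAC stored inline in `br2dev_event_work`, 64 bytes into the 96-byte object) and reads through it after `kfree()`. The following user-space model is an added example, not the qeth driver's code or the upstream fix: the struct, the `queue_fdb_event()` / `worker_*()` names and the toy slab are hypothetical. The toy slab poisons freed objects with 0x6b the way SLUB's `slub_debug=P` does, so the stale read returns the poison byte deterministically instead of being undefined behaviour; in the real kernel the same read is what KASAN flagged.

```c
/* Model of a work-item use-after-free in a workqueue handler.
 * Hypothetical user-space re-implementation for illustration; not the
 * s390/qeth code and not the upstream fix. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN     6
#define POISON_FREE  0x6b   /* SLUB's free-object poison byte */

/* Hypothetical work item: the MAC is stored inline, so a pointer to
 * w->addr points into the object itself. */
struct event_work {
    int           event;
    unsigned char addr[ETH_ALEN];
    uint16_t      vid;
};

/* Toy slab: a static pool whose free() poisons the object like
 * slub_debug=P. Memory is never returned to libc, so reading a freed
 * slot is well-defined here (it is NOT in the kernel). */
#define POOL_SLOTS 4
static struct event_work pool[POOL_SLOTS];
static bool pool_used[POOL_SLOTS];

static struct event_work *slab_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_used[i]) {
            pool_used[i] = true;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void slab_free(struct event_work *w)
{
    pool_used[w - pool] = false;
    memset(w, POISON_FREE, sizeof *w);  /* mimic SLUB poisoning */
}

/* Notifier side: copy the FDB entry into a work item, as the switchdev
 * handler does before queue_work(). */
static struct event_work *queue_fdb_event(const unsigned char *mac, uint16_t vid)
{
    struct event_work *w = slab_alloc();
    if (!w)
        return NULL;
    memcpy(w->addr, mac, ETH_ALEN);
    w->vid = vid;
    return w;
}

/* Buggy worker: 'addr' aliases storage inside *w, the item is freed,
 * and addr[0] is then read for a trace line. Returns the byte the
 * trace would have logged. */
static unsigned char worker_buggy(struct event_work *w)
{
    const unsigned char *addr = w->addr;   /* alias into the object */
    /* ... program the MAC into the device using addr/w->vid ... */
    slab_free(w);                          /* frees what addr points into */
    return addr[0];                        /* use-after-free */
}

/* Fixed worker: anything needed after the free is copied to the stack
 * first, and the free is the last access to the object. */
static unsigned char worker_fixed(struct event_work *w)
{
    unsigned char mac[ETH_ALEN];
    memcpy(mac, w->addr, ETH_ALEN);
    /* ... program the MAC into the device using mac/w->vid ... */
    slab_free(w);
    return mac[0];                         /* stack copy, still valid */
}

/* Constructed sample MAC (locally administered, not a real device). */
static const unsigned char sample_mac[ETH_ALEN] = {0x02, 0x00, 0x5e, 0x10, 0x20, 0x30};

unsigned char demo_buggy(void)
{
    struct event_work *w = queue_fdb_event(sample_mac, 100);
    return w ? worker_buggy(w) : 0xff;
}

unsigned char demo_fixed(void)
{
    struct event_work *w = queue_fdb_event(sample_mac, 100);
    return w ? worker_fixed(w) : 0xff;
}

int main(void)
{
    printf("buggy worker logged 0x%02x (poison), fixed worker logged 0x%02x\n",
           demo_buggy(), demo_fixed());
    return 0;
}
```

The check a reviewer applies to any worker that frees its own work item: after the `kfree()`, no local may still point into the freed object, which in practice means either copying the fields out first or making the free the final statement. Running the buggy variant under KASAN (or `slub_debug=FP`) is what surfaces it, as the report above shows.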
accessibility speakup: fix a segfault caused by switching consoles 2022-11-26 09:24:44 +01:00
acpi ACPI: HMAT: Fix initiator registration for single-initiator systems 2022-12-08 11:28:45 +01:00
amba
android binder: validate alloc->mm in ->mmap() handler 2022-12-02 17:41:00 +01:00
ata ata: libata-core: do not issue non-internal commands once EH is pending 2022-12-02 17:41:00 +01:00
atm atm: idt77252: fix use-after-free bugs caused by tst_timer 2022-08-25 11:40:15 +02:00
auxdisplay
base PM: domains: Fix handling of unavailable/disabled idle states 2022-11-03 23:59:18 +09:00
bcma
block drbd: use after free in drbd_create_device() 2022-11-26 09:24:40 +01:00
bluetooth Bluetooth: btusb: Add debug message for CSR controllers 2022-12-14 11:37:20 +01:00
bus bus: ixp4xx: Don't touch bit 7 on IXP42x 2022-12-02 17:41:08 +01:00
cdrom
char char: tpm: Protect tpm_pm_suspend with locks 2022-12-08 11:28:45 +01:00
clk clk: Fix pointer casting to prevent oops in devm_clk_release() 2022-12-14 11:37:22 +01:00
clocksource Revert "clocksource/drivers/riscv: Events are stopped during CPU suspend" 2022-12-08 11:28:45 +01:00
comedi
connector
counter counter: microchip-tcb-capture: Handle Signal1 read and Synapse 2022-11-03 23:59:13 +09:00
cpufreq cpufreq: intel_pstate: hybrid: Use known scaling factor for P-cores 2022-11-03 23:59:12 +09:00
cpuidle
crypto crypto: cavium - prevent integer overflow loading firmware 2022-10-26 12:35:28 +02:00
cxl
dax devdax: Fix soft-reservation memory description 2022-09-28 11:11:57 +02:00
dca
devfreq
dio
dma dmaengine: at_hdmac: Check return code of dma_async_device_register 2022-11-16 09:58:30 +01:00
dma-buf dma-buf: fix racing conflict of dma_heap_add() 2022-12-02 17:41:06 +01:00
edac EDAC/ghes: Set the DIMM label unconditionally 2022-08-03 12:03:55 +02:00
eisa
extcon
firewire
firmware firmware: coreboot: Register bus in module init 2022-11-26 09:24:48 +01:00
fpga fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() 2022-10-26 12:35:07 +02:00
fsi fsi: core: Check error number after calling ida_simple_get 2022-10-26 12:35:17 +02:00
gnss
gpio gpio/rockchip: fix refcount leak in rockchip_gpiolib_register() 2022-12-14 11:37:27 +01:00
gpu drm: bridge: dw_hdmi: fix preference of RGB modes over YUV420 2022-12-14 11:37:24 +01:00
greybus
hid HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10 2022-12-14 11:37:21 +01:00
hsi HSI: omap_ssi_port: Fix dma_map_sg error check 2022-10-26 12:35:05 +02:00
hv Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register() 2022-12-02 17:41:05 +01:00
hwmon hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() 2022-12-08 11:28:42 +01:00
hwspinlock hwspinlock: qcom: correct MMIO max register for newer SoCs 2022-11-16 09:58:13 +01:00
hwtracing coresight: cti: Fix hang in cti_disable_hw() 2022-11-03 23:59:13 +09:00
i2c i2c: imx: Only DMA messages with I2C_M_DMA_SAFE flag set 2022-12-08 11:28:45 +01:00
i3c
idle
iio iio: light: rpr0521: add missing Kconfig dependencies 2022-12-08 11:28:38 +01:00
infiniband RDMA/efa: Add EFA 0xefa2 PCI ID 2022-11-26 09:24:31 +01:00
input Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send() 2022-12-08 11:28:45 +01:00
interconnect interconnect: imx: fix max_node_id 2022-08-17 14:23:53 +02:00
iommu iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() 2022-12-08 11:28:44 +01:00
ipack
irqchip irqchip/gic-v3: Always trust the managed affinity provided by the core code 2022-12-02 17:41:11 +01:00
isdn mISDN: fix misuse of put_device() in mISDN_register_device() 2022-11-26 09:24:39 +01:00
leds leds: lm3601x: Don't use mutex after it was destroyed 2022-10-26 12:34:39 +02:00
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:07:54 +02:00
mailbox mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg 2022-10-26 12:35:21 +02:00
mcb
md dm integrity: clear the journal on suspend 2022-12-02 17:41:11 +01:00
media media: v4l2-dv-timings.c: fix too strict blanking sanity checks 2022-12-14 11:37:19 +01:00
memory memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings() 2022-10-26 12:34:58 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-17 14:23:50 +02:00
message
mfd mtd: spi-nor: intel-spi: Disable write protection only if asked 2022-11-26 09:24:32 +01:00
misc misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() 2022-11-26 09:24:48 +01:00
mmc mmc: mtk-sd: Fix missing clk_disable_unprepare in msdc_of_clock_parse() 2022-12-14 11:37:14 +01:00
most
mtd spi: intel: Use correct mask for flash and protected regions 2022-11-26 09:24:32 +01:00
mux
net macsec: add missing attribute validation for offload 2022-12-14 11:37:30 +01:00
nfc nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION 2022-12-02 17:41:07 +01:00
ntb NTB: ntb_tool: uninitialized heap data in tool_fn_write() 2022-08-25 11:40:14 +02:00
nubus
nvdimm
nvme nvme initialize core quirks before calling nvme_init_subsystem 2022-12-14 11:37:27 +01:00
nvmem nvmem: rmem: Fix return value check in rmem_read() 2022-12-08 11:28:39 +01:00
of of: property: decrement node refcount in of_fwnode_get_reference_args() 2022-12-08 11:28:39 +01:00
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-17 14:24:01 +02:00
parisc parisc: Export iosapic_serial_irq() symbol for serial port driver 2022-11-10 18:15:40 +01:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-26 09:24:36 +01:00
pci PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge 2022-10-26 12:34:24 +02:00
pcmcia
perf perf/arm_pmu_platform: fix tests for platform_get_irq() failure 2022-09-20 12:39:45 +02:00
phy phy: ralink: mt7621-pci: add sentinel to quirks table 2022-11-16 09:58:17 +01:00
pinctrl pinctrl: single: Fix potential division by zero 2022-12-08 11:28:44 +01:00
platform platform/x86: ideapad-laptop: Fix interrupt storm on fn-lock toggle on some Yoga laptops 2022-12-02 17:41:11 +01:00
pnp
power power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() 2022-10-26 12:35:47 +02:00
powercap powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue 2022-10-26 12:35:30 +02:00
pps
ps3
ptp
pwm pwm: lpc18xx: Fix period handling 2022-08-17 14:23:16 +02:00
rapidio
ras
regulator regulator: twl6030: fix get status of twl6032 regulators 2022-12-14 11:37:16 +01:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-17 14:24:09 +02:00
reset reset: imx7: Fix the iMX8MP PCIe PHY PERST support 2022-10-05 10:39:40 +02:00
rpmsg rpmsg: qcom: glink: replace strncpy() with strscpy_pad() 2022-10-12 09:53:28 +02:00
rtc rtc: cmos: avoid UIP when reading alarm time 2022-12-14 11:37:18 +01:00
s390 s390/qeth: fix use-after-free in hsci 2022-12-14 11:37:30 +01:00
sbus
scsi scsi: iscsi: Fix possible memory leak when device_register() failed 2022-12-02 17:41:11 +01:00
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-26 09:24:36 +01:00
slimbus slimbus: stream: correct presence rate frequencies 2022-11-26 09:24:44 +01:00
soc soc: imx8m: Enable OCOTP clock before reading the register 2022-11-26 09:24:39 +01:00
soundwire soundwire: intel: Initialize clock stop timeout 2022-12-14 11:37:19 +01:00
spi spi: mediatek: Fix DEVAPC Violation at KO Remove 2022-12-14 11:37:15 +01:00
spmi spmi: pmic-arb: correct duplicate APID to PPID mapping logic 2022-10-26 12:35:19 +02:00
ssb
staging media: meson: vdec: fix possible refcount leak in vdec_probe() 2022-11-10 18:15:34 +01:00
target scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() 2022-11-26 09:24:49 +01:00
tc
tee tee: optee: fix possible memory leak in optee_register_device() 2022-12-02 17:41:03 +01:00
thermal thermal: intel_powerclamp: Use first online CPU as control_cpu 2022-10-26 12:35:56 +02:00
thunderbolt thunderbolt: Add DP OUT resource when DP tunnel is discovered 2022-11-16 09:58:13 +01:00
tty serial: stm32: Deassert Transmit Enable on ->rs485_config() 2022-12-08 11:28:45 +01:00
uio
usb usb: dwc3: gadget: Disable GUSB2PHYCFG.SUSPHY for End Transfer 2022-12-14 11:37:17 +01:00
vdpa vdpa/ifcvf: fix the calculation of queuepair 2022-10-05 10:39:43 +02:00
vfio vfio/type1: Unpin zero pages 2022-09-15 11:30:02 +02:00
vhost vhost/vsock: Use kvmalloc/kvfree for larger packets. 2022-10-26 12:34:47 +02:00
video fbcon: Use kzalloc() in fbcon_prepare_logo() 2022-12-14 11:37:17 +01:00
virt vboxguest: Do not use devm for irq 2022-08-25 11:40:33 +02:00
virtio
visorbus
vlynq
vme
w1
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-17 14:24:11 +02:00
xen xen/platform-pci: add missing free_irq() in error path 2022-12-02 17:41:10 +01:00
zorro
Kconfig
Makefile