linux/drivers
Takashi Sakamoto 5f4543c938 firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
commit 531390a243 upstream.

This patch is fix for Linux kernel v2.6.33 or later.

For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem
has had an issue of use-after-free. The subsystem allows multiple
user space listeners to the region, while data of the payload was likely
released before the listeners execute read(2) to access it for copying
to user space.

The issue was fixed by commit 281e20323a ("firewire: core: fix
use-after-free regression in FCP handler"). The object of the payload is
duplicated in kernel space for each listener. When the listener executes
ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to
be released.

However, it causes a memory leak since the commit relies on a call of
release_request() in drivers/firewire/core-cdev.c. Against the
expectation, the function is never called due to the design of
release_client_resource(). The function delegates the release task
to the caller when called with a non-NULL fourth argument. The implementation
of ioctl_send_response() is such a case. It should release the object
explicitly.

This commit fixes the bug.

Cc: <stable@vger.kernel.org>
Fixes: 281e20323a ("firewire: core: fix use-after-free regression in FCP handler")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20230117090610.93792-2-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-09 11:26:32 +01:00
accessibility tty: fix possible null-ptr-defer in spk_ttyio_release 2023-01-24 07:22:46 +01:00
acpi ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel systems 2023-02-06 07:59:01 +01:00
amba
android binder: validate alloc->mm in ->mmap() handler 2022-12-02 17:41:00 +01:00
ata ata: ahci: Fix PCS quirk application for suspend 2023-01-12 11:58:43 +01:00
atm
auxdisplay
base driver core: Fix test_async_probe_init saves device in wrong array 2023-02-01 08:27:14 +01:00
bcma
block block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
bluetooth Bluetooth: hci_qca: Fix driver shutdown on closed serdev 2023-01-24 07:22:42 +01:00
bus bus: mhi: host: Fix race between channel preparation and M0 event 2023-01-18 11:48:52 +01:00
cdrom
char ipmi: fix use after free in _ipmi_destroy_user() 2023-01-12 11:58:57 +01:00
clk clk: st: Fix memory leak in st_of_quadfs_setup() 2022-12-31 13:14:43 +01:00
clocksource clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() 2022-12-31 13:14:04 +01:00
comedi comedi: adv_pci1760: Fix PWM instruction handling 2023-01-24 07:22:45 +01:00
connector
counter counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update 2022-12-31 13:14:30 +01:00
cpufreq cpufreq: governor: Use kobject release() method to free dbs_data 2023-02-01 08:27:29 +01:00
cpuidle cpuidle: dt: Return the correct numbers of parsed idle states 2022-12-31 13:14:01 +01:00
crypto crypto: ccp - Add support for TEE for PCI ID 0x14CA 2023-01-12 11:58:58 +01:00
cxl
dax devdax: Fix soft-reservation memory description 2022-09-28 11:11:57 +02:00
dca
devfreq PM/devfreq: governor: Add a private governor_data for governor 2023-01-12 11:58:51 +01:00
dio drivers: dio: fix possible memory leak in dio_init() 2022-12-31 13:14:27 +01:00
dma dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init 2023-02-06 07:59:00 +01:00
dma-buf dma-buf: fix racing conflict of dma_heap_add() 2022-12-02 17:41:06 +01:00
edac EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info 2023-02-01 08:27:25 +01:00
eisa
extcon extcon: usbc-tusb320: fix kernel-doc warning 2023-02-06 07:59:01 +01:00
firewire firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region 2023-02-09 11:26:32 +01:00
firmware firmware: arm_scmi: Clear stale xfer->hdr.status 2023-02-06 07:59:00 +01:00
fpga fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() 2022-10-26 12:35:07 +02:00
fsi fsi: core: Check error number after calling ida_simple_get 2022-10-26 12:35:17 +02:00
gnss
gpio gpio: mxc: Unlock on error path in mxc_flip_edge() 2023-02-01 08:27:28 +01:00
gpu treewide: fix up files incorrectly marked executable 2023-02-01 08:27:29 +01:00
greybus
hid HID: playstation: sanity check DualSense calibration data. 2023-02-06 07:59:00 +01:00
hsi HSI: omap_ssi_core: Fix error handling in ssi_init() 2022-12-31 13:14:32 +01:00
hv video: hyperv_fb: Avoid taking busy spinlock on panic path 2022-12-31 13:14:39 +01:00
hwmon hwmon: (jc42) Fix missing unlock on error in jc42_write() 2022-12-31 13:14:44 +01:00
hwspinlock hwspinlock: qcom: correct MMIO max register for newer SoCs 2022-11-16 09:58:13 +01:00
hwtracing coresight: trbe: remove cpuhp instance node before remove cpuhp state 2022-12-31 13:14:30 +01:00
i2c i2c: designware: use casting of u64 in clock multiplication to avoid overflow 2023-02-01 08:27:26 +01:00
i3c
idle
iio iio: adc128s052: add proper .data members in adc128_of_match table 2022-12-31 13:14:47 +01:00
infiniband IB/hfi1: Remove user expected buffer invalidate race 2023-02-01 08:27:06 +01:00
input Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" 2023-02-01 08:27:29 +01:00
interconnect
iommu iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() 2023-01-18 11:48:52 +01:00
ipack
irqchip irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init() 2022-12-31 13:14:03 +01:00
isdn mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() 2022-12-31 13:14:37 +01:00
leds leds: lm3601x: Don't use mutex after it was destroyed 2022-10-26 12:34:39 +02:00
macintosh macintosh/macio-adb: check the return value of ioremap() 2022-12-31 13:14:35 +01:00
mailbox mailbox: zynq-ipi: fix error handling while device_register() fails 2022-12-31 13:14:39 +01:00
mcb mcb: mcb-parse: fix error handing in chameleon_parse_gdd() 2022-12-31 13:14:30 +01:00
md block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
media media: s5p-mfc: Fix in register read and write for H264 2023-01-12 11:59:06 +01:00
memory memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() 2023-02-01 08:27:03 +01:00
memstick memstick/ms_block: Add check for alloc_ordered_workqueue 2022-12-31 13:14:17 +01:00
message
mfd mfd: mt6360: Add bounds checking in Regmap read/write call-backs 2023-01-12 11:58:47 +01:00
misc mei: me: add meteor lake point M DID 2023-01-24 07:22:47 +01:00
mmc mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting 2023-01-24 07:22:45 +01:00
most
mtd mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type() 2023-01-12 11:58:57 +01:00
mux
net net: mdio-mux-meson-g12a: force internal PHY off on mux switch 2023-02-01 08:27:29 +01:00
nfc nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() 2023-01-18 11:48:54 +01:00
ntb
nubus
nvdimm
nvme nvme: fix passthrough csi check 2023-02-01 08:27:28 +01:00
nvmem nvmem: rmem: Fix return value check in rmem_read() 2022-12-08 11:28:39 +01:00
of of/kexec: Fix reading 32-bit "linux,initrd-{start,end}" values 2023-01-12 11:58:53 +01:00
opp
parisc parisc: led: Fix potential null-ptr-deref in start_task() 2023-01-12 11:58:59 +01:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-26 09:24:36 +01:00
pci PCI/sysfs: Fix double free in error path 2023-01-12 11:58:58 +01:00
pcmcia
perf perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() 2022-12-31 13:13:58 +01:00
phy phy: phy-can-transceiver: Skip warning if no "max-bitrate" 2023-02-01 08:27:13 +01:00
pinctrl pinctrl: rockchip: fix mux route data for rk3568 2023-02-01 08:27:11 +01:00
platform platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK 2023-02-01 08:27:18 +01:00
pnp PNP: fix name memory leak in pnp_alloc_dev() 2022-12-31 13:14:02 +01:00
power power: supply: fix null pointer dereferencing in power_supply_get_battery_info 2022-12-31 13:14:33 +01:00
powercap powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue 2022-10-26 12:35:30 +02:00
pps
ps3
ptp
pwm pwm: tegra: Fix 32 bit build 2022-12-31 13:14:48 +01:00
rapidio rapidio: devices: fix missing put_device in mport_cdev_open 2022-12-31 13:14:05 +01:00
ras
regulator regulator: da9211: Use irq handler when ready 2023-01-18 11:48:53 +01:00
remoteproc remoteproc: core: Do pm_relax when in RPROC_OFFLINE state 2023-01-12 11:58:59 +01:00
reset reset: uniphier-glue: Fix possible null-ptr-deref 2023-02-01 08:27:04 +01:00
rpmsg rpmsg: qcom: glink: replace strncpy() with strscpy_pad() 2022-10-12 09:53:28 +02:00
rtc rtc: ds1347: fix value written to century register 2023-01-12 11:58:56 +01:00
s390 block: handle bio_split_to_limits() NULL return 2023-01-18 11:48:58 +01:00
sbus
scsi scsi: ufs: core: Fix devfreq deadlocks 2023-02-01 08:27:26 +01:00
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-26 09:24:36 +01:00
slimbus slimbus: stream: correct presence rate frequencies 2022-11-26 09:24:44 +01:00
soc PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe() 2023-02-01 08:27:06 +01:00
soundwire ASoC/SoundWire: dai: expand 'stream' concept beyond SoundWire 2023-01-12 11:58:49 +01:00
spi spi: spidev: remove debug messages that access spidev->spi without locking 2023-02-01 08:27:18 +01:00
spmi spmi: pmic-arb: correct duplicate APID to PPID mapping logic 2022-10-26 12:35:19 +02:00
ssb
staging staging: mt7621-dts: change some node hex addresses to lower case 2023-01-24 07:22:46 +01:00
target scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() 2022-11-26 09:24:49 +01:00
tc
tee tee: optee: fix possible memory leak in optee_register_device() 2022-12-02 17:41:03 +01:00
thermal thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() 2023-02-01 08:27:28 +01:00
thunderbolt thunderbolt: Use correct function to calculate maximum USB3 link rate 2023-01-24 07:22:46 +01:00
tty serial: atmel: fix incorrect baudrate setup 2023-01-24 07:22:47 +01:00
uio uio: uio_dmem_genirq: Fix deadlock between irq config and handling 2022-12-31 13:14:27 +01:00
usb usb: gadget: f_fs: Ensure ep0req is dequeued before free_request 2023-02-01 08:27:11 +01:00
vdpa vduse: Validate vq_num in vduse_validate_config() 2023-01-24 07:22:41 +01:00
vfio vfio: platform: Do not pass return buffer to ACPI _RST method 2022-12-31 13:14:27 +01:00
vhost vhost: fix range used in translate_desc() 2023-01-12 11:59:11 +01:00
video fbdev: omapfb: avoid stack overflow warning 2023-01-24 07:22:42 +01:00
virt
virtio virtio_pci: modify ENOENT to EINVAL 2023-01-24 07:22:41 +01:00
visorbus
vlynq
vme vme: Fix error not catched in fake_init() 2022-12-31 13:14:30 +01:00
w1 w1: fix WARNING after calling w1_process() 2023-02-01 08:27:14 +01:00
watchdog
xen xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() 2022-12-31 13:14:04 +01:00
zorro
Kconfig
Makefile