linux/drivers
Florent Revest 8175dad2ad team: Fix use-after-free when an option instance allocation fails
commit c12296bbec upstream.

In __team_options_register, team_options are allocated and appended to
the team's option_list.
If one option instance allocation fails, the "inst_rollback" cleanup
path frees the previously allocated options but doesn't remove them from
the team's option_list.
This leaves dangling pointers that can be dereferenced later by other
parts of the team driver that iterate over options.

This patch fixes the cleanup path to remove the dangling pointers from
the list.

As far as I can tell, this UAF doesn't have many security implications
since it would be fairly hard to exploit (an attacker would need to make
the allocation of that specific small object fail) but it's still nice
to fix.

Cc: stable@vger.kernel.org
Fixes: 80f7c6683f ("team: add support for per-port options")
Signed-off-by: Florent Revest <revest@chromium.org>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://lore.kernel.org/r/20231206123719.1963153-1-revest@chromium.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-12-20 15:17:41 +01:00
accessibility
acpi ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA 2023-12-03 07:31:24 +01:00
amba amba: bus: fix refcount leak 2023-09-19 12:22:47 +02:00
android binder: fix memory leaks of spam and pending work 2023-12-13 18:36:44 +01:00
ata ata: pata_isapnp: Add missing error check for devm_ioport_map() 2023-12-03 07:31:21 +01:00
atm atm: solos-pci: Fix potential deadlock on &tx_queue_lock 2023-12-20 15:17:35 +01:00
auxdisplay
base devcoredump: Send uevent once devcd is ready 2023-12-13 18:36:50 +01:00
bcma
block virtio-blk: fix implicit overflow on virtio_max_dma_size 2023-11-28 16:56:20 +00:00
bluetooth Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE 2023-11-28 16:56:33 +00:00
bus bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up 2023-10-06 13:18:13 +02:00
cdrom
char hwrng: geode - fix accessing registers 2023-11-20 11:08:22 +01:00
clk clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks 2023-11-28 16:56:28 +00:00
clocksource clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware 2023-11-28 16:56:15 +00:00
comedi
connector
counter counter: microchip-tcb-capture: Fix the use of internal GCLK logic 2023-10-19 23:05:37 +02:00
cpufreq cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily 2023-12-08 08:48:04 +01:00
cpuidle powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT 2023-09-19 12:22:42 +02:00
crypto crypto: qat - fix deadlock in backlog processing 2023-11-20 11:08:24 +01:00
cxl cxl/mem: Fix shutdown order 2023-11-20 11:08:27 +01:00
dax dax/kmem: Pass valid argument to memory_group_register_static 2023-07-23 13:47:17 +02:00
dca
devfreq PM / devfreq: rockchip-dfi: Make pmu regmap mandatory 2023-11-20 11:08:15 +01:00
dio
dma dmaengine: stm32-mdma: correct desc prep when channel running 2023-11-28 16:56:31 +00:00
dma-buf dma-buf/sw_sync: Avoid recursive lock during fence signal 2023-08-30 16:18:21 +02:00
edac EDAC/igen6: Fix the issue of no error events 2023-09-19 12:22:40 +02:00
eisa
extcon extcon: usbc-tusb320: Convert to i2c's .probe_new() 2023-07-23 13:47:31 +02:00
firewire firewire: core: fix possible memory leak in create_units() 2023-12-08 08:48:00 +01:00
firmware firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit 2023-11-28 16:56:29 +00:00
fpga
fsi fsi: aspeed: Reset master errors after CFAM reset 2023-09-19 12:22:46 +02:00
gnss
gpio gpiolib: sysfs: Fix error handling on failed export 2023-12-13 18:36:47 +01:00
gpu drm/mediatek: Add spinlock for setting vblank event in atomic_begin 2023-12-20 15:17:38 +01:00
greybus
hid HID: hid-asus: add const to read-only outgoing usb buffer 2023-12-20 15:17:41 +01:00
hsi
hv Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs 2023-06-28 10:29:42 +02:00
hwmon hwmon: (nzxt-kraken2) Fix error handling path in kraken2_probe() 2023-12-13 18:36:40 +01:00
hwspinlock
hwtracing coresight: etm4x: Remove bogous __exit annotation for some functions 2023-12-13 18:36:45 +01:00
i2c i2c: designware: Fix corrupted memory seen in the ISR 2023-12-13 18:36:32 +01:00
i3c i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen 2023-11-28 16:56:32 +00:00
idle
iio iio: afe: rescale: Accept only offset channels 2023-11-08 17:26:42 +01:00
infiniband RDMA/irdma: Avoid free the non-cqp_request scratch 2023-12-13 18:36:40 +01:00
input Input: xpad - add HyperX Clutch Gladiate Support 2023-12-08 08:48:02 +01:00
interconnect Fix up backport of 1361917030 ("interconnect: Teach lockdep about icc_bw_lock order") 2023-10-06 13:18:09 +02:00
iommu iommu/vt-d: Make context clearing consistent with context mapping 2023-12-08 08:48:05 +01:00
ipack
irqchip irqchip/stm32-exti: add missing DT IRQ flag translation 2023-11-08 17:26:45 +01:00
isdn mISDN: Update parameter type of dsp_cmx_send() 2023-08-16 18:22:01 +02:00
leds leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu' 2023-11-20 11:08:25 +01:00
macintosh
mailbox mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 2023-07-23 13:47:28 +02:00
mcb mcb: fix error handling for different scenarios when parsing 2023-11-28 16:56:31 +00:00
md bcache: avoid NULL checking to c->root in run_cache_set() 2023-12-20 15:17:40 +01:00
media media: qcom: camss: Fix csid-gen2 for test pattern generator 2023-12-03 07:31:23 +01:00
memory memory: brcmstb_dpfe: fix testing array offset after use 2023-07-23 13:47:03 +02:00
memstick memstick r592: make memstick_debug_get_tpc_name() static 2023-07-23 13:46:52 +02:00
message
mfd mfd: arizona-spi: Set pdata.hpdet_channel for ACPI enumerated devs 2023-11-20 11:08:24 +01:00
misc misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write 2023-12-13 18:36:45 +01:00
mmc mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled 2023-12-08 08:48:05 +01:00
most
mtd mtd: cfi_cmdset_0001: Byte swap OTP info 2023-11-28 16:56:31 +00:00
mux
net team: Fix use-after-free when an option instance allocation fails 2023-12-20 15:17:41 +01:00
nfc nfcsim.c: Fix error checking for debugfs_create_dir 2023-06-28 10:29:51 +02:00
ntb ntb: Fix calculation ntb_transport_tx_free_entry() 2023-09-19 12:22:51 +02:00
nubus nubus: Partially revert proc_create_single_data() conversion 2023-07-05 18:25:05 +01:00
nvdimm nd_btt: Make BTT lanes preemptible 2023-11-20 11:08:22 +01:00
nvme nvme-pci: Add sleep quirk for Kingston drives 2023-12-13 18:36:42 +01:00
nvmem nvmem: imx: correct nregs for i.MX6UL 2023-11-08 17:26:41 +01:00
of of: dynamic: Fix of_reconfig_get_state_change() return value documentation 2023-12-13 18:36:33 +01:00
opp OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd() 2023-09-19 12:22:31 +02:00
parisc parisc: iosapic.c: Fix sparse warnings 2023-10-06 13:18:15 +02:00
parport parport: Add support for Brainboxes IX/UC/PX parallel cards 2023-12-13 18:36:48 +01:00
pci PCI: loongson: Limit MRRS to 256 2023-12-20 15:17:38 +01:00
pcmcia pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() 2023-11-20 11:08:27 +01:00
perf perf: hisi: Fix use-after-free when register pmu fails 2023-11-20 11:08:21 +01:00
phy phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins 2023-10-25 11:59:03 +02:00
pinctrl pinctrl: avoid reload of p state in list iteration 2023-12-08 08:48:00 +01:00
platform platform/x86: intel_telemetry: Fix kernel doc descriptions 2023-12-20 15:17:40 +01:00
pnp
power power: supply: ucs1002: fix error code in ucs1002_get_property() 2023-10-06 13:18:13 +02:00
powercap powercap: RAPL: Fix CONFIG_IOSF_MBI dependency 2023-07-23 13:46:46 +02:00
pps
ps3
ptp ptp: annotate data-race around q->head and q->tail 2023-11-28 16:56:23 +00:00
pwm pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume 2023-11-20 11:08:28 +01:00
rapidio
ras
regulator regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()" 2023-10-25 11:59:00 +02:00
remoteproc
reset
rpmsg rpmsg: Fix possible refcount leak in rpmsg_register_device_override() 2023-11-08 17:26:44 +01:00
rtc rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call 2023-11-20 11:08:27 +01:00
s390 s390/dasd: protect device queue against concurrent access 2023-12-03 07:31:24 +01:00
sbus
scsi scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle() 2023-12-13 18:36:41 +01:00
sh
siox
slimbus
soc soc: qcom: llcc: Handle a second device without data corruption 2023-11-20 11:08:21 +01:00
soundwire soundwire: stream: fix NULL pointer dereference for multi_link 2023-12-20 15:17:41 +01:00
spi spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies 2023-11-20 11:08:30 +01:00
spmi
ssb
staging net: vlan: introduce skb_vlan_eth_hdr() 2023-12-20 15:17:35 +01:00
target scsi: target: core: Fix deadlock due to recursive locking 2023-10-10 21:59:07 +02:00
tc
tee tee: optee: Fix supplicant based device enumeration 2023-12-13 18:36:38 +01:00
thermal thermal: core: prevent potential string overflow 2023-11-20 11:08:15 +01:00
thunderbolt thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding 2023-10-19 23:05:36 +02:00
tty serial: 8250_omap: Add earlycon support for the AM654 UART controller 2023-12-13 18:36:49 +01:00
uio
usb usb: typec: class: fix typec_altmode_put_partner to put plugs 2023-12-13 18:36:48 +01:00
vdpa vdpa/mlx5: preserve CVQ vringh index 2023-12-13 18:36:31 +01:00
vfio vfio/type1: fix cap_migration information leak 2023-09-19 12:22:41 +02:00
vhost vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE 2023-11-08 17:26:36 +01:00
video fbdev: stifb: Make the STI next font pointer a 32-bit signed offset 2023-12-08 08:48:04 +01:00
virt
virtio virtio-mmio: fix memory leak of vm_dev 2023-11-08 17:26:36 +01:00
visorbus
vlynq
vme
w1 w1: fix loop in w1_fini() 2023-07-23 13:47:20 +02:00
watchdog sbsa_gwdt: Calculate timeout with 64-bit math 2023-11-28 16:56:33 +00:00
xen swiotlb-xen: provide the "max_mapping_size" method 2023-12-03 07:31:24 +01:00
zorro
Kconfig
Makefile