linux/drivers/misc
Ola Jeppsson 96b328d119 misc: fastrpc: Fix use-after-free race condition for maps
It is possible that in between calling fastrpc_map_get() until
map->fl->lock is taken in fastrpc_free_map(), another thread can call
fastrpc_map_lookup() and get a reference to a map that is about to be
deleted.

Rewrite fastrpc_map_get() to only increase the reference count of a map
if it's non-zero. Propagate this to callers so they can know if a map is
about to be deleted.

Fixes this warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
...
Call trace:
 refcount_warn_saturate
 [fastrpc_map_get inlined]
 [fastrpc_map_lookup inlined]
 fastrpc_map_create
 fastrpc_internal_invoke
 fastrpc_device_ioctl
 __arm64_sys_ioctl
 invoke_syscall

Fixes: c68cfb718c ("misc: fastrpc: Add support for context Invoke method")
Cc: stable <stable@kernel.org>
Signed-off-by: Ola Jeppsson <ola@snap.com>
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20221124174941.418450-4-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-01-20 13:23:11 +01:00
..
altera-stapl misc: move from strlcpy with unused retval to strscpy 2022-09-01 16:29:42 +02:00
bcm-vk misc: bcm_vk: Remove usage of deprecated functions 2022-09-01 16:29:32 +02:00
c2port
cardreader Merge 5.19-rc6 into char-misc-next 2022-07-11 08:32:58 +02:00
cb710
cxl powerpc updates for 6.2 2022-12-19 07:13:33 -06:00
echo
eeprom misc: eeprom/idt_89hpesx: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
genwqe Driver Core changes for 6.2-rc1 2022-12-16 03:54:54 -08:00
habanalabs Char/Misc driver changes for 6.2-rc1 2022-12-16 03:49:24 -08:00
ibmasm
lis3lv02d misc: lis3lv02d/lis3lv02d_i2c: Convert to i2c's .probe_new() 2022-11-23 19:56:01 +01:00
lkdtm lkdtm: cfi: Make PAC test work with GCC 7 and 8 2022-12-14 16:05:09 -08:00
mchp_pci1xxxx misc: microchip: pci1xxxx: Fix a memory leak in the error handling of gp_aux_bus_probe() 2022-09-22 16:54:35 +02:00
mei mei: me: add meteor lake point M DID 2023-01-20 13:21:48 +01:00
ocxl Driver Core changes for 6.2-rc1 2022-12-16 03:54:54 -08:00
pvpanic misc/pvpanic: Convert regular spinlock into trylock on panic path 2022-04-29 16:54:59 +02:00
sgi-gru misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os 2022-11-23 19:55:48 +01:00
sgi-xp drivers/misc/sgi-xp: Remove orphan declarations from drivers/misc/sgi-xp/xp.h 2022-09-24 14:57:19 +02:00
ti-st
uacce iommu: Remove SVM_FLAG_SUPERVISOR_MODE support 2022-11-03 15:47:45 +01:00
vmw_vmci use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
ad525x_dpot-i2c.c i2c: Make remove callback return void 2022-08-16 12:46:26 +02:00
ad525x_dpot-spi.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
ad525x_dpot.c
ad525x_dpot.h
apds990x.c misc: apds990x: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
apds9802als.c misc: apds9802als: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
atmel-ssc.c misc: update maintainer email address and description for atmel-ssc 2022-08-03 11:03:03 +02:00
bh1770glc.c misc: bh1770glc: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
cs5535-mfgpt.c
ds1682.c misc: ds1682: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
dummy-irq.c
dw-xdata-pcie.c
enclosure.c
fastrpc.c misc: fastrpc: Fix use-after-free race condition for maps 2023-01-20 13:23:11 +01:00
gehc-achc.c
hi6421v600-irq.c misc: hi6421-spmi-pmic: Use generic_handle_irq_safe(). 2022-03-02 22:28:50 +01:00
hisi_hikey_usb.c
hmc6352.c misc: hmc6352: Convert to i2c's .probe_new() 2022-11-23 19:56:38 +01:00
hpilo.c
hpilo.h
ibmvmc.c ibmvmc: don't open-code file_inode() 2022-09-01 17:42:27 -04:00
ibmvmc.h
ics932s401.c misc: ics932s401: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
isl29003.c misc: isl29003: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
isl29020.c misc: isl29020: Convert to i2c's .probe_new() 2022-11-23 19:56:07 +01:00
Kconfig misc: smpro-misc: Add Ampere's Altra SMpro misc driver 2022-11-10 19:03:03 +01:00
kgdbts.c kgdbts: fix return value of __setup handler 2022-03-18 14:17:56 +01:00
lattice-ecp3-config.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
Makefile misc: smpro-misc: Add Ampere's Altra SMpro misc driver 2022-11-10 19:03:03 +01:00
open-dice.c misc: open-dice: Add driver to expose DICE data to userspace 2022-02-04 16:45:39 +01:00
pch_phub.c
pci_endpoint_test.c misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic 2022-09-09 10:24:12 +02:00
phantom.c
qcom-coincell.c
smpro-errmon.c misc: smpro-errmon: Add Ampere's SMpro error monitor driver 2022-11-10 19:02:43 +01:00
smpro-misc.c misc: smpro-misc: Add Ampere's Altra SMpro misc driver 2022-11-10 19:03:03 +01:00
sram-exec.c mm: Introduce set_memory_rox() 2022-12-15 10:37:26 -08:00
sram.c
sram.h
tifm_7xx1.c misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() 2022-11-23 19:55:26 +01:00
tifm_core.c
tsl2550.c misc: tsl2550: Convert to i2c's .probe_new() 2022-11-23 19:56:05 +01:00
vcpu_stall_detector.c misc: Add a mechanism to detect stalls on guest vCPUs 2022-07-14 16:54:17 +02:00
vmw_balloon.c - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
xilinx_sdfec.c misc/xilinx_sdfec: Replace kmap() with kmap_local_page() 2022-09-09 10:22:36 +02:00