From f1965040539fb43bf640944e1d0ae2c70814fc08 Mon Sep 17 00:00:00 2001
From: Denis Kirjanov
Date: Mar 01 2021 15:26:35 +0000
Subject: Merge branch 'users/ohering/SLE12-SP5/for-next' into SLE12-SP5
Pull a hyperv fix from Olaf Hering
---
diff --git a/patches.suse/msft-hv-2226-Drivers-hv-vmbus-Avoid-use-after-free-in-vmbus_onoff.patch b/patches.suse/msft-hv-2226-Drivers-hv-vmbus-Avoid-use-after-free-in-vmbus_onoff.patch
new file mode 100644
index 0000000..57a648d
--- /dev/null
+++ b/patches.suse/msft-hv-2226-Drivers-hv-vmbus-Avoid-use-after-free-in-vmbus_onoff.patch
@@ -0,0 +1,39 @@
+From: "Andrea Parri (Microsoft)"
+Date: Wed, 9 Dec 2020 08:08:25 +0100
+Patch-mainline: v5.12-rc1
+Subject: Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()
+Git-commit: e3fa4b747f085d2cda09bba0533b86fa76038635
+References: git-fixes
+
+When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could
+invoke put_device(), that will eventually release the device and free
+the channel object (cf. vmbus_device_release()). However, a pointer
+to the object is dereferenced again later to load the primary_channel.
+The use-after-free can be avoided by noticing that this load/check is
+redundant if device_obj is non-NULL: primary_channel must be NULL if
+device_obj is non-NULL, cf. vmbus_add_channel_work().
+
+Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling")
+Reported-by: Juan Vazquez
+Signed-off-by: Andrea Parri (Microsoft)
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20201209070827.29335-5-parri.andrea@gmail.com
+Signed-off-by: Wei Liu
+Acked-by: Olaf Hering
+---
+ drivers/hv/channel_mgmt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -1116,8 +1116,7 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr)
+ vmbus_device_unregister(channel->device_obj);
+ put_device(dev);
+ }
+- }
+- if (channel->primary_channel != NULL) {
++ } else if (channel->primary_channel != NULL) {
+ /*
+ * Sub-channel is being rescinded. Following is the channel
+ * close sequence when initiated from the driveri (refer to
diff --git a/series.conf b/series.conf
index 5c94c3b..fab0dfb 100644
--- a/series.conf
+++ b/series.conf
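Review bot: The new `else if (channel->primary_channel != NULL)` only removes the one dereference named in the description; after `put_device(dev)` in the `device_obj` branch the channel object may already be released, and vmbus_onoffer_rescind() continues past the end of this hunk, so the backport should confirm that nothing after the if/else-if chain reads `channel` on that path either. The invariant the fix relies on is not visible at the call site, so a comment on the new line would keep a later maintainer from "restoring" the dropped check, e.g. `/* device_obj != NULL implies primary_channel == NULL (vmbus_add_channel_work()); the channel may be freed once put_device() has run, so do not touch it on that path */`. The enclosing function starts and ends outside the hunk.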
@@ -57987,6 +57987,7 @@
 patches.suse/ACPI-property-Satisfy-kernel-doc-validator-part-1.patch
 patches.suse/ACPI-configfs-add-missing-check-after-configfs_regis.patch
 patches.suse/xfs-reduce-quota-reservation-when-doing-a-dax-unwrit.patch
+ patches.suse/msft-hv-2226-Drivers-hv-vmbus-Avoid-use-after-free-in-vmbus_onoff.patch
 patches.suse/media-vsp1-Fix-an-error-handling-path-in-the-probe-f.patch
 patches.suse/media-media-pci-Fix-memleak-in-empress_init.patch
 patches.suse/media-tm6000-Fix-memleak-in-tm6000_start_stream.patch