6.3-stable patches

added patches:
	firewire-net-fix-unexpected-release-of-object-for-asynchronous-request-packet.patch

diff --git a/queue-6.3/firewire-net-fix-unexpected-release-of-object-for-asynchronous-request-packet.patch b/queue-6.3/firewire-net-fix-unexpected-release-of-object-for-asynchronous-request-packet.patch
new file mode 100644 (file)
index 0000000..afe2018
--- /dev/null
+++ b/queue-6.3/firewire-net-fix-unexpected-release-of-object-for-asynchronous-request-packet.patch
@@ -0,0 +1,65 @@
+From f7dcc5e33c1e4b0d278a30f7d2f0c9a63d7b40ca Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Wed, 10 May 2023 10:35:33 +0900
+Subject: firewire: net: fix unexpected release of object for asynchronous request packet
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit f7dcc5e33c1e4b0d278a30f7d2f0c9a63d7b40ca upstream.
+
+The lifetime of object for asynchronous request packet is now maintained
+by reference counting, while current implementation of firewire-net
+releases the passed object in the handler.
+
+This commit fixes the bug.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://lore.kernel.org/lkml/Y%2Fymx6WZIAlrtjLc@workstation/
+Fixes: 13a55d6bb15f ("firewire: core: use kref structure to maintain lifetime of data for fw_request structure")
+Link: https://lore.kernel.org/lkml/20230510031205.782032-1-o-takashi@sakamocchi.jp/
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firewire/net.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
+index af22be84034b..538bd677c254 100644
+--- a/drivers/firewire/net.c
++++ b/drivers/firewire/net.c
+@@ -706,21 +706,22 @@ static void fwnet_receive_packet(struct fw_card *card, struct fw_request *r,
+       int rcode;
+ 
+       if (destination == IEEE1394_ALL_NODES) {
+-              kfree(r);
+-
+-              return;
+-      }
+-
+-      if (offset != dev->handler.offset)
++              // Although the response to the broadcast packet is not necessarily required, the
++              // fw_send_response() function should still be called to maintain the reference
++              // counting of the object. In the case, the call of function just releases the
++              // object as a result to decrease the reference counting.
++              rcode = RCODE_COMPLETE;
++      } else if (offset != dev->handler.offset) {
+               rcode = RCODE_ADDRESS_ERROR;
+-      else if (tcode != TCODE_WRITE_BLOCK_REQUEST)
++      } else if (tcode != TCODE_WRITE_BLOCK_REQUEST) {
+               rcode = RCODE_TYPE_ERROR;
+-      else if (fwnet_incoming_packet(dev, payload, length,
+-                                     source, generation, false) != 0) {
++      } else if (fwnet_incoming_packet(dev, payload, length,
++                                       source, generation, false) != 0) {
+               dev_err(&dev->netdev->dev, "incoming packet failure\n");
+               rcode = RCODE_CONFLICT_ERROR;
+-      } else
++      } else {
+               rcode = RCODE_COMPLETE;
++      }
+ 
+       fw_send_response(card, r, rcode);
+ }
+-- 
+2.40.1
+

diff --git a/queue-6.3/series b/queue-6.3/series
index 35e6cb4f6486e20cb1cbb4959390b1e80d726ad8..9db01fef8066c3c984d5be1a9c56f51c90adfba4 100644 (file)
--- a/queue-6.3/series
+++ b/queue-6.3/series
@@ -206,3 +206,4 @@ drm-amd-pm-parse-pp_handle-under-appropriate-conditions.patch
 drm-amdgpu-drop-gfx_v11_0_cp_ecc_error_irq_funcs.patch
 drm-amdgpu-disable-sdma-ecc-irq-only-when-sdma-ras-is-enabled-in-suspend.patch
 drm-amd-pm-avoid-potential-ubsan-issue-on-legacy-asics.patch
+firewire-net-fix-unexpected-release-of-object-for-asynchronous-request-packet.patch