5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Jun 2022 17:45:30 +0000 (19:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Jun 2022 17:45:30 +0000 (19:45 +0200)
added patches:
thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch
thermal-core-fix-memory-leak-in-the-error-path.patch

queue-5.10/series
queue-5.10/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch [new file with mode: 0644]
queue-5.10/thermal-core-fix-memory-leak-in-the-error-path.patch [new file with mode: 0644]

index 4ff88a04937c8c732f3e1f165623ed9abf8c456a..777beaae7fe3d50c5d1167cb396fb90700941f43 100644 (file)
@@ -436,3 +436,5 @@ xfs-force-log-and-push-ail-to-clear-pinned-inodes-when-aborting-mount.patch
 xfs-consider-shutdown-in-bmapbt-cursor-delete-assert.patch
 xfs-assert-in-xfs_btree_del_cursor-should-take-into-account-error.patch
 kseltest-cgroup-make-test_stress.sh-work-if-run-interactively.patch
+thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch
+thermal-core-fix-memory-leak-in-the-error-path.patch
diff --git a/queue-5.10/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch b/queue-5.10/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_device_register.patch
new file mode 100644 (file)
index 0000000..903348c
--- /dev/null
@@ -0,0 +1,90 @@
+From 0a5c26712f963f0500161a23e0ffff8d29f742ab Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Fri, 15 Oct 2021 10:45:04 +0800
+Subject: thermal/core: fix a UAF bug in __thermal_cooling_device_register()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 0a5c26712f963f0500161a23e0ffff8d29f742ab upstream.
+
+When device_register() return failed, program will goto out_kfree_type
+to release 'cdev->device' by put_device(). That will call thermal_release()
+to free 'cdev'. But the follow-up processes access 'cdev' continually.
+That trggers the UAF bug.
+
+====================================================================
+BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+Call Trace:
+ dump_stack_lvl+0xe2/0x152
+ print_address_description.constprop.0+0x21/0x140
+ ? __thermal_cooling_device_register+0x75b/0xa90
+ kasan_report.cold+0x7f/0x11b
+ ? __thermal_cooling_device_register+0x75b/0xa90
+ __thermal_cooling_device_register+0x75b/0xa90
+ ? memset+0x20/0x40
+ ? __sanitizer_cov_trace_pc+0x1d/0x50
+ ? __devres_alloc_node+0x130/0x180
+ devm_thermal_of_cooling_device_register+0x67/0xf0
+ max6650_probe.cold+0x557/0x6aa
+......
+
+Freed by task 258:
+ kasan_save_stack+0x1b/0x40
+ kasan_set_track+0x1c/0x30
+ kasan_set_free_info+0x20/0x30
+ __kasan_slab_free+0x109/0x140
+ kfree+0x117/0x4c0
+ thermal_release+0xa0/0x110
+ device_release+0xa7/0x240
+ kobject_put+0x1ce/0x540
+ put_device+0x20/0x30
+ __thermal_cooling_device_register+0x731/0xa90
+ devm_thermal_of_cooling_device_register+0x67/0xf0
+ max6650_probe.cold+0x557/0x6aa [max6650]
+
+Do not use 'cdev' again after put_device() to fix the problem like doing
+in thermal_zone_device_register().
+
+[dlezcano]: as requested by Rafael, change the affectation into two statements.
+
+Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/r/20211015024504.947520-1-william.xuanziyang@huawei.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/thermal_core.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -1092,7 +1092,7 @@ __thermal_cooling_device_register(struct
+ {
+       struct thermal_cooling_device *cdev;
+       struct thermal_zone_device *pos = NULL;
+-      int ret;
++      int id, ret;
+       if (!ops || !ops->get_max_state || !ops->get_cur_state ||
+           !ops->set_cur_state)
+@@ -1106,6 +1106,7 @@ __thermal_cooling_device_register(struct
+       if (ret < 0)
+               goto out_kfree_cdev;
+       cdev->id = ret;
++      id = ret;
+       cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
+       if (!cdev->type) {
+@@ -1147,8 +1148,9 @@ out_kfree_type:
+       thermal_cooling_device_destroy_sysfs(cdev);
+       kfree(cdev->type);
+       put_device(&cdev->device);
++      cdev = NULL;
+ out_ida_remove:
+-      ida_simple_remove(&thermal_cdev_ida, cdev->id);
++      ida_simple_remove(&thermal_cdev_ida, id);
+ out_kfree_cdev:
+       return ERR_PTR(ret);
+ }
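Review bot: The `cdev = NULL;` added after `put_device(&cdev->device);` under out_kfree_type has no reader within this patch; it only takes effect once thermal-core-fix-memory-leak-in-the-error-path.patch adds `kfree(cdev);` under out_kfree_cdev, which the out_kfree_type path falls through to. Without the NULL assignment that kfree would release `cdev` a second time, since the commit message states that put_device() ends in thermal_release() freeing it, so the two patches have to stay together and in this series order, which is the reverse of their upstream dates (Oct 2021 vs Mar 2021). The second patch's context line `ida_simple_remove(&thermal_cdev_ida, id);` already depends on this one, yet neither description records the dependency; I would add a line such as `[ 5.10: apply before "thermal/core: Fix memory leak in the error path", whose kfree(cdev) relies on cdev = NULL ]` above the Signed-off-by trailers. The body of __thermal_cooling_device_register() is only partly visible in these hunks, so the remaining goto targets are assumed unchanged.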
diff --git a/queue-5.10/thermal-core-fix-memory-leak-in-the-error-path.patch b/queue-5.10/thermal-core-fix-memory-leak-in-the-error-path.patch
new file mode 100644 (file)
index 0000000..fa3393c
--- /dev/null
@@ -0,0 +1,36 @@
+From d44616c6cc3e35eea03ecfe9040edfa2b486a059 Mon Sep 17 00:00:00 2001
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+Date: Fri, 19 Mar 2021 21:22:57 +0100
+Subject: thermal/core: Fix memory leak in the error path
+
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+
+commit d44616c6cc3e35eea03ecfe9040edfa2b486a059 upstream.
+
+Fix the following error:
+
+ smatch warnings:
+ drivers/thermal/thermal_core.c:1020 __thermal_cooling_device_register() warn: possible memory leak of 'cdev'
+
+by freeing the cdev when exiting the function in the error path.
+
+Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210319202257.890848-1-daniel.lezcano@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/thermal_core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -1152,6 +1152,7 @@ out_kfree_type:
+ out_ida_remove:
+       ida_simple_remove(&thermal_cdev_ida, id);
+ out_kfree_cdev:
++      kfree(cdev);
+       return ERR_PTR(ret);
+ }