--- /dev/null
+From b51a257b5c3c7634ef27e881e9ad80e5407c0dc0 Mon Sep 17 00:00:00 2001
+From: Prasad Sodagudi <psodagud@codeaurora.org>
+Date: Sun, 24 Mar 2019 07:57:04 -0700
+Subject: genirq: Prevent use-after-free and work list corruption
+
+[ Upstream commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 ]
+
+When irq_set_affinity_notifier() replaces the notifier, then the
+reference count on the old notifier is dropped which causes it to be
+freed. But nothing ensures that the old notifier is not longer queued
+in the work list. If it is queued this results in a use after free and
+possibly in work list corruption.
+
+Ensure that the work is canceled before the reference is dropped.
+
+Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: marc.zyngier@arm.com
+Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
+index 83cea913983c5..92c7eb1aeded9 100644
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -319,8 +319,10 @@ irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify)
+ desc->affinity_notify = notify;
+ raw_spin_unlock_irqrestore(&desc->lock, flags);
+
+- if (old_notify)
++ if (old_notify) {
++ cancel_work_sync(&old_notify->work);
+ kref_put(&old_notify->kref, old_notify->release);
++ }
+
+ return 0;
+ }
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
