4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Feb 2023 12:48:03 +0000 (13:48 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Feb 2023 12:48:03 +0000 (13:48 +0100)
added patches:
firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch
series

queue-4.14/firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch [new file with mode: 0644]
queue-4.14/series [new file with mode: 0644]

diff --git a/queue-4.14/firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch b/queue-4.14/firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch
new file mode 100644 (file)
index 0000000..258831e
--- /dev/null
@@ -0,0 +1,57 @@
+From 531390a243ef47448f8bad01c186c2787666bf4d Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Tue, 17 Jan 2023 18:06:10 +0900
+Subject: firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 531390a243ef47448f8bad01c186c2787666bf4d upstream.
+
+This patch is fix for Linux kernel v2.6.33 or later.
+
+For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem
+have had an issue of use-after-free. The subsystem allows multiple
+user space listeners to the region, while data of the payload was likely
+released before the listeners execute read(2) to access to it for copying
+to user space.
+
+The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix
+use-after-free regression in FCP handler"). The object of payload is
+duplicated in kernel space for each listener. When the listener executes
+ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to
+be released.
+
+However, it causes memory leak since the commit relies on call of
+release_request() in drivers/firewire/core-cdev.c. Against the
+expectation, the function is never called due to the design of
+release_client_resource(). The function delegates release task
+to caller when called with non-NULL fourth argument. The implementation
+of ioctl_send_response() is the case. It should release the object
+explicitly.
+
+This commit fixes the bug.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20230117090610.93792-2-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firewire/core-cdev.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -831,8 +831,10 @@ static int ioctl_send_response(struct cl
+       r = container_of(resource, struct inbound_transaction_resource,
+                        resource);
+-      if (is_fcp_request(r->request))
++      if (is_fcp_request(r->request)) {
++              kfree(r->data);
+               goto out;
++      }
+       if (a->length != fw_get_response_length(r->request)) {
+               ret = -EINVAL;
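Review bot: The reason the FCP branch has to free `r->data` itself is stated only in the commit message, not beside the new `kfree(r->data)` under the `is_fcp_request()` check, and that unstated assumption is exactly what produced the original leak. A short comment there would stop a later reader from folding the free back into a release path that never runs, e.g. `/* release_client_resource() handed the resource back to us, so release_request() is not called; free the duplicated FCP payload here. */`. The enclosing ioctl_send_response() starts and ends outside the quoted hunk, so whether the `out:` label or the later error exits touch `r->data` cannot be checked from here. Separately, the inner hunk header declares 57 added lines but only 55 follow and the queued file stops at `ret = -EINVAL;` with no trailing context; if the file on disk really ends there it will not apply, so it is worth confirming against upstream 531390a243ef before the queue is pushed.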
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644 (file)
index 0000000..e8e31cc
--- /dev/null
@@ -0,0 +1 @@
+firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch