--- /dev/null
+From a3a8784454692dd72e5d5d34dcdab17b4420e74c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon, 29 Dec 2014 09:39:01 -0500
+Subject: KEYS: close race between key lookup and freeing
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
+
+When a key is being garbage collected, it's key->user would get put before
+the ->destroy() callback is called, where the key is removed from it's
+respective tracking structures.
+
+This leaves a key hanging in a semi-invalid state which leaves a window open
+for a different task to try an access key->user. An example is
+find_keyring_by_name() which would dereference key->user for a key that is
+in the process of being garbage collected (where key->user was freed but
+->destroy() wasn't called yet - so it's still present in the linked list).
+
+This would cause either a panic, or corrupt memory.
+
+Fixes CVE-2014-9529.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/gc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -157,12 +157,12 @@ static noinline void key_gc_unused_keys(
+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
+ atomic_dec(&key->user->nikeys);
+
+- key_user_put(key->user);
+-
+ /* now throw away the key memory */
+ if (key->type->destroy)
+ key->type->destroy(key);
+
++ key_user_put(key->user);
++
+ kfree(key->description);
+
+ #ifdef KEY_DEBUGGING
--- /dev/null
+From 4aaa71873ddb9faf4b0c4826579e2f6d18ff9ab4 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 7 Jan 2015 15:24:19 +0200
+Subject: sata_dwc_460ex: fix resource leak on error path
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 4aaa71873ddb9faf4b0c4826579e2f6d18ff9ab4 upstream.
+
+DMA mapped IO should be unmapped on the error path in probe() and
+unconditionally on remove().
+
+Fixes: 62936009f35a ([libata] Add 460EX on-chip SATA driver, sata_dwc_460ex)
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/sata_dwc_460ex.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/drivers/ata/sata_dwc_460ex.c
++++ b/drivers/ata/sata_dwc_460ex.c
+@@ -799,7 +799,7 @@ static int dma_dwc_init(struct sata_dwc_
+ if (err) {
+ dev_err(host_pvt.dwc_dev, "%s: dma_request_interrupts returns"
+ " %d\n", __func__, err);
+- goto error_out;
++ return err;
+ }
+
+ /* Enabe DMA */
+@@ -810,11 +810,6 @@ static int dma_dwc_init(struct sata_dwc_
+ sata_dma_regs);
+
+ return 0;
+-
+-error_out:
+- dma_dwc_exit(hsdev);
+-
+- return err;
+ }
+
+ static int sata_dwc_scr_read(struct ata_link *link, unsigned int scr, u32 *val)
+@@ -1664,7 +1659,7 @@ static int sata_dwc_probe(struct platfor
+ char *ver = (char *)&versionr;
+ u8 *base = NULL;
+ int err = 0;
+- int irq, rc;
++ int irq;
+ struct ata_host *host;
+ struct ata_port_info pi = sata_dwc_port_info[0];
+ const struct ata_port_info *ppi[] = { &pi, NULL };
+@@ -1727,7 +1722,7 @@ static int sata_dwc_probe(struct platfor
+ if (irq == NO_IRQ) {
+ dev_err(&ofdev->dev, "no SATA DMA irq\n");
+ err = -ENODEV;
+- goto error_out;
++ goto error_iomap;
+ }
+
+ /* Get physical SATA DMA register base address */
+@@ -1736,14 +1731,16 @@ static int sata_dwc_probe(struct platfor
+ dev_err(&ofdev->dev, "ioremap failed for AHBDMA register"
+ " address\n");
+ err = -ENODEV;
+- goto error_out;
++ goto error_iomap;
+ }
+
+ /* Save dev for later use in dev_xxx() routines */
+ host_pvt.dwc_dev = &ofdev->dev;
+
+ /* Initialize AHB DMAC */
+- dma_dwc_init(hsdev, irq);
++ err = dma_dwc_init(hsdev, irq);
++ if (err)
++ goto error_dma_iomap;
+
+ /* Enable SATA Interrupts */
+ sata_dwc_enable_interrupts(hsdev);
+@@ -1761,9 +1758,8 @@ static int sata_dwc_probe(struct platfor
+ * device discovery process, invoking our port_start() handler &
+ * error_handler() to execute a dummy Softreset EH session
+ */
+- rc = ata_host_activate(host, irq, sata_dwc_isr, 0, &sata_dwc_sht);
+-
+- if (rc != 0)
++ err = ata_host_activate(host, irq, sata_dwc_isr, 0, &sata_dwc_sht);
++ if (err)
+ dev_err(&ofdev->dev, "failed to activate host");
+
+ dev_set_drvdata(&ofdev->dev, host);
+@@ -1772,7 +1768,8 @@ static int sata_dwc_probe(struct platfor
+ error_out:
+ /* Free SATA DMA resources */
+ dma_dwc_exit(hsdev);
+-
++error_dma_iomap:
++ iounmap((void __iomem *)host_pvt.sata_dma_regs);
+ error_iomap:
+ iounmap(base);
+ error_kmalloc:
+@@ -1793,6 +1790,7 @@ static int sata_dwc_remove(struct platfo
+ /* Free SATA DMA resources */
+ dma_dwc_exit(hsdev);
+
++ iounmap((void __iomem *)host_pvt.sata_dma_regs);
+ iounmap(hsdev->reg_base);
+ kfree(hsdev);
+ kfree(host);
projects / thirdparty / kernel / stable-queue.git / commitdiff
