--- /dev/null
+From 3f4093e2bf4673f218c0bf17d8362337c400e77b Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Fri, 5 Aug 2022 15:00:08 +0800
+Subject: atm: idt77252: fix use-after-free bugs caused by tst_timer
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 3f4093e2bf4673f218c0bf17d8362337c400e77b upstream.
+
+There are use-after-free bugs caused by tst_timer. The root cause
+is that there are no functions to stop tst_timer in idt77252_exit().
+One of the possible race conditions is shown below:
+
+ (thread 1) | (thread 2)
+ | idt77252_init_one
+ | init_card
+ | fill_tst
+ | mod_timer(&card->tst_timer, ...)
+idt77252_exit | (wait a time)
+ | tst_timer
+ |
+ | ...
+ kfree(card) // FREE |
+ | card->soft_tst[e] // USE
+
+The idt77252_dev is deallocated in idt77252_exit() and used in
+timer handler.
+
+This patch adds del_timer_sync() in idt77252_exit() in order that
+the timer handler could be stopped before the idt77252_dev is
+deallocated.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/idt77252.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -3767,6 +3767,7 @@ static void __exit idt77252_exit(void)
+ card = idt77252_chain;
+ dev = card->atmdev;
+ idt77252_chain = card->next;
++ del_timer_sync(&card->tst_timer);
+
+ if (dev->phy->stop)
+ dev->phy->stop(dev);
--- /dev/null
+From 45e1058b77feade4e36402828bfe3e0d3363177b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 20 Jul 2022 21:28:18 +0300
+Subject: NTB: ntb_tool: uninitialized heap data in tool_fn_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 45e1058b77feade4e36402828bfe3e0d3363177b upstream.
+
+The call to:
+
+ ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
+
+will return success if it is able to write even one byte to "buf".
+The value of "*offp" controls which byte. This could result in
+reading uninitialized data when we do the sscanf() on the next line.
+
+This code is not really desigined to handle partial writes where
+*offp is non-zero and the "buf" is preserved and re-used between writes.
+Just ban partial writes and replace the simple_write_to_buffer() with
+copy_from_user().
+
+Fixes: 578b881ba9c4 ("NTB: Add tool test client")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ntb/test/ntb_tool.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/test/ntb_tool.c
++++ b/drivers/ntb/test/ntb_tool.c
+@@ -367,14 +367,16 @@ static ssize_t tool_fn_write(struct tool
+ u64 bits;
+ int n;
+
++ if (*offp)
++ return 0;
++
+ buf = kmalloc(size + 1, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+- ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
+- if (ret < 0) {
++ if (copy_from_user(buf, ubuf, size)) {
+ kfree(buf);
+- return ret;
++ return -EFAULT;
+ }
+
+ buf[size] = 0;
vsock-fix-memory-leak-in-vsock_connect.patch
vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
tools-build-switch-to-new-openssl-api-for-test-libcrypto.patch
+ntb-ntb_tool-uninitialized-heap-data-in-tool_fn_write.patch
+xen-xenbus-fix-return-type-in-xenbus_file_read.patch
+atm-idt77252-fix-use-after-free-bugs-caused-by-tst_timer.patch
--- /dev/null
+From 32ad11127b95236dfc52375f3707853194a7f4b4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Aug 2022 10:11:33 +0300
+Subject: xen/xenbus: fix return type in xenbus_file_read()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 32ad11127b95236dfc52375f3707853194a7f4b4 upstream.
+
+This code tries to store -EFAULT in an unsigned int. The
+xenbus_file_read() function returns type ssize_t so the negative value
+is returned as a positive value to the user.
+
+This change forces another change to the min() macro. Originally, the
+min() macro used "unsigned" type which checkpatch complains about. Also
+unsigned type would break if "len" were not capped at MAX_RW_COUNT. Use
+size_t for the min(). (No effect on runtime for the min_t() change).
+
+Fixes: 2fb3683e7b16 ("xen: Add xenbus device driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+Link: https://lore.kernel.org/r/YutxJUaUYRG/VLVc@kili
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -128,7 +128,7 @@ static ssize_t xenbus_file_read(struct f
+ {
+ struct xenbus_file_priv *u = filp->private_data;
+ struct read_buffer *rb;
+- unsigned i;
++ ssize_t i;
+ int ret;
+
+ mutex_lock(&u->reply_mutex);
+@@ -148,7 +148,7 @@ again:
+ rb = list_entry(u->read_buffers.next, struct read_buffer, list);
+ i = 0;
+ while (i < len) {
+- unsigned sz = min((unsigned)len - i, rb->len - rb->cons);
++ size_t sz = min_t(size_t, len - i, rb->len - rb->cons);
+
+ ret = copy_to_user(ubuf + i, &rb->msg[rb->cons], sz);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
