From: Sasha Levin Date: Thu, 9 May 2019 01:16:21 +0000 (-0400) Subject: fixes for 3.18 X-Git-Tag: v4.9.175~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=692f3377406d972dc397cc99058c0f0795925250;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 3.18 Signed-off-by: Sasha Levin --- diff --git a/queue-3.18/genirq-prevent-use-after-free-and-work-list-corrupti.patch b/queue-3.18/genirq-prevent-use-after-free-and-work-list-corrupti.patch new file mode 100644 index 00000000000..652f41245a3 --- /dev/null +++ b/queue-3.18/genirq-prevent-use-after-free-and-work-list-corrupti.patch 
@@ -0,0 +1,43 @@ +From 05f847b44b027018141bcc7f0ddbc6b8fd759ef9 Mon Sep 17 00:00:00 2001 +From: Prasad Sodagudi +Date: Sun, 24 Mar 2019 07:57:04 -0700 +Subject: genirq: Prevent use-after-free and work list corruption + +[ Upstream commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 ] + +When irq_set_affinity_notifier() replaces the notifier, then the +reference count on the old notifier is dropped which causes it to be +freed. But nothing ensures that the old notifier is not longer queued +in the work list. If it is queued this results in a use after free and +possibly in work list corruption. + +Ensure that the work is canceled before the reference is dropped. + +Signed-off-by: Prasad Sodagudi +Signed-off-by: Thomas Gleixner +Cc: marc.zyngier@arm.com +Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org +Signed-off-by: Sasha Levin +--- + kernel/irq/manage.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index e7ef539c56d97..749280b58080f 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -307,8 +307,10 @@ irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify) + desc->affinity_notify = notify; + raw_spin_unlock_irqrestore(&desc->lock, flags); + +- if (old_notify) ++ if (old_notify) { ++ cancel_work_sync(&old_notify->work); + kref_put(&old_notify->kref, old_notify->release); ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-3.18/series b/queue-3.18/series index 6126df8824b..43693a2f667 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -56,3 +56,4 @@ asoc-tlv320aic32x4-fix-common-pins.patch xtensa-fix-initialization-of-pt_regs-syscall-in-star.patch scsi-csiostor-fix-missing-data-copy-in-csio_scsi_err.patch iommu-amd-set-exclusion-range-correctly.patch +genirq-prevent-use-after-free-and-work-list-corrupti.patch
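Review bot: In the kernel/irq/manage.c hunk carried by the queued patch, the return value of `cancel_work_sync(&old_notify->work)` is discarded, so the code cannot distinguish a work item that was cancelled while still pending from one that was never queued. If the path that queues the notifier work takes its own kref for the pending item (that code is not visible in this diff, so treat it as an assumption to confirm against the 3.18 tree), a cancelled item never runs and never drops that reference, and the use-after-free is traded for a leak of the old notifier. Suggest checking the result, for example `if (cancel_work_sync(&old_notify->work))` followed by an additional `kref_put(&old_notify->kref, old_notify->release)` for the cancelled item, or stating in the commit message why no extra put is needed. The placement after `raw_spin_unlock_irqrestore(&desc->lock, flags)` is correct, since cancel_work_sync() can sleep and must not run under the raw spinlock. A one-line comment above the call noting that the cancel must precede the final put would help anyone reordering these lines in a later backport.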