From: Sasha Levin Date: Thu, 9 May 2019 01:16:21 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v4.9.175~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=739f0471ff34e54fabb78a1f07d11ebe5f4c46f6;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/genirq-prevent-use-after-free-and-work-list-corrupti.patch b/queue-4.14/genirq-prevent-use-after-free-and-work-list-corrupti.patch new file mode 100644 index 00000000000..9517bd55067 --- /dev/null +++ b/queue-4.14/genirq-prevent-use-after-free-and-work-list-corrupti.patch 
@@ -0,0 +1,43 @@ +From 8363daa92a0808963997800ab6393f114fa96c38 Mon Sep 17 00:00:00 2001 +From: Prasad Sodagudi +Date: Sun, 24 Mar 2019 07:57:04 -0700 +Subject: genirq: Prevent use-after-free and work list corruption + +[ Upstream commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 ] + +When irq_set_affinity_notifier() replaces the notifier, then the +reference count on the old notifier is dropped which causes it to be +freed. But nothing ensures that the old notifier is not longer queued +in the work list. If it is queued this results in a use after free and +possibly in work list corruption. + +Ensure that the work is canceled before the reference is dropped. + +Signed-off-by: Prasad Sodagudi +Signed-off-by: Thomas Gleixner +Cc: marc.zyngier@arm.com +Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org +Signed-off-by: Sasha Levin +--- + kernel/irq/manage.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index 6c877d28838f2..9c86a3e451101 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -323,8 +323,10 @@ irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify) + desc->affinity_notify = notify; + raw_spin_unlock_irqrestore(&desc->lock, flags); + +- if (old_notify) ++ if (old_notify) { ++ cancel_work_sync(&old_notify->work); + kref_put(&old_notify->kref, old_notify->release); ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 85fa3a18c37..83bd53baaff 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -27,3 +27,4 @@ asoc-intel-kbl-fix-wrong-number-of-channels.patch virtio-blk-limit-number-of-hw-queues-by-nr_cpu_ids.patch platform-x86-pmc_atom-drop-__initconst-on-dmi-table.patch iommu-amd-set-exclusion-range-correctly.patch +genirq-prevent-use-after-free-and-work-list-corrupti.patch
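Review bot: In the kernel/irq/manage.c hunk, the return value of cancel_work_sync(&old_notify->work) is discarded, so this code cannot tell whether a pending work item was cancelled before it ran. If the path that queues old_notify->work takes its own kref on the notifier and relies on the work function to drop it (that path is not visible in this hunk), then a cancelled item leaves that reference held and old_notify->release is never called, trading the use-after-free for a leak. Please check the queuing side, and if it does take a reference, drop it with an extra kref_put() when cancel_work_sync() returns true. Separately, cancel_work_sync() can sleep. It is placed after raw_spin_unlock_irqrestore(&desc->lock, flags), which is correct, and a one-line comment saying so would keep a later change from moving it under the lock.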