From: Sasha Levin Date: Thu, 9 May 2019 01:16:21 +0000 (-0400) Subject: fixes for 4.4 X-Git-Tag: v4.9.175~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=76601227ff2676ce93a1c923802906cbebf68db3;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/genirq-prevent-use-after-free-and-work-list-corrupti.patch b/queue-4.4/genirq-prevent-use-after-free-and-work-list-corrupti.patch new file mode 100644 index 00000000000..c91271b610b --- /dev/null +++ b/queue-4.4/genirq-prevent-use-after-free-and-work-list-corrupti.patch 
@@ -0,0 +1,43 @@ +From b51a257b5c3c7634ef27e881e9ad80e5407c0dc0 Mon Sep 17 00:00:00 2001 +From: Prasad Sodagudi +Date: Sun, 24 Mar 2019 07:57:04 -0700 +Subject: genirq: Prevent use-after-free and work list corruption + +[ Upstream commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 ] + +When irq_set_affinity_notifier() replaces the notifier, then the +reference count on the old notifier is dropped which causes it to be +freed. But nothing ensures that the old notifier is not longer queued +in the work list. If it is queued this results in a use after free and +possibly in work list corruption. + +Ensure that the work is canceled before the reference is dropped. + +Signed-off-by: Prasad Sodagudi +Signed-off-by: Thomas Gleixner +Cc: marc.zyngier@arm.com +Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org +Signed-off-by: Sasha Levin +--- + kernel/irq/manage.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index 83cea913983c5..92c7eb1aeded9 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -319,8 +319,10 @@ irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify) + desc->affinity_notify = notify; + raw_spin_unlock_irqrestore(&desc->lock, flags); + +- if (old_notify) ++ if (old_notify) { ++ cancel_work_sync(&old_notify->work); + kref_put(&old_notify->kref, old_notify->release); ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 2a0c7b06a53..87ae2e04383 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -148,3 +148,4 @@ perf-x86-intel-fix-handling-of-wakeup_events-for-mul.patch xtensa-fix-initialization-of-pt_regs-syscall-in-star.patch scsi-csiostor-fix-missing-data-copy-in-csio_scsi_err.patch iommu-amd-set-exclusion-range-correctly.patch +genirq-prevent-use-after-free-and-work-list-corrupti.patch
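Review bot: In the irq_set_affinity_notifier() hunk of the queued genirq patch, the return value of the added cancel_work_sync(&old_notify->work) is discarded, so the code cannot tell whether it cancelled work that was still pending. If the path that queues old_notify->work takes a kref on the notifier on behalf of the queued work (that path is not visible in this hunk), then cancelling pending work means the handler never runs to drop that reference, and the single kref_put(&old_notify->kref, old_notify->release) that follows would leave the count above zero, trading the use-after-free for a leak of the old notifier. Please check the queueing side in the 4.4 tree and, if it does take a reference, drop it when cancel_work_sync() returns true. Separately, cancel_work_sync() can sleep; placing it after raw_spin_unlock_irqrestore(&desc->lock, flags) is correct, but the function comment should state that callers must be in process context if it does not already say so.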