From: Greg Kroah-Hartman Date: Mon, 6 Feb 2023 12:48:57 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.15.93~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ffd6aa1ab32d82318539cfea32a516545939a47;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch series --- diff --git a/queue-6.1/firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch b/queue-6.1/firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch new file mode 100644 index 00000000000..2f314f835f0 --- /dev/null +++ b/queue-6.1/firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch 
@@ -0,0 +1,57 @@ +From 531390a243ef47448f8bad01c186c2787666bf4d Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Tue, 17 Jan 2023 18:06:10 +0900 +Subject: firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region + +From: Takashi Sakamoto + +commit 531390a243ef47448f8bad01c186c2787666bf4d upstream. + +This patch is fix for Linux kernel v2.6.33 or later. + +For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem +have had an issue of use-after-free. The subsystem allows multiple +user space listeners to the region, while data of the payload was likely +released before the listeners execute read(2) to access to it for copying +to user space. + +The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix +use-after-free regression in FCP handler"). The object of payload is +duplicated in kernel space for each listener. When the listener executes +ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to +be released. + +However, it causes memory leak since the commit relies on call of +release_request() in drivers/firewire/core-cdev.c. Against the +expectation, the function is never called due to the design of +release_client_resource(). The function delegates release task +to caller when called with non-NULL fourth argument. The implementation +of ioctl_send_response() is the case. It should release the object +explicitly. + +This commit fixes the bug. 
+ +Cc: +Fixes: 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler") +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20230117090610.93792-2-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firewire/core-cdev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/firewire/core-cdev.c ++++ b/drivers/firewire/core-cdev.c +@@ -819,8 +819,10 @@ static int ioctl_send_response(struct cl + + r = container_of(resource, struct inbound_transaction_resource, + resource); +- if (is_fcp_request(r->request)) ++ if (is_fcp_request(r->request)) { ++ kfree(r->data); + goto out; ++ } + + if (a->length != fw_get_response_length(r->request)) { + ret = -EINVAL; diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 00000000000..e8e31cc7adc --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1 @@ +firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch
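Review bot: the added `kfree(r->data)` on the `is_fcp_request()` early-exit path in `ioctl_send_response()` matches the leak described in the commit message (the duplicated FCP payload was never released because `release_request()` is not reached on this path), but the hunk does not show the `out:` label or what follows it, so the reviewer should confirm that nothing after `out:` also frees `r->data` for an FCP request, since that would convert the leak into a double free. The non-FCP path is unchanged by the hunk, so its payload ownership (whether the response path releases it) should be checked separately rather than assumed from this change. A one-line comment above the new `kfree()` stating that the FCP payload is a per-listener copy (introduced by 281e20323ab7) owned by this ioctl would make the ownership rule explicit for future readers.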