From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 28 Aug 2023 09:58:51 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.4.13~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a04d9c64fa14233ebc486896706a6be558486b82;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch
---

diff --git a/queue-5.15/mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch b/queue-5.15/mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch
new file mode 100644
index 00000000000..05ac7d95dc8
--- /dev/null
+++ b/queue-5.15/mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch
@@ -0,0 +1,44 @@
+From f0362a253606e2031f8d61c74195d4d6556e12a4 Mon Sep 17 00:00:00 2001
+From: Rik van Riel <riel@surriel.com>
+Date: Thu, 17 Aug 2023 13:57:59 -0400
+Subject: mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer
+
+From: Rik van Riel <riel@surriel.com>
+
+commit f0362a253606e2031f8d61c74195d4d6556e12a4 upstream.
+
+The code calling ima_free_kexec_buffer runs long after the memblock
+allocator has already been torn down, potentially resulting in a use
+after free in memblock_isolate_range.
+
+With KASAN or KFENCE, this use after free will result in a BUG
+from the idle task, and a subsequent kernel panic.
+
+Switch ima_free_kexec_buffer over to memblock_free_late to avoid
+that issue.
+
+Fixes: fee3ff99bc67 ("powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c")
+Cc: stable@kernel.org
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Suggested-by: Mike Rappoport <rppt@kernel.org>
+Link: https://lore.kernel.org/r/20230817135759.0888e5ef@imladris.surriel.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Mike Rappoport (IBM) <rppt@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/kexec.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/of/kexec.c
++++ b/drivers/of/kexec.c
+@@ -187,8 +187,8 @@ int ima_free_kexec_buffer(void)
+ 	if (ret)
+ 		return ret;
+ 
+-	return memblock_free(addr, size);
+-
++	memblock_free_late(addr, size);
++	return 0;
+ }
+ 
+ /**
diff --git a/queue-5.15/series b/queue-5.15/series
index 92906d03ec3..e7c0266b929 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -88,3 +88,4 @@ pinctrl-renesas-rza2-add-lock-around-pinctrl_generic.patch
 dma-buf-sw_sync-avoid-recursive-lock-during-fence-si.patch
 mm-memory-failure-kill-soft_offline_free_page.patch
 mm-memory-failure-fix-unexpected-return-value-in-sof.patch
+mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch