From: Greg Kroah-Hartman
Date: Mon, 9 Sep 2024 16:22:19 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.322~50
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b440557f93fcf523c51cd48c7b2405d73b95cb50;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch
clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch
drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch
iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch
iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch
nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch
uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch
uprobes-use-kzalloc-to-allocate-xol-area.patch
vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch
---
diff --git a/queue-4.19/clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch b/queue-4.19/clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch
new file mode 100644
index 00000000000..e68b6393c67
--- /dev/null
+++ b/queue-4.19/clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch
@@ -0,0 +1,46 @@
+From 3d5c2f8e75a55cfb11a85086c71996af0354a1fb Mon Sep 17 00:00:00 2001
+From: Jacky Bai
+Date: Thu, 25 Jul 2024 15:33:55 -0400
+Subject: clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
+
+From: Jacky Bai
+
+commit 3d5c2f8e75a55cfb11a85086c71996af0354a1fb upstream.
+
+The value written into the TPM CnV can only be updated into the hardware
+when the counter increases. Additional writes to the CnV write buffer are
+ignored until the register has been updated. Therefore, we need to check
+if the CnV has been updated before continuing. This may require waiting for
+1 counter cycle in the worst case.
+
+Cc: stable@vger.kernel.org
+Fixes: 059ab7b82eec ("clocksource/drivers/imx-tpm: Add imx tpm timer support")
+Signed-off-by: Jacky Bai
+Reviewed-by: Peng Fan
+Reviewed-by: Ye Li
+Reviewed-by: Jason Liu
+Signed-off-by: Frank Li
+Link: https://lore.kernel.org/r/20240725193355.1436005-2-Frank.Li@nxp.com
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clocksource/timer-imx-tpm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/clocksource/timer-imx-tpm.c
++++ b/drivers/clocksource/timer-imx-tpm.c
+@@ -104,6 +104,14 @@ static int tpm_set_next_event(unsigned l
+ now = tpm_read_counter();
+
+ /*
++ * Need to wait CNT increase at least 1 cycle to make sure
++ * the C0V has been updated into HW.
++ */
++ if ((next & 0xffffffff) != readl(timer_base + TPM_C0V))
++ while (now == tpm_read_counter())
++ ;
++
++ /*
+ * NOTE: We observed in a very small probability, the bus fabric
+ * contention between GPU and A7 may results a few cycles delay
+ * of writing CNT registers which may cause the min_delta event got
diff --git a/queue-4.19/clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch b/queue-4.19/clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch
new file mode 100644
index 00000000000..ee43de1602f
--- /dev/null
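Review bot: The added `while (now == tpm_read_counter()) ;` in tpm_set_next_event() (drivers/clocksource/timer-imx-tpm.c, in the next-event patch) spins with no bound and no relax hint, so a counter that ever stops advancing would leave the CPU stuck in the clockevent programming path. The commit message limits the wait to one counter cycle in the worst case, but nothing in the visible lines enforces that. Consider `cpu_relax();` as the loop body and a comment naming the assumption the loop depends on, e.g. `/* CNT is free-running; this spins for at most one counter cycle */`. The function starts and ends outside the hunk, so the calling context (for instance whether interrupts are disabled) cannot be confirmed from this page.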
+++ b/queue-4.19/clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch
@@ -0,0 +1,70 @@
+From 5b8843fcd49827813da80c0f590a17ae4ce93c5d Mon Sep 17 00:00:00 2001
+From: Jacky Bai
+Date: Thu, 25 Jul 2024 15:33:54 -0400
+Subject: clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
+
+From: Jacky Bai
+
+commit 5b8843fcd49827813da80c0f590a17ae4ce93c5d upstream.
+
+In tpm_set_next_event(delta), return -ETIME by wrong cast to int when delta
+is larger than INT_MAX.
+
+For example:
+
+tpm_set_next_event(delta = 0xffff_fffe)
+{
+ ...
+ next = tpm_read_counter(); // assume next is 0x10
+ next += delta; // next will 0xffff_fffe + 0x10 = 0x1_0000_000e
+ now = tpm_read_counter(); // now is 0x10
+ ...
+
+ return (int)(next - now) <= 0 ? -ETIME : 0;
+ ^^^^^^^^^^
+ 0x1_0000_000e - 0x10 = 0xffff_fffe, which is -2 when
+ cast to int. So return -ETIME.
+}
+
+To fix this, introduce a 'prev' variable and check if 'now - prev' is
+larger than delta.
+
+Cc: stable@vger.kernel.org
+Fixes: 059ab7b82eec ("clocksource/drivers/imx-tpm: Add imx tpm timer support")
+Signed-off-by: Jacky Bai
+Reviewed-by: Peng Fan
+Reviewed-by: Ye Li
+Reviewed-by: Jason Liu
+Signed-off-by: Frank Li
+Link: https://lore.kernel.org/r/20240725193355.1436005-1-Frank.Li@nxp.com
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clocksource/timer-imx-tpm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/clocksource/timer-imx-tpm.c
++++ b/drivers/clocksource/timer-imx-tpm.c
+@@ -96,10 +96,10 @@ static int __init tpm_clocksource_init(u
+ static int tpm_set_next_event(unsigned long delta,
+ struct clock_event_device *evt)
+ {
+- unsigned long next, now;
++ unsigned long next, prev, now;
+
+- next = tpm_read_counter();
+- next += delta;
++ prev = tpm_read_counter();
++ next = prev + delta;
+ writel(next, timer_base + TPM_C0V);
+ now = tpm_read_counter();
+
+@@ -109,7 +109,7 @@ static int tpm_set_next_event(unsigned l
+ * of writing CNT registers which may cause the min_delta event got
+ * missed, so we need add a ETIME check here in case it happened.
+ */
+- return (int)(next - now) <= 0 ? -ETIME : 0;
++ return (now - prev) >= delta ? -ETIME : 0;
+ }
+
+ static int tpm_set_state_oneshot(struct clock_event_device *evt)
diff --git a/queue-4.19/drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch b/queue-4.19/drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch
new file mode 100644
index 00000000000..2652cf5f81f
--- /dev/null
+++ b/queue-4.19/drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch
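Review bot: In the int_max patch, `return (now - prev) >= delta ? -ETIME : 0;` subtracts two `unsigned long` values, and the commit message's own example (`0x1_0000_000e`) shows `unsigned long` being wider than the counter value it holds. If the counter wraps between the `prev` and `now` reads on such a build, `now - prev` becomes a very large number and the function reports -ETIME even though the event was programmed in time. Truncating the difference to the counter width, for instance `return (u32)(now - prev) >= delta ? -ETIME : 0;`, would keep the comparison correct across a wrap. This assumes a 32-bit counter, which the `next & 0xffffffff` mask in the next-event patch on this page suggests but this hunk does not show.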
@@ -0,0 +1,57 @@
+From 6fd28941447bf2c8ca0f26fda612a1cabc41663f Mon Sep 17 00:00:00 2001
+From: Naman Jain
+Date: Thu, 29 Aug 2024 12:43:12 +0530
+Subject: Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
+
+From: Naman Jain
+
+commit 6fd28941447bf2c8ca0f26fda612a1cabc41663f upstream.
+
+Rescind offer handling relies on rescind callbacks for some of the
+resources cleanup, if they are registered. It does not unregister
+vmbus device for the primary channel closure, when callback is
+registered. Without it, next onoffer does not come, rescind flag
+remains set and device goes to unusable state.
+
+Add logic to unregister vmbus for the primary channel in rescind callback
+to ensure channel removal and relid release, and to ensure that next
+onoffer can be received and handled properly.
+
+Cc: stable@vger.kernel.org
+Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
+Signed-off-by: Naman Jain
+Reviewed-by: Saurabh Sengar
+Link: https://lore.kernel.org/r/20240829071312.1595-3-namjain@linux.microsoft.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hv/vmbus_drv.c | 1 +
+ drivers/uio/uio_hv_generic.c | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -1973,6 +1973,7 @@ acpi_walk_err:
+ vmbus_acpi_remove(device);
+ return ret_val;
+ }
++EXPORT_SYMBOL_GPL(vmbus_device_unregister);
+
+ static const struct acpi_device_id vmbus_acpi_device_ids[] = {
+ {"VMBUS", 0},
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -119,6 +119,14 @@ static void hv_uio_rescind(struct vmbus_
+
+ /* Wake up reader */
+ uio_event_notify(&pdata->info);
++
++ /*
++ * With rescind callback registered, rescind path will not unregister the device
++ * from vmbus when the primary channel is rescinded.
++ * Without it, rescind handling is incomplete and next onoffer msg does not come.
++ * Unregister the device from vmbus here.
++ */
++ vmbus_device_unregister(channel->device_obj);
+ }
+
+ /* Sysfs API to allow mmap of the ring buffers
diff --git a/queue-4.19/iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch b/queue-4.19/iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch
new file mode 100644
index 00000000000..1a35250e66f
--- /dev/null
+++ b/queue-4.19/iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch
@@ -0,0 +1,42 @@
+From 84c65d8008764a8fb4e627ff02de01ec4245f2c4 Mon Sep 17 00:00:00 2001
+From: David Lechner
+Date: Tue, 23 Jul 2024 11:32:21 -0500
+Subject: iio: buffer-dmaengine: fix releasing dma channel on error
+
+From: David Lechner
+
+commit 84c65d8008764a8fb4e627ff02de01ec4245f2c4 upstream.
+
+If dma_get_slave_caps() fails, we need to release the dma channel before
+returning an error to avoid leaking the channel.
+
+Fixes: 2d6ca60f3284 ("iio: Add a DMAengine framework based buffer")
+Signed-off-by: David Lechner
+Link: https://patch.msgid.link/20240723-iio-fix-dmaengine-free-on-error-v1-1-2c7cbc9b92ff@baylibre.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/buffer/industrialio-buffer-dmaengine.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/buffer/industrialio-buffer-dmaengine.c
++++ b/drivers/iio/buffer/industrialio-buffer-dmaengine.c
+@@ -159,7 +159,7 @@ struct iio_buffer *iio_dmaengine_buffer_
+
+ ret = dma_get_slave_caps(chan, &caps);
+ if (ret < 0)
+- goto err_free;
++ goto err_release;
+
+ /* Needs to be aligned to the maximum of the minimums */
+ if (caps.src_addr_widths)
+@@ -184,6 +184,8 @@ struct iio_buffer *iio_dmaengine_buffer_
+
+ return &dmaengine_buffer->queue.buffer;
+
++err_release:
++ dma_release_channel(chan);
+ err_free:
+ kfree(dmaengine_buffer);
+ return ERR_PTR(ret);
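Review bot: In the hv/vmbus rescind patch, `EXPORT_SYMBOL_GPL(vmbus_device_unregister);` is placed after the closing brace of the function that holds the `acpi_walk_err:` label (vmbus_drv.c hunk at line 1973), not next to the definition of vmbus_device_unregister(), so the export is easy to miss when that function is later changed or removed. Moving it directly below the function it exports would follow the usual kernel layout. The diffstat lists only vmbus_drv.c and uio_hv_generic.c, so the new call `vmbus_device_unregister(channel->device_obj);` in hv_uio_rescind() depends on a prototype that uio_hv_generic.c can already see; that header is not on this page and is worth confirming for the 4.19 tree.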
diff --git a/queue-4.19/iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch b/queue-4.19/iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch
new file mode 100644
index 00000000000..0f04855320e
--- /dev/null
+++ b/queue-4.19/iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch
@@ -0,0 +1,48 @@
+From 8a3dcc970dc57b358c8db2702447bf0af4e0d83a Mon Sep 17 00:00:00 2001
+From: Matteo Martelli
+Date: Tue, 30 Jul 2024 10:11:53 +0200
+Subject: iio: fix scale application in iio_convert_raw_to_processed_unlocked
+
+From: Matteo Martelli
+
+commit 8a3dcc970dc57b358c8db2702447bf0af4e0d83a upstream.
+
+When the scale_type is IIO_VAL_INT_PLUS_MICRO or IIO_VAL_INT_PLUS_NANO
+the scale passed as argument is only applied to the fractional part of
+the value. Fix it by also multiplying the integer part by the scale
+provided.
+
+Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value")
+Signed-off-by: Matteo Martelli
+Link: https://patch.msgid.link/20240730-iio-fix-scale-v1-1-6246638c8daa@gmail.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/inkern.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -640,17 +640,17 @@ static int iio_convert_raw_to_processed_
+ break;
+ case IIO_VAL_INT_PLUS_MICRO:
+ if (scale_val2 < 0)
+- *processed = -raw64 * scale_val;
++ *processed = -raw64 * scale_val * scale;
+ else
+- *processed = raw64 * scale_val;
++ *processed = raw64 * scale_val * scale;
+ *processed += div_s64(raw64 * (s64)scale_val2 * scale,
+ 1000000LL);
+ break;
+ case IIO_VAL_INT_PLUS_NANO:
+ if (scale_val2 < 0)
+- *processed = -raw64 * scale_val;
++ *processed = -raw64 * scale_val * scale;
+ else
+- *processed = raw64 * scale_val;
++ *processed = raw64 * scale_val * scale;
+ *processed += div_s64(raw64 * (s64)scale_val2 * scale,
+ 1000000000LL);
+ break;
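Review bot: The new expressions `-raw64 * scale_val * scale` and `raw64 * scale_val * scale` in the IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO cases multiply three signed values with no overflow check, so an out-of-range product would give a wrong `*processed` without any error to the caller. The extra `* scale` factor widens the set of inputs that can overflow compared with the old two-factor product. The declarations are not in the hunk, so the 64-bit width of `raw64` is inferred from its name and from the `(s64)` cast on the following line. A comment stating the range callers may pass for `scale`, or a `check_mul_overflow()` guard that returns an error, would make the limit explicit. The function starts and ends outside the hunk.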
diff --git a/queue-4.19/nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch b/queue-4.19/nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch
new file mode 100644
index 00000000000..a3874f1b536
--- /dev/null
+++ b/queue-4.19/nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch
@@ -0,0 +1,40 @@
+From c69f37f6559a8948d70badd2b179db7714dedd62 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 2 Sep 2024 15:25:09 +0100
+Subject: nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
+
+From: Geert Uytterhoeven
+
+commit c69f37f6559a8948d70badd2b179db7714dedd62 upstream.
+
+devm_nvmem_device_get() returns an nvmem device, not an nvmem cell.
+
+Fixes: e2a5402ec7c6d044 ("nvmem: Add nvmem_device based consumer apis.")
+Cc: stable
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20240902142510.71096-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -794,13 +794,13 @@ void nvmem_device_put(struct nvmem_devic
+ EXPORT_SYMBOL_GPL(nvmem_device_put);
+
+ /**
+- * devm_nvmem_device_get() - Get nvmem cell of device form a given id
++ * devm_nvmem_device_get() - Get nvmem device of device form a given id
+ *
+ * @dev: Device that requests the nvmem device.
+ * @id: name id for the requested nvmem device.
+ *
+- * Return: ERR_PTR() on error or a valid pointer to a struct nvmem_cell
+- * on success. The nvmem_cell will be freed by the automatically once the
++ * Return: ERR_PTR() on error or a valid pointer to a struct nvmem_device
++ * on success. The nvmem_device will be freed by the automatically once the
+ * device is freed.
+ */
+ struct nvmem_device *devm_nvmem_device_get(struct device *dev, const char *id)
diff --git a/queue-4.19/series b/queue-4.19/series
index 87c1ef5b2f1..6af95436fac 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -70,3 +70,12 @@ usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
 squashfs-sanity-check-symbolic-link-size.patch
 of-irq-prevent-device-address-out-of-bounds-read-in-.patch
 ata-pata_macio-use-warn-instead-of-bug.patch
+iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch
+iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch
+nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch
+uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch
+drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch
+vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch
+clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch
+clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch
+uprobes-use-kzalloc-to-allocate-xol-area.patch
diff --git a/queue-4.19/uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch b/queue-4.19/uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch
new file mode 100644
index 00000000000..ec889256c43
--- /dev/null
+++ b/queue-4.19/uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch
@@ -0,0 +1,41 @@
+From fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e Mon Sep 17 00:00:00 2001
+From: Saurabh Sengar
+Date: Thu, 29 Aug 2024 12:43:11 +0530
+Subject: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
+
+From: Saurabh Sengar
+
+commit fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e upstream.
+
+For primary VM Bus channels, primary_channel pointer is always NULL. This
+pointer is valid only for the secondary channels. Also, rescind callback
+is meant for primary channels only.
+
+Fix NULL pointer dereference by retrieving the device_obj from the parent
+for the primary channel.
+
+Cc: stable@vger.kernel.org
+Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
+Signed-off-by: Saurabh Sengar
+Signed-off-by: Naman Jain
+Link: https://lore.kernel.org/r/20240829071312.1595-2-namjain@linux.microsoft.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/uio/uio_hv_generic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -104,10 +104,11 @@ static void hv_uio_channel_cb(void *cont
+
+ /*
+ * Callback from vmbus_event when channel is rescinded.
++ * It is meant for rescind of primary channels only.
+ */
+ static void hv_uio_rescind(struct vmbus_channel *channel)
+ {
+- struct hv_device *hv_dev = channel->primary_channel->device_obj;
++ struct hv_device *hv_dev = channel->device_obj;
+ struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
+
+ /*
diff --git a/queue-4.19/uprobes-use-kzalloc-to-allocate-xol-area.patch b/queue-4.19/uprobes-use-kzalloc-to-allocate-xol-area.patch
new file mode 100644
index 00000000000..8ad55cbc4d9
--- /dev/null
+++ b/queue-4.19/uprobes-use-kzalloc-to-allocate-xol-area.patch
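Review bot: The precondition that hv_uio_rescind() runs only for primary channels is stated in the added comment line but never checked; after this change `channel->device_obj` goes straight into `hv_get_drvdata()` and the result is used as `pdata`. If the callback could be reached for a sub-channel, or before `device_obj` is set, the function would operate on the wrong device or on NULL; whether that can happen depends on the registration code, which is outside this hunk. An assertion such as `if (WARN_ON_ONCE(channel->primary_channel)) return;` before `pdata` is used would turn the comment into an enforced contract, since the commit message says the pointer is always NULL for primary channels. The function body continues past the end of the hunk.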
@@ -0,0 +1,41 @@
+From e240b0fde52f33670d1336697c22d90a4fe33c84 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle
+Date: Tue, 3 Sep 2024 12:23:12 +0200
+Subject: uprobes: Use kzalloc to allocate xol area
+
+From: Sven Schnelle
+
+commit e240b0fde52f33670d1336697c22d90a4fe33c84 upstream.
+
+To prevent unitialized members, use kzalloc to allocate
+the xol area.
+
+Fixes: b059a453b1cf1 ("x86/vdso: Add mremap hook to vm_special_mapping")
+Signed-off-by: Sven Schnelle
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Oleg Nesterov
+Link: https://lore.kernel.org/r/20240903102313.3402529-1-svens@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/events/uprobes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1187,7 +1187,7 @@ static struct xol_area *__create_xol_are
+ uprobe_opcode_t insn = UPROBE_SWBP_INSN;
+ struct xol_area *area;
+
+- area = kmalloc(sizeof(*area), GFP_KERNEL);
++ area = kzalloc(sizeof(*area), GFP_KERNEL);
+ if (unlikely(!area))
+ goto out;
+
+@@ -1197,7 +1197,6 @@ static struct xol_area *__create_xol_are
+ goto free_area;
+
+ area->xol_mapping.name = "[uprobes]";
+- area->xol_mapping.fault = NULL;
+ area->xol_mapping.pages = area->pages;
+ area->pages[0] = alloc_page(GFP_HIGHUSER);
+ if (!area->pages[0])
diff --git a/queue-4.19/vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch b/queue-4.19/vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch
new file mode 100644
index 00000000000..a953b611855
--- /dev/null
+++ b/queue-4.19/vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch
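Review bot: The context line `area->pages[0] = alloc_page(GFP_HIGHUSER);` in the second inner hunk of the uprobes patch allocates the XOL page without `__GFP_ZERO`, so the page keeps whatever data it held before. The patch zeroes the `xol_area` structure through kzalloc() but not this page. If the page is what ends up mapped into the probed process, stale kernel memory could become readable from user space; the mapping name `"[uprobes]"` and the `xol_mapping.pages` assignment suggest that it is, but the mapping call itself is outside the hunk. `area->pages[0] = alloc_page(GFP_HIGHUSER | __GFP_ZERO);` would close that gap as a follow-up to this patch.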
@@ -0,0 +1,75 @@
+From 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 Mon Sep 17 00:00:00 2001
+From: David Fernandez Gonzalez
+Date: Wed, 28 Aug 2024 15:43:37 +0000
+Subject: VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
+
+From: David Fernandez Gonzalez
+
+commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 upstream.
+
+When removing a resource from vmci_resource_table in
+vmci_resource_remove(), the search is performed using the resource
+handle by comparing context and resource fields.
+
+It is possible though to create two resources with different types
+but same handle (same context and resource fields).
+
+When trying to remove one of the resources, vmci_resource_remove()
+may not remove the intended one, but the object will still be freed
+as in the case of the datagram type in vmci_datagram_destroy_handle().
+vmci_resource_table will still hold a pointer to this freed resource
+leading to a use-after-free vulnerability.
+
+BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
+BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
+Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
+ print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
+ __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
+ kasan_report+0x38/0x51 mm/kasan/report.c:442
+ vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
+ vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
+ vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
+ ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
+ kref_put include/linux/kref.h:65 [inline]
+ vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
+ vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
+ vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
+ __fput+0x261/0xa34 fs/file_table.c:282
+ task_work_run+0xf0/0x194 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
+ exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
+ syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
+ do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x6e/0x0
+
+This change ensures the type is also checked when removing
+the resource from vmci_resource_table in vmci_resource_remove().
+
+Fixes: bc63dedb7d46 ("VMCI: resource object implementation.")
+Cc: stable@vger.kernel.org
+Reported-by: George Kennedy
+Signed-off-by: David Fernandez Gonzalez
+Link: https://lore.kernel.org/r/20240828154338.754746-1-david.fernandez.gonzalez@oracle.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_resource.c
++++ b/drivers/misc/vmw_vmci/vmci_resource.c
+@@ -152,7 +152,8 @@ void vmci_resource_remove(struct vmci_re
+ spin_lock(&vmci_resource_table.lock);
+
+ hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
+- if (vmci_handle_is_equal(r->handle, resource->handle)) {
++ if (vmci_handle_is_equal(r->handle, resource->handle) &&
++ resource->type == r->type) {
+ hlist_del_init_rcu(&r->node);
+ break;
+ }
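Review bot: The loop in vmci_resource_remove() still picks the entry to unlink by value (handle plus, after this change, type) rather than by identity, so `hlist_del_init_rcu(&r->node)` unlinks the first entry that compares equal, which need not be `resource`. If two entries with the same handle and the same type can ever be in the table, the freed-but-still-linked state described in the commit message would come back; the add path is not on this page, so this cannot be ruled out here. Matching on the pointer, `if (r == resource) {`, removes exactly the object the caller passed in and makes the handle and type comparison unnecessary. The function starts and ends outside the hunk.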