From: Greg Kroah-Hartman Date: Fri, 30 Aug 2024 13:04:09 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.19.321~58 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b45649e0d3ccdd1b167dd067400107517d23b5b0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: ata-libata-core-fix-null-pointer-dereference-on-error.patch --- diff --git a/queue-6.1/ata-libata-core-fix-null-pointer-dereference-on-error.patch b/queue-6.1/ata-libata-core-fix-null-pointer-dereference-on-error.patch new file mode 100644 index 00000000000..f9b5fc291c9 --- /dev/null +++ b/queue-6.1/ata-libata-core-fix-null-pointer-dereference-on-error.patch 
@@ -0,0 +1,73 @@ +From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Sat, 29 Jun 2024 14:42:11 +0200 +Subject: ata: libata-core: Fix null pointer dereference on error + +From: Niklas Cassel + +commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e upstream. + +If the ata_port_alloc() call in ata_host_alloc() fails, +ata_host_release() will get called. + +However, the code in ata_host_release() tries to free ata_port struct +members unconditionally, which can lead to the following: + +BUG: unable to handle page fault for address: 0000000000003990 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] +Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 +RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 +RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 +RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 +R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 +R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 +FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 +PKRU: 55555554 +Call Trace: + + ? __die_body.cold+0x19/0x27 + ? page_fault_oops+0x15a/0x2f0 + ? exc_page_fault+0x7e/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? ata_host_release.cold+0x2f/0x6e [libata] + ? ata_host_release.cold+0x2f/0x6e [libata] + release_nodes+0x35/0xb0 + devres_release_group+0x113/0x140 + ata_host_alloc+0xed/0x120 [libata] + ata_host_alloc_pinfo+0x14/0xa0 [libata] + ahci_init_one+0x6c9/0xd20 [ahci] + +Do not access ata_port struct members unconditionally. 
+ +Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") +Cc: stable@vger.kernel.org +Reviewed-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Oleksandr Tymoshenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -5471,6 +5471,9 @@ static void ata_host_release(struct kref + for (i = 0; i < host->n_ports; i++) { + struct ata_port *ap = host->ports[i]; + ++ if (!ap) ++ continue; ++ + kfree(ap->pmp_link); + kfree(ap->slave_link); + kfree(ap); diff --git a/queue-6.1/series b/queue-6.1/series index a1c7c9e7a97..d542cfe6dce 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -17,3 +17,4 @@ mptcp-pm-do-not-remove-already-closed-subflows.patch mptcp-pm-add_addr-0-is-not-a-new-address.patch drm-amdgpu-align-pp_power_profile_mode-with-kernel-docs.patch drm-amdgpu-swsmu-always-force-a-state-reprogram-on-init.patch +ata-libata-core-fix-null-pointer-dereference-on-error.patch
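Review bot: the new `if (!ap) continue;` guard in the ata_host_release() loop only closes the oops described in the commit message if every slot of host->ports[] that ata_port_alloc() never filled reads as NULL rather than stale memory; the hunk shows the loop running to host->n_ports unconditionally, so for this 6.1 backport please confirm that the 6.1 ata_host_alloc() zero-initialises the ports array (as the upstream fix assumes), and consider saying so in the backport note. With that confirmed the three-line change is minimal and matches upstream 5d92c7c566dc exactly, which is what you want in a stable queue entry.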