public inbox for linux-kernel@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Prasad Sodagudi <psodagud@codeaurora.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	marc.zyngier@arm.com
Subject: [PATCH 5.1 12/30] genirq: Prevent use-after-free and work list corruption
Date: Thu,  9 May 2019 20:42:44 +0200
Message-ID: <20190509181253.320625162@linuxfoundation.org>
In-Reply-To: <20190509181250.417203112@linuxfoundation.org>

From: Prasad Sodagudi <psodagud@codeaurora.org>

commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 upstream.

When irq_set_affinity_notifier() replaces the notifier, then the
reference count on the old notifier is dropped which causes it to be
freed. But nothing ensures that the old notifier is no longer queued
in the work list. If it is queued this results in a use after free and
possibly in work list corruption.

Ensure that the work is canceled before the reference is dropped.

Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: marc.zyngier@arm.com
Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/irq/manage.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -357,8 +357,10 @@ irq_set_affinity_notifier(unsigned int i
 	desc->affinity_notify = notify;
 	raw_spin_unlock_irqrestore(&desc->lock, flags);
 
-	if (old_notify)
+	if (old_notify) {
+		cancel_work_sync(&old_notify->work);
 		kref_put(&old_notify->kref, old_notify->release);
+	}
 
 	return 0;
 }
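
Review bot: the return value of cancel_work_sync(&old_notify->work) is discarded in the new if (old_notify) block. cancel_work_sync() returns true when the work item was still pending, so if the code that queues this work takes its own reference on the notifier for the queued item (that path is not part of this hunk), cancelling here would leave that reference undropped and the notifier would never reach old_notify->release. Please check the queuing side and, if it does take a reference, drop it when cancel_work_sync() returns true. A one-line comment noting that the cancel has to stay after raw_spin_unlock_irqrestore(&desc->lock, flags), because cancel_work_sync() can sleep, would also help anyone who later reorders this function.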


