From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hulk Robot <hulkci@huawei.com>,
Baokun Li <libaokun1@huawei.com>,
Sergei Shtylyov <sergei.shtylyov@gmail.com>,
Damien Le Moal <damien.lemoal@opensource.wdc.com>
Subject: [PATCH 4.19 20/48] sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
Date: Mon, 6 Dec 2021 15:56:37 +0100 [thread overview]
Message-ID: <20211206145549.543472127@linuxfoundation.org> (raw)
In-Reply-To: <20211206145548.859182340@linuxfoundation.org>
From: Baokun Li <libaokun1@huawei.com>
commit 6c8ad7e8cf29eb55836e7a0215f967746ab2b504 upstream.
When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
a bug is reported:
==================================================================
BUG: Unable to handle kernel data access on read at 0x80000800805b502c
Oops: Kernel access of bad area, sig: 11 [#1]
NIP [c0000000000388a4] .ioread32+0x4/0x20
LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
Call Trace:
.free_irq+0x1c/0x4e0 (unreliable)
.ata_host_stop+0x74/0xd0 [libata]
.release_nodes+0x330/0x3f0
.device_release_driver_internal+0x178/0x2c0
.driver_detach+0x64/0xd0
.bus_remove_driver+0x70/0xf0
.driver_unregister+0x38/0x80
.platform_driver_unregister+0x14/0x30
.fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
.__se_sys_delete_module+0x1ec/0x2d0
.system_call_exception+0xfc/0x1f0
system_call_common+0xf8/0x200
==================================================================
The triggering of the BUG is shown in the following stack:
driver_detach
device_release_driver_internal
__device_release_driver
drv->remove(dev) --> platform_drv_remove/platform_remove
drv->remove(dev) --> sata_fsl_remove
iounmap(host_priv->hcr_base); <---- unmap
kfree(host_priv); <---- free
devres_release_all
release_nodes
dr->node.release(dev, dr->data) --> ata_host_stop
ap->ops->port_stop(ap) --> sata_fsl_port_stop
ioread32(hcr_base + HCONTROL) <---- UAF
host->ops->host_stop(host)
The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
not be executed in drv->remove. These functions should be executed in
host_stop after port_stop. Therefore, we move these functions to the
new function sata_fsl_host_stop and bind the new function to host_stop.
Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/sata_fsl.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c
@@ -1399,6 +1399,14 @@ static int sata_fsl_init_controller(stru
return 0;
}
+static void sata_fsl_host_stop(struct ata_host *host)
+{
+ struct sata_fsl_host_priv *host_priv = host->private_data;
+
+ iounmap(host_priv->hcr_base);
+ kfree(host_priv);
+}
+
/*
* scsi mid-layer and libata interface structures
*/
@@ -1431,6 +1439,8 @@ static struct ata_port_operations sata_f
.port_start = sata_fsl_port_start,
.port_stop = sata_fsl_port_stop,
+ .host_stop = sata_fsl_host_stop,
+
.pmp_attach = sata_fsl_pmp_attach,
.pmp_detach = sata_fsl_pmp_detach,
};
@@ -1563,8 +1573,6 @@ static int sata_fsl_remove(struct platfo
ata_host_detach(host);
irq_dispose_mapping(host_priv->irq);
- iounmap(host_priv->hcr_base);
- kfree(host_priv);
return 0;
}
next prev parent reply other threads:[~2021-12-06 15:24 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-06 14:56 [PATCH 4.19 00/48] 4.19.220-rc1 review Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 01/48] shm: extend forced shm destroy to support objects from several IPC nses Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 02/48] NFSv42: Fix pagecache invalidation after COPY/CLONE Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 03/48] of: clk: Make <linux/of_clk.h> self-contained Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 04/48] gfs2: Fix length of holes reported at end-of-file Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 05/48] atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 06/48] net: return correct error code Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 07/48] platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 08/48] s390/setup: avoid using memblock_enforce_memory_limit Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 09/48] btrfs: check-integrity: fix a warning on write caching disabled disk Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 10/48] thermal: core: Reset previous low and high trip during thermal zone init Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 11/48] scsi: iscsi: Unblock session then wake up error handler Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 12/48] ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 13/48] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 14/48] net: tulip: de4x5: fix the problem that the array lp->phy[8] may be out of bound Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 15/48] net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 16/48] perf hist: Fix memory leak of a perf_hpp_fmt Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 17/48] vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 18/48] kprobes: Limit max data_size of the kretprobe instances Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 19/48] ipmi: Move remove_work to dedicated workqueue Greg Kroah-Hartman
2021-12-06 14:56 ` Greg Kroah-Hartman [this message]
2021-12-06 14:56 ` [PATCH 4.19 21/48] sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 22/48] fs: add fget_many() and fput_many() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 23/48] fget: check that the fd still exists after getting a ref to it Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 24/48] i2c: stm32f7: recover the bus on access timeout Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 25/48] i2c: stm32f7: stop dma transfer in case of NACK Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 26/48] natsemi: xtensa: fix section mismatch warnings Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 27/48] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 28/48] net: mpls: Fix notifications when deleting a device Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 29/48] siphash: use _unaligned version by default Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 30/48] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 31/48] rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 32/48] net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 33/48] net: annotate data-races on txq->xmit_lock_owner Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 34/48] net/rds: correct socket tunable error in rds_tcp_tune() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 35/48] net/smc: Keep smc_close_final rc during active close Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 36/48] drm/msm: Do hw_init() before capturing GPU state Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 37/48] parisc: Fix KBUILD_IMAGE for self-extracting kernel Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 38/48] parisc: Fix "make install" on newer debian releases Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 39/48] vgacon: Propagate console boot parameters before calling `vc_resize Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 40/48] xhci: Fix commad ring abort, write all 64 bits to CRCR register Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 41/48] USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 4.19 42/48] usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 4.19 43/48] x86/64/mm: Map all kernel memory into trampoline_pgd Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 4.19 44/48] tty: serial: msm_serial: Deactivate RX DMA for polling support Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 4.19 45/48] serial: pl011: Add ACPI SBSA UART match id Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 4.19 46/48] serial: core: fix transmit-buffer reset and memleak Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 4.19 47/48] parisc: Mark cr16 CPU clocksource unstable on all SMP machines Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 4.19 48/48] ipmi: msghandler: Make symbol remove_work_wq static Greg Kroah-Hartman
2021-12-06 19:38 ` [PATCH 4.19 00/48] 4.19.220-rc1 review Pavel Machek
2021-12-06 21:57 ` Shuah Khan
2021-12-07 9:39 ` Naresh Kamboju
2021-12-07 20:41 ` Guenter Roeck
2021-12-08 10:27 ` Sudip Mukherjee
2021-12-09 1:14 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211206145549.543472127@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=damien.lemoal@opensource.wdc.com \
--cc=hulkci@huawei.com \
--cc=libaokun1@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sergei.shtylyov@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox