From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hulk Robot <hulkci@huawei.com>,
Baokun Li <libaokun1@huawei.com>,
Sergei Shtylyov <sergei.shtylyov@gmail.com>,
Damien Le Moal <damien.lemoal@opensource.wdc.com>
Subject: [PATCH 5.4 30/70] sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
Date: Mon, 6 Dec 2021 15:56:34 +0100 [thread overview]
Message-ID: <20211206145552.964106221@linuxfoundation.org> (raw)
In-Reply-To: <20211206145551.909846023@linuxfoundation.org>
From: Baokun Li <libaokun1@huawei.com>
commit 6c8ad7e8cf29eb55836e7a0215f967746ab2b504 upstream.
When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
a bug is reported:
==================================================================
BUG: Unable to handle kernel data access on read at 0x80000800805b502c
Oops: Kernel access of bad area, sig: 11 [#1]
NIP [c0000000000388a4] .ioread32+0x4/0x20
LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
Call Trace:
.free_irq+0x1c/0x4e0 (unreliable)
.ata_host_stop+0x74/0xd0 [libata]
.release_nodes+0x330/0x3f0
.device_release_driver_internal+0x178/0x2c0
.driver_detach+0x64/0xd0
.bus_remove_driver+0x70/0xf0
.driver_unregister+0x38/0x80
.platform_driver_unregister+0x14/0x30
.fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
.__se_sys_delete_module+0x1ec/0x2d0
.system_call_exception+0xfc/0x1f0
system_call_common+0xf8/0x200
==================================================================
The triggering of the BUG is shown in the following stack:
driver_detach
device_release_driver_internal
__device_release_driver
drv->remove(dev) --> platform_drv_remove/platform_remove
drv->remove(dev) --> sata_fsl_remove
iounmap(host_priv->hcr_base); <---- unmap
kfree(host_priv); <---- free
devres_release_all
release_nodes
dr->node.release(dev, dr->data) --> ata_host_stop
ap->ops->port_stop(ap) --> sata_fsl_port_stop
ioread32(hcr_base + HCONTROL) <---- UAF
host->ops->host_stop(host)
The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
not be executed in drv->remove. These functions should be executed in
host_stop after port_stop. Therefore, we move these functions to the
new function sata_fsl_host_stop and bind the new function to host_stop.
Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/sata_fsl.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c
@@ -1394,6 +1394,14 @@ static int sata_fsl_init_controller(stru
return 0;
}
+static void sata_fsl_host_stop(struct ata_host *host)
+{
+ struct sata_fsl_host_priv *host_priv = host->private_data;
+
+ iounmap(host_priv->hcr_base);
+ kfree(host_priv);
+}
+
/*
* scsi mid-layer and libata interface structures
*/
@@ -1426,6 +1434,8 @@ static struct ata_port_operations sata_f
.port_start = sata_fsl_port_start,
.port_stop = sata_fsl_port_stop,
+ .host_stop = sata_fsl_host_stop,
+
.pmp_attach = sata_fsl_pmp_attach,
.pmp_detach = sata_fsl_pmp_detach,
};
@@ -1558,8 +1568,6 @@ static int sata_fsl_remove(struct platfo
ata_host_detach(host);
irq_dispose_mapping(host_priv->irq);
- iounmap(host_priv->hcr_base);
- kfree(host_priv);
return 0;
}
next prev parent reply other threads:[~2021-12-06 15:25 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-06 14:56 [PATCH 5.4 00/70] 5.4.164-rc1 review Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 01/70] NFSv42: Fix pagecache invalidation after COPY/CLONE Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 02/70] of: clk: Make <linux/of_clk.h> self-contained Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 03/70] arm64: dts: mcbin: support 2W SFP modules Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 04/70] can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 05/70] gfs2: Fix length of holes reported at end-of-file Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 06/70] drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 07/70] mac80211: do not access the IV when it was stripped Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 08/70] net/smc: Transfer remaining wait queue entries during fallback Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 09/70] atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 10/70] net: return correct error code Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 11/70] platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 12/70] s390/setup: avoid using memblock_enforce_memory_limit Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 13/70] btrfs: check-integrity: fix a warning on write caching disabled disk Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 14/70] thermal: core: Reset previous low and high trip during thermal zone init Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 15/70] scsi: iscsi: Unblock session then wake up error handler Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 16/70] ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 17/70] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 18/70] net: tulip: de4x5: fix the problem that the array lp->phy[8] may be out of bound Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 19/70] net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 20/70] perf hist: Fix memory leak of a perf_hpp_fmt Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 21/70] perf report: Fix memory leaks around perf_tip() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 22/70] net/smc: Avoid warning of possible recursive locking Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 23/70] vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 24/70] kprobes: Limit max data_size of the kretprobe instances Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 25/70] rt2x00: do not mark device gone on EPROTO errors during start Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 26/70] ipmi: Move remove_work to dedicated workqueue Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 27/70] cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 28/70] s390/pci: move pseudo-MMIO to prevent MIO overlap Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 29/70] fget: check that the fd still exists after getting a ref to it Greg Kroah-Hartman
2021-12-06 14:56 ` Greg Kroah-Hartman [this message]
2021-12-06 14:56 ` [PATCH 5.4 31/70] sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 32/70] i2c: stm32f7: flush TX FIFO upon transfer errors Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 33/70] i2c: stm32f7: recover the bus on access timeout Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 34/70] i2c: stm32f7: stop dma transfer in case of NACK Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 35/70] i2c: cbus-gpio: set atomic transfer callback Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 36/70] natsemi: xtensa: fix section mismatch warnings Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 37/70] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 38/70] net: mpls: Fix notifications when deleting a device Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 39/70] siphash: use _unaligned version by default Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 40/70] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 41/70] selftests: net: Correct case name Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 42/70] rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 43/70] net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 44/70] net: marvell: mvpp2: Fix the computation of shared CPUs Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 45/70] net: annotate data-races on txq->xmit_lock_owner Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 46/70] ipv4: convert fib_num_tclassid_users to atomic_t Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 47/70] net/rds: correct socket tunable error in rds_tcp_tune() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 48/70] net/smc: Keep smc_close_final rc during active close Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 49/70] drm/msm: Do hw_init() before capturing GPU state Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 50/70] ipv6: fix memory leak in fib6_rule_suppress Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 51/70] KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 52/70] sched/uclamp: Fix rq->uclamp_max not set on first enqueue Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 53/70] parisc: Fix KBUILD_IMAGE for self-extracting kernel Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 54/70] parisc: Fix "make install" on newer debian releases Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 55/70] vgacon: Propagate console boot parameters before calling `vc_resize Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 56/70] xhci: Fix commad ring abort, write all 64 bits to CRCR register Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 57/70] USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 58/70] usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 59/70] x86/tsc: Add a timer to make sure TSC_adjust is always checked Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 60/70] x86/tsc: Disable clocksource watchdog for TSC on qualified platorms Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 61/70] x86/64/mm: Map all kernel memory into trampoline_pgd Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 62/70] tty: serial: msm_serial: Deactivate RX DMA for polling support Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 63/70] serial: pl011: Add ACPI SBSA UART match id Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 64/70] serial: core: fix transmit-buffer reset and memleak Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 65/70] serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 66/70] serial: 8250_pci: rewrite pericom_do_set_divisor() Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 67/70] iwlwifi: mvm: retry init flow if failed Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 68/70] parisc: Mark cr16 CPU clocksource unstable on all SMP machines Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 69/70] net/tls: Fix authentication failure in CCM mode Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 70/70] ipmi: msghandler: Make symbol remove_work_wq static Greg Kroah-Hartman
2021-12-06 18:57 ` [PATCH 5.4 00/70] 5.4.164-rc1 review Florian Fainelli
2021-12-06 21:57 ` Shuah Khan
2021-12-07 2:19 ` Samuel Zou
2021-12-07 9:16 ` Naresh Kamboju
2021-12-07 20:41 ` Guenter Roeck
2021-12-08 10:29 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211206145552.964106221@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=damien.lemoal@opensource.wdc.com \
--cc=hulkci@huawei.com \
--cc=libaokun1@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sergei.shtylyov@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox