Patch "thunderbolt: Fix double free of drom buffer" has been added to the 4.5-stable tree

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* Patch "thunderbolt: Fix double free of drom buffer" has been added to the 4.5-stable tree
@ 2016-05-30 20:22 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-05-30 20:22 UTC (permalink / raw)
  To: andreas.noever, bhelgaas, gregkh, lukas; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    thunderbolt: Fix double free of drom buffer

to the 4.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     thunderbolt-fix-double-free-of-drom-buffer.patch
and it can be found in the queue-4.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 2ffa9a5d76a75abbc1f95c17959fced666095bdd Mon Sep 17 00:00:00 2001
From: Andreas Noever <andreas.noever@gmail.com>
Date: Sun, 10 Apr 2016 12:48:27 +0200
Subject: thunderbolt: Fix double free of drom buffer

From: Andreas Noever <andreas.noever@gmail.com>

commit 2ffa9a5d76a75abbc1f95c17959fced666095bdd upstream.

If tb_drom_read() fails, sw->drom is freed but not set to NULL.  sw->drom
is then freed again in the error path of tb_switch_alloc().

The bug can be triggered by unplugging a thunderbolt device shortly after
it is detected by the thunderbolt driver.

Clear sw->drom if tb_drom_read() fails.

[bhelgaas: add Fixes:, stable versions of interest]
Fixes: 343fcb8c70d7 ("thunderbolt: Fix nontrivial endpoint devices.")
Signed-off-by: Andreas Noever <andreas.noever@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/thunderbolt/eeprom.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/thunderbolt/eeprom.c
+++ b/drivers/thunderbolt/eeprom.c
@@ -444,6 +444,7 @@ int tb_drom_read(struct tb_switch *sw)
 	return tb_drom_parse_entries(sw);
 err:
 	kfree(sw->drom);
+	sw->drom = NULL;
 	return -EIO;
 
 }


Patches currently in stable-queue which might be from andreas.noever@gmail.com are

queue-4.5/thunderbolt-fix-double-free-of-drom-buffer.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2016-05-30 20:22 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-30 20:22 Patch "thunderbolt: Fix double free of drom buffer" has been added to the 4.5-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox