public inbox for stable@vger.kernel.org
From: Lee Jones <lee@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org,
	Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
	Bjorn Andersson <bjorn.andersson@linaro.org>
Subject: Re: [PATCH v5.15.y 3/3] rpmsg: Fix kfree() of static memory on setting driver_override
Date: Mon, 23 Oct 2023 10:39:03 +0100
Message-ID: <20231023093903.GD8909@google.com>
In-Reply-To: <2023102325-untie-divisibly-8b97@gregkh>

On Mon, 23 Oct 2023, Greg Kroah-Hartman wrote:

> On Wed, Oct 18, 2023 at 01:04:34PM +0100, Lee Jones wrote:
> > From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> > 
> > commit 42cd402b8fd4672b692400fe5f9eecd55d2794ac upstream.
> > 
> > The driver_override field from platform driver should not be initialized
> > from static memory (string literal) because the core later kfree() it,
> > for example when driver_override is set via sysfs.
> > 
> > Use dedicated helper to set driver_override properly.
> > 
> > Fixes: 950a7388f02b ("rpmsg: Turn name service into a stand alone driver")
> > Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
> > Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> > Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> > Link: https://lore.kernel.org/r/20220419113435.246203-13-krzysztof.kozlowski@linaro.org
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Signed-off-by: Lee Jones <lee@kernel.org>
> > ---
> >  drivers/rpmsg/rpmsg_internal.h | 13 +++++++++++--
> >  include/linux/rpmsg.h          |  6 ++++--
> >  2 files changed, 15 insertions(+), 4 deletions(-)
> 
> Any specific reason why you missed the fixes for this commit as well?
> Turned out to need some more things after this :(

No reason not to.  I didn't notice them.

> Why are these needed at all for the stable kernels anyway?  It's good to
> have in the tree, but who is using manual overrides for the rpmsg driver
> in the first place?

UAF.

> I'm going to drop all of these from the stable queues now and wait for a
> fixed up set of patches with a good reason to justify their existence in
> the stable trees.

As per our SOP, I'd like to avoid spelling it out.

Ping me for details if you really want to know.

Which patches have you dropped?  Just these 3 or all branches?

-- 
Lee Jones [李琼斯]
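
The ownership rule from the quoted commit message, as an added user-space C model that is not part of this thread or of the kernel patch. `struct model_dev`, `init_buggy()`, `model_set_override()` and the driver name are hypothetical, and the newline handling is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed driver name with static storage; it must never reach free(). */
static const char example_name[] = "example_drv";

struct model_dev {
    char *driver_override; /* invariant: NULL or heap memory owned by the device */
};

/* Pattern the commit removes: the field aliases static memory, so a later
 * store that frees the old value would free something that was never allocated. */
static void init_buggy(struct model_dev *d)
{
    d->driver_override = (char *)example_name;
}

/* Hypothetical helper: always store a private heap copy, so freeing is valid. */
static int model_set_override(struct model_dev *d, const char *s, size_t len)
{
    char *copy;

    if (len && s[len - 1] == '\n') /* model assumption: drop a trailing newline */
        len--;
    if (!len) {                    /* empty input clears the override */
        free(d->driver_override);
        d->driver_override = NULL;
        return 0;
    }
    copy = malloc(len + 1);
    if (!copy)
        return -1;                 /* on failure the old value stays in place */
    memcpy(copy, s, len);
    copy[len] = '\0';
    free(d->driver_override);      /* valid only because the invariant holds */
    d->driver_override = copy;
    return 0;
}

int main(void)
{
    struct model_dev bad = {0}, good = {0};

    init_buggy(&bad); /* shown for contrast; never passed to the helper */
    model_set_override(&good, example_name, strlen(example_name));
    printf("buggy aliases static: %d, helper aliases static: %d\n",
           bad.driver_override == example_name, good.driver_override == example_name);
    return model_set_override(&good, "\n", 1); /* clear: frees the heap copy */
}
```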
