pm24.git, branch v5.12-rc6 Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom?h=v5.12-rc6 2021-04-04T21:15:36Z Linux 5.12-rc6 2021-04-04T21:15:36Z Linus Torvalds torvalds@linux-foundation.org 2021-04-04T21:15:36Z urn:sha1:e49d033bddf5b565044e2abe4241353959bc9120 firewire: nosy: Fix a use-after-free bug in nosy_ioctl() 2021-04-04T21:05:45Z Zheyu Ma zheyuma97@gmail.com 2021-04-03T06:58:36Z urn:sha1:829933ef05a951c8ff140e814656d73e74915faf For each device, the nosy driver allocates a pcilynx structure. A use-after-free might happen in the following scenario: 1. Open nosy device for the first time and call ioctl with command NOSY_IOC_START, then a new client A will be malloced and added to doubly linked list. 2. Open nosy device for the second time and call ioctl with command NOSY_IOC_START, then a new client B will be malloced and added to doubly linked list. 3. Call ioctl with command NOSY_IOC_START for client A, then client A will be readded to the doubly linked list. Now the doubly linked list is messed up. 4. Close the first nosy device and nosy_release will be called. In nosy_release, client A will be unlinked and freed. 5. Close the second nosy device, and client A will be referenced, resulting in UAF. The root cause of this bug is that the element in the doubly linked list is reentered into the list. Fix this bug by adding a check before inserting a client. If a client is already in the linked list, don't insert it. The following KASAN report reveals it: BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210 Write of size 8 at addr ffff888102ad7360 by task poc CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: nosy_release+0x1ea/0x210 __fput+0x1e2/0x840 task_work_run+0xe8/0x180 exit_to_user_mode_prepare+0x114/0x120 syscall_exit_to_user_mode+0x1d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 337: nosy_open+0x154/0x4d0 misc_open+0x2ec/0x410 chrdev_open+0x20d/0x5a0 do_dentry_open+0x40f/0xe80 path_openat+0x1cf9/0x37b0 do_filp_open+0x16d/0x390 do_sys_openat2+0x11d/0x360 __x64_sys_open+0xfd/0x1a0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 337: kfree+0x8f/0x210 nosy_release+0x158/0x210 __fput+0x1e2/0x840 task_work_run+0xe8/0x180 exit_to_user_mode_prepare+0x114/0x120 syscall_exit_to_user_mode+0x1d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380) [ Modified to use 'list_empty()' inside proper lock - Linus ] Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/ Reported-and-tested-by: 马哲宇 (Zheyu Ma) <zheyuma97@gmail.com> Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> Cc: Greg Kroah-Hartman <greg@kroah.com> Cc: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Merge tag 'for-linus' of git://github.com/openrisc/linux 2021-04-03T22:42:45Z Linus Torvalds torvalds@linux-foundation.org 2021-04-03T22:42:45Z urn:sha1:2023a53bdf41b7646b1d384b6816af06309f73a5 Pull OpenRISC fix from Stafford Horne: "Fix duplicate header include in Litex SOC driver" * tag 'for-linus' of git://github.com/openrisc/linux: soc: litex: Remove duplicated header file inclusion Merge tag 'io_uring-5.12-2021-04-03' of git://git.kernel.dk/linux-block 2021-04-03T21:26:47Z Linus Torvalds torvalds@linux-foundation.org 2021-04-03T21:26:47Z urn:sha1:d83e98f9d8c88cbae1b05fa5751bddfcf0e222b2 POull io_uring fix from Jens Axboe: "Just fixing a silly braino in a previous patch, where we'd end up failing to compile if CONFIG_BLOCK isn't enabled. Not that a lot of people do that, but kernel bot spotted it and it's probably prudent to just flush this out now before -rc6. Sorry about that, none of my test compile configs have !CONFIG_BLOCK" * tag 'io_uring-5.12-2021-04-03' of git://git.kernel.dk/linux-block: io_uring: fix !CONFIG_BLOCK compilation failure soc: litex: Remove duplicated header file inclusion 2021-04-03T20:46:46Z Zhen Lei thunder.leizhen@huawei.com 2021-03-31T13:06:43Z urn:sha1:1683f7de65dbf0a2c6a7d639173fe92430a28930 The header file <linux/errno.h> is already included above and can be removed here. Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com> Signed-off-by: Mateusz Holenko <mholenko@antmicro.com> Signed-off-by: Stafford Horne <shorne@gmail.com> Merge tag 'gfs2-v5.12-rc2-fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 2021-04-03T19:15:01Z Linus Torvalds torvalds@linux-foundation.org 2021-04-03T19:15:01Z urn:sha1:8e29be3468d4565dd95fbb098df0d7a79ee60d71 Pull gfs2 fixes from Andreas Gruenbacher: "Two more gfs2 fixes" * tag 'gfs2-v5.12-rc2-fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: gfs2: report "already frozen/thawed" errors gfs2: Flag a withdraw if init_threads() fails Merge tag 'riscv-for-linus-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux 2021-04-03T18:52:18Z Linus Torvalds torvalds@linux-foundation.org 2021-04-03T18:52:18Z urn:sha1:7fd7d5c20129d2227b95cbe567b24559f144b77c Pull RISC-V fixes from Palmer Dabbelt: "A handful of fixes for 5.12: - fix a stack tracing regression related to "const register asm" variables, which have unexpected behavior. - ensure the value to be written by put_user() is evaluated before enabling access to userspace memory.. - align the exception vector table correctly, so we don't rely on the firmware's handling of unaligned accesses. - build fix to make NUMA depend on MMU, which triggered on some randconfigs" * tag 'riscv-for-linus-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: Make NUMA depend on MMU riscv: remove unneeded semicolon riscv,entry: fix misaligned base for excp_vect_table riscv: evaluate put_user() arg before enabling user access riscv: Drop const annotation for sp Merge tag 'powerpc-5.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux 2021-04-03T17:49:38Z Linus Torvalds torvalds@linux-foundation.org 2021-04-03T17:49:38Z urn:sha1:9c2ef23e4dae122d2b18e834d90f8bd4dda48fe6 Pull powerpc fixes from Michael Ellerman: "Fix a bug on pseries where spurious wakeups from H_PROD would prevent partition migration from succeeding. Fix oopses seen in pcpu_alloc(), caused by parallel faults of the percpu mapping causing us to corrupt the protection key used for the mapping, and cause a fatal key fault. Thanks to Aneesh Kumar K.V, Murilo Opsfelder Araujo, and Nathan Lynch" * tag 'powerpc-5.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/mm/book3s64: Use the correct storage key value when calling H_PROTECT powerpc/pseries/mobility: handle premature return from H_JOIN powerpc/pseries/mobility: use struct for shared state Merge tag 'hyperv-fixes-signed-20210402' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux 2021-04-03T17:42:20Z Linus Torvalds torvalds@linux-foundation.org 2021-04-03T17:42:20Z urn:sha1:fa16199500c8863da145870f01d61617d967b6c3 Pull Hyper-V fixes from Wei Liu: "One fix from Lu Yunlong for a double free in hvfb_probe" * tag 'hyperv-fixes-signed-20210402' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux: video: hyperv_fb: Fix a double free in hvfb_probe Merge tag 'driver-core-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core 2021-04-03T17:14:47Z Linus Torvalds torvalds@linux-foundation.org 2021-04-03T17:14:47Z urn:sha1:f5664825fc2055ed9a0e4988cfc3aeb199dce520 Pull driver core fix from Greg KH: "Here is a single driver core fix for a reported problem with differed probing. It has been in linux-next for a while with no reported problems" * tag 'driver-core-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: driver core: clear deferred probe reason on probe retry