From: Dinghao Liu dinghao.liu@zju.edu.cn
stable inclusion from stable-v4.19.297 commit cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95ASM CVE: CVE-2023-52510
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ]
If of_clk_add_provider() fails in ca8210_register_ext_clock(), it calls clk_unregister() to release priv->clk and returns an error. However, the caller ca8210_probe() then calls ca8210_remove(), where priv->clk is freed again in ca8210_unregister_ext_clock(). In this case, a use-after-free may happen in the second time we call clk_unregister().
Fix this by removing the first clk_unregister(). Also, priv->clk could be an error code on failure of clk_register_fixed_rate(). Use IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") Signed-off-by: Dinghao Liu dinghao.liu@zju.edu.cn Message-ID: 20231007033049.22353-1-dinghao.liu@zju.edu.cn Signed-off-by: Stefan Schmidt stefan@datenfreihafen.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yu Liao liaoyu15@huawei.com --- drivers/net/ieee802154/ca8210.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c index 38a41651e451..324ce317b864 100644 --- a/drivers/net/ieee802154/ca8210.c +++ b/drivers/net/ieee802154/ca8210.c @@ -2779,7 +2779,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi) struct device_node *np = spi->dev.of_node; struct ca8210_priv *priv = spi_get_drvdata(spi); struct ca8210_platform_data *pdata = spi->dev.platform_data; - int ret = 0;
if (!np) return -EFAULT; @@ -2796,18 +2795,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi) dev_crit(&spi->dev, "Failed to register external clk\n"); return PTR_ERR(priv->clk); } - ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk); - if (ret) { - clk_unregister(priv->clk); - dev_crit( - &spi->dev, - "Failed to register external clock as clock provider\n" - ); - } else { - dev_info(&spi->dev, "External clock set as clock provider\n"); - }
- return ret; + return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk); }
/** @@ -2819,8 +2808,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi) { struct ca8210_priv *priv = spi_get_drvdata(spi);
- if (!priv->clk) - return + if (IS_ERR_OR_NULL(priv->clk)) + return;
of_clk_del_provider(spi->dev.of_node); clk_unregister(priv->clk);
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8OSNK CVE: NA
--------------------------------
This reverts commit 48725c8f5d6e2457ef00f3bc46b5fb38c9389d50.
Signed-off-by: Yu Liao liaoyu15@huawei.com --- include/linux/cpuhotplug.h | 1 + include/linux/hrtimer.h | 2 +- include/linux/smp.h | 1 - kernel/cpu.c | 19 ++++++------------- kernel/smp.c | 8 -------- 5 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h index d67c0035165c..a17bb2c393d4 100644 --- a/include/linux/cpuhotplug.h +++ b/include/linux/cpuhotplug.h @@ -137,6 +137,7 @@ enum cpuhp_state { CPUHP_AP_ARM_CORESIGHT_STARTING, CPUHP_AP_ARM64_ISNDEP_STARTING, CPUHP_AP_SMPCFD_DYING, + CPUHP_AP_HRTIMERS_DYING, CPUHP_AP_X86_TBOOT_DYING, CPUHP_AP_ARM_CACHE_B15_RAC_DYING, CPUHP_AP_ONLINE, diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h index 290345a0b605..3bdaa92a2cab 100644 --- a/include/linux/hrtimer.h +++ b/include/linux/hrtimer.h @@ -510,7 +510,7 @@ int hrtimers_prepare_cpu(unsigned int cpu); #ifdef CONFIG_HOTPLUG_CPU int hrtimers_cpu_dying(unsigned int cpu); #else -static inline int hrtimers_cpu_dying(unsigned int cpu) { return 0; } +#define hrtimers_cpu_dying NULL #endif
#endif diff --git a/include/linux/smp.h b/include/linux/smp.h index 634659d48a5f..9fb239e12b82 100644 --- a/include/linux/smp.h +++ b/include/linux/smp.h @@ -220,6 +220,5 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par, int smpcfd_prepare_cpu(unsigned int cpu); int smpcfd_dead_cpu(unsigned int cpu); int smpcfd_dying_cpu(unsigned int cpu); -int smpcfd_and_hrtimer_dying_cpu(unsigned int cpu);
#endif /* __LINUX_SMP_H */ diff --git a/kernel/cpu.c b/kernel/cpu.c index cfed9b994e62..83f6cc6f6c61 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -1452,23 +1452,16 @@ static struct cpuhp_step cpuhp_hp_states[] = { .startup.single = NULL, .teardown.single = rcutree_dying_cpu, }, - /* - * In order to fix the kabi breakage, we had to move the hrtimers:dying - * step into smpcfd:dying and create a new function smpcfd_and_hrtimer_dying_cpu(). - * Please ensure that there are no other steps with teardown handler - * between smpcfd:dying and cpu:teardown. - */ [CPUHP_AP_SMPCFD_DYING] = { .name = "smpcfd:dying", .startup.single = NULL, - .teardown.single = smpcfd_and_hrtimer_dying_cpu, + .teardown.single = smpcfd_dying_cpu, + }, + [CPUHP_AP_HRTIMERS_DYING] = { + .name = "hrtimers:dying", + .startup.single = NULL, + .teardown.single = hrtimers_cpu_dying, }, - - /* - * Attention: Please do not add steps between smpcfd:dying - * and ap:online. Please refer to the above for specific - * reasons. - */
/* Entry state on starting. Interrupts enabled from here on. Transient * state for synchronsization */ diff --git a/kernel/smp.c b/kernel/smp.c index 979b3b13e741..be15d3a57954 100644 --- a/kernel/smp.c +++ b/kernel/smp.c @@ -71,14 +71,6 @@ int smpcfd_dead_cpu(unsigned int cpu) return 0; }
-int smpcfd_and_hrtimer_dying_cpu(unsigned int cpu) -{ - hrtimers_cpu_dying(cpu); - smpcfd_dying_cpu(cpu); - - return 0; -} - int smpcfd_dying_cpu(unsigned int cpu) { /*
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/4945 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/R...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/4945 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/R...
-
patchwork bot -
Yu Liao