kernel_optimize_test/drivers
Lv Yunlong 594205b493 drbd: Fix five use after free bugs in get_initial_state
[ Upstream commit aadb22ba2f656581b2f733deb3a467c48cc618f6 ]

In get_initial_state, it calls notify_initial_state_done(skb,..) if
cb->args[5]==1. If genlmsg_put() failed in notify_initial_state_done(),
the skb will be freed by nlmsg_free(skb).
Then get_initial_state will goto out and the freed skb will be used by
return value skb->len, which is a uaf bug.

What's worse, the same problem goes even further: skb can also be
freed in the notify_*_state_change -> notify_*_state calls below.
Thus 4 additional uaf bugs happened.

My patch lets the problematic callee functions, notify_initial_state_done
and notify_*_state_change, return an error code if errors happen,
so that the error codes can be propagated and the uaf bugs can be avoided.

v2 reports a compilation warning. This v3 fixed this warning and built
successfully in my local environment with no additional warnings.
v2: https://lore.kernel.org/patchwork/patch/1435218/

Fixes: a29728463b ("drbd: Backport the "events2" command")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-04-13 21:01:06 +02:00
accessibility speakup-dectlk: Restore pitch setting 2022-02-16 12:54:30 +01:00
acpi ACPI: CPPC: Avoid out of bounds access when parsing _CPC data 2022-04-08 14:40:42 +02:00
amba amba: Make the remove callback return void 2022-04-08 14:40:02 +02:00
android binder: fix handling of error during copy 2022-01-27 10:54:06 +01:00
ata ata: pata_hpt37x: fix PCI clock detection 2022-03-08 19:09:31 +01:00
atm atm: eni: Add check for dma_map_single 2022-03-23 09:13:27 +01:00
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 14:04:24 +01:00
base PM: core: keep irq flags in device_pm_check_callbacks() 2022-04-08 14:40:32 +02:00
bcma
block drbd: Fix five use after free bugs in get_initial_state 2022-04-13 21:01:06 +02:00
bluetooth Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt 2022-04-08 14:40:22 +02:00
bus mips: cdmm: Fix refcount leak in mips_cdmm_phys_base 2022-04-08 14:40:20 +02:00
cdrom
char virtio_console: eliminate anonymous module_init & module_exit 2022-04-13 21:01:02 +02:00
clk clk: Enforce that disjoints limits are invalid 2022-04-13 21:01:02 +02:00
clocksource clocksource: acpi_pm: fix return value of __setup handler 2022-04-08 14:40:03 +02:00
connector
counter counter: stm32-lptimer-cnt: remove iio counter abi 2022-01-27 10:54:08 +01:00
cpufreq cpufreq: qcom-cpufreq-nvmem: fix reading of PVS Valid fuse 2022-04-08 14:40:24 +02:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 14:04:05 +01:00
crypto crypto: ccree - Fix use after free in cc_cipher_exit() 2022-04-08 14:40:02 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-04-08 14:40:16 +02:00
dca
devfreq
dio
dma dmaengine: hisi_dma: fix MSI allocate fail when reload hisi_dma 2022-04-08 14:40:26 +02:00
dma-buf udmabuf: validate ubuf->pagecount 2022-04-08 14:40:12 +02:00
edac EDAC: Fix calculation of returned address and next offset in edac_align_ptr() 2022-02-23 12:01:07 +01:00
eisa
extcon
firewire
firmware firmware: google: Properly state IOMEM dependency 2022-04-08 14:40:28 +02:00
fpga
fsi fsi: Aspeed: Fix a potential double free 2022-04-08 14:40:23 +02:00
gnss
gpio Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)" 2022-04-08 14:39:48 +02:00
gpu drm/imx: Fix memory leak in imx_pd_connector_get_modes 2022-04-13 21:01:04 +02:00
greybus greybus: svc: fix an error handling bug in gb_svc_hello() 2022-04-08 14:39:50 +02:00
hid HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports 2022-04-08 14:40:15 +02:00
hsi HSI: core: Fix return freed object in hsi_new_client 2022-01-27 10:54:12 +01:00
hv Drivers: hv: vmbus: Fix potential crash on module unload 2022-04-13 21:01:04 +02:00
hwmon hwmon: (pmbus) Add Vin unit off handling 2022-04-08 14:40:02 +02:00
hwspinlock
hwtracing amba: Make the remove callback return void 2022-04-08 14:40:02 +02:00
i2c i2c: mux: demux-pinctrl: do not deactivate a master that is not active 2022-04-08 14:40:22 +02:00
i3c
ide
idle
iio iio: adc: Add check for devm_request_threaded_irq 2022-04-08 14:40:25 +02:00
infiniband IB/rdmavt: add lock to call to rvt_error_qp to prevent a race condition 2022-04-13 21:01:05 +02:00
input amba: Make the remove callback return void 2022-04-08 14:40:02 +02:00
interconnect
iommu iommu/arm-smmu-v3: fix event handling soft lockup 2022-04-13 21:00:56 +02:00
ipack
irqchip irqchip/nvic: Release nvic_base upon failure 2022-04-08 14:40:31 +02:00
isdn isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() 2022-03-16 14:15:57 +01:00
leds
lightnvm
macintosh
mailbox mailbox: imx: fix wakeup failure from freeze mode 2022-04-08 14:40:41 +02:00
mcb
md dm: requeue IO if mapping table not yet available 2022-04-13 21:00:57 +02:00
media media: hdpvr: initialize dev->worker at hdpvr_register_videodev 2022-04-08 14:40:36 +02:00
memory memory: emif: check the pointer temp in get_device_details() 2022-04-08 14:40:09 +02:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 14:04:07 +01:00
message
mfd mfd: asic3: Add missing iounmap() on error asic3_mfd_probe 2022-04-08 14:40:23 +02:00
misc kgdbts: fix return value of __setup handler 2022-04-08 14:40:28 +02:00
mmc mmc: host: Return an error when ->enable_sdio_irq() ops is missing 2022-04-08 14:40:36 +02:00
most most: fix control-message timeouts 2021-11-18 14:03:51 +01:00
mtd ubi: fastmap: Return error code if memory allocation fails in add_aeb() 2022-04-08 14:40:43 +02:00
mux
net qede: confirm skb is allocated before using 2022-04-13 21:01:06 +02:00
nfc nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION 2022-03-28 09:57:07 +02:00
ntb ntb: intel: fix port config status offset for SPR 2022-03-08 19:09:32 +01:00
nubus
nvdimm nvdimm/region: Fix default alignment for small regions 2022-04-08 14:40:26 +02:00
nvme nvme-tcp: lockdep: annotate in-kernel sockets 2022-04-08 14:40:32 +02:00
nvmem nvmem: core: set size for sysfs bin file 2022-01-27 10:54:22 +01:00
of of: base: Improve argument length mismatch error 2022-01-27 10:54:28 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 14:04:22 +01:00
oprofile
parisc parisc: Fix CPU affinity for Lasi, WAX and Dino chips 2022-04-13 21:01:03 +02:00
parport
pci PCI: endpoint: Fix misused goto label 2022-04-13 21:00:59 +02:00
pcmcia pcmcia: fix setting of kthread task states 2022-01-27 10:54:03 +01:00
perf
phy phy: amlogic: meson8b-usb2: Use dev_err_probe() 2022-04-13 21:01:01 +02:00
pinctrl pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() 2022-04-08 14:40:41 +02:00
platform platform/chrome: cros_ec_typec: Check for EC device 2022-04-08 14:40:42 +02:00
pnp
power power: supply: axp288-charger: Set Vhold to 4.4V 2022-04-13 21:00:57 +02:00
powercap
pps
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-04-13 21:00:55 +02:00
pwm pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() 2022-04-08 14:40:23 +02:00
rapidio
ras
regulator regulator: rpi-panel: Handle I2C errors/timing to the Atmel 2022-04-08 14:40:30 +02:00
remoteproc remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region 2022-04-08 14:40:26 +02:00
reset reset: socfpga: add empty driver allowing consumers to probe 2021-11-18 14:03:42 +01:00
rpmsg rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev 2022-02-01 17:25:43 +01:00
rtc rtc: wm8350: Handle error for wm8350_register_irq 2022-04-13 21:00:54 +02:00
s390 scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices 2022-02-01 17:25:39 +01:00
sbus
scsi scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one() 2022-04-13 21:01:04 +02:00
sfi
sh maple: fix wrong return value of maple_bus_init(). 2021-11-26 10:39:12 +01:00
siox
slimbus
soc soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe 2022-04-08 14:40:07 +02:00
soundwire soundwire: intel: fix wrong register name in intel_shim_wake 2022-04-08 14:40:24 +02:00
spi spi: bcm-qspi: fix MSPI only access with bcm_qspi_exec_mem_op() 2022-04-13 21:01:06 +02:00
spmi
ssb
staging staging: wfx: fix an error handling in wfx_init_common() 2022-04-13 21:01:01 +02:00
target scsi: target: iscsi: Make sure the np under each tpg is unique 2022-02-16 12:54:19 +01:00
tc
tee optee: use driver internal tee_context for some rpc 2022-03-02 11:42:47 +01:00
thermal thermal: int340x: Check for NULL after calling kmemdup() 2022-04-08 14:39:59 +02:00
thunderbolt thunderbolt: Runtime PM activate both ends of the device link 2022-01-27 10:54:14 +01:00
tty serial: samsung_tty: do not unlock port->lock for uart_write_wakeup() 2022-04-13 21:01:02 +02:00
uio
usb usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm 2022-04-13 21:01:00 +02:00
vdpa vdpa/mlx5: should verify CTRL_VQ feature exists for MQ 2022-04-08 14:39:47 +02:00
vfio amba: Make the remove callback return void 2022-04-08 14:40:02 +02:00
vhost tuntap: add sanity checks about msg_controllen in sendmsg 2022-04-13 21:00:59 +02:00
video video: fbdev: sm712fb: Fix crash in smtcfb_write() 2022-04-08 14:40:36 +02:00
virt
virtio virtio: acknowledge all features before access 2022-03-16 14:16:02 +01:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-04-13 21:01:01 +02:00
watchdog watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function 2022-04-08 14:40:41 +02:00
xen xen/gnttab: fix gnttab_end_foreign_access() without page specified 2022-03-11 12:11:54 +01:00
zorro
Kconfig
Makefile