authorJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:43 +0200
committerJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:52 +0200
commit71355bb36ecbe5c275dda911c12248d771b70e0a (patch)
treefcd06d3667dd39e274d401dceb62f4e58bbc9fd5
parent806227a297b1e41b21ad136b32584bbaf8be566e (diff)
drivers/virt/fsl_hypervisor.c: dereferencing error pointers
in ioctl (bnc#1012628).
-rw-r--r--patches.kernel.org/5.1.3-034-drivers-virt-fsl_hypervisor.c-dereferencing-err.patch110
-rw-r--r--series.conf1
2 files changed, 111 insertions, 0 deletions
diff --git a/patches.kernel.org/5.1.3-034-drivers-virt-fsl_hypervisor.c-dereferencing-err.patch b/patches.kernel.org/5.1.3-034-drivers-virt-fsl_hypervisor.c-dereferencing-err.patch
new file mode 100644
index 0000000000..926bc2ee74
--- /dev/null
+++ b/patches.kernel.org/5.1.3-034-drivers-virt-fsl_hypervisor.c-dereferencing-err.patch
@@ -0,0 +1,110 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:00 -0700
+Subject: [PATCH] drivers/virt/fsl_hypervisor.c: dereferencing error pointers
+ in ioctl
+References: bnc#1012628
+Patch-mainline: 5.1.3
+Git-commit: c8ea3663f7a8e6996d44500ee818c9330ac4fd88
+
+commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream.
+
+strndup_user() returns error pointers on error, and then in the error
+handling we pass the error pointers to kfree(). It will cause an Oops.
+
+Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/virt/fsl_hypervisor.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c
+index 8ba726e600e9..7b7f8e9a2801 100644
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
+ struct fsl_hv_ioctl_prop param;
+ char __user *upath, *upropname;
+ void __user *upropval;
+- char *path = NULL, *propname = NULL;
+- void *propval = NULL;
++ char *path, *propname;
++ void *propval;
+ int ret = 0;
+
+ /* Get the parameters from the user. */
+@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
+ upropval = (void __user *)(uintptr_t)param.propval;
+
+ path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);
+- if (IS_ERR(path)) {
+- ret = PTR_ERR(path);
+- goto out;
+- }
++ if (IS_ERR(path))
++ return PTR_ERR(path);
+
+ propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);
+ if (IS_ERR(propname)) {
+ ret = PTR_ERR(propname);
+- goto out;
++ goto err_free_path;
+ }
+
+ if (param.proplen > FH_DTPROP_MAX_PROPLEN) {
+ ret = -EINVAL;
+- goto out;
++ goto err_free_propname;
+ }
+
+ propval = kmalloc(param.proplen, GFP_KERNEL);
+ if (!propval) {
+ ret = -ENOMEM;
+- goto out;
++ goto err_free_propname;
+ }
+
+ if (set) {
+ if (copy_from_user(propval, upropval, param.proplen)) {
+ ret = -EFAULT;
+- goto out;
++ goto err_free_propval;
+ }
+
+ param.ret = fh_partition_set_dtprop(param.handle,
+@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
+ if (copy_to_user(upropval, propval, param.proplen) ||
+ put_user(param.proplen, &p->proplen)) {
+ ret = -EFAULT;
+- goto out;
++ goto err_free_propval;
+ }
+ }
+ }
+@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
+ if (put_user(param.ret, &p->ret))
+ ret = -EFAULT;
+
+-out:
+- kfree(path);
++err_free_propval:
+ kfree(propval);
++err_free_propname:
+ kfree(propname);
++err_free_path:
++ kfree(path);
+
+ return ret;
+ }
+--
+2.21.0
+
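Review bot: In the get branch, `copy_to_user(upropval, propval, param.proplen)` takes its length from `param.proplen`, and the `put_user(param.proplen, &p->proplen)` right after it suggests the hypercall may have rewritten that field since it was checked against `FH_DTPROP_MAX_PROPLEN` and used to size the `kmalloc()`. The hypercall sits between the hunks and is not visible here, so this needs confirming; if the returned length can exceed the allocation, the copy would read past `propval` and expose adjacent heap bytes to user space. Keeping the allocated size in a local (say `alloc_len`) and rejecting a larger returned value before the copy would close that: `if (param.proplen > alloc_len) { ret = -EINVAL; goto err_free_propval; }`. Separately, the success path also falls through the `err_free_*` labels, so a short comment such as `/* success also falls through the cleanup labels below */` above `err_free_propval:` would help readers.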
diff --git a/series.conf b/series.conf
index 093a9b124f..8bcb85b709 100644
--- a/series.conf
+++ b/series.conf
@@ -119,6 +119,7 @@
patches.kernel.org/5.1.3-031-net-phy-fix-phy_validate_pause.patch
patches.kernel.org/5.1.3-032-flow_dissector-disable-preemption-around-BPF-ca.patch
patches.kernel.org/5.1.3-033-isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch
+ patches.kernel.org/5.1.3-034-drivers-virt-fsl_hypervisor.c-dereferencing-err.patch
########################################################
# Build fixes that apply to the vanilla kernel too.