Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3278612imm; Tue, 17 Jul 2018 01:59:52 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfeYVEFOvUCGy5iawxs2M9WmfMxEWV3J6d5BJRbr/SbVIoQZ5LlZoT3+rqCTQRdwKrebypF X-Received: by 2002:a17:902:aa46:: with SMTP id c6-v6mr750792plr.313.1531817992668; Tue, 17 Jul 2018 01:59:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531817992; cv=none; d=google.com; s=arc-20160816; b=b9FlYZLBU+ZyKtpEhu8KneWU8IVo03gThbE7lkpj7zX4apoBhlcwvBRudfX0cpXZSr 7BQ23UZRw5tQZjY9AGmijdxWA4PWF+yPB0PyjNxkQHbn+FsJ/upawRQtHxVSKzw0EPZK w7H4GJgbx2HKEPBqBmxWKkiXARsovpMqz/KwL8j3fnHlniRZN6ktuCrtOpInjkZXm2LU vEk2OyJ+oQqw5LWHnYKt5cZ/L+1YXKR9vaLn3G8r3gZZUTuxIo8cVDpq+WYAgXQirDZE fqc5roT7eJHkHhRbEUU6VeLBLGFUgiCwdobfmUWAoIeMuLpC7ljrZOtOM99hytyiwjOb sJAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :arc-authentication-results; bh=oEFxnP2SqOd/BvQB/ax6FQqjx+6siv09SOqY6lKyFHU=; b=l9A3AXyTAZH/x2Bm/jY/R3i0ECQCIVjNYwq1uFiMwhDlN8hBLoOat6w1I5kT/5SJAh /BSGqKdadN6gh1b+dYvhxCa30+Rj8o3WwdxjAz6jnJo20Jo8TyP7SNRabHLga2uibP/D +xDahyDzkL/RwZrjxckL+GIAhd2YwIcklsQH3UbqHhydI6dMEJpEGcgwoTeYXNdP2Xfx 592dK7ULN6I1xNUU1jL3EkO03oPp5V230W57bckL6mTIGC/MRJDGJmWUbiQX/dwhDXVW 2BT/DB39PQ15Eu6ZeHfi1sJIFBGyYa5MB/7Y9qSEpjzLPZdyinGb+76laUIT8fKYnQsW ROwg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c25-v6si425254pgm.523.2018.07.17.01.59.37; Tue, 17 Jul 2018 01:59:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729732AbeGQJ3s (ORCPT + 99 others); Tue, 17 Jul 2018 05:29:48 -0400 Received: from baptiste.telenet-ops.be ([195.130.132.51]:40094 "EHLO baptiste.telenet-ops.be" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729716AbeGQJ3s (ORCPT ); Tue, 17 Jul 2018 05:29:48 -0400 Received: from ramsan.of.borg ([84.194.111.163]) by baptiste.telenet-ops.be with bizsmtp id BkyC1y0073XaVaC01kyCCu; Tue, 17 Jul 2018 10:58:13 +0200 Received: from rox.of.borg ([192.168.97.57]) by ramsan.of.borg with esmtp (Exim 4.86_2) (envelope-from ) id 1ffLoC-0008UX-0A; Tue, 17 Jul 2018 10:58:12 +0200 Received: from geert by rox.of.borg with local (Exim 4.90_1) (envelope-from ) id 1ffLoB-00067o-UI; Tue, 17 Jul 2018 10:58:11 +0200 From: Geert Uytterhoeven To: Chris Brandt , Greg Kroah-Hartman , Jiri Slaby Cc: linux-serial@vger.kernel.org, linux-renesas-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Geert Uytterhoeven Subject: [PATCH] serial: sh-sci: Fix use-after-free on subsequent port startup Date: Tue, 17 Jul 2018 10:58:10 +0200 Message-Id: <20180717085810.23502-1-geert+renesas@glider.be> X-Mailer: git-send-email 2.17.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org sci_request_irq() checks port->irqstr[j] for a NULL pointer, to decide if a fallback interrupt name string should be allocated or not. While this string is freed during port shutdown, the pointer is not zeroed. Hence on a subsequent startup of the port, it will still be pointing to the freed memory, leading to e.g. WARNING: CPU: 0 PID: 404 at fs/proc/generic.c:388 __proc_create+0xbc/0x260 name len 0 or to a crash (the latter is more likely with CONFIG_DEBUG_SLAB=y, due to the poisoning of freed memory). Instead of zeroeing the pointer at multiple places, preinitialize port->irqstr[j] to zero to fix this. Fixes: 8b0bbd956228ae87 ("serial: sh-sci: Add support for R7S9210") Signed-off-by: Geert Uytterhoeven --- drivers/tty/serial/sh-sci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c index 5808edfe3f7be404..f8e53ac5c17dfb94 100644 --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -1872,6 +1872,7 @@ static int sci_request_irq(struct sci_port *port) } desc = sci_irq_desc + i; + port->irqstr[j] = NULL; if (SCIx_TEIDRI_IRQ_EXISTS(port)) { /* * ERI and BRI are muxed, just register ERI and -- 2.17.1