From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Prasad Sodagudi, Thomas Gleixner, marc.zyngier@arm.com, Sasha Levin
Subject: [PATCH 3.18 58/86] genirq: Prevent use-after-free and work list corruption
Date: Wed, 15 May 2019 12:55:35 +0200
Message-Id: <20190515090653.859366861@linuxfoundation.org>
In-Reply-To: <20190515090642.339346723@linuxfoundation.org>

[ Upstream commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 ]

When irq_set_affinity_notifier() replaces the notifier, then the reference count on the old notifier is dropped which causes it to be freed. But nothing ensures that the old notifier is no longer queued in the work list. If it is queued this results in a use after free and possibly in work list corruption.

Ensure that the work is canceled before the reference is dropped.

Signed-off-by: Prasad Sodagudi
Signed-off-by: Thomas Gleixner
Cc: marc.zyngier@arm.com
Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org
Signed-off-by: Sasha Levin

--- kernel/irq/manage.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/kernel/irq/manage.c +++ b/kernel/irq/manage.c @@ -307,8 +307,10 @@ irq_set_affinity_notifier(unsigned int i desc->affinity_notify = notify; raw_spin_unlock_irqrestore(&desc->lock, flags); - if (old_notify) + if (old_notify) { + cancel_work_sync(&old_notify->work); kref_put(&old_notify->kref, old_notify->release); + } return 0; }
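
Review bot: the return value of cancel_work_sync(&old_notify->work) is discarded in the new if (old_notify) block. cancel_work_sync() returns true when it removed a work item that was still pending, meaning the work function never ran. If the queueing side takes a kref for each queued work item and relies on the work function to drop it (that code is not visible in this hunk), the reference is never released in that case, and the kref_put() that follows will not free the old notifier, turning the use-after-free into a leak. Worth checking the queueing path and, if it does take a reference, adding a matching kref_put() when cancel_work_sync() reports true. Separately, cancel_work_sync() can sleep; it is correctly placed after raw_spin_unlock_irqrestore(&desc->lock, flags), but the function comment should state that callers must be in process context, since that is now a hard requirement whenever an old notifier is being replaced.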