From: Eric Auger
To: eric.auger.pro@gmail.com, eric.auger@redhat.com, joro@8bytes.org, hch@lst.de, cai@lca.pw, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region
Date: Tue, 26 Nov 2019 11:27:43 +0100
Message-Id: <20191126102743.3269-1-eric.auger@redhat.com>

In case the new region gets merged into another one, the nr list node is
freed. Checking its type while completing the merge algorithm leads to
a use-after-free. Use new->type instead.

Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region() implementation")
Signed-off-by: Eric Auger
Reported-by: Qian Cai
Cc: Stable #v5.3+

---
v2 -> v3:
- directly use new->type

v1 -> v2:
- remove spurious new line
---
 drivers/iommu/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index d658c7c6a2ab..285ad4a4c7f2 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -313,7 +313,7 @@ int iommu_insert_resv_region(struct iommu_resv_region *= new, =09=09phys_addr_t top_end, iter_end =3D iter->start + iter->length - 1; =20 =09=09/* no merge needed on elements of different types than @nr */ -=09=09if (iter->type !=3D nr->type) { +=09=09if (iter->type !=3D new->type) { =09=09=09list_move_tail(&iter->list, &stack); =09=09=09continue; =09=09} --=20 2.20.1
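
Review bot: the context comment directly above the changed condition still reads "no merge needed on elements of different types than @nr", while the test now compares against new->type; update the comment to refer to @new in the same patch so the text and the check agree. The commit message says the nr node can be freed once it has been merged, so a comment that keeps pointing readers at @nr invites the same mistake in a later edit. The lines shown here do not reveal whether nr is dereferenced anywhere else after a merge, which is worth confirming before this is picked up for stable.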