From: Eric Auger
To: eric.auger.pro@gmail.com, eric.auger@redhat.com, joro@8bytes.org, hch@lst.de, cai@lca.pw, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org
Cc: jsnitsel@redhat.com
Subject: [PATCH v4] iommu: fix KASAN use-after-free in iommu_insert_resv_region
Date: Tue, 26 Nov 2019 18:54:13 +0100
Message-Id: <20191126175413.4350-1-eric.auger@redhat.com>

In case the new region gets merged into another one, the nr list node is freed. Checking its type while completing the merge algorithm leads to a use-after-free. Use new->type instead.

Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region() implementation")
Signed-off-by: Eric Auger
Reported-by: Qian Cai
Reviewed-by: Jerry Snitselaar
Cc: Stable #v5.3+
---
v3 -> v4:
- s/nr/new in the comment
- Added Jerry's R-b

v2 -> v3:
- directly use new->type

v1 -> v2:
- remove spurious new line
---
 drivers/iommu/iommu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index d658c7c6a2ab..dea1069334a4 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c 
@@ -312,8 +312,8 @@ int iommu_insert_resv_region(struct iommu_resv_region *= new, =09list_for_each_entry_safe(iter, tmp, regions, list) { =09=09phys_addr_t top_end, iter_end =3D iter->start + iter->length - 1; =20 -=09=09/* no merge needed on elements of different types than @nr */ -=09=09if (iter->type !=3D nr->type) { +=09=09/* no merge needed on elements of different types than @new */ +=09=09if (iter->type !=3D new->type) { =09=09=09list_move_tail(&iter->list, &stack); =09=09=09continue; =09=09} --=20 2.20.1
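
Review bot: The updated comment above the `iter->type != new->type` check explains why the merge is skipped but not why `new` is read instead of `nr`. Per the commit message, `nr` can already be freed once the new region has been merged into another one, so a short addition to the comment (for example "use @new here, nr may have been freed by a merge") would keep a later cleanup from switching the check back to `nr->type`. The loop body after the `continue` is not visible in this hunk; it is worth confirming that no other `nr->` dereference remains on a path that runs after `nr` can be freed.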