From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Auger, Qian Cai, Jerry Snitselaar, Linus Torvalds
Subject: [PATCH 5.4 367/434] iommu: fix KASAN use-after-free in iommu_insert_resv_region
Date: Sun, 29 Dec 2019 18:27:00 +0100
Message-Id: <20191229172726.351162300@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20191229172702.393141737@linuxfoundation.org>
References: <20191229172702.393141737@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Auger

commit 4c80ba392bf603d468ea827d902f8e7b2505fbf4 upstream.

In case the new region gets merged into another one, the nr list node is freed. Checking its type while completing the merge algorithm leads to a use-after-free. Use new->type instead.

Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region() implementation")
Signed-off-by: Eric Auger
Reported-by: Qian Cai
Reviewed-by: Jerry Snitselaar
Cc: Stable #v5.3+
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
drivers/iommu/iommu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -312,8 +312,8 @@ int iommu_insert_resv_region(struct iomm list_for_each_entry_safe(iter, tmp, regions, list) { phys_addr_t top_end, iter_end = iter->start + iter->length - 1; - /* no merge needed on elements of different types than @nr */ - if (iter->type != nr->type) { + /* no merge needed on elements of different types than @new */ + if (iter->type != new->type) { list_move_tail(&iter->list, &stack); continue; }
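
Review bot: The type check at the top of the `list_for_each_entry_safe` loop was the only `nr` dereference visible in this hunk, but the commit message says `nr` may already be freed by the time the merge is being completed, so any other `nr->` access in the rest of this loop or after it would hit the same use-after-free. Please confirm none remain outside the context lines shown here. Nothing in the visible code signals that `nr` can be stale at this point, so a short comment above the loop saying that only `new` may be dereferenced from here on would help keep a later change from reintroducing `nr->type`. The comment change from `@nr` to `@new` matches the code and is fine as is.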