Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp528362pxb; Wed, 3 Mar 2021 08:57:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJy3kgqOyXrVUD0a2rq9or6Q4Q099COO9e8j6enxuAA5G0qauvfg3Vw8lu2riZKCwG1Vgfyc X-Received: by 2002:a17:906:1712:: with SMTP id c18mr27047118eje.417.1614790621752; Wed, 03 Mar 2021 08:57:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614790621; cv=none; d=google.com; s=arc-20160816; b=DPLrKcvVcX1t090Mz1ztO9HaTy9H9PEBbXVzbIhjbic3rV8DVzrdbTyF/qTpGv52gE t9aYl1ldFabsap8Xiu3i3Wh0IIMz5cCnlji5LcnDEz3+RXb+TvDw+yxip3TKcaDiqPTc 5ItbW7r1wJttBPeo0S0u1JJKdFib6y3vYmdpa0bkL35AkMqMZI5f1ImA5frQJavdSMZ+ pPUnNhEoIgwVGbRSojnT5jsJA6+YQxTb904Cy+rF5eXKdZfAehHpl8wBKIUqF0IpLu6y fssnYjaMSoTZrrLUO92kIA7K/JuZEcF52PCHmMeB1Z/HZ1rBLC+2NlZ0UetmHdvUV+4S Qimg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Xw3LObc2CJIH2IhfzmYRA7+US4PoGt+y6FiU+hNZ8bo=; b=txwh2EH9DMX9ufNK9myj0Dy9BTiqZ+APOYDCEUwGKqES+BYOaUVu6R7Vnd4Kcwp+qv k1KzuP1dkAv4neADtkPABvEYUcpd6wN6goAVj3HFnDIu1WJH7XnkGYUn5wtg11N9zMJF Gw2mTelNgNeV8B1teHO768u3eG+pBw49o4tOYnLfyouxkaSG82pnMCFt5yfmhUg0qGPa u9QaUgGjHYD001ZxfW3QWTu/hgPj283eOtknBwfZc4glkc6pGJWQR2m/36UWjQ9zdl2Z 2njS0+pZr7+GLCPLssFlS6H2BqCjmT9aZ+C0uLY3IZxzthwGFX5Le4/DhZ+uWUEHfia0 uIHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=JV02ABfy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b14si5312021eds.379.2021.03.03.08.56.36; Wed, 03 Mar 2021 08:57:01 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=JV02ABfy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1376464AbhCBA3F (ORCPT + 99 others); Mon, 1 Mar 2021 19:29:05 -0500 Received: from mail.kernel.org ([198.145.29.99]:43166 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239414AbhCASau (ORCPT ); Mon, 1 Mar 2021 13:30:50 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id C5E9B651DE; Mon, 1 Mar 2021 17:19:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1614619150; bh=za8EdQ/t5PSQ4vUBu+pQG1IXy1/URJZkNPyVRLTta5g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JV02ABfyRD8vHGfBcIsmDt4sbtAjHB0WloIbLLgBUgu4J7ZclUXrUgRgKDRShYZe+ cZIPGkcY3pG5zbzF40ihJSoGRxy/8bR+DM0Ff5ZbH9BIVWFHlnI0y4MtC1wBSrWEE6 f37jZy+4mU4VTenfjt6MqWTUSj4fTbTSmejs0b74= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Charles Keepax , Lee Jones , Sasha Levin Subject: [PATCH 5.10 350/663] mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() Date: Mon, 1 Mar 2021 17:09:58 +0100 Message-Id: <20210301161159.167329715@linuxfoundation.org> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210301161141.760350206@linuxfoundation.org> References: <20210301161141.760350206@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit 26783d74cc6a440ee3ef9836a008a697981013d0 ] The "req" struct is always added to the "wm831x->auxadc_pending" list, but it's only removed from the list on the success path. If a failure occurs then the "req" struct is freed but it's still on the list, leading to a use after free. Fixes: 78bb3688ea18 ("mfd: Support multiple active WM831x AUXADC conversions") Signed-off-by: Dan Carpenter Acked-by: Charles Keepax Signed-off-by: Lee Jones Signed-off-by: Sasha Levin --- drivers/mfd/wm831x-auxadc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/mfd/wm831x-auxadc.c b/drivers/mfd/wm831x-auxadc.c index 8a7cc0f86958b..65b98f3fbd929 100644 --- a/drivers/mfd/wm831x-auxadc.c +++ b/drivers/mfd/wm831x-auxadc.c @@ -93,11 +93,10 @@ static int wm831x_auxadc_read_irq(struct wm831x *wm831x, wait_for_completion_timeout(&req->done, msecs_to_jiffies(500)); mutex_lock(&wm831x->auxadc_lock); - - list_del(&req->list); ret = req->val; out: + list_del(&req->list); mutex_unlock(&wm831x->auxadc_lock); kfree(req); -- 2.27.0