Date: Fri, 2 Jun 2023 20:28:15 +0200
From: Ben Hutchings
To: netdev@vger.kernel.org
Cc: Thomas Gleixner, linux-kernel@vger.kernel.org, Eli Cohen
Subject: [PATCH net] lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()

irq_cpu_rmap_release() calls cpu_rmap_put(), which may free the rmap. So we need to clear the pointer to our glue structure in rmap before doing that, not after.

Fixes: 4e0473f1060a ("lib: cpu_rmap: Avoid use after free on rmap->obj ...")
Signed-off-by: Ben Hutchings
---
I noticed this issue when reviewing stable changes. I haven't tested the change.

Ben.

lib/cpu_rmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c index 73c1636b927b..4c348670da31 100644 --- a/lib/cpu_rmap.c +++ b/lib/cpu_rmap.c 
@@ -280,8 +280,8 @@ static void irq_cpu_rmap_release(struct kref *ref) struct irq_glue *glue =3D container_of(ref, struct irq_glue, notify.kref); =20 - cpu_rmap_put(glue->rmap); glue->rmap->obj[glue->index] =3D NULL; + cpu_rmap_put(glue->rmap); kfree(glue); } =20
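
Review bot: the reordered pair in irq_cpu_rmap_release() carries no comment explaining why the store has to come before the put, and this ordering has already been gotten wrong once (the commit named in Fixes:). Add a one-line comment above `glue->rmap->obj[glue->index] = NULL;` saying that cpu_rmap_put() may drop the last reference and free the rmap, so the rmap must not be dereferenced after it. The submission also says the change is untested; a run under KASAN that exercises this release path would confirm that no access to the rmap remains after the put.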