From patchwork Thu May 4 16:52:00 2017
X-Patchwork-Submitter: Sumit Semwal
X-Patchwork-Id: 98549
From: Sumit Semwal
To: stable@vger.kernel.org
Cc: Gabriel Krisman Bertazi, "Guilherme G . Piccoli", Greg Kroah-Hartman, Sumit Semwal
Subject: [PATCH for-4.4 4/4] 8250_pci: Fix potential use-after-free in error path
Date: Thu, 4 May 2017 22:22:00 +0530
Message-Id: <1493916720-8819-5-git-send-email-sumit.semwal@linaro.org>
In-Reply-To: <1493916720-8819-1-git-send-email-sumit.semwal@linaro.org>
References: <1493916720-8819-1-git-send-email-sumit.semwal@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Gabriel Krisman Bertazi

[ Upstream commit c130b666a9a711f985a0a44b58699ebe14bb7245 ]

Commit f209fa03fc9d ("serial: 8250_pci: Detach low-level driver during PCI error recovery") introduces a potential use-after-free in case the pciserial_init_ports call in serial8250_io_resume fails, which may happen if a memory allocation fails or if the .init quirk failed for whatever reason. If this happens, further pci_get_drvdata will return a pointer to freed memory.

This patch reworks the PCI recovery resume hook to restore the old priv structure in this case, which should be ok, since the ports were already detached. Such an error during recovery causes us to give up on the recovery.

Fixes: f209fa03fc9d ("serial: 8250_pci: Detach low-level driver during PCI error recovery")
Reported-by: Michal Suchanek
Signed-off-by: Gabriel Krisman Bertazi
Signed-off-by: Guilherme G. Piccoli
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sumit Semwal
--- drivers/tty/serial/8250/8250_pci.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) -- 2.7.4 diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c index 83ff172..cf3da51 100644 --- a/drivers/tty/serial/8250/8250_pci.c +++ b/drivers/tty/serial/8250/8250_pci.c @@ -5850,17 +5850,15 @@ static pci_ers_result_t serial8250_io_slot_reset(struct pci_dev *dev) static void serial8250_io_resume(struct pci_dev *dev) { struct serial_private *priv = pci_get_drvdata(dev); - const struct pciserial_board *board; + struct serial_private *new; if (!priv) return; - board = priv->board; - kfree(priv); - priv = pciserial_init_ports(dev, board); - - if (!IS_ERR(priv)) { - pci_set_drvdata(dev, priv); + new = pciserial_init_ports(dev, priv->board); + if (!IS_ERR(new)) { + pci_set_drvdata(dev, new); + kfree(priv); } }
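
Review bot: the failure branch of serial8250_io_resume is silent. When IS_ERR(new) is true the function returns without logging anything, and nothing in the code records that drvdata is deliberately left pointing at the old priv. Per the commit message the ports on that old priv are already detached and recovery is given up, so later pci_get_drvdata() callers receive a structure with no attached ports, and an operator has no trace of why the device stopped working. Suggest adding an else branch with a dev_err(&dev->dev, ...) that reports PTR_ERR(new), and a one-line comment above `if (!IS_ERR(new)) {` stating that the old priv is kept on failure and why that is safe. Minor style point: the local name `new` would read more clearly as `new_priv`.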