kernel_optimize_test

Go to file

Zekun Shen 7525876750 rsi: Fix use-after-free in rsi_rx_done_handler() [ Upstream commit b07e3c6ebc0c20c772c0f54042e430acec2945c3 ] When freeing rx_cb->rx_skb, the pointer is not set to NULL, a later rsi_rx_done_handler call will try to read the freed address. This bug will very likley lead to double free, although detected early as use-after-free bug. The bug is triggerable with a compromised/malfunctional usb device. After applying the patch, the same input no longer triggers the use-after-free. Attached is the kasan report from fuzzing. BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb] Read of size 4 at addr ffff8880188e5930 by task modprobe/231 Call Trace: <IRQ> dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] __kasan_report.cold+0x37/0x7c ? dma_direct_unmap_page+0x90/0x110 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] kasan_report+0xe/0x20 rsi_rx_done_handler+0x354/0x430 [rsi_usb] __usb_hcd_giveback_urb+0x1e4/0x380 usb_giveback_urb_bh+0x241/0x4f0 ? __usb_hcd_giveback_urb+0x380/0x380 ? apic_timer_interrupt+0xa/0x20 tasklet_action_common.isra.0+0x135/0x330 __do_softirq+0x18c/0x634 ? handle_irq_event+0xcd/0x157 ? handle_edge_irq+0x1eb/0x7b0 irq_exit+0x114/0x140 do_IRQ+0x91/0x1e0 common_interrupt+0xf/0xf </IRQ> Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/YXxQL/vIiYcZUu/j@10-18-43-117.dynapool.wireless.nyu.edu Signed-off-by: Sasha Levin <sashal@kernel.org>		2022-01-27 10:54:13 +01:00
arch	ARM: imx: rename DEBUG_IMX21_IMX27_UART to DEBUG_IMX27_UART	2022-01-27 10:54:11 +01:00
block	scsi: block: pm: Always set request queue runtime active in blk_post_runtime_resume()	2022-01-27 10:54:08 +01:00
certs
crypto	crypto: jitter - consider 32 LSB for APT	2022-01-27 10:54:12 +01:00
Documentation	counter: stm32-lptimer-cnt: remove iio counter abi	2022-01-27 10:54:08 +01:00
drivers	rsi: Fix use-after-free in rsi_rx_done_handler()	2022-01-27 10:54:13 +01:00
fs	fs: dlm: filter user dlm messages for kernel locks	2022-01-27 10:54:10 +01:00
include	scsi: block: pm: Always set request queue runtime active in blk_post_runtime_resume()	2022-01-27 10:54:08 +01:00
init
ipc
kernel	clocksource: Avoid accidental unstable marking of clocksources	2022-01-27 10:54:06 +01:00
lib	lib/mpi: Add the return value check of kcalloc()	2022-01-27 10:54:02 +01:00
LICENSES
mm
net	batman-adv: allow netlink usage in unprivileged containers	2022-01-27 10:54:11 +01:00
samples
scripts
security	selinux: fix potential memleak in selinux_add_opt()	2022-01-27 10:53:58 +01:00
sound	ASoC: fsl_asrc: refine the check of available clock divider	2022-01-27 10:54:09 +01:00
tools	selftests/bpf: Fix bpf_object leak in skb_ctx selftest	2022-01-27 10:54:10 +01:00
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.