lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20220105093052.258791-1-vilhelm.gray@gmail.com>
Date:   Wed,  5 Jan 2022 18:30:52 +0900
From:   William Breathitt Gray <vilhelm.gray@...il.com>
To:     gregkh@...uxfoundation.org
Cc:     linux-iio@...r.kernel.org, Jonathan.Cameron@...wei.com,
        linux-kernel@...r.kernel.org, u.kleine-koenig@...gutronix.de,
        William Breathitt Gray <vilhelm.gray@...il.com>,
        Syed Nayyar Waris <syednwaris@...il.com>
Subject: [PATCH] counter: 104-quad-8: Fix use-after-free by quad8_irq_handler

On unbind an irq might be pending which results in quad8_irq_handler()
calling counter_push_event() for a counter that is already unregistered.
This patch fixes that situation by passing the struct counter_device dev
to devm_request_irq() rather than the parent's so that the irq handler
is cleaned before the counter is unregistered.

Fixes: 7aa2ba0df651 ("counter: 104-quad-8: Add IRQ support for the ACCES 104-QUAD-8")
Reported-by: Uwe Kleine-König <u.kleine-koenig@...gutronix.de>
Cc: Syed Nayyar Waris <syednwaris@...il.com>
Signed-off-by: William Breathitt Gray <vilhelm.gray@...il.com>
---
 drivers/counter/104-quad-8.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/counter/104-quad-8.c b/drivers/counter/104-quad-8.c
index 1fbb3923797c..a17e51d65aca 100644
--- a/drivers/counter/104-quad-8.c
+++ b/drivers/counter/104-quad-8.c
@@ -1188,8 +1188,8 @@ static int quad8_probe(struct device *dev, unsigned int id)
 	/* Enable all counters and enable interrupt function */
 	outb(QUAD8_CHAN_OP_ENABLE_INTERRUPT_FUNC, base[id] + QUAD8_REG_CHAN_OP);
 
-	err = devm_request_irq(dev, irq[id], quad8_irq_handler, IRQF_SHARED,
-			       counter->name, counter);
+	err = devm_request_irq(&counter->dev, irq[id], quad8_irq_handler,
+			       IRQF_SHARED, counter->name, counter);
 	if (err)
 		return err;
 

base-commit: 8f2cade5da97713e77ca5be576438f194b8873d7
-- 
2.33.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ