Patch "can: sja1000: fix use after free in ems_pcmcia_add_card()" has been added to the 5.10-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Fri, 10 Dec 2021 13:06:40 +0100

This is a note to let you know that I've just added the patch titled

    can: sja1000: fix use after free in ems_pcmcia_add_card()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 3ec6ca6b1a8e64389f0212b5a1b0f6fed1909e45 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Wed, 24 Nov 2021 17:50:41 +0300
Subject: can: sja1000: fix use after free in ems_pcmcia_add_card()

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

commit 3ec6ca6b1a8e64389f0212b5a1b0f6fed1909e45 upstream.

If the last channel is not available then "dev" is freed.  Fortunately,
we can just use "pdev->irq" instead.

Also we should check if at least one channel was set up.

Fixes: fd734c6f25ae ("can/sja1000: add driver for EMS PCMCIA card")
Link: https://lore.kernel.org/all/20211124145041.GB13656@kili
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Acked-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
Tested-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/net/can/sja1000/ems_pcmcia.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/can/sja1000/ems_pcmcia.c
+++ b/drivers/net/can/sja1000/ems_pcmcia.c
@@ -235,7 +235,12 @@ static int ems_pcmcia_add_card(struct pc
 			free_sja1000dev(dev);
 	}
 
-	err = request_irq(dev->irq, &ems_pcmcia_interrupt, IRQF_SHARED,
+	if (!card->channels) {
+		err = -ENODEV;
+		goto failure_cleanup;
+	}
+
+	err = request_irq(pdev->irq, &ems_pcmcia_interrupt, IRQF_SHARED,
 			  DRV_NAME, card);
 	if (!err)
 		return 0;


Patches currently in stable-queue which might be from dan.carpenter@xxxxxxxxxx are

queue-5.10/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch






