This is a note to let you know that I've just added the patch titled
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
to the 6.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch
and it can be found in the queue-6.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit ca8b9ab83ca57dbddcf952dd9147c190317cd3cd
Author: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
Date: Thu Nov 17 11:59:14 2022 +0800
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ]
Smatch report warning as follows:
drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
'&entry->list' not removed from list
In tsi148_dma_list_add(), the error path "goto err_dma" will not
remove entry->list from list->entries, but entry will be freed,
then list traversal may cause UAF.
Fix by removeing it from list->entries before free().
Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping")
Signed-off-by: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@xxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/staging/vme_user/vme_tsi148.c b/drivers/staging/vme_user/vme_tsi148.c
index 956476213241..b741514e938b 100644
--- a/drivers/staging/vme_user/vme_tsi148.c
+++ b/drivers/staging/vme_user/vme_tsi148.c
@@ -1765,6 +1765,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list,
return 0;
err_dma:
+ list_del(&entry->list);
err_dest:
err_source:
err_align:
