mdio_bus: Fix use-after-free on device_register fails
KASAN has found a use-after-free in fixed_mdio_bus_init.
Commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call
put_device on device_register() failure") calls put_device()
when device_register() fails, giving up the last reference
to the device and allowing mdiobus_release to be executed,
kfreeing the bus. However, in most drivers, mdiobus_free
is called to free the bus when mdiobus_register fails.
A use-after-free occurs when the bus is accessed again; this patch
reverts it to let mdiobus_free free the bus.
KASAN report details are as below:
BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524
The buggy address belongs to the object at ffff8881dc824c80
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 248 bytes inside of
2048-byte region [ffff8881dc824c80, ffff8881dc825480)
The buggy address belongs to the page:
page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^
ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
Signed-off-by: YueHaibing <email address hidden>
Reviewed-by: Andrew Lunn <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit 6ff7b060535e87c2ae14dd8548512abfdda528fb)
CVE-2019-12819
Signed-off-by: Benjamin M Romer <email address hidden>
Acked-by: Tyler Hicks <email address hidden>
Acked-by: Po-Hsu Lin <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
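Added illustration (not part of the commit or the kernel source): a toy C model of the ownership problem described in the mdio_bus commit message above, where a failed registration drops the last reference and the driver's error path then touches the bus again. The `toy_*` names are hypothetical, and a `freed` flag stands in for kfree so the program is safe to run.

```c
#include <stdio.h>

/* Toy stand-in for struct mii_bus; hypothetical names, not kernel code. */
struct toy_bus {
    int refs;   /* references held on the embedded device */
    int freed;  /* set when the release callback has "kfreed" the bus */
};

static int stale_accesses;  /* touches of a bus after it was released */
/* Models put_device(): dropping the last reference runs the release callback. */
static void toy_put(struct toy_bus *bus)
{
    if (--bus->refs == 0)
        bus->freed = 1;     /* stands in for mdiobus_release() kfreeing the bus */
}

/* Models a failing device_register(); put_on_fail=1 is the 0c692d07842a behaviour. */
static int toy_register(struct toy_bus *bus, int put_on_fail)
{
    if (put_on_fail)
        toy_put(bus);
    return -1;
}

/* Models the driver's error path calling mdiobus_free() on its bus. */
static void toy_free(struct toy_bus *bus)
{
    if (bus->freed) {       /* the toy can notice this; real freed memory cannot */
        stale_accesses++;
        return;
    }
    toy_put(bus);
}

/* Runs one failed probe and returns how many times a released bus was touched. */
int failed_probe_stale_accesses(int put_on_fail)
{
    struct toy_bus bus = { .refs = 1, .freed = 0 };
    stale_accesses = 0;
    if (toy_register(&bus, put_on_fail) < 0)
        toy_free(&bus);
    return stale_accesses;
}

int main(void)
{
    printf("stale accesses, put on failure: %d, reverted: %d\n",
           failed_probe_stale_accesses(1), failed_probe_stale_accesses(0));
    return 0;
}
```

With the put on the failure path the caller's free routine runs against an already released bus; with it reverted, the caller's free is the only release.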
The QCA Rome USB Bluetooth controller has several issues once LPM gets
enabled:
- Fails to get enumerated in coldboot. [1]
- Drains more power (~ 0.2W) when the system is in S5. [2]
- Disappears after a warmboot. [2]
The issue happens because the device lingers at LPM L1 in S5, so the device
can't get enumerated even after a reboot.
ICMP6 neighbor solicitation messages will be discarded by the Hip06
chips, because the forwarding pool is not set. Enabling promisc mode
has the same problem.
This patch fixes the wrong forwarding table configs for the multicast
vague matching when enabling promisc mode, and adds a forwarding pool
for the forwarding table.
Signed-off-by: Yonglong Liu <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit f058e46855dcbc28edb2ed4736f38a71fd19cadb)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Every time the call trace is not the same, but the overwrite address
is always the same:
Unable to handle kernel paging request at virtual address 0000000200000040
The root cause is that, when writing the reg XGMAC_MAC_TX_LF_RF_CONTROL_REG,
the io_base offset was not used.
Signed-off-by: Yonglong Liu <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit c0b0984426814f3a9251873b689e67d34d8ccd84)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
This patch is trying to fix the issue due to:
[27237.844750] BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x708/0xa18[hns_enet_drv]
After hnae_queue_xmit() in hns_nic_net_xmit_hw(), it can be
interrupted by interrupts, which then call hns_nic_tx_poll_one()
to handle the new packets and free the skb. So, when returning to
hns_nic_net_xmit_hw(), calling skb->len will cause a use-after-free.
This patch updates tx ring statistics in hns_nic_tx_poll_one() to
fix the bug.
Signed-off-by: Liubin Shu <email address hidden>
Signed-off-by: Zhen Lei <email address hidden>
Signed-off-by: Yonglong Liu <email address hidden>
Signed-off-by: Peng Li <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit 3a39a12ad364a9acd1038ba8da67cd8430f30de4)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>