diff options
| author | Gaosheng Cui <cuigaosheng1@huawei.com> | 2022-11-17 11:59:14 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-01-18 11:30:25 +0100 |
| commit | e6b0adff99edf246ba1f8d464530a0438cb1cbda (patch) | |
| tree | 3d720aaa5ba864088b233d0c0aa28202b859944d /drivers/vme | |
| parent | b5e479e6d365b6401751a0fa8bdaa03f018cc023 (diff) | |
| download | linux-stable-e6b0adff99edf246ba1f8d464530a0438cb1cbda.tar.gz linux-stable-e6b0adff99edf246ba1f8d464530a0438cb1cbda.tar.bz2 linux-stable-e6b0adff99edf246ba1f8d464530a0438cb1cbda.zip | |
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ]
Smatch report warning as follows:
drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
'&entry->list' not removed from list
In tsi148_dma_list_add(), the error path "goto err_dma" will not
remove entry->list from list->entries, but entry will be freed,
then list traversal may cause UAF.
Fix by removeing it from list->entries before free().
Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/vme')
| -rw-r--r-- | drivers/vme/bridges/vme_tsi148.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/vme/bridges/vme_tsi148.c b/drivers/vme/bridges/vme_tsi148.c index 647d231d4422..b1be12dc61eb 100644 --- a/drivers/vme/bridges/vme_tsi148.c +++ b/drivers/vme/bridges/vme_tsi148.c @@ -1775,6 +1775,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list, return 0; err_dma: + list_del(&entry->list); err_dest: err_source: err_align: |