[linux] 02/03: [x86] thunderbolt: Fix double free of drom buffer

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon Jul 4 18:09:45 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 1f6b03a29b14d366fc8a62ed17af8cc98e5e4df6
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Jul 3 23:17:50 2016 +0200

    [x86] thunderbolt: Fix double free of drom buffer
---
 debian/changelog                                   |  1 +
 ...hunderbolt-fix-double-free-of-drom-buffer.patch | 33 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 35 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e91e32d..7ff6488 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -383,6 +383,7 @@ linux (3.16.36-1) UNRELEASED; urgency=medium
     ceph filesystem
   * migrate, sched: Fix ABI changes
   * batman-adv: Fix double-put of vlan object
+  * [x86] thunderbolt: Fix double free of drom buffer
 
   [ Aurelien Jarno ]
   * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions.
diff --git a/debian/patches/features/x86/apple-tb/thunderbolt-fix-double-free-of-drom-buffer.patch b/debian/patches/features/x86/apple-tb/thunderbolt-fix-double-free-of-drom-buffer.patch
new file mode 100644
index 0000000..b46f373
--- /dev/null
+++ b/debian/patches/features/x86/apple-tb/thunderbolt-fix-double-free-of-drom-buffer.patch
@@ -0,0 +1,33 @@
+From: Andreas Noever <andreas.noever at gmail.com>
+Date: Sun, 10 Apr 2016 12:48:27 +0200
+Subject: thunderbolt: Fix double free of drom buffer
+Origin: https://git.kernel.org/linus/2ffa9a5d76a75abbc1f95c17959fced666095bdd
+
+If tb_drom_read() fails, sw->drom is freed but not set to NULL.  sw->drom
+is then freed again in the error path of tb_switch_alloc().
+
+The bug can be triggered by unplugging a thunderbolt device shortly after
+it is detected by the thunderbolt driver.
+
+Clear sw->drom if tb_drom_read() fails.
+
+[bhelgaas: add Fixes:, stable versions of interest]
+Fixes: 343fcb8c70d7 ("thunderbolt: Fix nontrivial endpoint devices.")
+Signed-off-by: Andreas Noever <andreas.noever at gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas at google.com>
+CC: stable at vger.kernel.org	# v3.17+
+CC: Lukas Wunner <lukas at wunner.de>
+---
+ drivers/thunderbolt/eeprom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thunderbolt/eeprom.c
++++ b/drivers/thunderbolt/eeprom.c
+@@ -444,6 +444,7 @@ int tb_drom_read(struct tb_switch *sw)
+ 	return tb_drom_parse_entries(sw);
+ err:
+ 	kfree(sw->drom);
++	sw->drom = NULL;
+ 	return -EIO;
+ 
+ }
diff --git a/debian/patches/series b/debian/patches/series
index e9fc5c8..2341f9c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -566,6 +566,7 @@ features/x86/apple-tb/0030-thunderbolt-Use-kcalloc.patch
 features/x86/apple-tb/0031-thunderbolt-Clear-hops-before-overwriting.patch
 features/x86/apple-tb/pci-add-pci_fixup_suspend_late-quirk-pass.patch
 features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch
+features/x86/apple-tb/thunderbolt-fix-double-free-of-drom-buffer.patch
 
 # Add iwlwifi firmware monitor from 3.17
 features/all/iwlwifi-debug/iwlwifi-add-device-firmware-to-fw-error-dump-file.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list