linux-stable/drivers
Petr Pavlu f91f7ac900 refcount: Report UAF for refcount_sub_and_test(0) when counter==0
When a reference counter is at zero and refcount_sub_and_test() is invoked
to subtract zero, the function accepts this request without any warning and
returns true. This behavior does not seem ideal because the counter being
already at zero indicates a use-after-free. Furthermore, returning true by
refcount_sub_and_test() in this case potentially results in a double-free
done by its caller.

Modify the underlying function __refcount_sub_and_test() to warn about this
case as a use-after-free and have it return false to avoid the potential
double-free.

Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20240717130023.5675-1-petr.pavlu@suse.com
Signed-off-by: Kees Cook <kees@kernel.org>
2024-08-05 14:34:23 -07:00
..
accel
accessibility
acpi RISC-V Patches for the 6.11 Merge Window, Part 2 2024-07-27 10:14:34 -07:00
amba driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
android binder: fix hang of unregistered readers 2024-07-12 11:31:37 +02:00
ata Char/Misc and other driver changes for 6.11-rc1 2024-07-19 15:55:08 -07:00
atm
auxdisplay auxdisplay updates for v6.11 2024-07-26 11:04:28 -07:00
base regmap: Fix for v6.11 2024-07-27 12:26:09 -07:00
bcma driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
block block-6.11-20240726 2024-07-27 15:28:53 -07:00
bluetooth Bluetooth: btmtk: remove #ifdef around declarations 2024-07-26 10:56:54 -04:00
bus Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
cache cache: StarFive: Require a 64-bit system 2024-08-01 07:15:02 -07:00
cdrom sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
cdx driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
char sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
clk Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
clocksource of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
comedi
connector
counter Char/Misc and other driver changes for 6.11-rc1 2024-07-19 15:55:08 -07:00
cpufreq Power management updates for 6.11-rc1 2024-07-16 15:54:03 -07:00
cpuidle
crypto ARM: 2024-07-20 12:41:03 -07:00
cxl CXL for v6.11 merge window 2024-07-28 09:33:28 -07:00
dax Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
dca Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
devfreq
dio dio: Have dio_bus_match() callback take a const * 2024-07-10 15:38:14 +02:00
dma Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
dma-buf - 875fa64577da ("mm/hugetlb_vmemmap: fix race with speculative PFN 2024-07-21 17:15:46 -07:00
dpll
edac minmax: make generic MIN() and MAX() macros available everywhere 2024-07-28 15:49:18 -07:00
eisa driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
extcon
firewire Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
firmware ARM updates for v6.11-rc1 2024-07-29 10:33:51 -07:00
fpga Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
fsi Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
gnss
gpio gpio fixes for v6.11-rc1 2024-07-27 12:54:06 -07:00
gpu drm fixes for 6.11-rc2 2024-08-02 08:59:09 -07:00
greybus Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
hid for-linus-2024072901 2024-07-29 13:07:05 -07:00
hsi Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
hte
hv Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
hwmon minmax: make generic MIN() and MAX() macros available everywhere 2024-07-28 15:49:18 -07:00
hwspinlock
hwtracing Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
i2c Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
i3c I3C for 6.11 2024-07-27 10:53:06 -07:00
idle
iio of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
infiniband IOMMU Updates for Linux v6.11 2024-07-19 09:59:58 -07:00
input Input: MT - limit max slots 2024-07-29 10:44:48 -07:00
interconnect Char/Misc and other driver changes for 6.11-rc1 2024-07-19 15:55:08 -07:00
iommu IOMMU Fixes for Linux v6.11-rc1 2024-07-27 12:39:55 -07:00
ipack driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
irqchip A couple of fixes for interrupt chip drivers: 2024-08-04 08:36:57 -07:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-07-25 08:05:05 -07:00
leds - Core Frameworks 2024-07-17 17:51:30 -07:00
macintosh sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-25 12:58:36 -07:00
mailbox mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() 2024-07-19 21:25:23 -05:00
mcb Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
md minmax: add a few more MIN_T/MAX_T users 2024-07-28 13:41:14 -07:00
media media fixes for v6.11-rc2 2024-08-04 08:12:33 -07:00
memory
memstick Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
message
mfd Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
misc refcount: Report UAF for refcount_sub_and_test(0) when counter==0 2024-08-05 14:34:23 -07:00
mmc Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
most Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
mtd This pull request contains updates (actually, just fixes) for UBI and UBIFS: 2024-07-28 11:51:51 -07:00
mux
net Including fixes from wireless, bleutooth, BPF and netfilter. 2024-08-01 09:42:09 -07:00
nfc minmax: make generic MIN() and MAX() macros available everywhere 2024-07-28 15:49:18 -07:00
ntb Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
nubus
nvdimm Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
nvme nvme fixes for Linux 6.11 2024-07-26 08:06:15 -06:00
nvmem Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
of IOMMU Updates for Linux v6.11 2024-07-19 09:59:58 -07:00
opp Merge branches 'pm-opp' and 'pm-tools' 2024-07-15 18:55:14 +02:00
parisc
parport sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-25 12:58:36 -07:00
pci PCI: pciehp: Retain Power Indicator bits for userspace indicators 2024-08-01 12:58:03 -05:00
pcmcia Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
peci Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
perf perf: riscv: Fix selecting counters in legacy mode 2024-08-01 07:15:13 -07:00
phy phy-for-6.11 2024-07-24 13:11:28 -07:00
pinctrl of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
platform chrome-platform fixes for v6.11-rc2 2024-07-30 12:53:52 -07:00
pmdomain mdomain: Merge branch fixes into next 2024-07-09 13:12:41 +02:00
pnp driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
power power supply and reset changes for the 6.11 series 2024-07-23 09:38:27 -07:00
powercap
pps Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
ps3
ptp Networking changes for 6.11. Not much excitement - a handful of large 2024-07-16 19:28:34 -07:00
pwm of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
rapidio driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
ras - The AMD memory controllers data fabric version 4.5 supports 2024-07-15 18:20:24 -07:00
regulator regulator: Fixes for v6.11 2024-07-27 12:27:52 -07:00
remoteproc rpmsg updates for v6.11 2024-07-23 13:41:59 -07:00
reset Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
rpmsg Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
rtc rtc: stm32: add new st,stm32mp25-rtc compatible and check RIF configuration 2024-07-10 17:15:33 +02:00
s390 s390/cio: Add missing MODULE_DESCRIPTION() macros 2024-07-31 16:30:20 +02:00
sbus sbus: add missing MODULE_DESCRIPTION() macros 2024-07-11 15:42:03 +02:00
scsi SCSI fixes on 20240803 2024-08-03 15:12:56 -07:00
sh driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
siox Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
slimbus Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
soc Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
soundwire Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
spi spi: Fixes for v6.11 2024-07-27 12:29:10 -07:00
spmi Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
ssb driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
staging minmax: make generic MIN() and MAX() macros available everywhere 2024-07-28 15:49:18 -07:00
target
tc driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
tee Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
thermal Merge branch 'thermal-intel' 2024-07-31 12:31:27 +02:00
thunderbolt Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
tty Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
ufs Merge branch '6.11/scsi-queue' into 6.11/scsi-fixes 2024-07-29 21:46:16 -04:00
uio
usb Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
vdpa virtio: fixes 2024-07-29 12:53:37 -07:00
vfio Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
vhost virtio: features, fixes, cleanups 2024-07-19 11:57:55 -07:00
video - 875fa64577da ("mm/hugetlb_vmemmap: fix race with speculative PFN 2024-07-21 17:15:46 -07:00
virt ARM: 2024-07-20 12:41:03 -07:00
virtio virtio: fixes 2024-07-29 12:53:37 -07:00
w1
watchdog linux-watchdog 6.11-rc1 tag 2024-07-25 10:18:35 -07:00
xen Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
zorro Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
Kconfig
Makefile