Commit 5cc4eea7 authored Nov 17, 2022 by Gaosheng Cui Committed by Greg Kroah-Hartman Jan 07, 2023

staging: vme_user: Fix possible UAF in tsi148_dma_list_add



[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ]

Smatch report warning as follows:

drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
  '&entry->list' not removed from list

In tsi148_dma_list_add(), the error path "goto err_dma" will not
remove entry->list from list->entries, but entry will be freed,
then list traversal may cause UAF.

Fix by removeing it from list->entries before free().

Fixes: b2383c90 ("vme: tsi148: fix first DMA item mapping")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 92a0e909

drivers/vme/bridges/vme_tsi148.c

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1778,6 +1778,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list,
	return 0;		return 0;

	err_dma:		err_dma:
			list_del(&entry->list);
	err_dest:		err_dest:
	err_source:		err_source:
	err_align:		err_align: