CVE-2021-47549

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
24/05/2024
Last modified:
07/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
a bug is reported:
==================================================================
BUG: Unable to handle kernel data access on read at 0x80000800805b502c
Oops: Kernel access of bad area, sig: 11 [#1]
NIP [c0000000000388a4] .ioread32+0x4/0x20
LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
Call Trace:
.free_irq+0x1c/0x4e0 (unreliable)
.ata_host_stop+0x74/0xd0 [libata]
.release_nodes+0x330/0x3f0
.device_release_driver_internal+0x178/0x2c0
.driver_detach+0x64/0xd0
.bus_remove_driver+0x70/0xf0
.driver_unregister+0x38/0x80
.platform_driver_unregister+0x14/0x30
.fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
.__se_sys_delete_module+0x1ec/0x2d0
.system_call_exception+0xfc/0x1f0
system_call_common+0xf8/0x200
==================================================================

The triggering of the BUG is shown in the following stack:

driver_detach
device_release_driver_internal
__device_release_driver
drv->remove(dev) --> platform_drv_remove/platform_remove
drv->remove(dev) --> sata_fsl_remove
iounmap(host_priv->hcr_base); data) --> ata_host_stop
ap->ops->port_stop(ap) --> sata_fsl_port_stop
ioread32(hcr_base + HCONTROL) ops->host_stop(host)

The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
not be executed in drv->remove. These functions should be executed in
host_stop after port_stop. Therefore, we move these functions to the
new function sata_fsl_host_stop and bind the new function to host_stop.
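The teardown ordering described above, as an added user-space model (not the kernel patch and not code from this advisory): flags stand in for the mapped hcr_base and the allocated host_priv, so the stale read is counted instead of crashing. The struct and function names, and the third "remove-only" case showing why host_stop must be bound, are assumptions made for the illustration.

```c
/* User-space model of the unbind order in the description; not kernel code.
 * Flags stand in for ioremap()/kzalloc() state, so the stale access is
 * recorded instead of crashing. All names are constructed for this example. */
#include <stdio.h>

struct host_priv { int mapped; int allocated; };
struct host { struct host_priv *priv; int stale_reads; };
struct ops {
    void (*port_stop)(struct host *);
    void (*host_stop)(struct host *);   /* may be NULL */
};

/* Stand-in for iounmap(host_priv->hcr_base) + kfree(host_priv). */
static void release_priv(struct host *h) {
    h->priv->mapped = 0;
    h->priv->allocated = 0;
}

/* port_stop reads HCONTROL through hcr_base, so it needs both still live. */
static void model_port_stop(struct host *h) {
    if (!h->priv->allocated || !h->priv->mapped)
        h->stale_reads++;               /* the ioread32() in the oops */
}

static void model_host_stop(struct host *h) { release_priv(h); }

/* Order from the trace: drv->remove() runs first, then the devres release
 * (ata_host_stop) calls port_stop and, if bound, host_stop.
 * Returns -1 on a stale read, 1 if resources are leaked, 0 if clean. */
static int unbind(const struct ops *o, int remove_releases) {
    struct host_priv priv = { 1, 1 };
    struct host h = { &priv, 0 };
    if (remove_releases)
        release_priv(&h);               /* pre-fix sata_fsl_remove */
    o->port_stop(&h);
    if (o->host_stop)
        o->host_stop(&h);
    if (h.stale_reads)
        return -1;
    return (priv.mapped || priv.allocated) ? 1 : 0;
}

static const struct ops ops_before = { model_port_stop, NULL };
static const struct ops ops_after  = { model_port_stop, model_host_stop };

int main(void) {
    printf("pre-fix=%d fixed=%d remove-only=%d\n",
           unbind(&ops_before, 1), unbind(&ops_after, 0), unbind(&ops_before, 0));
    return 0;
}
```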

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.24 (including) 4.4.294 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.5 (including) 4.9.292 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.14.257 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.220 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.164 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.7 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*