CVE-2022-48796

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
16/07/2024
Last modified:
10/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix potential use-after-free during probe

Kasan has reported the following use after free on dev->iommu.
When a device probe fails and it is in process of freeing dev->iommu
in dev_iommu_free function, a deferred_probe_work_func runs in parallel
and tries to access dev->iommu->fwspec in of_iommu_configure path thus
causing use after free.

BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4
Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153

Workqueue: events_unbound deferred_probe_work_func
Call trace:
dump_backtrace+0x0/0x33c
show_stack+0x18/0x24
dump_stack_lvl+0x16c/0x1e0
print_address_description+0x84/0x39c
__kasan_report+0x184/0x308
kasan_report+0x50/0x78
__asan_load8+0xc0/0xc4
of_iommu_configure+0xb4/0x4a4
of_dma_configure_id+0x2fc/0x4d4
platform_dma_configure+0x40/0x5c
really_probe+0x1b4/0xb74
driver_probe_device+0x11c/0x228
__device_attach_driver+0x14c/0x304
bus_for_each_drv+0x124/0x1b0
__device_attach+0x25c/0x334
device_initial_probe+0x24/0x34
bus_probe_device+0x78/0x134
deferred_probe_work_func+0x130/0x1a8
process_one_work+0x4c8/0x970
worker_thread+0x5c8/0xaec
kthread+0x1f8/0x220
ret_from_fork+0x10/0x18

Allocated by task 1:
____kasan_kmalloc+0xd4/0x114
__kasan_kmalloc+0x10/0x1c
kmem_cache_alloc_trace+0xe4/0x3d4
__iommu_probe_device+0x90/0x394
probe_iommu_group+0x70/0x9c
bus_for_each_dev+0x11c/0x19c
bus_iommu_probe+0xb8/0x7d4
bus_set_iommu+0xcc/0x13c
arm_smmu_bus_init+0x44/0x130 [arm_smmu]
arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
platform_drv_probe+0xe4/0x13c
really_probe+0x2c8/0xb74
driver_probe_device+0x11c/0x228
device_driver_attach+0xf0/0x16c
__driver_attach+0x80/0x320
bus_for_each_dev+0x11c/0x19c
driver_attach+0x38/0x48
bus_add_driver+0x1dc/0x3a4
driver_register+0x18c/0x244
__platform_driver_register+0x88/0x9c
init_module+0x64/0xff4 [arm_smmu]
do_one_initcall+0x17c/0x2f0
do_init_module+0xe8/0x378
load_module+0x3f80/0x4a40
__se_sys_finit_module+0x1a0/0x1e4
__arm64_sys_finit_module+0x44/0x58
el0_svc_common+0x100/0x264
do_el0_svc+0x38/0xa4
el0_svc+0x20/0x30
el0_sync_handler+0x68/0xac
el0_sync+0x160/0x180

Freed by task 1:
kasan_set_track+0x4c/0x84
kasan_set_free_info+0x28/0x4c
____kasan_slab_free+0x120/0x15c
__kasan_slab_free+0x18/0x28
slab_free_freelist_hook+0x204/0x2fc
kfree+0xfc/0x3a4
__iommu_probe_device+0x284/0x394
probe_iommu_group+0x70/0x9c
bus_for_each_dev+0x11c/0x19c
bus_iommu_probe+0xb8/0x7d4
bus_set_iommu+0xcc/0x13c
arm_smmu_bus_init+0x44/0x130 [arm_smmu]
arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
platform_drv_probe+0xe4/0x13c
really_probe+0x2c8/0xb74
driver_probe_device+0x11c/0x228
device_driver_attach+0xf0/0x16c
__driver_attach+0x80/0x320
bus_for_each_dev+0x11c/0x19c
driver_attach+0x38/0x48
bus_add_driver+0x1dc/0x3a4
driver_register+0x18c/0x244
__platform_driver_register+0x88/0x9c
init_module+0x64/0xff4 [arm_smmu]
do_one_initcall+0x17c/0x2f0
do_init_module+0xe8/0x378
load_module+0x3f80/0x4a40
__se_sys_finit_module+0x1a0/0x1e4
__arm64_sys_finit_module+0x44/0x58
el0_svc_common+0x100/0x264
do_el0_svc+0x38/0xa4
el0_svc+0x20/0x30
el0_sync_handler+0x68/0xac
el0_sync+0x160/0x180

Fix this by setting dev->iommu to NULL first and
then freeing dev_iommu structure in dev_iommu_free
function.
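The ordering change the commit describes, shown as an added user-space model in C (not code from the kernel or from this advisory): the deferred-probe worker is invoked at the exact point where it raced, and a constructed `freed` flag stands in for kfree() so the model never dereferences released memory itself. Struct and function names are simplified stand-ins for the kernel's dev_iommu, iommu_fwspec, dev_iommu_free and of_iommu_configure.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Minimal stand-ins for the kernel structures named in the report. */
struct iommu_fwspec { unsigned int num_ids; };
struct dev_iommu {
	struct iommu_fwspec *fwspec;
	bool freed;             /* constructed: poison flag standing in for kfree() */
};
struct device { struct dev_iommu *iommu; };

typedef int (*worker_fn)(struct device *);

/* The deferred-probe worker (of_iommu_configure's view): check dev->iommu,
 * then follow it to fwspec.  Returns 1 if it touched a released block. */
static int deferred_probe_worker(struct device *dev)
{
	struct dev_iommu *param = dev->iommu;
	if (!param)
		return 0;                       /* pointer already cleared */
	if (param->freed)
		return 1;                       /* the use-after-free KASAN reported */
	return param->fwspec->num_ids != 0;     /* live block: normal access */
}

/* Pre-fix ordering: release dev->iommu, only then clear the pointer.  A worker
 * scheduled in between sees a non-NULL pointer to freed memory. */
static int dev_iommu_free_vulnerable(struct device *dev, worker_fn worker)
{
	struct dev_iommu *param = dev->iommu;
	free(param->fwspec);
	param->fwspec = NULL;
	param->freed = true;                    /* kfree(dev->iommu) */
	int hit = worker(dev);                  /* deferred_probe_work_func runs here */
	dev->iommu = NULL;
	return hit;
}

/* Fixed ordering (the commit's change): clear dev->iommu first, then free. */
static int dev_iommu_free_fixed(struct device *dev, worker_fn worker)
{
	struct dev_iommu *param = dev->iommu;
	dev->iommu = NULL;
	int hit = worker(dev);                  /* worker now observes NULL */
	free(param->fwspec);
	param->fwspec = NULL;
	param->freed = true;
	return hit;
}

/* Build a device with a populated dev_iommu, tear it down with the chosen
 * ordering and the worker interleaved, and report whether a UAF occurred. */
int run_probe_failure(bool fixed)
{
	struct device dev;
	struct dev_iommu *param = calloc(1, sizeof(*param));
	param->fwspec = calloc(1, sizeof(*param->fwspec));
	dev.iommu = param;
	int hit = fixed ? dev_iommu_free_fixed(&dev, deferred_probe_worker)
	                : dev_iommu_free_vulnerable(&dev, deferred_probe_worker);
	free(param);                            /* release the poisoned block for real */
	return hit;
}
```

Clearing the pointer before the free only protects a worker that loads dev->iommu after the NULL store; a worker that already holds the old pointer would need separate synchronisation, which is outside what the commit message covers.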

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.7 (including)    5.10.101 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.11 (including)   5.15.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.16 (including)   5.16.10 (excluding)
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*