[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 02f6b0e1ec7e0e7d059dddc893645816552039da
WARNING: Author mismatch between patch and upstream commit: Backport author: hsimeliere.opensource@witekio.com Commit author: Zhongqiu Hanquic_zhonhan@quicinc.com
Status in newer kernel trees: 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: 95ca7c90eaf5) 6.1.y | Not found
Note: The patch differs from the upstream commit: --- 1: 02f6b0e1ec7e0 ! 1: 55e55db29a40e gpiolib: cdev: Fix use after free in lineinfo_changed_notify @@ Metadata ## Commit message ## gpiolib: cdev: Fix use after free in lineinfo_changed_notify
+ [ Upstream commit 02f6b0e1ec7e0e7d059dddc893645816552039da ] + The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier @@ Commit message Signed-off-by: Zhongqiu Han quic_zhonhan@quicinc.com Link: https://lore.kernel.org/r/20240505141156.2944912-1-quic_zhonhan@quicinc.com Signed-off-by: Bartosz Golaszewski bartosz.golaszewski@linaro.org + Signed-off-by: Bruno VERNAY bruno.vernay@se.com + Signed-off-by: Hugo SIMELIERE hsimeliere.opensource@witekio.com
## drivers/gpio/gpiolib-cdev.c ## @@ drivers/gpio/gpiolib-cdev.c: static int gpio_chrdev_release(struct inode *inode, struct file *file) @@ drivers/gpio/gpiolib-cdev.c: static int gpio_chrdev_release(struct inode *inode, struct gpio_device *gdev = cdev->gdev;
- bitmap_free(cdev->watched_lines); - blocking_notifier_chain_unregister(&gdev->device_notifier, - &cdev->device_unregistered_nb); - blocking_notifier_chain_unregister(&gdev->line_state_notifier, + blocking_notifier_chain_unregister(&gdev->notifier, &cdev->lineinfo_changed_nb); + bitmap_free(cdev->watched_lines); - gpio_device_put(gdev); + put_device(&gdev->dev); kfree(cdev);
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success | | stable/linux-5.10.y | Success | Success |