kernel-packages team mailing list archive

[Bug 1584828] Re: s390/pci: fix use after free in dma_init

 

released with 4.6

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
     Assignee: Skipper Bug Screeners (skipper-screen-team)
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Yakkety)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Yakkety)
     Assignee: Skipper Bug Screeners (skipper-screen-team) => (unassigned)

** Changed in: linux (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584828

Title:
  s390/pci: fix use after free in dma_init

Status in Ubuntu on IBM z Systems:
  Triaged
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  == Comment: #0 - Hendrik Brueckner <brueckner@xxxxxxxxxx> - 2016-05-23 09:09:00 ==
  Please backport upstream Linux commit ID:

  commit dba599091c191d209b1499511a524ad9657c0e5a
  Author: Sebastian Ott <sebott@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Apr 15 09:41:35 2016 +0200

      s390/pci: fix use after free in dma_init
      
      After a failure during registration of the dma_table (because of the
      function being in error state) we free its memory but don't reset the
      associated pointer to zero.
      
      When we then receive a notification from firmware (about the function
      being in error state) we'll try to walk and free the dma_table again.
      
      Fix this by resetting the dma_table pointer. In addition to that make
      sure that we free the iommu_bitmap when appropriate.
      
      Signed-off-by: Sebastian Ott <sebott@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Gerald Schaefer <gerald.schaefer@xxxxxxxxxx>
      Signed-off-by: Martin Schwidefsky <schwidefsky@xxxxxxxxxx>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1584828/+subscriptions
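
The failure sequence from the commit message above, as an added user-space model (not the kernel's code and not part of the original bug report): `struct dev`, `obj_alloc`, `obj_free`, `dma_init`, `dma_exit` and the pool allocator are hypothetical stand-ins. The pool only marks objects dead, so the second free is counted instead of corrupting memory.

```c
#include <stdio.h>
/* Constructed user-space model; every name here is hypothetical, not kernel code. */
struct obj { int live; };                       /* stands in for one allocation */
struct dev { struct obj *dma_table, *iommu_bitmap; };
static struct obj pool[4];                      /* never really released, so checks are safe */
static int next_slot, double_frees;

static struct obj *obj_alloc(void) {
    pool[next_slot].live = 1;
    return &pool[next_slot++];
}

static void obj_free(struct obj *o) {
    if (!o) return;                             /* NULL is a no-op, like kfree(NULL) */
    if (!o->live) { double_frees++; return; }   /* second free of the same object */
    o->live = 0;
}

/* Registration always fails here, modelling a function in error state. */
static int dma_init(struct dev *d, int fixed) {
    d->dma_table = obj_alloc();
    d->iommu_bitmap = obj_alloc();
    obj_free(d->dma_table);                     /* error path frees the table ... */
    if (fixed) {
        d->dma_table = NULL;                    /* ... and the fix resets the pointer */
        obj_free(d->iommu_bitmap);
        d->iommu_bitmap = NULL;
    }
    return -1;
}

/* Teardown that runs when the later error notification arrives. */
static void dma_exit(struct dev *d) {
    obj_free(d->dma_table);    d->dma_table = NULL;
    obj_free(d->iommu_bitmap); d->iommu_bitmap = NULL;
}

/* Returns how many double frees the failed-init-then-notification sequence causes. */
static int run_scenario(int fixed) {
    struct dev d = {0};
    next_slot = double_frees = 0;
    if (dma_init(&d, fixed) != 0)
        dma_exit(&d);
    return double_frees;
}

int main(void) {
    printf("stale pointer: %d, pointer reset: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```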