From nobody Mon Feb 9 19:54:46 2026 Received: from mail-yx1-f100.google.com (mail-yx1-f100.google.com [74.125.224.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 225E61487E9 for ; Tue, 23 Dec 2025 07:48:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.224.100 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766476138; cv=none; b=PphpJDiJPhwBzk2negclfwZY5ivBIn6rFLq3/QLlr4qwtsij6O9VizR64cIO7MH7OsHY/p5fy4NiCzn507wq9bDCZFWa81r4bkLQZ6doZsvtCWYekUDiaoefycxfj05wV26w6hNIY792A6AWsi2ge73eMHMvRYzvBiwOfZLQSuw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766476138; c=relaxed/simple; bh=rcMivwbpLDSuRQiPAY1S5YZ/j3nyXSgNms8MUEjIS20=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Fy+jXGgRbwglmpQ0YhpYx+wsGn5wBUngLxUBIuwAo30SZ9yIT+qghsWp5o9lctLhB3K9akFbH6zQWvCzg04++79DiZHoVHR9f7Nxrn0zxuQg3f2jYNeE9PjER/65NAim00ST/Wl8g98deB7xKicJMfpyyvF8iInuHxIKCzHaSDs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=M+CLeqrW; arc=none smtp.client-ip=74.125.224.100 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="M+CLeqrW" Received: by mail-yx1-f100.google.com with SMTP id 956f58d0204a3-644752b3105so636541d50.3 for ; Mon, 22 Dec 2025 23:48:56 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766476136; x=1767080936; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:dkim-signature:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9MB5/klIZLcRdn29G8MESTTyUAHutoCNjLyvX9pZr2o=; b=eE7l4Tjmg9um3rAWMQEyPhcR1wTv6TpaAr7DmC7CHcOat4AKPl1GUajednKkKXgjiK RTk37kcISYtZZl2aJZcCPLfAk/wdHij8MWqwf8SbUeUJNO8Hjz6JgzQN1XIHcVy9uDUb UzFiGrlsuThPpmjpyR+WRPQI8D0IAOt1hNnK/Aw+diY2yukr2a27XGeaTfPmLMpFOp09 FYaejsc0ytjaZQHWFmUR+IzLLhvTHduQpD1JgOSC/BaqyGzcKleM24xw2WSMDKrR29LM 18IGPOgxQBE9oKvne3nVign9dmH9Stdguky+3pNQi7+BhZYVOsTdU+fJDytCkzcjxK2B oe3g== X-Forwarded-Encrypted: i=1; AJvYcCW5oBVANG/e/UpH9L5XJ0aHtbsdhs1kV7rC3mg3VSB4kUVv6Fve117lVAWYiRviDyOA0NtmWpPZcqPyWjA=@vger.kernel.org X-Gm-Message-State: AOJu0YygPOt07My2g12eauDbLlEFzomeEXkG9//MxyvKJrKp5/gdqUrg +ksSAJ2XsAmYzkyGQCIBqun6+LEKlk23rYK3cex+p9Y9U3A8hKqT+OCgexSqCj34NhNAQoCHfAg wOIDTke+EH9Q/2ijKvQpW+Yc8DLSPFQd7TtvYeHudjZOr6pzvL56P7gnrnJiVADdCbtm1Wl+qS1 aY73Z/UjRR4QJpBTvz2/KX4HTf50NYWgHVGEleg4GvA0m64i57/bdixHBBqV8BG/STk9qDiRoMl 4ZqVtukym0/o8DTI+tISURu5r8JaM7oqHx1/aw= X-Gm-Gg: AY/fxX5igQFHVO7581jpCJBWzP1KwlNCd1fIwXLpI/rsh1SXdxmqbUknP/W79uMD5PT 0d9mUqeVBRJGAWQa3tReXsjCpE8jVaE6lFXeUuaZNoq6rvwga0GJORMQX0FEAy7AzT6R/whhvxL vW+eLdJga1ZO4uhrnUEfLl3p2N0kmkeRm6KvJE2TvkUt+rtYyu3Ny3fRwyCdX4r6MN9aXQCR8P7 IYnoZRIfvXwAvw4WuP9MvYa/4yIFw4NzbTCNN2tYjpr25RtGwWuXxzBpGfAV0zrxcCa+3mjSBi/ qp2JQW87FpsY3d4f4Zgi52dSHwhcbSVmR6dm6CL+ujCtCXH5FfkKPa3D1AW6CBNuhYVqv6+dmV3 01C97swLYvxokO3pNkisa5wnQ/Kihohi6bRjgMk4k3/aqzZXrgiSsuXREMwzq7EROGFwJRlITei DINRe/WsqszUtapFiU+ngxTHLbGyRDcGZSnrcWwoV5QkcMn5kZjVHqD0VCSS+veA== X-Google-Smtp-Source: AGHT+IHAFbWC16IKhQG5lrmJU6yiU/V2vlrKYYIfwqRq7fesZyovpJRFUfPwk4L153jglxC/xYYJ62j60st0 X-Received: by 2002:a05:690c:dc9:b0:78c:6918:6ffb with SMTP id 00721157ae682-78fb4025c4bmr101884987b3.2.1766476135931; Mon, 22 Dec 2025 23:48:55 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-19.dlp.protect.broadcom.com. [144.49.247.19]) by smtp-relay.gmail.com with ESMTPS id 00721157ae682-78fb4411a36sm5413607b3.13.2025.12.22.23.48.55 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Dec 2025 23:48:55 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qk1-f200.google.com with SMTP id af79cd13be357-8b5ff26d6a9so122414885a.0 for ; Mon, 22 Dec 2025 23:48:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1766476135; x=1767080935; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=9MB5/klIZLcRdn29G8MESTTyUAHutoCNjLyvX9pZr2o=; b=M+CLeqrWYxBqkVwKBHuG8+ifXsX9UhvSJLFH8wMCu1RZYW+faBDGYZCsMTmlbqz4Sn g2mchP7xChzOJmz3BHPmLpOGlp+CJZJ25LJWU0cQellPgLF4G1K6OhTaQMlDBSAgnYCT vXnqeZbU4PYeq5CBHsgkB7yEzu83xEFrpGKNs= X-Forwarded-Encrypted: i=1; AJvYcCUuDdl3/Tsr5mBxcEZ8dgRdb9TvdHjTN0phpAESqz9mD/cKxw7TbQsP1JSQ5fIYRw5J8oMyYwrMrzAcA+4=@vger.kernel.org X-Received: by 2002:a05:620a:4588:b0:8b2:e177:fb18 with SMTP id af79cd13be357-8c0906edaddmr1517801885a.9.1766476135209; Mon, 22 Dec 2025 23:48:55 -0800 (PST) X-Received: by 2002:a05:620a:4588:b0:8b2:e177:fb18 with SMTP id af79cd13be357-8c0906edaddmr1517800785a.9.1766476134826; Mon, 22 Dec 2025 23:48:54 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8c0971ee247sm1018753185a.27.2025.12.22.23.48.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Dec 2025 23:48:54 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: stuyoder@gmail.com, laurentiu.tudor@nxp.com, Bharat.Bhushan@nxp.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Shin'ichiro Kawasaki , Keerthana K Subject: [PATCH v5.10.y] bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove() Date: Tue, 23 Dec 2025 07:46:25 +0000 Message-ID: <20251223074625.1428715-1-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Shin'ichiro Kawasaki commit 928ea98252ad75118950941683893cf904541da9 upstream. In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io triggers KASAN use-after-free. To avoid the use-after-free, keep the reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to fsl_destroy_mc_io(). This patch needs rework to apply to kernels older than v5.15. Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io") Cc: stable@vger.kernel.org # v5.15+ Signed-off-by: Shin'ichiro Kawasaki Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@= wdc.com Signed-off-by: Greg Kroah-Hartman [ Keerthana: Backported the patch to v5.10.y ] Signed-off-by: Keerthana K --- drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bu= s.c index dd7791f48537..4f13e7d8101b 100644 --- a/drivers/bus/fsl-mc/fsl-mc-bus.c +++ b/drivers/bus/fsl-mc/fsl-mc-bus.c @@ -1085,14 +1085,14 @@ static int fsl_mc_bus_probe(struct platform_device = *pdev) static int fsl_mc_bus_remove(struct platform_device *pdev) { struct fsl_mc *mc =3D platform_get_drvdata(pdev); + struct fsl_mc_io *mc_io; =20 if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev)) return -EINVAL; =20 + mc_io =3D mc->root_mc_bus_dev->mc_io; fsl_mc_device_remove(mc->root_mc_bus_dev); - - fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io); - mc->root_mc_bus_dev->mc_io =3D NULL; + fsl_destroy_mc_io(mc_io); =20 return 0; } --=20 2.43.7