CVE-2022-48954

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48954
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48954.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48954
Downstream
Related
Published
2024-10-21T20:05:41Z
Modified
2025-10-15T17:39:54.734193Z
Summary
s390/qeth: fix use-after-free in hsci
Details

In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: fix use-after-free in hsci

KASAN found that addr was dereferenced after br2dev_event_work was freed.

==================================================================
BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
Hardware name: IBM 8561 T01 703 (LPAR)
Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
Call Trace:
 [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
 [<000000016942d118>] print_report+0x110/0x1f8
 [<0000000167a7bd04>] kasan_report+0xfc/0x128
 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
 [<00000001673edd1e>] process_one_work+0x76e/0x1128
 [<00000001673ee85c>] worker_thread+0x184/0x1098
 [<000000016740718a>] kthread+0x26a/0x310
 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
 [<00000001694711da>] ret_from_fork+0xa/0x40
Allocated by task 108338:
 kasan_save_stack+0x40/0x68
 kasan_set_track+0x36/0x48
 __kasan_kmalloc+0xa0/0xc0
 qeth_l2_switchdev_event+0x25a/0x738
 atomic_notifier_call_chain+0x9c/0xf8
 br_switchdev_fdb_notify+0xf4/0x110
 fdb_notify+0x122/0x180
 fdb_add_entry.constprop.0.isra.0+0x312/0x558
 br_fdb_add+0x59e/0x858
 rtnl_fdb_add+0x58a/0x928
 rtnetlink_rcv_msg+0x5f8/0x8d8
 netlink_rcv_skb+0x1f2/0x408
 netlink_unicast+0x570/0x790
 netlink_sendmsg+0x752/0xbe0
 sock_sendmsg+0xca/0x110
 ____sys_sendmsg+0x510/0x6a8
 ___sys_sendmsg+0x12a/0x180
 __sys_sendmsg+0xe6/0x168
 __do_sys_socketcall+0x3c8/0x468
 do_syscall+0x22c/0x328
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
Freed by task 540:
 kasan_save_stack+0x40/0x68
 kasan_set_track+0x36/0x48
 kasan_save_free_info+0x4c/0x68
 ____kasan_slab_free+0x14e/0x1a8
 __kasan_slab_free+0x24/0x30
 __kmem_cache_free+0x168/0x338
 qeth_l2_br2dev_worker+0x154/0x6b0
 process_one_work+0x76e/0x1128
 worker_thread+0x184/0x1098
 kthread+0x26a/0x310
 __ret_from_fork+0x8a/0xe8
 ret_from_fork+0xa/0x40
Last potentially related work creation:
 kasan_save_stack+0x40/0x68
 __kasan_record_aux_stack+0xbe/0xd0
 insert_work+0x56/0x2e8
 __queue_work+0x4ce/0xd10
 queue_work_on+0xf4/0x100
 qeth_l2_switchdev_event+0x520/0x738
 atomic_notifier_call_chain+0x9c/0xf8
 br_switchdev_fdb_notify+0xf4/0x110
 fdb_notify+0x122/0x180
 fdb_add_entry.constprop.0.isra.0+0x312/0x558
 br_fdb_add+0x59e/0x858
 rtnl_fdb_add+0x58a/0x928
 rtnetlink_rcv_msg+0x5f8/0x8d8
 netlink_rcv_skb+0x1f2/0x408
 netlink_unicast+0x570/0x790
 netlink_sendmsg+0x752/0xbe0
 sock_sendmsg+0xca/0x110
 ____sys_sendmsg+0x510/0x6a8
 ___sys_sendmsg+0x12a/0x180
 __sys_sendmsg+0xe6/0x168
 __do_sys_socketcall+0x3c8/0x468
 do_syscall+0x22c/0x328
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
Second to last potentially related work creation:
 kasan_save_stack+0x40/0x68
 __kasan_record_aux_stack+0xbe/0xd0
 kvfree_call_rcu+0xb2/0x760
 kernfs_unlink_open_file+0x348/0x430
 kernfs_fop_release+0xc2/0x320
 __fput+0x1ae/0x768
 task_work_run+0x1bc/0x298
 exit_to_user_mode_prepare+0x1a0/0x1a8
 __do_syscall+0x94/0xf0
 system_call+0x82/0xb0
The buggy address belongs to the object at 00000000fdcea400
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
 96-byte region [00000000fdcea400, 00000000fdcea460)
The buggy address belongs to the physical page:
page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
flags: 0x3ffff00000000200(slab|node=0|zone=1|last_cpupid=0x1ffff)
raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 00000000fdcea380: fb fb fb fb fb fb f ---truncated---
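Reading the report: the work item is a 96-byte kmalloc-96 object allocated in qeth_l2_switchdev_event on the netlink FDB-add path (rtnl_fdb_add, br_fdb_add, br_switchdev_fdb_notify), so a bridge FDB update on a qeth L2 device is what queues it. The same worker then frees the item at qeth_l2_br2dev_worker+0x154 and reads one byte at offset 64 inside it at +0x5ba, which is the addr pointer still aiming at the MAC stored inline in the freed item. In the shadow dump, fb marks freed slab memory and fc marks a redzone. The added userspace C model below is not code from this page or from the qeth driver; the struct, the 0xfb poisoning allocator and every function name are hypothetical stand-ins that reproduce only the lifetime mistake (free the item, then read through a pointer into it) beside the shape of the fix (every use of addr before the free). A one-slot quarantine poisons the block instead of recycling it, so the stale read observably returns poison rather than undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_ALEN 6
#define KASAN_FREE_POISON 0xfb  /* byte KASAN shows for freed slab memory ("fb" in the report) */

/* Hypothetical stand-in for the driver's work item: the MAC lives inline. */
struct model_event_work {
    unsigned long event;
    unsigned char addr[ETH_ALEN];
};

/* One-slot quarantine standing in for KASAN's behaviour on kfree(): the block
 * is poisoned but not recycled, so a later read through a stale pointer
 * returns the poison value instead of invoking undefined behaviour. */
static struct model_event_work *quarantine;

static void model_kfree(struct model_event_work *w)
{
    memset(w, KASAN_FREE_POISON, sizeof *w);
    quarantine = w;
}

static void model_quarantine_flush(void)
{
    free(quarantine);
    quarantine = NULL;
}

/* Mirrors the allocation in the switchdev notifier: copy the FDB entry's MAC
 * into a freshly allocated work item so the worker can run later. */
static struct model_event_work *model_queue_event(unsigned long event,
                                                 const unsigned char *mac)
{
    struct model_event_work *w = malloc(sizeof *w);
    if (!w)
        return NULL;
    w->event = event;
    memcpy(w->addr, mac, ETH_ALEN);
    return w;
}

/* Buggy worker: caches a pointer into the work item, frees the item early and
 * keeps using the pointer. Returns the first byte it "processed". */
static unsigned char buggy_worker(struct model_event_work *w)
{
    unsigned char *addr = w->addr;  /* aims inside the work item */
    model_kfree(w);                 /* freed before the last use of addr */
    return addr[0];                 /* use-after-free: reads KASAN poison */
}

/* Fixed worker: the free is the last thing that happens, after every use. */
static unsigned char fixed_worker(struct model_event_work *w)
{
    unsigned char *addr = w->addr;
    unsigned char first = addr[0];  /* every use of addr comes first */
    model_kfree(w);                 /* item no longer needed, free it last */
    return first;
}

/* Runs one constructed FDB-add event through either worker and returns the
 * byte the worker saw: 0x02 is the sample MAC's first byte, 0xfb is poison. */
static unsigned char run_scenario(int use_fixed_worker)
{
    /* constructed sample MAC, not taken from the report */
    static const unsigned char mac[ETH_ALEN] = { 0x02, 0x00, 0x00, 0xaa, 0xbb, 0xcc };
    struct model_event_work *w = model_queue_event(1UL, mac);
    unsigned char seen;

    if (!w)
        return 0;
    seen = use_fixed_worker ? fixed_worker(w) : buggy_worker(w);
    model_quarantine_flush();
    return seen;
}

int main(void)
{
    printf("buggy worker saw 0x%02x (poison is 0x%02x)\n",
           run_scenario(0), KASAN_FREE_POISON);
    printf("fixed worker saw 0x%02x (sample MAC starts with 0x02)\n",
           run_scenario(1));
    return 0;
}
```

The ordering rule the fixed variant follows is the general one for work items that carry their own payload: anything the worker derives from the item (here a pointer into it) is only valid until the item is freed, so the kfree belongs after the last such use, typically at the function's exit path. On a real kernel the read would only be caught with KASAN enabled; without it the worker silently consumes whatever the slab allocator has since placed in that kmalloc-96 slot.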

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f7936b7b2663c99a096a5c432ba96ab1e91a6c0f
Fixed
db6343a5b0d9661f2dd76f653c6d274d38234d2b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f7936b7b2663c99a096a5c432ba96ab1e91a6c0f
Fixed
bde0dfc7c4569406a6ddeec363d04a1df7b3073f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f7936b7b2663c99a096a5c432ba96ab1e91a6c0f
Fixed
ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4

Affected versions

v5.*

v5.14
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.82
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
5.15.83
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.13