github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-24 15:11:55 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
14f4eaedda
linux/drivers
History
Mauro Carvalho Chehab 14f4eaedda media: dvbsky: fix driver unregister logic 
There's a user-after-free there, if the frontend is attached
via the new I2C way:

[  112.539806] usbcore: deregistering interface driver dvb_usb_dvbsky
[  112.568489] ==================================================================
[  112.568600] BUG: KASAN: use-after-free in dvb_unregister_frontend+0x18/0xb0 [dvb_core]
[  112.568610] Read of size 8 at addr ffff8803a6f61530 by task rmmod/2246

[  112.568622] CPU: 0 PID: 2246 Comm: rmmod Not tainted 4.16.0-rc4+ #103
[  112.568624] Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
[  112.568625] Call Trace:
[  112.568631]  dump_stack+0x5c/0x7c
[  112.568636]  print_address_description+0x6a/0x270
[  112.568640]  kasan_report+0x258/0x380
[  112.568657]  ? dvb_unregister_frontend+0x18/0xb0 [dvb_core]
[  112.568673]  dvb_unregister_frontend+0x18/0xb0 [dvb_core]
[  112.568681]  dvb_usbv2_exit+0x156/0x4a0 [dvb_usb_v2]
[  112.568689]  dvb_usbv2_disconnect+0xa0/0x140 [dvb_usb_v2]
[  112.568694]  usb_unbind_interface+0xd8/0x3f0
[  112.568700]  device_release_driver_internal+0x1ce/0x2f0
[  112.568705]  driver_detach+0x66/0xc0
[  112.568709]  bus_remove_driver+0x86/0x150
[  112.568713]  usb_deregister+0x90/0x180
[  112.568718]  SyS_delete_module+0x293/0x330
[  112.568721]  ? free_module+0x330/0x330
[  112.568725]  ? _cond_resched+0x16/0x50
[  112.568729]  ? task_work_run+0x7d/0xd0
[  112.568732]  ? mem_cgroup_handle_over_high+0x1c/0xc0
[  112.568736]  ? free_module+0x330/0x330
[  112.568740]  do_syscall_64+0xe7/0x250
[  112.568744]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  112.568747] RIP: 0033:0x7facafa272a7
[  112.568749] RSP: 002b:00007fffdea14cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[  112.568753] RAX: ffffffffffffffda RBX: 00007fffdea14d28 RCX: 00007facafa272a7
[  112.568755] RDX: 000000000000000a RSI: 0000000000000800 RDI: 00005599557337c8
[  112.568756] RBP: 0000559955733760 R08: 000000000000000a R09: 0000000000000000
[  112.568758] R10: 00007facafaa0280 R11: 0000000000000206 R12: 00007fffdea14ef0
[  112.568761] R13: 00007fffdea16eac R14: 0000559955733260 R15: 0000559955733760

[  112.568808] Allocated by task 638:
[  112.568816]  kasan_kmalloc+0xa0/0xd0
[  112.568820]  kmem_cache_alloc_trace+0x114/0x230
[  112.568826]  m88ds3103_probe+0x9a/0x643 [m88ds3103]
[  112.568830]  i2c_device_probe+0x2e9/0x3c0
[  112.568833]  driver_probe_device+0x46e/0x6a0
[  112.568836]  bus_for_each_drv+0xd6/0x130
[  112.568838]  __device_attach+0x166/0x1f0
[  112.568841]  bus_probe_device+0xea/0x110
[  112.568844]  device_add+0x6a3/0x9f0
[  112.568847]  i2c_new_device+0x28f/0x5c0
[  112.568861]  dvb_module_probe+0x91/0x110 [dvb_core]
[  112.568867]  dvbsky_s960c_attach+0x1c4/0x460 [dvb_usb_dvbsky]
[  112.568873]  dvb_usbv2_probe+0x1191/0x1950 [dvb_usb_v2]
[  112.568877]  usb_probe_interface+0x1b3/0x430
[  112.568880]  driver_probe_device+0x46e/0x6a0
[  112.568882]  __driver_attach+0xeb/0x110
[  112.568885]  bus_for_each_dev+0xe4/0x140
[  112.568888]  bus_add_driver+0x249/0x380
[  112.568891]  driver_register+0xc6/0x170
[  112.568893]  usb_register_driver+0xec/0x200
[  112.568896]  do_one_initcall+0x8f/0x1ee
[  112.568900]  do_init_module+0xde/0x320
[  112.568902]  load_module+0x3ed0/0x4850
[  112.568905]  SYSC_finit_module+0x192/0x1c0
[  112.568908]  do_syscall_64+0xe7/0x250
[  112.568911]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[  112.568916] Freed by task 2246:
[  112.568923]  __kasan_slab_free+0x136/0x180
[  112.568925]  kfree+0xa5/0x1e0
[  112.568931]  m88ds3103_remove+0x42/0x60 [m88ds3103]
[  112.568934]  i2c_device_remove+0x72/0xd0
[  112.568937]  device_release_driver_internal+0x1ce/0x2f0
[  112.568940]  bus_remove_device+0x197/0x270
[  112.568942]  device_del+0x239/0x550
[  112.568945]  device_unregister+0x16/0x70
[  112.568949]  dvbsky_exit+0x4c/0x70 [dvb_usb_dvbsky]
[  112.568955]  dvb_usbv2_disconnect+0x98/0x140 [dvb_usb_v2]
[  112.568958]  usb_unbind_interface+0xd8/0x3f0
[  112.568961]  device_release_driver_internal+0x1ce/0x2f0
[  112.568964]  driver_detach+0x66/0xc0
[  112.568967]  bus_remove_driver+0x86/0x150
[  112.568970]  usb_deregister+0x90/0x180
[  112.568973]  SyS_delete_module+0x293/0x330
[  112.568976]  do_syscall_64+0xe7/0x250
[  112.568979]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[  112.568985] The buggy address belongs to the object at ffff8803a6f61100
                which belongs to the cache kmalloc-2048 of size 2048
[  112.568998] The buggy address is located 1072 bytes inside of
                2048-byte region [ffff8803a6f61100, ffff8803a6f61900)
[  112.569008] The buggy address belongs to the page:
[  112.569015] page:ffffea000e9bd800 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[  112.569025] flags: 0x17ffe000008100(slab|head)
[  112.569034] raw: 0017ffe000008100 0000000000000000 0000000000000000 00000001000f000f
[  112.569044] raw: ffffea000ee2d000 0000000500000005 ffff880407002a80 0000000000000000
[  112.569053] page dumped because: kasan: bad access detected

[  112.569062] Memory state around the buggy address:
[  112.569070]  ffff8803a6f61400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.569079]  ffff8803a6f61480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.569088] >ffff8803a6f61500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.569095]                                      ^
[  112.569103]  ffff8803a6f61580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.569112]  ffff8803a6f61600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  112.569119] ==================================================================
[  112.569127] Disabling lock debugging due to kernel taint
[  112.571161] dvb_usb_v2: 'DVBSky S960CI:2-2' successfully deinitialized and disconnected

Fix it by letting the dvb-usb-v2 core to know that the frontend
was already removed.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-05-04 10:55:12 -04:00
..
accessibility
acpi xen: fixes for 4.17-rc1 2018-04-12 11:04:35 -07:00
amba
android
ata Merge branch 'for-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2018-04-03 17:42:25 -07:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-04-01 19:49:34 -04:00
auxdisplay
base mm: check __highest_present_section_nr directly in memory_dev_init() 2018-04-11 10:28:31 -07:00
bcma
block for-linus-20180413 2018-04-13 15:15:15 -07:00
bluetooth Bluetooth: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for BTUSB_QCA_ROME 2018-04-01 21:43:02 +03:00
bus pci-v4.17-changes 2018-04-06 18:31:06 -07:00
cdrom
char RTC for 4.17 2018-04-10 10:22:27 -07:00
clk The large diff this time around is from the addition of a new clk driver 2018-04-13 15:51:06 -07:00
clocksource ARM: SoC platform updates for 4.17 2018-04-05 21:21:08 -07:00
connector
cpufreq cpufreq: Drop cpufreq_table_validate_and_show() 2018-04-10 08:40:45 +02:00
cpuidle cpuidle: menu: Avoid selecting shallow states with stopped tick 2018-04-09 11:54:57 +02:00
crypto .gitignore: move *-asn1.[ch] patterns to the top-level .gitignore 2018-04-07 19:04:02 +09:00
dax libnvdimm for 4.17 2018-04-10 10:25:57 -07:00
dca
devfreq
dio
dma DMAengine updates for v4.17-rc1 2018-04-10 12:14:37 -07:00
dma-buf
edac * Add NVDIMM support to EDAC (Tony Luck) 2018-04-05 14:21:13 -07:00
eisa
extcon Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
firewire
firmware Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging 2018-04-13 16:32:16 -07:00
fmc
fpga
fsi
gpio DeviceTree updates for 4.17: 2018-04-05 21:03:42 -07:00
gpu amdgpu, omap and snd regression fix 2018-04-12 20:56:10 -07:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2018-04-05 11:53:34 -07:00
hsi
hv ARM: 2018-04-09 11:42:31 -07:00
hwmon hwmon updates for v4.17 2018-04-09 19:59:54 -07:00
hwspinlock
hwtracing Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
i2c i2c: add param sanity check to i2c_transfer() 2018-04-11 23:33:46 +02:00
ide for-4.17/block-20180402 2018-04-05 14:27:02 -07:00
idle
iio This is the bulk of GPIO changes for the v4.17 kernel cycle: 2018-04-05 09:51:41 -07:00
infiniband Merge candidates for 4.17 merge window 2018-04-06 17:35:43 -07:00
input Changes to chrome-platform for v4.17 2018-04-13 16:20:36 -07:00
iommu IOMMU Updates for Linux v4.17 2018-04-11 18:50:41 -07:00
ipack
irqchip IOMMU Updates for Linux v4.17 2018-04-11 18:50:41 -07:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-04-03 14:04:18 -07:00
leds
lightnvm lightnvm: pblk: remove some unnecessary NULL checks 2018-03-29 17:29:09 -06:00
macintosh powerpc updates for 4.17 2018-04-07 12:08:19 -07:00
mailbox
mcb
md libnvdimm for 4.17 2018-04-10 10:25:57 -07:00
media media: dvbsky: fix driver unregister logic 2018-05-04 10:55:12 -04:00
memory
memstick
message
mfd platform/chrome: mfd/cros_ec_dev: Add sysfs entry to set keyboard wake lid angle 2018-04-10 22:25:07 -07:00
misc * Fix 2032 time access issues and new compiler warnings 2018-04-12 10:21:19 -07:00
mmc MMC core: 2018-04-12 10:59:03 -07:00
mtd This pull request contains updates for both UBI and UBIFS: 2018-04-11 16:39:34 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-04-12 11:09:05 -07:00
nfc
ntb
nubus
nvdimm libnvdimm for 4.17 2018-04-10 10:25:57 -07:00
nvme nvme: expand nvmf_check_if_ready checks 2018-04-12 09:58:27 -06:00
nvmem Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
of Kbuild updates for v4.17 (2nd) 2018-04-15 17:21:30 -07:00
opp
oprofile oprofilefs: don't oops on allocation failure 2018-03-29 15:07:48 -04:00
parisc parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode 2018-03-27 18:52:22 +02:00
parport Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
pci PCI: Remove messages about reassigning resources 2018-04-11 08:46:50 -05:00
pcmcia Merge branch 'for-linus-sa1100' of git://git.armlinux.org.uk/~rmk/linux-arm 2018-04-09 09:26:36 -07:00
perf ARM: SoC driver updates for 4.17 2018-04-05 21:29:35 -07:00
phy ARM: SoC platform updates for 4.17 2018-04-05 21:21:08 -07:00
pinctrl This is the bulk of GPIO changes for the v4.17 kernel cycle: 2018-04-05 09:51:41 -07:00
platform Changes to chrome-platform for v4.17 2018-04-13 16:20:36 -07:00
pnp media: sound, isapnp: allow building more drivers with COMPILE_TEST 2018-04-20 10:53:45 -04:00
power ARM: SoC platform updates for 4.17 2018-04-05 21:21:08 -07:00
powercap
pps
ps3
ptp
pwm pwm: Changes for v4.17-rc1 2018-04-13 15:46:21 -07:00
rapidio rapidio: use a reference count for struct mport_dma_req 2018-04-11 10:28:37 -07:00
ras
regulator Merge remote-tracking branches 'regulator/topic/88pg86x', 'regulator/topic/dt', 'regulator/topic/formatting' and 'regulator/topic/gpio' into regulator-next 2018-03-28 10:33:53 +08:00
remoteproc remoteproc: fix null pointer dereference on glink only platforms 2018-04-05 22:53:16 -07:00
reset
rpmsg rpmsg: smd: Use announce_create to process any receive work 2018-03-27 21:54:37 -07:00
rtc RTC for 4.17 2018-04-10 10:22:27 -07:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2018-04-13 09:43:20 -07:00
sbus sparc64: Properly range check DAX completion index 2018-04-01 20:07:00 -04:00
scsi SCSI fixes on 20180415 2018-04-15 17:24:12 -07:00
sfi
sh
siox
slimbus
sn
soc The large diff this time around is from the addition of a new clk driver 2018-04-13 15:51:06 -07:00
soundwire
spi spi: SPI updates for v4.17 2018-04-03 12:06:21 -07:00
spmi
ssb
staging media: staging: tegra-vde: Correct included header 2018-05-04 06:33:57 -04:00
target for-4.17/block-20180402 2018-04-05 14:27:02 -07:00
tc
tee
thermal Merge branches 'thermal-core' and 'thermal-soc' into next 2018-04-13 14:11:53 +08:00
thunderbolt
tty Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2018-04-09 09:04:10 -07:00
uio
usb Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2018-04-07 11:11:41 -07:00
uwb
vfio VFIO updates for v4.17-rc1 2018-04-06 19:44:27 -07:00
vhost vhost: return bool from *_access_ok() functions 2018-04-11 10:54:06 -04:00
video drivers: omap2: Kconfig: make FB_OMAP2_DSS_INIT depend on OF 2018-05-04 08:27:04 -04:00
virt
virtio virtio: feature 2018-04-11 18:58:27 -07:00
visorbus
vlynq
vme
w1
watchdog linux-watchdog 4.17-rc1 merge window tag 2018-04-13 15:43:50 -07:00
xen xen: fixes for 4.17-rc1 2018-04-12 11:04:35 -07:00
zorro
Kconfig hwtracing: Add HW tracing support menu 2018-03-29 13:38:10 +03:00
Makefile