linux/drivers
Zqiang cedb0187b8 usb: gadget: function: printer: fix use-after-free in __lock_acquire
[ Upstream commit e8d5f92b8d ]

Fix this by increasing the object reference count.

BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180
kernel/locking/lockdep.c:3831
Read of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377

CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831
 lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
 printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xfb/0x130 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4531a9
Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9
RDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61
R13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff

Allocated by task 2393:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416
 usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
 config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444
 configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202
 vfs_symlink+0x33d/0x5b0 fs/namei.c:4201
 do_symlinkat+0x11b/0x1d0 fs/namei.c:4228
 __do_sys_symlinkat fs/namei.c:4242 [inline]
 __se_sys_symlinkat fs/namei.c:4239 [inline]
 __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3368:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 slab_free_hook mm/slub.c:1444 [inline]
 slab_free_freelist_hook mm/slub.c:1477 [inline]
 slab_free mm/slub.c:3034 [inline]
 kfree+0xf7/0x410 mm/slub.c:3995
 gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353
 usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
 config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485
 configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250
 vfs_unlink+0x287/0x570 fs/namei.c:4073
 do_unlinkat+0x4f9/0x620 fs/namei.c:4137
 __do_sys_unlink fs/namei.c:4184 [inline]
 __se_sys_unlink fs/namei.c:4182 [inline]
 __x64_sys_unlink+0x42/0x50 fs/namei.c:4182
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880683b0000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of
 1024-byte region [ffff8880683b0000, ffff8880683b0400)
The buggy address belongs to the page:
page:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300
index:0xffff8880683b1800 compound_mapcount: 0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300
raw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Reported-by: Kyungtae Kim <kt0755@gmail.com>
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-10-30 10:38:29 +01:00
accessibility
acpi ACPI: EC: Reference count query handlers under lock 2020-10-01 13:14:30 +02:00
amba
android binder: fix UAF when releasing todo list 2020-10-29 09:54:56 +01:00
ata ata: sata_mv, avoid trigerrable BUG_ON 2020-10-01 13:14:54 +02:00
atm atm: eni: fix the missed pci_disable_device() for eni_init_one() 2020-10-01 13:14:51 +02:00
auxdisplay
base driver core: Fix probe_count imbalance in really_probe() 2020-10-14 10:31:22 +02:00
bcma
block rbd: require global CAP_SYS_ADMIN for mapping and unmapping 2020-09-17 13:45:29 +02:00
bluetooth Bluetooth: hci_uart: Cancel init work before unregistering 2020-10-29 09:55:05 +01:00
bus bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal 2020-10-01 13:14:35 +02:00
cdrom
char drivers: char: tlclk.c: Avoid data race between init and interrupt handler 2020-10-01 13:14:42 +02:00
clk clk: bcm2835: add missing release if devm_clk_hw_register fails 2020-10-30 10:38:22 +01:00
clocksource clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() 2020-10-01 13:14:51 +02:00
connector
cpufreq cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_reboot_notifier 2020-10-30 10:38:20 +01:00
cpuidle cpuidle: Fixup IRQ state 2020-09-09 19:04:23 +02:00
crypto crypto: ccp - fix error handling 2020-10-30 10:38:26 +01:00
dax
dca
devfreq PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out 2020-10-01 13:14:26 +02:00
dio
dma dmaengine: tegra-apb: Prevent race conditions on channel's freeing 2020-10-01 13:14:35 +02:00
dma-buf dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling) 2020-10-01 13:14:24 +02:00
edac EDAC/ti: Fix handling of platform_get_irq() error 2020-10-29 09:55:00 +01:00
eisa
extcon extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' 2020-06-25 15:33:01 +02:00
firewire
firmware firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp 2020-10-01 13:14:35 +02:00
fmc
fpga fpga: dfl: fix bug in port reset handshake 2020-07-29 10:16:48 +02:00
fsi
gnss gnss: sirf: fix error return code in sirf_probe() 2020-06-22 09:05:28 +02:00
gpio gpio: sprd: Clear interrupt when setting the type as edge 2020-10-07 08:00:07 +02:00
gpu drm/gma500: fix error check 2020-10-29 09:55:07 +01:00
hid HID: hid-input: fix stylus battery reporting 2020-10-29 09:55:12 +01:00
hsi
hv Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload 2020-09-23 12:10:59 +02:00
hwmon hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61} 2020-10-29 09:55:02 +01:00
hwspinlock
hwtracing coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb() 2020-08-19 08:14:58 +02:00
i2c i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs 2020-10-30 10:38:26 +01:00
ide
idle
iio iio:accel:mma8452: Fix timestamp alignment and prevent data leak. 2020-09-17 13:45:28 +02:00
infiniband IB/rdmavt: Fix sizeof mismatch 2020-10-30 10:38:20 +01:00
input Input: sun4i-ps2 - fix handling of platform_get_irq() error 2020-10-30 10:38:24 +01:00
iommu iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() 2020-10-07 08:00:07 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:37:43 +02:00
irqchip irqchip/stm32-exti: Avoid losing interrupts due to clearing pending bits by mistake 2020-09-03 11:24:29 +02:00
isdn PCI: add USR vendor id and use it in r8169 and w6692 driver 2020-06-22 09:05:23 +02:00
leds leds: mlxreg: Fix possible buffer overflow 2020-10-01 13:14:25 +02:00
lightnvm
macintosh drivers/macintosh: Fix memleak in windfarm_pm112 driver 2020-06-22 09:05:29 +02:00
mailbox mailbox: avoid timer start from callback 2020-10-30 10:38:21 +01:00
mcb
md bcache: fix a lost wake-up problem caused by mca_cannibalize_lock 2020-10-01 13:14:27 +02:00
media media: venus: core: Fix runtime PM imbalance in venus_probe 2020-10-30 10:38:28 +01:00
memory memory: fsl-corenet-cf: Fix handling of platform_get_irq() error 2020-10-30 10:38:24 +01:00
memstick
message scsi: mptscsih: Fix read sense data size 2020-07-16 08:17:23 +02:00
mfd mfd: sm501: Fix leaks in probe() 2020-10-29 09:55:13 +01:00
misc misc: vop: add round_up(x,4) for vring_size to avoid kernel panic 2020-10-30 10:38:29 +01:00
mmc mmc: sdio: Check for CISTPL_VERS_1 buffer size 2020-10-30 10:38:28 +01:00
mtd mtd: mtdoops: Don't write panic data twice 2020-10-29 09:55:17 +01:00
mux
net net: korina: fix kfree of rx/tx descriptor array 2020-10-29 09:55:15 +01:00
nfc NFC: st95hf: Fix memleak in st95hf_in_send_cmd 2020-09-17 13:45:24 +02:00
ntb NTB: hw: amd: fix an issue about leak system resources 2020-10-30 10:38:25 +01:00
nubus
nvdimm libnvdimm: Fix endian conversion issues 2020-06-07 13:17:53 +02:00
nvme nvmet: fix uninitialized work for zero kato 2020-10-30 10:38:25 +01:00
nvmem nvmem: qfprom: remove incorrect write support 2020-06-10 21:35:00 +02:00
of of: of_mdio: Correct loop scanning logic 2020-07-22 09:32:03 +02:00
opp
oprofile
parisc parisc: mask out enable and reserved bits from sba imask 2020-08-19 08:15:07 +02:00
parport
pci PCI: iproc: Set affinity mask on MSI interrupts 2020-10-30 10:38:21 +01:00
pcmcia
perf drivers/perf: xgene_pmu: Fix uninitialized resource struct 2020-10-29 09:55:00 +01:00
phy phy: samsung: s5pv210-usb2: Add delay after reset 2020-10-01 13:14:44 +02:00
pinctrl pinctrl: mcp23s08: Fix mcp23x17 precious range 2020-10-29 09:55:10 +01:00
platform platform/x86: mlx-platform: Remove PSU EEPROM configuration 2020-10-29 09:55:14 +01:00
pnp
power power: supply: max17040: Correct voltage reading 2020-10-01 13:14:43 +02:00
powercap
pps
ps3
ptp
pwm pwm: img: Fix null pointer access in probe 2020-10-30 10:38:21 +01:00
rapidio rapidio: fix the missed put_device() for rio_mport_add_riodev 2020-10-30 10:38:21 +01:00
ras
regulator regulator: resolve supply after creating regulator 2020-10-29 09:55:04 +01:00
remoteproc remoteproc: qcom: q6v5: Update running state before requesting stop 2020-08-21 11:05:34 +02:00
reset
rpmsg rpmsg: smd: Fix a kobj leak in in qcom_smd_parse_edge() 2020-10-30 10:38:21 +01:00
rtc rtc: ds1374: fix possible race condition 2020-10-01 13:14:38 +02:00
s390 s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl 2020-10-01 13:14:54 +02:00
sbus
scsi scsi: mvumi: Fix error return in mvumi_io_attach() 2020-10-30 10:38:28 +01:00
sfi
sh
siox
slimbus slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback 2020-10-29 09:55:12 +01:00
sn
soc soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag 2020-08-19 08:14:50 +02:00
soundwire
spi spi: spi-s3c64xx: Check return values 2020-10-29 09:55:05 +01:00
spmi
ssb
staging staging: rtl8192u: Do not use GFP_KERNEL in atomic context 2020-10-29 09:55:07 +01:00
target scsi: target: tcmu: Fix warning: 'page' may be used uninitialized 2020-10-29 09:55:14 +01:00
tc
tee
thermal thermal: rcar_thermal: Handle probe error gracefully 2020-10-01 13:14:39 +02:00
thunderbolt thunderbolt: Drop duplicated get_switch_at_route() 2020-05-27 17:37:40 +02:00
tty pty: do tty_flip_buffer_push without port->lock in pty_write 2020-10-29 09:55:08 +01:00
uio uio_pdrv_genirq: fix use without device tree and no interrupt 2020-07-22 09:32:11 +02:00
usb usb: gadget: function: printer: fix use-after-free in __lock_acquire 2020-10-30 10:38:29 +01:00
uwb
vfio vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages 2020-10-30 10:38:23 +01:00
vhost vsock/virtio: add transport parameter to the virtio_transport_reset_no_sock() 2020-10-07 08:00:05 +02:00
video video: fbdev: radeon: Fix memleak in radeonfb_pci_register 2020-10-29 09:55:09 +01:00
virt drivers/virt/fsl_hypervisor: Fix error handling path 2020-10-29 09:55:09 +01:00
virtio virtio_ring: Avoid loop when vq is broken in virtqueue_poll 2020-08-26 10:31:01 +02:00
visorbus
vlynq
vme
w1 w1: omap-hdq: cleanup to add missing newline for some dev_dbg 2020-06-22 09:05:30 +02:00
watchdog watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 2020-10-30 10:38:22 +01:00
xen xen/xenbus: Fix granting of vmalloc'd memory 2020-09-09 19:04:24 +02:00
zorro
Kconfig
Makefile