linux-uconsole/drivers
Dmitry Osipenko a63fffbd90 hwmon: (core) Fix double-free in __hwmon_device_register()
commit 74e3512731 upstream.

Fix double-free that happens when thermal zone setup fails, see KASAN log
below.

==================================================================
BUG: KASAN: double-free or invalid-free in __hwmon_device_register+0x5dc/0xa7c

CPU: 0 PID: 132 Comm: kworker/0:2 Tainted: G    B             4.19.0-rc8-next-20181016-00042-gb52cd80401e9-dirty #41
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
Workqueue: events deferred_probe_work_func
Backtrace:
[<c0110540>] (dump_backtrace) from [<c0110944>] (show_stack+0x20/0x24)
[<c0110924>] (show_stack) from [<c105cb08>] (dump_stack+0x9c/0xb0)
[<c105ca6c>] (dump_stack) from [<c02fdaec>] (print_address_description+0x68/0x250)
[<c02fda84>] (print_address_description) from [<c02fd4ac>] (kasan_report_invalid_free+0x68/0x88)
[<c02fd444>] (kasan_report_invalid_free) from [<c02fc85c>] (__kasan_slab_free+0x1f4/0x200)
[<c02fc668>] (__kasan_slab_free) from [<c02fd0c0>] (kasan_slab_free+0x14/0x18)
[<c02fd0ac>] (kasan_slab_free) from [<c02f9c6c>] (kfree+0x90/0x294)
[<c02f9bdc>] (kfree) from [<c0b41bbc>] (__hwmon_device_register+0x5dc/0xa7c)
[<c0b415e0>] (__hwmon_device_register) from [<c0b421e8>] (hwmon_device_register_with_info+0xa0/0xa8)
[<c0b42148>] (hwmon_device_register_with_info) from [<c0b42324>] (devm_hwmon_device_register_with_info+0x74/0xb4)
[<c0b422b0>] (devm_hwmon_device_register_with_info) from [<c0b4481c>] (lm90_probe+0x414/0x578)
[<c0b44408>] (lm90_probe) from [<c0aeeff4>] (i2c_device_probe+0x35c/0x384)
[<c0aeec98>] (i2c_device_probe) from [<c08776cc>] (really_probe+0x290/0x3e4)
[<c087743c>] (really_probe) from [<c0877a2c>] (driver_probe_device+0x80/0x1c4)
[<c08779ac>] (driver_probe_device) from [<c0877da8>] (__device_attach_driver+0x104/0x11c)
[<c0877ca4>] (__device_attach_driver) from [<c0874dd8>] (bus_for_each_drv+0xa4/0xc8)
[<c0874d34>] (bus_for_each_drv) from [<c08773b0>] (__device_attach+0xf0/0x15c)
[<c08772c0>] (__device_attach) from [<c0877e24>] (device_initial_probe+0x1c/0x20)
[<c0877e08>] (device_initial_probe) from [<c08762f4>] (bus_probe_device+0xdc/0xec)
[<c0876218>] (bus_probe_device) from [<c0876a08>] (deferred_probe_work_func+0xa8/0xd4)
[<c0876960>] (deferred_probe_work_func) from [<c01527c4>] (process_one_work+0x3dc/0x96c)
[<c01523e8>] (process_one_work) from [<c01541e0>] (worker_thread+0x4ec/0x8bc)
[<c0153cf4>] (worker_thread) from [<c015b238>] (kthread+0x230/0x240)
[<c015b008>] (kthread) from [<c01010bc>] (ret_from_fork+0x14/0x38)
Exception stack(0xcf743fb0 to 0xcf743ff8)
3fa0:                                     00000000 00000000 00000000 00000000
3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
3fe0: 00000000 00000000 00000000 00000000 00000013 00000000

Allocated by task 132:
 kasan_kmalloc.part.1+0x58/0xf4
 kasan_kmalloc+0x90/0xa4
 kmem_cache_alloc_trace+0x90/0x2a0
 __hwmon_device_register+0xbc/0xa7c
 hwmon_device_register_with_info+0xa0/0xa8
 devm_hwmon_device_register_with_info+0x74/0xb4
 lm90_probe+0x414/0x578
 i2c_device_probe+0x35c/0x384
 really_probe+0x290/0x3e4
 driver_probe_device+0x80/0x1c4
 __device_attach_driver+0x104/0x11c
 bus_for_each_drv+0xa4/0xc8
 __device_attach+0xf0/0x15c
 device_initial_probe+0x1c/0x20
 bus_probe_device+0xdc/0xec
 deferred_probe_work_func+0xa8/0xd4
 process_one_work+0x3dc/0x96c
 worker_thread+0x4ec/0x8bc
 kthread+0x230/0x240
 ret_from_fork+0x14/0x38
   (null)

Freed by task 132:
 __kasan_slab_free+0x12c/0x200
 kasan_slab_free+0x14/0x18
 kfree+0x90/0x294
 hwmon_dev_release+0x1c/0x20
 device_release+0x4c/0xe8
 kobject_put+0xac/0x11c
 device_unregister+0x2c/0x30
 __hwmon_device_register+0xa58/0xa7c
 hwmon_device_register_with_info+0xa0/0xa8
 devm_hwmon_device_register_with_info+0x74/0xb4
 lm90_probe+0x414/0x578
 i2c_device_probe+0x35c/0x384
 really_probe+0x290/0x3e4
 driver_probe_device+0x80/0x1c4
 __device_attach_driver+0x104/0x11c
 bus_for_each_drv+0xa4/0xc8
 __device_attach+0xf0/0x15c
 device_initial_probe+0x1c/0x20
 bus_probe_device+0xdc/0xec
 deferred_probe_work_func+0xa8/0xd4
 process_one_work+0x3dc/0x96c
 worker_thread+0x4ec/0x8bc
 kthread+0x230/0x240
 ret_from_fork+0x14/0x38
   (null)

Cc: <stable@vger.kernel.org> # v4.15+
Fixes: 47c332deb8 ("hwmon: Deal with errors from the thermal subsystem")
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-11-21 09:19:19 +01:00
accessibility
acpi acpi, nfit: Fix ARS overflow continuation 2018-11-21 09:19:17 +01:00
amba
android android: binder: fix the race mmap and alloc_new_buf_locked 2018-09-12 09:18:29 +02:00
ata libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9 2018-11-13 11:08:30 -08:00
atm
auxdisplay
base Char/Misc fixes for 4.19-rc7 2018-10-07 08:15:57 +02:00
bcma
block zram: close udev startup race condition as default groups 2018-11-21 09:19:15 +01:00
bluetooth Bluetooth: hci_qca: Remove hdev dereference in qca_close(). 2018-11-13 11:08:25 -08:00
bus
cdrom cdrom: fix improper type cast, which can lead to information leak. 2018-11-21 09:19:12 +01:00
char tpm: fix response size validation in tpm_get_random() 2018-11-13 11:08:48 -08:00
clk reset: hisilicon: fix potential NULL pointer dereference 2018-11-21 09:19:17 +01:00
clocksource clocksource/drivers/timer-atmel-pit: Properly handle error cases 2018-09-27 12:01:45 +02:00
connector
cpufreq cpufreq: dt: Try freeing static OPPs only if we have added them 2018-11-13 11:08:24 -08:00
cpuidle
crypto crypto: hisilicon - Fix reference after free of memories on error path 2018-11-21 09:19:17 +01:00
dax device-dax: Add missing address_space_operations 2018-09-22 09:07:33 -07:00
dca
devfreq
dio
dma dmaengine: ppc4xx: fix off-by-one build failure 2018-11-13 11:08:41 -08:00
dma-buf
edac EDAC, skx_edac: Fix logical channel intermediate decoding 2018-11-13 11:08:44 -08:00
eisa
extcon
firewire
firmware firmware: coreboot: Unmap ioregion after device population 2018-11-13 11:08:37 -08:00
fmc
fpga fpga: bridge: fix obvious function documentation error 2018-09-30 08:49:55 -07:00
fsi
gnss
gpio gpio: brcmstb: allow 0 width GPIO banks 2018-11-13 11:08:30 -08:00
gpu drm/msm: fix OF child-node lookup 2018-11-21 09:19:15 +01:00
hid HID: hiddev: fix potential Spectre v1 2018-11-13 11:08:44 -08:00
hsi
hv Drivers: hv: vmbus: Use cpumask_var_t for on-stack cpu mask 2018-11-13 11:08:34 -08:00
hwmon hwmon: (core) Fix double-free in __hwmon_device_register() 2018-11-21 09:19:19 +01:00
hwspinlock
hwtracing coresight: etb10: Fix handling of perf mode 2018-11-13 11:08:36 -08:00
i2c i2c: rcar: cleanup DMA for all kinds of failure 2018-10-20 15:25:59 +02:00
ide
idle
iio iio: adc: at91: fix wrong channel number in triggered buffer mode 2018-11-13 11:08:47 -08:00
infiniband IB/mlx5: Fix MR cache initialization 2018-11-13 11:08:43 -08:00
input Input: wm97xx-ts - fix exit path 2018-11-21 09:19:08 +01:00
iommu iommu/arm-smmu: Ensure that page-table updates are visible before TLBI 2018-11-13 11:08:51 -08:00
ipack
irqchip irqchip/pdc: Setup all edge interrupts as rising edge at GIC 2018-11-13 11:08:34 -08:00
isdn
leds
lightnvm lightnvm: pblk: fix race condition on metadata I/O 2018-11-13 11:08:21 -08:00
macintosh
mailbox mailbox: PCC: handle parse error 2018-11-13 11:08:18 -08:00
mcb
md MD: fix invalid stored role for a disk - try2 2018-11-13 11:09:00 -08:00
media media: ov5640: fix restore of last mode set 2018-11-21 09:19:12 +01:00
memory memory: ti-aemif: fix a potential NULL-pointer dereference 2018-09-06 10:04:07 -07:00
memstick
message
mfd mfd: menelaus: Fix possible race condition and leak 2018-11-13 11:08:38 -08:00
misc ocxl: Fix access to the AFU Descriptor Data 2018-11-13 11:08:51 -08:00
mmc sdhci: acpi: add free_slot callback 2018-11-13 11:08:23 -08:00
mtd mtd: docg3: don't set conflicting BCH_CONST_PARAMS option 2018-11-21 09:19:19 +01:00
mux mux: adgs1408: use the correct MODULE_LICENSE 2018-10-12 17:36:39 +02:00
net bonding/802.3ad: fix link_failure_count tracking 2018-11-21 09:19:18 +01:00
nfc NFC: nfcmrvl_uart: fix OF child-node lookup 2018-11-13 11:08:48 -08:00
ntb
nubus
nvdimm libnvdimm, pmem: Fix badblocks population for 'raw' namespaces 2018-11-13 11:08:42 -08:00
nvme nvme: call nvme_complete_rq when nvmf_check_ready fails for mpath I/O 2018-11-13 11:08:24 -08:00
nvmem nvmem: check the return value of nvmem_add_cells() 2018-11-13 11:08:35 -08:00
of of: Add missing exports of node name compare functions 2018-11-13 11:08:32 -08:00
opp OPP: Free OPP table properly on performance state irregularities 2018-11-13 11:08:39 -08:00
oprofile
parisc
parport
pci PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk 2018-11-13 11:08:45 -08:00
pcmcia pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges 2018-11-13 11:08:17 -08:00
perf arm64: perf: Reject stand-alone CHAIN events for PMUv3 2018-10-12 15:25:17 +01:00
phy
pinctrl pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant 2018-11-13 11:08:29 -08:00
platform mfd: cros-ec: copy the whole event in get_next_event_xfer 2018-10-09 20:57:30 -07:00
pnp
power power: supply: twl4030-charger: fix OF sibling-node lookup 2018-11-13 11:08:51 -08:00
powercap
pps
ps3
ptp ptp: fix Spectre v1 vulnerability 2018-10-17 22:00:22 -07:00
pwm
rapidio
ras
regulator regulator: fix crash caused by null driver data 2018-09-20 09:04:51 -07:00
remoteproc remoteproc: qcom: q6v5: Propagate EPROBE_DEFER 2018-11-13 11:08:52 -08:00
reset
rpmsg rpmsg: smd: fix memory leak on channel create 2018-11-13 11:08:55 -08:00
rtc rtc: cmos: Remove the `use_acpi_alarm' module parameter for !ACPI 2018-11-13 11:08:51 -08:00
s390 s390 fixes for 4.19-rc8 2018-10-10 08:44:35 +02:00
sbus oradax: remove redundant null check before kfree 2018-10-07 22:42:00 -07:00
scsi SCSI: fix queue cleanup race before queue initialization is done 2018-11-21 09:19:18 +01:00
sfi
sh
siox
slimbus
sn
soc soc: ti: QMSS: Fix usage of irq_set_affinity_hint 2018-11-21 09:19:18 +01:00
soundwire
spi spi: gpio: No MISO does not imply no RX 2018-11-13 11:08:28 -08:00
spmi
ssb
staging staging: most: video: fix registration of an empty comp core_component 2018-11-21 09:19:11 +01:00
target scsi: target: Fix target_wait_for_sess_cmds breakage with active signals 2018-11-13 11:08:42 -08:00
tc TC: Set DMA masks for devices 2018-11-13 11:08:51 -08:00
tee
thermal thermal: core: Fix use-after-free in thermal_cooling_device_destroy_sysfs 2018-11-21 09:19:17 +01:00
thunderbolt thunderbolt: Initialize after IOMMUs 2018-10-02 10:51:16 -07:00
tty serial: sh-sci: Fix could not remove dev_attr_rx_fifo_timeout 2018-11-21 09:19:13 +01:00
uio uio: ensure class is registered before devices 2018-11-13 11:08:37 -08:00
usb usb: gadget: udc: renesas_usb3: Fix b-device mode for "workaround" 2018-11-13 11:08:41 -08:00
uwb
vfio
vhost vhost/scsi: truncate T10 PI iov_iter to prot_bytes 2018-11-21 09:19:17 +01:00
video mach64: fix image corruption due to reading accelerator registers 2018-11-21 09:19:17 +01:00
virt
virtio
visorbus
vlynq
vme
w1 w1: omap-hdq: fix missing bus unregister at removal 2018-11-13 11:08:48 -08:00
watchdog
xen xen: remove size limit of privcmd-buf mapping interface 2018-11-13 11:08:52 -08:00
zorro
Kconfig
Makefile