forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers
History
YueHaibing bdf3da72ae media: cpia2: Fix use-after-free in cpia2_exit 
commit dea37a9726 upstream.

Syzkaller report this:

BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363

CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
 sysfs_remove_file include/linux/sysfs.h:519 [inline]
 driver_remove_file+0x40/0x50 drivers/base/driver.c:122
 usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
 usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
 cpia2_exit+0xa/0x16 [cpia2]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff

Allocated by task 8363:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
 driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
 usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
 0xffffffffc1b4817c
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8363:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1430 [inline]
 slab_free_freelist_hook mm/slub.c:1457 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xe1/0x270 mm/slub.c:3957
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
 driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
 usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
 0xffffffffc1b4817c
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881f59a6b40
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
The buggy address belongs to the page:
page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                             ^
 ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc

cpia2_init does not check return value of cpia2_init, if it failed
in usb_register_driver, there is already cleanup using driver_unregister.
No need call cpia2_usb_cleanup on module exit.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-31 06:46:04 -07:00
..
accessibility
acpi ACPI: PM: Set enable_for_wake for wakeup GPEs during suspend-to-idle 2019-05-22 07:37:41 +02:00
amba
android binder: fix handling of misaligned binder object 2019-05-02 09:58:56 +02:00
ata libata: fix using DMA buffers on stack 2019-05-04 09:20:21 +02:00
atm atm: he: fix sign-extension overflow on large shift 2019-02-27 10:08:57 +01:00
auxdisplay auxdisplay: hd44780: Fix memory leak on ->remove() 2019-04-20 09:15:55 +02:00
base driver core: Postpone DMA tear-down until after devres release for probe failure 2019-05-25 18:23:47 +02:00
bcma
block brd: re-enable __GFP_HIGHMEM in brd_insert_page() 2019-05-25 18:23:24 +02:00
bluetooth Bluetooth: mediatek: fix up an error path to restore bdev->tx_state 2019-05-08 07:21:52 +02:00
bus
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-05 22:33:10 +02:00
char ipmi:ssif: compare block number correctly for multi-part return messages 2019-05-22 07:37:43 +02:00
clk clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0) 2019-05-25 18:23:42 +02:00
clocksource clocksource/drivers/oxnas: Fix OX820 compatible 2019-05-16 19:41:21 +02:00
connector connector: fix unsafe usage of ->real_parent 2019-03-19 13:12:38 +01:00
cpufreq x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
cpuidle cpuidle: big.LITTLE: fix refcount leak 2019-02-12 19:47:08 +01:00
crypto crypto: vmx - CTR: always increment IV as quadword 2019-05-31 06:46:01 -07:00
dax mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned addresses 2019-05-22 07:37:40 +02:00
dca
devfreq
dio
dma dmaengine: sh: rcar-dmac: Fix glitch in dmaengine_tx_status 2019-05-02 09:58:55 +02:00
dma-buf
edac x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
eisa
extcon
firewire
firmware efi: Fix debugobjects warning on 'efi_rts_work' 2019-05-08 07:21:44 +02:00
fmc
fpga fpga: altera-cvp: fix 'bad IO access' on x86_64 2019-02-12 19:46:59 +01:00
fsi fsi: master-ast-cf: select GENERIC_ALLOCATOR 2018-12-17 09:24:35 +01:00
gnss gnss: sirf: fix premature wakeup interrupt enable 2019-03-10 07:17:21 +01:00
gpio gpio: mxc: add check to return defer probe if clock tree NOT ready 2019-05-08 07:21:53 +02:00
gpu drm/sun4i: Unbind components before releasing DRM and memory 2019-05-16 19:41:25 +02:00
hid HID: input: add mapping for "Toggle Display" key 2019-05-16 19:41:19 +02:00
hsi
hv Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup() 2019-05-10 17:54:04 +02:00
hwmon hwmon: (pwm-fan) Disable PWM if fetching cooling data fails 2019-05-16 19:41:18 +02:00
hwspinlock
hwtracing intel_th: msu: Fix single mode with IOMMU 2019-05-25 18:23:26 +02:00
i2c i2c: i2c-stm32f7: Fix SDADEL minimum formula 2019-05-08 07:21:55 +02:00
ide ide: fix a typo in the settings proc file name 2019-01-31 08:14:42 +01:00
idle x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
iio iio: adc: xilinx: prevent touching unclocked h/w on remove 2019-05-16 19:41:19 +02:00
infiniband RDMA/hns: Bugfix for mapping user db 2019-05-16 19:41:25 +02:00
input Input: synaptics-rmi4 - fix possible double free 2019-05-16 19:41:25 +02:00
iommu iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 2019-05-25 18:23:30 +02:00
ipack
irqchip MIPS: perf: ath79: Fix perfcount IRQ assignment 2019-05-16 19:41:24 +02:00
isdn isdn: bas_gigaset: use usb_fill_int_urb() properly 2019-05-16 19:41:31 +02:00
leds leds: trigger: netdev: use memcpy in device_name_store 2019-05-04 09:20:22 +02:00
lightnvm lightnvm: pblk: add lock protection to list operations 2019-02-12 19:47:08 +01:00
macintosh
mailbox mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue 2019-03-23 20:09:49 +01:00
mcb
md md/raid: raid5 preserve the writeback action after the parity check 2019-05-25 18:23:47 +02:00
media media: cpia2: Fix use-after-free in cpia2_exit 2019-05-31 06:46:04 -07:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-05-25 18:23:32 +02:00
memstick memstick: Prevent memstick host from getting runtime suspended during card detection 2019-02-12 19:47:10 +01:00
message
mfd mfd: twl-core: Disable IRQ while suspended 2019-05-08 07:21:48 +02:00
misc lkdtm: Add tests for NULL pointer dereference 2019-04-20 09:16:04 +02:00
mmc mmc: sdhci-iproc: Set NO_HISPD bit to fix HS50 data hold time problem 2019-05-31 06:46:01 -07:00
mtd mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write 2019-05-22 07:37:41 +02:00
mux
net brcmfmac: add subtype check for event handling in data path 2019-05-31 06:46:03 -07:00
nfc spi: ST ST95HF NFC: declare missing of table 2019-05-16 19:41:25 +02:00
ntb
nubus
nvdimm libnvdimm/pmem: Bypass CONFIG_HARDENED_USERCOPY overhead 2019-05-31 06:46:01 -07:00
nvme nvme-fc: correct csn initialization and increments on error 2019-05-10 17:54:09 +02:00
nvmem
of of: overlay: do not duplicate properties from overlay for new nodes 2019-02-06 17:30:16 +01:00
opp OPP: Use opp_table->regulators to verify no regulator case 2019-02-12 19:47:08 +01:00
oprofile
parisc parisc: Skip registering LED when running in QEMU 2019-05-25 18:23:23 +02:00
parport parport_pc: fix find_superio io compare code, should use equal test. 2019-03-23 20:10:05 +01:00
pci PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored 2019-05-25 18:23:43 +02:00
pcmcia
perf perf/aux: Make perf_event accessible to setup_aux() 2019-04-05 22:33:11 +02:00
phy phy: ti-pipe3: fix missing bit-wise or operator when assigning val 2019-05-25 18:23:27 +02:00
pinctrl pinctrl: core: make sure strcmp() doesn't get a null parameter 2019-04-20 09:16:01 +02:00
platform platform/x86: dell-laptop: fix rfkill functionality 2019-05-16 19:41:18 +02:00
pnp
power power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG 2019-05-25 18:23:44 +02:00
powercap x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
pps
ps3
ptp ptp: Fix pass zero to ERR_PTR() in ptp_clock_register 2019-02-12 19:47:01 +01:00
pwm
rapidio
ras
regulator regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting 2019-04-05 22:33:15 +02:00
remoteproc
reset reset: meson-audio-arb: Fix missing .owner setting of reset_controller_dev 2019-05-08 07:21:47 +02:00
rpmsg
rtc rtc: da9063: set uie_unsupported when relevant 2019-05-08 07:21:49 +02:00
s390 s390: ctcm: fix ctcm_new_device error return code 2019-05-16 19:41:24 +02:00
sbus drivers/sbus/char: add of_node_put() 2018-12-21 14:15:17 +01:00
scsi Revert "scsi: sd: Keep disk read-only when re-reading partition" 2019-05-31 06:46:01 -07:00
sfi
sh
siox
slimbus slimbus: ngd: mark PM functions as __maybe_unused 2018-12-19 19:19:49 +01:00
sn
soc soc: sunxi: Fix missing dependency on REGMAP_MMIO 2019-05-10 17:54:10 +02:00
soundwire
spi spi: pxa2xx: Setup maximum supported DMA transfer length 2019-03-23 20:09:57 +01:00
spmi
ssb
staging media: imx: Clear fwnode link struct for each endpoint iteration 2019-05-25 18:23:28 +02:00
target scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock 2019-03-23 20:09:59 +01:00
tc
tee tee: optee: avoid possible double list_del() 2019-02-12 19:47:08 +01:00
thermal x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
thunderbolt thunderbolt: Prevent root port runtime suspend during NVM upgrade 2018-12-17 09:24:36 +01:00
tty tty: Don't force RISCV SBI console as preferred console 2019-05-22 07:37:43 +02:00
uio uio: Fix an Oops on load 2018-11-27 16:13:09 +01:00
usb usb: typec: Fix unchecked return value 2019-05-16 19:41:26 +02:00
uwb
vfio vfio/pci: use correct format characters 2019-05-08 07:21:49 +02:00
vhost vhost: reject zero size iova range 2019-04-27 09:36:31 +02:00
video fbdev: fix WARNING in __alloc_pages_nodemask bug 2019-05-31 06:46:04 -07:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:41:31 +02:00
virtio virtio_pci: fix a NULL pointer reference in vp_del_vqs 2019-05-10 17:54:08 +02:00
visorbus
vlynq
vme
w1 USB: w1 ds2490: Fix bug caused by improper use of altsetting array 2019-05-08 07:21:43 +02:00
watchdog watchdog: mt7621_wdt/rt2880_wdt: Fix compilation problem 2019-02-27 10:08:52 +01:00
xen fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock 2019-05-08 07:21:51 +02:00
zorro
Kconfig
Makefile