leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
56a0b978d4
linux/drivers
History
John Garry 56a0b978d4 ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() 
When enabling KASAN and DEBUG_TEST_DRIVER_REMOVE, I find this KASAN
warning:

[   20.872057] BUG: KASAN: use-after-free in pcc_data_alloc+0x40/0xb8
[   20.878226] Read of size 4 at addr ffff00236cdeb684 by task swapper/0/1
[   20.884826]
[   20.886309] CPU: 19 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00009-ge7f7df3db5bf-dirty #289
[   20.894994] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
[   20.903505] Call trace:
[   20.905942]  dump_backtrace+0x0/0x200
[   20.909593]  show_stack+0x14/0x20
[   20.912899]  dump_stack+0xd4/0x130
[   20.916291]  print_address_description.isra.9+0x6c/0x3b8
[   20.921592]  __kasan_report+0x12c/0x23c
[   20.925417]  kasan_report+0xc/0x18
[   20.928808]  __asan_load4+0x94/0xb8
[   20.932286]  pcc_data_alloc+0x40/0xb8
[   20.935938]  acpi_cppc_processor_probe+0x4e8/0xb08
[   20.940717]  __acpi_processor_start+0x48/0xb0
[   20.945062]  acpi_processor_start+0x40/0x60
[   20.949235]  really_probe+0x118/0x548
[   20.952887]  driver_probe_device+0x7c/0x148
[   20.957059]  device_driver_attach+0x94/0xa0
[   20.961231]  __driver_attach+0xa4/0x110
[   20.965055]  bus_for_each_dev+0xe8/0x158
[   20.968966]  driver_attach+0x30/0x40
[   20.972531]  bus_add_driver+0x234/0x2f0
[   20.976356]  driver_register+0xbc/0x1d0
[   20.980182]  acpi_processor_driver_init+0x40/0xe4
[   20.984875]  do_one_initcall+0xb4/0x254
[   20.988700]  kernel_init_freeable+0x24c/0x2f8
[   20.993047]  kernel_init+0x10/0x118
[   20.996524]  ret_from_fork+0x10/0x18
[   21.000087]
[   21.001567] Allocated by task 1:
[   21.004785]  save_stack+0x28/0xc8
[   21.008089]  __kasan_kmalloc.isra.9+0xbc/0xd8
[   21.012435]  kasan_kmalloc+0xc/0x18
[   21.015913]  pcc_data_alloc+0x94/0xb8
[   21.019564]  acpi_cppc_processor_probe+0x4e8/0xb08
[   21.024343]  __acpi_processor_start+0x48/0xb0
[   21.028689]  acpi_processor_start+0x40/0x60
[   21.032860]  really_probe+0x118/0x548
[   21.036512]  driver_probe_device+0x7c/0x148
[   21.040684]  device_driver_attach+0x94/0xa0
[   21.044855]  __driver_attach+0xa4/0x110
[   21.048680]  bus_for_each_dev+0xe8/0x158
[   21.052591]  driver_attach+0x30/0x40
[   21.056155]  bus_add_driver+0x234/0x2f0
[   21.059980]  driver_register+0xbc/0x1d0
[   21.063805]  acpi_processor_driver_init+0x40/0xe4
[   21.068497]  do_one_initcall+0xb4/0x254
[   21.072322]  kernel_init_freeable+0x24c/0x2f8
[   21.076667]  kernel_init+0x10/0x118
[   21.080144]  ret_from_fork+0x10/0x18
[   21.083707]
[   21.085186] Freed by task 1:
[   21.088056]  save_stack+0x28/0xc8
[   21.091360]  __kasan_slab_free+0x118/0x180
[   21.095445]  kasan_slab_free+0x10/0x18
[   21.099183]  kfree+0x80/0x268
[   21.102139]  acpi_cppc_processor_exit+0x1a8/0x1b8
[   21.106832]  acpi_processor_stop+0x70/0x80
[   21.110917]  really_probe+0x174/0x548
[   21.114568]  driver_probe_device+0x7c/0x148
[   21.118740]  device_driver_attach+0x94/0xa0
[   21.122912]  __driver_attach+0xa4/0x110
[   21.126736]  bus_for_each_dev+0xe8/0x158
[   21.130648]  driver_attach+0x30/0x40
[   21.134212]  bus_add_driver+0x234/0x2f0
[   21.0x10/0x18
[   21.161764]
[   21.163244] The buggy address belongs to the object at ffff00236cdeb600
[   21.163244]  which belongs to the cache kmalloc-256 of size 256
[   21.175750] The buggy address is located 132 bytes inside of
[   21.175750]  256-byte region [ffff00236cdeb600, ffff00236cdeb700)
[   21.187473] The buggy address belongs to the page:
[   21.192254] page:fffffe008d937a00 refcount:1 mapcount:0 mapping:ffff002370c0fa00 index:0x0 compound_mapcount: 0
[   21.202331] flags: 0x1ffff00000010200(slab|head)
[   21.206940] raw: 1ffff00000010200 dead000000000100 dead000000000122 ffff002370c0fa00
[   21.214671] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[   21.222400] page dumped because: kasan: bad access detected
[   21.227959]
[   21.229438] Memory state around the buggy address:
[   21.234218]  ffff00236cdeb580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.241427]  ffff00236cdeb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.248637] >ffff00236cdeb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.255845]                    ^
[   21.259062]  ffff00236cdeb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.266272]  ffff00236cdeb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.273480] ==================================================================

It seems that global pcc_data[pcc_ss_id] can be freed in
acpi_cppc_processor_exit(), but we may later reference this value, so
NULLify it when freed.

Also remove the useless setting of data "pcc_channel_acquired", which
we're about to free.

Fixes: 85b1407bf6 ("ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs")
Signed-off-by: John Garry <john.garry@huawei.com>
Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2019-10-18 10:36:37 +02:00
..
accessibility
acpi ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() 2019-10-18 10:36:37 +02:00
amba ARM updates for 5.4-rc1: 2019-09-22 09:39:09 -07:00
android binder: Fix comment headers on binder_alloc_prepare_to_free() 2019-10-10 14:39:23 +02:00
ata Revert "libata, freezer: avoid block device removal while system is frozen" 2019-10-06 09:11:37 -06:00
atm atm: he: clean up an indentation issue 2019-09-25 13:54:45 +02:00
auxdisplay It's a somewhat calmer cycle for docs this time, as the churn of the mass 2019-09-17 16:22:26 -07:00
base driver core: platform: Add platform_get_irq_byname_optional() 2019-10-07 12:52:44 +02:00
bcma bcma: make arrays pwr_info_offset and sprom_sizes static const, shrinks object size 2019-09-13 16:44:49 +03:00
block for-linus-20191010 2019-10-11 08:45:32 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-09-15 14:17:27 +02:00
bus ARM: SoC fixes 2019-09-30 10:04:28 -07:00
cdrom
char char/random: Add a newline at the end of the file 2019-10-02 13:49:43 -07:00
clk Fixes for omaps for v5.4-rc cycle 2019-10-03 09:15:19 -07:00
clocksource timer-of: don't use conditional expression with mixed 'void' types 2019-10-02 16:16:07 -07:00
connector
counter
cpufreq Power management updates for 5.4-rc1 2019-09-17 19:15:14 -07:00
cpuidle Power management updates for 5.4-rc1 2019-09-17 19:15:14 -07:00
crypto Merge branch 'akpm' (patches from Andrew) 2019-09-24 16:10:23 -07:00
dax
dca
devfreq
dio
dma Main MIPS changes for v5.4: 2019-09-22 09:30:30 -07:00
dma-buf
edac ARM updates for 5.4-rc1: 2019-09-22 09:39:09 -07:00
eisa
extcon chrome platform changes for v5.4 2019-09-19 14:14:28 -07:00
firewire
firmware Char/Misc driver fixes for 5.4-rc3. 2019-10-12 15:47:19 -07:00
fpga Char/Misc driver patches for 5.4-rc1 2019-09-18 11:14:31 -07:00
fsi
gnss
gpio gpio: max77620: Use correct unit for debounce times 2019-10-04 23:58:10 +02:00
gpu xen: fixes for 5.4-rc3 2019-10-12 14:11:21 -07:00
greybus
hid HID: hyperv: Use in-place iterator API in the channel callback 2019-10-01 14:49:41 -04:00
hsi HSI changes for the 5.4 series 2019-09-22 12:02:21 -07:00
hv Drivers: hv: vmbus: Fix harmless building warnings without CONFIG_PM_SLEEP 2019-10-01 14:49:45 -04:00
hwmon hwmon: (nct7904) Add array fan_alarm and vsen_alarm to store the alarms in nct7904_data struct. 2019-10-02 06:42:48 -07:00
hwspinlock
hwtracing Char/Misc driver patches for 5.4-rc1 2019-09-18 11:14:31 -07:00
i2c i2c: slave-eeprom: Add read only mode 2019-09-28 20:44:12 +02:00
i3c
ide
idle
iio First set of IIO fixes for the 5.4 cycle. 2019-10-10 11:18:37 +02:00
infiniband RDMA/mlx5: Add missing synchronize_srcu() for MW cases 2019-10-04 15:54:22 -03:00
input chrome platform changes for v5.4 2019-09-19 14:14:28 -07:00
interconnect
iommu IOMMU Fixes for Linux v5.4-rc1 2019-09-29 10:00:14 -07:00
ipack
irqchip Main MIPS changes for v5.4: 2019-09-22 09:30:30 -07:00
isdn mISDN: enforce CAP_NET_RAW for raw sockets 2019-09-24 16:37:18 +02:00
leds leds: lm3532: Fix optional led-max-microamp prop error handling 2019-09-12 20:45:52 +02:00
lightnvm lightnvm: print error when target is not found 2019-09-05 13:17:01 -06:00
macintosh
mailbox mailbox: qcom-apcs: fix max_register value 2019-09-17 00:54:29 -05:00
mcb
md for-5.4/post-2019-09-24 2019-09-24 16:31:50 -07:00
media media: stkwebcam: fix runtime PM after driver unbind 2019-10-04 14:38:46 +02:00
memory
memstick ms_block: fix spelling mistake "randomally" -> "randomly" 2019-09-11 16:11:01 +02:00
message
mfd Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal 2019-09-29 10:24:23 -07:00
misc misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach 2019-10-04 18:22:14 +02:00
mmc mmc: host: sdhci-pci: Add Genesys Logic GL975x support 2019-09-27 20:48:20 +02:00
mtd mtd: rawnand: au1550nd: Fix au_read_buf16() prototype 2019-10-07 09:56:36 +02:00
mux
net RDMA subsystem updates for 5.4-rc 2019-10-09 09:46:46 -07:00
nfc NFC: st95hf: clean up indentation issue 2019-09-27 20:31:18 +02:00
ntb NTB: fix IDT Kconfig typos/spellos 2019-09-23 17:20:40 -04:00
nubus
nvdimm libnvdimm fixes v5.4-rc1 2019-09-29 10:33:41 -07:00
nvme Merge branch 'nvme-5.4' of git://git.infradead.org/nvme into for-linus 2019-09-27 13:17:37 -06:00
nvmem Char/Misc driver patches for 5.4-rc1 2019-09-18 11:14:31 -07:00
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-09-28 17:47:33 -07:00
opp
oprofile
parisc dma-mapping updates for 5.4: 2019-09-19 13:27:23 -07:00
parport Char/Misc driver patches for 5.4-rc1 2019-09-18 11:14:31 -07:00
pci Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-09-28 08:14:15 -07:00
pcmcia Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-09-28 08:14:15 -07:00
perf
phy pci-v5.4-changes 2019-09-23 19:16:01 -07:00
pinctrl This is the bulk of pin control changes for the v5.4 kernel 2019-09-19 14:19:33 -07:00
platform platform-drivers-x86 for v5.4-2 2019-09-24 12:39:40 -07:00
pnp
power power supply and reset changes for the v5.4 series 2019-09-22 12:04:59 -07:00
powercap Power management updates for 5.4-rc1 2019-09-17 19:15:14 -07:00
pps
ps3
ptp ptp_qoriq: Initialize the registers' spinlock before calling ptp_qoriq_settime 2019-10-02 12:20:38 -04:00
pwm pwm: Changes for v5.4-rc1 2019-09-27 12:19:47 -07:00
rapidio
ras
regulator LED updates for 5.4-rc1 2019-09-17 18:40:42 -07:00
remoteproc remoteproc updates for v5.4 2019-09-22 10:55:08 -07:00
reset ARM: SoC fixes 2019-09-30 10:04:28 -07:00
rpmsg rpmsg: glink-smem: Name the edge based on parent remoteproc 2019-09-17 15:33:31 -07:00
rtc RTC for 5.4 2019-09-22 11:05:43 -07:00
s390 s390/cio: fix virtio-ccw DMA without PV 2019-10-10 10:49:46 +02:00
sbus
scsi SCSI fixes on 20191004 2019-10-05 12:53:27 -07:00
sfi
sh
siox
slimbus
soc ARM: SoC driver updates for v5.4 2019-09-16 15:52:38 -07:00
soundwire soundwire updates for v5.4-rc1 2019-09-22 10:52:23 -07:00
spi LED updates for 5.4-rc1 2019-09-17 18:40:42 -07:00
spmi
ssb ssb: make array pwr_info_offset static const, makes object smaller 2019-09-13 17:23:18 +03:00
staging Staging/IIO driver fixes for 5.4-rc3 2019-10-12 15:44:46 -07:00
target mm: introduce page_size() 2019-09-24 15:54:08 -07:00
tc
tee tee/shm: untag user pointers in tee_shm_register 2019-09-25 17:51:41 -07:00
thermal Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal 2019-09-29 10:24:23 -07:00
thunderbolt
tty tty: serial: imx: Use platform_get_irq_optional() for optional IRQs 2019-10-10 13:12:28 +02:00
uio Char/Misc driver patches for 5.4-rc1 2019-09-18 11:14:31 -07:00
usb USB: yurex: fix NULL-derefs on disconnect 2019-10-10 14:24:06 +02:00
vfio vfio/type1: untag user pointers in vaddr_get_pfn 2019-09-25 17:51:41 -07:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-09-15 14:17:27 +02:00
video video/logo: do not generate unneeded logo C files 2019-10-05 15:29:49 +09:00
virt virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr 2019-10-10 14:50:32 +02:00
virtio virtio_ring: fix unmap of indirect descriptors 2019-09-09 10:43:15 -04:00
visorbus
vlynq
vme
w1 w1: ds250x: Fix build error without CRC16 2019-10-10 15:35:41 +02:00
watchdog linux-watchdog 5.4-rc1 tag 2019-09-27 11:17:38 -07:00
xen xen: fixes for 5.4-rc3 2019-10-12 14:11:21 -07:00
zorro
Kconfig Staging/IIO driver patches for 5.4-rc1 2019-09-18 11:05:34 -07:00
Makefile Staging/IIO driver patches for 5.4-rc1 2019-09-18 11:05:34 -07:00