leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b1cb7372fa
linux/drivers
History
Mauro Carvalho Chehab b1cb7372fa dvb_frontend: don't use-after-free the frontend struct 
dvb_frontend_invoke_release() may free the frontend struct.
So, the free logic can't update it anymore after calling it.

That's OK, as __dvb_frontend_free() is called only when the
krefs are zeroed, so nobody is using it anymore.

That should fix the following KASAN error:

The KASAN report looks like this (running on kernel 3e0cc09a3a (4.14-rc5+)):
==================================================================
BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120
Write of size 8 at addr ffff880067d45a00 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 #545
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x23d/0x350 mm/kasan/report.c:409
 __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
 __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156
 dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
 dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
 dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
 dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
 dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
 dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 drivers/base/core.c:1985
 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 24:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
 kmalloc ./include/linux/slab.h:493
 kzalloc ./include/linux/slab.h:666
 dtt200u_fe_attach+0x4c/0x110 drivers/media/usb/dvb-usb/dtt200u-fe.c:212
 dtt200u_frontend_attach+0x35/0x80 drivers/media/usb/dvb-usb/dtt200u.c:136
 dvb_usb_adapter_frontend_init+0x32b/0x660 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
 dvb_usb_device_init+0xf73/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
 dtt200u_usb_probe+0xa1/0xe0 drivers/media/usb/dvb-usb/dtt200u.c:155
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Freed by task 24:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0xf6/0x2f0 mm/slub.c:3919
 dtt200u_fe_release+0x3c/0x50 drivers/media/usb/dvb-usb/dtt200u-fe.c:202
 dvb_frontend_invoke_release.part.13+0x1c/0x30 drivers/media/dvb-core/dvb_frontend.c:2790
 dvb_frontend_invoke_release drivers/media/dvb-core/dvb_frontend.c:2789
 __dvb_frontend_free+0xad/0x120 drivers/media/dvb-core/dvb_frontend.c:153
 dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
 dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
 dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
 dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
 dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
 dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 drivers/base/core.c:1985
 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the object at ffff880067d45500
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1280 bytes inside of
 2048-byte region [ffff880067d45500, ffff880067d45d00)
The buggy address belongs to the page:
page:ffffea00019f5000 count:1 mapcount:0 mapping:          (null)
index:0x0 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 0000000000000000 0000000000000000 00000001000f000f
raw: dead000000000100 dead000000000200 ffff88006c002d80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880067d45900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880067d45980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880067d45a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff880067d45a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880067d45b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: ead666000a ("media: dvb_frontend: only use kref after initialized")

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Suggested-by: Matthias Schwarzott <zzam@gentoo.org>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-11-07 08:39:39 -05:00
..
accessibility
acpi ACPI: properties: Fix __acpi_node_get_property_reference() return codes 2017-10-11 21:16:37 +02:00
amba
android Char/Misc driver fixes for 4.14-rc5 2017-10-15 07:50:38 -04:00
ata ahci: don't ignore result code of ahci_reset_controller() 2017-10-02 12:21:30 -07:00
atm
auxdisplay auxdisplay: charlcd: properly restore atomic counter on error path 2017-09-18 16:06:00 +02:00
base mm: only display online cpus of the numa node 2017-10-13 16:18:32 -07:00
bcma
block Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2017-10-06 12:13:50 -07:00
bluetooth
bus ARM: SoC driver updates for v4.14 2017-09-10 20:40:00 -07:00
cdrom
char Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2017-09-24 11:34:28 -07:00
clk clk: samsung: exynos4: Enable VPLL and EPLL clocks for suspend/resume cycle 2017-10-04 09:19:13 -07:00
clocksource x86/numachip: Add const and __initconst to numachip2_clockevent 2017-09-25 09:36:15 +02:00
connector
cpufreq cpufreq: dt: Fix sysfs duplicate filename creation for platform-device 2017-09-26 01:10:08 +02:00
cpuidle ARM: cpuidle: Avoid memleak if init fail 2017-09-19 23:10:51 +02:00
crypto crypto: stm32 - Try to fix hash padding 2017-10-07 12:04:31 +08:00
dax - Some request-based DM core and DM multipath fixes and cleanups 2017-09-14 13:43:16 -07:00
dca
devfreq PM / devfreq: Fix memory leak when fail to register device 2017-08-28 10:31:08 +09:00
dio
dma dmaengine: altera: fix spinlock usage 2017-09-28 13:11:46 +05:30
dma-buf sync_file: Return consistent status in SYNC_IOC_FILE_INFO 2017-10-09 13:09:19 -03:00
edac
eisa
extcon
firewire
firmware dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
fmc drivers/fmc: carrier can program FPGA on registration 2017-08-28 16:24:22 +02:00
fpga fpga: altera-cvp: remove DRIVER_ATTR() usage 2017-09-19 09:20:33 +02:00
fsi drivers/fsi/scom: Remove reset before every putscom 2017-08-28 17:15:16 +02:00
gpio gpio: omap: Fix lost edge interrupts 2017-10-07 13:17:07 +02:00
gpu Merge tag 'drm-intel-fixes-2017-10-11' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes 2017-10-14 09:59:20 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2017-10-12 09:08:56 -07:00
hsi
hv Drivers: hv: vmbus: Fix bugs in rescind handling 2017-10-04 11:25:09 +02:00
hwmon hwmon: (xgene) Fix up error handling path mixup in 'xgene_hwmon_probe()' 2017-10-01 08:46:54 -07:00
hwspinlock
hwtracing intel_th: pci: Add Lewisburg PCH support 2017-09-22 10:28:00 +02:00
i2c Merge branch 'i2c/for-current-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2017-10-07 10:07:51 -07:00
ide ide: fix IRQ assignment for PCI bus order probing 2017-10-03 14:03:31 -05:00
idle Power management updates for v4.14-rc1 2017-09-05 12:19:08 -07:00
iio First round of IIO fixes for the 4.14 cycle 2017-09-25 10:58:22 +02:00
infiniband i40iw: Fix port number for query QP 2017-10-04 15:28:49 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2017-09-22 17:23:41 -10:00
iommu iommu/amd: Finish TLB flush in amd_iommu_unmap() 2017-10-13 17:32:19 +02:00
ipack
irqchip irqchip/mips-gic: Use effective affinity to unmask 2017-09-25 21:23:44 +02:00
isdn isdn/i4l: fetch the ppp_write buffer in one shot 2017-09-20 16:01:36 -07:00
leds as3645a: Unregister indicator LED on device unbind 2017-09-23 21:17:43 +02:00
lightnvm
macintosh powerpc/macintosh: constify wf_sensor_ops structures 2017-09-01 16:42:54 +10:00
mailbox Just behavorial changes to a controller driver: 2017-09-07 13:23:37 -07:00
mcb Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
md Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2017-10-06 12:13:50 -07:00
media dvb_frontend: don't use-after-free the frontend struct 2017-11-07 08:39:39 -05:00
memory ARM: SoC driver updates for v4.14 2017-09-10 20:40:00 -07:00
memstick
message scsi: scsi_transport_sas: switch to bsg-lib for SMP passthrough 2017-08-29 21:51:45 -04:00
mfd dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
misc Char/Misc driver fixes for 4.14-rc5 2017-10-15 07:50:38 -04:00
mmc mmc: sdhci-xenon: Fix clock resource by adding an optional bus clock 2017-10-04 10:50:36 +02:00
mtd mtd: nand: atmel: fix buffer overflow in atmel_pmecc_user 2017-09-27 17:33:28 +02:00
mux mux: make device_type const 2017-08-29 13:46:35 +02:00
net cdc_ether: flag the u-blox TOBY-L2 and SARA-U2 as wwan 2017-10-09 16:03:32 -07:00
nfc
ntb
nubus
nvdimm libnvdimm, namespace: fix btt claim class crash 2017-09-18 17:29:01 -07:00
nvme nvme-pci: Use PCI bus address for data/queues in CMB 2017-10-04 11:42:53 +02:00
nvmem nvmem: add missing of_node_put() in of_nvmem_cell_get() 2017-09-18 16:12:26 +02:00
of device property: preserve usecount for node passed to of_fwnode_graph_get_port_parent() 2017-10-12 12:26:14 -05:00
oprofile
parisc
parport Char/Misc drivers for 4.14-rc1 2017-09-05 11:08:17 -07:00
pci PCI: aardvark: Move to struct pci_host_bridge IRQ mapping functions 2017-10-10 21:17:43 -05:00
pcmcia MIPS: Alchemy: Threaded carddetect irqs for devboards 2017-08-29 15:21:53 +02:00
perf drivers/perf: arm_pmu_acpi: Release memory obtained by kasprintf 2017-09-22 15:11:46 +01:00
phy Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2017-09-15 20:43:33 -07:00
pinctrl pinctrl: cherryview: fix issues caused by dynamic gpio irqs mapping 2017-10-08 02:32:59 +02:00
platform platform/x86: fujitsu-laptop: Don't oops when FUJ02E3 is not presnt 2017-09-27 00:04:43 -07:00
pnp dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
power power supply and reset changes for the v4.14 series 2017-09-09 14:44:39 -07:00
powercap
pps drivers/pps: use surrounding "if PPS" to remove numerous dependency checks 2017-09-08 18:26:51 -07:00
ps3
ptp
pwm pwm: Changes for v4.14-rc1 2017-09-11 13:04:32 -07:00
rapidio rapidio: remove global irq spinlocks from the subsystem 2017-10-03 17:54:24 -07:00
ras RAS/CEC: Use the right length for "cec_disable" 2017-10-05 14:23:06 +02:00
regulator - New Drivers 2017-09-07 13:51:13 -07:00
remoteproc remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init() 2017-10-11 10:47:47 -07:00
reset reset: Restrict RESET_HSDK to ARC_SOC_HSDK or COMPILE_TEST 2017-09-21 12:44:01 +02:00
rpmsg rpmsg: glink: Fix memory leak in qcom_glink_alloc_intent() 2017-10-10 11:22:09 -07:00
rtc RTC for 4.14 2017-09-13 10:56:00 -07:00
s390 s390/cio: recover from bad paths 2017-09-19 08:36:19 +02:00
sbus
scsi SCSI fixes on 20171007 2017-10-07 12:34:16 -07:00
sfi
sh
sn
soc Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2017-09-15 20:43:33 -07:00
spi ACPI updates for v4.14-rc1 2017-09-05 12:45:03 -07:00
spmi spmi: pmic-arb: Move the ownership check to irq_chip callback 2017-08-28 13:52:22 +02:00
ssb
staging media: atomisp: make function calls cleaner 2017-11-01 12:25:55 -04:00
target Merge branch 'work.set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-09-14 18:13:32 -07:00
tc
tee
thermal Merge branches 'thermal-core', 'thermal-soc', 'thermal-intel' and 'const-thermal-zone-structure' into next 2017-09-08 11:20:04 +08:00
thunderbolt ACPI updates for v4.14-rc1 2017-09-05 12:45:03 -07:00
tty tty: fall back to N_NULL if switching to N_TTY fails during hangup 2017-10-13 16:18:33 -07:00
uio
usb USB: fixes for v4.14-rc5 2017-10-12 11:17:34 +02:00
uwb uwb: properly check kthread_run return value 2017-09-18 11:28:23 +02:00
vfio vfio: platform: constify amba_id 2017-08-30 14:03:42 -06:00
vhost lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
video fbdev changes for v4.14: 2017-09-14 13:33:33 -07:00
virt virt: Convert to using %pOF instead of full_name 2017-08-29 08:52:51 -05:00
virtio SCSI misc on 20170907 2017-09-07 21:11:05 -07:00
vlynq
vme
w1 power supply and reset changes for the v4.14 series 2017-09-09 14:44:39 -07:00
watchdog Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2017-09-15 20:43:33 -07:00
xen xen: fixes for 4.14-rc3 2017-09-29 12:24:28 -07:00
zorro
Kconfig
Makefile