android_kernel_xiaomi_sm8450/drivers
YueHaibing 56cd26b618 media: serial_ir: Fix use-after-free in serial_ir_init_module
Syzkaller reports this:

BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
Read of size 8 at addr ffff8881dc7ae030 by task syz-executor.0/6249

CPU: 1 PID: 6249 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 ? 0xffffffffc1728000
 sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
 sysfs_remove_file include/linux/sysfs.h:519 [inline]
 driver_remove_file+0x40/0x50 drivers/base/driver.c:122
 remove_bind_files drivers/base/bus.c:585 [inline]
 bus_remove_driver+0x186/0x220 drivers/base/bus.c:725
 driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
 serial_ir_init_module+0x169/0x1000 [serial_ir]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9450132c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00007f9450132c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94501336bc
R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004

Allocated by task 6249:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
 driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
 serial_ir_init_module+0xe8/0x1000 [serial_ir]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6249:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1430 [inline]
 slab_free_freelist_hook mm/slub.c:1457 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xe1/0x270 mm/slub.c:3957
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
 driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
 serial_ir_init_module+0x14c/0x1000 [serial_ir]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881dc7ae000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
 256-byte region [ffff8881dc7ae000, ffff8881dc7ae100)
The buggy address belongs to the page:
page:ffffea000771eb80 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea0007d14800 0000000400000002 ffff8881f6c02e00
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881dc7adf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881dc7adf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881dc7ae000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8881dc7ae080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881dc7ae100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00

There is already cleanup handling in the serial_ir_init error path,
so there is no need to call serial_ir_exit to do it again in serial_ir_init_module;
otherwise it will trigger a use-after-free issue.

Fixes: fa5dc29c1f ("[media] lirc_serial: move out of staging and rename to serial_ir")

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-03-19 16:46:20 -04:00
accessibility
acpi device-dax for 5.1 2019-03-16 13:05:32 -07:00
amba ARM: 8836/1: drivers: amba: Update component matching to use the CoreSight UCI values. 2019-02-26 11:23:49 +00:00
android
ata SCSI misc on 20190306 2019-03-09 16:53:47 -08:00
atm
auxdisplay
base device-dax for 5.1 2019-03-16 13:05:32 -07:00
bcma
block for-5.1/block-post-20190315 2019-03-16 12:36:39 -07:00
bluetooth Bluetooth: mediatek: add support for MediaTek MT7663U and MT7668U UART devices 2019-03-02 19:51:23 +01:00
bus ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
cdrom
char Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-03-10 17:37:29 -07:00
clk We have a fairly balanced mix of clk driver updates and clk framework 2019-03-14 08:46:17 -07:00
clocksource ARM: some cleanups, direct physical timer assignment, cache sanitization 2019-03-15 15:00:28 -07:00
connector connector: fix unsafe usage of ->real_parent 2019-03-08 15:06:38 -08:00
cpufreq cpufreq: intel_pstate: Fix up iowait_boost computation 2019-03-12 09:47:30 +01:00
cpuidle cpuidle: governor: Add new governors to cpuidle_governors again 2019-03-12 23:46:55 +01:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-03-13 09:51:17 -07:00
dax device-dax for 5.1 2019-03-16 13:05:32 -07:00
dca
devfreq
dio
dma dmaengine updates for v5.1-rc1 2019-03-14 09:11:54 -07:00
dma-buf
edac Merge branch 'ras-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-08 09:11:39 -08:00
eisa
extcon
firewire
firmware memblock: drop memblock_alloc_*_nopanic() variants 2019-03-12 10:04:02 -07:00
fmc
fpga
fsi
gnss
gpio pci-v5.1-changes 2019-03-09 14:57:08 -08:00
gpu drm i915, amdgpu, qxl and etnaviv fixes 2019-03-15 13:58:35 -07:00
hid Merge branch 'for-5.1/wacom' into for-linus 2019-03-05 15:43:05 +01:00
hsi
hv Char/Misc driver patches for 5.1-rc1 2019-03-06 14:18:59 -08:00
hwmon hwmon: (ad7418) Add device tree probing 2019-02-25 09:06:00 -08:00
hwspinlock
hwtracing ARM updates for 5.1-rc1 2019-03-15 14:37:46 -07:00
i2c i2c: i2c-designware-platdrv: Always use a dynamic adapter number 2019-03-13 18:07:10 +01:00
i3c - Add a /* fall-through */ comment in the dw-i3c-master driver 2019-03-04 19:05:02 -08:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2019-03-11 09:34:00 -07:00
idle
iio - New Drivers 2019-03-08 10:02:58 -08:00
infiniband XArray updates for 5.1-rc1 2019-03-11 20:06:18 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2019-03-11 10:57:11 -07:00
interconnect
iommu IOMMU Fix for Linux v5.1-rc1 2019-03-15 14:41:30 -07:00
ipack
irqchip arm64 updates for 5.1: 2019-03-10 10:17:23 -07:00
isdn isdn: hfcpci: fix potential NULL pointer dereference 2019-03-12 14:36:02 -07:00
leds platform-drivers-x86 for v5.1-1 2019-03-10 13:16:37 -07:00
lightnvm pblk: fix max_io calculation 2019-03-07 08:59:26 -07:00
macintosh treewide: add checks for the return value of memblock_alloc*() 2019-03-12 10:04:02 -07:00
mailbox mailbox: imx: keep MU irq working during suspend/resume 2019-03-11 02:51:43 -05:00
mcb
md for-5.1/block-post-20190315 2019-03-16 12:36:39 -07:00
media media: serial_ir: Fix use-after-free in serial_ir_init_module 2019-03-19 16:46:20 -04:00
memory
memstick
message
mfd DMA mapping updates for 5.1 2019-03-10 11:54:48 -07:00
misc 5.1 Merge Window Pull Request 2019-03-09 15:53:03 -08:00
mmc for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
mtd This pull request contains updates for both UBI and UBIFS: 2019-03-13 09:34:35 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-03-14 09:28:12 -07:00
nfc
ntb Fixes for switchtec debugability and mapping table entries, NTB 2019-03-15 14:32:59 -07:00
nubus
nvdimm device-dax for 5.1 2019-03-16 13:05:32 -07:00
nvme for-5.1/block-post-20190315 2019-03-16 12:36:39 -07:00
nvmem Char/Misc driver patches for 5.1-rc1 2019-03-06 14:18:59 -08:00
of of: fix kmemleak crash caused by imbalance in early memory reservation 2019-03-12 10:04:02 -07:00
opp PM / OPP: Update performance state when freq == old_freq 2019-03-12 09:45:56 +01:00
oprofile
parisc DMA mapping updates for 5.1 2019-03-10 11:54:48 -07:00
parport
pci IOMMU Updates for Linux v5.1 2019-03-10 12:29:52 -07:00
pcmcia
perf arm64 updates for 5.1: 2019-03-10 10:17:23 -07:00
phy drm next pull request for 5.1 2019-03-08 08:23:15 -08:00
pinctrl This is the bulk of pin control changes for the v5.1 kernel cycle. 2019-03-11 11:12:50 -07:00
platform chrome platform changes for v5.1 2019-03-12 09:46:32 -07:00
pnp ACPI/ACPICA: Trivial: fix spelling mistakes and fix whitespace formatting 2019-02-24 21:12:01 +01:00
power
powercap
pps
ps3
ptp Merge branch 'timers-2038-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-05 14:08:26 -08:00
pwm pwm: atmel: Remove useless symbolic definitions 2019-03-04 12:52:49 +01:00
rapidio rapidio/mport_cdev: mark expected switch fall-through 2019-03-07 18:32:02 -08:00
ras
regulator regulator: mc13xxx: Constify regulator_ops variables 2019-03-04 00:01:08 +00:00
remoteproc remoteproc updates for v5.1 2019-03-14 09:00:06 -07:00
reset
rpmsg
rtc chrome platform changes for v5.1 2019-03-12 09:46:32 -07:00
s390 ARM: some cleanups, direct physical timer assignment, cache sanitization 2019-03-15 15:00:28 -07:00
sbus
scsi SCSI misc on 20190315 2019-03-16 12:51:50 -07:00
sfi
sh
siox
slimbus
sn
soc ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
soundwire
spi pci-v5.1-changes 2019-03-09 14:57:08 -08:00
spmi
ssb
staging media: staging: davinci: drop pointless static qualifier in vpfe_resizer_init() 2019-03-19 16:37:59 -04:00
target SCSI misc on 20190315 2019-03-16 12:51:50 -07:00
tc
tee ARM: SoC driver updates for 5.1 2019-03-06 09:41:12 -08:00
thermal Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal 2019-03-08 09:52:41 -08:00
thunderbolt
tty dmaengine updates for v5.1-rc1 2019-03-14 09:11:54 -07:00
uio
usb memblock: drop memblock_alloc_*_nopanic() variants 2019-03-12 10:04:02 -07:00
uwb
vfio powerpc updates for 5.1 2019-03-07 12:56:26 -08:00
vhost virtio: fixes, cleanups 2019-03-10 12:47:57 -07:00
video fbdev changes for v5.1: 2019-03-15 14:22:59 -07:00
virt virt: vbox: Mark expected switch fall-through 2019-02-27 16:00:20 +01:00
virtio virtio: hint if callbacks surprisingly might sleep 2019-03-06 11:19:57 -05:00
visorbus
vlynq
vme
w1
watchdog linux-watchdog 5.1-rc1 tag 2019-03-11 11:22:15 -07:00
xen xen/balloon: Fix mapping PG_offline pages to user space 2019-03-15 15:35:35 +01:00
zorro
Kconfig
Makefile IOMMU Updates for Linux v5.1 2019-03-10 12:29:52 -07:00