korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-17 17:24:17 +08:00
Code Issues Packages Projects Releases Wiki Activity
d46ddc593f
linux/drivers/hid
History
João Paulo Rechi Vita d46ddc593f HID: i2c-hid: Disable IRQ before freeing buffers 
The HID report buffers that are initially allocated on i2c_hid_probe()
might not be big enough to hold the HID reports from a specific device,
in which case they will be freed and new ones will be allocated in
i2c_hid_start(), at point which the device's report size is known. But
at this point ihid->irq is already running, and may call
i2c_hid_get_input() which passes ihid->inbuf to i2c_master_recv(). Since
this handler runs in a separate thread, ihid->inbuf may be freed at this
very moment, and i2c_master_recv() will write on memory which may be
already owned by a different part of the kernel, corrupting its data.

This problem has been observed on an Asus UX360UA laptop which has an
I2C touchpad, and results in a complete system freeze or an unusable
slowness with a lof of "BUG: unable to handle kernel paging request at
<address>" warnings. Enabling SLUB debugging shows a use-after-free
warning on memory allocated in i2c_hid_alloc_buffers() and freed in
i2c_hid_free_buffers():

=============================================================================
BUG kmalloc-64 (Not tainted): Poison overwritten
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: 0xffff880264083273-0xffff88026408329e. first byte 0x0 instead of 0x6b
INFO: Allocated in i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid] age=35793 cpu=2 pid=430
	___slab_alloc+0x41e/0x460
	__slab_alloc+0x20/0x40
	__kmalloc+0x210/0x280
	i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid]
	i2c_hid_probe+0x12f/0x5e0 [i2c_hid]
	i2c_device_probe+0x10a/0x1b0
	driver_probe_device+0x220/0x4a0
	__device_attach_driver+0x71/0xa0
	bus_for_each_drv+0x67/0xb0
	__device_attach+0xdc/0x170
	device_initial_probe+0x13/0x20
	bus_probe_device+0x92/0xa0
	device_add+0x4aa/0x670
	device_register+0x1a/0x20
	i2c_new_device+0x18e/0x230
	acpi_i2c_add_device+0x1a0/0x210
INFO: Freed in i2c_hid_free_buffers+0x16/0x60 [i2c_hid] age=7552 cpu=1 pid=1473
	__slab_free+0x221/0x330
	kfree+0x139/0x160
	i2c_hid_free_buffers+0x16/0x60 [i2c_hid]
	i2c_hid_start+0x2a9/0x2df [i2c_hid]
	mt_probe+0x160/0x22e [hid_multitouch]
	hid_device_probe+0xd7/0x150 [hid]
	driver_probe_device+0x220/0x4a0
	__driver_attach+0x84/0x90
	bus_for_each_dev+0x6c/0xc0
	driver_attach+0x1e/0x20
	bus_add_driver+0x1c3/0x280
	driver_register+0x60/0xe0
	__hid_register_driver+0x53/0x90 [hid]
	0xffffffffc004f01e
	do_one_initcall+0xb3/0x1f0
	do_init_module+0x5f/0x1d0
INFO: Slab 0xffffea0009902080 objects=20 used=20 fp=0x          (null) flags=0x17fff8000004080
INFO: Object 0xffff880264083260 @offset=4704 fp=0x          (null)
Bytes b4 ffff880264083250: 8d e6 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
Object ffff880264083260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffff880264083270: 6b 6b 6b 00 00 00 00 00 00 00 00 00 00 00 00 00  kkk.............
Object ffff880264083280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff880264083290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone ffff8802640832a0: bb bb bb bb bb bb bb bb                          ........
Padding ffff8802640833e0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
CPU: 1 PID: 1503 Comm: python3 Tainted: G    B           4.4.21+ #10
Hardware name: ASUSTeK COMPUTER INC. UX360UA/UX360UA, BIOS UX360UA.200 05/05/2016
 0000000000000086 00000000622d48a2 ffff88026061ba38 ffffffff813f6044
 ffff880264082010 ffff880264083260 ffff88026061ba78 ffffffff811e8eab
 0000000000000008 ffff880200000001 ffff88026408329f ffff88026a007700
Call Trace:
 [<ffffffff813f6044>] dump_stack+0x63/0x8f
 [<ffffffff811e8eab>] print_trailer+0x14b/0x1f0
 [<ffffffff811e94c1>] check_bytes_and_report+0xc1/0x100
 [<ffffffff811e96c4>] check_object+0x1c4/0x240
 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
 [<ffffffff811e9b44>] alloc_debug_processing+0x104/0x180
 [<ffffffff811eb7be>] ___slab_alloc+0x41e/0x460
 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
 [<ffffffff8124590b>] ? __getblk_gfp+0x2b/0x60
 [<ffffffff8129b969>] ? ext4_getblk+0xa9/0x190
 [<ffffffff811eb820>] __slab_alloc+0x20/0x40
 [<ffffffff811ed320>] __kmalloc+0x210/0x280
 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
 [<ffffffff812c1602>] ? ext4fs_dirhash+0xc2/0x2a0
 [<ffffffff81293fde>] ext4_htree_store_dirent+0x3e/0x120
 [<ffffffff812a4f47>] htree_dirblock_to_tree+0x187/0x1b0
 [<ffffffff812a5fd2>] ext4_htree_fill_tree+0xb2/0x2e0
 [<ffffffff811ebb7a>] ? kmem_cache_alloc_trace+0x1fa/0x220
 [<ffffffff81293e45>] ? ext4_readdir+0x775/0x8b0
 [<ffffffff81293cb1>] ext4_readdir+0x5e1/0x8b0
 [<ffffffff81221c82>] iterate_dir+0x92/0x120
 [<ffffffff81222118>] SyS_getdents+0x98/0x110
 [<ffffffff81221d10>] ? iterate_dir+0x120/0x120
 [<ffffffff818157f2>] entry_SYSCALL_64_fastpath+0x16/0x71
FIX kmalloc-64: Restoring 0xffff880264083273-0xffff88026408329e=0x6b
FIX kmalloc-64: Marking all objects used

Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2016-12-12 09:47:01 +01:00
..
i2c-hid HID: i2c-hid: Disable IRQ before freeing buffers 2016-12-12 09:47:01 +01:00
intel-ish-hid HID: intel_ish-hid: Remove duplicated include from bus.c 2016-08-29 09:36:21 +02:00
usbhid Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
hid-a4tech.c HID: trivial devm conversion for special hid drivers 2013-07-31 10:12:28 +02:00
hid-alps.c Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
hid-apple.c HID: add usb device id for Apple Magic Keyboard 2016-07-11 17:41:31 +02:00
hid-appleir.c HID: hid-input: allow input_configured callback return errors 2015-11-05 09:51:50 -08:00
hid-asus.c HID: asus: add support for VivoBook E200HA 2016-04-04 09:59:21 +02:00
hid-aureal.c HID: fix some indenting issues 2015-10-21 13:15:53 +02:00
hid-axff.c HID: enable Mayflash USB Gamecube Adapter 2013-11-12 19:06:23 +01:00
hid-belkin.c
hid-betopff.c HID: betop: add drivers/hid/hid-betopff.c 2014-12-22 15:00:25 +01:00
hid-cherry.c HID: fix a couple of off-by-ones 2014-08-21 10:43:28 -05:00
hid-chicony.c HID: chicony: Add support for Acer Aspire Switch 12 2015-07-29 14:12:26 +02:00
hid-cmedia.c HID: Support for CMedia CM6533 HID audio jack controls 2016-03-02 10:31:36 +01:00
hid-core.c Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
hid-corsair.c HID: corsair: fix mapping of non-keyboard usages 2016-02-23 14:21:19 +01:00
hid-cp2112.c GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
hid-cypress.c HID: cypress: use swap() in cp_report_fixup() 2015-06-18 11:00:42 +02:00
hid-debug.c HID: debug: improve hid_debug_event() 2015-11-27 00:02:59 +01:00
hid-dr.c HID: dragonrise: fix a typo in descriptors comments s/Joystik/Joystick/ 2016-01-29 17:12:31 +01:00
hid-elecom.c HID: fix some indenting issues 2015-10-21 13:15:53 +02:00
hid-elo.c HID: elo: kill not flush the work 2016-06-01 14:08:17 +02:00
hid-emsff.c
hid-ezkey.c
hid-gaff.c
hid-gembird.c HID: gembird: add new driver to fix Gembird JPD-DualForce 2 2015-08-18 15:03:43 +02:00
hid-generic.c
hid-gfrm.c HID: hid-gfrm: avoid warning for input_configured API change 2015-11-05 10:15:35 -08:00
hid-gt683r.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-gyration.c
hid-holtek-kbd.c
hid-holtek-mouse.c HID: Add Holtek USB ID 04d9:a0c2 ETEKCITY Scroll 2014-09-08 09:48:56 +02:00
hid-holtekff.c HID: hid-holtekff: don't push static constants on stack for %*ph 2013-08-05 11:29:57 +02:00
hid-hyperv.c HID: hyperv: match wait_for_completion_timeout return type 2015-01-26 14:25:41 +01:00
hid-icade.c
hid-ids.h HID: i2c-hid: add a simple quirk to fix device defects 2016-11-10 10:23:31 +01:00
hid-input.c Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
hid-kensington.c
hid-keytouch.c
hid-kye.c HID: kye: Fix MousePen i608X v2 report descriptor 2016-09-19 14:32:22 +02:00
hid-lcpower.c
hid-led.c HID: hid-led: fix Delcom support on big endian systems 2016-07-08 12:36:03 +02:00
hid-lenovo.c HID: lenovo: Don't use stack variables for DMA buffers 2016-03-29 15:39:36 +02:00
hid-lg2ff.c HID: logitech - lg2ff: Add IDs for Formula Vibration Feedback Wheel 2013-10-09 12:06:02 +02:00
hid-lg3ff.c HID: LG: validate HID output report details 2013-09-13 15:12:39 +02:00
hid-lg4ff.c HID: hid-logitech: Improve Wingman Formula Force GP support 2016-09-26 15:39:56 +02:00
hid-lg4ff.h HID: hid-logitech: Add combined pedal support Logitech wheels 2016-09-26 15:39:54 +02:00
hid-lg.c HID: hid-logitech: Improve Wingman Formula Force GP support 2016-09-26 15:39:56 +02:00
hid-lg.h HID: hid-lg4ff: Introduce a module parameter to disable automatic switch of compatibility mode 2015-02-18 21:14:54 +01:00
hid-lgff.c HID: LG: validate HID output report details 2013-09-13 15:12:39 +02:00
hid-logitech-dj.c HID: logitech-dj: check report length 2014-12-17 08:50:12 +01:00
hid-logitech-hidpp.c HID: logitech-hidpp: limit visibility of init/deinit functions 2016-01-28 14:28:39 +01:00
hid-magicmouse.c HID: hid-input: allow input_configured callback return errors 2015-11-05 09:51:50 -08:00
hid-microsoft.c Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
hid-monterey.c HID: fix a couple of off-by-ones 2014-08-21 10:43:28 -05:00
hid-multitouch.c HID: multitouch: enable palm rejection for Windows Precision Touchpad 2016-06-28 13:24:14 +02:00
hid-ntrig.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-ortek.c
hid-penmount.c HID: penmount: report only one button for PenMount 6000 USB touchscreen controller 2016-03-10 17:17:26 +01:00
hid-petalynx.c HID: fix a couple of off-by-ones 2014-08-21 10:43:28 -05:00
hid-picolcd_backlight.c HID: picoLCD: Deletion of unnecessary checks before three function calls 2015-06-29 14:51:12 +02:00
hid-picolcd_cir.c HID: picoLCD: Deletion of unnecessary checks before three function calls 2015-06-29 14:51:12 +02:00
hid-picolcd_core.c HID: picolcd: be more verbose when reporting report size error 2014-08-27 23:27:10 +02:00
hid-picolcd_debugfs.c HID: picolcd: remove unnecessary NULL test before debugfs_remove 2014-06-30 09:54:22 +02:00
hid-picolcd_fb.c drivers/hid/hid-picolcd_fb: avoid world-writable sysfs files. 2014-05-14 10:53:56 +09:30
hid-picolcd_lcd.c HID: picoLCD: Deletion of unnecessary checks before three function calls 2015-06-29 14:51:12 +02:00
hid-picolcd_leds.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-picolcd.h
hid-pl.c HID: pantherlord: validate output report details 2013-09-04 11:58:32 +02:00
hid-plantronics.c HID: plantronics: Update to map volume up/down controls 2015-06-12 15:04:17 +02:00
hid-primax.c
hid-prodikeys.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-rmi.c HID: rmi: Check that the device is a RMI device in suspend and resume callbacks 2016-01-27 22:39:32 +01:00
hid-roccat-arvo.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-arvo.h
hid-roccat-common.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-common.h HID: roccat: generalize some common code 2013-10-30 14:17:31 +01:00
hid-roccat-isku.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-isku.h
hid-roccat-kone.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-kone.h
hid-roccat-koneplus.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-koneplus.h
hid-roccat-konepure.c HID: roccat: generalize some common code 2013-10-30 14:17:31 +01:00
hid-roccat-kovaplus.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-kovaplus.h
hid-roccat-lua.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-lua.h
hid-roccat-pyra.c HID: use kobj_to_dev() 2015-12-28 13:41:51 +01:00
hid-roccat-pyra.h
hid-roccat-ryos.c HID: roccat: add support for Ryos MK keyboards 2013-10-30 14:17:31 +01:00
hid-roccat-savu.c HID: roccat: generalize some common code 2013-10-30 14:17:31 +01:00
hid-roccat-savu.h HID: roccat: generalize some common code 2013-10-30 14:17:31 +01:00
hid-roccat.c HID: roccat: silence an uninitialized variable warning 2016-04-04 09:49:12 +02:00
hid-saitek.c HID: Add a new Saitek mouse device ID (RAT 9) 2016-08-02 16:45:17 +02:00
hid-samsung.c
hid-sensor-custom.c HID: sensor: Custom and Generic sensor support 2015-04-10 22:22:55 +02:00
hid-sensor-hub.c HID: hid-sensor-hub: Add ISH quirk 2016-08-17 11:13:08 +02:00
hid-sjoy.c HID: sjoy: support Super Joy Box 4 2015-05-07 10:47:53 +02:00
hid-sony.c Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
hid-speedlink.c HID: Fix Speedlink VAD Cezanne support for some devices 2013-08-26 13:51:10 +02:00
hid-steelseries.c HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-sunplus.c HID: fix a couple of off-by-ones 2014-08-21 10:43:28 -05:00
hid-tivo.c HID: tivo: enable all buttons on the TiVo Slide Pro remote 2015-03-15 10:04:27 -04:00
hid-tmff.c
hid-topseed.c
hid-twinhan.c
hid-uclogic.c HID: uclogic: Add support for UC-Logic TWHA60 v3 2016-09-19 14:32:24 +02:00
hid-waltop.c HID: Remove broken links to tablet descriptions 2016-09-19 14:32:21 +02:00
hid-wiimote-core.c HID: wiimote: replace hid_output_raw_report with hid_hw_output_report for output requests 2014-02-17 14:57:17 +01:00
hid-wiimote-debug.c
hid-wiimote-modules.c HID: wiimote: Fix wiimote mp scale linearization 2016-03-18 17:31:38 +01:00
hid-wiimote.h HID: use to_hid_device() 2015-12-28 13:41:44 +01:00
hid-xinmo.c HID: use module_hid_driver() to simplify the code 2013-08-26 13:23:04 +02:00
hid-zpff.c HID: zeroplus: validate output report details 2013-09-13 15:11:34 +02:00
hid-zydacron.c HID: trivial devm conversion for special hid drivers 2013-07-31 10:12:28 +02:00
hidraw.c Merge branch 'for-4.7/upstream' into for-linus 2016-05-17 12:41:22 +02:00
Kconfig Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
Makefile HID: intel_ish-hid: ISH Transport layer 2016-08-17 11:13:07 +02:00
uhid.c miscdevice: Add helper macro for misc device boilerplate 2016-08-31 14:12:35 +02:00
wacom_sys.c HID: wacom: Augment 'oVid' and 'oPid' with heuristics for HID_GENERIC 2016-08-10 11:44:28 +02:00
wacom_wac.c Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
wacom_wac.h Merge branches 'for-4.8/upstream-fixes', 'for-4.9/alps', 'for-4.9/hid-input', 'for-4.9/intel-ish', 'for-4.9/kye-uclogic-waltop-fixes', 'for-4.9/logitech', 'for-4.9/sony', 'for-4.9/upstream' and 'for-4.9/wacom' into for-linus 2016-10-07 09:59:48 +02:00
wacom.h HID: wacom: power_supply: provide the actual model_name 2016-08-05 13:39:23 +02:00