2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-23 04:34:11 +08:00
linux-next/drivers
Max Kellermann c183d3584b [media] rc-main: clear rc_map.name in ir_free_table()
rc_unregister_device() will first call ir_free_table(), and later
device_del(); however, the latter causes a call to rc_dev_uevent(),
which prints rc_map.name, which at this point has already bee freed.

This fixes a use-after-free bug found with KASAN.

As reported by Shuah:

 "I am seeing the following when I do rmmod on au0828

  BUG: KASAN: use-after-free in string+0x170/0x1f0 at addr ffff8801bd513000
  Read of size 1 by task rmmod/1831
  CPU: 1 PID: 1831 Comm: rmmod Tainted: G        W       4.9.0-rc5 #5
  Hardware name: Hewlett-Packard HP ProBook 6475b/180F, BIOS 68TTU Ver. F.04 08/03/2012
  ffff8801aea2f680 ffffffff81b37ad3 ffff8801fa403b80 ffff8801bd513000
  ffff8801aea2f6a8 ffffffff8156c301 ffff8801aea2f738 ffff8801bd513000
  ffff8801fa403b80 ffff8801aea2f728 ffffffff8156c59a ffff8801aea2f770
  Call Trace:
  dump_stack+0x67/0x94
  [<ffffffff8156c301>] kasan_object_err+0x21/0x70
  [<ffffffff8156c59a>] kasan_report_error+0x1fa/0x4d0
  [<ffffffffa116f05f>] ? au0828_exit+0x10/0x21 [au0828]
  [<ffffffff8156c8b3>] __asan_report_load1_noabort+0x43/0x50
  [<ffffffff81b58b20>] ? string+0x170/0x1f0
  [<ffffffff81b58b20>] string+0x170/0x1f0
  [<ffffffff81b621c4>] vsnprintf+0x374/0x1c50
  [<ffffffff81b61e50>] ? pointer+0xa80/0xa80
  [<ffffffff8156b676>] ? save_stack+0x46/0xd0
  [<ffffffff81566faa>] ? __kmalloc+0x14a/0x2a0
  [<ffffffff81b3d70a>] ? kobject_get_path+0x9a/0x200
  [<ffffffff81b408c2>] ? kobject_uevent_env+0x282/0xca0
  [<ffffffff81b412eb>] ? kobject_uevent+0xb/0x10
  [<ffffffff81f10104>] ? device_del+0x434/0x6d0
  [<ffffffffa0fea717>] ? rc_unregister_device+0x177/0x240 [rc_core]
  [<ffffffffa116eeb0>] ? au0828_rc_unregister+0x60/0xb0 [au0828]

 The problem is fixed with this patch on Linux 4.9-rc4"

Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-11-18 14:31:34 -02:00
..
accessibility
acpi Merge branch 'device-properties' 2016-11-11 23:23:02 +01:00
amba
android ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct 2016-10-24 19:37:48 +02:00
ata ahci: fix the single MSI-X case in ahci_init_one 2016-10-25 11:43:07 -04:00
atm
auxdisplay auxdisplay: img-ascii-lcd: driver for simple ASCII LCD displays 2016-10-06 17:03:41 +02:00
base driver core fixes for 4.9-rc5 2016-11-13 10:22:07 -08:00
bcma
block aoe: fix crash in page count manipulation 2016-11-12 08:27:07 -07:00
bluetooth Bluetooth: btwilink: Fix probe return value 2016-10-20 10:14:49 +02:00
bus bus: qcom-ebi2: depend on ARCH_QCOM or COMPILE_TEST 2016-10-17 13:46:09 -07:00
cdrom
char char/misc fixes for 4.9-rc5 2016-11-13 10:24:08 -08:00
clk clk: mmp: pxa910: fix return value check in pxa910_clk_init() 2016-11-01 17:41:20 -07:00
clocksource Revert "clocksource/drivers/timer_sun5i: Replace code by clocksource_mmio_init" 2016-10-20 21:58:58 +02:00
connector
cpufreq Merge branches 'pm-cpufreq-fixes' and 'pm-sleep-fixes' 2016-10-29 01:29:17 +02:00
cpuidle Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-10-15 09:26:12 -07:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-10-10 14:04:16 -07:00
dax device-dax: fix percpu_ref_exit ordering 2016-10-27 17:04:05 -07:00
dca
devfreq PM / devfreq: Skip status update on uninitialized previous_freq 2016-10-11 00:01:20 +02:00
dio
dma dmaengine updates for 4.8-rc1 2016-10-06 17:13:54 -07:00
dma-buf Merge tag 'drm-for-v4.9' of git://people.freedesktop.org/~airlied/linux 2016-10-11 18:12:22 -07:00
edac * Altera Arria10 enablement of NAND, DMA, USB, QSPI and SD-MMC FIFO 2016-10-04 12:06:26 -07:00
eisa
extcon extcon: qcom-spmi-misc: Sync the extcon state on interrupt 2016-10-26 16:04:29 +09:00
firewire firewire: net: fix fragmented datagram_size off-by-one 2016-11-03 14:46:39 +01:00
firmware efi/arm: Fix absolute relocation detection for older toolchains 2016-10-19 14:49:44 +02:00
fmc
fpga
gpio gpio/mvebu: Use irq_domain_add_linear 2016-11-01 19:31:49 +01:00
gpu imx-drm: fix possible hangup when disabling crtcs 2016-11-11 09:09:57 +10:00
hid HID: sensor: fix attributes in HID sensor interface 2016-11-05 16:56:09 +01:00
hsi
hv vmbus: make sysfs names consistent with PCI 2016-11-01 09:07:13 -06:00
hwmon hwmon: (core) fix resource leak on devm_kcalloc failure 2016-10-24 06:05:13 -07:00
hwspinlock
hwtracing
i2c i2c: core: fix NULL pointer dereference under race condition 2016-11-04 20:36:58 +01:00
ide
idle nmi_backtrace: generate one-line reports for idle cpus 2016-10-07 18:46:30 -07:00
iio iio: maxim_thermocouple: detect invalid storage size in read() 2016-11-13 10:08:32 +01:00
infiniband infiniband: shut up a maybe-uninitialized warning 2016-11-11 08:45:08 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-11-05 11:26:11 -07:00
iommu iommu/vt-d: Fix dead-locks in disable_dmar_iommu() path 2016-11-08 15:08:26 +01:00
ipack ipack: print a hex number after a 0x prefix 2016-10-27 18:43:43 -07:00
irqchip GIC updates for Linux 4.9-rc2 2016-10-21 21:40:29 +02:00
isdn
leds
lguest
lightnvm Merge branch 'for-4.9/block' of git://git.kernel.dk/linux-block 2016-10-07 14:42:05 -07:00
macintosh
mailbox Merge branch 'mailbox-for-next' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2016-10-06 17:36:53 -07:00
mcb mcb: Add a dma_device to mcb_device 2016-09-27 12:33:47 +02:00
md Merge tag 'md/4.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2016-11-05 11:34:07 -07:00
media [media] rc-main: clear rc_map.name in ir_free_table() 2016-11-18 14:31:34 -02:00
memory ARM: SoC driver updates for v4.9 2016-10-07 21:23:40 -07:00
memstick memstick: rtsx_usb_ms: Manage runtime PM when accessing the device 2016-10-17 15:43:05 +02:00
message
mfd - Core Frameworks 2016-10-07 08:35:35 -07:00
misc mei: bus: fix received data size check in NFC fixup 2016-10-31 10:25:22 -06:00
mmc mmc: mxs: Initialize the spinlock prior to using it 2016-11-07 13:30:08 +01:00
mtd MTD updates for 4.9-rc4: 2016-11-05 10:52:29 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-29 20:33:20 -07:00
nfc mei: bus: fix received data size check in NFC fixup 2016-10-31 10:25:22 -06:00
ntb
nubus
nvdimm nvdimm: make CONFIG_NVDIMM_DAX 'bool' 2016-10-27 16:16:21 -07:00
nvme lightnvm: invalid offset calculation for lba_shift 2016-11-11 18:27:32 -07:00
nvmem ARM: SoC driver updates for v4.9 2016-10-07 21:23:40 -07:00
of Revert "console: don't prefer first registered if DT specifies stdout-path" 2016-11-11 08:12:37 -08:00
oprofile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
parisc
parport
pci pci-v4.9-fixes-3 2016-11-11 16:38:26 -08:00
pcmcia pcmcia: fix return value of soc_pcmcia_regulator_set 2016-11-11 08:45:08 -08:00
perf perf: xgene: Remove bogus IS_ERR() check 2016-10-17 15:50:07 +01:00
phy phy: sun4i: check PMU presence when poking unknown bit of pmu 2016-11-05 13:45:02 +05:30
pinctrl pinctrl-aspeed-g5: Never set SCU90[6] 2016-11-07 10:31:33 +01:00
platform ACPI fix for v4.9-rc5 2016-11-11 17:02:01 -08:00
pnp
power power supply and reset changes for the v4.9 series 2016-10-06 18:21:15 -07:00
powercap
pps pps: kc: fix non-tickless system config dependency 2016-10-11 15:06:32 -07:00
ps3
ptp drivers/ptp: Fix kernel memory disclosure 2016-10-13 10:20:06 -04:00
pwm
rapidio mm: replace get_user_pages() write/force parameters with gup_flags 2016-10-19 08:11:43 -07:00
ras
regulator regulator: core: silence warning: "VDD1: ramp_delay not set" 2016-10-28 18:22:40 +01:00
remoteproc rpmsg updates for v4.9 2016-10-06 17:03:49 -07:00
reset reset: uniphier: rename MIO reset to SD reset for Pro5, PXs2, LD20 SoCs 2016-10-22 18:31:42 +09:00
rpmsg
rtc RTC for 4.9 2016-10-14 13:13:44 -07:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2016-10-27 14:16:30 -07:00
sbus
scsi SCSI fixes on 20161111 2016-11-13 10:07:08 -08:00
sfi
sh
sn
soc powerpc updates for 4.9 #2 2016-10-14 11:07:42 -07:00
spi Merge remote-tracking branches 'spi/fix/dt', 'spi/fix/fsl-dspi' and 'spi/fix/fsl-espi' into spi-linus 2016-10-29 12:51:55 -06:00
spmi spmi: pmic-arb: Return an error code if sanity check fails 2016-09-27 12:43:34 +02:00
ssb
staging [media] Staging: media: radio-bcm2048: Remove FSF address from GPL notice 2016-11-18 13:40:01 -02:00
target target/tcm_fc: use CPU affinity for responses 2016-10-21 01:19:44 -07:00
tc
thermal thermal/powerclamp: correct cpu support check 2016-10-20 14:15:44 +08:00
thunderbolt
tty tty: serial_core: fix NULL struct tty pointer access in uart_write_wakeup 2016-10-28 08:13:07 -04:00
uio
usb USB: cdc-acm: fix TIOCMIWAIT 2016-11-10 13:12:59 +01:00
uwb uwb: fix device reference leaks 2016-11-01 09:04:04 -06:00
vfio vfio/pci: Fix integer overflows, bitmask check 2016-10-26 13:49:29 -06:00
vhost
video Merge branch 'gup_flag-cleanups' 2016-10-19 08:39:47 -07:00
virt mm: replace get_user_pages() write/force parameters with gup_flags 2016-10-19 08:11:43 -07:00
virtio virtio_ring: mark vring_dma_dev inline 2016-10-31 00:40:08 +02:00
vlynq
vme vme: vme_get_size potentially returning incorrect value on failure 2016-10-28 08:25:18 -04:00
w1
watchdog Merge branches 'acpi-wdat' and 'acpi-cppc' 2016-10-21 22:24:23 +02:00
xen xen: fixes for 4.9-rc2 2016-10-24 19:52:24 -07:00
zorro
Kconfig
Makefile A small bug fix and a new driver for acting as an IPMI device. 2016-10-23 15:56:23 -07:00