mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-28 07:04:00 +08:00
linux-next/drivers
João Paulo Rechi Vita d46ddc593f HID: i2c-hid: Disable IRQ before freeing buffers
The HID report buffers that are initially allocated on i2c_hid_probe()
might not be big enough to hold the HID reports from a specific device,
in which case they will be freed and new ones will be allocated in
i2c_hid_start(), at which point the device's report size is known. But
at this point ihid->irq is already running, and may call
i2c_hid_get_input() which passes ihid->inbuf to i2c_master_recv(). Since
this handler runs in a separate thread, ihid->inbuf may be freed at this
very moment, and i2c_master_recv() will write on memory which may be
already owned by a different part of the kernel, corrupting its data.

This problem has been observed on an Asus UX360UA laptop which has an
I2C touchpad, and results in a complete system freeze or an unusable
slowness with a lot of "BUG: unable to handle kernel paging request at
<address>" warnings. Enabling SLUB debugging shows a use-after-free
warning on memory allocated in i2c_hid_alloc_buffers() and freed in
i2c_hid_free_buffers():

=============================================================================
BUG kmalloc-64 (Not tainted): Poison overwritten
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: 0xffff880264083273-0xffff88026408329e. first byte 0x0 instead of 0x6b
INFO: Allocated in i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid] age=35793 cpu=2 pid=430
	___slab_alloc+0x41e/0x460
	__slab_alloc+0x20/0x40
	__kmalloc+0x210/0x280
	i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid]
	i2c_hid_probe+0x12f/0x5e0 [i2c_hid]
	i2c_device_probe+0x10a/0x1b0
	driver_probe_device+0x220/0x4a0
	__device_attach_driver+0x71/0xa0
	bus_for_each_drv+0x67/0xb0
	__device_attach+0xdc/0x170
	device_initial_probe+0x13/0x20
	bus_probe_device+0x92/0xa0
	device_add+0x4aa/0x670
	device_register+0x1a/0x20
	i2c_new_device+0x18e/0x230
	acpi_i2c_add_device+0x1a0/0x210
INFO: Freed in i2c_hid_free_buffers+0x16/0x60 [i2c_hid] age=7552 cpu=1 pid=1473
	__slab_free+0x221/0x330
	kfree+0x139/0x160
	i2c_hid_free_buffers+0x16/0x60 [i2c_hid]
	i2c_hid_start+0x2a9/0x2df [i2c_hid]
	mt_probe+0x160/0x22e [hid_multitouch]
	hid_device_probe+0xd7/0x150 [hid]
	driver_probe_device+0x220/0x4a0
	__driver_attach+0x84/0x90
	bus_for_each_dev+0x6c/0xc0
	driver_attach+0x1e/0x20
	bus_add_driver+0x1c3/0x280
	driver_register+0x60/0xe0
	__hid_register_driver+0x53/0x90 [hid]
	0xffffffffc004f01e
	do_one_initcall+0xb3/0x1f0
	do_init_module+0x5f/0x1d0
INFO: Slab 0xffffea0009902080 objects=20 used=20 fp=0x          (null) flags=0x17fff8000004080
INFO: Object 0xffff880264083260 @offset=4704 fp=0x          (null)
Bytes b4 ffff880264083250: 8d e6 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
Object ffff880264083260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffff880264083270: 6b 6b 6b 00 00 00 00 00 00 00 00 00 00 00 00 00  kkk.............
Object ffff880264083280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff880264083290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone ffff8802640832a0: bb bb bb bb bb bb bb bb                          ........
Padding ffff8802640833e0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
CPU: 1 PID: 1503 Comm: python3 Tainted: G    B           4.4.21+ #10
Hardware name: ASUSTeK COMPUTER INC. UX360UA/UX360UA, BIOS UX360UA.200 05/05/2016
 0000000000000086 00000000622d48a2 ffff88026061ba38 ffffffff813f6044
 ffff880264082010 ffff880264083260 ffff88026061ba78 ffffffff811e8eab
 0000000000000008 ffff880200000001 ffff88026408329f ffff88026a007700
Call Trace:
 [<ffffffff813f6044>] dump_stack+0x63/0x8f
 [<ffffffff811e8eab>] print_trailer+0x14b/0x1f0
 [<ffffffff811e94c1>] check_bytes_and_report+0xc1/0x100
 [<ffffffff811e96c4>] check_object+0x1c4/0x240
 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
 [<ffffffff811e9b44>] alloc_debug_processing+0x104/0x180
 [<ffffffff811eb7be>] ___slab_alloc+0x41e/0x460
 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
 [<ffffffff8124590b>] ? __getblk_gfp+0x2b/0x60
 [<ffffffff8129b969>] ? ext4_getblk+0xa9/0x190
 [<ffffffff811eb820>] __slab_alloc+0x20/0x40
 [<ffffffff811ed320>] __kmalloc+0x210/0x280
 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
 [<ffffffff812c1602>] ? ext4fs_dirhash+0xc2/0x2a0
 [<ffffffff81293fde>] ext4_htree_store_dirent+0x3e/0x120
 [<ffffffff812a4f47>] htree_dirblock_to_tree+0x187/0x1b0
 [<ffffffff812a5fd2>] ext4_htree_fill_tree+0xb2/0x2e0
 [<ffffffff811ebb7a>] ? kmem_cache_alloc_trace+0x1fa/0x220
 [<ffffffff81293e45>] ? ext4_readdir+0x775/0x8b0
 [<ffffffff81293cb1>] ext4_readdir+0x5e1/0x8b0
 [<ffffffff81221c82>] iterate_dir+0x92/0x120
 [<ffffffff81222118>] SyS_getdents+0x98/0x110
 [<ffffffff81221d10>] ? iterate_dir+0x120/0x120
 [<ffffffff818157f2>] entry_SYSCALL_64_fastpath+0x16/0x71
FIX kmalloc-64: Restoring 0xffff880264083273-0xffff88026408329e=0x6b
FIX kmalloc-64: Marking all objects used

Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2016-12-12 09:47:01 +01:00
accessibility
acpi PCI changes for the v4.9 merge window: 2016-10-07 11:46:37 -07:00
amba
android
ata
atm atm: iphase: fix newline escape and minor tweak to source formatting 2016-09-15 19:15:55 -04:00
auxdisplay
base General improvements: 2016-10-05 11:37:14 -07:00
bcma
block
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-10-05 10:11:24 -07:00
bus Merge branch 'smp-hotplug-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-10-03 19:43:08 -07:00
cdrom
char Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-10-04 14:48:27 -07:00
clk CLK: Add Loongson1C clock support 2016-09-23 14:49:21 -07:00
clocksource Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-10-03 18:09:13 -07:00
connector
cpufreq Merge branch 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm 2016-10-06 07:59:37 -07:00
cpuidle Merge branch 'smp-hotplug-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-10-03 19:43:08 -07:00
crypto chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's 2016-09-19 01:37:32 -04:00
dax
dca
devfreq PM / devfreq: rk3399_dmc: Remove explictly regulator_put call in .remove 2016-09-19 13:36:20 +02:00
dio
dma dmaengine updates for 4.8-rc1 2016-10-06 17:13:54 -07:00
dma-buf
edac * Altera Arria10 enablement of NAND, DMA, USB, QSPI and SD-MMC FIFO 2016-10-04 12:06:26 -07:00
eisa
extcon Merge branch 'next' into resolution 2016-09-15 16:45:20 +05:30
firewire
firmware Fix bug in module unloading. 2016-10-06 15:16:16 -07:00
fmc
fpga
gpio This is the bulk of GPIO changes for the v4.9 series: 2016-10-05 11:49:09 -07:00
gpu drm/udl: fix line iterator in damage handling 2016-09-28 13:29:18 +10:00
hid HID: i2c-hid: Disable IRQ before freeing buffers 2016-12-12 09:47:01 +01:00
hsi
hv Drivers: hv: get rid of id in struct vmbus_channel 2016-09-27 12:35:49 +02:00
hwmon hwmon updates for v4.9 2016-10-04 10:56:14 -07:00
hwspinlock
hwtracing
i2c Merge branches 'acpi-wdat' and 'acpi-ec' 2016-10-02 01:40:07 +02:00
ide
idle
iio Staging/IIO patches for 4.9-rc1 2016-10-05 14:50:51 -07:00
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-10-05 10:11:24 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-10-07 09:12:19 -07:00
iommu KVM updates for v4.9-rc1 2016-10-06 10:49:01 -07:00
ipack
irqchip irqchip core changes for v4.9 2016-09-22 22:49:52 +02:00
isdn
leds leds: triggers: Check return value of kobject_uevent_env() 2016-09-20 10:22:10 +02:00
lguest
lightnvm
macintosh
mailbox Merge branch 'mailbox-for-next' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2016-10-06 17:36:53 -07:00
mcb mcb: Add a dma_device to mcb_device 2016-09-27 12:33:47 +02:00
md Merge tag 'md/4.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2016-10-07 09:45:43 -07:00
media USB/PHY/EXTCON patches for 4.9-rc1 2016-10-03 20:17:35 -07:00
memory Char/Misc driver update for 4.9-rc1 2016-10-03 19:57:49 -07:00
memstick
message scsi: fusion: Fix error return code in mptfc_probe() 2016-09-14 14:26:19 -04:00
mfd - Core Frameworks 2016-10-07 08:35:35 -07:00
misc Char/Misc driver update for 4.9-rc1 2016-10-03 19:57:49 -07:00
mmc USB/PHY/EXTCON patches for 4.9-rc1 2016-10-03 20:17:35 -07:00
mtd Another round of MTD fixes for v4.8 2016-09-28 12:53:08 -07:00
net phy: micrel.c: Enable ksz9031 energy-detect power-down mode 2016-10-05 21:19:06 -04:00
nfc
ntb
nubus
nvdimm libnvdimm, region: fix flush hint table thinko 2016-09-24 11:45:38 -07:00
nvme nvme-rdma: only clear queue flags after successful connect 2016-09-22 19:58:17 -06:00
nvmem
of DeviceTree updates for 4.9: 2016-10-05 11:56:38 -07:00
oprofile oprofile/timer: Convert to hotplug state machine 2016-09-19 21:44:28 +02:00
parisc
parport
pci PCI changes for the v4.9 merge window: 2016-10-07 11:46:37 -07:00
pcmcia
perf Merge branch 'smp-hotplug-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-10-03 19:43:08 -07:00
phy
pinctrl This is the bulk of GPIO changes for the v4.9 series: 2016-10-05 11:49:09 -07:00
platform - Core Frameworks 2016-10-07 08:35:35 -07:00
pnp
power power supply and reset changes for the v4.9 series 2016-10-06 18:21:15 -07:00
powercap
pps
ps3
ptp ptp: Fix resource leak in case of error 2016-10-03 21:54:10 -04:00
pwm
rapidio rapidio/rio_cm: avoid GFP_KERNEL in atomic context 2016-09-19 15:36:17 -07:00
ras
regulator - Core Frameworks 2016-10-07 08:35:35 -07:00
remoteproc rpmsg updates for v4.9 2016-10-06 17:03:49 -07:00
reset
rpmsg
rtc Merge branches 'ib-mfd-gpio-4.9', 'ib-mfd-gpio-regulator-4.9', 'ib-mfd-input-4.9', 'ib-mfd-regulator-4.9', 'ib-mfd-regulator-4.9.1', 'ib-mfd-regulator-rtc-4.9', 'ib-mfd-regulator-rtc-4.9-1' and 'ib-mfd-rtc-4.9' into ibs-for-mfd-merged 2016-10-04 15:47:01 +01:00
s390 SCSI misc on 20161006 2016-10-07 09:28:53 -07:00
sbus
scsi SCSI misc on 20161006 2016-10-07 09:28:53 -07:00
sfi
sh
sn
soc
spi Merge remote-tracking branches 'spi/topic/ti-qspi', 'spi/topic/tools', 'spi/topic/txx9' and 'spi/topic/xlp' into spi-next 2016-09-30 09:14:22 -07:00
spmi spmi: pmic-arb: Return an error code if sanity check fails 2016-09-27 12:43:34 +02:00
ssb
staging Staging/IIO patches for 4.9-rc1 2016-10-05 14:50:51 -07:00
target chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's 2016-09-19 01:37:32 -04:00
tc
thermal
thunderbolt
tty TTY/Serial patches for 4.9-rc1 2016-10-03 20:11:49 -07:00
uio
usb Revert "usbtmc: convert to devm_kzalloc" 2016-09-28 11:51:30 +02:00
uwb
vfio vfio_pci: use pci_alloc_irq_vectors 2016-09-29 13:36:38 -06:00
vhost
video backlight: pwm_bl: Handle gpio that can sleep 2016-10-06 09:27:26 +01:00
virt
virtio
vlynq
vme vme: fake: remove unexpected unlock in fake_master_set() 2016-09-27 12:43:35 +02:00
w1
watchdog USB/PHY/EXTCON patches for 4.9-rc1 2016-10-03 20:17:35 -07:00
xen xen: features and fixes for 4.9-rc0 2016-10-06 11:19:10 -07:00
zorro
Kconfig
Makefile clk: probe common clock drivers earlier 2016-09-23 13:00:04 +02:00