OpenCloudOS-Kernel/drivers
Sean Young c268e7adea media: dvb-frontends: use ida for pll number
KASAN: global-out-of-bounds Read in dvb_pll_attach

Syzbot reported a global-out-of-bounds Read in dvb_pll_attach, while
accessing id[dvb_pll_devcount], because dvb_pll_devcount was 65,
which is more than the size of 'id', DVB_PLL_MAX (64).

Rather than increasing dvb_pll_devcount every time, use ida so that
numbers are allocated correctly. This does mean that no more than
64 devices can be attached at the same time, but this is more than
sufficient.

usb 1-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the
software demuxer
dvbdev: DVB: registering new adapter (774 Friio White ISDB-T USB2.0)
usb 1-1: media controller created
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
tc90522 0-0018: Toshiba TC90522 attached.
usb 1-1: DVB: registering adapter 0 frontend 0 (Toshiba TC90522 ISDB-T
module)...
dvbdev: dvb_create_media_entity: media entity 'Toshiba TC90522 ISDB-T
module' registered.
==================================================================
BUG: KASAN: global-out-of-bounds in dvb_pll_attach+0x6c5/0x830
drivers/media/dvb-frontends/dvb-pll.c:798
Read of size 4 at addr ffffffff89c9e5e0 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6+ #13
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x67/0x231 mm/kasan/report.c:188
  __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
  kasan_report+0xe/0x20 mm/kasan/common.c:614
  dvb_pll_attach+0x6c5/0x830 drivers/media/dvb-frontends/dvb-pll.c:798
  dvb_pll_probe+0xfe/0x174 drivers/media/dvb-frontends/dvb-pll.c:877
  i2c_device_probe+0x790/0xaa0 drivers/i2c/i2c-core-base.c:389
  really_probe+0x281/0x660 drivers/base/dd.c:509
  driver_probe_device+0x104/0x210 drivers/base/dd.c:670
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:843
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2111
  i2c_new_client_device+0x5b3/0xc40 drivers/i2c/i2c-core-base.c:778
  i2c_new_device+0x19/0x50 drivers/i2c/i2c-core-base.c:821
  dvb_module_probe+0xf9/0x220 drivers/media/dvb-core/dvbdev.c:985
  friio_tuner_attach+0x125/0x1d0 drivers/media/usb/dvb-usb-v2/gl861.c:536
  dvb_usbv2_adapter_frontend_init
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:675 [inline]
  dvb_usbv2_adapter_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:804
[inline]
  dvb_usbv2_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:865 [inline]
  dvb_usbv2_probe.cold+0x24dc/0x255d
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:980
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x660 drivers/base/dd.c:509
  driver_probe_device+0x104/0x210 drivers/base/dd.c:670
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:843
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2111
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x660 drivers/base/dd.c:509
  driver_probe_device+0x104/0x210 drivers/base/dd.c:670
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:843
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2111
  usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
  hub_port_connect drivers/usb/core/hub.c:5089 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
  port_event drivers/usb/core/hub.c:5350 [inline]
  hub_event+0x1ada/0x3590 drivers/usb/core/hub.c:5432
  process_one_work+0x905/0x1570 kernel/workqueue.c:2269
  process_scheduled_works kernel/workqueue.c:2331 [inline]
  worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
  kthread+0x30b/0x410 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the variable:
  id+0x100/0x120

Memory state around the buggy address:
  ffffffff89c9e480: fa fa fa fa 00 00 fa fa fa fa fa fa 00 00 00 00
  ffffffff89c9e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffff89c9e580: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
                                                        ^
  ffffffff89c9e600: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
  ffffffff89c9e680: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
==================================================================

Reported-by: syzbot+8a8f48672560c8ca59dd@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-08-21 18:39:54 -03:00
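The two allocation schemes the commit message contrasts, as an added userspace model that is not the kernel's code: a counter that is bumped on every attach and never reused can exceed the size of a fixed array (the read KASAN flagged), whereas a bounded allocator that hands out the lowest free number and returns it on detach keeps every index inside the table and refuses the 65th simultaneous attach instead of indexing past the end. The bitmap allocator below is a constructed stand-in for the kernel's ida API, and the function and variable names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define DVB_PLL_MAX 64   /* the bound the commit message names */

/* --- Old scheme (modelled): a counter bumped on every attach, never reused. */
static unsigned int devcount;   /* stands in for dvb_pll_devcount */

static unsigned int old_attach_index(void)
{
    return devcount++;            /* no bound check: the index can reach 64 */
}

/* Run n attach/detach cycles under the old scheme and report the first
 * index that lies outside id[DVB_PLL_MAX], or -1 if every index was valid.
 * Only the index is computed here; the driver used it to read the array. */
static int old_scheme_first_oob(int n)
{
    devcount = 0;
    for (int i = 0; i < n; i++) {
        unsigned int idx = old_attach_index();
        if (idx >= DVB_PLL_MAX)
            return (int)idx;
    }
    return -1;
}

/* --- Fixed scheme (modelled): a bounded allocator that hands out the lowest
 * free number and returns it to the pool on detach, the role ida plays in
 * the kernel. Constructed stand-in, not the kernel's ida implementation. */
static uint64_t pll_ids_in_use;  /* bit i set => PLL number i is attached */

static int pll_id_alloc(void)
{
    for (int i = 0; i < DVB_PLL_MAX; i++) {
        if (!(pll_ids_in_use & ((uint64_t)1 << i))) {
            pll_ids_in_use |= (uint64_t)1 << i;
            return i;
        }
    }
    return -1;                    /* pool exhausted: fail the attach cleanly */
}

static void pll_id_free(int id)
{
    if (id >= 0 && id < DVB_PLL_MAX)
        pll_ids_in_use &= ~((uint64_t)1 << id);
}

/* n attach/detach cycles: returns the highest number handed out. Because
 * numbers are reused, this stays 0 no matter how many cycles run. */
static int ida_scheme_max_slot(int n)
{
    int highest = -1;
    pll_ids_in_use = 0;
    for (int i = 0; i < n; i++) {
        int id = pll_id_alloc();
        if (id > highest)
            highest = id;
        pll_id_free(id);
    }
    return highest;
}

/* n devices attached at once, none detached: returns how many attaches
 * succeeded. The 65th is refused rather than indexing past the table. */
static int ida_scheme_simultaneous(int n)
{
    int ok = 0;
    pll_ids_in_use = 0;
    for (int i = 0; i < n; i++)
        if (pll_id_alloc() >= 0)
            ok++;
    return ok;
}

int main(void)
{
    printf("old scheme, 65 cycles: first OOB index = %d\n", old_scheme_first_oob(65));
    printf("ida scheme, 65 cycles: highest number  = %d\n", ida_scheme_max_slot(65));
    printf("ida scheme, 65 at once: attached       = %d\n", ida_scheme_simultaneous(65));
    return 0;
}
```

The first function reproduces the arithmetic behind the report: after 64 attaches the counter is 64, and the 65th attach computes an index equal to the table size. The allocator-based functions show the two properties the fix relies on: detach returns the number to the pool, and exhaustion is reported as an error the caller can handle instead of an out-of-bounds access.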
accessibility
acpi drivers/acpi/scan.c: document why we don't need the device_hotplug_lock 2019-08-03 07:02:01 -07:00
amba Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
android binder: prevent transactions to context manager from its own process. 2019-07-24 11:02:28 +02:00
ata libata: add SG safety checks in SFF pio transfers 2019-08-07 12:23:57 -06:00
atm atm: iphase: Fix Spectre v1 vulnerability 2019-08-02 17:30:36 -07:00
auxdisplay It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
base Driver core fixes for 5.3-rc4 2019-08-10 12:20:02 -07:00
bcma
block loop: set PF_MEMALLOC_NOIO for the worker thread 2019-08-08 10:12:21 -06:00
bluetooth Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
bus ARM: SoC-related driver updates 2019-07-19 17:13:56 -07:00
cdrom
char tpm: tpm_ibm_vtpm: Fix unallocated banks 2019-08-05 00:55:00 +03:00
clk clk: renesas: cpg-mssr: Fix reset control race condition 2019-07-22 15:04:54 -07:00
clocksource RISC-V: Remove per cpu clocksource 2019-08-06 14:37:58 -07:00
connector connector: remove redundant input callback from cn_dev 2019-07-21 13:31:14 -07:00
counter Staging / IIO driver update for 5.3-rc1 2019-07-11 15:36:02 -07:00
cpufreq cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() 2019-07-23 09:49:10 +02:00
cpuidle Merge branch 'pm-cpufreq' 2019-07-18 09:49:30 +02:00
crypto Wimplicit-fallthrough patches for 5.3-rc4 2019-08-10 10:10:33 -07:00
dax Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
dca
devfreq
dio
dma dmaengine updates for v5.3-rc1 2019-07-17 09:55:43 -07:00
dma-buf Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
edac EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec 2019-06-27 10:24:47 -07:00
eisa
extcon
firewire firewire: mark expected switch fall-throughs 2019-07-25 20:09:37 -05:00
firmware Merge branch 'for-linus-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/ibft 2019-07-26 09:43:43 -07:00
fpga fpga-manager: altera-ps-spi: Fix build error 2019-07-24 11:29:41 +02:00
fsi
gnss
gpio gpiolib: Preserve desc->flags when setting state 2019-07-29 00:57:39 +02:00
gpu Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-08-10 15:44:09 -07:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2019-08-06 11:47:23 -07:00
hsi
hv proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
hwmon hwmon: (lm75) Fixup tmp75b clr_mask 2019-08-07 14:50:49 -07:00
hwspinlock hwspinlock: add the 'in_atomic' API 2019-06-29 21:08:14 -07:00
hwtracing coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute 2019-08-01 20:51:34 +02:00
i2c i2c: s3c2410: Mark expected switch fall-through 2019-08-01 22:24:16 +02:00
i3c * Drop support for 10-bit I2C addresses 2019-07-09 09:04:31 -07:00
ide It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
idle
iio First set of IIO fixes in the 5.3 cycle. 2019-07-28 11:07:26 +02:00
infiniband RDMA/hns: Fix error return code in hns_roce_v1_rsv_lp_qp() 2019-08-01 12:53:53 -04:00
input Linux 5.3-rc4 2019-08-12 13:22:54 -03:00
interconnect
iommu virtio, vhost: bugfixes 2019-07-29 11:34:12 -07:00
ipack TTY / Serial driver updates for 5.3-rc1 2019-07-11 15:38:21 -07:00
irqchip irqchip fixes for 5.3 2019-08-01 20:21:00 +02:00
isdn isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack 2019-07-31 08:54:06 -07:00
leds LED updates for 5.3-rc1 2019-07-09 08:59:39 -07:00
lightnvm
macintosh drivers/macintosh/smu.c: Mark expected switch fall-through 2019-07-31 21:44:45 +10:00
mailbox - stm32: race fix by adding a spinlock 2019-07-14 16:36:51 -07:00
mcb
md for-linus-20190809 2019-08-09 09:28:18 -07:00
media media: dvb-frontends: use ida for pll number 2019-08-21 18:39:54 -03:00
memory Kbuild updates for v5.3 (2nd) 2019-07-20 09:34:55 -07:00
memstick MMC core: 2019-07-11 18:11:21 -07:00
message SCSI misc on 20190709 2019-07-11 15:14:01 -07:00
mfd mfd: omap-usb-host: Mark expected switch fall-throughs 2019-08-09 19:46:52 -05:00
misc Char/misc fixes for 5.3-rc4 2019-08-10 12:24:20 -07:00
mmc mmc: cavium: Add the missing dma unmap when the dma has finished. 2019-08-06 18:59:14 +02:00
mtd NAND: 2019-08-04 16:37:08 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-08-06 17:11:59 -07:00
nfc NFC: nfcmrvl: fix gpio-handling regression 2019-08-05 10:25:48 -07:00
ntb NTB/msi: remove incorrect MODULE defines 2019-08-05 15:42:27 -04:00
nubus
nvdimm libnvdimm fixes v5.3-rc2 2019-07-27 08:25:51 -07:00
nvme Revert "nvme-pci: don't create a read hctx mapping without read queues" 2019-07-23 17:47:02 +02:00
nvmem nvmem: Use the same permissions for eeprom as for nvmem 2019-07-30 18:22:20 +02:00
of virtio, vhost: fixes, features, performance 2019-07-17 11:26:09 -07:00
opp pci-v5.3-changes 2019-07-15 20:44:49 -07:00
oprofile vfs: Convert oprofilefs to use the new mount API 2019-07-04 22:01:59 -04:00
parisc
parport It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
pci Revert "PCI: Add missing link delays required by the PCIe spec" 2019-08-07 13:06:42 +02:00
pcmcia pcmcia: db1xxx_ss: Mark expected switch fall-throughs 2019-08-09 19:53:04 -05:00
perf drivers/perf: arm_pmu: Fix failure path in PM notifier 2019-07-29 11:43:48 +01:00
phy phy: for 5.3 2019-07-01 15:04:59 +02:00
pinctrl pinctrl: aspeed: Make aspeed_pinmux_ips static 2019-07-29 23:35:31 +02:00
platform platform/x86: pcengines-apuv2: use KEY_RESTART for front button 2019-07-29 18:24:59 +03:00
pnp docs: driver-api: add a series of orphaned documents 2019-07-15 11:03:02 -03:00
power power supply and reset changes for the v5.3 series 2019-07-15 21:06:15 -07:00
powercap powercap: Invoke powercap_init() and rapl_init() earlier 2019-07-22 11:23:00 +02:00
pps drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl 2019-07-16 19:23:24 -07:00
ps3
ptp
pwm pwm: Fallback to the static lookup-list when acpi_pwm_get fails 2019-08-08 13:17:38 +02:00
rapidio Merge branch 'akpm' (patches from Andrew) 2019-07-17 08:58:04 -07:00
ras
regulator regulator: of: Add of_node_put() before return in function 2019-08-01 14:07:46 +01:00
remoteproc remoteproc updates for v5.3 2019-07-17 11:44:41 -07:00
reset ARM: SoC-related driver updates 2019-07-19 17:13:56 -07:00
rpmsg
rtc RTC for 5.3 2019-07-17 10:03:50 -07:00
s390 Wimplicit-fallthrough patches for 5.3-rc4 2019-08-10 10:10:33 -07:00
sbus
scsi Wimplicit-fallthrough patches for 5.3-rc4 2019-08-10 10:10:33 -07:00
sfi
sh
siox
slimbus
sn
soc Merge branch 'pdf_fixes_v1' of https://git.linuxtv.org/mchehab/experimental into mauro 2019-07-22 13:51:20 -06:00
soundwire soundwire updates for v5.3-rc1 2019-07-05 08:15:08 +02:00
spi spi: Fixes for v5.3 2019-08-05 11:49:02 -07:00
spmi
ssb
staging media: hantro: Enable H264 decoding on rk3288 2019-08-19 14:40:58 -03:00
target scsi: target: cxgbit: add support for IEEE_8021QAZ_APP_SEL_STREAM selector 2019-07-22 17:04:20 -04:00
tc
tee
thermal int340X/processor_thermal_device: Fix proc_thermal_rapl_remove() 2019-07-23 09:36:07 +02:00
thunderbolt Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
tty kgdboc: disable the console lock when in kgdb 2019-07-30 17:39:39 +02:00
uio
usb usb: setup authorized_default attributes using usb_bus_notify 2019-08-08 16:07:34 +02:00
uwb
vfio VFIO updates for v5.3-rc1 2019-07-17 11:23:13 -07:00
vhost vhost: disable metadata prefetch optimization 2019-07-26 07:49:29 -04:00
video video: fbdev: omapfb_main: Mark expected switch fall-throughs 2019-08-09 19:51:52 -05:00
virt
virtio Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
visorbus
vlynq
vme
w1 docs: driver-api: add a series of orphaned documents 2019-07-15 11:03:02 -03:00
watchdog watchdog: riowd: Mark expected switch fall-through 2019-08-09 19:51:01 -05:00
xen xen: fixes for 5.3-rc3 2019-08-02 15:26:48 -07:00
zorro
Kconfig
Makefile