hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux-sg2042/drivers
History
Mauro Carvalho Chehab 8dfbcc4351 [media] xc2028: avoid use after free 
If struct xc2028_config is passed without a firmware name,
the following trouble may happen:

[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G        W      ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------

[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] 	___slab_alloc+0x581/0x5b0
[11009.908014] 	__slab_alloc+0x51/0x90
[11009.908017] 	__kmalloc+0x27b/0x350
[11009.908022] 	xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] 	usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] 	usb_submit_urb+0xb0e/0x1200
[11009.908032] 	usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] 	usb_serial_generic_write+0x92/0xc0
[11009.908039] 	usb_console_write+0x38a/0x560
[11009.908045] 	call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] 	console_unlock+0x40d/0x900
[11009.908056] 	vprintk_emit+0x4b4/0x830
[11009.908061] 	vprintk_default+0x1f/0x30
[11009.908064] 	printk+0x99/0xb5
[11009.908067] 	kasan_report_error+0x10a/0x550
[11009.908070] 	__asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] 	__slab_free+0x2ec/0x460
[11009.908080] 	kfree+0x266/0x280
[11009.908083] 	xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] 	xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] 	em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] 	em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] 	em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] 	em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] 	em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] 	do_one_initcall+0x141/0x300
[11009.908111] 	do_init_module+0x1d0/0x5ad
[11009.908114] 	load_module+0x6666/0x9ba0
[11009.908117] 	SyS_finit_module+0x108/0x130
[11009.908120] 	entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x          (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001

[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00  ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff  ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G    B   W       4.5.0-rc1+ #43
[11009.908140] Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142]  ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148]  ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153]  ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162]  [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165]  [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168]  [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171]  [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182]  [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185]  [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189]  [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192]  [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196]  [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200]  [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203]  [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206]  [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211]  [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215]  [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219]  [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222]  [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226]  [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230]  [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233]  [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238]  [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242]  [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245]  [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249]  [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253]  [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260]  [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264]  [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268]  [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275]  [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278]  [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292]  [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299]  [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302]  [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306]  [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309]  [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314]  [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317]  [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320]  [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324]  [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327]  [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330]  [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346]  [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350]  [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353]  [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356]  [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361]  [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366]  [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369]  [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374]  [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377]  [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379]  [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383]  [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394]  [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398]  ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401]  ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405]                                            ^
[11009.908407]  ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409]  ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================

In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
 		2016-02-01 07:16:18 -02:00
..
accessibility
acpi tree wide: use kvfree() than conditional kfree()/vfree() 2016-01-22 17:02:18 -08:00
amba
android
ata Merge branch 'for-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2016-01-11 19:33:59 -08:00
atm
auxdisplay
base wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
bcma GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
block Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2016-01-24 12:34:13 -08:00
bluetooth Bluetooth: btmrvl: don't send data to firmware while processing suspend 2016-01-06 16:37:14 +01:00
bus ARM: SoC driver updates for v4.5 2016-01-20 18:42:30 -08:00
cdrom cdrom: don't open-code memdup_user() 2016-01-06 08:25:24 -05:00
char Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
clk ARM: DT updates for v4.5 2016-01-20 18:16:29 -08:00
clocksource ARM: SoC cleanups for v4.5 2016-01-20 17:55:20 -08:00
connector
cpufreq powerpc updates for 4.5 2016-01-15 13:18:47 -08:00
cpuidle More power management and ACPI updates for v4.5-rc1 2016-01-20 19:06:49 -08:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-01-22 11:58:43 -08:00
dca
devfreq PM / devfreq: Do not show statistics if it's not ready. 2016-01-13 17:30:33 +09:00
dio
dma dmaengine fixes for 4.5-rc1 2016-01-20 10:15:21 -08:00
dma-buf
edac
eisa
extcon
firewire
firmware UBSAN: run-time undefined behavior sanity checker 2016-01-20 17:09:18 -08:00
fmc
fpga
gpio ARM: SoC multiplatform code changes for v4.5 2016-01-20 18:03:56 -08:00
gpu tree wide: use kvfree() than conditional kfree()/vfree() 2016-01-22 17:02:18 -08:00
hid asm-generic changes for 4.5 2016-01-20 17:30:20 -08:00
hsi HSI: omap_ssi_port: fix handling of_get_named_gpio result 2016-01-07 16:07:54 +01:00
hv char/misc patches for 4.5-rc1 2016-01-13 10:23:36 -08:00
hwmon Merge git://www.linux-watchdog.org/linux-watchdog 2016-01-17 12:15:38 -08:00
hwspinlock
hwtracing
i2c Merge branch 'i2c/for-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2016-01-14 11:25:37 -08:00
ide drivers/ide: make ide-scan-pci.c driver explicitly non-modular 2016-01-18 14:12:33 -05:00
idle
iio Merge branch 'akpm' (patches from Andrew) 2016-01-21 12:32:08 -08:00
infiniband Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-01-22 17:20:30 -08:00
iommu IOMMU Updates for Linux v4.5 2016-01-19 09:35:06 -08:00
ipack
irqchip Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-01-24 12:50:56 -08:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-01-11 23:55:43 -05:00
leds GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
lguest lguest: Map switcher text R/O 2016-01-12 12:17:28 +01:00
lightnvm lightnvm: introduce factory reset 2016-01-12 08:21:18 -07:00
macintosh
mailbox
mcb
md Merge branch 'for-4.5/drivers' of git://git.kernel.dk/linux-block 2016-01-21 18:19:38 -08:00
media [media] xc2028: avoid use after free 2016-02-01 07:16:18 -02:00
memory ARM: SoC driver updates for v4.5 2016-01-20 18:42:30 -08:00
memstick memstick: use sector_div instead of do_div 2016-01-20 17:09:18 -08:00
message
mfd GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
misc Merge branch 'akpm' (patches from Andrew) 2016-01-21 12:32:08 -08:00
mmc MMC core: 2016-01-22 12:04:21 -08:00
mtd Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-01-24 12:50:56 -08:00
net Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
nfc
ntb NTB: Fix macro parameter conflict with field name 2016-01-21 19:53:10 -05:00
nubus
nvdimm mm, dax, pmem: introduce {get|put}_dev_pagemap() for dax-gup 2016-01-15 17:56:32 -08:00
nvme Merge branch 'for-4.5/nvme' of git://git.kernel.dk/linux-block 2016-01-21 19:58:02 -08:00
nvmem
of DeviceTree updates for 4.5: 2016-01-14 11:13:28 -08:00
oprofile wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
parisc parisc: convert to dma_map_ops 2016-01-20 17:09:18 -08:00
parport
pci PCI changes for the v4.5 merge window: 2016-01-21 11:52:16 -08:00
pcmcia
perf
phy
pinctrl GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
platform ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list 2016-01-24 10:15:01 -08:00
pnp
power power: bq27xxx_battery: Fix bq27541 AveragePower register address 2016-01-14 01:03:18 +01:00
powercap Merge branch 'powercap' 2016-01-12 01:12:40 +01:00
pps
ps3
ptp
pwm pwm: Mark all devices as "might sleep" 2016-01-21 15:04:59 +01:00
rapidio rapidio: use kobj_to_dev() 2016-01-20 17:09:18 -08:00
ras
regulator regulator: Update for v4.5 2016-01-15 12:14:47 -08:00
remoteproc virtio: make find_vqs() checkpatch.pl-friendly 2016-01-12 20:47:06 +02:00
reset
rpmsg virtio: make find_vqs() checkpatch.pl-friendly 2016-01-12 20:47:06 +02:00
rtc RTC for 4.5 2016-01-18 12:10:45 -08:00
s390 virtio: barrier rework+fixes 2016-01-18 16:44:24 -08:00
sbus
scsi Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
sfi
sh
sn
soc ARM: SoC support for Tegra platforms for v4.5 2016-01-22 17:30:52 -08:00
spi powerpc updates for 4.5 2016-01-15 13:18:47 -08:00
spmi
ssb
staging [media] staging: media: lirc: space around operator 2016-01-25 15:15:36 -02:00
target Merge branch 'for-4.5/nvme' of git://git.kernel.dk/linux-block 2016-01-21 19:58:02 -08:00
tc
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2016-01-24 12:43:06 -08:00
thunderbolt
tty ARM: SoC driver updates for v4.5 2016-01-20 18:42:30 -08:00
uio
usb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
uwb
vfio
vhost
video wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
virt
virtio virtio: make find_vqs() checkpatch.pl-friendly 2016-01-12 20:47:06 +02:00
vlynq
vme
w1
watchdog watchdog: asm9260: remove __init and __exit annotations 2016-01-11 22:48:05 +01:00
xen virtio: barrier rework+fixes 2016-01-18 16:44:24 -08:00
zorro
Kconfig
Makefile