evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/drivers
History
Bart Van Assche 174be70b63 driver-core: Fix use-after-free triggered by bus_unregister() 
Avoid that bus_unregister() triggers a use-after-free with
CONFIG_DEBUG_KOBJECT_RELEASE=y. This patch avoids that the
following sequence triggers a kernel crash with memory poisoning
enabled:
* bus_register()
* driver_register()
* driver_unregister()
* bus_unregister()

The above sequence causes the bus private data to be freed from
inside the bus_unregister() call although it is not guaranteed in
that function that the reference count on the bus private data has
dropped to zero. As an example, with CONFIG_DEBUG_KOBJECT_RELEASE=y
the ${bus}/drivers kobject is still holding a reference on
bus->p->subsys.kobj via its parent pointer at the time the bus
private data is freed. Fix this by deferring freeing the bus private
data until the last kobject_put() call on bus->p->subsys.kobj.

The kernel oops triggered by the above sequence and with memory
poisoning enabled and that is fixed by this patch is as follows:

general protection fault: 0000 [#1] PREEMPT SMP
CPU: 3 PID: 2711 Comm: kworker/3:32 Tainted: G        W  O 3.13.0-rc4-debug+ #1
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Workqueue: events kobject_delayed_cleanup
task: ffff880037f866d0 ti: ffff88003b638000 task.ti: ffff88003b638000
Call Trace:
 [<ffffffff81263105>] ? kobject_get_path+0x25/0x100
 [<ffffffff81264354>] kobject_uevent_env+0x134/0x600
 [<ffffffff8126482b>] kobject_uevent+0xb/0x10
 [<ffffffff81262fa2>] kobject_delayed_cleanup+0xc2/0x1b0
 [<ffffffff8106c047>] process_one_work+0x217/0x700
 [<ffffffff8106bfdb>] ? process_one_work+0x1ab/0x700
 [<ffffffff8106c64b>] worker_thread+0x11b/0x3a0
 [<ffffffff8106c530>] ? process_one_work+0x700/0x700
 [<ffffffff81074b70>] kthread+0xf0/0x110
 [<ffffffff81074a80>] ? insert_kthread_work+0x80/0x80
 [<ffffffff815673bc>] ret_from_fork+0x7c/0xb0
 [<ffffffff81074a80>] ? insert_kthread_work+0x80/0x80
Code: 89 f8 48 89 e5 f6 82 c0 27 63 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 27 63 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
RIP  [<ffffffff81267ed0>] strlen+0x0/0x30
 RSP <ffff88003b639c70>
---[ end trace 210f883ef80376aa ]---

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Acked-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-01-08 15:36:18 -08:00
..
accessibility
acpi pstore: Don't allow high traffic options on fragile devices 2013-12-20 13:12:01 -08:00
amba
ata SCSI fixes on 20131206 2013-12-06 08:30:18 -08:00
atm atm: idt77252: fix dev refcnt leak 2013-11-19 15:53:02 -05:00
auxdisplay
base driver-core: Fix use-after-free triggered by bus_unregister() 2014-01-08 15:36:18 -08:00
bcma Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2013-11-13 17:40:34 +09:00
block null_blk: mem garbage on NUMA systems during init 2013-12-15 12:17:16 -08:00
bluetooth
bus Merge branch 'for-linus' of git://git.linaro.org/people/rmk/linux-arm 2013-11-14 08:51:29 +09:00
cdrom
char Char/Misc driver fixes for 3.13-rc3 2013-12-08 18:47:25 -08:00
clk mfd: s2mps11: Fix build after regmap field rename in sec-core.c 2013-12-16 11:30:39 +00:00
clocksource clocksource: dw_apb_timer_of: Fix support for dts binding "snps,dw-apb-timer" 2013-12-10 19:49:18 +01:00
connector connector: improved unaligned access error fix 2013-11-14 17:19:20 -05:00
cpufreq cpufreq_ at32ap-cpufreq.c: Fix section mismatch 2013-12-10 08:46:38 +01:00
cpuidle cpuidle: Check for dev before deregistering it. 2013-12-03 22:05:22 +01:00
crypto crypto: talitos - fix aead sglen for case 'dst != src' 2013-11-28 22:25:17 +08:00
dca
devfreq
dio
dma net_dma: mark broken 2013-12-18 12:53:43 -08:00
edac sb_edac: Shut up compiler warning when EDAC_DEBUG is enabled 2013-11-30 12:26:36 +01:00
eisa
extcon extcon: remove freed groups caused the panic or warning in unregister flow 2013-11-26 15:17:23 +09:00
firewire firewire: sbp2: bring back WRITE SAME support 2013-12-15 16:32:32 +01:00
firmware Merge 3.13-rc5 into staging-next 2013-12-24 09:43:21 -08:00
fmc
gpio Merge 3.13-rc5 into staging-next 2013-12-24 09:43:21 -08:00
gpu drm/edid: add quirk for BPC in Samsung NP700G7A-S01PL notebook 2013-12-17 14:18:16 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2013-12-13 13:21:28 -08:00
hsi
hv
hwmon hwmon fixes for 3.13-rc4 2013-12-12 11:05:19 -08:00
hwspinlock
i2c i2c: imx: Check the return value from clk_prepare_enable() 2013-12-12 22:48:22 +01:00
ide More ACPI and power management updates for 3.13-rc1 2013-11-20 13:25:04 -08:00
idle intel_idle: Fixed C6 state on Avoton/Rangeley processors 2013-11-28 14:35:26 +01:00
iio iio:adc:ad7887 Fix channel reported endianness from cpu to big endian 2013-12-17 20:37:14 +00:00
infiniband iser-target: Move INIT_WORK setup into isert_create_device_ib_res 2013-12-19 00:18:43 -08:00
input Input: adxl34x - Fix bug in definition of ADXL346_2D_ORIENT 2013-12-09 22:23:31 -08:00
iommu iommu/arm-smmu: fix error return code in arm_smmu_device_dt_probe() 2013-12-06 16:44:25 +00:00
ipack
irqchip Renesas ARM based SoC fixes for v3.13 2013-12-20 11:28:30 -08:00
isdn net: rework recvmsg handler msg_name and msg_namelen logic 2013-11-20 21:52:30 -05:00
leds leds: pwm: Fix for deferred probe in DT booted mode 2013-12-02 11:53:17 -08:00
lguest
macintosh powerpc/windfarm: Fix XServe G5 fan control Makefile issue 2013-11-27 11:35:47 +11:00
mailbox
md Merge 3.13-rc5 into staging-next 2013-12-24 09:43:21 -08:00
media [media] videobuf2-dma-sg: fix possible memory leak 2013-12-10 05:40:57 -02:00
memory
memstick tree-wide: use reinit_completion instead of INIT_COMPLETION 2013-11-15 09:32:21 +09:00
message drivers/message/i2o/driver.c: add missing destroy_workqueue() on error in i2o_driver_register() 2013-11-13 12:09:26 +09:00
mfd mfd/rtc: s5m: fix register updating by adding regmap for RTC 2013-12-12 18:19:26 -08:00
misc Merge 3.13-rc5 into staging-next 2013-12-24 09:43:21 -08:00
mmc mmc: omap: Fix I2C dependency and make driver usable with device tree 2013-11-26 15:51:16 -08:00
mtd mtd: nand: pxa3xx: Use info->use_dma to release DMA resources 2013-12-12 15:02:04 -08:00
net Merge branch 'fixes-for-3.13' of git://gitorious.org/linux-can/linux-can 2013-12-17 17:21:30 -05:00
nfc
ntb NTB driver bug fixes to address a missed call to pci_enable_msix, 2013-11-26 11:15:12 -08:00
nubus
of Merge branch 'for-linus-dma-masks' of git://git.linaro.org/people/rmk/linux-arm 2013-11-14 07:55:21 +09:00
oprofile
parisc
parport Kconfig cleanups for v3.13 2013-11-15 14:05:15 -08:00
pci Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-12-15 11:56:47 -08:00
pcmcia DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
phy phy: kconfig: add depends on "USB_PHY" to OMAP_USB2 and TWL4030_USB 2013-12-10 12:53:30 -08:00
pinctrl sh-pfc: Fix PINMUX_GPIO macro 2013-12-10 13:12:28 +01:00
platform sony-laptop: do not scribble keyboard backlight registers on resume 2013-11-26 13:03:36 +09:00
pnp PNP: fix restoring devices after hibernation 2013-12-05 02:01:55 +01:00
power Highlights: 2013-11-18 15:35:09 -08:00
powercap PowerCap: Fix mode for energy counter 2013-12-05 02:05:48 +01:00
pps drivers/pps/clients/pps-gpio.c: remove redundant of_match_ptr 2013-11-13 12:09:35 +09:00
ps3
ptp
pwm
rapidio
regulator mfd: s2mps11: Fix build after regmap field rename in sec-core.c 2013-12-16 11:30:39 +00:00
remoteproc
reset
rpmsg
rtc mfd/rtc: s5m: fix register updating by adding regmap for RTC 2013-12-12 18:19:26 -08:00
s390 s390/sclp: replace uninitialized early_event_mask_sccb variable with sccb_early 2013-12-02 15:31:07 +01:00
sbus
scsi qla2xxx: Fix scsi_host leak on qlt_lport_register callback failure 2013-12-19 14:50:17 -08:00
sfi
sh
sn
spi Merge remote-tracking branches 'spi/fix/bcm2835', 'spi/fix/bcm63xx', 'spi/fix/mpc512x-psc', 'spi/fix/mxs', 'spi/fix/pxa2xx', 'spi/fix/qspi', 'spi/fix/rspi' and 'spi/fix/txx9' into spi-linus 2013-11-28 11:31:35 +00:00
ssb
staging imx-drm: imx-drm-core: improve safety of imx_drm_add_crtc() 2013-12-17 17:12:55 -08:00
target target: Remove extra percpu_ref_init 2013-12-19 14:49:54 -08:00
tc
thermal Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-11-19 15:50:47 -08:00
tty tty: xuartps: Properly guard sysrq specific code 2013-12-17 16:02:25 -08:00
uio uio: we cannot mmap unaligned page contents 2013-12-02 11:50:37 -08:00
usb usb: ohci-at91: fix irq and iomem resource retrieval 2013-12-17 13:22:36 -08:00
uwb
vfio
vhost Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2013-11-22 10:52:03 -08:00
video Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2013-12-09 19:21:39 -08:00
virt
virtio Nothing really exciting: some groundwork for changing virtio endian, and 2013-11-15 13:28:47 +09:00
vlynq
vme
w1 drivers/w1/masters/w1-gpio.c: use dev_get_platdata() 2013-11-15 09:32:21 +09:00
watchdog sc1200_wdt: Fix oops 2013-12-10 08:48:15 +01:00
xen Bug-fixes: 2013-12-20 09:34:54 -08:00
zorro
Kconfig ACPI and power management updates for 3.13-rc1 2013-11-14 13:41:48 +09:00
Makefile ACPI and power management updates for 3.13-rc1 2013-11-14 13:41:48 +09:00