evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/drivers
History
Eric Dumazet c532eb1d45 mISDN: fix a race in dev_expire_timer() 
commit bdcc5bc25548ef6b08e2e43937148f907c212292 upstream.

Since mISDN_close() uses dev->pending to iterate over active
timers, there is a chance that one timer got removed from the
->pending list in dev_expire_timer() but that the thread
has not called yet wake_up_interruptible()

So mISDN_close() could miss this and free dev before
completion of at least one dev_expire_timer()

syzbot was able to catch this race :

BUG: KASAN: use-after-free in register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
Write of size 8 at addr ffff88809fc18948 by task syz-executor1/24769

CPU: 1 PID: 24769 Comm: syz-executor1 Not tainted 5.0.0-rc5 #60
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
 register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
 __lock_acquire+0x11f/0x4700 kernel/locking/lockdep.c:3224
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3841
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
 __wake_up_common_lock+0xc7/0x190 kernel/sched/wait.c:120
 __wake_up+0xe/0x10 kernel/sched/wait.c:145
 dev_expire_timer+0xe4/0x3b0 drivers/isdn/mISDN/timerdev.c:174
 call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers kernel/time/timer.c:1681 [inline]
 __run_timers kernel/time/timer.c:1649 [inline]
 run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
 __do_softirq+0x266/0x95a kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x180/0x1d0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 </IRQ>
RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:101
Code: 90 90 90 90 55 48 89 e5 48 8b 75 08 65 48 8b 04 25 40 ee 01 00 65 8b 15 98 12 92 7e 81 e2 00 01 1f 00 75 2b 8b 90 d8 12 00 00 <83> fa 02 75 20 48 8b 88 e0 12 00 00 8b 80 dc 12 00 00 48 8b 11 48
RSP: 0018:ffff8880589b7a60 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: ffff888087ce25c0 RBX: 0000000000000001 RCX: ffffffff818f8ca3
RDX: 0000000000000000 RSI: ffffffff818f8b48 RDI: 0000000000000001
RBP: ffff8880589b7a60 R08: ffff888087ce25c0 R09: ffffed1015d25bd0
R10: ffffed1015d25bcf R11: ffff8880ae92de7b R12: ffffea0001ae4680
R13: ffffea0001ae4688 R14: 0000000000000000 R15: ffffea0001b41648
 PageIdle include/linux/page-flags.h:398 [inline]
 page_is_idle include/linux/page_idle.h:29 [inline]
 mark_page_accessed+0x618/0x1140 mm/swap.c:398
 touch_buffer fs/buffer.c:59 [inline]
 __find_get_block+0x312/0xcc0 fs/buffer.c:1298
 sb_find_get_block include/linux/buffer_head.h:338 [inline]
 recently_deleted fs/ext4/ialloc.c:682 [inline]
 find_inode_bit.isra.0+0x202/0x510 fs/ext4/ialloc.c:722
 __ext4_new_inode+0x14ad/0x52c0 fs/ext4/ialloc.c:914
 ext4_symlink+0x3f8/0xbe0 fs/ext4/namei.c:3096
 vfs_symlink fs/namei.c:4126 [inline]
 vfs_symlink+0x378/0x5d0 fs/namei.c:4112
 do_symlinkat+0x22b/0x290 fs/namei.c:4153
 __do_sys_symlink fs/namei.c:4172 [inline]
 __se_sys_symlink fs/namei.c:4170 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457b67
Code: 0f 1f 00 b8 5c 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 6d bb fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 4d bb fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff045ce0f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000457b67
RDX: 00007fff045ce173 RSI: 00000000004bd63f RDI: 00007fff045ce160
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
R10: 0000000000000075 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000001 R14: 000000000000029b R15: 0000000000000001

Allocated by task 24763:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 mISDN_open+0x9a/0x270 drivers/isdn/mISDN/timerdev.c:59
 misc_open+0x398/0x4c0 drivers/char/misc.c:141
 chrdev_open+0x247/0x6b0 fs/char_dev.c:417
 do_dentry_open+0x47d/0x1130 fs/open.c:771
 vfs_open+0xa0/0xd0 fs/open.c:880
 do_last fs/namei.c:3418 [inline]
 path_openat+0x10d7/0x4690 fs/namei.c:3534
 do_filp_open+0x1a1/0x280 fs/namei.c:3564
 do_sys_open+0x3fe/0x5d0 fs/open.c:1063
 __do_sys_openat fs/open.c:1090 [inline]
 __se_sys_openat fs/open.c:1084 [inline]
 __x64_sys_openat+0x9d/0x100 fs/open.c:1084
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 24762:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 mISDN_close+0x2a1/0x390 drivers/isdn/mISDN/timerdev.c:97
 __fput+0x2df/0x8d0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x14a/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809fc18900
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 72 bytes inside of
 192-byte region [ffff88809fc18900, ffff88809fc189c0)
The buggy address belongs to the page:
page:ffffea00027f0600 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0xffff88809fc18000
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea000269f648 ffffea00029f7408 ffff88812c3f0040
raw: ffff88809fc18000 ffff88809fc18000 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809fc18800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809fc18880: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809fc18900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff88809fc18980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88809fc18a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Karsten Keil <isdn@linux-pingi.de>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:14 +01:00
..
accessibility
acpi ACPI: power: Skip duplicate power resource references in _PRx 2019-01-16 22:16:12 +01:00
amba ARM: amba: Don't read past the end of sysfs "driver_override" buffer 2018-05-02 07:53:42 -07:00
android
ata sata_rcar: fix deferred probing 2019-02-20 10:13:08 +01:00
atm atm: zatm: Fix potential Spectre v1 2018-07-22 14:25:52 +02:00
auxdisplay
base drivers: core: Remove glue dirs from sysfs earlier 2019-02-06 19:43:08 +01:00
bcma
block block/swim3: Fix -EBUSY error when re-opening device after unmount 2019-02-20 10:13:13 +01:00
bluetooth Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" 2018-11-27 16:08:01 +01:00
bus bus: brcmstb_gisb: correct support for 64-bit address output 2018-04-13 19:50:05 +02:00
cdrom gdrom: fix a memory leak bug 2019-02-20 10:13:13 +01:00
char char/mwave: fix potential Spectre v1 vulnerability 2019-02-06 19:43:04 +01:00
clk clk: imx6sl: ensure MMDC CH0 handshake is bypassed 2019-02-20 10:13:08 +01:00
clocksource clockevents/drivers/i8253: Add support for PIT shutdown quirk 2018-11-21 09:27:42 +01:00
connector
cpufreq cpufreq: imx6q: add return value check for voltage scale 2018-12-01 09:46:34 +01:00
cpuidle cpuidle: big.LITTLE: fix refcount leak 2019-02-20 10:13:09 +01:00
crypto crypto: ux500 - Use proper enum in hash_set_dma_transfer 2019-02-20 10:13:12 +01:00
dca
devfreq PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() 2018-11-10 07:41:40 -08:00
dio
dma dmaengine: imx-dma: fix wrong callback invoke 2019-02-20 10:13:16 +01:00
dma-buf
edac EDAC, i7core: Fix memleaks and use-after-free on probe and remove 2018-10-10 08:52:06 +02:00
eisa
extcon
firewire firewire-ohci: work around oversized DMA reads on JMicron controllers 2018-05-30 07:48:52 +02:00
firmware x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls 2019-02-20 10:13:23 +01:00
fmc
fpga
gpio gpio: max7301: fix driver for use with CONFIG_VMAP_STACK 2019-01-13 10:05:27 +01:00
gpu drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user 2019-02-20 10:13:19 +01:00
hid HID: debug: fix the ring buffer implementation 2019-02-20 10:13:19 +01:00
hsi HSI: ssi_protocol: double free in ssip_pn_xmit() 2018-03-24 10:58:42 +01:00
hv Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels 2019-01-13 10:05:27 +01:00
hwmon hwmon: (lm80) Fix missing unlock on error in set_fan_div() 2019-02-23 09:05:13 +01:00
hwspinlock
hwtracing intel_th: msu: Fix an off-by-one in attribute store 2019-01-13 10:05:33 +01:00
i2c i2c-axxia: check for error conditions first 2019-02-20 10:13:09 +01:00
ide ide: pmac: add of_node_put() 2018-12-21 14:09:52 +01:00
idle
iio iio: adc: at91: fix wrong channel number in triggered buffer mode 2018-11-21 09:27:35 +01:00
infiniband mm: replace get_user_pages() write/force parameters with gup_flags 2018-12-17 21:55:16 +01:00
input Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 2019-02-20 10:13:22 +01:00
iommu iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer 2019-02-20 10:13:08 +01:00
ipack
irqchip irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size 2019-02-06 19:43:05 +01:00
isdn mISDN: fix a race in dev_expire_timer() 2019-02-23 09:05:14 +01:00
leds leds: leds-gpio: Fix return value check in create_gpio_led() 2018-12-13 09:21:31 +01:00
lguest
lightnvm
macintosh macintosh/via-pmu: Add missing mmio accessors 2018-09-19 22:48:57 +02:00
mailbox
mcb
md dm thin: fix bug where bio that overwrites thin block ignores FUA 2019-02-20 10:13:23 +01:00
media media: DaVinci-VPBE: fix error handling in vpbe_initialize() 2019-02-20 10:13:07 +01:00
memory memory: tegra: Apply interrupts mask per SoC 2018-08-06 16:24:38 +02:00
memstick memstick: Prevent memstick host from getting runtime suspended during card detection 2019-02-20 10:13:09 +01:00
message scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() 2018-05-30 07:48:58 +02:00
mfd mfd: as3722: Mark PM functions as __maybe_unused 2019-02-23 09:05:14 +01:00
misc misc: vexpress: Off by one in vexpress_syscfg_exec() 2019-02-20 10:13:18 +01:00
mmc mmc: sdhci-iproc: handle mmc_of_parse() errors during probe 2019-02-06 19:43:07 +01:00
mtd mtd: rawnand: gpmi: fix MX28 bus master lockup problem 2019-02-20 10:13:17 +01:00
net net: stmmac: Fix a race in EEE enable callback 2019-02-23 09:05:14 +01:00
nfc NFC: nxp-nci: Include unaligned.h instead of access_ok.h 2019-02-20 10:13:20 +01:00
ntb ntb_transport: Fix bug with max_mw_size parameter 2018-05-30 07:48:55 +02:00
nubus
nvdimm libnvdimm: Hold reference on parent while scheduling async init 2018-11-21 09:27:34 +01:00
nvme nvme-pci: initialize queue memory before interrupts 2018-07-11 16:03:47 +02:00
nvmem
of of: add helper to lookup compatible child node 2018-12-01 09:46:35 +01:00
oprofile
parisc parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode 2018-05-30 07:49:10 +02:00
parport parport: sunbpp: fix error return code 2018-09-26 08:35:09 +02:00
pci PCI: altera: Move retrain from fixup to altera_pcie_host_init() 2019-01-16 22:16:11 +01:00
pcmcia pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges 2018-11-21 09:27:30 +01:00
perf drivers/perf: arm_pmu: handle no platform_device 2018-03-22 09:23:26 +01:00
phy
pinctrl pinctrl: msm: fix gpio-hog related boot issues 2019-02-20 10:13:24 +01:00
platform platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes 2019-02-06 19:43:07 +01:00
pnp
power power: supply: olpc_battery: correct the temperature units 2019-01-13 10:05:34 +01:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2018-04-13 19:50:05 +02:00
pps
ps3
ptp ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl 2019-02-20 10:13:05 +01:00
pwm pwm: tiehrpwm: Fix disabling of output of PWMs 2018-09-09 20:04:35 +02:00
rapidio
ras
regulator regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops 2018-08-06 16:24:35 +02:00
remoteproc
reset
rpmsg
rtc rtc: snvs: Add timeouts to avoid kernel lockups 2018-12-21 14:09:53 +01:00
s390 s390/smp: fix CPU hotplug deadlock with CPU rescan 2019-02-06 19:43:03 +01:00
sbus drivers/sbus/char: add of_node_put() 2018-12-21 14:09:52 +01:00
scsi scsi: lpfc: Correct LCB RJT handling 2019-02-20 10:13:04 +01:00
sfi
sh
sn
soc soc/tegra: Don't leak device tree node reference 2019-02-20 10:13:06 +01:00
spi spi: bcm2835: Unbreak the build of esoteric configs 2019-01-13 10:05:31 +01:00
spmi
ssb
staging staging: iio: ad7780: update voltage on read 2019-02-20 10:13:05 +01:00
target scsi: target: use consistent left-aligned ASCII INQUIRY data 2019-01-26 09:42:53 +01:00
tc TC: Set DMA masks for devices 2018-11-21 09:27:36 +01:00
thermal thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set 2019-02-20 10:13:14 +01:00
thunderbolt thunderbolt: Resume control channel after hibernation image is created 2018-04-24 09:32:07 +02:00
tty tty: serial: samsung: Properly set flags in autoCTS mode 2019-02-20 10:13:10 +01:00
uio uio: Fix an Oops on load 2018-11-27 16:08:02 +01:00
usb usb: dwc2: Remove unnecessary kfree 2019-02-20 10:13:24 +01:00
uwb uwb: hwa-rc: fix memory leak at probe 2018-10-10 08:52:04 +02:00
vfio vfio/pci: Virtualize Maximum Read Request Size 2018-04-24 09:32:09 +02:00
vhost vhost: make sure used idx is seen before log in vhost_add_used_n() 2019-01-13 10:05:28 +01:00
video fbdev: fbcon: Fix unregister crash when more than one framebuffer 2019-02-20 10:13:12 +01:00
virt mm: replace get_user_pages() write/force parameters with gup_flags 2018-12-17 21:55:16 +01:00
virtio virtio_balloon: fix another race between migration and ballooning 2018-08-06 16:24:42 +02:00
vlynq
vme
w1 w1: omap-hdq: fix missing bus unregister at removal 2018-11-21 09:27:35 +01:00
watchdog watchdog: f71808e_wdt: Fix magic close handling 2018-05-30 07:49:03 +02:00
xen xen: xlate_mmu: add missing header to fix 'W=1' warning 2018-12-17 21:55:11 +01:00
zorro zorro: Set up z->dev.dma_mask for the DMA API 2018-05-30 07:49:11 +02:00
Kconfig
Makefile