From: Mike Galbraith <efault@gmx.de>
To: LKML <linux-kernel@vger.kernel.org>
Cc: a.zummo@towertech.it
Subject: [patch take 2] Re: linux-2.6.today: rtc_cmos init oops/panic in rtc_sysfs_remove_device()
Date: Thu, 01 Mar 2007 09:55:06 +0100 [thread overview]
Message-ID: <1172739306.6709.27.camel@Homer.simpson.net> (raw)
In-Reply-To: <1172568305.7009.39.camel@Homer.simpson.net>
On Tue, 2007-02-27 at 10:25 +0100, Mike Galbraith wrote:
> On Sun, 2007-02-25 at 09:32 +0100, Mike Galbraith wrote:
>
> > Fix NULL pointer dereference in cmos_rtc registration failure path.
> >
> > Signed-off-by: Mike Galbraith <efault@gmx.de>
> >
> > diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
> > index 7a0d8ee..9201786 100644
> > --- a/drivers/rtc/class.c
> > +++ b/drivers/rtc/class.c
> > @@ -113,10 +113,10 @@ EXPORT_SYMBOL_GPL(rtc_device_register);
> > */
> > void rtc_device_unregister(struct rtc_device *rtc)
> > {
> > + class_device_unregister(&rtc->class_dev);
> > mutex_lock(&rtc->ops_lock);
> > rtc->ops = NULL;
> > mutex_unlock(&rtc->ops_lock);
> > - class_device_unregister(&rtc->class_dev);
> > }
> > EXPORT_SYMBOL_GPL(rtc_device_unregister);
>
> However, re-enabling CONFIG_DEBUG_SLAB which somehow got disabled
> emitted the below.
>
> [ 36.765977] rtc_cmos 00:03: rtc intf: sysfs
> [ 36.779301] rtc_cmos 00:03: rtc intf: proc
> [ 36.792557] rtc_cmos 00:03: rtc intf: dev (239:0)
> [ 36.806139] rtc_cmos 00:03: rtc core: registered rtc_cmos as rtc0
> [ 36.821017] rtc_cmos 00:03: i/o registers already in use
> [ 36.834992] rtc_cmos 00:03: removing char 239:0
> [ 36.848268] pnp: Device 00:03 does not support disabling.
> [ 36.862282] rtc_cmos: probe of 00:03 failed with error -16
> [ 36.876394] md: linear personality registered for level -1
> [ 36.890508] md: raid0 personality registered for level 0
> [ 36.904563] md: raid1 personality registered for level 1
> [ 36.918454] md: raid10 personality registered for level 10
> [ 36.949187] raid6: int32x1 722 MB/s
> [ 36.978092] raid6: int32x2 800 MB/s
> [ 37.006101] raid6: int32x4 917 MB/s
> [ 37.034047] raid6: int32x8 671 MB/s
> [ 37.062030] raid6: mmxx1 2371 MB/s
> [ 37.090000] raid6: mmxx2 3066 MB/s
> [ 37.118001] raid6: sse1x1 1449 MB/s
> [ 37.145964] raid6: sse1x2 2699 MB/s
> [ 37.172947] raid6: sse2x1 2222 MB/s
> [ 37.199912] raid6: sse2x2 3375 MB/s
> [ 37.210371] raid6: using algorithm sse2x2 (3375 MB/s)
> [ 37.222143] md: raid6 personality registered for level 6
> [ 37.234127] md: raid5 personality registered for level 5
> [ 37.245889] md: raid4 personality registered for level 4
> [ 37.257313] raid5: automatically using best checksumming function: pIII_sse
> [ 37.274853] pIII_sse : 3812.000 MB/sec
> [ 37.284947] raid5: using function: pIII_sse (3812.000 MB/sec)
> [ 37.296648] md: multipath personality registered for level -4
> [ 37.308377] Slab corruption: start=dfede248, len=512
> [ 37.319200] Redzone: 0x5a2cf071/0x5a2cf071.
> [ 37.329211] Last user: [<c03c8ab2>](rtc_device_release+0x31/0x34)
> [ 37.341274] 0b0: 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b
> [ 37.353894] Prev obj: start=dfede03c, len=512
> [ 37.364285] Redzone: 0x5a2cf071/0x5a2cf071.
> [ 37.374409] Last user: [<c0408643>](skb_release_data+0x57/0x79)
> [ 37.386402] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> [ 37.399116] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> [ 37.411788] Next obj: start=dfede454, len=512
> [ 37.422309] Redzone: 0x170fc2a5/0x170fc2a5.
> [ 37.432642] Last user: [<c0350168>](device_create+0x2b/0xa3)
> [ 37.444670] 000: 01 00 00 00 00 00 00 00 5c e4 ed df 5c e4 ed df
> [ 37.457532] 010: 73 f2 34 c0 ff f0 34 c0 00 00 00 00 00 00 00 00
> [ 37.470429] device-mapper: ioctl: 4.11.0-ioctl (2006-10-12) initialised: dm-devel@redhat.com
Dummy here created a use after free.
Fix NULL pointer dereference in cmos_rtc registration failure path.
Since we're freeing rtc in rtc_device_release(), there should be no need
to NULL rtc->ops. Anybody who has a reference to the freed rtc after
device release, and uses it, will hopefully explode violently.
Signed-off-by: Mike Galbraith <efault@gmx.de>
diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c
index 7a0d8ee..d338fb8 100644
--- a/drivers/rtc/class.c
+++ b/drivers/rtc/class.c
@@ -113,9 +113,6 @@ EXPORT_SYMBOL_GPL(rtc_device_register);
*/
void rtc_device_unregister(struct rtc_device *rtc)
{
- mutex_lock(&rtc->ops_lock);
- rtc->ops = NULL;
- mutex_unlock(&rtc->ops_lock);
class_device_unregister(&rtc->class_dev);
}
EXPORT_SYMBOL_GPL(rtc_device_unregister);
next prev parent reply other threads:[~2007-03-01 8:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-20 10:26 linux-2.6.today: rtc_cmos init oops/panic in rtc_sysfs_remove_device() Mike Galbraith
2007-02-25 8:31 ` [patch] " Mike Galbraith
2007-02-27 9:25 ` Mike Galbraith
2007-03-01 8:55 ` Mike Galbraith [this message]
2007-03-02 2:09 ` [patch take 2] " Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1172739306.6709.27.camel@Homer.simpson.net \
--to=efault@gmx.de \
--cc=a.zummo@towertech.it \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.