From: Sodagudi Prasad
To: ming.lei@canonical.com, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org
Date: Tue, 03 Jan 2017 06:44:03 -0800
Subject: Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head
Message-ID: <51ff19ddfe540f7b1886e4b1025ac391@codeaurora.org>

Hi All,

The device has crashed due to a memory access after free while the pending_fw_head list was being accessed. The kernel 4.4 stable version is used to reproduce this use after free.
------------------------------------------------------------------------------------------
[ 9031.178428] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
[ 9031.178508] pgd = ffffffc0de9d2000
[ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000, *pud=0000000000000000
[ 9031.253045] ------------[ cut here ]------------
[ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info unavailable]
[ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
[ 9031.263539] Modules linked in:
[ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G W L 4.4.16+ #1
[ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti: ffffffc0d1a2c000
[ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
[ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
[ 9031.511559] [] fw_pm_notify+0x84/0x19c
[ 9031.519355] [] notifier_call_chain+0x58/0x8c
[ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
[ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
[ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
[ 9031.543662] [] pm_suspend+0x278/0x674
[ 9031.549906] [] state_store+0x58/0x90
[ 9031.554942] [] kobj_attr_store+0x18/0x28
[ 9031.560154] [] sysfs_kf_write+0x5c/0x68
[ 9031.565620] [] kernfs_fop_write+0x114/0x16c
[ 9031.571092] [] __vfs_write+0x48/0xf0
[ 9031.576816] [] vfs_write+0xb8/0x150
[ 9031.581848] [] SyS_write+0x58/0x94
[ 9031.586973] [] el0_svc_naked+0x24/0x28
-----------------------------------------------------------------------------------------------

A kernel panic is observed during the device suspend/resume path in kill_requests_without_uevent(), called from fw_pm_notify(). When the pending_list of a firmware_buf is accessed, the 0x6b (free pattern) pattern is observed. Based on this, the firmware_buf is freed even though it is still part of the pending_fw_head list.
{code snippet}
static void kill_requests_without_uevent(void)
{
	struct firmware_buf *buf;
	struct firmware_buf *next;

	mutex_lock(&fw_lock);
	list_for_each_entry_safe(buf, next, &pending_fw_head, pending_list) {
		if (!buf->need_uevent)
			__fw_load_abort(buf);
	}
	mutex_unlock(&fw_lock);
}
#endif
{code}

-Thanks,
Prasad

--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, Linux Foundation Collaborative Project
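The list-lifetime rule that the oops above points at, as an added example that is neither Prasad's nor the kernel's code: a constructed, single-threaded user-space model (fw_lock omitted) of pending_fw_head with a safe-iterating kill_requests_without_uevent() and a release path that unlinks a buffer before freeing it, which is exactly the invariant the crash shows being violated. The list helpers, fw_buf_new(), pending_count() and fw_buf_release() are stand-ins for the kernel's own, not copies of it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Constructed user-space stand-ins for the kernel's list_head and firmware_buf. */
struct list_node { struct list_node *next, *prev; };
struct fw_buf { struct list_node pending_list; bool need_uevent; bool aborted; };
static struct list_node pending_fw_head = { &pending_fw_head, &pending_fw_head };
static bool list_empty(const struct list_node *n) { return n->next == n; }
static void list_add(struct list_node *n, struct list_node *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
/* Unlink, then point the node at itself so list_empty() reports "not linked". */
static void list_del_init(struct list_node *n) {
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = n;
}
static int pending_count(void) {
    int c = 0;
    for (struct list_node *n = pending_fw_head.next; n != &pending_fw_head; n = n->next) c++;
    return c;
}
/* Allocate a request and queue it on pending_fw_head. */
static struct fw_buf *fw_buf_new(bool need_uevent) {
    struct fw_buf *buf = calloc(1, sizeof *buf);
    if (!buf) return NULL;
    buf->need_uevent = need_uevent;
    list_add(&buf->pending_list, &pending_fw_head);
    return buf;
}
/* Model of kill_requests_without_uevent(): the safe walk caches `nx` before
 * each body, so unlinking the current entry cannot derail the iteration. */
static int kill_requests_without_uevent(void) {
    int killed = 0;
    for (struct list_node *n = pending_fw_head.next, *nx = n->next;
         n != &pending_fw_head; n = nx, nx = n->next) {
        struct fw_buf *buf = (struct fw_buf *)((char *)n - offsetof(struct fw_buf, pending_list));
        if (!buf->need_uevent) { buf->aborted = true; list_del_init(n); killed++; }
    }
    return killed;
}
/* Release path that keeps the invariant the oops violates: unlink from pending_fw_head
 * BEFORE freeing, so no later walk can reach freed memory. Returns whether the buf was
 * still pending at release time, i.e. whether a free without this unlink would dangle. */
static bool fw_buf_release(struct fw_buf *buf) {
    bool was_pending = !list_empty(&buf->pending_list);
    if (was_pending) list_del_init(&buf->pending_list);
    memset(buf, 0x6b, sizeof *buf); /* mimic the slab poison seen in the oops */
    free(buf);
    return was_pending;
}
```

In the kernel the unlink and the walk must both happen under fw_lock; the model drops the lock only to stay short.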