From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
	"Hans Verkuil" <hverkuil-cisco@xs4all.nl>,
	"Mauro Carvalho Chehab" <mchehab+samsung@kernel.org>,
	"YueHaibing" <yuehaibing@huawei.com>,
	"Hulk Robot" <hulkci@huawei.com>
Subject: [PATCH 3.16 60/63] media: cpia2: Fix use-after-free in cpia2_exit
Date: Wed, 08 Jan 2020 19:43:58 +0000
Message-ID: <lsq.1578512578.733548525@decadent.org.uk>
In-Reply-To: <lsq.1578512578.117275639@decadent.org.uk>

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.

Syzkaller report this:

BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363

CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
 sysfs_remove_file include/linux/sysfs.h:519 [inline]
 driver_remove_file+0x40/0x50 drivers/base/driver.c:122
 usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
 usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
 cpia2_exit+0xa/0x16 [cpia2]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff

Allocated by task 8363:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
 driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
 usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
 0xffffffffc1b4817c
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8363:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1430 [inline]
 slab_free_freelist_hook mm/slub.c:1457 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xe1/0x270 mm/slub.c:3957
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
 driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
 usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
 0xffffffffc1b4817c
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881f59a6b40
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
The buggy address belongs to the page:
page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                             ^
 ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc

cpia2_init does not check the return value of cpia2_init; if it fails
in usb_register_driver, there is already cleanup using driver_unregister.
There is no need to call cpia2_usb_cleanup on module exit.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/cpia2/cpia2_v4l.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/usb/cpia2/cpia2_v4l.c
+++ b/drivers/media/usb/cpia2/cpia2_v4l.c
@@ -1249,8 +1249,7 @@ static int __init cpia2_init(void)
 	LOG("%s v%s\n",
 	    ABOUT, CPIA_VERSION);
 	check_parameters();
-	cpia2_usb_init();
-	return 0;
+	return cpia2_usb_init();
 }
 
 
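Review bot: the hunk fixes the problem indirectly rather than in the place the message names: the commit text says there is "no need to call cpia2_usb_cleanup on module exit", yet cpia2_exit is not touched here. What the change does is make cpia2_init return cpia2_usb_init()'s error, so that when usb_register_driver fails the module load itself fails and cpia2_exit never runs against the driver state that driver_unregister already released (the "Freed by" trace above). Suggest stating that in the message so the next reader does not look for a missing cpia2_exit change. Also confirm that the 3.16 tree's cpia2_usb_init() is declared to return int (the usb_register() result), since `return cpia2_usb_init();` now depends on it and that declaration is not in this diff.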


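To make the failure path described in the commit message concrete, here is an added C model (not code from the kernel or from this patch) of the insmod/rmmod lifecycle: a registration that fails and cleans itself up, an init that discards that result, and the fixed init that propagates it. The fake_usb_* functions, module_cycle and the g_* globals are hypothetical stand-ins for the kernel's driver core.

```c
#include <stdbool.h>
/* Model of the module-lifecycle rule the fix relies on: when module_init
 * returns non-zero the module is not loaded and module_exit never runs.
 * The registry stands in for usb_register_driver(); names are hypothetical. */
struct fake_usb_driver {
    bool registered;   /* set by a successful registration */
    bool priv_freed;   /* bus_add_driver()'s allocation released on failure */
};
static bool g_register_should_fail;  /* fault injection for the demo */
static int g_stale_deregisters;      /* deregisters of released driver state */

static int fake_usb_register(struct fake_usb_driver *d)
{
    if (g_register_should_fail) {
        /* usb_register_driver() already runs driver_unregister() on this
         * path, freeing the private data (the "Freed by" trace above). */
        d->priv_freed = true;
        return -22;   /* constructed error value, stands for -EINVAL */
    }
    d->registered = true;
    return 0;
}

static void fake_usb_deregister(struct fake_usb_driver *d)
{
    /* The access KASAN flagged: touching state bus_remove_driver() freed. */
    if (!d->registered && d->priv_freed)
        g_stale_deregisters++;
    d->registered = false;
}

static struct fake_usb_driver cpia2_driver;
/* Before the fix: the registration result is discarded. */
static int cpia2_init_buggy(void) { fake_usb_register(&cpia2_driver); return 0; }
/* After the fix: the registration error reaches the module loader. */
static int cpia2_init_fixed(void) { return fake_usb_register(&cpia2_driver); }
static void cpia2_exit(void) { fake_usb_deregister(&cpia2_driver); }

/* One insmod/rmmod cycle; returns how many deregister calls hit released
 * driver state (0 is the safe outcome). */
int module_cycle(int (*init)(void), bool register_fails)
{
    cpia2_driver = (struct fake_usb_driver){0};
    g_register_should_fail = register_fails;
    g_stale_deregisters = 0;
    if (init() != 0)
        return g_stale_deregisters;   /* load failed: exit never runs */
    cpia2_exit();                     /* rmmod calls module_exit */
    return g_stale_deregisters;
}
```

With the buggy init and a failing registration the exit path touches released driver state once; with the fixed init the load fails and the exit path is never reached.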