From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Sasha Levin <sashal@kernel.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Venkata Narendra Kumar Gutta <vnkgutta@codeaurora.org>
Subject: Re: [PATCH AUTOSEL 4.19 10/37] driver core: platform: Fix the usage of platform device name(pdev->name)
Date: Sat, 26 Oct 2019 03:44:45 -0400 [thread overview]
Message-ID: <20191026074445.GA553664@kroah.com> (raw)
In-Reply-To: <20191025135603.25093-10-sashal@kernel.org>
On Fri, Oct 25, 2019 at 09:55:34AM -0400, Sasha Levin wrote:
> From: Venkata Narendra Kumar Gutta <vnkgutta@codeaurora.org>
>
> [ Upstream commit edb16da34b084c66763f29bee42b4e6bb33c3d66 ]
>
> Platform core is using pdev->name as the platform device name to do
> the binding of the devices with the drivers. But, when the platform
> driver overrides the platform device name with dev_set_name(),
> the pdev->name is pointing to a location which is freed and becomes
> an invalid parameter to do the binding match.
>
> use-after-free instance:
>
> [ 33.325013] BUG: KASAN: use-after-free in strcmp+0x8c/0xb0
> [ 33.330646] Read of size 1 at addr ffffffc10beae600 by task modprobe
> [ 33.339068] CPU: 5 PID: 518 Comm: modprobe Tainted:
> G S W O 4.19.30+ #3
> [ 33.346835] Hardware name: MTP (DT)
> [ 33.350419] Call trace:
> [ 33.352941] dump_backtrace+0x0/0x3b8
> [ 33.356713] show_stack+0x24/0x30
> [ 33.360119] dump_stack+0x160/0x1d8
> [ 33.363709] print_address_description+0x84/0x2e0
> [ 33.368549] kasan_report+0x26c/0x2d0
> [ 33.372322] __asan_report_load1_noabort+0x2c/0x38
> [ 33.377248] strcmp+0x8c/0xb0
> [ 33.380306] platform_match+0x70/0x1f8
> [ 33.384168] __driver_attach+0x78/0x3a0
> [ 33.388111] bus_for_each_dev+0x13c/0x1b8
> [ 33.392237] driver_attach+0x4c/0x58
> [ 33.395910] bus_add_driver+0x350/0x560
> [ 33.399854] driver_register+0x23c/0x328
> [ 33.403886] __platform_driver_register+0xd0/0xe0
>
> So, use dev_name(&pdev->dev), which fetches the platform device name from
> the kobject(dev->kobj->name) of the device instead of the pdev->name.
>
> Signed-off-by: Venkata Narendra Kumar Gutta <vnkgutta@codeaurora.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/base/platform.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
We had to revert this patch in commit 391c0325cc5f ("Revert "driver
core: platform: Fix the usage of platform device name(pdev->name)"")
so please do not backport it to any stable kernels.
thanks,
greg k-h
next prev parent reply other threads:[~2019-10-26 7:45 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 13:55 [PATCH AUTOSEL 4.19 01/37] PCI/ASPM: Do not initialize link state when aspm_disabled is set Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 02/37] HID: i2c-hid: Add Odys Winbook 13 to descriptor override Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 03/37] ACPI: video: Use vendor backlight on Sony VPCEH3U1E Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 04/37] rseq/selftests: x86: Work-around bogus gcc-8 optimisation Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 05/37] f2fs: fix to do sanity check on valid node/block count Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 06/37] ALSA: hda: Fix race between creating and refreshing sysfs entries Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 07/37] Fixed https://bugzilla.kernel.org/show_bug.cgi?id=202935 allow write on the same file Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 08/37] nvme-pci: fix conflicting p2p resource adds Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 09/37] scsi: qedf: Do not retry ELS request if qedf_alloc_cmd fails Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 10/37] driver core: platform: Fix the usage of platform device name(pdev->name) Sasha Levin
2019-10-26 7:44 ` Greg Kroah-Hartman [this message]
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 11/37] KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 12/37] drm/amdgpu/display: Fix reload driver error Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 13/37] powerpc/pseries/hvconsole: Fix stack overread via udbg Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 14/37] scsi: RDMA/srp: Fix a sleep-in-invalid-context bug Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 15/37] scsi: bnx2fc: Only put reference to io_req in bnx2fc_abts_cleanup if cleanup times out Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 16/37] xfrm interface: fix memory leak on creation Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 17/37] drm/msm: stop abusing dma_map/unmap for cache Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 18/37] drm/msm: Use the correct dma_sync calls in msm_gem Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 19/37] net: ipv6: fix listify ip6_rcv_finish in case of forwarding Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 20/37] sch_netem: fix rcu splat in netem_enqueue() Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 21/37] rxrpc: Fix call ref leak Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 22/37] rxrpc: Fix trace-after-put looking at the put peer record Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 23/37] rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 24/37] llc: fix sk_buff leak in llc_sap_state_process() Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 25/37] llc: fix sk_buff leak in llc_conn_service() Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 26/37] NFC: pn533: fix use-after-free and memleaks Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 27/37] bonding: fix potential NULL deref in bond_update_slave_arr Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 28/37] net: usb: sr9800: fix uninitialized local variable Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 29/37] jbd2: flush_descriptor(): Do not decrease buffer head's ref count Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 30/37] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 31/37] Btrfs: fix hang when loading existing inode cache off disk Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 32/37] Btrfs: fix inode cache block reserve leak on failure to allocate data space Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 33/37] ubi: ubi_wl_get_peb: Increase the number of attempts while getting PEB Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 34/37] RDMA/iwcm: Fix a lock inversion issue Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 35/37] ipv6: Handle race in addrconf_dad_work Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.19 36/37] bdi: Do not use freezable workqueue Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.19 37/37] ALSA: hda: Add codec on bus address table lately Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191026074445.GA553664@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=vnkgutta@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).