* [PATCH v1] hwmon: Fix double-free in __hwmon_device_register()
@ 2018-10-24 19:37 Dmitry Osipenko
2018-10-25 0:15 ` linux
0 siblings, 1 reply; 3+ messages in thread
From: Dmitry Osipenko @ 2018-10-24 19:37 UTC (permalink / raw)
To: Jean Delvare, Guenter Roeck; +Cc: Linus Walleij, linux-hwmon, linux-kernel
Fix double-free that happens when thermal zone setup fails, see KASAN log
below.
==================================================================
BUG: KASAN: double-free or invalid-free in __hwmon_device_register+0x5dc/0xa7c
CPU: 0 PID: 132 Comm: kworker/0:2 Tainted: G B 4.19.0-rc8-next-20181016-00042-gb52cd80401e9-dirty #41
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
Workqueue: events deferred_probe_work_func
Backtrace:
[<c0110540>] (dump_backtrace) from [<c0110944>] (show_stack+0x20/0x24)
[<c0110924>] (show_stack) from [<c105cb08>] (dump_stack+0x9c/0xb0)
[<c105ca6c>] (dump_stack) from [<c02fdaec>] (print_address_description+0x68/0x250)
[<c02fda84>] (print_address_description) from [<c02fd4ac>] (kasan_report_invalid_free+0x68/0x88)
[<c02fd444>] (kasan_report_invalid_free) from [<c02fc85c>] (__kasan_slab_free+0x1f4/0x200)
[<c02fc668>] (__kasan_slab_free) from [<c02fd0c0>] (kasan_slab_free+0x14/0x18)
[<c02fd0ac>] (kasan_slab_free) from [<c02f9c6c>] (kfree+0x90/0x294)
[<c02f9bdc>] (kfree) from [<c0b41bbc>] (__hwmon_device_register+0x5dc/0xa7c)
[<c0b415e0>] (__hwmon_device_register) from [<c0b421e8>] (hwmon_device_register_with_info+0xa0/0xa8)
[<c0b42148>] (hwmon_device_register_with_info) from [<c0b42324>] (devm_hwmon_device_register_with_info+0x74/0xb4)
[<c0b422b0>] (devm_hwmon_device_register_with_info) from [<c0b4481c>] (lm90_probe+0x414/0x578)
[<c0b44408>] (lm90_probe) from [<c0aeeff4>] (i2c_device_probe+0x35c/0x384)
[<c0aeec98>] (i2c_device_probe) from [<c08776cc>] (really_probe+0x290/0x3e4)
[<c087743c>] (really_probe) from [<c0877a2c>] (driver_probe_device+0x80/0x1c4)
[<c08779ac>] (driver_probe_device) from [<c0877da8>] (__device_attach_driver+0x104/0x11c)
[<c0877ca4>] (__device_attach_driver) from [<c0874dd8>] (bus_for_each_drv+0xa4/0xc8)
[<c0874d34>] (bus_for_each_drv) from [<c08773b0>] (__device_attach+0xf0/0x15c)
[<c08772c0>] (__device_attach) from [<c0877e24>] (device_initial_probe+0x1c/0x20)
[<c0877e08>] (device_initial_probe) from [<c08762f4>] (bus_probe_device+0xdc/0xec)
[<c0876218>] (bus_probe_device) from [<c0876a08>] (deferred_probe_work_func+0xa8/0xd4)
[<c0876960>] (deferred_probe_work_func) from [<c01527c4>] (process_one_work+0x3dc/0x96c)
[<c01523e8>] (process_one_work) from [<c01541e0>] (worker_thread+0x4ec/0x8bc)
[<c0153cf4>] (worker_thread) from [<c015b238>] (kthread+0x230/0x240)
[<c015b008>] (kthread) from [<c01010bc>] (ret_from_fork+0x14/0x38)
Exception stack(0xcf743fb0 to 0xcf743ff8)
3fa0: 00000000 00000000 00000000 00000000
3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
Allocated by task 132:
kasan_kmalloc.part.1+0x58/0xf4
kasan_kmalloc+0x90/0xa4
kmem_cache_alloc_trace+0x90/0x2a0
__hwmon_device_register+0xbc/0xa7c
hwmon_device_register_with_info+0xa0/0xa8
devm_hwmon_device_register_with_info+0x74/0xb4
lm90_probe+0x414/0x578
i2c_device_probe+0x35c/0x384
really_probe+0x290/0x3e4
driver_probe_device+0x80/0x1c4
__device_attach_driver+0x104/0x11c
bus_for_each_drv+0xa4/0xc8
__device_attach+0xf0/0x15c
device_initial_probe+0x1c/0x20
bus_probe_device+0xdc/0xec
deferred_probe_work_func+0xa8/0xd4
process_one_work+0x3dc/0x96c
worker_thread+0x4ec/0x8bc
kthread+0x230/0x240
ret_from_fork+0x14/0x38
(null)
Freed by task 132:
__kasan_slab_free+0x12c/0x200
kasan_slab_free+0x14/0x18
kfree+0x90/0x294
hwmon_dev_release+0x1c/0x20
device_release+0x4c/0xe8
kobject_put+0xac/0x11c
device_unregister+0x2c/0x30
__hwmon_device_register+0xa58/0xa7c
hwmon_device_register_with_info+0xa0/0xa8
devm_hwmon_device_register_with_info+0x74/0xb4
lm90_probe+0x414/0x578
i2c_device_probe+0x35c/0x384
really_probe+0x290/0x3e4
driver_probe_device+0x80/0x1c4
__device_attach_driver+0x104/0x11c
bus_for_each_drv+0xa4/0xc8
__device_attach+0xf0/0x15c
device_initial_probe+0x1c/0x20
bus_probe_device+0xdc/0xec
deferred_probe_work_func+0xa8/0xd4
process_one_work+0x3dc/0x96c
worker_thread+0x4ec/0x8bc
kthread+0x230/0x240
ret_from_fork+0x14/0x38
(null)
Cc: <stable@vger.kernel.org> # v4.15+
Fixes: 47c332deb8e8 ("hwmon: Deal with errors from the thermal subsystem")
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
---
drivers/hwmon/hwmon.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
index 975c95169884..84f61cec6319 100644
--- a/drivers/hwmon/hwmon.c
+++ b/drivers/hwmon/hwmon.c
@@ -649,8 +649,10 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
if (info[i]->config[j] & HWMON_T_INPUT) {
err = hwmon_thermal_add_sensor(dev,
hwdev, j);
- if (err)
- goto free_device;
+ if (err) {
+ device_unregister(hdev);
+ goto ida_remove;
+ }
}
}
}
@@ -658,8 +660,6 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
return hdev;
-free_device:
- device_unregister(hdev);
free_hwmon:
kfree(hwdev);
ida_remove:
--
2.19.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v1] hwmon: Fix double-free in __hwmon_device_register()
2018-10-24 19:37 [PATCH v1] hwmon: Fix double-free in __hwmon_device_register() Dmitry Osipenko
@ 2018-10-25 0:15 ` linux
2018-10-25 18:22 ` Dmitry Osipenko
0 siblings, 1 reply; 3+ messages in thread
From: linux @ 2018-10-25 0:15 UTC (permalink / raw)
To: Dmitry Osipenko; +Cc: Jean Delvare, Linus Walleij, linux-hwmon, linux-kernel
Quoting Dmitry Osipenko <digetx@gmail.com>:
> Fix double-free that happens when thermal zone setup fails, see KASAN log
> below.
>
Good catch. I'll apply this as soon as I manage to convince AT&T to restore
my internet service.
Thanks,
Guenter
> ==================================================================
> BUG: KASAN: double-free or invalid-free in
> __hwmon_device_register+0x5dc/0xa7c
>
> CPU: 0 PID: 132 Comm: kworker/0:2 Tainted: G B
> 4.19.0-rc8-next-20181016-00042-gb52cd80401e9-dirty #41
> Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
> Workqueue: events deferred_probe_work_func
> Backtrace:
> [<c0110540>] (dump_backtrace) from [<c0110944>] (show_stack+0x20/0x24)
> [<c0110924>] (show_stack) from [<c105cb08>] (dump_stack+0x9c/0xb0)
> [<c105ca6c>] (dump_stack) from [<c02fdaec>]
> (print_address_description+0x68/0x250)
> [<c02fda84>] (print_address_description) from [<c02fd4ac>]
> (kasan_report_invalid_free+0x68/0x88)
> [<c02fd444>] (kasan_report_invalid_free) from [<c02fc85c>]
> (__kasan_slab_free+0x1f4/0x200)
> [<c02fc668>] (__kasan_slab_free) from [<c02fd0c0>]
> (kasan_slab_free+0x14/0x18)
> [<c02fd0ac>] (kasan_slab_free) from [<c02f9c6c>] (kfree+0x90/0x294)
> [<c02f9bdc>] (kfree) from [<c0b41bbc>] (__hwmon_device_register+0x5dc/0xa7c)
> [<c0b415e0>] (__hwmon_device_register) from [<c0b421e8>]
> (hwmon_device_register_with_info+0xa0/0xa8)
> [<c0b42148>] (hwmon_device_register_with_info) from [<c0b42324>]
> (devm_hwmon_device_register_with_info+0x74/0xb4)
> [<c0b422b0>] (devm_hwmon_device_register_with_info) from
> [<c0b4481c>] (lm90_probe+0x414/0x578)
> [<c0b44408>] (lm90_probe) from [<c0aeeff4>] (i2c_device_probe+0x35c/0x384)
> [<c0aeec98>] (i2c_device_probe) from [<c08776cc>] (really_probe+0x290/0x3e4)
> [<c087743c>] (really_probe) from [<c0877a2c>]
> (driver_probe_device+0x80/0x1c4)
> [<c08779ac>] (driver_probe_device) from [<c0877da8>]
> (__device_attach_driver+0x104/0x11c)
> [<c0877ca4>] (__device_attach_driver) from [<c0874dd8>]
> (bus_for_each_drv+0xa4/0xc8)
> [<c0874d34>] (bus_for_each_drv) from [<c08773b0>]
> (__device_attach+0xf0/0x15c)
> [<c08772c0>] (__device_attach) from [<c0877e24>]
> (device_initial_probe+0x1c/0x20)
> [<c0877e08>] (device_initial_probe) from [<c08762f4>]
> (bus_probe_device+0xdc/0xec)
> [<c0876218>] (bus_probe_device) from [<c0876a08>]
> (deferred_probe_work_func+0xa8/0xd4)
> [<c0876960>] (deferred_probe_work_func) from [<c01527c4>]
> (process_one_work+0x3dc/0x96c)
> [<c01523e8>] (process_one_work) from [<c01541e0>] (worker_thread+0x4ec/0x8bc)
> [<c0153cf4>] (worker_thread) from [<c015b238>] (kthread+0x230/0x240)
> [<c015b008>] (kthread) from [<c01010bc>] (ret_from_fork+0x14/0x38)
> Exception stack(0xcf743fb0 to 0xcf743ff8)
> 3fa0: 00000000 00000000 00000000 00000000
> 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
>
> Allocated by task 132:
> kasan_kmalloc.part.1+0x58/0xf4
> kasan_kmalloc+0x90/0xa4
> kmem_cache_alloc_trace+0x90/0x2a0
> __hwmon_device_register+0xbc/0xa7c
> hwmon_device_register_with_info+0xa0/0xa8
> devm_hwmon_device_register_with_info+0x74/0xb4
> lm90_probe+0x414/0x578
> i2c_device_probe+0x35c/0x384
> really_probe+0x290/0x3e4
> driver_probe_device+0x80/0x1c4
> __device_attach_driver+0x104/0x11c
> bus_for_each_drv+0xa4/0xc8
> __device_attach+0xf0/0x15c
> device_initial_probe+0x1c/0x20
> bus_probe_device+0xdc/0xec
> deferred_probe_work_func+0xa8/0xd4
> process_one_work+0x3dc/0x96c
> worker_thread+0x4ec/0x8bc
> kthread+0x230/0x240
> ret_from_fork+0x14/0x38
> (null)
>
> Freed by task 132:
> __kasan_slab_free+0x12c/0x200
> kasan_slab_free+0x14/0x18
> kfree+0x90/0x294
> hwmon_dev_release+0x1c/0x20
> device_release+0x4c/0xe8
> kobject_put+0xac/0x11c
> device_unregister+0x2c/0x30
> __hwmon_device_register+0xa58/0xa7c
> hwmon_device_register_with_info+0xa0/0xa8
> devm_hwmon_device_register_with_info+0x74/0xb4
> lm90_probe+0x414/0x578
> i2c_device_probe+0x35c/0x384
> really_probe+0x290/0x3e4
> driver_probe_device+0x80/0x1c4
> __device_attach_driver+0x104/0x11c
> bus_for_each_drv+0xa4/0xc8
> __device_attach+0xf0/0x15c
> device_initial_probe+0x1c/0x20
> bus_probe_device+0xdc/0xec
> deferred_probe_work_func+0xa8/0xd4
> process_one_work+0x3dc/0x96c
> worker_thread+0x4ec/0x8bc
> kthread+0x230/0x240
> ret_from_fork+0x14/0x38
> (null)
>
> Cc: <stable@vger.kernel.org> # v4.15+
> Fixes: 47c332deb8e8 ("hwmon: Deal with errors from the thermal subsystem")
> Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
> ---
> drivers/hwmon/hwmon.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
> index 975c95169884..84f61cec6319 100644
> --- a/drivers/hwmon/hwmon.c
> +++ b/drivers/hwmon/hwmon.c
> @@ -649,8 +649,10 @@ __hwmon_device_register(struct device *dev,
> const char *name, void *drvdata,
> if (info[i]->config[j] & HWMON_T_INPUT) {
> err = hwmon_thermal_add_sensor(dev,
> hwdev, j);
> - if (err)
> - goto free_device;
> + if (err) {
> + device_unregister(hdev);
> + goto ida_remove;
> + }
> }
> }
> }
> @@ -658,8 +660,6 @@ __hwmon_device_register(struct device *dev,
> const char *name, void *drvdata,
>
> return hdev;
>
> -free_device:
> - device_unregister(hdev);
> free_hwmon:
> kfree(hwdev);
> ida_remove:
> --
> 2.19.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v1] hwmon: Fix double-free in __hwmon_device_register()
2018-10-25 0:15 ` linux
@ 2018-10-25 18:22 ` Dmitry Osipenko
0 siblings, 0 replies; 3+ messages in thread
From: Dmitry Osipenko @ 2018-10-25 18:22 UTC (permalink / raw)
To: linux; +Cc: Jean Delvare, Linus Walleij, linux-hwmon, linux-kernel
On 10/25/18 3:15 AM, linux@roeck-us.net wrote:
>
> Quoting Dmitry Osipenko <digetx@gmail.com>:
>
>> Fix double-free that happens when thermal zone setup fails, see KASAN log
>> below.
>>
>
> Good catch. I'll apply this as soon as I manage to convince AT&T to restore
> my internet service.
Cool, thanks!
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-10-25 18:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-24 19:37 [PATCH v1] hwmon: Fix double-free in __hwmon_device_register() Dmitry Osipenko
2018-10-25 0:15 ` linux
2018-10-25 18:22 ` Dmitry Osipenko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).