twx-linux/drivers
Jing Xia b57196a5ec class: fix use-after-free in class_register()
commit 93ec4a3b76404bce01bd5c9032bef5df6feb1d62 upstream.

The lock_class_key is still registered and can be found in
lock_keys_hash hlist after subsys_private is freed in error
handler path. A task that iterates over the lock_keys_hash
later may cause use-after-free. So fix that up and unregister
the lock_class_key before kfree(cp).

On our platform, a driver fails to kset_register because of
creating duplicate filename '/class/xxx'. With Kasan enabled,
it prints an invalid-access bug report.

KASAN bug report:

BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc
Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252
Pointer tag: [15], memory tag: [fe]

CPU: 7 PID: 252 Comm: modprobe Tainted: G        W
 6.6.0-mainline-maybe-dirty #1

Call trace:
dump_backtrace+0x1b0/0x1e4
show_stack+0x2c/0x40
dump_stack_lvl+0xac/0xe0
print_report+0x18c/0x4d8
kasan_report+0xe8/0x148
__hwasan_store8_noabort+0x88/0x98
lockdep_register_key+0x19c/0x1bc
class_register+0x94/0x1ec
init_module+0xbc/0xf48 [rfkill]
do_one_initcall+0x17c/0x72c
do_init_module+0x19c/0x3f8
...
Memory state around the buggy address:
ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a
ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe
>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                     ^
ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03

As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access
not use-after-free here. In this case, modprobe is manipulating
the corrupted lock_keys_hash hlist where lock_class_key is already
freed before.

It's worth noting that this can only happen if lockdep is enabled,
which is not true for a normal system.

Fixes: dcfbb67e48a2 ("driver core: class: use lock_class_key already present in struct subsys_private")
Cc: stable <stable@kernel.org>
Signed-off-by: Jing Xia <jing.xia@unisoc.com>
Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
Link: https://lore.kernel.org/r/20231220024603.186078-1-jing.xia@unisoc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-01-25 15:35:41 -08:00
accel accel/habanalabs: fix information leak in sec_attest_info() 2024-01-25 15:35:38 -08:00
accessibility
acpi ACPI: extlog: Clear Extended Error Log status when RAS_CEC handled the error 2024-01-25 15:35:15 -08:00
amba
android binder: fix comment on binder_alloc_new_buf() return value 2024-01-20 11:51:48 +01:00
ata scsi: sd: Fix system start for ATA devices 2023-12-08 08:52:17 +01:00
atm atm: solos-pci: Fix potential deadlock on &tx_queue_lock 2023-12-20 17:01:46 +01:00
auxdisplay
base class: fix use-after-free in class_register() 2024-01-25 15:35:41 -08:00
bcma
block null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS 2024-01-25 15:35:29 -08:00
bluetooth Bluetooth: btmtkuart: fix recv_buf() return value 2024-01-25 15:35:29 -08:00
bus bus: moxtet: Add spi device table 2024-01-20 11:51:47 +01:00
cache riscv: RISCV_NONSTANDARD_CACHE_OPS shouldn't depend on RISCV_DMA_NONCOHERENT 2023-10-26 09:42:37 +02:00
cdrom
cdx
char parisc/agp: Use 64-bit LE values in SBA IOMMU PDIR table 2023-11-28 17:20:00 +00:00
clk clk: qcom: dispcc-sm8550: Update disp PLL settings 2024-01-25 15:35:38 -08:00
clocksource clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware 2023-11-28 17:19:36 +00:00
comedi
connector connector: Fix proc_event_num_listeners count not cleared 2024-01-20 11:51:47 +01:00
counter
cpufreq cpufreq: scmi: process the result of devm_of_clk_add_hw_provider() 2024-01-25 15:35:14 -08:00
cpuidle cpuidle: haltpoll: Do not enable interrupts when entering idle 2024-01-25 15:35:15 -08:00
crypto crypto: sahara - do not resize req->src when doing hash operations 2024-01-25 15:35:18 -08:00
cxl cxl/memdev: Hold region_rwsem during inject and clear poison ops 2024-01-10 17:17:02 +01:00
dax
dca
devfreq PM / devfreq: rockchip-dfi: Make pmu regmap mandatory 2023-11-20 11:59:00 +01:00
dio
dma dmaengine: fsl-edma: fix wrong pointer check in fsl_edma3_attach_pd() 2024-01-10 17:16:59 +01:00
dma-buf dma-buf: fix check in dma_resv_add_fence 2023-12-08 08:52:19 +01:00
edac EDAC/thunderx: Fix possible out-of-bounds string access 2024-01-25 15:35:12 -08:00
eisa
extcon
firewire firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards 2024-01-10 17:17:00 +01:00
firmware firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() 2024-01-25 15:35:20 -08:00
fpga fpga: Fix memory leak for fpga_region_test_class_find() 2023-10-24 19:32:39 +02:00
fsi
gnss
gpio gpio: sysfs: drop the mention of gpiochip_find() from sysfs code 2024-01-25 15:35:40 -08:00
gpu drm/amd/display: avoid stringop-overflow warnings for dp_decide_lane_settings() 2024-01-25 15:35:40 -08:00
greybus
hid HID: nintendo: Prevent divide-by-zero on code 2024-01-20 11:51:45 +01:00
hsi
hte hte: tegra: Fix missing error code in tegra_hte_test_probe() 2023-11-20 11:59:08 +01:00
hv
hwmon hwmon: (corsair-psu) Fix probe when built-in 2024-01-20 11:51:42 +01:00
hwspinlock
hwtracing coresight: etm4x: Fix width of CCITMIN field 2024-01-20 11:51:49 +01:00
i2c i2c: rk3x: fix potential spinlock recursion on poll 2024-01-20 11:51:46 +01:00
i3c i3c: master: svc: fix random hot join failure since timeout error 2023-11-28 17:20:06 +00:00
idle x86: Fix CPUIDLE_FLAG_IRQ_ENABLE leaking timer reprogram 2024-01-25 15:35:12 -08:00
iio iio: imu: adis16475: use bit numbers in assign_bit() 2024-01-10 17:16:57 +01:00
infiniband IB/iser: Prevent invalidating wrong MR 2024-01-25 15:35:40 -08:00
input Input: xpad - add Razer Wolverine V2 support 2024-01-20 11:51:44 +01:00
interconnect interconnect: qcom: sm8250: Enable sync_state 2024-01-01 12:42:36 +00:00
iommu iommu/vt-d: Support enforce_cache_coherency only for empty domains 2024-01-10 17:16:57 +01:00
ipack
irqchip irqchip/gic-v3-its: Flush ITS tables correctly in non-coherent GIC designs 2023-12-03 07:33:02 +01:00
isdn isdn: mISDN: hfcsusb: Spelling fix in comment 2023-10-23 09:39:46 +01:00
leds leds: ledtrig-tty: Free allocated ttyname buffer on deactivate 2024-01-20 11:51:48 +01:00
macintosh
mailbox
mcb mcb: fix error handling for different scenarios when parsing 2023-11-28 17:20:05 +00:00
md md: synchronize flush io with array reconfiguration 2024-01-25 15:35:20 -08:00
media media: dvb-frontends: m88ds3103: Fix a memory leak in an error handling path of m88ds3103_probe() 2024-01-25 15:35:35 -08:00
memory memory: tegra: Set BPMP msg flags to reset IPC channels 2023-11-20 11:59:17 +01:00
memstick
message
mfd mfd: qcom-spmi-pmic: Fix revid implementation 2023-11-28 17:20:03 +00:00
misc misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write 2023-12-13 18:45:29 +01:00
mmc mmc: sdhci_omap: Fix TI SoC dependencies 2024-01-25 15:35:39 -08:00
most
mtd mtd: Fix gluebi NULL pointer dereference caused by ftl notifier 2024-01-25 15:35:15 -08:00
mux
net mlxbf_gige: Enable the GigE port in mlxbf_gige_open 2024-01-25 15:35:30 -08:00
nfc nfc: virtual_ncidev: Add variable to check if ndev is running 2023-12-20 17:01:59 +01:00
ntb
nubus
nvdimm nd_btt: Make BTT lanes preemptible 2023-11-20 11:59:19 +01:00
nvme nvme: fix deadlock between reset and scan 2024-01-20 11:51:41 +01:00
nvmem nvmem: brcm_nvram: store a copy of NVRAM content 2024-01-01 12:42:44 +00:00
of of: unittest: Fix of_count_phandle_with_args() expected value message 2024-01-25 15:35:40 -08:00
opp
parisc parisc/power: Fix power soft-off when running on qemu 2023-11-28 17:20:08 +00:00
parport parport: parport_serial: Add Brainboxes device IDs and geometry 2024-01-20 11:51:48 +01:00
pci PCI: Add ACS quirk for more Zhaoxin Root Ports 2024-01-20 11:51:49 +01:00
pcmcia pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() 2023-11-20 11:59:31 +01:00
peci
perf drivers/perf: hisi: Fix some event id for HiSilicon UC pmu 2024-01-25 15:35:13 -08:00
phy phy: sunplus: return negative error code in sp_usb_phy_probe 2024-01-10 17:16:57 +01:00
pinctrl pinctrl: cy8c95x0: Fix get_pincfg 2024-01-20 11:51:46 +01:00
platform platform/x86/intel/vsec: Fix xa_alloc memory leak 2024-01-25 15:35:14 -08:00
pmdomain pmdomain: imx: Make imx pgc power domain also set the fwnode 2023-11-28 17:20:00 +00:00
pnp
power power: supply: core: Use blocking_notifier_call_chain to avoid RCU complaint 2023-11-08 11:56:20 +01:00
powercap powercap: DTPM: Fix missing cpufreq_cpu_put() calls 2023-12-13 18:45:25 +01:00
pps
ps3
ptp ptp: annotate data-race around q->head and q->tail 2023-11-28 17:19:51 +00:00
pwm pwm: stm32: Fix enable count for clk in .probe() 2024-01-25 15:35:39 -08:00
rapidio
ras
regulator regulator: qcom-rpmh: Fix smps4 regulator for pm8550ve 2023-11-20 11:59:07 +01:00
remoteproc
reset reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning 2024-01-20 11:51:44 +01:00
rpmsg
rtc rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call 2023-11-20 11:59:30 +01:00
s390 s390/scm: fix virtual vs physical address confusion 2024-01-20 11:51:44 +01:00
sbus
scsi scsi: hisi_sas: Correct the number of global debugfs registers 2024-01-25 15:35:26 -08:00
sh
siox
slimbus
soc soc: qcom: llcc: Fix LLCC_TRP_ATTR2_CFGn offset 2024-01-25 15:35:27 -08:00
soundwire soundwire: intel_ace2x: fix AC timing setting for ACE2.x 2024-01-20 11:51:42 +01:00
spi spi: sh-msiof: Enforce fixed DTDL for R-Car H3 2024-01-25 15:35:15 -08:00
spmi
ssb
staging media: rkvdec: Hook the (TRY_)DECODER_CMD stateless ioctls 2024-01-25 15:35:32 -08:00
target
tc
tee tee: optee: Fix supplicant based device enumeration 2023-12-13 18:45:11 +01:00
thermal drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment 2024-01-25 15:35:15 -08:00
thunderbolt thunderbolt: Fix memory leak in margining_port_remove() 2024-01-01 12:42:46 +00:00
tty serial: 8250_omap: Add earlycon support for the AM654 UART controller 2023-12-13 18:45:33 +01:00
ufs scsi: ufs: qcom: Fix the return value when platform_get_resource_byname() fails 2024-01-25 15:35:25 -08:00
uio uio: Fix use-after-free in uio_open 2024-01-20 11:51:48 +01:00
usb usb: fotg210-hcd: delete an incorrect bounds test 2024-01-01 12:42:41 +00:00
vdpa pds_vdpa: set features order 2024-01-20 11:51:41 +01:00
vfio vfio/pds: Fix possible sleep while in atomic context 2023-12-08 08:52:25 +01:00
vhost virtio/vsock: send credit update during setting SO_RCVLOWAT 2024-01-25 15:35:26 -08:00
video fbdev: imxfb: fix left margin setting 2024-01-25 15:35:40 -08:00
virt virt: sevguest: Fix passing a stack buffer as a scatterlist target 2023-11-20 11:59:30 +01:00
virtio virtio_ring: fix syncs DMA memory with different direction 2024-01-05 15:19:41 +01:00
vlynq
w1
watchdog watchdog: rti_wdt: Drop runtime pm reference count when watchdog is unused 2024-01-25 15:35:37 -08:00
xen swiotlb-xen: provide the "max_mapping_size" method 2023-12-03 07:33:07 +01:00
zorro
Kconfig
Makefile