sugar/linux
1
0
Fork 0
Code Activity
Files
424a7cd078401591fc45587ffb2c012d7f402fb7
linux/drivers
History
YueHaibing 6ff7b06053 mdio_bus: Fix use-after-free on device_register fails 
KASAN has found use-after-free in fixed_mdio_bus_init,
commit 0c692d0784 ("drivers/net/phy/mdio_bus.c: call
put_device on device_register() failure") call put_device()
while device_register() fails,give up the last reference
to the device and allow mdiobus_release to be executed
,kfreeing the bus. However in most drives, mdiobus_free
be called to free the bus while mdiobus_register fails.
use-after-free occurs when access bus again, this patch
revert it to let mdiobus_free free the bus.

KASAN report details as below:

BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524

CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
 fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

Allocated by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
 fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kfree+0xe1/0x270 mm/slub.c:3938
 device_release+0x78/0x200 drivers/base/core.c:919
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 put_device+0x1c/0x30 drivers/base/core.c:2060
 __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
 fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881dc824c80
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 248 bytes inside of
 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
The buggy address belongs to the page:
page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 0c692d0784 ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-22 15:34:07 -08:00
..
accessibility
acpi
ACPI: Set debug output flags independent of ACPICA
2019-02-07 12:24:28 +01:00
amba
android
binderfs: remove separate device_initcall()
2019-02-01 15:50:26 +01:00
ata
libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD
2019-02-06 12:47:09 -07:00
atm
atm: he: fix sign-extension overflow on large shift
2019-01-17 11:27:00 -08:00
auxdisplay
auxdisplay: ht16k33: fix potential user-after-free on module unload
2019-02-15 19:48:39 +01:00
base
Merge tag 'driver-core-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2019-02-08 10:53:44 -08:00
bcma
block
floppy: check_events callback should not return a negative number
2019-02-12 09:13:18 -07:00
bluetooth
Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading
2018-12-19 13:43:42 +01:00
bus
Merge branch 'pwm-dmtimer-fixes' into omap-for-v5.0/fixes-v2
2019-01-29 07:53:47 -08:00
cdrom
gdrom: fix a memory leak bug
2018-12-29 08:20:44 -07:00
char
Merge tag 'char-misc-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2019-01-25 13:03:34 -10:00
clk
clk: qcom: gcc: Use active only source for CPUSS clocks
2019-01-24 11:41:48 -08:00
clocksource
Merge branch 'pwm-dmtimer-fixes' into omap-for-v5.0/fixes-v2
2019-01-29 07:53:47 -08:00
connector
cpufreq
Merge branches 'pm-cpuidle', 'pm-cpufreq' and 'pm-sleep'
2019-01-11 10:09:51 +01:00
cpuidle
cpuidle: poll_state: Fix default time limit
2019-01-30 22:57:42 +01:00
crypto
Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
2019-02-15 08:11:43 -08:00
dax
mm, devm_memremap_pages: fix shutdown handling
2018-12-28 12:11:47 -08:00
dca
devfreq
PM / devfreq: add devfreq_suspend/resume() functions
2018-12-11 11:40:13 +09:00
dio
dma
Merge tag 'dmaengine-fix-5.0-rc6' of git://git.infradead.org/users/vkoul/slave-dma
2019-02-10 10:39:37 -08:00
dma-buf
drivers/dma-buf/udmabuf.c: convert to use vm_fault_t
2019-01-04 13:13:46 -08:00
edac
EDAC, altera: Fix S10 persistent register offset
2019-01-24 17:13:59 +01:00
eisa
extcon
firewire
scsi: communicate max segment size to the DMA mapping code
2019-01-22 20:40:59 -05:00
firmware
Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2019-02-17 09:22:01 -08:00
fmc
fpga
fpga: stratix10-soc: fix wrong of_node_put() in init function
2019-01-31 16:19:48 +01:00
fsi
gnss
Merge 4.20-rc6 into tty-next
2018-12-10 10:17:45 +01:00
gpio
gpio: vf610: Mask all GPIO interrupts
2019-01-28 15:28:43 +01:00
gpu
drm: Use array_size() when creating lease
2019-02-15 13:08:08 +10:00
hid
HID: debug: fix the ring buffer implementation
2019-01-29 12:09:11 +01:00
hsi
hv
vmbus: fix subchannel removal
2019-01-09 19:20:31 -05:00
hwmon
hwmon: (nct6775) Fix fan6 detection for NCT6793D
2019-01-27 18:55:49 -08:00
hwspinlock
hwspinlock: fix return value check in stm32_hwspinlock_probe()
2019-01-03 11:42:10 -08:00
hwtracing
intel_th: msu: Fix an off-by-one in attribute store
2018-12-19 20:21:06 +01:00
i2c
i2c: bcm2835: Clear current buffer pointers and counts after a transfer
2019-02-15 09:45:05 +01:00
i3c
i3c: master: dw: fix deadlock
2019-01-26 11:14:25 +01:00
ide
ide: ensure atapi sense request aren't preempted
2019-01-31 08:25:09 -07:00
idle
iio
Merge tag 'iio-fixes-5.0a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus
2019-02-03 13:10:41 +01:00
infiniband
IB/uverbs: Fix OOPs in uverbs_user_mmap_disassociate
2019-01-29 13:57:22 -07:00
input
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
2019-02-17 08:30:35 -08:00
iommu
Merge tag 'iommu-fixes-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
2019-02-08 15:34:10 -08:00
ipack
irqchip
Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2019-02-10 09:54:19 -08:00
isdn
mISDN: fix a race in dev_expire_timer()
2019-02-05 16:39:29 -08:00
leds
leds: lp5523: fix a missing check of return value of lp55xx_read
2019-01-17 22:27:39 +01:00
lightnvm
lightnvm: pblk: fix use-after-free bug
2018-12-22 14:45:35 -07:00
macintosh
Remove 'type' argument from access_ok() function
2019-01-03 18:57:57 -08:00
mailbox
mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue
2019-02-18 10:40:58 -06:00
mcb
md
Merge tag 'for-linus-20190215' of git://git.kernel.dk/linux-block
2019-02-15 09:12:28 -08:00
media
media: vim2m: only cancel work if it is for right context
2019-01-16 11:13:25 -05:00
memory
Merge tag 'armsoc-late' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
2019-01-05 11:30:37 -08:00
memstick
Merge tag 'mmc-v4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
2018-12-28 16:52:18 -08:00
message
scsi: flip the default on use_clustering
2018-12-18 23:13:12 -05:00
mfd
mfd: Fix unmet dependency warning for MFD_TPS68470
2019-01-29 10:55:34 +01:00
misc
mic: vop: Fix crash on remove
2019-02-01 15:53:54 +01:00
mmc
mmc: meson-gx: fix interrupt name
2019-02-13 08:41:15 +01:00
mtd
mtd: rawnand: gpmi: fix MX28 bus master lockup problem
2019-02-06 09:39:22 +01:00
mux
net
mdio_bus: Fix use-after-free on device_register fails
2019-02-22 15:34:07 -08:00
nfc
ntb
cross-tree: phase out dma_zalloc_coherent()
2019-01-08 07:58:37 -05:00
nubus
nvdimm
libnvdimm/security: Require nvdimm_security_setup_events() to succeed
2019-01-21 09:57:43 -08:00
nvme
nvme-pci: add missing unlock for reset error
2019-02-12 09:29:07 +01:00
nvmem
of
OF: properties: add missing of_node_put
2019-01-16 12:49:53 -06:00
opp
cpufreq: scpi/scmi: Fix freeing of dynamic OPPs
2019-01-04 12:19:40 +01:00
oprofile
parisc
Merge tag 'kconfig-v4.21-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
2018-12-29 13:40:29 -08:00
parport
pci
Merge tag 'pci-v5.0-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
2019-02-08 15:32:10 -08:00
pcmcia
Merge tag 'for-4.21' of git://git.armlinux.org.uk/~rmk/linux-arm
2019-01-05 11:23:17 -08:00
perf
drivers/perf: hisi: Fixup one DDRC PMU register offset
2019-01-04 10:13:27 +00:00
phy
Merge tag 'usb-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
2019-01-25 12:57:09 -10:00
pinctrl
pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller
2019-01-22 10:52:39 +01:00
platform
platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
2019-01-29 10:59:07 +01:00
pnp
Remove 'type' argument from access_ok() function
2019-01-03 18:57:57 -08:00
power
Merge tag 'for-v4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
2018-12-28 20:22:45 -08:00
powercap
pps
Merge tag 'kconfig-v4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
2018-12-29 13:03:29 -08:00
ps3
ptp
ptp: check that rsv field is zero in struct ptp_sys_offset_extended
2019-01-08 16:22:56 -05:00
pwm
pwm: imx: Add ipg clock operation
2018-12-24 12:06:56 +01:00
rapidio
cross-tree: phase out dma_zalloc_coherent()
2019-01-08 07:58:37 -05:00
ras
treewide: surround Kconfig file paths with double quotes
2018-12-22 00:25:54 +09:00
regulator
Merge remote-tracking branch 'regulator/topic/coupled' into regulator-next
2018-12-21 13:43:35 +00:00
remoteproc
virtio: don't allocate vqs when names[i] = NULL
2019-01-14 20:15:19 -05:00
reset
reset: uniphier-glue: Add AHCI reset control support in glue layer
2019-01-07 16:38:51 +01:00
rpmsg
rtc
Merge tag 'rtc-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
2019-01-01 13:24:31 -08:00
s390
Merge tag 's390-5.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
2019-02-11 10:28:48 -08:00
sbus
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-next
2018-12-26 10:32:18 -08:00
scsi
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
2019-02-15 13:36:43 -08:00
sfi
sh
siox
slimbus
sn
soc
Merge tag 'soc-fsl-fix-v5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/leo/linux into arm/fixes
2019-01-30 11:14:04 +01:00
soundwire
spi
cross-tree: phase out dma_zalloc_coherent()
2019-01-08 07:58:37 -05:00
spmi
ssb
staging
Merge tag 'staging-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
2019-02-08 10:51:59 -08:00
target
scsi: target: make the pi_prot_format ConfigFS path readable
2019-02-04 21:40:32 -05:00
tc
tee
Merge tag 'tee-subsys-optee-for-4.21' of https://git.linaro.org/people/jens.wiklander/linux-tee into next/late
2018-12-31 13:06:30 -08:00
thermal
thermal: cpu_cooling: Clarify error message
2019-02-05 15:50:13 -08:00
thunderbolt
tty
Merge tag 'tty-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2019-02-08 10:49:55 -08:00
uio
Merge tag 'char-misc-4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2018-12-28 20:54:57 -08:00
usb
usb: typec: tcpm: Correct the PPS out_volt calculation
2019-01-31 09:14:00 +01:00
uwb
vfio
vfio-pci/nvlink2: Fix ancient gcc warnings
2019-01-23 08:20:43 -07:00
vhost
vhost: correctly check the return value of translate_desc() in log_used()
2019-02-19 13:14:45 -08:00
video
Merge tag 'tty-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2019-01-25 12:58:40 -10:00
virt
virtio
virtio: drop internal struct from UAPI
2019-02-05 15:29:48 -05:00
visorbus
vlynq
vme
w1
treewide: surround Kconfig file paths with double quotes
2018-12-22 00:25:54 +09:00
watchdog
watchdog: tqmx86: Fix a couple IS_ERR() vs NULL bugs
2019-01-07 10:10:35 +01:00
xen
arm64/xen: fix xen-swiotlb cache flushing
2019-01-23 22:14:56 +01:00
zorro
Kconfig
Merge tag 'kconfig-v4.21-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
2018-12-29 13:40:29 -08:00
Makefile