mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-15 23:25:07 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/acpi
History
John Garry 83dc16707f ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() 
commit 56a0b978d4 upstream.

When enabling KASAN and DEBUG_TEST_DRIVER_REMOVE, I find this KASAN
warning:

[   20.872057] BUG: KASAN: use-after-free in pcc_data_alloc+0x40/0xb8
[   20.878226] Read of size 4 at addr ffff00236cdeb684 by task swapper/0/1
[   20.884826]
[   20.886309] CPU: 19 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00009-ge7f7df3db5bf-dirty #289
[   20.894994] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
[   20.903505] Call trace:
[   20.905942]  dump_backtrace+0x0/0x200
[   20.909593]  show_stack+0x14/0x20
[   20.912899]  dump_stack+0xd4/0x130
[   20.916291]  print_address_description.isra.9+0x6c/0x3b8
[   20.921592]  __kasan_report+0x12c/0x23c
[   20.925417]  kasan_report+0xc/0x18
[   20.928808]  __asan_load4+0x94/0xb8
[   20.932286]  pcc_data_alloc+0x40/0xb8
[   20.935938]  acpi_cppc_processor_probe+0x4e8/0xb08
[   20.940717]  __acpi_processor_start+0x48/0xb0
[   20.945062]  acpi_processor_start+0x40/0x60
[   20.949235]  really_probe+0x118/0x548
[   20.952887]  driver_probe_device+0x7c/0x148
[   20.957059]  device_driver_attach+0x94/0xa0
[   20.961231]  __driver_attach+0xa4/0x110
[   20.965055]  bus_for_each_dev+0xe8/0x158
[   20.968966]  driver_attach+0x30/0x40
[   20.972531]  bus_add_driver+0x234/0x2f0
[   20.976356]  driver_register+0xbc/0x1d0
[   20.980182]  acpi_processor_driver_init+0x40/0xe4
[   20.984875]  do_one_initcall+0xb4/0x254
[   20.988700]  kernel_init_freeable+0x24c/0x2f8
[   20.993047]  kernel_init+0x10/0x118
[   20.996524]  ret_from_fork+0x10/0x18
[   21.000087]
[   21.001567] Allocated by task 1:
[   21.004785]  save_stack+0x28/0xc8
[   21.008089]  __kasan_kmalloc.isra.9+0xbc/0xd8
[   21.012435]  kasan_kmalloc+0xc/0x18
[   21.015913]  pcc_data_alloc+0x94/0xb8
[   21.019564]  acpi_cppc_processor_probe+0x4e8/0xb08
[   21.024343]  __acpi_processor_start+0x48/0xb0
[   21.028689]  acpi_processor_start+0x40/0x60
[   21.032860]  really_probe+0x118/0x548
[   21.036512]  driver_probe_device+0x7c/0x148
[   21.040684]  device_driver_attach+0x94/0xa0
[   21.044855]  __driver_attach+0xa4/0x110
[   21.048680]  bus_for_each_dev+0xe8/0x158
[   21.052591]  driver_attach+0x30/0x40
[   21.056155]  bus_add_driver+0x234/0x2f0
[   21.059980]  driver_register+0xbc/0x1d0
[   21.063805]  acpi_processor_driver_init+0x40/0xe4
[   21.068497]  do_one_initcall+0xb4/0x254
[   21.072322]  kernel_init_freeable+0x24c/0x2f8
[   21.076667]  kernel_init+0x10/0x118
[   21.080144]  ret_from_fork+0x10/0x18
[   21.083707]
[   21.085186] Freed by task 1:
[   21.088056]  save_stack+0x28/0xc8
[   21.091360]  __kasan_slab_free+0x118/0x180
[   21.095445]  kasan_slab_free+0x10/0x18
[   21.099183]  kfree+0x80/0x268
[   21.102139]  acpi_cppc_processor_exit+0x1a8/0x1b8
[   21.106832]  acpi_processor_stop+0x70/0x80
[   21.110917]  really_probe+0x174/0x548
[   21.114568]  driver_probe_device+0x7c/0x148
[   21.118740]  device_driver_attach+0x94/0xa0
[   21.122912]  __driver_attach+0xa4/0x110
[   21.126736]  bus_for_each_dev+0xe8/0x158
[   21.130648]  driver_attach+0x30/0x40
[   21.134212]  bus_add_driver+0x234/0x2f0
[   21.0x10/0x18
[   21.161764]
[   21.163244] The buggy address belongs to the object at ffff00236cdeb600
[   21.163244]  which belongs to the cache kmalloc-256 of size 256
[   21.175750] The buggy address is located 132 bytes inside of
[   21.175750]  256-byte region [ffff00236cdeb600, ffff00236cdeb700)
[   21.187473] The buggy address belongs to the page:
[   21.192254] page:fffffe008d937a00 refcount:1 mapcount:0 mapping:ffff002370c0fa00 index:0x0 compound_mapcount: 0
[   21.202331] flags: 0x1ffff00000010200(slab|head)
[   21.206940] raw: 1ffff00000010200 dead000000000100 dead000000000122 ffff002370c0fa00
[   21.214671] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
[   21.222400] page dumped because: kasan: bad access detected
[   21.227959]
[   21.229438] Memory state around the buggy address:
[   21.234218]  ffff00236cdeb580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.241427]  ffff00236cdeb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.248637] >ffff00236cdeb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.255845]                    ^
[   21.259062]  ffff00236cdeb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.266272]  ffff00236cdeb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.273480] ==================================================================

It seems that global pcc_data[pcc_ss_id] can be freed in
acpi_cppc_processor_exit(), but we may later reference this value, so
NULLify it when freed.

Also remove the useless setting of data "pcc_channel_acquired", which
we're about to free.

Fixes: 85b1407bf6 ("ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs")
Signed-off-by: John Garry <john.garry@huawei.com>
Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-10-29 09:19:52 +01:00
..
acpica ACPICA: Clear status of GPEs on first direct enable 2019-07-26 09:14:09 +02:00
apei pstore: Convert buf_lock to semaphore 2019-06-11 12:20:52 +02:00
arm64 ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() 2019-08-16 10:12:48 +02:00
dptf License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nfit acpi/nfit: Always dump _DSM output payload 2019-05-16 19:41:19 +02:00
pmic ACPI / PMIC: xpower: Fix TS-pin current-source handling 2019-01-16 22:04:34 +01:00
x86 x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
ac.c ACPI updates for 4.18-rc1 2018-06-05 10:08:27 -07:00
acpi_amba.c
acpi_apd.c ACPI: APD: Add AMD misc clock handler support 2018-05-17 12:44:06 +02:00
acpi_cmos_rtc.c
acpi_configfs.c ACPI: configfs: make config_item_type const 2017-10-19 16:15:29 +02:00
acpi_dbg.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
acpi_extlog.c
acpi_ipmi.c
acpi_lpat.c ACPI / lpat: Fix typos in comments and kerneldoc style 2017-07-24 22:52:00 +02:00
acpi_lpit.c ACPI / PM: LPIT: Register sysfs attributes based on FADT 2018-11-13 11:08:24 -08:00
acpi_lpss.c x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
acpi_memhotplug.c
acpi_pad.c ACPI: acpi_pad: Fix memory leak in power saving threads 2018-03-30 12:04:58 +02:00
acpi_platform.c ACPI / platform: Add SMB0001 HID to forbidden_id_list 2018-11-27 16:13:10 +01:00
acpi_pnp.c
acpi_processor.c ACPI / processor: don't print errors for processorIDs == 0xff 2019-10-05 13:09:38 +02:00
acpi_tad.c ACPI: Add Time and Alarm Device (TAD) driver 2018-03-20 10:36:04 +01:00
acpi_video.c ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35 2019-10-01 08:26:11 +02:00
acpi_watchdog.c ACPI / watchdog: Prefer iTCO_wdt always when WDAT table uses RTC SRAM 2018-05-24 10:52:49 +02:00
battery.c ACPI / battery: Do not export energy_full[_design] on devices without full_charge_capacity 2018-08-09 10:49:35 +02:00
bgrt.c ACPI: BGRT: constify attribute_group structures 2017-07-04 22:15:20 +02:00
blacklist.c ACPI: blacklist: fix clang warning for unused DMI table 2019-08-06 19:06:50 +02:00
bus.c ACPI / bus: Only call dmi_check_system() on X86 2018-09-06 12:16:29 +02:00
button.c ACPI / button: fix defined but not used warning 2018-07-09 11:32:44 +02:00
cm_sbs.c
container.c
cppc_acpi.c ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() 2019-10-29 09:19:52 +01:00
custom_method.c ACPI: custom_method: fix memory leaks 2019-10-05 13:09:53 +02:00
debugfs.c
device_pm.c ACPI/PCI: PM: Add missing wakeup.flags.valid checks 2019-06-22 08:15:17 +02:00
device_sysfs.c ACPI / device_sysfs: Avoid OF modalias creation for removed device 2019-03-23 20:09:57 +01:00
dock.c ACPI: Mark expected switch fall-throughs 2017-11-09 00:55:16 +01:00
ec.c Revert "ACPI / EC: Remove old CLEAR_ON_RESUME quirk" 2019-04-20 09:16:04 +02:00
ec_sys.c ACPI: EC: Fix debugfs_create_*() usage 2018-01-04 13:54:51 +01:00
event.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
evged.c ACPI: GED: unregister interrupts during shutdown 2017-12-16 03:05:37 +01:00
fan.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
glue.c
hed.c
internal.h ACPI: EC / PM: Disable non-wakeup GPEs for suspend-to-idle 2019-04-20 09:16:03 +02:00
ioapic.c
irq.c ACPI / irq: Fix return code of acpi_gsi_to_irq() 2017-07-12 13:11:49 +02:00
Kconfig ACPI: fix menuconfig presentation of ACPI submenu 2018-08-23 10:20:07 +02:00
Makefile ACPI: Enable PPTT support on ARM64 2018-05-17 17:28:09 +01:00
numa.c ACPI: NUMA: Use correct type for printing addresses on i386-PAE 2019-02-20 10:25:39 +01:00
nvs.c
osi.c ACPI / OSI: Add OEM _OSI string to enable NVidia HDMI audio 2018-07-20 10:12:41 +02:00
osl.c ACPI / OSL: Use 'jiffies' as the time bassis for acpi_os_get_timer() 2018-11-13 11:08:17 -08:00
pci_irq.c ACPI / PCI: fix acpi_pci_irq_enable() memory leak 2019-10-05 13:09:53 +02:00
pci_link.c ACPI / PCI: pci_link: Allow the absence of _PRS and change log level 2018-02-27 17:15:39 +01:00
pci_mcfg.c
pci_root.c Merge branch 'pci/hotplug' 2018-06-06 16:10:10 -05:00
pci_slot.c dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
power.c ACPI: power: Skip duplicate power resource references in _PRx 2019-01-16 22:04:33 +01:00
pptt.c ACPI/PPTT: Add support for ACPI 6.3 thread flag 2019-10-17 13:45:34 -07:00
proc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
processor_core.c xen/ACPI: don't upload Px/Cx data for disabled processors 2018-08-20 14:46:18 -04:00
processor_driver.c ACPI: processor: use dev_dbg() instead of dev_warn() when CPPC probe failed 2017-07-27 01:51:06 +02:00
processor_idle.c More ACPI updates for v4.16-rc1 2018-02-09 09:44:25 -08:00
processor_pdc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
processor_perflib.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
processor_thermal.c
processor_throttling.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
property.c ACPI / property: fix handling of data_nodes in acpi_get_next_subnode() 2019-05-31 06:46:11 -07:00
reboot.c ACPI: add missing newline to printk 2018-05-02 13:01:08 +02:00
resource.c ACPI: Mark expected switch fall-throughs 2017-11-09 00:55:16 +01:00
sbs.c ACPI / SBS: Fix GPE storm on recent MacBookPro's 2019-04-20 09:16:01 +02:00
sbshc.c ACPI: sbshc: remove raw pointer from printk() message 2018-02-08 09:50:08 +01:00
sbshc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scan.c ACPI / scan: Create platform device for fwnodes with multiple i2c devices 2018-08-09 12:12:16 +02:00
sleep.c ACPI: PM: Set enable_for_wake for wakeup GPEs during suspend-to-idle 2019-05-22 07:37:41 +02:00
sleep.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
spcr.c ACPI: SPCR: Consider baud rate 0 as preconfigured state 2019-02-12 19:47:02 +01:00
sysfs.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
tables.c arm64 updates for 4.18: 2018-06-08 11:10:58 -07:00
thermal.c dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
utils.c ACPI / utils: Drop reference in test for device presence 2019-04-20 09:15:58 +02:00
video_detect.c ACPI / video: Add quirk to force acpi-video backlight on Samsung 670Z5E 2018-03-20 10:38:17 +01:00
wakeup.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00