linux-stable/drivers
Tzung-Bi Shih 675f8a7ad7 platform/chrome: cros_ec_debugfs: detach log reader wq from devm
[ Upstream commit 0e8eb5e8ac ]

Debugfs console_log uses devm memory (e.g. debug_info in
cros_ec_console_log_poll()).  However, lifecycles of device and debugfs
are independent.  A use-after-free issue is observed if a userland
program operates the debugfs after the memory has been freed.

The call trace:
 do_raw_spin_lock
 _raw_spin_lock_irqsave
 remove_wait_queue
 ep_unregister_pollwait
 ep_remove
 do_epoll_ctl

A Python example to reproduce the issue:
... import select
... p = select.epoll()
... f = open('/sys/kernel/debug/cros_scp/console_log')
... p.register(f, select.POLLIN)
... p.poll(1)
[(4, 1)]                    # 4=fd, 1=select.POLLIN

[ shutdown cros_scp at the point ]

... p.poll(1)
[(4, 16)]                   # 4=fd, 16=select.POLLHUP
... p.unregister(f)

A use-after-free issue arises here.  It called epoll_ctl with
EPOLL_CTL_DEL, which in turn uses the workqueue in the devm (i.e.
log_wq).

Detaches log reader's workqueue from devm to make sure it is persistent
even if the device has been removed.

Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
Reviewed-by: Guenter Roeck <groeck@google.com>
Link: https://lore.kernel.org/r/20220209051130.386175-1-tzungbi@google.com
Signed-off-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-05-25 09:59:01 +02:00
accessibility
acpi ACPI: processor: idle: Avoid falling back to C3 type C-states 2022-05-09 09:16:30 +02:00
amba
android binder: Address corner cases in deferred copy and fixup 2022-05-09 09:16:14 +02:00
ata ata: pata_marvell: Check the 'bmdma_addr' beforing reading 2022-04-27 14:41:11 +02:00
atm atm: eni: Add check for dma_map_single 2022-03-15 11:01:52 +00:00
auxdisplay auxdisplay: lcd2s: Use proper API to free the instance of charlcd object 2022-03-03 00:30:31 +01:00
base firmware_loader: use kernel credentials when reading firmware 2022-05-18 10:28:18 +02:00
bcma
block drbd: remove usage of list iterator variable after loop 2022-05-25 09:59:01 +02:00
bluetooth Bluetooth: mediatek: fix the conflict between mtk and msft vendor event 2022-04-13 19:27:19 +02:00
bus bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create() 2022-05-09 09:16:23 +02:00
cdrom
char ipmi:ipmi_ipmb: Fix null-ptr-deref in ipmi_unregister_smi() 2022-05-12 12:32:14 +02:00
clk clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource() 2022-05-09 09:16:24 +02:00
clocksource clocksource: acpi_pm: fix return value of __setup handler 2022-04-08 13:57:38 +02:00
comedi
connector
counter counter: Stop using dev_get_drvdata() to get the counter device 2022-03-15 19:24:13 +01:00
cpufreq cpufreq: qcom-cpufreq-hw: Clear dcvs interrupts 2022-05-09 09:16:24 +02:00
cpuidle cpuidle: qcom-spm: Check if any CPU is managed by SPM 2022-04-08 13:57:46 +02:00
crypto crypto: stm32 - fix reference leak in stm32_crc_remove 2022-05-25 09:59:00 +02:00
cxl cxl/port: Hold port reference until decoder release 2022-04-08 13:58:07 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-04-08 13:58:07 +02:00
dca
devfreq
dio
dma dmaengine: imx-sdma: fix init of uart scripts 2022-04-27 14:41:12 +02:00
dma-buf dma-buf: call dma_buf_stats_setup after dmabuf is in valid list 2022-05-18 10:28:23 +02:00
edac EDAC/synopsys: Read the error count from the correct register 2022-04-27 14:41:11 +02:00
eisa
extcon
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-05-12 12:32:20 +02:00
firmware firmware: cs_dsp: Fix overrun of unterminated control name string 2022-04-27 14:40:57 +02:00
fpga
fsi fsi: Aspeed: Fix a potential double free 2022-04-08 13:58:24 +02:00
gnss
gpio gpio: mvebu: drop pwm base assignment 2022-05-12 12:32:40 +02:00
gpu Revert "drm/i915/opregion: check port number bounds for SWSCI display power state" 2022-05-25 09:58:58 +02:00
greybus greybus: svc: fix an error handling bug in gb_svc_hello() 2022-04-08 13:57:16 +02:00
hid HID: apple: Report Magic Keyboard 2021 with fingerprint reader battery over USB 2022-04-13 19:27:15 +02:00
hsi
hv Drivers: hv: balloon: Disable balloon and hot-add accordingly 2022-04-20 09:36:22 +02:00
hwmon hwmon: (f71882fg) Fix negative temperature 2022-05-18 10:28:16 +02:00
hwspinlock
hwtracing coresight: syscfg: Fix memleak on registration failure in cscfg_create_device 2022-04-08 13:57:14 +02:00
i2c i2c: piix4: Enable EFCH MMIO for Family 17h+ 2022-05-25 09:58:57 +02:00
i3c
idle
iio iio:dac:ad3552r: Fix an IS_ERR() vs NULL check 2022-05-09 09:16:18 +02:00
infiniband RDMA/irdma: Fix deadlock in irdma_cleanup_cm_core() 2022-05-18 10:28:16 +02:00
input Input: stmfts - fix reference leak in stmfts_input_open 2022-05-25 09:58:59 +02:00
interconnect interconnect: Restore sync state by ignoring ipa-virt in provider count 2022-05-18 10:28:18 +02:00
iommu iommu: arm-smmu: disable large page mappings for Nvidia arm-smmu 2022-05-18 10:28:16 +02:00
ipack
irqchip irqchip/gic, gic-v3: Prevent GSI to SGI translations 2022-04-13 19:27:42 +02:00
isdn isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() 2022-03-07 11:27:12 +00:00
leds
macintosh
mailbox mailbox: imx: fix wakeup failure from freeze mode 2022-04-08 13:58:55 +02:00
mcb
md dm integrity: fix memory corruption when tag_size is less than digest size 2022-04-20 09:36:27 +02:00
media media: rockchip/rga: do proper error checking in probe 2022-04-20 09:36:12 +02:00
memory memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode 2022-05-09 09:16:21 +02:00
memstick memstick/mspro_block: fix handling of read-only devices 2022-04-08 13:58:36 +02:00
message
mfd mfd: asic3: Add missing iounmap() on error asic3_mfd_probe 2022-04-08 13:58:22 +02:00
misc eeprom: at25: Use DMA safe buffers 2022-05-09 09:16:14 +02:00
mmc mmc: rtsx: add 74 Clocks in power on flow 2022-05-12 12:32:43 +02:00
most
mtd mtd: rawnand: qcom: fix memory corruption that causes panic 2022-05-09 09:16:29 +02:00
mux
net net: phy: micrel: Fix incorrect variable type in micrel 2022-05-18 10:28:23 +02:00
nfc nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs 2022-05-12 12:32:26 +02:00
ntb
nubus
nvdimm nvdimm/region: Fix default alignment for small regions 2022-04-08 13:58:27 +02:00
nvme nvme-multipath: fix hang when disk goes live over reconnect 2022-05-25 09:59:01 +02:00
nvmem
of
opp opp: Expose of-node's name in debugfs 2022-04-13 19:27:24 +02:00
parisc parisc: Fix CPU affinity for Lasi, WAX and Dino chips 2022-04-13 19:27:26 +02:00
parport
pci PCI: aardvark: Update comment about link going down after link-up 2022-05-12 12:32:48 +02:00
pcmcia
perf arm_pmu: Validate single/group leader events 2022-04-27 14:41:15 +02:00
phy phy: amlogic: fix error path in phy_g12a_usb3_pcie_probe() 2022-05-09 09:16:20 +02:00
pinctrl pinctrl: pistachio: fix use of irq_of_parse_and_map() 2022-05-09 09:16:22 +02:00
platform platform/chrome: cros_ec_debugfs: detach log reader wq from devm 2022-05-25 09:59:01 +02:00
pnp
power power: supply: axp288_fuel_gauge: Use acpi_quirk_skip_acpi_ac_and_battery() 2022-04-13 19:27:18 +02:00
powercap powercap/dtpm_cpu: Reset per_cpu variable in the release function 2022-04-08 13:58:37 +02:00
pps pps: clients: gpio: Propagate return value from pps_gpio_probe 2022-04-08 13:58:24 +02:00
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-04-13 19:27:09 +02:00
pwm pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() 2022-04-08 13:58:23 +02:00
rapidio
ras
regulator regulator: wm8994: Add an off-on delay for WM8994 variant 2022-04-20 09:36:21 +02:00
remoteproc remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region 2022-04-08 13:58:27 +02:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-27 14:41:06 +02:00
rpmsg
rtc rtc: mc146818-lib: Fix the AltCentury for AMD platforms 2022-05-25 09:59:01 +02:00
s390 s390/lcs: fix variable dereferenced before check 2022-05-18 10:28:15 +02:00
sbus
scsi scsi: sr: Do not leak information in ioctl 2022-04-27 14:41:12 +02:00
sh
siox
slimbus slimbus: qcom: Fix IRQ check in qcom_slim_probe 2022-05-18 10:28:20 +02:00
soc soc: imx: imx8m-blk-ctrl: Fix IMX8MN_DISPBLK_PD_ISI hang 2022-05-09 09:16:18 +02:00
soundwire ASoC: Intel: sof_sdw: fix quirks for 2022 HP Spectre x360 13" 2022-04-08 13:58:45 +02:00
spi spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and controller 2022-04-27 14:41:17 +02:00
spmi
ssb
staging staging: wfx: fix an error handling in wfx_init_common() 2022-04-13 19:27:24 +02:00
target scsi: target: tcmu: Fix possible page UAF 2022-04-20 09:36:20 +02:00
tc
tee tee: optee: add missing mutext_destroy in optee_ffa_probe 2022-05-09 09:16:17 +02:00
thermal thermal: int340x: Fix attr.show callback prototype 2022-05-09 09:16:30 +02:00
thunderbolt
tty serial: 8250_mtk: Fix register address for XON/XOFF character 2022-05-18 10:28:20 +02:00
uio
usb usb: gadget: fix race when gadget driver register via ioctl 2022-05-25 09:58:56 +02:00
vdpa vdpa: mlx5: prevent cvq work from hogging CPU 2022-04-13 19:27:28 +02:00
vfio vfio/pci: Fix vf_token mechanism when device-specific VF drivers are used 2022-04-20 09:36:18 +02:00
vhost vhost_vdpa: don't setup irq offloading when irq_num < 0 2022-05-25 09:59:00 +02:00
video fbdev: efifb: Fix a use-after-free due early fb_info cleanup 2022-05-18 10:28:13 +02:00
virt virt: acrn: fix a memory leak in acrn_dev_ioctl() 2022-04-08 13:58:30 +02:00
virtio virtio: use virtio_device_ready() in virtio_device_restore() 2022-04-08 13:58:57 +02:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-04-13 19:27:24 +02:00
watchdog Watchdog: sp5100_tco: Enable Family 17h+ CPUs 2022-05-25 09:58:58 +02:00
xen xen/gnttab: fix gnttab_end_foreign_access() without page specified 2022-03-07 09:48:55 +01:00
zorro
Kconfig
Makefile