OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/drivers
History
Li RongQing 6d2b0f02f5 connector: fix unsafe usage of ->real_parent 
proc_exit_connector() uses ->real_parent lockless. This is not
safe that its parent can go away at any moment, so use RCU to
protect it, and ensure that this task is not released.

[  747.624551] ==================================================================
[  747.632946] BUG: KASAN: use-after-free in proc_exit_connector+0x1f7/0x310
[  747.640686] Read of size 4 at addr ffff88a0276988e0 by task sshd/2882
[  747.648032]
[  747.649804] CPU: 11 PID: 2882 Comm: sshd Tainted: G            E     4.19.26-rc2 #11
[  747.658629] Hardware name: IBM x3550M4 -[7914OFV]-/00AM544, BIOS -[D7E142BUS-1.71]- 07/31/2014
[  747.668419] Call Trace:
[  747.671269]  dump_stack+0xf0/0x19b
[  747.675186]  ? show_regs_print_info+0x5/0x5
[  747.679988]  ? kmsg_dump_rewind_nolock+0x59/0x59
[  747.685302]  print_address_description+0x6a/0x270
[  747.691162]  kasan_report+0x258/0x380
[  747.695835]  ? proc_exit_connector+0x1f7/0x310
[  747.701402]  proc_exit_connector+0x1f7/0x310
[  747.706767]  ? proc_coredump_connector+0x2d0/0x2d0
[  747.712715]  ? _raw_write_unlock_irq+0x29/0x50
[  747.718270]  ? _raw_write_unlock_irq+0x29/0x50
[  747.723820]  ? ___preempt_schedule+0x16/0x18
[  747.729193]  ? ___preempt_schedule+0x16/0x18
[  747.734574]  do_exit+0xa11/0x14f0
[  747.738880]  ? mm_update_next_owner+0x590/0x590
[  747.744525]  ? debug_show_all_locks+0x3c0/0x3c0
[  747.761448]  ? ktime_get_coarse_real_ts64+0xeb/0x1c0
[  747.767589]  ? lockdep_hardirqs_on+0x1a6/0x290
[  747.773154]  ? check_chain_key+0x139/0x1f0
[  747.778345]  ? check_flags.part.35+0x240/0x240
[  747.783908]  ? __lock_acquire+0x2300/0x2300
[  747.789171]  ? _raw_spin_unlock_irqrestore+0x59/0x70
[  747.795316]  ? _raw_spin_unlock_irqrestore+0x59/0x70
[  747.801457]  ? do_raw_spin_unlock+0x10f/0x1e0
[  747.806914]  ? do_raw_spin_trylock+0x120/0x120
[  747.812481]  ? preempt_count_sub+0x14/0xc0
[  747.817645]  ? _raw_spin_unlock+0x2e/0x50
[  747.822708]  ? __handle_mm_fault+0x12db/0x1fa0
[  747.828367]  ? __pmd_alloc+0x2d0/0x2d0
[  747.833143]  ? check_noncircular+0x50/0x50
[  747.838309]  ? match_held_lock+0x7f/0x340
[  747.843380]  ? check_noncircular+0x50/0x50
[  747.848561]  ? handle_mm_fault+0x21a/0x5f0
[  747.853730]  ? check_flags.part.35+0x240/0x240
[  747.859290]  ? check_chain_key+0x139/0x1f0
[  747.864474]  ? __do_page_fault+0x40f/0x760
[  747.869655]  ? __audit_syscall_entry+0x4b/0x1f0
[  747.875319]  ? syscall_trace_enter+0x1d5/0x7b0
[  747.880877]  ? trace_raw_output_preemptirq_template+0x90/0x90
[  747.887895]  ? trace_raw_output_sys_exit+0x80/0x80
[  747.893860]  ? up_read+0x3b/0x90
[  747.898142]  ? stop_critical_timings+0x260/0x260
[  747.903909]  do_group_exit+0xe0/0x1c0
[  747.908591]  ? __x64_sys_exit+0x30/0x30
[  747.913460]  ? trace_raw_output_preemptirq_template+0x90/0x90
[  747.920485]  ? tracer_hardirqs_on+0x270/0x270
[  747.925956]  __x64_sys_exit_group+0x28/0x30
[  747.931214]  do_syscall_64+0x117/0x400
[  747.935988]  ? syscall_return_slowpath+0x2f0/0x2f0
[  747.941931]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  747.947788]  ? trace_hardirqs_on_caller+0x1d0/0x1d0
[  747.953838]  ? lockdep_sys_exit+0x16/0x8e
[  747.958915]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  747.964784]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  747.971021] RIP: 0033:0x7f572f154c68
[  747.975606] Code: Bad RIP value.
[  747.979791] RSP: 002b:00007ffed2dfaa58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[  747.989324] RAX: ffffffffffffffda RBX: 00007f572f431840 RCX: 00007f572f154c68
[  747.997910] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[  748.006495] RBP: 0000000000000001 R08: 00000000000000e7 R09: fffffffffffffee0
[  748.015079] R10: 00007f572f4387e8 R11: 0000000000000246 R12: 00007f572f431840
[  748.023664] R13: 000055a7f90f2c50 R14: 000055a7f96e2310 R15: 000055a7f96e2310
[  748.032287]
[  748.034509] Allocated by task 2300:
[  748.038982]  kasan_kmalloc+0xa0/0xd0
[  748.043562]  kmem_cache_alloc_node+0xf5/0x2e0
[  748.049018]  copy_process+0x1781/0x4790
[  748.053884]  _do_fork+0x166/0x9a0
[  748.058163]  do_syscall_64+0x117/0x400
[  748.062943]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  748.069180]
[  748.071405] Freed by task 15395:
[  748.075591]  __kasan_slab_free+0x130/0x180
[  748.080752]  kmem_cache_free+0xc2/0x310
[  748.085619]  free_task+0xea/0x130
[  748.089901]  __put_task_struct+0x177/0x230
[  748.095063]  finish_task_switch+0x51b/0x5d0
[  748.100315]  __schedule+0x506/0xfa0
[  748.104791]  schedule+0xca/0x260
[  748.108978]  futex_wait_queue_me+0x27e/0x420
[  748.114333]  futex_wait+0x251/0x550
[  748.118814]  do_futex+0x75b/0xf80
[  748.123097]  __x64_sys_futex+0x231/0x2a0
[  748.128065]  do_syscall_64+0x117/0x400
[  748.132835]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  748.139066]
[  748.141289] The buggy address belongs to the object at ffff88a027698000
[  748.141289]  which belongs to the cache task_struct of size 12160
[  748.156589] The buggy address is located 2272 bytes inside of
[  748.156589]  12160-byte region [ffff88a027698000, ffff88a02769af80)
[  748.171114] The buggy address belongs to the page:
[  748.177055] page:ffffea00809da600 count:1 mapcount:0 mapping:ffff888107d01e00 index:0x0 compound_mapcount: 0
[  748.189136] flags: 0x57ffffc0008100(slab|head)
[  748.194688] raw: 0057ffffc0008100 ffffea00809a3200 0000000300000003 ffff888107d01e00
[  748.204424] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
[  748.214146] page dumped because: kasan: bad access detected
[  748.220976]
[  748.223197] Memory state around the buggy address:
[  748.229128]  ffff88a027698780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  748.238271]  ffff88a027698800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  748.247414] >ffff88a027698880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  748.256564]                                                        ^
[  748.264267]  ffff88a027698900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  748.273493]  ffff88a027698980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  748.282630] ==================================================================

Fixes: b086ff8725 ("connector: add parent pid and tgid to coredump and exit events")
Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2019-03-08 15:06:38 -08:00
..
accessibility
acpi ACPI: Set debug output flags independent of ACPICA 2019-02-07 12:24:28 +01:00
amba
android binderfs: remove separate device_initcall() 2019-02-01 15:50:26 +01:00
ata libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD 2019-02-06 12:47:09 -07:00
atm atm: he: fix sign-extension overflow on large shift 2019-01-17 11:27:00 -08:00
auxdisplay auxdisplay: ht16k33: fix potential user-after-free on module unload 2019-02-15 19:48:39 +01:00
base regmap: Changes for v5.1 2019-03-04 19:16:09 -08:00
bcma bcma: use dev_* printing functions 2019-01-10 13:39:19 +02:00
block floppy: check_events callback should not return a negative number 2019-02-12 09:13:18 -07:00
bluetooth Bluetooth: mediatek: add support for MediaTek MT7663U and MT7668U UART devices 2019-03-02 19:51:23 +01:00
bus Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-03-05 09:09:55 -08:00
cdrom gdrom: fix a memory leak bug 2018-12-29 08:20:44 -07:00
char Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-03-05 09:09:55 -08:00
clk clk: at91: fix masterck name 2019-02-20 11:40:21 -08:00
clocksource Merge branch 'pwm-dmtimer-fixes' into omap-for-v5.0/fixes-v2 2019-01-29 07:53:47 -08:00
connector connector: fix unsafe usage of ->real_parent 2019-03-08 15:06:38 -08:00
cpufreq cpufreq: scmi: Fix use-after-free in scmi_cpufreq_exit() 2019-02-19 11:17:37 +01:00
cpuidle cpuidle: poll_state: Fix default time limit 2019-01-30 22:57:42 +01:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-03-05 09:09:55 -08:00
dax mm, devm_memremap_pages: fix shutdown handling 2018-12-28 12:11:47 -08:00
dca
devfreq PM / devfreq: add devfreq_suspend/resume() functions 2018-12-11 11:40:13 +09:00
dio dio: Fix buffer overflow in case of unknown board 2019-01-21 10:36:53 +01:00
dma dmaengine-fix-5.0-rc6 2019-02-10 10:39:37 -08:00
dma-buf drivers/dma-buf/udmabuf.c: convert to use vm_fault_t 2019-01-04 13:13:46 -08:00
edac EDAC, altera: Fix S10 persistent register offset 2019-01-24 17:13:59 +01:00
eisa
extcon
firewire scsi: communicate max segment size to the DMA mapping code 2019-01-22 20:40:59 -05:00
firmware Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-02-17 09:22:01 -08:00
fmc
fpga fpga: stratix10-soc: fix wrong of_node_put() in init function 2019-01-31 16:19:48 +01:00
fsi
gnss Merge 4.20-rc6 into tty-next 2018-12-10 10:17:45 +01:00
gpio Merge branch 'spi-5.1' into spi-next 2019-03-04 15:32:51 +00:00
gpu drm/bochs: Fix the ID mismatch error 2019-02-28 14:05:33 +10:00
hid HID: debug: fix the ring buffer implementation 2019-01-29 12:09:11 +01:00
hsi
hv vmbus: fix subchannel removal 2019-01-09 19:20:31 -05:00
hwmon hwmon: (ad7418) Add device tree probing 2019-02-25 09:06:00 -08:00
hwspinlock hwspinlock: fix return value check in stm32_hwspinlock_probe() 2019-01-03 11:42:10 -08:00
hwtracing intel_th: msu: Fix an off-by-one in attribute store 2018-12-19 20:21:06 +01:00
i2c i2c: bcm2835: Clear current buffer pointers and counts after a transfer 2019-02-15 09:45:05 +01:00
i3c - Add a /* fall-through */ comment in the dw-i3c-master driver 2019-03-04 19:05:02 -08:00
ide ide: ensure atapi sense request aren't preempted 2019-01-31 08:25:09 -07:00
idle
iio First set of IIO fixes for the 5.0 cycle. 2019-02-03 13:10:41 +01:00
infiniband net: devlink: turn devlink into a built-in 2019-02-26 08:49:05 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2019-02-17 08:30:35 -08:00
iommu IOMMU Fix for Linux v5.0-rc8 2019-03-01 09:13:04 -08:00
ipack
irqchip Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-02-10 09:54:19 -08:00
isdn isdn: isdnloop: fix pointer dereference bug 2019-03-07 09:25:52 -08:00
leds LED updates for 5.1-rc1 2019-03-04 19:33:04 -08:00
lightnvm lightnvm: pblk: fix use-after-free bug 2018-12-22 14:45:35 -07:00
macintosh Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
mailbox mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue 2019-02-18 10:40:58 -06:00
mcb
md for-linus-20190215 2019-02-15 09:12:28 -08:00
media media: vim2m: only cancel work if it is for right context 2019-01-16 11:13:25 -05:00
memory ARM: SoC: late updates 2019-01-05 11:30:37 -08:00
memstick MMC core: 2018-12-28 16:52:18 -08:00
message scsi: flip the default on use_clustering 2018-12-18 23:13:12 -05:00
mfd mfd: Fix unmet dependency warning for MFD_TPS68470 2019-01-29 10:55:34 +01:00
misc mic: vop: Fix crash on remove 2019-02-01 15:53:54 +01:00
mmc mmc:fix a bug when max_discard is 0 2019-03-01 09:50:10 +01:00
mtd spi: Updates for v5.1 2019-03-04 19:23:56 -08:00
mux
net vxlan: do not need BH again in vxlan_cleanup() 2019-03-08 14:45:42 -08:00
nfc
ntb cross-tree: phase out dma_zalloc_coherent() 2019-01-08 07:58:37 -05:00
nubus
nvdimm libnvdimm/security: Require nvdimm_security_setup_events() to succeed 2019-01-21 09:57:43 -08:00
nvme nvme-pci: add missing unlock for reset error 2019-02-12 09:29:07 +01:00
nvmem nvmem: add new config option 2018-12-06 15:45:46 +01:00
of net: phy: fixed-phy: Drop GPIO from fixed_phy_add() 2019-02-04 18:33:36 -08:00
opp cpufreq: scpi/scmi: Fix freeing of dynamic OPPs 2019-01-04 12:19:40 +01:00
oprofile
parisc parisc: Use F_EXTEND() macro in iosapic code 2019-02-21 20:37:12 +01:00
parport
pci pci-v5.0-fixes-4 2019-02-08 15:32:10 -08:00
pcmcia Included in this update: 2019-01-05 11:23:17 -08:00
perf drivers/perf: hisi: Fixup one DDRC PMU register offset 2019-01-04 10:13:27 +00:00
phy phy: armada38x: add common phy support 2019-02-07 18:10:25 -08:00
pinctrl pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins 2019-02-17 22:24:32 +01:00
platform platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 2019-01-29 10:59:07 +01:00
pnp Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
power power supply and reset changes for the v4.21 series 2018-12-28 20:22:45 -08:00
powercap
pps Kconfig updates for v4.21 2018-12-29 13:03:29 -08:00
ps3
ptp ptp_qoriq: don't pass a large struct by value but instead pass it by reference 2019-02-19 14:15:40 -08:00
pwm pwm: imx: Add ipg clock operation 2018-12-24 12:06:56 +01:00
rapidio cross-tree: phase out dma_zalloc_coherent() 2019-01-08 07:58:37 -05:00
ras treewide: surround Kconfig file paths with double quotes 2018-12-22 00:25:54 +09:00
regulator regulator: mc13xxx: Constify regulator_ops variables 2019-03-04 00:01:08 +00:00
remoteproc virtio: don't allocate vqs when names[i] = NULL 2019-01-14 20:15:19 -05:00
reset reset: uniphier-glue: Add AHCI reset control support in glue layer 2019-01-07 16:38:51 +01:00
rpmsg
rtc RTC for 4.21 2019-01-01 13:24:31 -08:00
s390 s390 updates for the 5.1 merge window 2019-03-05 11:13:10 -08:00
sbus Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-next 2018-12-26 10:32:18 -08:00
scsi SCSI fixes on 20190302 2019-03-02 11:39:54 -08:00
sfi
sh
siox
slimbus slimbus: ngd: fix spelling mistake "exeeds" -> "exceeds" 2018-12-06 15:50:06 +01:00
sn
soc Here's the main MIPS pull request for v5.1: 2019-03-05 11:28:25 -08:00
soundwire
spi Merge branch 'spi-5.1' into spi-next 2019-03-04 15:32:51 +00:00
spmi
ssb
staging Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-03-05 08:26:13 -08:00
target scsi: target: make the pi_prot_format ConfigFS path readable 2019-02-04 21:40:32 -05:00
tc
tee tee: optee: add missing of_node_put after of_device_is_available 2019-02-28 10:23:04 +01:00
thermal thermal: cpu_cooling: Clarify error message 2019-02-05 15:50:13 -08:00
thunderbolt
tty TTY/Serial fixes for 5.0-rc6 2019-02-08 10:49:55 -08:00
uio Char/Misc driver patches for 4.21-rc1 2018-12-28 20:54:57 -08:00
usb Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next 2019-02-24 22:27:19 -08:00
uwb
vfio vfio_pci: Enable memory accesses before calling pci_map_rom 2019-02-18 14:57:50 -07:00
vhost vhost: correctly check the return value of translate_desc() in log_used() 2019-02-19 13:14:45 -08:00
video TTY/Serial driver fixes for 5.0-rc4 2019-01-25 12:58:40 -10:00
virt
virtio virtio: drop internal struct from UAPI 2019-02-05 15:29:48 -05:00
visorbus
vlynq
vme
w1 treewide: surround Kconfig file paths with double quotes 2018-12-22 00:25:54 +09:00
watchdog watchdog: tqmx86: Fix a couple IS_ERR() vs NULL bugs 2019-01-07 10:10:35 +01:00
xen arm64/xen: fix xen-swiotlb cache flushing 2019-01-23 22:14:56 +01:00
zorro
Kconfig Kconfig file consolidation for v4.21 2018-12-29 13:40:29 -08:00
Makefile