https://github.com/torvalds/linux
Revision f123db8e9d6c84c863cb3c44d17e61995dc984fb authored by Benson Leung on 25 September 2013, 03:05:11 UTC, committed by Greg Kroah-Hartman on 26 September 2013, 21:46:11 UTC
The put_device(dev) at the bottom of the loop of device_shutdown may result in the dev being cleaned up. In device_create_release, the dev is kfreed. However, device_shutdown attempts to use the dev pointer again after put_device by referring to dev->parent. Copy the parent pointer instead to avoid this condition. This bug was found on Chromium OS's chromeos-3.8, which is based on v3.8.11. See bug report : https://code.google.com/p/chromium/issues/detail?id=297842 This can easily be reproduced when shutting down with hidraw devices that report battery condition. Two examples are the HP Bluetooth Mouse X4000b and the Apple Magic Mouse. For example, with the magic mouse : The dev in question is "hidraw0" dev->parent is "magicmouse" In the course of the shutdown for this device, the input event cleanup calls a put on hidraw0, decrementing its reference count. When we finally get to put_device(dev) in device_shutdown, kobject_cleanup is called and device_create_release does kfree(dev). dev->parent is no longer valid, and we may crash in put_device(dev->parent). This change should be applied on any kernel with this change : d1c6c030fcec6f860d9bb6c632a3ebe62e28440b Cc: stable@vger.kernel.org Signed-off-by: Benson Leung <bleung@chromium.org> Reviewed-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 667b410
Tip revision: f123db8e9d6c84c863cb3c44d17e61995dc984fb authored by Benson Leung on 25 September 2013, 03:05:11 UTC
driver core : Fix use after free of dev->parent in device_shutdown
driver core : Fix use after free of dev->parent in device_shutdown
Tip revision: f123db8
| File | Mode | Size |
|---|---|---|
| basic | ||
| coccinelle | ||
| dtc | ||
| genksyms | ||
| kconfig | ||
| ksymoops | ||
| mod | ||
| package | ||
| rt-tester | ||
| selinux | ||
| tracing | ||
| .gitignore | -rw-r--r-- | 122 bytes |
| Kbuild.include | -rw-r--r-- | 10.1 KB |
| Lindent | -rwxr-xr-x | 460 bytes |
| Makefile | -rw-r--r-- | 1.4 KB |
| Makefile.asm-generic | -rw-r--r-- | 684 bytes |
| Makefile.build | -rw-r--r-- | 15.1 KB |
| Makefile.clean | -rw-r--r-- | 3.2 KB |
| Makefile.fwinst | -rw-r--r-- | 2.0 KB |
| Makefile.headersinst | -rw-r--r-- | 4.7 KB |
| Makefile.help | -rw-r--r-- | 68 bytes |
| Makefile.host | -rw-r--r-- | 6.5 KB |
| Makefile.lib | -rw-r--r-- | 13.4 KB |
| Makefile.modbuiltin | -rw-r--r-- | 1.8 KB |
| Makefile.modinst | -rw-r--r-- | 1.2 KB |
| Makefile.modpost | -rw-r--r-- | 5.1 KB |
| Makefile.modsign | -rw-r--r-- | 1003 bytes |
| asn1_compiler.c | -rw-r--r-- | 33.8 KB |
| bin2c.c | -rw-r--r-- | 702 bytes |
| bloat-o-meter | -rwxr-xr-x | 1.8 KB |
| bootgraph.pl | -rw-r--r-- | 5.6 KB |
| checkincludes.pl | -rwxr-xr-x | 1.8 KB |
| checkkconfigsymbols.sh | -rwxr-xr-x | 1.8 KB |
| checkpatch.pl | -rwxr-xr-x | 117.5 KB |
| checkstack.pl | -rwxr-xr-x | 5.3 KB |
| checksyscalls.sh | -rwxr-xr-x | 5.5 KB |
| checkversion.pl | -rwxr-xr-x | 1.9 KB |
| cleanfile | -rwxr-xr-x | 3.4 KB |
| cleanpatch | -rwxr-xr-x | 5.0 KB |
| coccicheck | -rwxr-xr-x | 4.6 KB |
| config | -rwxr-xr-x | 4.5 KB |
| conmakehash.c | -rw-r--r-- | 6.0 KB |
| decodecode | -rwxr-xr-x | 2.1 KB |
| depmod.sh | -rwxr-xr-x | 1.7 KB |
| diffconfig | -rwxr-xr-x | 3.7 KB |
| docproc.c | -rw-r--r-- | 14.1 KB |
| export_report.pl | -rw-r--r-- | 4.5 KB |
| extract-ikconfig | -rwxr-xr-x | 1.6 KB |
| extract-vmlinux | -rwxr-xr-x | 1.6 KB |
| gcc-goto.sh | -rw-r--r-- | 465 bytes |
| gcc-version.sh | -rw-r--r-- | 822 bytes |
| gcc-x86_32-has-stack-protector.sh | -rw-r--r-- | 184 bytes |
| gcc-x86_64-has-stack-protector.sh | -rw-r--r-- | 200 bytes |
| gen_initramfs_list.sh | -rw-r--r-- | 7.4 KB |
| get_maintainer.pl | -rwxr-xr-x | 54.1 KB |
| gfp-translate | -rwxr-xr-x | 1.7 KB |
| headerdep.pl | -rwxr-xr-x | 3.5 KB |
| headers.sh | -rwxr-xr-x | 530 bytes |
| headers_check.pl | -rw-r--r-- | 3.5 KB |
| headers_install.sh | -rw-r--r-- | 1.3 KB |
| kallsyms.c | -rw-r--r-- | 15.2 KB |
| kernel-doc | -rwxr-xr-x | 71.4 KB |
| link-vmlinux.sh | -rw-r--r-- | 5.5 KB |
| makelst | -rwxr-xr-x | 773 bytes |
| markup_oops.pl | -rw-r--r-- | 8.1 KB |
| mkcompile_h | -rwxr-xr-x | 2.5 KB |
| mkmakefile | -rw-r--r-- | 1.2 KB |
| mksysmap | -rw-r--r-- | 1.3 KB |
| mkuboot.sh | -rwxr-xr-x | 379 bytes |
| mkversion | -rw-r--r-- | 74 bytes |
| module-common.lds | -rw-r--r-- | 737 bytes |
| namespace.pl | -rwxr-xr-x | 13.0 KB |
| patch-kernel | -rwxr-xr-x | 9.9 KB |
| pnmtologo.c | -rw-r--r-- | 11.9 KB |
| profile2linkerlist.pl | -rw-r--r-- | 375 bytes |
| recordmcount.c | -rw-r--r-- | 12.4 KB |
| recordmcount.h | -rw-r--r-- | 16.3 KB |
| recordmcount.pl | -rwxr-xr-x | 17.6 KB |
| setlocalversion | -rwxr-xr-x | 3.8 KB |
| show_delta | -rwxr-xr-x | 3.0 KB |
| sign-file | -rwxr-xr-x | 12.2 KB |
| sortextable.c | -rw-r--r-- | 6.7 KB |
| sortextable.h | -rw-r--r-- | 4.9 KB |
| tags.sh | -rwxr-xr-x | 9.5 KB |
| unifdef.c | -rw-r--r-- | 34.8 KB |
| ver_linux | -rwxr-xr-x | 3.1 KB |
| xz_wrap.sh | -rw-r--r-- | 562 bytes |
Computing file changes ...
