Commits
Peter Chen committed 150ce1ee8ee
MLK-20585-1 usb: cdns3: gadget: fix the KASAN issue

BUG: KASAN: use-after-free in cdns3_gadget_remove+0x114/0x1d8
Read of size 8 at addr ffff80081f8817a0 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.78-05577-gbe1ecd23b99a-dirty #231
Hardware name: Freescale i.MX8QXP MEK (DT)
Call trace:
[<ffff20000808cd10>] dump_backtrace+0x0/0x510
[<ffff20000808d234>] show_stack+0x14/0x20
[<ffff200009471d84>] dump_stack+0xa4/0xc8
[<ffff2000082966c0>] print_address_description+0x60/0x250
[<ffff200008296bb8>] kasan_report+0x240/0x308
[<ffff2000082952e0>] __asan_load8+0x88/0xb0
[<ffff200008d089cc>] cdns3_gadget_remove+0x114/0x1d8
[<ffff200008d0220c>] cdns3_probe+0x634/0x940
[<ffff2000089ebf10>] platform_drv_probe+0x70/0xf0
[<ffff2000089e9060>] driver_probe_device+0x388/0x5f0
[<ffff2000089e9414>] __driver_attach+0x14c/0x150
[<ffff2000089e5dd8>] bus_for_each_dev+0xd8/0x138
[<ffff2000089e8560>] driver_attach+0x30/0x40
[<ffff2000089e7c38>] bus_add_driver+0x278/0x3a0
[<ffff2000089ea27c>] driver_register+0xb4/0x198
[<ffff2000089ebe0c>] __platform_driver_register+0x7c/0x88
[<ffff20000a0d78e8>] cdns3_driver_platform_register+0x1c/0x24
[<ffff200008083cc0>] do_one_initcall+0x90/0x1b8
[<ffff20000a071040>] kernel_init_freeable+0x238/0x2d8
[<ffff20000948c2a8>] kernel_init+0x10/0x118
[<ffff200008085450>] ret_from_fork+0x10/0x18

Allocated by task 1:
 kasan_kmalloc+0xd8/0x188
 __cdns3_gadget_init+0xb8/0x998
 cdns3_gadget_init+0xbc/0xd0
 cdns3_probe+0x718/0x940
 platform_drv_probe+0x70/0xf0
 driver_probe_device+0x388/0x5f0
 __driver_attach+0x14c/0x150
 bus_for_each_dev+0xd8/0x138
 driver_attach+0x30/0x40
 bus_add_driver+0x278/0x3a0
 driver_register+0xb4/0x198
 __platform_driver_register+0x7c/0x88
 cdns3_driver_platform_register+0x1c/0x24
 do_one_initcall+0x90/0x1b8
 kernel_init_freeable+0x238/0x2d8
 kernel_init+0x10/0x118
 ret_from_fork+0x10/0x18

Freed by task 1:
 kasan_slab_free+0x88/0x188
 kfree+0x70/0x1e0
 cdns3_gadget_release+0x60/0x80
 device_release+0x44/0xd8
 kobject_put+0xd8/0x280
 device_unregister+0x28/0x80
 cdns3_gadget_remove+0x100/0x1d8
 cdns3_probe+0x634/0x940
 platform_drv_probe+0x70/0xf0
 driver_probe_device+0x388/0x5f0
 __driver_attach+0x14c/0x150
 bus_for_each_dev+0xd8/0x138
 driver_attach+0x30/0x40
 bus_add_driver+0x278/0x3a0
 driver_register+0xb4/0x198
 __platform_driver_register+0x7c/0x88
 cdns3_driver_platform_register+0x1c/0x24
 do_one_initcall+0x90/0x1b8
 kernel_init_freeable+0x238/0x2d8
 kernel_init+0x10/0x118
 ret_from_fork+0x10/0x18

The buggy address belongs to the object at ffff80081f881100
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 1696 bytes inside of
 4096-byte region [ffff80081f881100, ffff80081f882100)
The buggy address belongs to the page:
page:ffff7e00207e2000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x1fffc00000008100(slab|head)
raw: 1fffc00000008100 0000000000000000 0000000000000000 0000000180070007
raw: dead000000000100 dead000000000200 ffff800822003200 0000000000000000
page dumped because: kasan: bad access detected

Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
(cherry picked from commit 68e0107f55ad121ac07f7660f63d42522ba2f64f)
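
The following triage script is an added example, not part of the commit or the kernel tree. It parses an abridged copy of the report above and checks whether the faulting function also appears on the "Freed by" stack at an earlier offset, which is the pattern this report shows. The helper name `triage` and its result keys are hypothetical.

```python
import re
# Abridged from the KASAN report in the commit message above.
REPORT = """\
BUG: KASAN: use-after-free in cdns3_gadget_remove+0x114/0x1d8
Read of size 8 at addr ffff80081f8817a0 by task swapper/0/1
Allocated by task 1:
 kasan_kmalloc+0xd8/0x188
 __cdns3_gadget_init+0xb8/0x998
Freed by task 1:
 kasan_slab_free+0x88/0x188
 kfree+0x70/0x1e0
 cdns3_gadget_release+0x60/0x80
 device_release+0x44/0xd8
 kobject_put+0xd8/0x280
 device_unregister+0x28/0x80
 cdns3_gadget_remove+0x100/0x1d8
The buggy address belongs to the object at ffff80081f881100
"""
FRAME = re.compile(r"^\s*(?:\[<[0-9a-f]+>\]\s*)?([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+\s*$")

def triage(report):
    """Summarise a KASAN use-after-free report (hypothetical helper, not a kernel tool)."""
    head = re.search(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x([0-9a-f]+)/", report)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", report)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", report)
    stacks, cur = {"Allocated": [], "Freed": []}, None
    for line in report.splitlines():
        sec = re.match(r"(Allocated|Freed) by task", line)
        frame = FRAME.match(line)
        if sec:
            cur = stacks[sec.group(1)]
        elif frame and cur is not None:
            cur.append((frame.group(1), int(frame.group(2), 16)))
        else:
            cur = None  # any other line ends the current stack section
    func, off = head.group(2), int(head.group(3), 16)
    names = [n for n, _ in stacks["Freed"]]
    # Heuristic: the faulting function is itself on the free stack, at a lower
    # offset than the bad access, so it released the object and then used it.
    idx = names.index(func) if func in names else None
    free_off = stacks["Freed"][idx][1] if idx is not None else None
    return {
        "kind": head.group(1), "op": acc.group(1), "size": int(acc.group(2)),
        "function": func, "access_off": off, "free_off": free_off,
        "freed_then_used": free_off is not None and free_off < off,
        "free_path": names[:idx + 1][::-1] if idx is not None else [],
        "object_offset": int(acc.group(3), 16) - int(obj.group(1), 16),
        "allocator": next((n for n, _ in stacks["Allocated"] if "kasan" not in n), None),
    }
```

For this report the result points at `cdns3_gadget_remove`: the `device_unregister()` call that ends in `cdns3_gadget_release()` and `kfree()` returns at +0x100, and the 8-byte read of the same object faults at +0x114.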