linux/drivers/base
Bart Van Assche 174be70b63 driver-core: Fix use-after-free triggered by bus_unregister()
Avoid that bus_unregister() triggers a use-after-free with
CONFIG_DEBUG_KOBJECT_RELEASE=y. This patch avoids that the
following sequence triggers a kernel crash with memory poisoning
enabled:
* bus_register()
* driver_register()
* driver_unregister()
* bus_unregister()

The above sequence causes the bus private data to be freed from
inside the bus_unregister() call although it is not guaranteed in
that function that the reference count on the bus private data has
dropped to zero. As an example, with CONFIG_DEBUG_KOBJECT_RELEASE=y
the ${bus}/drivers kobject is still holding a reference on
bus->p->subsys.kobj via its parent pointer at the time the bus
private data is freed. Fix this by deferring freeing the bus private
data until the last kobject_put() call on bus->p->subsys.kobj.

The kernel oops triggered by the above sequence and with memory
poisoning enabled and that is fixed by this patch is as follows:

general protection fault: 0000 [#1] PREEMPT SMP
CPU: 3 PID: 2711 Comm: kworker/3:32 Tainted: G        W  O 3.13.0-rc4-debug+ #1
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Workqueue: events kobject_delayed_cleanup
task: ffff880037f866d0 ti: ffff88003b638000 task.ti: ffff88003b638000
Call Trace:
 [<ffffffff81263105>] ? kobject_get_path+0x25/0x100
 [<ffffffff81264354>] kobject_uevent_env+0x134/0x600
 [<ffffffff8126482b>] kobject_uevent+0xb/0x10
 [<ffffffff81262fa2>] kobject_delayed_cleanup+0xc2/0x1b0
 [<ffffffff8106c047>] process_one_work+0x217/0x700
 [<ffffffff8106bfdb>] ? process_one_work+0x1ab/0x700
 [<ffffffff8106c64b>] worker_thread+0x11b/0x3a0
 [<ffffffff8106c530>] ? process_one_work+0x700/0x700
 [<ffffffff81074b70>] kthread+0xf0/0x110
 [<ffffffff81074a80>] ? insert_kthread_work+0x80/0x80
 [<ffffffff815673bc>] ret_from_fork+0x7c/0xb0
 [<ffffffff81074a80>] ? insert_kthread_work+0x80/0x80
Code: 89 f8 48 89 e5 f6 82 c0 27 63 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 27 63 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
RIP  [<ffffffff81267ed0>] strlen+0x0/0x30
 RSP <ffff88003b639c70>
---[ end trace 210f883ef80376aa ]---

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Acked-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-01-08 15:36:18 -08:00
..
power Merge branches 'pm-cpuidle' and 'pm-cpufreq' 2013-12-06 02:17:59 +01:00
regmap Merge remote-tracking branches 'regmap/fix/doc' and 'regmap/fix/mmio' into regmap-linus 2013-11-26 13:16:56 +00:00
attribute_container.c drivers: avoid format string in dev_set_name 2013-07-03 16:07:41 -07:00
base.h driver core: bus_type: add drv_groups 2013-08-12 15:33:31 -07:00
bus.c driver-core: Fix use-after-free triggered by bus_unregister() 2014-01-08 15:36:18 -08:00
class.c sysfs: make attr namespace interface less convoluted 2013-09-26 14:50:01 -07:00
core.c Driver core: Fix device_add_attrs() error code path 2013-12-18 15:50:16 -08:00
cpu.c hotplug, powerpc, x86: Remove cpu_hotplug_driver_lock() 2013-09-30 19:55:51 +02:00
dd.c PM / runtime: Use pm_runtime_put_sync() in __device_release_driver() 2013-11-07 19:13:49 +01:00
devres.c devres: restore zeroing behavior of devres_alloc() 2013-10-25 05:46:27 +01:00
devtmpfs.c devtmpfs: Calling delete_path() only when necessary 2013-12-19 10:10:32 -08:00
dma-buf.c dma-buf: Expose buffer size to userspace (v2) 2013-09-10 11:36:45 +05:30
dma-coherent.c drivers: dma-coherent: Fix typo in dma_mmap_from_coherent documentation 2012-10-23 14:05:32 +02:00
dma-contiguous.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-11-15 16:47:22 -08:00
dma-mapping.c [media] dma-mapping: fix dma_common_get_sgtable() conditional compilation 2012-11-27 09:42:31 -02:00
driver.c driver core: add #include <linux/sysfs.h> to core files. 2013-08-27 10:24:15 -07:00
firmware_class.c firmware loader: Add sparse annotation 2014-01-08 15:36:18 -08:00
firmware.c
hypervisor.c drivers/base: Add export.h for EXPORT_SYMBOL/THIS_MODULE as required. 2011-10-31 19:31:38 -04:00
init.c driver-core: implement 'sysdev' functionality for regular devices and buses 2011-12-14 14:29:38 -08:00
isa.c
Kconfig Merge remote-tracking branch 'dma-public/for-v3.12-cma-dma' into for-next 2013-07-15 11:13:54 +02:00
Makefile Merge remote-tracking branch 'origin/next' into kvm-ppc-next 2013-08-29 00:41:59 +02:00
map.c
memory.c driver core: Release device_hotplug_lock when store_mem_state returns EINVAL 2013-10-16 18:42:41 -07:00
module.c driver core: module.c: Use kasprintf 2010-05-21 09:37:29 -07:00
node.c thp: account anon transparent huge pages into NR_ANON_PAGES 2013-09-12 15:38:03 -07:00
pinctrl.c drivers: pinctrl sleep and idle states in the core 2013-06-16 11:56:52 +02:00
platform.c ACPI / driver core: Store an ACPI device pointer in struct acpi_dev_node 2013-11-14 23:14:43 +01:00
reservation.c reservation: cross-device reservation support, v4 2013-06-28 12:02:15 +10:00
soc.c mode_t whack-a-mole: ->is_visible() returns umode_t... 2012-05-29 23:28:42 -04:00
syscore.c PM: Reintroduce dropped call to check_wakeup_irqs 2011-07-11 10:51:49 +02:00
topology.c cpu topology: remove stale arch_provides_topology_pointers and define_siblings_show_map/list() 2013-07-29 13:12:45 -07:00
transport_class.c drivers/base: transport_class explicitly requires EXPORT_SYMBOL 2011-10-31 19:31:15 -04:00