From: Greg KH <gregkh@linuxfoundation.org>
To: Benson Leung <bleung@chromium.org>
Cc: ming.lei@canonical.com, linux-kernel@vger.kernel.org,
olofj@chromium.org, stable@vger.kernel.org
Subject: Re: [PATCH] driver core : Fix use after free of dev->parent in device_shutdown
Date: Tue, 24 Sep 2013 15:10:11 -0700
Message-ID: <20130924221011.GA3837@kroah.com>
In-Reply-To: <1380058748-9347-1-git-send-email-bleung@chromium.org>
On Tue, Sep 24, 2013 at 02:39:08PM -0700, Benson Leung wrote:
> The put_device(dev) at the bottom of the loop of device_shutdown
> may result in the dev being cleaned up. In device_create_release,
> the dev is kfreed.
>
> However, device_shutdown attempts to use the dev pointer again after
> put_device by referring to dev->parent.
>
> Copy the parent pointer instead to avoid this condition.
>
> This bug was found on Chromium OS's chromeos-3.8, which is based on v3.8.11.
> See bug report: https://code.google.com/p/chromium/issues/detail?id=297842
> This can easily be reproduced when shutting down with
> hidraw devices that report battery condition.
> Two examples are the HP Bluetooth Mouse X4000b and the Apple Magic Mouse.
> For example, with the magic mouse:
> The dev in question is "hidraw0"
> dev->parent is "magicmouse"
>
> In the course of the shutdown for this device, the input event cleanup calls
> a put on hidraw0, decrementing its reference count.
> When we finally get to put_device(dev) in device_shutdown, kobject_cleanup
> is called and device_create_release does kfree(dev).
> dev->parent is no longer valid, and we may crash in
> put_device(dev->parent).
>
> This change should be applied on any kernel with this change:
> d1c6c030fcec6f860d9bb6c632a3ebe62e28440b
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Benson Leung <bleung@chromium.org>
The patch makes sense, but I wonder why no one has ever seen this
problem before.
Odd...
thanks for the fix, I'll queue it up for 3.12-final soon.
greg k-h
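A constructed C model of the refcount sequence the report describes, added here as an illustration; it is not kernel code and not part of the thread. put_dev() stands in for put_device(), the struct layout and the two device names are assumptions, and the last put only flags the object as released so the stale read can be counted rather than crashing.

```c
/* Constructed model of a refcounted device; not the kernel's struct device. */
struct dev {
    const char *name;
    int refcount;
    struct dev *parent;
    int freed;          /* stands in for kfree(): the object is gone */
};
static int uaf_hits;    /* field reads made on an already-released object */

/* Models put_device(): the last put releases the object (flagged, not freed). */
static void put_dev(struct dev *d)
{
    if (d && --d->refcount == 0)
        d->freed = 1;
}

/* Every read of ->parent goes through here so stale reads become visible. */
static struct dev *parent_of(struct dev *d)
{
    if (d->freed)
        uaf_hits++;
    return d->parent;
}

/* Buggy loop body: drops the child, then reads child->parent. */
int shutdown_buggy(struct dev *d)
{
    int before = uaf_hits;
    put_dev(d);
    put_dev(parent_of(d));   /* d may already be released here */
    return uaf_hits - before;
}

/* Fixed loop body: copy the parent pointer while the child is still held. */
int shutdown_fixed(struct dev *d)
{
    int before = uaf_hits;
    struct dev *parent = parent_of(d);
    put_dev(d);
    put_dev(parent);
    return uaf_hits - before;
}

/* Reported scenario: hidraw0 has one reference left; magicmouse is held by
 * hidraw0 and by us. Returns how many stale reads the chosen variant made. */
int run_shutdown(int use_fix)
{
    struct dev magicmouse = { "magicmouse", 2, 0, 0 };
    struct dev hidraw0 = { "hidraw0", 1, &magicmouse, 0 };
    return use_fix ? shutdown_fixed(&hidraw0) : shutdown_buggy(&hidraw0);
}
```

With a real allocator the stale read lands on memory that may already have been reused, which is why the report sees a crash rather than a counted hit.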