From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Sören Brinkmann" <soren.brinkmann@xilinx.com>,
"Lai Jiangshan" <laijs@cn.fujitsu.com>,
"Mike Turquette" <mturquette@linaro.org>
Subject: [ 07/95] clk: remove notifier from list before freeing it
Date: Tue, 25 Jun 2013 11:31:54 -0700 [thread overview]
Message-ID: <20130625182154.471338406@linuxfoundation.org> (raw)
In-Reply-To: <20130625182153.605455184@linuxfoundation.org>
3.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lai Jiangshan <laijs@cn.fujitsu.com>
commit 72b5322f11ff0abf6a52b3007486656578d2c982 upstream.
The @cn is stay in @clk_notifier_list after it is freed, it cause
memory corruption.
Example, if @clk is registered(first), unregistered(first),
registered(second), unregistered(second).
The freed @cn will be used when @clk is registered(second),
and the bug will be happened when @clk is unregistered(second):
[ 517.040000] clk_notif_dbg clk_notif_dbg.1: clk_notifier_unregister()
[ 517.040000] Unable to handle kernel paging request at virtual address 00df3008
[ 517.050000] pgd = ed858000
[ 517.050000] [00df3008] *pgd=00000000
[ 517.060000] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 517.060000] Modules linked in: clk_notif_dbg(O-) [last unloaded: clk_notif_dbg]
[ 517.060000] CPU: 1 PID: 499 Comm: modprobe Tainted: G O 3.10.0-rc3-00119-ga93cb29-dirty #85
[ 517.060000] task: ee1e0180 ti: ee3e6000 task.ti: ee3e6000
[ 517.060000] PC is at srcu_readers_seq_idx+0x48/0x84
[ 517.060000] LR is at srcu_readers_seq_idx+0x60/0x84
[ 517.060000] pc : [<c0052720>] lr : [<c0052738>] psr: 80070013
[ 517.060000] sp : ee3e7d48 ip : 00000000 fp : ee3e7d6c
[ 517.060000] r10: 00000000 r9 : ee3e6000 r8 : 00000000
[ 517.060000] r7 : ed84fe4c r6 : c068ec90 r5 : c068e430 r4 : 00000000
[ 517.060000] r3 : 00df3000 r2 : 00000000 r1 : 00000002 r0 : 00000000
[ 517.060000] Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 517.060000] Control: 18c5387d Table: 2d85804a DAC: 00000015
[ 517.060000] Process modprobe (pid: 499, stack limit = 0xee3e6238)
[ 517.060000] Stack: (0xee3e7d48 to 0xee3e8000)
....
[ 517.060000] [<c0052720>] (srcu_readers_seq_idx+0x48/0x84) from [<c0052790>] (try_check_zero+0x34/0xfc)
[ 517.060000] [<c0052790>] (try_check_zero+0x34/0xfc) from [<c00528b0>] (srcu_advance_batches+0x58/0x114)
[ 517.060000] [<c00528b0>] (srcu_advance_batches+0x58/0x114) from [<c0052c30>] (__synchronize_srcu+0x114/0x1ac)
[ 517.060000] [<c0052c30>] (__synchronize_srcu+0x114/0x1ac) from [<c0052d14>] (synchronize_srcu+0x2c/0x34)
[ 517.060000] [<c0052d14>] (synchronize_srcu+0x2c/0x34) from [<c0053a08>] (srcu_notifier_chain_unregister+0x68/0x74)
[ 517.060000] [<c0053a08>] (srcu_notifier_chain_unregister+0x68/0x74) from [<c0375a78>] (clk_notifier_unregister+0x7c/0xc0)
[ 517.060000] [<c0375a78>] (clk_notifier_unregister+0x7c/0xc0) from [<bf008034>] (clk_notif_dbg_remove+0x34/0x9c [clk_notif_dbg])
[ 517.060000] [<bf008034>] (clk_notif_dbg_remove+0x34/0x9c [clk_notif_dbg]) from [<c02bb974>] (platform_drv_remove+0x24/0x28)
[ 517.060000] [<c02bb974>] (platform_drv_remove+0x24/0x28) from [<c02b9bf8>] (__device_release_driver+0x8c/0xd4)
[ 517.060000] [<c02b9bf8>] (__device_release_driver+0x8c/0xd4) from [<c02ba680>] (driver_detach+0x9c/0xc4)
[ 517.060000] [<c02ba680>] (driver_detach+0x9c/0xc4) from [<c02b99c4>] (bus_remove_driver+0xcc/0xfc)
[ 517.060000] [<c02b99c4>] (bus_remove_driver+0xcc/0xfc) from [<c02bace4>] (driver_unregister+0x54/0x78)
[ 517.060000] [<c02bace4>] (driver_unregister+0x54/0x78) from [<c02bbb44>] (platform_driver_unregister+0x1c/0x20)
[ 517.060000] [<c02bbb44>] (platform_driver_unregister+0x1c/0x20) from [<bf0081f8>] (clk_notif_dbg_driver_exit+0x14/0x1c [clk_notif_dbg])
[ 517.060000] [<bf0081f8>] (clk_notif_dbg_driver_exit+0x14/0x1c [clk_notif_dbg]) from [<c00835e4>] (SyS_delete_module+0x200/0x28c)
[ 517.060000] [<c00835e4>] (SyS_delete_module+0x200/0x28c) from [<c000edc0>] (ret_fast_syscall+0x0/0x48)
[ 517.060000] Code: e5973004 e7911102 e0833001 e2881002 (e7933101)
Reported-by: Sören Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: Lai Jiangshan <laijs@cn.fujitsu.com>
Tested-by: Sören Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: Mike Turquette <mturquette@linaro.org>
[mturquette@linaro.org: shortened $SUBJECT]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/clk.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -1759,6 +1759,7 @@ int clk_notifier_unregister(struct clk *
/* XXX the notifier code should handle this better */
if (!cn->notifier_head.head) {
srcu_cleanup_notifier_head(&cn->notifier_head);
+ list_del(&cn->node);
kfree(cn);
}
next prev parent reply other threads:[~2013-06-25 18:31 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-25 18:31 [ 00/95] 3.9.8-stable review Greg Kroah-Hartman
2013-06-25 18:31 ` [ 01/95] ARM: 7752/1: errata: LoUIS bit field in CLIDR register is incorrect Greg Kroah-Hartman
2013-06-25 18:31 ` [ 02/95] ARM: 7754/1: Fix the CPU ID and the mask associated to the PJ4B Greg Kroah-Hartman
2013-06-25 18:31 ` [ 03/95] perf: arm64: Record the user-mode PC in the call chain Greg Kroah-Hartman
2013-06-25 18:31 ` [ 04/95] ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam c310 Greg Kroah-Hartman
2013-06-25 18:31 ` [ 05/95] ALSA: hda - Fix pin configurations for MacBook Air 4,2 Greg Kroah-Hartman
2013-06-25 18:31 ` [ 06/95] ALSA: usb-audio: work around Android accessory firmware bug Greg Kroah-Hartman
2013-06-25 18:31 ` Greg Kroah-Hartman [this message]
2013-06-25 18:31 ` [ 08/95] tilepro: work around module link error with gcc 4.7 Greg Kroah-Hartman
2013-06-25 18:31 ` [ 09/95] rtlwifi: rtl8192cu: Fix problem in connecting to WEP or WPA(1) networks Greg Kroah-Hartman
2013-06-25 18:31 ` [ 10/95] brcmfmac: Turn off ARP offloading when configured for AP Greg Kroah-Hartman
2013-06-25 18:31 ` [ 11/95] parisc: add kernel stack overflow check Greg Kroah-Hartman
2013-06-25 18:31 ` [ 12/95] parisc: implement irq stacks Greg Kroah-Hartman
2013-06-25 18:32 ` [ 13/95] parisc: more irq statistics in /proc/interrupts Greg Kroah-Hartman
2013-06-25 18:32 ` [ 14/95] parisc: tlb flush counting fix for SMP and UP Greg Kroah-Hartman
2013-06-25 18:32 ` [ 15/95] parisc: remove the second argument of kmap_atomic() Greg Kroah-Hartman
2013-06-25 18:32 ` [ 16/95] parisc: implement irq stacks - part 2 (v2) Greg Kroah-Hartman
2013-06-25 18:32 ` [ 17/95] parisc: add rp5470 entry to machine database Greg Kroah-Hartman
2013-06-25 18:32 ` [ 18/95] parisc: show number of FPE and unaligned access handler calls in /proc/interrupts Greg Kroah-Hartman
2013-06-25 18:32 ` [ 19/95] parisc: make interrupt and interruption stack allocation reentrant Greg Kroah-Hartman
2013-06-25 18:32 ` [ 20/95] parisc: fix irq stack on UP and SMP Greg Kroah-Hartman
2013-06-25 18:32 ` [ 21/95] parisc: memory overflow, name length is too short for using Greg Kroah-Hartman
2013-06-25 18:32 ` [ 22/95] parisc: fix kernel BUG at arch/parisc/include/asm/mmzone.h:50 Greg Kroah-Hartman
2013-06-25 18:32 ` [ 23/95] parisc: rename "CONFIG_PA7100" to "CONFIG_PA7000" Greg Kroah-Hartman
2013-06-25 18:32 ` [ 24/95] parisc: kernel: using strlcpy() instead of strcpy() Greg Kroah-Hartman
2013-06-25 18:32 ` [ 25/95] parisc: parport0: fix this legacy no-device port driver! Greg Kroah-Hartman
2013-06-25 18:32 ` [ 26/95] parisc: fix kernel BUG at arch/parisc/include/asm/mmzone.h:50 (part 2) Greg Kroah-Hartman
2013-06-25 18:32 ` [ 27/95] parisc: fix serial ports on C8000 workstation Greg Kroah-Hartman
2013-06-25 18:32 ` [ 28/95] parisc: provide pci_mmap_page_range() for parisc Greg Kroah-Hartman
2013-06-25 18:32 ` [ 29/95] carl9170: fix frame drop and WARN due to minstrel_ht change Greg Kroah-Hartman
2013-06-25 18:32 ` [ 30/95] x86/efi: Fix dummy variable buffer allocation Greg Kroah-Hartman
2013-06-25 18:32 ` [ 31/95] x86: kvmclock: zero initialize pvclock shared memory area Greg Kroah-Hartman
2013-06-25 18:32 ` [ 32/95] KVM: x86: remove vcpus CPL check in host-invoked XCR set Greg Kroah-Hartman
2013-06-25 18:32 ` [ 33/95] ACPI / resources: call acpi_get_override_irq() only for legacy IRQ resources Greg Kroah-Hartman
2013-06-25 18:32 ` [ 34/95] ACPI / dock: Take ACPI scan lock in write_undock() Greg Kroah-Hartman
2013-06-25 18:32 ` [ 35/95] ACPI / PM: Fix error code path for power resources initialization Greg Kroah-Hartman
2013-06-25 18:32 ` [ 36/95] drm/prime: Honor requested file flags when exporting a buffer Greg Kroah-Hartman
2013-06-25 18:32 ` [ 37/95] drm/radeon: do not try to uselessly update virtual memory pagetable Greg Kroah-Hartman
2013-06-25 18:32 ` [ 38/95] drm/radeon: update lockup tracking when scheduling in empty ring Greg Kroah-Hartman
2013-06-25 18:32 ` [ 39/95] range: Do not add new blank slot with add_range_with_merge Greg Kroah-Hartman
2013-06-25 18:32 ` [ 40/95] x86, mtrr: Fix original mtrr range get for mtrr_cleanup Greg Kroah-Hartman
2013-06-25 18:32 ` [ 41/95] x86: fix build error and kconfig for ia32_emulation and binfmt Greg Kroah-Hartman
2013-06-25 18:32 ` [ 42/95] x86: Fix section mismatch on load_ucode_ap Greg Kroah-Hartman
2013-06-25 18:32 ` [ 43/95] net: fec: fix kernel oops when plug/unplug cable many times Greg Kroah-Hartman
2013-06-25 18:32 ` [ 44/95] tcp: fix tcp_md5_hash_skb_data() Greg Kroah-Hartman
2013-06-25 18:32 ` [ 45/95] net/802/mrp: fix lockdep splat Greg Kroah-Hartman
2013-06-25 18:32 ` [ 46/95] gianfar: add missing iounmap() on error in gianfar_ptp_probe() Greg Kroah-Hartman
2013-06-25 18:32 ` [ 47/95] vxlan: Update vxlan fdb used field after each usage Greg Kroah-Hartman
2013-06-25 18:32 ` [ 48/95] ipv6: fix possible crashes in ip6_cork_release() Greg Kroah-Hartman
2013-06-25 18:32 ` [ 49/95] netlabel: improve domain mapping validation Greg Kroah-Hartman
2013-06-25 18:32 ` [ 50/95] r8169: fix offloaded tx checksum for small packets Greg Kroah-Hartman
2013-06-25 18:32 ` [ 51/95] 8139cp: reset BQL when ring tx ring cleared Greg Kroah-Hartman
2013-06-25 18:32 ` [ 52/95] tcp: bug fix in proportional rate reduction Greg Kroah-Hartman
2013-06-25 18:32 ` [ 53/95] xfrm: properly handle invalid states as an error Greg Kroah-Hartman
2013-06-25 18:32 ` [ 54/95] tcp: xps: fix reordering issues Greg Kroah-Hartman
2013-06-25 18:32 ` [ 55/95] ip_tunnel: fix kernel panic with icmp_dest_unreach Greg Kroah-Hartman
2013-06-25 18:32 ` [ 56/95] net: phy: fix a bug when verify the EEE support Greg Kroah-Hartman
2013-06-25 18:32 ` [ 57/95] ipv4: fix redirect handling for TCP packets Greg Kroah-Hartman
2013-06-25 18:32 ` [ 58/95] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg Greg Kroah-Hartman
2013-06-25 18:32 ` [ 59/95] net/core/sock.c: add missing VSOCK string in af_family_*_key_strings Greg Kroah-Hartman
2013-06-25 18:32 ` [ 60/95] tuntap: forbid changing mq flag for persistent device Greg Kroah-Hartman
2013-06-25 18:32 ` [ 61/95] udp6: Fix udp fragmentation for tunnel traffic Greg Kroah-Hartman
2013-06-25 18:32 ` [ 62/95] net: force a reload of first item in hlist_nulls_for_each_entry_rcu Greg Kroah-Hartman
2013-06-25 18:32 ` [ 63/95] net_sched: restore "overhead xxx" handling Greg Kroah-Hartman
2013-06-25 18:32 ` [ 64/95] ipv6: assign rt6_info to inet6_ifaddr in init_loopback Greg Kroah-Hartman
2013-06-25 18:32 ` [ 65/95] net_sched: htb: do not mix 1ns and 64ns time units Greg Kroah-Hartman
2013-06-25 18:32 ` [ 66/95] vhost_net: clear msg.control for non-zerocopy case during tx Greg Kroah-Hartman
2013-06-25 18:32 ` [ 67/95] net: sctp: fix NULL pointer dereference in socket destruction Greg Kroah-Hartman
2013-06-25 18:32 ` [ 68/95] tuntap: set SOCK_ZEROCOPY flag during open Greg Kroah-Hartman
2013-06-25 18:32 ` [ 69/95] team: check return value of team_get_port_by_index_rcu() for NULL Greg Kroah-Hartman
2013-06-25 18:32 ` [ 70/95] team: move add to port list before port enablement Greg Kroah-Hartman
2013-06-25 18:32 ` [ 71/95] packet: packet_getname_spkt: make sure string is always 0-terminated Greg Kroah-Hartman
2013-06-25 18:32 ` [ 72/95] l2tp: Fix PPP header erasure and memory leak Greg Kroah-Hartman
2013-06-25 18:33 ` [ 73/95] l2tp: Fix sendmsg() return value Greg Kroah-Hartman
2013-06-25 18:33 ` [ 74/95] sctp: fully initialize sctp_outq in sctp_outq_init Greg Kroah-Hartman
2013-06-25 18:33 ` [ 75/95] net: sh_eth: fix incorrect RX length error if R8A7740 Greg Kroah-Hartman
2013-06-25 18:33 ` [ 76/95] tuntap: correct the return value in tun_set_iff() Greg Kroah-Hartman
2013-06-25 18:33 ` [ 77/95] macvtap: set transport header before passing skb to lower device Greg Kroah-Hartman
2013-06-25 18:33 ` [ 78/95] tuntap: set transport header before passing it to kernel Greg Kroah-Hartman
2013-06-25 18:33 ` [ 79/95] packet: set transport header before doing xmit Greg Kroah-Hartman
2013-06-25 18:33 ` [ 80/95] netback: set transport header before passing it to kernel Greg Kroah-Hartman
2013-06-25 18:33 ` [ 81/95] net_sched: better precise estimation on packet length for untrusted packets Greg Kroah-Hartman
2013-06-25 18:33 ` [ 82/95] Input: cyttsp - fix memcpy size param Greg Kroah-Hartman
2013-06-25 18:33 ` [ 83/95] Input: add missing dependencies on CONFIG_HAS_IOMEM Greg Kroah-Hartman
2013-06-25 18:33 ` [ 84/95] Input: xpad - fix for "Mad Catz Street Fighter IV FightPad" controllers Greg Kroah-Hartman
2013-06-25 18:33 ` [ 85/95] USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable Greg Kroah-Hartman
2013-06-25 18:33 ` [ 86/95] firmware loader: fix use-after-free by double abort Greg Kroah-Hartman
2013-06-25 18:33 ` [ 87/95] tcm_qla2xxx: Fix residual for underrun commands that fail Greg Kroah-Hartman
2013-06-25 18:33 ` [ 88/95] tty: Fix transient pty write() EIO Greg Kroah-Hartman
2013-06-25 18:33 ` [ 89/95] target/iscsi: dont corrupt bh_count in iscsit_stop_time2retain_timer() Greg Kroah-Hartman
2013-06-25 18:33 ` [ 90/95] rbd: use the correct length for format 2 object names Greg Kroah-Hartman
2013-06-25 18:33 ` [ 91/95] perf: Fix perf mmap bugs Greg Kroah-Hartman
2013-06-25 18:33 ` [ 92/95] perf: Fix mmap() accounting hole Greg Kroah-Hartman
2013-06-25 18:33 ` [ 93/95] drivers: uio: Fix UIO device registration failure Greg Kroah-Hartman
2013-06-25 18:33 ` [ 94/95] spi/pxa2xx: use GFP_ATOMIC in sg table allocation Greg Kroah-Hartman
2013-06-25 18:33 ` [ 95/95] spi/pxa2xx: fix memory corruption due to wrong size used in devm_kzalloc() Greg Kroah-Hartman
2013-06-26 2:58 ` [ 00/95] 3.9.8-stable review Guenter Roeck
2013-06-26 3:36 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130625182154.471338406@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=laijs@cn.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mturquette@linaro.org \
--cc=soren.brinkmann@xilinx.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).