MLK-20585-1 usb: cdns3: gadget: fix the KASAN issue

BUG: KASAN: use-after-free in cdns3_gadget_remove+0x114/0x1d8
Read of size 8 at addr ffff80081f8817a0 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.78-05577-gbe1ecd23b99a-dirty #231
Hardware name: Freescale i.MX8QXP MEK (DT)
Call trace:
[<ffff20000808cd10>] dump_backtrace+0x0/0x510
[<ffff20000808d234>] show_stack+0x14/0x20
[<ffff200009471d84>] dump_stack+0xa4/0xc8
[<ffff2000082966c0>] print_address_description+0x60/0x250
[<ffff200008296bb8>] kasan_report+0x240/0x308
[<ffff2000082952e0>] __asan_load8+0x88/0xb0
[<ffff200008d089cc>] cdns3_gadget_remove+0x114/0x1d8
[<ffff200008d0220c>] cdns3_probe+0x634/0x940
[<ffff2000089ebf10>] platform_drv_probe+0x70/0xf0
[<ffff2000089e9060>] driver_probe_device+0x388/0x5f0
[<ffff2000089e9414>] __driver_attach+0x14c/0x150
[<ffff2000089e5dd8>] bus_for_each_dev+0xd8/0x138
[<ffff2000089e8560>] driver_attach+0x30/0x40
[<ffff2000089e7c38>] bus_add_driver+0x278/0x3a0
[<ffff2000089ea27c>] driver_register+0xb4/0x198
[<ffff2000089ebe0c>] __platform_driver_register+0x7c/0x88
[<ffff20000a0d78e8>] cdns3_driver_platform_register+0x1c/0x24
[<ffff200008083cc0>] do_one_initcall+0x90/0x1b8
[<ffff20000a071040>] kernel_init_freeable+0x238/0x2d8
[<ffff20000948c2a8>] kernel_init+0x10/0x118
[<ffff200008085450>] ret_from_fork+0x10/0x18

Allocated by task 1:
kasan_kmalloc+0xd8/0x188
__cdns3_gadget_init+0xb8/0x998
cdns3_gadget_init+0xbc/0xd0
cdns3_probe+0x718/0x940
platform_drv_probe+0x70/0xf0
driver_probe_device+0x388/0x5f0
__driver_attach+0x14c/0x150
bus_for_each_dev+0xd8/0x138
driver_attach+0x30/0x40
bus_add_driver+0x278/0x3a0
driver_register+0xb4/0x198
__platform_driver_register+0x7c/0x88
cdns3_driver_platform_register+0x1c/0x24
do_one_initcall+0x90/0x1b8
kernel_init_freeable+0x238/0x2d8
kernel_init+0x10/0x118
ret_from_fork+0x10/0x18
Freed by task 1:
kasan_slab_free+0x88/0x188
kfree+0x70/0x1e0
cdns3_gadget_release+0x60/0x80
device_release+0x44/0xd8
kobject_put+0xd8/0x280
device_unregister+0x28/0x80
cdns3_gadget_remove+0x100/0x1d8
cdns3_probe+0x634/0x940
platform_drv_probe+0x70/0xf0
driver_probe_device+0x388/0x5f0
__driver_attach+0x14c/0x150
bus_for_each_dev+0xd8/0x138
driver_attach+0x30/0x40
bus_add_driver+0x278/0x3a0
driver_register+0xb4/0x198
__platform_driver_register+0x7c/0x88
cdns3_driver_platform_register+0x1c/0x24
do_one_initcall+0x90/0x1b8
kernel_init_freeable+0x238/0x2d8
kernel_init+0x10/0x118
ret_from_fork+0x10/0x18

The buggy address belongs to the object at ffff80081f881100
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 1696 bytes inside of
4096-byte region [ffff80081f881100, ffff80081f882100)
The buggy address belongs to the page:
page:ffff7e00207e2000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x1fffc00000008100(slab|head)
raw: 1fffc00000008100 0000000000000000 0000000000000000 0000000180070007
raw: dead000000000100 dead000000000200 ffff800822003200 0000000000000000
page dumped because: kasan: bad access detected

Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Arulpandiyan Vadivel <arulpandiyan_vadivel@mentor.com>
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
(cherry picked from commit 62683f2ada3da52981b7cf3775a9bab95de2b00f)