kernel_samsung_a53x/drivers
Thadeu Lima de Souza Cascardo 6d2bfe9d4d usb: typec: altmode should keep reference to parent
[ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ]

The altmode device release refers to its parent device, but without keeping
a reference to it.

When registering the altmode, get a reference to the parent and put it in
the release function.

Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues
like this:

[   43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
[   43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
[   43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
[   43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
[   43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
[   43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
[   43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
[   46.612867] ==================================================================
[   46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
[   46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
[   46.614538]
[   46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
[   46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[   46.616042] Workqueue: events kobject_delayed_cleanup
[   46.616446] Call Trace:
[   46.616648]  <TASK>
[   46.616820]  dump_stack_lvl+0x5b/0x7c
[   46.617112]  ? typec_altmode_release+0x38/0x129
[   46.617470]  print_report+0x14c/0x49e
[   46.617769]  ? rcu_read_unlock_sched+0x56/0x69
[   46.618117]  ? __virt_addr_valid+0x19a/0x1ab
[   46.618456]  ? kmem_cache_debug_flags+0xc/0x1d
[   46.618807]  ? typec_altmode_release+0x38/0x129
[   46.619161]  kasan_report+0x8d/0xb4
[   46.619447]  ? typec_altmode_release+0x38/0x129
[   46.619809]  ? process_scheduled_works+0x3cb/0x85f
[   46.620185]  typec_altmode_release+0x38/0x129
[   46.620537]  ? process_scheduled_works+0x3cb/0x85f
[   46.620907]  device_release+0xaf/0xf2
[   46.621206]  kobject_delayed_cleanup+0x13b/0x17a
[   46.621584]  process_scheduled_works+0x4f6/0x85f
[   46.621955]  ? __pfx_process_scheduled_works+0x10/0x10
[   46.622353]  ? hlock_class+0x31/0x9a
[   46.622647]  ? lock_acquired+0x361/0x3c3
[   46.622956]  ? move_linked_works+0x46/0x7d
[   46.623277]  worker_thread+0x1ce/0x291
[   46.623582]  ? __kthread_parkme+0xc8/0xdf
[   46.623900]  ? __pfx_worker_thread+0x10/0x10
[   46.624236]  kthread+0x17e/0x190
[   46.624501]  ? kthread+0xfb/0x190
[   46.624756]  ? __pfx_kthread+0x10/0x10
[   46.625015]  ret_from_fork+0x20/0x40
[   46.625268]  ? __pfx_kthread+0x10/0x10
[   46.625532]  ret_from_fork_asm+0x1a/0x30
[   46.625805]  </TASK>
[   46.625953]
[   46.626056] Allocated by task 678:
[   46.626287]  kasan_save_stack+0x24/0x44
[   46.626555]  kasan_save_track+0x14/0x2d
[   46.626811]  __kasan_kmalloc+0x3f/0x4d
[   46.627049]  __kmalloc_noprof+0x1bf/0x1f0
[   46.627362]  typec_register_port+0x23/0x491
[   46.627698]  cros_typec_probe+0x634/0xbb6
[   46.628026]  platform_probe+0x47/0x8c
[   46.628311]  really_probe+0x20a/0x47d
[   46.628605]  device_driver_attach+0x39/0x72
[   46.628940]  bind_store+0x87/0xd7
[   46.629213]  kernfs_fop_write_iter+0x1aa/0x218
[   46.629574]  vfs_write+0x1d6/0x29b
[   46.629856]  ksys_write+0xcd/0x13b
[   46.630128]  do_syscall_64+0xd4/0x139
[   46.630420]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   46.630820]
[   46.630946] Freed by task 48:
[   46.631182]  kasan_save_stack+0x24/0x44
[   46.631493]  kasan_save_track+0x14/0x2d
[   46.631799]  kasan_save_free_info+0x3f/0x4d
[   46.632144]  __kasan_slab_free+0x37/0x45
[   46.632474]  kfree+0x1d4/0x252
[   46.632725]  device_release+0xaf/0xf2
[   46.633017]  kobject_delayed_cleanup+0x13b/0x17a
[   46.633388]  process_scheduled_works+0x4f6/0x85f
[   46.633764]  worker_thread+0x1ce/0x291
[   46.634065]  kthread+0x17e/0x190
[   46.634324]  ret_from_fork+0x20/0x40
[   46.634621]  ret_from_fork_asm+0x1a/0x30

Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-23 23:21:59 +01:00
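
The lifetime rule in the commit message above, as an added userspace C model (not code from the commit or the kernel): a release callback that reads its parent is only safe if the child holds a parent reference until that callback has run. `struct obj`, `put_obj`, `release`, `run_delayed` and `simulate` are hypothetical names, and the delays are constructed to mimic the delayed releases in the log.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed userspace model; every name here is hypothetical, not a kernel API. */
struct obj {
    int refs;            /* reference count */
    int delay;           /* release delay, like the "(delayed N)" values in the log */
    bool freed;          /* stands in for kfree(); memory is kept so reads stay defined */
    struct obj *parent;
    bool holds_parent;   /* true when registration took a parent reference */
};
static struct obj *pending[4];   /* objects whose release is scheduled */
static size_t npending;

static void put_obj(struct obj *o) {
    if (--o->refs == 0)
        pending[npending++] = o; /* last reference gone: schedule the release */
}

/* Release callback that, like the altmode release, refers to its parent. */
static int release(struct obj *o) {
    int stale = o->parent && o->parent->freed; /* the read KASAN would report */
    if (o->parent && o->holds_parent)
        put_obj(o->parent);      /* parent reference is dropped only here */
    o->freed = true;
    return stale;
}

/* Run scheduled releases, shortest delay first; return the stale parent reads. */
static int run_delayed(void) {
    int stale = 0;
    while (npending) {
        size_t best = 0;
        for (size_t i = 1; i < npending; i++)
            if (pending[i]->delay < pending[best]->delay)
                best = i;
        struct obj *o = pending[best];
        pending[best] = pending[--npending];
        stale += release(o);
    }
    return stale;
}

/* Unregister a port and its altmode; with 'fixed', registration took a port reference. */
int simulate(bool fixed) {
    struct obj port = { .refs = fixed ? 2 : 1, .delay = 1000 };
    struct obj alt = { .refs = 1, .delay = 3000, .parent = &port, .holds_parent = fixed };
    put_obj(&alt);   /* unregister the altmode */
    put_obj(&port);  /* unregister the port */
    return run_delayed();
}
```

`simulate(false)` returns 1 because the port is released before the altmode's callback reads it; `simulate(true)` returns 0 because the port cannot reach zero references until the altmode's release has put its reference.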
accessibility speakup: Fix sizeof() vs ARRAY_SIZE() bug 2024-11-19 12:26:51 +01:00
acpi ACPI: battery: Fix possible crash when unregistering a battery hook 2024-11-23 23:21:48 +01:00
amba
android binder: fix UAF caused by offsets overwrite 2024-11-23 23:21:07 +01:00
ata ata: sata_sil: Rename sil_blacklist to sil_quirks 2024-11-23 23:21:40 +01:00
atm atm: idt77252: prevent use after free in dequeue_rx() 2024-11-23 23:20:43 +01:00
auxdisplay
base driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute 2024-11-23 23:21:50 +01:00
battery
bcma
block aoe: fix the potential use-after-free problem in more places 2024-11-23 23:21:45 +01:00
bluetooth Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 2024-11-23 23:21:56 +01:00
bts
bus bus: integrator-lm: fix OF node leak in probe() 2024-11-23 23:21:30 +01:00
cdrom
char virtio_console: fix misc probe bugs 2024-11-23 23:21:49 +01:00
clk clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D 2024-11-23 23:21:50 +01:00
clocksource clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() 2024-11-23 23:21:20 +01:00
connector
counter counter: ti-eqep: enable clock at probe 2024-11-19 14:19:33 +01:00
cpufreq cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately 2024-11-23 23:21:18 +01:00
cpuidle cpuidle: menu: Take negative "sleep length" values into account 2024-11-19 18:01:28 +01:00
crypto crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure 2024-11-23 23:21:31 +01:00
dax
dca
devfreq PM / devfreq: Fix buffer overflow in trans_stat_show 2024-11-19 11:32:38 +01:00
dio
dma dmaengine: dw: Add memory bus width verification 2024-11-23 23:20:55 +01:00
dma-buf dma-buf/sync_file: Speed up ioctl by omitting debug names 2024-11-19 17:53:23 +01:00
edac EDAC, i10nm: make skx_common.o a separate module 2024-11-23 23:19:56 +01:00
eisa
extcon extcon: max8997: select IRQ_DOMAIN instead of depending on it 2024-11-19 12:27:04 +01:00
fingerprint
firewire firewire: nosy: ensure user_length is taken into account when fetching packet contents 2024-11-19 11:32:46 +01:00
firmware firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() 2024-11-23 23:21:42 +01:00
fpga fpga: region: add owner module and take its refcount 2024-11-19 12:27:04 +01:00
fsi
gnss
gpio gpio: aspeed: Use devm_clk api to manage clock source 2024-11-23 23:21:51 +01:00
gpu drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation 2024-11-23 23:21:58 +01:00
greybus greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-11-19 14:19:05 +01:00
gud
hid hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma 2024-11-23 23:21:53 +01:00
hsi
hv Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic 2024-11-23 23:21:07 +01:00
hwmon hwmon: (adm9240) Add missing dependency on REGMAP_I2C 2024-11-23 23:21:52 +01:00
hwspinlock hwspinlock: Introduce hwspin_lock_bust() 2024-11-23 23:20:58 +01:00
hwtracing coresight: tmc: sg: Do not leak sg_table 2024-11-23 23:21:28 +01:00
i2c i2c: i801: Use a different adapter-name for IDF adapters 2024-11-23 23:21:50 +01:00
i3c i3c: master: cdns: Update maximum prescaler value for i2c clock 2024-11-18 12:13:19 +01:00
ide
idle
ifconn
iio iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig 2024-11-23 23:21:56 +01:00
infiniband RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages 2024-11-23 23:21:58 +01:00
input Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal 2024-11-23 23:21:49 +01:00
interconnect interconnect: qcom: sm8250: Enable sync_state 2024-11-23 23:21:28 +01:00
iommu iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count 2024-11-23 23:21:40 +01:00
ipack
irqchip irqchip/gic-v4: Don't allow a VMOVP on a dying VPE 2024-11-23 23:21:57 +01:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-11-23 23:20:17 +01:00
kperfmon
kq/mesh
leds leds: spi-byte: Call of_node_put() on error path 2024-11-23 23:21:03 +01:00
lightnvm
macintosh macintosh/therm_windtunnel: fix module unload. 2024-11-23 23:20:11 +01:00
mailbox mailbox: bcm2835: Fix timeout during suspend mode 2024-11-23 23:21:35 +01:00
mcb
md Revert "dm: requeue IO if mapping table not yet available" 2024-11-23 23:21:28 +01:00
media media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() 2024-11-23 23:21:50 +01:00
memory memory: stm32-fmc2-ebi: check regmap_read return value 2024-11-23 23:20:46 +01:00
memstick
message
mfd mfd: omap-usb-tll: Use struct_size to allocate tll 2024-11-23 23:20:09 +01:00
misc VMCI: Fix use-after-free when removing resource in vmci_resource_remove() 2024-11-23 23:21:07 +01:00
mmc mmc: cqhci: Fix checking of CQHCI_HALT state 2024-11-23 23:21:09 +01:00
most
mtd mtd: powernv: Add check devm_kasprintf() returned value 2024-11-23 23:21:21 +01:00
muic
mux
net net: systemport: fix potential memory leak in bcm_sysport_xmit() 2024-11-23 23:21:59 +01:00
nfc nfc: pn533: Add poll mod list filling check 2024-11-23 23:20:55 +01:00
ntb ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition 2024-11-23 23:21:50 +01:00
nubus
nvdimm virtio_pmem: Check device status before requesting flush 2024-11-23 23:21:50 +01:00
nvme nvmet-tcp: fix kernel crash if commands allocation fails 2024-11-23 23:21:08 +01:00
nvmem nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc 2024-11-23 23:21:07 +01:00
of of/irq: Support #msi-cells=<0> in of_msi_get_domain 2024-11-23 23:21:44 +01:00
opp OPP: debugfs: Fix warning around icc_get_name() 2024-11-19 08:44:49 +01:00
oprofile
parisc
parport parport: Proper fix for array out-of-bounds access 2024-11-23 23:21:57 +01:00
pci PCI: Mark Creative Labs EMU20k2 INTx masking as broken 2024-11-23 23:21:50 +01:00
pcmcia pcmcia: Use resource_size function on resource object 2024-11-23 23:21:03 +01:00
perf
phy phy: tegra: xusb: Add API to retrieve the port number of phy 2024-11-19 09:22:34 +01:00
pinctrl pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function 2024-11-23 23:21:25 +01:00
platform platform/x86: touchscreen_dmi: add nanote-next quirk 2024-11-23 23:21:40 +01:00
pnp
power power: reset: brcmstb: Do not go into infinite loop if reset fails 2024-11-23 23:21:40 +01:00
powercap powercap: RAPL: fix invalid initialization for pl4_supported field 2024-11-23 23:21:29 +01:00
pps pps: add an error check in parport_attach 2024-11-23 23:21:34 +01:00
ps3
ptp ptp: Fix error message on failed pin verification 2024-11-19 14:19:01 +01:00
pwm pwm: stm32: Always do lazy disabling 2024-11-23 23:19:56 +01:00
rapidio
ras
regulator regulator: core: Fix modpost error "regulator_get_regmap" undefined 2024-11-19 14:19:09 +01:00
remoteproc remoteproc: imx_rproc: Skip over memory region when node value is NULL 2024-11-23 23:20:20 +01:00
reset reset: berlin: fix OF node leak in probe() error path 2024-11-23 23:21:20 +01:00
rpmsg
rtc rtc: at91sam9: fix OF node leak in probe() error path 2024-11-23 23:21:46 +01:00
s390 s390/sclp_vt220: Convert newlines to CRLF instead of LFCR 2024-11-23 23:21:55 +01:00
samsung
sbus
scsi scsi: aacraid: Rearrange order of struct aac_srb_unit 2024-11-23 23:21:41 +01:00
sensorhub
sensors
sfi
sh
siox
slimbus slimbus: core: Remove usage of the deprecated ida_simple_xx() API 2024-11-19 09:22:34 +01:00
soc soc: versatile: realview: fix soc_dev leak during device remove 2024-11-23 23:21:34 +01:00
soundwire soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" 2024-11-23 23:21:13 +01:00
spi spi: bcm63xx: Fix module autoloading 2024-11-23 23:21:42 +01:00
spmi
spu_verify
ssb ssb: Fix division by zero issue in ssb_calc_clock_rate 2024-11-23 23:20:44 +01:00
staging minmax: reduce min/max macro expansion in atomisp driver 2024-11-23 23:21:12 +01:00
sti
target scsi: target: core: Fix null-ptr-deref in target_alloc_device() 2024-11-23 23:21:59 +01:00
tc
tee tee: optee: Fix kernel panic caused by incorrect error handling 2024-11-19 09:22:39 +01:00
thermal
thunderbolt thunderbolt: Mark XDomain as unplugged when router is removed 2024-11-23 23:20:42 +01:00
tty tty: rp2: Fix reset with non forgiving PCIe host bridges 2024-11-23 23:21:31 +01:00
uh
uio Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic 2024-11-23 23:21:07 +01:00
usb usb: typec: altmode should keep reference to parent 2024-11-23 23:21:59 +01:00
vdpa
vfio vfio/fsl-mc: Block calling interrupt handler without trigger 2024-11-19 09:22:45 +01:00
vhost vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() 2024-11-23 23:21:48 +01:00
vibrator
video fbdev: sisfb: Fix strbuf array overflow 2024-11-23 23:21:50 +01:00
virt
virtio vdpa: Add eventfd for the vdpa callback 2024-11-23 23:21:28 +01:00
vision
vision3
visorbus
vlynq
vme
w1
watchdog watchdog: imx_sc_wdt: Don't disable WDT in suspend 2024-11-23 23:21:25 +01:00
xen xen/swiotlb: add alignment check for dma buffers 2024-11-23 23:21:22 +01:00
zorro
Kconfig Added KernelSU 2024-11-19 22:44:48 +01:00
Kconfig.variant1
kernelsu Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile.variant1