iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
fd75f3694b
linux/drivers
History
Geert Uytterhoeven fd75f3694b Input: tests - fix use-after-free and refcount underflow in input_test_exit() 
With CONFIG_DEBUG_SLAB=y:

        # Subtest: input_core
        1..3
    input: Test input device as /devices/virtual/input/input1
    8<--- cut here ---
    Unable to handle kernel paging request at virtual address 6b6b6dd7 when read
    ...
     __lock_acquire from lock_acquire+0x26c/0x300
     lock_acquire from _raw_spin_lock_irqsave+0x50/0x64
     _raw_spin_lock_irqsave from devres_remove+0x20/0x7c
     devres_remove from devres_destroy+0x8/0x24
     devres_destroy from input_free_device+0x2c/0x60
     input_free_device from kunit_try_run_case+0x70/0x94 [kunit]

Without CONFIG_DEBUG_SLAB=y:

	KTAP version 1
	# Subtest: input_core
	1..3
    input: Test input device as /devices/virtual/input/input1
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 694 at lib/refcount.c:28 refcount_warn_saturate+0x54/0x100
    refcount_t: underflow; use-after-free.
    ...
    Call Trace: [<0037cad4>] dump_stack+0xc/0x10
     [<00377614>] __warn+0x7e/0xb4
     [<0037768c>] warn_slowpath_fmt+0x42/0x62
     [<001eee1c>] refcount_warn_saturate+0x54/0x100
     [<000b1d34>] kfree_const+0x0/0x20
     [<0036290a>] __kobject_del+0x0/0x6e
     [<001eee1c>] refcount_warn_saturate+0x54/0x100
     [<00362a1a>] kobject_put+0xa2/0xb6
     [<11965770>] kunit_generic_run_threadfn_adapter+0x0/0x1c [kunit]

As per the comments for input_allocate_device() and
input_register_device(), input_free_device() must be called only to free
devices that have not been registered.  input_unregister_device()
already calls input_put_device(), thus leading to a use-after-free.

Moreover, the kunit_suite.exit() method is called after every test case,
even on failures.  As the test itself already does cleanups in its
failure paths, this may lead to a second use-after-free.

Fix the first issue by dropping the call to input_allocate_device() from
input_test_exit().
Fix the second issue by making the cleanup code conditional on a
successful test.

Fixes: fdefcbdd6f ("Input: Add KUnit tests for some of the input core helper functions")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://lore.kernel.org/r/957b3b309a44d39fb6e38b2a526b250f69ea3d2c.1683022164.git.geert+renesas@glider.be
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2023-05-02 10:38:59 -07:00
..
accel - Daniel Verkamp has contributed a memfd series ("mm/memfd: add 2023-02-23 17:09:35 -08:00
accessibility
acpi More ACPI updates for 6.3-rc1 2023-03-03 10:36:01 -08:00
amba
android Char/Misc and other driver subsystem changes for 6.3-rc1 2023-02-24 12:47:33 -08:00
ata ata: ahci: Revert "ata: ahci: Add Tiger Lake UP{3,4} AHCI controller" 2023-03-03 18:43:02 +09:00
atm
auxdisplay
base A set of updates for the interrupt susbsystem: 2023-03-05 11:19:16 -08:00
bcma
block block-6.3-2023-03-03 2023-03-03 10:21:39 -08:00
bluetooth
bus ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
cdrom
char tpm: disable hwrng for fTPM on some AMD designs 2023-03-12 23:28:10 +02:00
clk We have one small patch to the clk core this time around. It fixes a corner 2023-02-25 15:16:23 -08:00
clocksource Updates for timekeeping, timers and clockevent/source drivers: 2023-02-21 09:45:13 -08:00
comedi
connector
counter
cpufreq More power management updates for 6.3-rc1 2023-03-03 10:30:58 -08:00
cpuidle ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
crypto This push fixes a regression in the caam driver. 2023-03-05 11:32:30 -08:00
cxl cxl for v6.3 2023-02-25 09:19:23 -08:00
dax cxl for v6.3 2023-02-25 09:19:23 -08:00
dca
devfreq
dio
dma dmaengine updates for v6.3 2023-02-24 17:18:54 -08:00
dma-buf dma-buf: make kobj_type structure constant 2023-02-17 09:16:34 +01:00
edac - Add a driver for the RAS functionality on Xilinx's on chip memory 2023-02-21 08:10:03 -08:00
eisa
extcon
firewire Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
firmware ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
fpga Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
fsi
gnss
gpio Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
gpu Merge tag 'amd-drm-fixes-6.3-2023-03-09' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes 2023-03-10 14:17:35 +10:00
greybus
hid for-linus-2023030901 2023-03-09 10:17:23 -08:00
hsi Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
hte
hv Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
hwmon - Core Frameworks 2023-02-23 15:03:05 -08:00
hwspinlock
hwtracing Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
i2c i2c: dev: Fix bus callback return values 2023-03-09 22:07:52 +01:00
i3c I3C for 6.3 2023-02-28 16:05:01 -08:00
idle Power management updates for 6.3-rc1 2023-02-21 12:13:58 -08:00
iio Char/Misc and other driver subsystem changes for 6.3-rc1 2023-02-24 12:47:33 -08:00
infiniband v6.3 RDMA pull request 2023-02-24 15:11:03 -08:00
input Input: tests - fix use-after-free and refcount underflow in input_test_exit() 2023-05-02 10:38:59 -07:00
interconnect SoC: DT changes for 6.3 2023-02-20 15:49:56 -08:00
iommu ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
ipack Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
irqchip ARM: 2023-02-25 11:30:21 -08:00
isdn
leds - Remove Drivers 2023-02-23 15:09:31 -08:00
macintosh powerpc updates for 6.3 2023-02-25 11:00:06 -08:00
mailbox mailbox: qcom-apcs-ipc: add IPQ5332 APSS clock support 2023-02-23 14:47:13 -06:00
mcb
md flexible-array transformations for 6.3-rc1 2023-02-25 12:53:42 -08:00
media media: i2c: ov2685: convert to i2c's .probe_new() 2023-03-09 21:59:04 +01:00
memory ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
memstick MMC core: 2023-02-27 09:47:26 -08:00
message
mfd Including fixes from wireless and netfilter. 2023-02-27 14:05:08 -08:00
misc misc: ad525x_dpot-i2c: Convert to i2c's .probe_new() 2023-03-09 21:58:45 +01:00
mmc ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
most
mtd * regression fix for the notifier handling of the I2C core 2023-03-11 09:24:05 -08:00
mux
net Networking fixes for 6.3-rc2, including fixes from netfilter, bpf 2023-03-09 10:56:58 -08:00
nfc nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties 2023-02-28 11:48:28 +01:00
ntb
nubus
nvdimm virtio,vhost,vdpa: features, fixes 2023-02-25 11:48:02 -08:00
nvme block-6.3-2023-03-03 2023-03-03 10:21:39 -08:00
nvmem
of IOMMU Updates for Linux v6.3: 2023-02-24 13:40:13 -08:00
opp OPP: fix error checking in opp_migrate_dentry() 2023-02-16 13:48:53 +01:00
parisc
parport Char/Misc and other driver subsystem changes for 6.3-rc1 2023-02-24 12:47:33 -08:00
pci A set of updates for the interrupt susbsystem: 2023-03-05 11:19:16 -08:00
pcmcia Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
peci
perf RISC-V Patches for the 6.3 Merge Window, Part 2 2023-03-03 09:32:51 -08:00
phy ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
pinctrl ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
platform platform: mellanox: mlx-platform: Initialize shift variable to 0 2023-03-07 12:08:30 +01:00
pnp
power power supply changes for the v6.3 series (part 2) 2023-03-03 16:33:28 -08:00
powercap More power management updates for 6.3-rc1 2023-03-03 10:30:58 -08:00
pps
ps3
ptp ptp: vclock: use mutex to fix "sleep on atomic" bug 2023-02-22 21:23:48 -08:00
pwm pwm: dwc: Use devm_pwmchip_add() 2023-02-20 12:26:35 +01:00
rapidio
ras
regulator regulator: Fixes for v6.3 2023-03-02 09:21:25 -08:00
remoteproc ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
reset
rpmsg rpmsg updates for v6.3 2023-02-26 12:10:28 -08:00
rtc RTC for 6.3 2023-03-03 09:15:50 -08:00
s390 SCSI misc on 20230303 2023-03-03 14:41:50 -08:00
sbus
scsi SCSI fixes on 20230310 2023-03-10 20:45:53 -08:00
sh sh updates for v6.3 2023-03-01 09:44:22 -08:00
siox
slimbus
soc ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
soundwire soundwire updates for 6.3 2023-02-24 17:29:52 -08:00
spi spi: Fixes for v6.3 2023-03-02 09:25:38 -08:00
spmi
ssb
staging staging: r8188eu: delete driver 2023-03-09 10:06:28 +01:00
target scsi: target: iscsi: Fix an error message in iscsi_check_key() 2023-03-06 16:50:42 -05:00
tc
tee Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
thermal thermal: intel: int340x: processor_thermal: Fix deadlock 2023-03-03 20:34:49 +01:00
thunderbolt Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
tty serial: sc16is7xx: Convert to i2c's .probe_new() 2023-03-09 21:58:53 +01:00
ufs scsi: ufs: mcq: qcom: Clean the return path of ufs_qcom_mcq_config_resource() 2023-03-06 18:33:12 -05:00
uio - Daniel Verkamp has contributed a memfd series ("mm/memfd: add 2023-02-23 17:09:35 -08:00
usb phy-for-6.3 2023-02-24 17:22:11 -08:00
vdpa virtio,vhost,vdpa: features, fixes 2023-02-25 11:48:02 -08:00
vfio VFIO updates for v6.3-rc1 2023-02-25 11:52:57 -08:00
vhost virtio,vhost,vdpa: features, fixes 2023-02-25 11:48:02 -08:00
video TTY/Serial driver updates for 6.3-rc1 2023-02-24 12:17:14 -08:00
virt virt/sev-guest: Return -EIO if certificate buffer is not large enough 2023-03-01 10:17:46 +01:00
virtio virtio,vhost,vdpa: features, fixes 2023-02-25 11:48:02 -08:00
vlynq
w1 w1: ds2482: Convert to i2c's .probe_new() 2023-03-09 21:58:57 +01:00
watchdog linux-watchdog 6.3-rc1 tag 2023-03-02 11:12:01 -08:00
xen Driver core changes for 6.3-rc1 2023-02-24 12:58:55 -08:00
zorro
Kconfig
Makefile Kbuild updates for v6.3 2023-02-26 11:53:25 -08:00