linux/drivers/mmc/host
Jan Glauber b917c6d18c mmc: cavium: Fix use-after-free in of_platform_device_destroy
KASAN reported the following:

[   19.338655] ==================================================================
[   19.345946] BUG: KASAN: use-after-free in of_platform_device_destroy+0x88/0x100
[   19.345966] Read of size 8 at addr fffffe01aa6f1468 by task systemd-udevd/264

[   19.345983] CPU: 1 PID: 264 Comm: systemd-udevd Not tainted 4.13.0-jang+ #737
[   19.345989] Hardware name: Cavium ThunderX CN81XX board (DT)
[   19.345995] Call trace:
[   19.346013] [<fffffc800808b1b0>] dump_backtrace+0x0/0x368
[   19.346026] [<fffffc800808b6bc>] show_stack+0x24/0x30
[   19.346040] [<fffffc8008cbb944>] dump_stack+0xa4/0xc8
[   19.346057] [<fffffc80082c2870>] print_address_description+0x68/0x258
[   19.346070] [<fffffc80082c2d70>] kasan_report+0x238/0x2f8
[   19.346082] [<fffffc80082c14a8>] __asan_load8+0x88/0xb8
[   19.346098] [<fffffc8008aacee0>] of_platform_device_destroy+0x88/0x100
[   19.346131] [<fffffc8000e02fa4>] thunder_mmc_probe+0x314/0x550 [thunderx_mmc]
[   19.346147] [<fffffc800879d560>] pci_device_probe+0x158/0x1f8
[   19.346162] [<fffffc800886e53c>] driver_probe_device+0x394/0x5f8
[   19.346174] [<fffffc800886e8f4>] __driver_attach+0x154/0x158
[   19.346185] [<fffffc800886b12c>] bus_for_each_dev+0xdc/0x140
[   19.346196] [<fffffc800886d9f8>] driver_attach+0x38/0x48
[   19.346207] [<fffffc800886d148>] bus_add_driver+0x290/0x3c8
[   19.346219] [<fffffc800886fc5c>] driver_register+0xbc/0x1a0
[   19.346232] [<fffffc800879b78c>] __pci_register_driver+0xc4/0xd8
[   19.346260] [<fffffc8000e80024>] thunder_mmc_driver_init+0x24/0x10000 [thunderx_mmc]
[   19.346273] [<fffffc8008083a80>] do_one_initcall+0x98/0x1c0
[   19.346289] [<fffffc8008177b54>] do_init_module+0xe0/0x2cc
[   19.346303] [<fffffc8008175cf0>] load_module+0x3238/0x35c0
[   19.346318] [<fffffc8008176438>] SyS_finit_module+0x190/0x1a0
[   19.346329] [<fffffc80080834a0>] __sys_trace_return+0x0/0x4

This is caused by:

  platform_device_register()
   -> platform_device_unregister(to_platform_device(dev))
	freeing struct device
   -> of_node_clear_flag(dev->of_node, ...)
	writing to the freed device

The issue is solved by increasing the reference count before calling
of_platform_device_destroy() so freeing the device is postponed after
the call.

Fixes: 8fb83b1428 ("mmc: cavium: Fix probing race with regulator")
Signed-off-by: Jan Glauber <jglauber@cavium.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2017-09-08 15:38:22 +02:00
..
Kconfig mmc: host: fix typo after MMC_DEBUG move 2017-09-08 15:38:21 +02:00
Makefile mmc: mmci: stop building qcom dml as module 2017-08-30 15:03:53 +02:00
android-goldfish.c mmc: android-goldfish: remove logically dead code in goldfish_mmc_irq() 2017-08-30 14:01:23 +02:00
atmel-mci.c mmc: Convert to using %pOF instead of full_name 2017-08-30 14:01:36 +02:00
au1xmmc.c mmc: host: drop owner assignment from platform_drivers 2014-10-20 16:20:56 +02:00
bcm2835.c mmc: bcm2835: constify mmc_host_ops structures 2017-08-30 14:01:45 +02:00
bfin_sdh.c mmc: bfin_sdh: remove the MMC_DATA_STREAM flag 2016-02-29 11:02:59 +01:00
cavium-octeon.c mmc: cavium-octeon: Convert to use module_platform_driver 2017-08-30 15:03:38 +02:00
cavium-thunderx.c mmc: cavium: Fix use-after-free in of_platform_device_destroy 2017-09-08 15:38:22 +02:00
cavium.c mmc: Convert to using %pOF instead of full_name 2017-08-30 14:01:36 +02:00
cavium.h mmc: cavium: Add scatter-gather DMA support 2017-04-24 21:42:10 +02:00
cb710-mmc.c
cb710-mmc.h mmc: cb710: use to_platform_device() 2016-01-05 18:04:57 +01:00
davinci_mmc.c mmc: davinci: constify mmc_host_ops structures 2017-08-30 14:01:41 +02:00
dw_mmc-exynos.c mmc: dw_mmc: use the 'slot' instead of 'cur_slot' 2017-06-29 17:14:26 +02:00
dw_mmc-exynos.h mmc: dw_mmc: exynos: Support eMMC's HS400 mode 2015-03-23 14:13:28 +01:00
dw_mmc-k3.c mmc: dw_mmc-k3: add sd support for hi3660 2017-08-30 14:01:56 +02:00
dw_mmc-pci.c mmc: dw_mmc: Remove the public dw_mmc header file 2017-02-13 13:19:59 +01:00
dw_mmc-pltfm.c mmc: dw_mmc: Remove the public dw_mmc header file 2017-02-13 13:19:59 +01:00
dw_mmc-pltfm.h
dw_mmc-rockchip.c mmc: dw_mmc-rockchip: parse rockchip, desired-num-phases from DT 2017-06-29 17:13:59 +02:00
dw_mmc-zx.c mmc: dw_mmc: zx: Initial support for ZX mmc controller 2017-02-13 13:20:03 +01:00
dw_mmc-zx.h mmc: dw_mmc: zx: Initial support for ZX mmc controller 2017-02-13 13:20:03 +01:00
dw_mmc.c mmc: dw_mmc: introduce timer for broken command transfer over scheme 2017-08-30 14:01:57 +02:00
dw_mmc.h mmc: dw_mmc: introduce timer for broken command transfer over scheme 2017-08-30 14:01:57 +02:00
jz4740_mmc.c mmc: jz4740: Let the pinctrl driver configure the pins 2017-05-22 17:20:02 +02:00
meson-gx-mmc.c mmc: meson-gx: fix __ffsdi2 undefined on arm32 2017-08-31 12:42:57 +02:00
mmc_spi.c mmc: use new core function mmc_get_dma_dir 2017-04-24 21:41:52 +02:00
mmci.c mmc: mmci: constify amba_id 2017-08-30 15:03:46 +02:00
mmci.h mmc: core/mmci: restore pre/post_req behaviour 2017-02-13 13:20:52 +01:00
mmci_qcom_dml.c scripts/spelling.txt: add "intialization" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
mmci_qcom_dml.h mmc: mmci: Add qcom dml support to the driver. 2014-09-09 13:58:46 +02:00
moxart-mmc.c mmc: moxart: constify mmc_host_ops structures 2017-08-30 14:01:41 +02:00
mtk-sd.c mmc: mediatek: constify mmc_host_ops structures 2017-08-30 14:01:44 +02:00
mvsdio.c mmc: use new core function mmc_get_dma_dir 2017-04-24 21:41:52 +02:00
mvsdio.h
mxcmmc.c mmc: mxcmmc: Handle return value of clk_prepare_enable 2017-08-30 14:01:55 +02:00
mxs-mmc.c mmc: mxs-mmc: Implement CMD23 support 2017-02-13 13:20:27 +01:00
of_mmc_spi.c mmc: of_mmc_spi: fix restricted cast warning of sparse 2017-08-30 14:01:45 +02:00
omap.c mmc: omap: Don't use mmc_card_present() when validating for inserted card 2017-02-13 13:20:23 +01:00
omap_hsmmc.c mmc: omap_hsmmc: Reduce max_segs for reliability 2017-08-30 14:01:22 +02:00
pxamci.c mmc: core: Delete bounce buffer Kconfig option 2017-06-20 10:30:17 +02:00
pxamci.h
renesas_sdhi.h mmc: tmio, renesas-sdhi: add max_{segs, blk_count} to tmio_mmc_data 2017-08-30 14:01:21 +02:00
renesas_sdhi_core.c mmc: sdhi: use maximum width for the sdbuf register 2017-08-30 14:01:59 +02:00
renesas_sdhi_internal_dmac.c mmc: renesas_sdhi: use extra flag for CBSY usage 2017-08-30 14:01:58 +02:00
renesas_sdhi_sys_dmac.c mmc: renesas_sdhi: Add r8a7743/5 support 2017-09-01 15:31:01 +02:00
rtsx_pci_sdmmc.c mmc: use empty initializer list to zero-clear structures 2017-02-13 13:19:54 +01:00
rtsx_usb_sdmmc.c mmc: rtsx_usb_sdmmc: make array 'width' static const 2017-08-30 14:01:27 +02:00
s3cmci.c mmc: s3cmci: constify mmc_host_ops structures 2017-08-30 14:01:40 +02:00
s3cmci.h mmc: s3cmci: Register cpufreq notifier only on S3C24xx 2016-07-25 10:34:46 +02:00
sdhci-acpi.c sdhci: acpi: Use new method to get ACPI companion 2017-08-30 14:01:39 +02:00
sdhci-bcm-kona.c mmc: sdhci-bcm-kona: constify sdhci_pltfm_data and sdhci_ops structures 2017-08-30 14:01:52 +02:00
sdhci-brcmstb.c mmc: sdhci: enable/disable the clock in sdhci_pltfm_suspend/resume 2017-08-30 15:03:44 +02:00
sdhci-cadence.c mmc: sdhci-pltfm: export sdhci_pltfm_suspend/resume 2017-08-30 15:03:45 +02:00
sdhci-cns3xxx.c mmc: sdhci-pltfm: Drop define for SDHCI_PLTFM_PMOPS 2016-07-29 11:29:04 +02:00
sdhci-dove.c mmc: sdhci-pltfm: Drop define for SDHCI_PLTFM_PMOPS 2016-07-29 11:29:04 +02:00
sdhci-esdhc-imx.c mmc: sdhci-esdhc-imx: Remove the ENGcm07207 workaround 2017-06-20 10:30:34 +02:00
sdhci-esdhc.h mmc: sdhci-of-esdhc: support ESDHC_CAPABILITIES_1 accessing 2017-08-30 15:03:36 +02:00
sdhci-iproc.c mmc: sdhci-iproc: suppress spurious interrupt with Multiblock read 2017-05-22 18:18:04 +02:00
sdhci-msm.c mmc: sdhci-msm: set sdma_boundary to zero 2017-08-30 14:01:54 +02:00
sdhci-of-arasan.c mmc: sdhci-of-arasan: constify sdhci_pltfm_data and sdhci_ops structures 2017-08-30 14:01:53 +02:00
sdhci-of-at91.c mmc: sdhci-of-at91: set clocks and presets after resume from deepest PM 2017-08-30 14:01:31 +02:00
sdhci-of-esdhc.c mmc: sdhci-of-esdhc: support ESDHC_CAPABILITIES_1 accessing 2017-08-30 15:03:36 +02:00
sdhci-of-hlwd.c mmc: sdhci-pltfm: Drop define for SDHCI_PLTFM_PMOPS 2016-07-29 11:29:04 +02:00
sdhci-pci-core.c mmc: sdhci-pci: use generic sdhci_set_bus_width() 2017-08-30 15:03:35 +02:00
sdhci-pci-data.c mmc: sdhci-pci: Use ACPI DSM to get driver strength for some Intel devices 2017-04-24 21:41:28 +02:00
sdhci-pci-o2micro.c mmc: sdhci-pci: Let suspend/resume callbacks replace default callbacks 2017-04-24 21:41:38 +02:00
sdhci-pci-o2micro.h mmc: sdhci-pci: Make sdhci_pci_o2_fujin2_pci_init() static 2015-10-26 16:00:05 +01:00
sdhci-pci.h mmc: sdhci-pci: Add support for Intel CNP 2017-06-20 10:30:38 +02:00
sdhci-pic32.c mmc: sdhci: constify sdhci_pltfm_data structures 2017-08-30 14:01:51 +02:00
sdhci-pltfm.c mmc: sdhci-pltfm: export sdhci_pltfm_suspend/resume 2017-08-30 15:03:45 +02:00
sdhci-pltfm.h mmc: sdhci-pltfm: export sdhci_pltfm_suspend/resume 2017-08-30 15:03:45 +02:00
sdhci-pxav2.c mmc: sdhci-pxav2: switch to managed clk and sdhci_pltfm_unregister() 2017-08-30 15:03:44 +02:00
sdhci-pxav3.c mmc: sdhci: constify sdhci_pltfm_data structures 2017-08-30 14:01:51 +02:00
sdhci-s3c.c mmc: sdhci-s3c: use generic sdhci_set_bus_width() 2017-08-30 15:03:35 +02:00
sdhci-sirf.c mmc: sdhci: enable/disable the clock in sdhci_pltfm_suspend/resume 2017-08-30 15:03:44 +02:00
sdhci-spear.c mmc: sdhci: Let drivers decide whether to use mmc_retune_needed() with pm 2017-04-24 21:41:26 +02:00
sdhci-st.c mmc: sdhci-st: explicitly request exclusive reset control 2017-08-30 14:01:37 +02:00
sdhci-tegra.c mmc: sdhci-tegra: use generic sdhci_set_bus_width() 2017-08-30 15:03:35 +02:00
sdhci-xenon-phy.c mmc: sdhci-xenon: Support HS400 Enhanced Strobe feature 2017-08-30 15:03:43 +02:00
sdhci-xenon.c mmc: sdhci-xenon: add runtime pm support and reimplement standby 2017-08-30 15:37:31 +02:00
sdhci-xenon.h mmc: sdhci-xenon: add runtime pm support and reimplement standby 2017-08-30 15:37:31 +02:00
sdhci.c mmc: sdhci: Add quirk to indicate MMC_RSP_136 has CRC 2017-08-30 15:03:43 +02:00
sdhci.h mmc: sdhci: Add quirk to indicate MMC_RSP_136 has CRC 2017-08-30 15:03:43 +02:00
sdhci_f_sdh30.c mmc: sdhci-pltfm: Drop define for SDHCI_PLTFM_PMOPS 2016-07-29 11:29:04 +02:00
sdricoh_cs.c mmc: sdricoh_cs: constify mmc_host_ops structures 2017-08-30 14:01:44 +02:00
sh_mmcif.c mmc: sh_mmcif: constify mmc_host_ops structures 2017-08-30 14:01:42 +02:00
sunxi-mmc.c mmc: sunxi: Reset the device at probe time 2017-08-30 15:03:52 +02:00
tifm_sd.c mmc: Convert pr_warning to pr_warn 2014-09-24 10:13:09 +02:00
tmio_mmc.c mmc: tmio: improve checkpatch cleanness 2017-06-20 10:30:50 +02:00
tmio_mmc.h mmc: tmio: no magic values when enabling DMA 2017-08-30 14:01:25 +02:00
tmio_mmc_core.c mmc: tmio: don't wait on R-Car2+ when handling the clock 2017-08-30 14:01:26 +02:00
toshsd.c mmc: toshsd: constify mmc_host_ops structures 2017-08-30 14:01:42 +02:00
toshsd.h mmc: add Toshiba PCI SD controller driver 2014-11-26 14:30:58 +01:00
usdhi6rol0.c mmc: usdhi6rol0: constify mmc_host_ops structures 2017-08-30 14:01:43 +02:00
ushc.c mmc: ushc: fix NULL-deref at probe 2017-03-16 15:31:27 +01:00
via-sdmmc.c mmc: host: via-sdmmc: constify pci_device_id. 2017-08-30 14:01:35 +02:00
vub300.c mmc: vub300: constify usb_device_id 2017-08-30 14:01:58 +02:00
wbsd.c mmc: wbsd: remove CONFIG_MMC_DEBUG from the driver 2017-08-30 14:01:35 +02:00
wbsd.h
wmt-sdmmc.c mmc: wmt-sdmmc: Handle return value of clk_prepare_enable 2017-08-30 14:01:55 +02:00