driver core : Fix use after free of dev->parent in device_shutdown

The put_device(dev) at the bottom of the loop of device_shutdown may result in the dev being cleaned up. In device_create_release, the dev is kfreed. However, device_shutdown attempts to use the dev pointer again after put_device by referring to dev->parent. Copy the parent pointer instead to avoid this condition. This bug was found on Chromium OS's chromeos-3.8, which is based on v3.8.11. See bug report : https://code.google.com/p/chromium/issues/detail?id=297842 This can easily be reproduced when shutting down with hidraw devices that report battery condition. Two examples are the HP Bluetooth Mouse X4000b and the Apple Magic Mouse. For example, with the magic mouse : The dev in question is "hidraw0" dev->parent is "magicmouse" In the course of the shutdown for this device, the input event cleanup calls a put on hidraw0, decrementing its reference count. When we finally get to put_device(dev) in device_shutdown, kobject_cleanup is called and device_create_release does kfree(dev). dev->parent is no longer valid, and we may crash in put_device(dev->parent). This change should be applied on any kernel with this change : d1c6c030fcec6f860d9bb6c632a3ebe62e28440b Cc: stable@vger.kernel.org Signed-off-by: Benson Leung <bleung@chromium.org> Reviewed-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Benson Leung <bleung@chromium.org> 2013-09-24 23:05:11 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-09-26 17:46:11 -0400
commit: f123db8e9d6c84c863cb3c44d17e61995dc984fb (patch)
tree: e5c6056e1001eabb08998a0801a7dca2b21850fa
parent: 667b4102b3e63856ca7770521ee74b1c44629df1 (diff)
1 files changed, 7 insertions, 7 deletions
diff --git a/drivers/base/core.c b/drivers/base/core.c
index c7cfadcf6752..34abf4d8a45f 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -2017,7 +2017,7 @@ EXPORT_SYMBOL_GPL(device_move);
 */
 void device_shutdown(void)
 {
-        struct device *dev;
+        struct device *dev, *parent;
        spin_lock(&devices_kset->list_lock);
        /*
@@ -2034,7 +2034,7 @@ void device_shutdown(void)
                 * prevent it from being freed because parent's
                 * lock is to be held
                 */
-                get_device(dev->parent);
+                parent = get_device(dev->parent);
                get_device(dev);
                /*
                 * Make sure the device is off the kset list, in the
@@ -2044,8 +2044,8 @@ void device_shutdown(void)
                spin_unlock(&devices_kset->list_lock);
                /* hold lock to avoid race with probe/release */
-                if (dev->parent)
+                if (parent)
-                        device_lock(dev->parent);
+                        device_lock(parent);
                device_lock(dev);
                /* Don't allow any more runtime suspends */
@@ -2063,11 +2063,11 @@ void device_shutdown(void)
                }
                device_unlock(dev);
-                if (dev->parent)
+                if (parent)
-                        device_unlock(dev->parent);
+                        device_unlock(parent);
                put_device(dev);
-                put_device(dev->parent);
+                put_device(parent);
                spin_lock(&devices_kset->list_lock);
        }
author	Benson Leung <bleung@chromium.org>	2013-09-24 23:05:11 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-09-26 17:46:11 -0400
commit	f123db8e9d6c84c863cb3c44d17e61995dc984fb (patch)
tree	e5c6056e1001eabb08998a0801a7dca2b21850fa
parent	667b4102b3e63856ca7770521ee74b1c44629df1 (diff)

diff --git a/drivers/base/core.c b/drivers/base/core.c index c7cfadcf6752..34abf4d8a45f 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c
@@ -2017,7 +2017,7 @@ EXPORT_SYMBOL_GPL(device_move);
2017	*/	2017	*/
2018	void device_shutdown(void)	2018	void device_shutdown(void)
2019	{	2019	{
2020	struct device *dev;	2020	struct device dev, parent;
2021		2021
2022	spin_lock(&devices_kset->list_lock);	2022	spin_lock(&devices_kset->list_lock);
2023	/*	2023	/*
@@ -2034,7 +2034,7 @@ void device_shutdown(void)
2034	* prevent it from being freed because parent's	2034	* prevent it from being freed because parent's
2035	* lock is to be held	2035	* lock is to be held
2036	*/	2036	*/
2037	get_device(dev->parent);	2037	parent = get_device(dev->parent);
2038	get_device(dev);	2038	get_device(dev);
2039	/*	2039	/*
2040	* Make sure the device is off the kset list, in the	2040	* Make sure the device is off the kset list, in the
@@ -2044,8 +2044,8 @@ void device_shutdown(void)
2044	spin_unlock(&devices_kset->list_lock);	2044	spin_unlock(&devices_kset->list_lock);
2045		2045
2046	/* hold lock to avoid race with probe/release */	2046	/* hold lock to avoid race with probe/release */
2047	if (dev->parent)	2047	if (parent)
2048	device_lock(dev->parent);	2048	device_lock(parent);
2049	device_lock(dev);	2049	device_lock(dev);
2050		2050
2051	/* Don't allow any more runtime suspends */	2051	/* Don't allow any more runtime suspends */
@@ -2063,11 +2063,11 @@ void device_shutdown(void)
2063	}	2063	}
2064		2064
2065	device_unlock(dev);	2065	device_unlock(dev);
2066	if (dev->parent)	2066	if (parent)
2067	device_unlock(dev->parent);	2067	device_unlock(parent);
2068		2068
2069	put_device(dev);	2069	put_device(dev);
2070	put_device(dev->parent);	2070	put_device(parent);
2071		2071
2072	spin_lock(&devices_kset->list_lock);	2072	spin_lock(&devices_kset->list_lock);
2073	}	2073	}