remarkable-linux/drivers
Marcin Slusarz 2e4a75cdcb rtc: fix kernel panic on second use of SIGIO notification
When userspace uses SIGIO notification and forgets to disable it before
closing the file descriptor, rtc->async_queue contains a stale pointer to struct
file.  When user space enables SIGIO notification again in a different
process, the kernel dereferences this (poisoned) pointer and crashes.

So disable SIGIO notification on close.

Kernel panic:
(second run of qemu (requires echo 1024 > /sys/class/rtc/rtc0/max_user_freq))

general protection fault: 0000 [1] PREEMPT
CPU 0
Modules linked in: af_packet snd_pcm_oss snd_mixer_oss snd_seq_oss snd_seq_midi_event snd_seq usbhid tuner tea5767 tda8290 tuner_xc2028 xc5000 tda9887 tuner_simple tuner_types mt20xx tea5761 tda9875 uhci_hcd ehci_hcd usbcore bttv snd_via82xx snd_ac97_codec ac97_bus snd_pcm snd_timer ir_common compat_ioctl32 snd_page_alloc videodev v4l1_compat snd_mpu401_uart snd_rawmidi v4l2_common videobuf_dma_sg videobuf_core snd_seq_device snd btcx_risc soundcore tveeprom i2c_viapro
Pid: 5781, comm: qemu-system-x86 Not tainted 2.6.27-rc6 #363
RIP: 0010:[<ffffffff8024f891>]  [<ffffffff8024f891>] __lock_acquire+0x3db/0x73f
RSP: 0000:ffffffff80674cb8  EFLAGS: 00010002
RAX: ffff8800224c62f0 RBX: 0000000000000046 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800224c62f0
RBP: ffffffff80674d08 R08: 0000000000000002 R09: 0000000000000001
R10: ffffffff80238941 R11: 0000000000000001 R12: 0000000000000000
R13: 6b6b6b6b6b6b6b6b R14: ffff88003a450080 R15: 0000000000000000
FS:  00007f98b69516f0(0000) GS:ffffffff80623200(0000) knlGS:00000000f7cc86d0
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000a87000 CR3: 0000000022598000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process qemu-system-x86 (pid: 5781, threadinfo ffff880028812000, task ffff88003a450080)
Stack:  ffffffff80674cf8 0000000180238440 0000000200000002 0000000000000000
 ffff8800224c62f0 0000000000000046 0000000000000000 0000000000000002
 0000000000000002 0000000000000000 ffffffff80674d68 ffffffff8024fc7a
Call Trace:
 <IRQ>  [<ffffffff8024fc7a>] lock_acquire+0x85/0xa9
 [<ffffffff8029cb62>] ? send_sigio+0x2a/0x184
 [<ffffffff80491d1f>] _read_lock+0x3e/0x4a
 [<ffffffff8029cb62>] ? send_sigio+0x2a/0x184
 [<ffffffff8029cb62>] send_sigio+0x2a/0x184
 [<ffffffff8024fb97>] ? __lock_acquire+0x6e1/0x73f
 [<ffffffff8029cd4d>] ? kill_fasync+0x2c/0x4e
 [<ffffffff8029cd10>] __kill_fasync+0x54/0x65
 [<ffffffff8029cd5b>] kill_fasync+0x3a/0x4e
 [<ffffffff80402896>] rtc_update_irq+0x9c/0xa5
 [<ffffffff80404640>] cmos_interrupt+0xae/0xc0
 [<ffffffff8025d1c1>] handle_IRQ_event+0x25/0x5a
 [<ffffffff8025e5e4>] handle_edge_irq+0xdd/0x123
 [<ffffffff8020da34>] do_IRQ+0xe4/0x144
 [<ffffffff8020bad6>] ret_from_intr+0x0/0xf
 <EOI>  [<ffffffff8026fdc2>] ? __alloc_pages_internal+0xe7/0x3ad
 [<ffffffff8033fe67>] ? clear_page_c+0x7/0x10
 [<ffffffff8026fc10>] ? get_page_from_freelist+0x385/0x450
 [<ffffffff8026fdc2>] ? __alloc_pages_internal+0xe7/0x3ad
 [<ffffffff80280aac>] ? anon_vma_prepare+0x2e/0xf6
 [<ffffffff80279400>] ? handle_mm_fault+0x227/0x6a5
 [<ffffffff80494716>] ? do_page_fault+0x494/0x83f
 [<ffffffff8049251d>] ? error_exit+0x0/0xa9

Code: cc 41 39 45 28 74 24 e8 5e 1d 0f 00 85 c0 0f 84 6a 03 00 00 83 3d 8f a9 aa 00 00 be 47 03 00 00 0f 84 6a 02 00 00 e9 53 03 00 00 <41> ff 85 38 01 00 00 45 8b be 90 06 00 00 41 83 ff 2f 76 24 e8
RIP  [<ffffffff8024f891>] __lock_acquire+0x3db/0x73f
 RSP <ffffffff80674cb8>
---[ end trace 431877d860448760 ]---
Kernel panic - not syncing: Aiee, killing interrupt handler!

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Acked-by: Alessandro Zummo <alessandro.zummo@towertech.it>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-10-03 18:22:17 -07:00
accessibility braille_console: only register notifiers when the braille console is used 2008-10-02 15:53:13 -07:00
acpi Merge branches 'smbus' and 'fujitsu-fix' into release-2.6.27 2008-09-04 14:33:03 +02:00
amba
ata sata_nv: reinstate nv_hardreset() for non generic controllers 2008-09-29 00:14:34 -04:00
atm
auxdisplay
base
block
bluetooth [Bluetooth] Fix USB disconnect handling of btusb driver 2008-09-23 00:16:36 +02:00
cdrom
char kgdboc,tty: Fix tty polling search to use name correctly 2008-09-26 10:36:42 -05:00
clocksource clocksource, acpi_pm.c: fix check for monotonicity 2008-09-11 11:14:29 +02:00
connector
cpufreq
cpuidle
crypto crypto: talitos - Avoid consecutive packets going out with same IV 2008-09-14 13:41:19 -07:00
dca
dio
dma
edac
eisa
firewire
firmware ibft: fix target info parsing in ibft module 2008-09-02 19:21:40 -07:00
gpio
gpu drm/radeon: downgrade debug message from info to debug. 2008-09-01 08:51:52 +10:00
hid
hwmon hwmon: (ad7414) Make ad7414_update_device() static 2008-09-20 10:25:20 +02:00
i2c i2c-dev: Return correct error code on class_create() failure 2008-09-24 13:39:21 +02:00
ide ide: note that IDE generic may prevent other drivers from attaching 2008-09-27 19:32:17 +02:00
ieee1394
infiniband IPoIB: Fix crash when path record fails after path flush 2008-09-25 16:37:03 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2008-09-22 07:46:06 -07:00
isdn
leds
lguest
macintosh
mca
md dm mpath: add missing path switching locking 2008-10-01 14:39:27 +01:00
media VIDEO_SH_MOBILE_CEU should depend on HAS_DMA 2008-09-10 14:15:29 -07:00
memstick memstick: fix MSProHG 8-bit interface mode support 2008-09-13 14:41:52 -07:00
message
mfd mfd: Fix asic3 compilation 2008-09-30 09:57:22 +02:00
misc ia64: fix panic during `modprobe -r xpc' 2008-09-13 14:41:52 -07:00
mmc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/drzeus/mmc 2008-09-21 12:38:45 -07:00
mtd [MTD] [NAND] tmio_nand: fix base address programming 2008-09-05 15:34:35 +01:00
net e1000e: Fix incorrect debug warning 2008-10-03 09:18:17 -07:00
nubus
of
oprofile
parisc
parport
pci Check mapped ranges on sysfs resource files 2008-10-02 18:52:51 -07:00
pcmcia pcmcia: Fix broken abuse of dev->driver_data 2008-09-22 08:42:50 -07:00
pnp
power
ps3
rapidio
regulator
rtc rtc: fix kernel panic on second use of SIGIO notification 2008-10-03 18:22:17 -07:00
s390 [S390] qdio: prevent stack clobber 2008-10-03 21:55:55 +02:00
sbus
scsi scsi: fix fall out of sg-chaining patch in qlogicpti 2008-09-29 09:41:56 +02:00
serial atmel_serial: update the powersave handler to match serial core 2008-09-23 08:09:14 -07:00
sh
sn
spi pxa2xx_spi: fix build breakage 2008-10-01 12:31:12 -07:00
ssb [SSB] Initialise dma_mask for SSB_BUSTYPE_SSB devices 2008-09-27 15:45:37 +01:00
tc
telephony
thermal
uio
usb USB: revert recovery from transient errors 2008-09-23 13:58:10 -07:00
video fbcon: fix monochrome color value calculation 2008-10-02 15:53:13 -07:00
virtio
w1
watchdog ibmasr: remove unnecessary spin_unlock() 2008-09-23 08:09:13 -07:00
xen xen: fix 2.6.27-rc5 xen balloon driver warnings 2008-09-08 20:21:15 +02:00
zorro
Kconfig
Makefile