Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753079AbbHLNNq (ORCPT ); Wed, 12 Aug 2015 09:13:46 -0400 Received: from mx0.mattleach.net ([176.58.118.143]:57160 "EHLO mx0.mattleach.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752084AbbHLNNo (ORCPT ); Wed, 12 Aug 2015 09:13:44 -0400 From: Matthew Leach To: Jiri Kosina Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Krzysztof Kozlowski , Sebastian Reichel , Matthew Leach , Subject: [PATCH] HID: hid-input: fix double-free in cleanup_battery Date: Wed, 12 Aug 2015 13:09:44 +0100 Message-Id: <1439381384-13733-1-git-send-email-matthew@mattleach.net> X-Mailer: git-send-email 2.5.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5883 Lines: 113 The power supply layer has taken control of the power supply objects from the drivers to core, see [1]. As such, calling power_supply_unregister is enough to free the power_supply device. Remove the extra kfree's as the power_supply core will handle freeing the power_supply object for us. [1]: 297d716f6260cc9421d971b124ca196b957ee458 Signed-off-by: Matthew Leach Cc: --- Hello, Since upgrading to v4.1 of the kernel I have noticed that the kernel started to freeze whenever I disconnected my Bluetooth mouse. Other people are experiencing this too (see [1]). Between versions v4.0 and v4.1 the power_supply core was re-worked to take back ownership of the power_supply objects from the driver to core-code. I think hidinput_cleanup_battery may have been missed and as such caused a double-free to occur as power_supply_unregister now handle's freeing the objects. I confirmed this with [2], notice the battery object is cleaned up just before the kernel panics on calling kfree. Any comments welcome, Matt [1]: https://bugs.archlinux.org/task/45787 [2]: [ 1521.116857] kobject: 'power_supply' (ffff880135bff4e0): kobject_cleanup, parent ffff8800b642b8f8 [ 1521.116879] kobject: 'power_supply' (ffff880135bff4e0): auto cleanup kobject_del [ 1521.116886] kobject: 'power_supply' (ffff880135bff4e0): calling ktype release [ 1521.116892] kobject: 'power_supply': free name [ 1521.116898] kobject: 'hid-f0:65:dd:82:af:c6-battery' (ffff8800a3ddd848): kobject_cleanup, parent (null) [ 1521.116903] kobject: 'hid-f0:65:dd:82:af:c6-battery' (ffff8800a3ddd848): calling ktype release [ 1521.116911] kobject: 'hid-f0:65:dd:82:af:c6-battery': free name [ 1521.116921] BUG: unable to handle kernel NULL pointer dereference at (null) [ 1521.117052] IP: [] hidinput_disconnect+0x29/0xc0 [ 1521.117150] PGD 0 [ 1521.117190] Oops: 0000 [#1] PREEMPT SMP [ 1521.117283] CPU: 0 PID: 176 Comm: kworker/u9:0 Not tainted 4.2.0-rc6-ARCH #12 [ 1521.117373] Hardware name: LENOVO 7469W92/7469W92, BIOS 6DET44WW (2.08 ) 04/22/2009 [ 1521.117475] Workqueue: hci0 hci_rx_work [ 1521.117535] task: ffff880136b5f300 ti: ffff8800b73b4000 task.ti: ffff8800b73b4000 [ 1521.117629] RIP: 0010:[] [] hidinput_disconnect+0x29/0xc0 [ 1521.117749] RSP: 0018:ffff8800b73b7a98 EFLAGS: 00010292 [ 1521.117825] RAX: 0000000000000000 RBX: ffff8800b642a000 RCX: 0000000180800071 [ 1521.117913] RDX: 0000000180800072 RSI: 0000000000000001 RDI: ffff880137001c00 [ 1521.118001] RBP: ffff8800b73b7ab8 R08: 2779726574746162 R09: ffff880137001c00 [ 1521.118090] R10: ffff880137001c00 R11: ffffffff81453d76 R12: ffff8800b642b8e8 [ 1521.118181] R13: ffff8800b642a000 R14: ffff8800b642a000 R15: ffff8800b642b8d0 [ 1521.118270] FS: 0000000000000000(0000) GS:ffff88013bc00000(0000) knlGS:0000000000000000 [ 1521.118372] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 1521.118444] CR2: 0000000000000000 CR3: 000000000240d000 CR4: 00000000000406f0 [ 1521.118531] Stack: [ 1521.118565] ffff8800b642a000 ffff8800b642b8e8 ffff8800b642a000 ffff8800b642b8b8 [ 1521.118688] ffff8800b73b7ad8 ffffffff818e0e11 00000000fffffffc ffff8800b642b8e8 [ 1521.118809] ffff8800b73b7b18 ffffffff818e0ed5 ffff8800b73b7b18 ffff8800b642b8e8 [ 1521.118930] Call Trace: [ 1521.118971] [] hid_disconnect+0x71/0x80 [ 1521.119045] [] hid_device_remove+0xb5/0xd0 [ 1521.119122] [] __device_release_driver+0x8d/0x120 [ 1521.119205] [] device_release_driver+0x1e/0x30 [ 1521.119283] [] bus_remove_device+0x100/0x180 [ 1521.119358] [] device_del+0x134/0x260 [ 1521.119430] [] hid_destroy_device+0x22/0x60 [ 1521.119510] [] hidp_session_remove+0x46/0xb0 [ 1521.119588] [] l2cap_conn_del+0xa2/0x200 [ 1521.119661] [] l2cap_disconn_cfm+0x39/0x60 [ 1521.119736] [] hci_event_packet+0x1b75/0x3320 [ 1521.119818] [] ? dequeue_entity+0x152/0x620 [ 1521.119897] [] ? _raw_write_unlock_irqrestore+0x13/0x30 [ 1521.120884] [] hci_rx_work+0x1b8/0x3e0 [ 1521.120884] [] process_one_work+0x123/0x3c0 [ 1521.120884] [] worker_thread+0x43/0x490 [ 1521.120884] [] ? process_one_work+0x3c0/0x3c0 [ 1521.120884] [] kthread+0xd3/0xf0 [ 1521.120884] [] ? _raw_spin_unlock_irq+0x9/0x10 [ 1521.120884] [] ? __kthread_parkme+0x70/0x70 [ 1521.120884] [] ret_from_fork+0x3f/0x70 [ 1521.120884] [] ? __kthread_parkme+0x70/0x70 [ 1521.120884] Code: 00 00 55 48 89 e5 41 56 49 89 fe 41 55 41 54 53 48 8b bf 98 1b 00 00 48 85 ff 74 31 e8 11 76 fa ff 49 8b 86 98 1b 00 00 48 8b 00 <48> 8b 38 e8 af 1b 8e ff 49 8b 86 98 1b 00 00 48 8b 38 e8 a0 1b [ 1521.120884] RIP [] hidinput_disconnect+0x29/0xc0 [ 1521.120884] RSP [ 1521.120884] CR2: 0000000000000000 drivers/hid/hid-input.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index 3511bbab..3a867bd 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -466,8 +466,6 @@ static void hidinput_cleanup_battery(struct hid_device *dev) return; power_supply_unregister(dev->battery); - kfree(dev->battery->desc->name); - kfree(dev->battery->desc); dev->battery = NULL; } #else /* !CONFIG_HID_BATTERY_STRENGTH */ -- 2.5.0 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/