[Letux-kernel] memory corruption in iio_input_bridge

Andreas Kemnade andreas at kemnade.info
Sat Jul 28 22:52:25 CEST 2018


Hi,

I think here is the final proof:

I am using this:
diff --git a/drivers/iio/industrialio-inputbridge.c b/drivers/iio/industrialio-inputbridge.c
index bd5807f31767..c37b55a85b1c 100644
--- a/drivers/iio/industrialio-inputbridge.c
+++ b/drivers/iio/industrialio-inputbridge.c
@@ -92,6 +92,8 @@ static int accel_open(struct input_dev *input)
 #if 0
 printk("accel_open()\n");
 #endif
+                print_hex_dump(KERN_INFO, "iio delayed_work open:", DUMP_PREFIX_NONE,
+                                                16, 1, &input_work, sizeof(input_work), false);
 
        // someone has opened the input device
        // make us start the iio_dev
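Review bot: the added print_hex_dump lines are indented with spaces while the surrounding code uses tabs, and the dump emits raw kernel pointers (the list_head prev/next and func values) to dmesg at KERN_INFO. That is fine for this debugging session, but it should stay under the same `#if 0` guard as the neighbouring `printk("accel_open()\n")` or be dropped before anything is merged. Since the open-time dump has no address in its prefix, consider printing `&input_work` here too, so each snapshot can be matched against the "iio delayed work at" line without relying on the ordering of dmesg output.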
@@ -175,7 +177,11 @@ static int iio_input_register_accel_channel(struct iio_dev *indio_dev, const str
 //             indio_dev->input = idev;
 
 #if POLLING
+               printk("iio delayed work at %px\n", &input_work);
+
                INIT_DELAYED_WORK(&input_work, inputbridge_work);
+                print_hex_dump(KERN_INFO, "iio delayed_work:", DUMP_PREFIX_NONE,
+                                                16, 1, &input_work, sizeof(input_work), false);
 #else
                struct iio_cb_buffer *iio_channel_get_all_cb(struct device *dev,
                                int (*cb)(const void *data,
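Review bot: the `printk("iio delayed work at %px\n", ...)` has no KERN_ level while the print_hex_dump two lines below uses KERN_INFO; use `pr_info()` (or a KERN_INFO prefix) so both lines land at the same level and are not filtered differently. `%px` is the right choice for this experiment, because the unhashed address is what makes the prev/next values in the dump checkable against the struct's own address, but like the dump itself it is debug-only output. The indentation again mixes a tab on the printk line with spaces on the print_hex_dump lines; align both with the tab-indented INIT_DELAYED_WORK.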


and then I do xxd /dev/input/eventX

from another shell:
dmesg | grep -C 3  iio\ delayed

[    5.986297] bmp280 1-0076: 1-0076 supply vddd not found, using dummy regulator
[    6.019775] omap_hdq 480b2000.1w: OMAP HDQ Hardware Rev 0.5. Driver in Interrupt mode
[    6.029357] musb-hdrc musb-hdrc.0.auto: MUSB HDRC host driver
[    6.056365] iio delayed work at bf06b400
[    6.064727] videodev: Linux video capture interface: v2.00
[    6.078857] bmp280 1-0076: 1-0076 supply vdda not found, using dummy regulator
[    6.092315] iio delayed_work:e0 ff ff ff 04 b4 06 bf 04 b4 06 bf 54 86 06 bf
[    6.101196] musb-hdrc musb-hdrc.0.auto: new USB bus registered, assigned bus number 1
[    6.120239] w1_master_driver w1_bus_master1: Attaching one wire slave 01.000000000000 crc 3d
[    6.161010] bq27xxx_battery_setup
[    6.165832] bq27xxx_battery_setup: dm_regs=  (null)
[    6.178680] (NULL device *): hwmon: 'bq27000-battery' is not a valid name attribute, please fix
[    6.195587] iio delayed_work:00 00 00 00 00 00 00 00 00 00 00 00 38 8e 14 c0
[    6.203521] bq27xxx_battery_settings
[    6.207244] bq27xxx_battery_settings: power_supply_get_battery_info failed ret=-1088610284
[    6.231140] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 4.18
[    6.286590] iio delayed_work:00 00 20 00 00 00 00 00 00 00 00 00
[    6.309936] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[    6.346557] usb usb1: Product: MUSB HDRC host driver
[    6.376220] usb usb1: Manufacturer: Linux 4.18.0-rc6-letux+ musb-hcd
--
[   24.915069] systemd-logind[2717]: New seat seat0.
[   26.077636] systemd-logind[2717]: Failed to start user service: Unknown unit: user at 0.service
[   26.133728] systemd-logind[2717]: New session 1 of user root.
[   69.351837] iio delayed_work open:00 c8 7f ee 00 70 7e ee 00 f8 7d ee 54 86 06 bf
[   69.360107] iio delayed_work open:00 00 00 00 00 00 00 00 00 00 00 00 38 8e 14 c0
[   69.370056] iio delayed_work open:00 00 20 00 00 00 00 00 00 00 00 00
[   69.377502] ------------[ cut here ]------------
[   69.382385] WARNING: CPU: 0 PID: 3281 at ../kernel/workqueue.c:1513 __queue_delayed_work+0xd8/0x140
[   69.391845] Modules linked in: bnep bluetooth ecdh_generic ipv6 usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs dm_crypt dm_mod dax arc4 wl18xx wlcore mac80211 cfg80211 omapdrm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm drm_panel_orientation_quirks pps_gpio panel_tpo_td028ttec1 snd_soc_simple_card snd_soc_simple_card_utils snd_soc_omap_twl4030 pps_core encoder_opa362 wwan_on_off snd_soc_gtm601 pwm_omap_dmtimer connector_analog_tv generic_adc_battery pwm_bl bmp280_spi ov9655 v4l2_fwnode wlcore_sdio v4l2_common bq27xxx_battery_hdq bq27xxx_battery omap_hdq omap2430 bmp280_i2c videodev bmp280 bmc150_accel_i2c bmc150_magn_i2c at24 media bmc150_magn bmc150_accel_core leds_tca6507 tsc2007 bno055 industrialio_triggered_buffer kfifo_buf phy_twl4030_usb snd_soc_omap_mcbsp

So the first 12 bytes change their value; those are the prev/next pointers of the list_head (which initially point to itself) and work_struct.data.

I checked:
inputbridge_work is never called.

Regards,
Andreas
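The check described in the mail can be done mechanically on the dmesg lines above. The following Python script is an added example and is not part of the mail or of the Letux kernel tree; it parses the "iio delayed work at" address line and the two print_hex_dump snapshots, decodes the leading struct work_struct with the 32-bit ARM layout assumed here (atomic_long_t data, struct list_head entry, work_func_t func, no CONFIG_LOCKDEP), and verifies the invariant the author relies on: right after INIT_DELAYED_WORK, `data` holds the WORK_DATA_INIT value (assumed to be WORK_STRUCT_NO_POOL = 0xffffffe0 on 32-bit, which is what the first dump shows) and `entry.next`/`entry.prev` point at `entry` itself. The dmesg excerpt embedded below is constructed from the lines quoted in the mail, with unrelated kernel messages left out.

```python
import re
import struct

# Constructed excerpt of the dmesg output quoted in the mail; only the lines
# the parser needs are kept.
DMESG = """\
[    6.056365] iio delayed work at bf06b400
[    6.092315] iio delayed_work:e0 ff ff ff 04 b4 06 bf 04 b4 06 bf 54 86 06 bf
[    6.195587] iio delayed_work:00 00 00 00 00 00 00 00 00 00 00 00 38 8e 14 c0
[    6.286590] iio delayed_work:00 00 20 00 00 00 00 00 00 00 00 00
[   69.351837] iio delayed_work open:00 c8 7f ee 00 70 7e ee 00 f8 7d ee 54 86 06 bf
[   69.360107] iio delayed_work open:00 00 00 00 00 00 00 00 00 00 00 00 38 8e 14 c0
[   69.370056] iio delayed_work open:00 00 20 00 00 00 00 00 00 00 00 00
"""

# Assumed layout of struct work_struct on 32-bit ARM without CONFIG_LOCKDEP
# (Linux 4.18): atomic_long_t data; struct list_head entry; work_func_t func.
WORK_STRUCT_FMT = "<IIII"      # data, entry.next, entry.prev, func (little endian)
ENTRY_OFFSET = 4               # offsetof(struct work_struct, entry)
# Assumed WORK_DATA_INIT() value on 32-bit: WORK_STRUCT_NO_POOL = (2**27 - 1) << 5.
WORK_STRUCT_NO_POOL = ((1 << 27) - 1) << 5    # 0xffffffe0

ADDR_RE = re.compile(r"iio delayed work at ([0-9a-f]+)")
DUMP_RE = re.compile(r"iio delayed_work(?P<tag> \w+)?:(?P<hex>(?:[0-9a-f]{2} ?)+)$")


def parse_dmesg(text):
    """Return (address of input_work, {snapshot name: raw bytes}).

    print_hex_dump() splits one dump over several lines with the same prefix,
    so lines are concatenated per prefix; the untagged prefix is the snapshot
    taken right after INIT_DELAYED_WORK and is named "init" here."""
    base = None
    snapshots = {}
    for line in text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            base = int(m.group(1), 16)
            continue
        m = DUMP_RE.search(line)
        if m:
            name = (m.group("tag") or " init").strip()
            raw = bytes.fromhex(m.group("hex").replace(" ", ""))
            snapshots[name] = snapshots.get(name, b"") + raw
    return base, snapshots


def decode_work_struct(snapshot):
    """Decode the struct work_struct that starts a struct delayed_work."""
    data, nxt, prv, func = struct.unpack_from(WORK_STRUCT_FMT, snapshot, 0)
    return {"data": data, "entry.next": nxt, "entry.prev": prv, "func": func}


def is_pristine(fields, base):
    """True if the work_struct still looks freshly initialised: data holds the
    WORK_DATA_INIT value and the embedded list_head points to itself."""
    entry_addr = base + ENTRY_OFFSET
    return (fields["data"] == WORK_STRUCT_NO_POOL
            and fields["entry.next"] == entry_addr
            and fields["entry.prev"] == entry_addr)


def changed_fields(before, after):
    """Names of work_struct fields whose value differs between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])


def changed_byte_offsets(before, after):
    """Byte offsets (over the whole delayed_work dump) that differ."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def analyse(text):
    """Compare the init-time and open-time snapshots of input_work."""
    base, snaps = parse_dmesg(text)
    init = decode_work_struct(snaps["init"])
    opened = decode_work_struct(snaps["open"])
    return {
        "base": base,
        "init_pristine": is_pristine(init, base),
        "open_pristine": is_pristine(opened, base),
        "changed": changed_fields(init, opened),
        "changed_bytes": changed_byte_offsets(snaps["init"], snaps["open"]),
        "func_intact": init["func"] == opened["func"],
    }


if __name__ == "__main__":
    report = analyse(DMESG)
    print("input_work at 0x%08x" % report["base"])
    print("init snapshot self-consistent:", report["init_pristine"])
    print("open snapshot self-consistent:", report["open_pristine"])
    print("fields changed between init and open:", report["changed"])
    print("byte offsets changed:", report["changed_bytes"])
    print("func pointer intact:", report["func_intact"])
```

Run on the quoted lines, the script confirms the mail's reading: the init snapshot is self-consistent (data 0xffffffe0, next and prev both 0xbf06b404, i.e. &input_work + 4), the open-time snapshot is not, exactly bytes 0 to 11 (data, entry.next, entry.prev) differ, and the func pointer and the trailing timer bytes are untouched. Because the check is keyed on the struct's own address, a dump whose list_head pointers do not equal base + 4 is flagged even when the bytes are non-zero, which is the case one wants to catch when a work item is queued later by a different code path.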