Bugs in Out-Of-Tree Linux Drivers

The bugs listed below are from assorted out-of-tree Linux drivers. A link to, or a description of, the driver source is given for each entry.

Driver: akm8975 (Android 3.0 kernel)
Bug: The driver calls request_irq before it is ready to service interrupts. request_irq is called in akm8975_init_client, but akm->this_client is not set until after that call. An interrupt arriving in that window can crash the handler, which dereferences the not-yet-set pointer in this line: disable_irq_nosync(akm->this_client->irq);
Source: There is a similar copy of the driver available here that exhibits this bug, though this is not the precise version of the driver we used. The link is just for convenience.

Driver: akm8975 (Android 3.0 kernel)
Bug: The driver does not remove a device file created during probe (via device_create_file). This bug is a kind of memory leak.
Source: There is a similar copy of the driver available here that exhibits this bug.

Driver: akm8975 (Android 3.0 kernel)
Bug: The driver does not appear to stop its work queue during module unload. The interrupt handler schedules work via schedule_work(&akm->work), but there is no corresponding flush_work or cancel_work call. In addition, the work function could call enable_irq even though the interrupt has already been freed during module unload.
Source: There is a similar copy of the driver available here that exhibits this bug.

Driver: akm8975 (Android 3.0 kernel)
Bug: akm8975_remove unconditionally calls free_irq even though the IRQ may never have been allocated. This happens when probe does not complete successfully.
Source: There is a similar copy of the driver available here that exhibits this bug.

Driver: mmc31xx (counted as two bugs; driver from here)
Bug: Resource leaks during driver unload. device_create_file is called twice, but the files are never removed. class_create is called, but the class is never destroyed.
Source: We verified that this driver runs on a real phone.

Driver: mmc31xx (driver from here)
Bug: There are three calls to device_create_file (in mmc31xx_init and mmc31xx_probe), but no calls to remove the files on either the failure path or the success path.
Source: We verified that this driver runs on a real phone.

Driver: a1026 (CyanogenMod 2.6.37.6)
Bug: kmalloc may be called with a size of zero. That is not itself a bug (see here), but we would argue that the code is very fragile and should be modified. a1026_bootup_init reads an unsigned int from user mode with no lower-bounds check: the kmalloc call passes img->img_size, and img_size is constrained only to be less than a constant, so it may be zero. The pointer returned for a zero-size allocation is then passed to copy_from_user as an invalid kernel pointer. This does not appear to cause a bug in the current code, but it is very dangerous, since any future (accidental) dereference of that pointer would crash the kernel.
Source: The driver is available here.

Driver: tle62x0 (Android kernel 3.0)
Bug: A device_remove_file call is missing for one file created during probe: ret = device_create_file(&spi->dev, &dev_attr_status_show); has no corresponding remove. Loading, unloading and re-loading the module results in an error because the file is still present.
Source: There is a similar copy of the driver available here that exhibits this bug, though this is not the precise version of the driver we used. The link is just for convenience.

Driver: tle62x0 (Android kernel 3.0)
Bug: The probe error-handling code is incorrect. This loop creates one file per GPIO, e.g. files 0, 1, 2, 3: for (ptr = 0; ptr < pdata->gpio_count; ptr++) { .... Suppose creation of file 4 fails. The error-handling code reads: for (; ptr > 0; ptr--) { .... That loop removes files 4, 3, 2, 1, which does not match what was created: file 4 never existed, and file 0 is never removed.
Source: There is a similar copy of the driver available here.
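A userspace model of the tle62x0 probe unwind described above, added here as an example and not code from the page or from the driver: fake_create_file and fake_remove_file stand in for device_create_file and device_remove_file, the failing index is constructed, and the corrected unwind (while (ptr-- > 0)) is run beside the page's loop so the leaked file and the bogus remove are visible.

```c
#include <stdbool.h>
#include <string.h>
#define NFILES 8
static bool file_present[NFILES]; /* sysfs files for gpio 0..NFILES-1 (model) */
static int fail_at;               /* index whose create fails; -1 = none */
static int bogus_removes;         /* removes of a file that was never created */

/* Stand-in for device_create_file(): 0 on success, negative on failure. */
static int fake_create_file(int idx)
{
    if (idx == fail_at)
        return -1;
    file_present[idx] = true;
    return 0;
}

/* Stand-in for device_remove_file(); counts removes of absent files. */
static void fake_remove_file(int idx)
{
    if (!file_present[idx])
        bogus_removes++;
    file_present[idx] = false;
}

/* Runs the probe loop with the page's unwind (fixed == false) or the corrected
 * one. Returns a bitmask of files still present; on the error path it should be 0. */
static unsigned run_probe(int gpio_count, int fail, bool fixed)
{
    int ptr;
    unsigned mask = 0;
    memset(file_present, 0, sizeof file_present);
    fail_at = fail;
    bogus_removes = 0;
    for (ptr = 0; ptr < gpio_count; ptr++) {
        if (fake_create_file(ptr) < 0) {
            if (fixed) {
                while (ptr-- > 0)       /* removes ptr-1 down to 0 */
                    fake_remove_file(ptr);
            } else {
                for (; ptr > 0; ptr--)  /* bug: removes ptr down to 1 */
                    fake_remove_file(ptr);
            }
            break;
        }
    }
    for (ptr = 0; ptr < NFILES; ptr++)
        if (file_present[ptr])
            mask |= 1u << ptr;
    return mask;
}
```

With the failure injected at index 4, the page's loop leaves file 0 behind and removes a file that was never created; the corrected loop leaves nothing behind.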