Use after free in bcm2835_spi_remove()

From: Florian Fainelli
Date: Wed Oct 14 2020 - 05:24:47 EST


Hi Lukas,

With KASAN now working on ARM 32-bit, I was able to get the following
trace upon reboot which invokes bcm2835_spi_shutdown() calling
bcm2835_spi_remove(), the same can be triggered by doing a driver unbind:

# pwd
/sys/devices/platform/rdb/47e204800.spi/driver
# echo 47e204800.spi > unbind

How would you go about fixing this? This was not on a Rpi 4 but in
principle the same problem exists there.

Thanks!

[ 229.746516]
==================================================================
[ 229.754013] BUG: KASAN: use-after-free in bcm2835_dma_release+0x2c/0x260
[ 229.760820] Read of size 4 at addr e0f08358 by task reboot/157
[ 229.766727]
[ 229.768302] CPU: 0 PID: 157 Comm: reboot Not tainted 5.9.0-gdf4dd84a3f7d #27
[ 229.775445] Hardware name: Broadcom STB (Flattened Device Tree)
[ 229.781448] Backtrace:
[ 229.784017] [<c02120b4>] (dump_backtrace) from [<c02123d8>] (show_stack+0x20/0x24)
[ 229.791738] r9:ffffffff r8:00000080 r7:c298e3c0 r6:400f0093 r5:00000000 r4:c298e3c0
[ 229.799655] [<c02123b8>] (show_stack) from [<c08852a0>] (dump_stack+0xbc/0xe0)
[ 229.807050] [<c08851e4>] (dump_stack) from [<c04522bc>] (print_address_description.constprop.3+0x3c/0x4b0)
[ 229.816863] r10:c2b771c0 r9:e46d9848 r8:e46d9854 r7:00000000 r6:c0b3ea3c r5:eeea5940
[ 229.824815] r4:e0f08358 r3:00000100
[ 229.828510] [<c0452280>] (print_address_description.constprop.3) from [<c0452944>] (kasan_report+0x15c/0x178)
[ 229.838575] r8:e46d9854 r7:00000000 r6:c0b3ea3c r5:0000009d r4:e0f08358
[ 229.845411] [<c04527e8>] (kasan_report) from [<c0452f24>] (__asan_load4+0x6c/0xbc)
[ 229.853109] r7:e0f08380 r6:e0f08000 r5:e0f08358 r4:e0f08380
[ 229.858898] [<c0452eb8>] (__asan_load4) from [<c0b3ea3c>] (bcm2835_dma_release+0x2c/0x260)
[ 229.867318] [<c0b3ea10>] (bcm2835_dma_release) from [<c0b3ecd8>] (bcm2835_spi_remove+0x68/0xa4)
[ 229.876166] r9:e46d9848 r8:e46d9854 r7:e0f083c0 r6:00000000 r5:e0f08000 r4:e0f08380
[ 229.884069] [<c0b3ec70>] (bcm2835_spi_remove) from [<c0b3ed30>] (bcm2835_spi_shutdown+0x1c/0x38)
[ 229.892991] r7:c2fc7f40 r6:e46d9810 r5:c2a1d854 r4:e46d9800
[ 229.898788] [<c0b3ed14>] (bcm2835_spi_shutdown) from [<c0a17010>] (platform_drv_shutdown+0x40/0x44)
[ 229.907958] r5:c2a1d854 r4:e46d9810
[ 229.911653] [<c0a16fd0>] (platform_drv_shutdown) from [<c0a0f91c>] (device_shutdown+0x248/0x35c)
[ 229.920561] r5:e465b810 r4:e46d9814
[ 229.924255] [<c0a0f6d4>] (device_shutdown) from [<c0269418>] (kernel_restart_prepare+0x4c/0x50)
[ 229.933103] r10:01234567 r9:fee1dead r8:dfdb3f60 r7:c2835240 r6:c2806d48 r5:00000000
[ 229.941045] r4:c2806d40
[ 229.943675] [<c02693cc>] (kernel_restart_prepare) from [<c0269528>] (kernel_restart+0x1c/0x60)
[ 229.952405] r5:00000000 r4:00000000
[ 229.956084] [<c026950c>] (kernel_restart) from [<c0269810>] (__do_sys_reboot+0x148/0x260)
[ 229.964380] r5:00000000 r4:bafb67c0
[ 229.968057] [<c02696c8>] (__do_sys_reboot) from [<c0269998>] (sys_reboot+0x18/0x1c)
[ 229.975852] r10:00000058 r9:dfdb0000 r8:c0200228 r7:00000058 r6:00000000 r5:00000004
[ 229.983792] r4:00000002
[ 229.986422] [<c0269980>] (sys_reboot) from [<c0200060>] (ret_fast_syscall+0x0/0x2c)
[ 229.994190] Exception stack(0xdfdb3fa8 to 0xdfdb3ff0)
[ 229.999350] 3fa0: 00000002 00000004 fee1dead 28121969 01234567 000a9864
[ 230.007669] 3fc0: 00000002 00000004 00000000 00000058 00000000 00000000 aedbe000 00000000
[ 230.015974] 3fe0: aecce8f0 b6a81cec 000982d4 aecce910
[ 230.021095]
[ 230.022636] Allocated by task 20:
[ 230.026039] kasan_save_stack+0x24/0x48
[ 230.029962] __kasan_kmalloc.constprop.1+0xb8/0xc4
[ 230.034842] kasan_kmalloc+0x10/0x14
[ 230.038495] __kmalloc+0x168/0x2f4
[ 230.041976] __spi_alloc_controller+0x30/0xc0
[ 230.046421] bcm2835_spi_probe+0x90/0x4cc
[ 230.050514] platform_drv_probe+0x70/0xc8
[ 230.054612] really_probe+0x184/0x728
[ 230.058361] driver_probe_device+0xa4/0x278
[ 230.062637] __device_attach_driver+0xe8/0x148
[ 230.067169] bus_for_each_drv+0x108/0x158
[ 230.071267] __device_attach+0x190/0x234
[ 230.075279] device_initial_probe+0x1c/0x20
[ 230.079551] bus_probe_device+0xdc/0xec
[ 230.083475] deferred_probe_work_func+0xd4/0x11c
[ 230.088196] process_one_work+0x420/0x8f0
[ 230.092293] worker_thread+0x4fc/0x91c
[ 230.096127] kthread+0x21c/0x22c
[ 230.099427] ret_from_fork+0x14/0x20
[ 230.103075] 0x0
[ 230.104957]
[ 230.106496] Freed by task 157:
[ 230.109627] kasan_save_stack+0x24/0x48
[ 230.113542] kasan_set_track+0x30/0x38
[ 230.117375] kasan_set_free_info+0x28/0x34
[ 230.121553] __kasan_slab_free+0x110/0x144
[ 230.125732] kasan_slab_free+0x14/0x18
[ 230.129556] kfree+0xbc/0x2b8
[ 230.132597] spi_controller_release+0x18/0x1c
[ 230.137037] device_release+0x4c/0xf0
[ 230.140781] kobject_put+0x14c/0x2d8
[ 230.144434] device_unregister+0x44/0x84
[ 230.148438] spi_unregister_controller+0xcc/0x124
[ 230.153233] bcm2835_spi_remove+0x5c/0xa4
[ 230.157328] bcm2835_spi_shutdown+0x1c/0x38
[ 230.161593] platform_drv_shutdown+0x40/0x44
[ 230.165949] device_shutdown+0x248/0x35c
[ 230.169953] kernel_restart_prepare+0x4c/0x50
[ 230.174391] kernel_restart+0x1c/0x60
[ 230.178131] __do_sys_reboot+0x148/0x260
[ 230.182132] sys_reboot+0x18/0x1c
[ 230.185519] ret_fast_syscall+0x0/0x2c
[ 230.189335] 0xb6a81cec
[ 230.191829]
[ 230.193380] The buggy address belongs to the object at e0f08000
[ 230.193380] which belongs to the cache kmalloc-2k of size 2048
[ 230.205354] The buggy address is located 856 bytes inside of
[ 230.205354] 2048-byte region [e0f08000, e0f08800)
[ 230.215907] The buggy address belongs to the page:
[ 230.220806] page:b990e388 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x20f08
[ 230.228841] head:b990e388 order:3 compound_mapcount:0 compound_pincount:0
[ 230.235731] flags: 0x2010200(slab|head)
[ 230.239688] raw: 02010200 00000000 00000100 00000122 e4401800 00000000 80080008 00000000
[ 230.247895] raw: ffffffff 00000001
[ 230.251358] page dumped because: kasan: bad access detected
[ 230.257000]
[ 230.258534] Memory state around the buggy address:
[ 230.263412] e0f08200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 230.270038] e0f08280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 230.276662] >e0f08300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 230.283272] ^
[ 230.288759] e0f08380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 230.295384] e0f08400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 230.301992]
==================================================================
[ 230.309311] Disabling lock debugging due to kernel taint
[ 230.325568] reboot: Restarting system

--
Florian
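The mechanism the KASAN report records, modelled in user-space C as an added example (this is not code from the kernel, from the bcm2835 driver or from this thread). The trace shows the controller object allocated by __spi_alloc_controller() in probe, freed from bcm2835_spi_remove() via spi_unregister_controller() -> device_unregister() -> kobject_put() -> spi_controller_release() -> kfree(), and then read 856 bytes into the freed 2048-byte object by bcm2835_dma_release(), which the driver calls after the unregister. The model reproduces that ordering with a refcounted struct: the registered device core owns the only reference, so unregistering drops it to zero. The struct layout and the names ctlr_alloc/ctlr_get/ctlr_put/ctlr_unregister are hypothetical stand-ins (the kernel counterparts of the get/put pair are spi_controller_get()/spi_controller_put()); remove_fixed() shows the generic pattern of holding a reference across the unregister and is presented as one way to close such a window, not as the fix that was applied to the driver. The model never dereferences freed memory; it records the last freed pointer and reports a would-be use-after-free as a return value.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * User-space model of the refcounted object in the trace above (hypothetical
 * names and layout; not the kernel's struct spi_controller).  The device core
 * owns one reference; the driver owns none unless it explicitly takes one.
 */
struct controller {
    int refcount;
    int registered;
    unsigned char pad[64];   /* stand-in for the fields before the driver data */
    uint32_t dma_chan;       /* stand-in for the field bcm2835_dma_release() reads */
};

/* Last pointer handed to free(): lets the model detect a UAF without
 * dereferencing freed memory. */
static const void *last_freed;

static struct controller *ctlr_alloc(void)
{
    struct controller *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->refcount = 1;        /* the reference the device core will drop */
    c->registered = 1;
    c->dma_chan = 7;        /* constructed sample value */
    last_freed = NULL;
    return c;
}

/* Analogue of spi_controller_get(). */
static struct controller *ctlr_get(struct controller *c)
{
    c->refcount++;
    return c;
}

/* Analogue of spi_controller_put(): frees on the last reference. */
static void ctlr_put(struct controller *c)
{
    if (--c->refcount == 0) {
        /* Poison like KASAN's freed-slab shadow byte (0xfb) before releasing. */
        memset(c, 0xfb, sizeof(*c));
        last_freed = c;
        free(c);
    }
}

/* Analogue of spi_unregister_controller(): drops the device core's reference,
 * which is the last one when the driver holds none of its own. */
static void ctlr_unregister(struct controller *c)
{
    c->registered = 0;
    ctlr_put(c);
}

/* 1 if @c has already been freed, i.e. reading c->dma_chan would be a UAF.
 * Compares pointers only; never touches the object. */
static int is_freed(const struct controller *c)
{
    return c == last_freed;
}

/* The ordering the trace shows: unregister first, then read driver data that
 * lives inside the controller allocation.  Returns 1 when that read would be
 * a use-after-free (the real driver performs the read and KASAN catches it). */
static int remove_buggy(struct controller *c)
{
    ctlr_unregister(c);
    return is_freed(c);
}

/* One way to close the window: hold a reference across the unregister, do the
 * cleanup that touches driver data, and drop the reference last.  Returns the
 * value read from dma_chan, or -1 if the object had already been freed. */
static int remove_fixed(struct controller *c)
{
    int chan;

    ctlr_get(c);
    ctlr_unregister(c);          /* refcount 2 -> 1, object stays alive */
    if (is_freed(c))
        return -1;
    chan = (int)c->dma_chan;     /* safe: the driver still holds a reference */
    ctlr_put(c);                 /* refcount 1 -> 0, freed here, after cleanup */
    return chan;
}
```

The same reasoning applies to anything else remove() touches that is embedded in or hangs off the controller allocation (driver data obtained from the controller, DMA channel handles stored there): either finish using it before the unregister, or keep a reference until the last use.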