BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs]
Kernel: v5.13-rc4-88-gf88cd3fb9df2
GCC: aarch64-linux-gnu-gcc 10.0.0 20191203
HW: Renesas R-Car H3-ES2.0-Salvator-X
root@rcar-gen3:~# cat ffs2.sh | |
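# ffs2.sh — minimal reproducer for the KASAN use-after-free in
# ffs_data_clear (usb_f_fs) reported below; kernel v5.13-rc4-88-gf88cd3fb9df2.
#
# Every step runs as root (mount and configfs writes), so reaching the bug
# needs that level of privilege. The script intentionally has no error
# checking: a failed step is not fatal, so run it with `sh -x` (as in the
# transcript) and confirm each command succeeded before reading a
# non-reproduction as "fixed".
#
# Sequence, matched to the three stacks in the report:
#   1. configfs mkdir of functions/ffs.ffs  -> ffs_alloc_inst (kzalloc), "Allocated by"
#   2. mount functionfs against that instance
#   3. configfs rmdir of the same directory  -> ffs_free_inst (kfree), "Freed by"
#   4. close of /dev/ffs/ep0 -> ffs_ep0_release -> ffs_data_clear writes 1 byte
#      74 bytes into the freed 128-byte object -> KASAN report, then the
#      follow-up oops and SIGSEGV of cat.

# Mount points for functionfs and configfs.
mkdir -p /dev/ffs
mkdir -p /dev/cfs

# libcomposite provides the usb_gadget configfs tree; usb_f_fs is never
# modprobed here but shows up in "Modules linked in", and "file system
# registered" is logged right after the ffs.ffs mkdir — presumably it is
# loaded on demand by that mkdir (confirm on your kernel).
modprobe libcomposite
mount -t configfs none /dev/cfs
mkdir -p /dev/cfs/usb_gadget/g1

# Step 1: allocates the ffs function instance.
mkdir -p /dev/cfs/usb_gadget/g1/functions/ffs.ffs

# Step 2: mount functionfs; the "ffs" source name matches the instance
# name in ffs.ffs, which is presumably how the mount is tied to it.
mount -t functionfs ffs /dev/ffs

# Step 3: frees the instance while the functionfs mount is still in place.
rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs

# Step 4: opening and then closing ep0 runs the release path
# (__fput -> ffs_ep0_release -> ffs_data_closed -> ffs_data_reset ->
# ffs_data_clear) on memory freed in step 3.
cat /dev/ffs/ep0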
root@rcar-gen3:~# sh -x ffs2.sh | |
+ mkdir -p /dev/ffs | |
+ mkdir -p /dev/cfs | |
+ modprobe libcomposite | |
+ mount -t configfs none /dev/cfs | |
+ mkdir -p /dev/cfs/usb_gadget/g1 | |
+ mkdir -p /dev/cfs/usb_gadget/g1/functions/ffs.ffs | |
[ 53.436219] file system registered | |
+ mount -t functionfs ffs /dev/ffs | |
+ rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs | |
[ 53.630227] unloading | |
+ cat /dev/ffs/ep0 | |
cat: read error:[ 53.731884] ================================================================== | |
[ 53.740435] BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs] | |
[ 53.748061] Write of size 1 at addr ffff0004c219e24a by task cat/2995 | |
[ 53.754821] | |
[ 53.756422] CPU: 0 PID: 2995 Comm: cat Not tainted 5.13.0-rc4+ #9 | |
[ 53.762816] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) | |
[ 53.770022] Call trace: | |
[ 53.772615] dump_backtrace+0x0/0x330 | |
[ 53.776492] show_stack+0x20/0x2c | |
[ 53.779997] dump_stack+0x11c/0x1ac | |
[ 53.783685] print_address_description.constprop.0+0x30/0x274 | |
[ 53.789727] kasan_report+0x14c/0x1c8 | |
[ 53.793593] __asan_report_store1_noabort+0x34/0x58 | |
[ 53.798728] ffs_data_clear+0x70/0x370 [usb_f_fs] | |
[ 53.803692] ffs_data_reset+0x20/0x304 [usb_f_fs] | |
[ 53.808655] ffs_data_closed+0x240/0x244 [usb_f_fs] | |
[ 53.813798] ffs_ep0_release+0x40/0x54 [usb_f_fs] | |
[ 53.818760] __fput+0x304/0x580 | |
[ 53.822086] ____fput+0x18/0x24 | |
[ 53.825410] task_work_run+0x104/0x180 | |
[ 53.829371] do_notify_resume+0x458/0x14e0 | |
[ 53.833689] work_pending+0xc/0x5f8 | |
[ 53.837377] | |
[ 53.838976] Allocated by task 2989: | |
[ 53.842657] kasan_save_stack+0x28/0x58 | |
[ 53.846711] kasan_set_track+0x28/0x3c | |
[ 53.850668] ____kasan_kmalloc+0x84/0x9c | |
[ 53.854806] __kasan_kmalloc+0x10/0x1c | |
[ 53.858764] __kmalloc+0x214/0x2f8 | |
[ 53.862361] kzalloc.constprop.0+0x14/0x20 [usb_f_fs] | |
[ 53.867687] ffs_alloc_inst+0x8c/0x208 [usb_f_fs] | |
[ 53.872650] try_get_usb_function_instance+0xf0/0x164 [libcomposite] | |
[ 53.879357] usb_get_function_instance+0x64/0x68 [libcomposite] | |
[ 53.885599] function_make+0x128/0x1ec [libcomposite] | |
[ 53.890938] configfs_mkdir+0x330/0x590 [configfs] | |
[ 53.896007] vfs_mkdir+0x12c/0x1bc | |
[ 53.899606] do_mkdirat+0x180/0x1d0 | |
[ 53.903292] __arm64_sys_mkdirat+0x80/0x94 | |
[ 53.907611] invoke_syscall+0xf8/0x25c | |
[ 53.911569] el0_svc_common.constprop.0+0x150/0x1a0 | |
[ 53.916700] do_el0_svc+0xa0/0xd4 | |
[ 53.920203] el0_svc+0x24/0x34 | |
[ 53.923437] el0_sync_handler+0xcc/0x154 | |
[ 53.927574] el0_sync+0x198/0x1c0 | |
[ 53.931076] | |
[ 53.932674] Freed by task 2994: | |
[ 53.935992] kasan_save_stack+0x28/0x58 | |
[ 53.940040] kasan_set_track+0x28/0x3c | |
[ 53.943996] kasan_set_free_info+0x28/0x4c | |
[ 53.948314] ____kasan_slab_free+0x104/0x118 | |
[ 53.952813] __kasan_slab_free+0x18/0x24 | |
[ 53.956948] slab_free_freelist_hook+0x148/0x1f0 | |
[ 53.961808] kfree+0x318/0x440 | |
[ 53.965040] ffs_free_inst+0x164/0x2d8 [usb_f_fs] | |
[ 53.970002] usb_put_function_instance+0x84/0xa4 [libcomposite] | |
[ 53.976244] ffs_attr_release+0x18/0x24 [usb_f_fs] | |
[ 53.981295] config_item_put+0x140/0x1a4 [configfs] | |
[ 53.986446] configfs_rmdir+0x3fc/0x518 [configfs] | |
[ 53.991508] vfs_rmdir+0x114/0x234 | |
[ 53.995103] do_rmdir+0x274/0x2b0 | |
[ 53.998604] __arm64_sys_unlinkat+0x94/0xc8 | |
[ 54.003009] invoke_syscall+0xf8/0x25c | |
[ 54.006964] el0_svc_common.constprop.0+0x150/0x1a0 | |
[ 54.012095] do_el0_svc+0xa0/0xd4 | |
[ 54.015598] el0_svc+0x24/0x34 | |
[ 54.018830] el0_sync_handler+0xcc/0x154 | |
[ 54.022966] el0_sync+0x198/0x1c0 | |
[ 54.026469] | |
[ 54.028066] The buggy address belongs to the object at ffff0004c219e200 | |
[ 54.028066] which belongs to the cache kmalloc-128 of size 128 | |
[ 54.041150] The buggy address is located 74 bytes inside of | |
[ 54.041150] 128-byte region [ffff0004c219e200, ffff0004c219e280) | |
[ 54.053334] The buggy address belongs to the page: | |
[ 54.058371] page:000000009d51fbae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x50219e | |
[ 54.068212] head:000000009d51fbae order:1 compound_mapcount:0 | |
[ 54.074243] flags: 0x8000000000010200(slab|head|zone=2) | |
[ 54.079745] raw: 8000000000010200 dead000000000100 dead000000000122 ffff0004c0002300 | |
[ 54.087867] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 | |
[ 54.095981] page dumped because: kasan: bad access detected | |
[ 54.101828] | |
[ 54.103425] Memory state around the buggy address: | |
[ 54.108461] ffff0004c219e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
[ 54.116037] ffff0004c219e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | |
[ 54.123613] >ffff0004c219e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
[ 54.131186] ^ | |
[ 54.137036] ffff0004c219e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | |
[ 54.144614] ffff0004c219e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
[ 54.152190] ================================================================== | |
[ 54.159762] Disabling lock debugging due to kernel taint | |
File descriptor[ 54.165539] Unable to handle kernel paging request at virtual address efff801d2000018d | |
in bad state | |
[ 54.174738] Mem abort info: | |
[ 54.178868] ESR = 0x96000004 | |
[ 54.182021] EC = 0x25: DABT (current EL), IL = 32 bits | |
[ 54.187443] SET = 0, FnV = 0 | |
[ 54.190593] EA = 0, S1PTW = 0 | |
[ 54.193829] Data abort info: | |
[ 54.196802] ISV = 0, ISS = 0x00000004 | |
[ 54.200756] CM = 0, WnR = 0 | |
[ 54.203820] [efff801d2000018d] address between user and kernel address ranges | |
[ 54.211077] Internal error: Oops: 96000004 [#1] PREEMPT SMP | |
[ 54.216697] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash4 | |
[ 54.259675] CPU: 0 PID: 2995 Comm: cat Tainted: G B 5.13.0-rc4+ #9 | |
[ 54.267212] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) | |
[ 54.274130] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--) | |
[ 54.280180] pc : ffs_data_clear+0x138/0x370 [usb_f_fs] | |
[ 54.285376] lr : ffs_data_clear+0x124/0x370 [usb_f_fs] | |
[ 54.290564] sp : ffff8000147b7ad0 | |
[ 54.293903] x29: ffff8000147b7ad0 x28: ffff800009cec1c0 x27: ffff0004d0827ca0 | |
[ 54.301108] x26: ffff0004d2a90498 x25: 1fffe00098eeba85 x24: 00000000000a801d | |
[ 54.308311] x23: 1fffe00099a7e23a x22: dfff800000000000 x21: ffff0004cd3f11d0 | |
[ 54.315513] x20: 800000e900000bb2 x19: ffff0004cd3f1000 x18: 0000000000000000 | |
[ 54.322716] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 | |
[ 54.329917] x14: 0720072007200720 x13: 0000000000000000 x12: 1fffe000984aca1a | |
[ 54.337119] x11: ffff6000984aca1a x10: 0000000000001740 x9 : dfff800000000000 | |
[ 54.344322] x8 : ffff8000147b7768 x7 : ffff0004c25650d3 x6 : 0000000000000000 | |
[ 54.351524] x5 : 0000000000000001 x4 : ffff6000984aca1b x3 : 0000000000000001 | |
[ 54.358725] x2 : 0000000000000006 x1 : 1000001d2000018d x0 : 800000e900000c6e | |
[ 54.365928] Call trace: | |
[ 54.368396] ffs_data_clear+0x138/0x370 [usb_f_fs] | |
[ 54.373235] ffs_data_reset+0x20/0x304 [usb_f_fs] | |
[ 54.377987] ffs_data_closed+0x240/0x244 [usb_f_fs] | |
[ 54.382913] ffs_ep0_release+0x40/0x54 [usb_f_fs] | |
[ 54.387665] __fput+0x304/0x580 | |
[ 54.390843] ____fput+0x18/0x24 | |
[ 54.394014] task_work_run+0x104/0x180 | |
[ 54.397799] do_notify_resume+0x458/0x14e0 | |
[ 54.401931] work_pending+0xc/0x5f8 | |
[ 54.405459] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821) | |
[ 54.411597] ---[ end trace eb83c7c75a9b6c12 ]--- | |
ffs2.sh: line 9: 2995 Segmentation fault cat /dev/ffs/ep0 | |
root@rcar-gen3:~# |