BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs]
Kernel: v5.13-rc4-88-gf88cd3fb9df2
GCC: aarch64-linux-gnu-gcc 10.0.0 20191203
HW: Renesas R-Car H3-ES2.0-Salvator-X
root@rcar-gen3:~# cat ffs2.sh
# Reproducer for the KASAN use-after-free in ffs_data_clear (usb_f_fs).
# Run as root with `sh -x ffs2.sh`; the kernel log below shows the result.
#
# Mount points for functionfs and configfs.
mkdir -p /dev/ffs
mkdir -p /dev/cfs
# libcomposite provides the usb_gadget configfs tree; usb_f_fs is pulled in
# when the ffs function instance is created below.
modprobe libcomposite
mount -t configfs none /dev/cfs
# Create a gadget and an f_fs function instance named "ffs". The mkdir of
# functions/ffs.ffs is the allocation site in the KASAN report
# (configfs_mkdir -> function_make -> ffs_alloc_inst).
mkdir -p /dev/cfs/usb_gadget/g1
mkdir -p /dev/cfs/usb_gadget/g1/functions/ffs.ffs
# Mount the functionfs instance for that function.
mount -t functionfs ffs /dev/ffs
# Remove the function instance while functionfs is still mounted. This is the
# free site in the report (configfs_rmdir -> ffs_attr_release -> ffs_free_inst);
# the mounted filesystem still refers to the freed instance.
rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
# Open and close ep0. The read fails, and the release path
# (ffs_ep0_release -> ffs_data_closed -> ffs_data_reset -> ffs_data_clear)
# writes into the freed object, which KASAN reports.
cat /dev/ffs/ep0
root@rcar-gen3:~# sh -x ffs2.sh
+ mkdir -p /dev/ffs
+ mkdir -p /dev/cfs
+ modprobe libcomposite
+ mount -t configfs none /dev/cfs
+ mkdir -p /dev/cfs/usb_gadget/g1
+ mkdir -p /dev/cfs/usb_gadget/g1/functions/ffs.ffs
[ 53.436219] file system registered
+ mount -t functionfs ffs /dev/ffs
+ rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
[ 53.630227] unloading
+ cat /dev/ffs/ep0
cat: read error:[ 53.731884] ==================================================================
[ 53.740435] BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs]
[ 53.748061] Write of size 1 at addr ffff0004c219e24a by task cat/2995
[ 53.754821]
[ 53.756422] CPU: 0 PID: 2995 Comm: cat Not tainted 5.13.0-rc4+ #9
[ 53.762816] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
[ 53.770022] Call trace:
[ 53.772615] dump_backtrace+0x0/0x330
[ 53.776492] show_stack+0x20/0x2c
[ 53.779997] dump_stack+0x11c/0x1ac
[ 53.783685] print_address_description.constprop.0+0x30/0x274
[ 53.789727] kasan_report+0x14c/0x1c8
[ 53.793593] __asan_report_store1_noabort+0x34/0x58
[ 53.798728] ffs_data_clear+0x70/0x370 [usb_f_fs]
[ 53.803692] ffs_data_reset+0x20/0x304 [usb_f_fs]
[ 53.808655] ffs_data_closed+0x240/0x244 [usb_f_fs]
[ 53.813798] ffs_ep0_release+0x40/0x54 [usb_f_fs]
[ 53.818760] __fput+0x304/0x580
[ 53.822086] ____fput+0x18/0x24
[ 53.825410] task_work_run+0x104/0x180
[ 53.829371] do_notify_resume+0x458/0x14e0
[ 53.833689] work_pending+0xc/0x5f8
[ 53.837377]
[ 53.838976] Allocated by task 2989:
[ 53.842657] kasan_save_stack+0x28/0x58
[ 53.846711] kasan_set_track+0x28/0x3c
[ 53.850668] ____kasan_kmalloc+0x84/0x9c
[ 53.854806] __kasan_kmalloc+0x10/0x1c
[ 53.858764] __kmalloc+0x214/0x2f8
[ 53.862361] kzalloc.constprop.0+0x14/0x20 [usb_f_fs]
[ 53.867687] ffs_alloc_inst+0x8c/0x208 [usb_f_fs]
[ 53.872650] try_get_usb_function_instance+0xf0/0x164 [libcomposite]
[ 53.879357] usb_get_function_instance+0x64/0x68 [libcomposite]
[ 53.885599] function_make+0x128/0x1ec [libcomposite]
[ 53.890938] configfs_mkdir+0x330/0x590 [configfs]
[ 53.896007] vfs_mkdir+0x12c/0x1bc
[ 53.899606] do_mkdirat+0x180/0x1d0
[ 53.903292] __arm64_sys_mkdirat+0x80/0x94
[ 53.907611] invoke_syscall+0xf8/0x25c
[ 53.911569] el0_svc_common.constprop.0+0x150/0x1a0
[ 53.916700] do_el0_svc+0xa0/0xd4
[ 53.920203] el0_svc+0x24/0x34
[ 53.923437] el0_sync_handler+0xcc/0x154
[ 53.927574] el0_sync+0x198/0x1c0
[ 53.931076]
[ 53.932674] Freed by task 2994:
[ 53.935992] kasan_save_stack+0x28/0x58
[ 53.940040] kasan_set_track+0x28/0x3c
[ 53.943996] kasan_set_free_info+0x28/0x4c
[ 53.948314] ____kasan_slab_free+0x104/0x118
[ 53.952813] __kasan_slab_free+0x18/0x24
[ 53.956948] slab_free_freelist_hook+0x148/0x1f0
[ 53.961808] kfree+0x318/0x440
[ 53.965040] ffs_free_inst+0x164/0x2d8 [usb_f_fs]
[ 53.970002] usb_put_function_instance+0x84/0xa4 [libcomposite]
[ 53.976244] ffs_attr_release+0x18/0x24 [usb_f_fs]
[ 53.981295] config_item_put+0x140/0x1a4 [configfs]
[ 53.986446] configfs_rmdir+0x3fc/0x518 [configfs]
[ 53.991508] vfs_rmdir+0x114/0x234
[ 53.995103] do_rmdir+0x274/0x2b0
[ 53.998604] __arm64_sys_unlinkat+0x94/0xc8
[ 54.003009] invoke_syscall+0xf8/0x25c
[ 54.006964] el0_svc_common.constprop.0+0x150/0x1a0
[ 54.012095] do_el0_svc+0xa0/0xd4
[ 54.015598] el0_svc+0x24/0x34
[ 54.018830] el0_sync_handler+0xcc/0x154
[ 54.022966] el0_sync+0x198/0x1c0
[ 54.026469]
[ 54.028066] The buggy address belongs to the object at ffff0004c219e200
[ 54.028066] which belongs to the cache kmalloc-128 of size 128
[ 54.041150] The buggy address is located 74 bytes inside of
[ 54.041150] 128-byte region [ffff0004c219e200, ffff0004c219e280)
[ 54.053334] The buggy address belongs to the page:
[ 54.058371] page:000000009d51fbae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x50219e
[ 54.068212] head:000000009d51fbae order:1 compound_mapcount:0
[ 54.074243] flags: 0x8000000000010200(slab|head|zone=2)
[ 54.079745] raw: 8000000000010200 dead000000000100 dead000000000122 ffff0004c0002300
[ 54.087867] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 54.095981] page dumped because: kasan: bad access detected
[ 54.101828]
[ 54.103425] Memory state around the buggy address:
[ 54.108461] ffff0004c219e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.116037] ffff0004c219e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.123613] >ffff0004c219e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.131186] ^
[ 54.137036] ffff0004c219e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.144614] ffff0004c219e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.152190] ==================================================================
[ 54.159762] Disabling lock debugging due to kernel taint
File descriptor[ 54.165539] Unable to handle kernel paging request at virtual address efff801d2000018d
in bad state
[ 54.174738] Mem abort info:
[ 54.178868] ESR = 0x96000004
[ 54.182021] EC = 0x25: DABT (current EL), IL = 32 bits
[ 54.187443] SET = 0, FnV = 0
[ 54.190593] EA = 0, S1PTW = 0
[ 54.193829] Data abort info:
[ 54.196802] ISV = 0, ISS = 0x00000004
[ 54.200756] CM = 0, WnR = 0
[ 54.203820] [efff801d2000018d] address between user and kernel address ranges
[ 54.211077] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 54.216697] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash4
[ 54.259675] CPU: 0 PID: 2995 Comm: cat Tainted: G B 5.13.0-rc4+ #9
[ 54.267212] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
[ 54.274130] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--)
[ 54.280180] pc : ffs_data_clear+0x138/0x370 [usb_f_fs]
[ 54.285376] lr : ffs_data_clear+0x124/0x370 [usb_f_fs]
[ 54.290564] sp : ffff8000147b7ad0
[ 54.293903] x29: ffff8000147b7ad0 x28: ffff800009cec1c0 x27: ffff0004d0827ca0
[ 54.301108] x26: ffff0004d2a90498 x25: 1fffe00098eeba85 x24: 00000000000a801d
[ 54.308311] x23: 1fffe00099a7e23a x22: dfff800000000000 x21: ffff0004cd3f11d0
[ 54.315513] x20: 800000e900000bb2 x19: ffff0004cd3f1000 x18: 0000000000000000
[ 54.322716] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 54.329917] x14: 0720072007200720 x13: 0000000000000000 x12: 1fffe000984aca1a
[ 54.337119] x11: ffff6000984aca1a x10: 0000000000001740 x9 : dfff800000000000
[ 54.344322] x8 : ffff8000147b7768 x7 : ffff0004c25650d3 x6 : 0000000000000000
[ 54.351524] x5 : 0000000000000001 x4 : ffff6000984aca1b x3 : 0000000000000001
[ 54.358725] x2 : 0000000000000006 x1 : 1000001d2000018d x0 : 800000e900000c6e
[ 54.365928] Call trace:
[ 54.368396] ffs_data_clear+0x138/0x370 [usb_f_fs]
[ 54.373235] ffs_data_reset+0x20/0x304 [usb_f_fs]
[ 54.377987] ffs_data_closed+0x240/0x244 [usb_f_fs]
[ 54.382913] ffs_ep0_release+0x40/0x54 [usb_f_fs]
[ 54.387665] __fput+0x304/0x580
[ 54.390843] ____fput+0x18/0x24
[ 54.394014] task_work_run+0x104/0x180
[ 54.397799] do_notify_resume+0x458/0x14e0
[ 54.401931] work_pending+0xc/0x5f8
[ 54.405459] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821)
[ 54.411597] ---[ end trace eb83c7c75a9b6c12 ]---
ffs2.sh: line 9: 2995 Segmentation fault cat /dev/ffs/ep0
root@rcar-gen3:~#