Last active
June 4, 2021 10:34
-
-
Save erosca/b5976a96789e574b319cb9e076938b5c to your computer and use it in GitHub Desktop.
BUG: KASAN: use-after-free in ffs_release_dev+0x64/0xa8 [usb_f_fs]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Kernel: v5.13-rc4-88-gf88cd3fb9df2 | |
| GCC: aarch64-linux-gnu-gcc 10.0.0 20191203 | |
| HW: Renesas R-Car H3-ES2.0-Salvator-X | |
| root@rcar-gen3:~# cat ffs1.sh | |
| mkdir -p /dev/ffs | |
| mkdir -p /dev/cfs | |
| modprobe libcomposite | |
| mount -t configfs none /dev/cfs | |
| mkdir -p /dev/cfs/usb_gadget/g1 | |
| mkdir -p /dev/cfs/usb_gadget/g1/functions/ffs.ffs | |
| mount -t functionfs ffs /dev/ffs | |
| cd /dev/ffs | |
| timeout 1 /home/root/ffs-test; | |
| cd /home/root/ | |
| rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs | |
| umount /dev/ffs | |
| root@rcar-gen3:~# | |
| root@rcar-gen3:~# | |
| root@rcar-gen3:~# sh -x ffs1.sh | |
| + mkdir -p /dev/cfs | |
| + mkdir -p /dev/ffs | |
| + modprobe libcomposite | |
| + mount -t configfs none /dev/cfs | |
| + mkdir -p /dev/cfs/usb_gadget/g1 | |
| + mkdir -p /dev/cfs/usb_gadget/g1/functions/ffs.ffs | |
| [ 85.702859] file system registered | |
| + mount -t functionfs ffs /dev/ffs | |
| + cd /dev/ffs | |
| + timeout 1 /home/root/ffs-test | |
| ffs-test: info: ep0: writing des[ 85.962237] read descriptors | |
| [ 85.967782] read strings | |
| ffs-test: info: ep0: writing strings | |
| ffs-test: dbg: ep1: starting | |
| ffs-test: dbg: ep2: starting | |
| ffs-test: info: ep1: starts | |
| ffs-test: info: ep0: starts | |
| ffs-test: info: ep2: starts | |
| ffs1.sh: line 9: 2989 Terminated timeout 1 /home/root/ffs-test | |
| + cd /home/root/ | |
| + rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs | |
| [ 87.019311] unloading | |
| + umount /dev/ffs | |
| [ 87.149151] ================================================================== | |
| [ 87.156917] BUG: KASAN: use-after-free in ffs_release_dev+0x64/0xa8 [usb_f_fs] | |
| [ 87.164555] Write of size 1 at addr ffff0004c21cb649 by task umount/2995 | |
| [ 87.171592] | |
| [ 87.173197] CPU: 1 PID: 2995 Comm: umount Not tainted 5.13.0-rc4+ #9 | |
| [ 87.179872] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) | |
| [ 87.187089] Call trace: | |
| [ 87.189690] dump_backtrace+0x0/0x330 | |
| [ 87.193573] show_stack+0x20/0x2c | |
| [ 87.197078] dump_stack+0x11c/0x1ac | |
| [ 87.200767] print_address_description.constprop.0+0x30/0x274 | |
| [ 87.206806] kasan_report+0x14c/0x1c8 | |
| [ 87.210670] __asan_report_store1_noabort+0x34/0x58 | |
| [ 87.215805] ffs_release_dev+0x64/0xa8 [usb_f_fs] | |
| [ 87.220776] ffs_fs_kill_sb+0x50/0x84 [usb_f_fs] | |
| [ 87.225647] deactivate_locked_super+0xa0/0xf0 | |
| [ 87.230331] deactivate_super+0x98/0xac | |
| [ 87.234378] cleanup_mnt+0xd0/0x1b0 | |
| [ 87.238063] __cleanup_mnt+0x1c/0x28 | |
| [ 87.241836] task_work_run+0x104/0x180 | |
| [ 87.245797] do_notify_resume+0x458/0x14e0 | |
| [ 87.250114] work_pending+0xc/0x5f8 | |
| [ 87.253802] | |
| [ 87.255400] Allocated by task 2984: | |
| [ 87.259082] kasan_save_stack+0x28/0x58 | |
| [ 87.263134] kasan_set_track+0x28/0x3c | |
| [ 87.267090] ____kasan_kmalloc+0x84/0x9c | |
| [ 87.271228] __kasan_kmalloc+0x10/0x1c | |
| [ 87.275184] __kmalloc+0x214/0x2f8 | |
| [ 87.278779] kzalloc.constprop.0+0x14/0x20 [usb_f_fs] | |
| [ 87.284102] ffs_alloc_inst+0x8c/0x208 [usb_f_fs] | |
| [ 87.289063] try_get_usb_function_instance+0xf0/0x164 [libcomposite] | |
| [ 87.295767] usb_get_function_instance+0x64/0x68 [libcomposite] | |
| [ 87.302009] function_make+0x128/0x1ec [libcomposite] | |
| [ 87.307348] configfs_mkdir+0x330/0x590 [configfs] | |
| [ 87.312416] vfs_mkdir+0x12c/0x1bc | |
| [ 87.316013] do_mkdirat+0x180/0x1d0 | |
| [ 87.319697] __arm64_sys_mkdirat+0x80/0x94 | |
| [ 87.324015] invoke_syscall+0xf8/0x25c | |
| [ 87.327973] el0_svc_common.constprop.0+0x150/0x1a0 | |
| [ 87.333102] do_el0_svc+0xa0/0xd4 | |
| [ 87.336604] el0_svc+0x24/0x34 | |
| [ 87.339839] el0_sync_handler+0xcc/0x154 | |
| [ 87.343975] el0_sync+0x198/0x1c0 | |
| [ 87.347477] | |
| [ 87.349074] Freed by task 2994: | |
| [ 87.352393] kasan_save_stack+0x28/0x58 | |
| [ 87.356439] kasan_set_track+0x28/0x3c | |
| [ 87.360395] kasan_set_free_info+0x28/0x4c | |
| [ 87.364712] ____kasan_slab_free+0x104/0x118 | |
| [ 87.369210] __kasan_slab_free+0x18/0x24 | |
| [ 87.373344] slab_free_freelist_hook+0x148/0x1f0 | |
| [ 87.378202] kfree+0x318/0x440 | |
| [ 87.381434] ffs_free_inst+0x164/0x2d8 [usb_f_fs] | |
| [ 87.386395] usb_put_function_instance+0x84/0xa4 [libcomposite] | |
| [ 87.392635] ffs_attr_release+0x18/0x24 [usb_f_fs] | |
| [ 87.397686] config_item_put+0x140/0x1a4 [configfs] | |
| [ 87.402838] configfs_rmdir+0x3fc/0x518 [configfs] | |
| [ 87.407896] vfs_rmdir+0x114/0x234 | |
| [ 87.411491] do_rmdir+0x274/0x2b0 | |
| [ 87.414992] __arm64_sys_unlinkat+0x94/0xc8 | |
| [ 87.419397] invoke_syscall+0xf8/0x25c | |
| [ 87.423351] el0_svc_common.constprop.0+0x150/0x1a0 | |
| [ 87.428481] do_el0_svc+0xa0/0xd4 | |
| [ 87.431983] el0_svc+0x24/0x34 | |
| [ 87.435215] el0_sync_handler+0xcc/0x154 | |
| [ 87.439350] el0_sync+0x198/0x1c0 | |
| [ 87.442851] | |
| [ 87.444447] The buggy address belongs to the object at ffff0004c21cb600 | |
| [ 87.444447] which belongs to the cache kmalloc-128 of size 128 | |
| [ 87.457530] The buggy address is located 73 bytes inside of | |
| [ 87.457530] 128-byte region [ffff0004c21cb600, ffff0004c21cb680) | |
| [ 87.469711] The buggy address belongs to the page: | |
| [ 87.474746] page:0000000086a06f2d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5021ca | |
| [ 87.484584] head:0000000086a06f2d order:1 compound_mapcount:0 | |
| [ 87.490614] flags: 0x8000000000010200(slab|head|zone=2) | |
| [ 87.496116] raw: 8000000000010200 dead000000000100 dead000000000122 ffff0004c0002300 | |
| [ 87.504233] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 | |
| [ 87.512344] page dumped because: kasan: bad access detected | |
| [ 87.518190] | |
| [ 87.519786] Memory state around the buggy address: | |
| [ 87.524822] ffff0004c21cb500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| [ 87.532399] ffff0004c21cb580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | |
| [ 87.539975] >ffff0004c21cb600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
| [ 87.547549] ^ | |
| [ 87.553398] ffff0004c21cb680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | |
| [ 87.560975] ffff0004c21cb700: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc | |
| [ 87.568550] ================================================================== | |
| [ 87.576120] Disabling lock debugging due to kernel taint | |
| [ 87.581712] Unable to handle kernel paging request at virtual address 0077801d6000018d | |
| [ 87.589791] Mem abort info: | |
| [ 87.592747] ESR = 0x96000004 | |
| [ 87.595895] EC = 0x25: DABT (current EL), IL = 32 bits | |
| [ 87.601306] SET = 0, FnV = 0 | |
| [ 87.604445] EA = 0, S1PTW = 0 | |
| [ 87.607677] Data abort info: | |
| [ 87.610646] ISV = 0, ISS = 0x00000004 | |
| [ 87.614575] CM = 0, WnR = 0 | |
| [ 87.617627] [0077801d6000018d] address between user and kernel address ranges | |
| [ 87.624872] Internal error: Oops: 96000004 [#1] PREEMPT SMP | |
| [ 87.630492] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash4 | |
| [ 87.673473] CPU: 1 PID: 2995 Comm: umount Tainted: G B 5.13.0-rc4+ #9 | |
| [ 87.681271] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) | |
| [ 87.688189] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--) | |
| [ 87.694238] pc : ffs_data_clear+0x138/0x370 [usb_f_fs] | |
| [ 87.699430] lr : ffs_data_clear+0x124/0x370 [usb_f_fs] | |
| [ 87.704618] sp : ffff800014797a80 | |
| [ 87.707959] x29: ffff800014797a80 x28: ffff0004cde9d580 x27: 0000000000000000 | |
| [ 87.715165] x26: ffff800014797fb0 x25: ffff600099bd3ab4 x24: ffff0004cde9d5a4 | |
| [ 87.722369] x23: 1fffe0009910d43a x22: dfff800000000000 x21: ffff0004c886a1d0 | |
| [ 87.729572] x20: a3c000eb00000bb2 x19: ffff0004c886a000 x18: 0000000000000000 | |
| [ 87.736774] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 | |
| [ 87.743975] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000013a0e58 | |
| [ 87.751178] x11: ffff7000013a0e58 x10: 0720072007200720 x9 : ffff800011323dd8 | |
| [ 87.758381] x8 : ffff800014797818 x7 : ffff800009d072c7 x6 : 0000000000000000 | |
| [ 87.765583] x5 : 0000000000000001 x4 : ffff7000013a0e59 x3 : 0000000000000001 | |
| [ 87.772783] x2 : 0000000000000006 x1 : 1478001d6000018d x0 : a3c000eb00000c6e | |
| [ 87.779985] Call trace: | |
| [ 87.782453] ffs_data_clear+0x138/0x370 [usb_f_fs] | |
| [ 87.787293] ffs_data_reset+0x20/0x304 [usb_f_fs] | |
| [ 87.792045] ffs_data_closed+0x1ec/0x244 [usb_f_fs] | |
| [ 87.796971] ffs_fs_kill_sb+0x70/0x84 [usb_f_fs] | |
| [ 87.801635] deactivate_locked_super+0xa0/0xf0 | |
| [ 87.806119] deactivate_super+0x98/0xac | |
| [ 87.809989] cleanup_mnt+0xd0/0x1b0 | |
| [ 87.813509] __cleanup_mnt+0x1c/0x28 | |
| [ 87.817115] task_work_run+0x104/0x180 | |
| [ 87.820899] do_notify_resume+0x458/0x14e0 | |
| [ 87.825030] work_pending+0xc/0x5f8 | |
| [ 87.828557] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821) | |
| [ 87.834694] ---[ end trace b92be871d752daca ]--- | |
| ffs1.sh: line 12: 2995 Segmentation fault umount /dev/ffs | |
| root@rcar-gen3:~# |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment