According the PoC in link: https://www.openwall.com/lists/oss-security/2020/11/05/2 Here is UAF log: [ 235.504246] ================================================================== [ 235.508297] BUG: KASAN: use-after-free in __lock_acquire+0x2c75/0x34e0 [ 235.511906] Read of size 8 at addr ffff88812d4754f0 by task kworker/2:1/124 [ 235.515752] [ 235.516641] CPU: 2 PID: 124 Comm: kworker/2:1 Not tainted 5.10.0-rc4 #1169 [ 235.520390] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 [ 235.526648] Workqueue: events sunkbd_reinit [ 235.528869] Call Trace: [ 235.530140] dump_stack+0xe6/0x136 [ 235.531881] ? __lock_acquire+0x2c75/0x34e0 [ 235.533954] print_address_description.constprop.8+0x3e/0x60 [ 235.536781] ? rcu_read_lock_bh_held+0xc0/0xc0 [ 235.539005] ? vprintk_func+0xaf/0x1b0 [ 235.540830] ? __lock_acquire+0x2c75/0x34e0 [ 235.542709] ? __lock_acquire+0x2c75/0x34e0 [ 235.544613] kasan_report.cold.10+0x1f/0x37 [ 235.546506] ? __lock_acquire+0x2c75/0x34e0 [ 235.548410] __lock_acquire+0x2c75/0x34e0 [ 235.550241] ? lock_is_held_type+0xae/0xe0 [ 235.552130] ? rcu_read_lock_sched_held+0xaf/0xe0 [ 235.554237] ? rcu_read_lock_bh_held+0xc0/0xc0 [ 235.556239] lock_acquire+0x19c/0x8f0 [ 235.557908] ? prepare_to_wait_event+0x73/0x660 [ 235.559946] ? rcu_read_unlock+0x50/0x50 [ 235.561715] ? del_timer_sync+0xe3/0x130 [ 235.563548] ? schedule_timeout+0x43b/0x950 [ 235.565278] _raw_spin_lock_irqsave+0x43/0x60 [ 235.567047] ? prepare_to_wait_event+0x73/0x660 [ 235.568910] prepare_to_wait_event+0x73/0x660 [ 235.570701] ? __next_timer_interrupt+0x1b0/0x1b0 [ 235.572647] ? wait_woken+0x280/0x280 [ 235.574187] sunkbd_reinit+0x579/0x700 [ 235.575744] ? sunkbd_event+0x3d0/0x3d0 [ 235.577189] ? finish_wait+0x280/0x280 [ 235.578623] ? rcu_read_lock_bh_held+0xc0/0xc0 [ 235.580303] ? lockdep_hardirqs_on_prepare+0x294/0x3e0 [ 235.582253] process_one_work+0x8ef/0x1560 [ 235.583815] ? pwq_dec_nr_in_flight+0x330/0x330 [ 235.585537] ? do_raw_spin_lock+0x126/0x290 [ 235.587133] worker_thread+0x91/0xc30 [ 235.588601] ? process_one_work+0x1560/0x1560 [ 235.590233] kthread+0x37a/0x450 [ 235.591487] ? _raw_spin_unlock_irq+0x24/0x40 [ 235.593131] ? kthread_mod_delayed_work+0x190/0x190 [ 235.594965] ret_from_fork+0x22/0x30 [ 235.596346] [ 235.596945] Allocated by task 85: [ 235.598200] kasan_save_stack+0x19/0x40 [ 235.599685] __kasan_kmalloc.constprop.13+0xc1/0xd0 [ 235.601389] kmem_cache_alloc_trace+0x11b/0x1d0 [ 235.602969] sunkbd_connect+0xa7/0x10e0 [ 235.604330] serio_connect_driver+0x50/0x70 [ 235.605810] really_probe+0x287/0xd90 [ 235.607102] driver_probe_device+0x267/0x3d0 [ 235.608611] __device_attach_driver+0x1cc/0x280 [ 235.610209] bus_for_each_drv+0x154/0x1d0 [ 235.611638] __device_attach+0x234/0x3a0 [ 235.612912] bus_probe_device+0x1dd/0x290 [ 235.614223] device_add+0xc5f/0x1880 [ 235.615415] serio_handle_event+0x4ae/0x8f0 [ 235.616788] process_one_work+0x8ef/0x1560 [ 235.618124] worker_thread+0x91/0xc30 [ 235.619351] kthread+0x37a/0x450 [ 235.620427] ret_from_fork+0x22/0x30 [ 235.621582] [ 235.622097] Freed by task 2609: [ 235.623130] kasan_save_stack+0x19/0x40 [ 235.624396] kasan_set_track+0x1c/0x30 [ 235.625612] kasan_set_free_info+0x1b/0x30 [ 235.626944] __kasan_slab_free+0x111/0x160 [ 235.628282] slab_free_freelist_hook+0x5a/0x150 [ 235.629754] kfree+0xe5/0x660 [ 235.630731] serio_disconnect_driver+0x78/0xa0 [ 235.632187] serio_driver_remove+0x1a/0x20 [ 235.633537] device_release_driver_internal+0x239/0x520 [ 235.635250] serio_unregister_port+0x24/0x40 [ 235.636634] serport_ldisc_read+0x416/0x5f0 [ 235.638008] tty_read+0x17d/0x270 [ 235.639096] vfs_read+0x156/0x4c0 [ 235.640203] ksys_read+0x104/0x200 [ 235.641318] do_syscall_64+0x33/0x40 [ 235.642475] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 235.644099] [ 235.644631] The buggy address belongs to the object at ffff88812d475400 [ 235.644631] which belongs to the cache kmalloc-512 of size 512 [ 235.648610] The buggy address is located 240 bytes inside of [ 235.648610] 512-byte region [ffff88812d475400, ffff88812d475600) [ 235.652304] The buggy address belongs to the page: [ 235.653862] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d470 [ 235.656841] head:(____ptrval____) order:3 compound_mapcount:0 compound_pincount:0 [ 235.659232] flags: 0x2fffff80010200(slab|head) [ 235.660688] raw: 002fffff80010200 dead000000000100 dead000000000122 ffff8881000432c0 [ 235.663141] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 [ 235.665605] page dumped because: kasan: bad access detected [ 235.667390] [ 235.667898] Memory state around the buggy address: [ 235.669433] ffff88812d475380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 235.671755] ffff88812d475400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 235.674072] >ffff88812d475480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 235.676390] ^ [ 235.678576] ffff88812d475500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 235.680880] ffff88812d475580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 235.683221] ================================================================== After sunkbd->tq is added to workqueue, before scheduled work finish, sunkbd is freed by sunkbd_disconnect(), when sunkbd is used in sunkbd_reinit(), it causes a UAF. Fix this by calling flush_scheduled_work() before free sunkbd. This fixes CVE-2020-25669. Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx> --- drivers/input/keyboard/sunkbd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/input/keyboard/sunkbd.c b/drivers/input/keyboard/sunkbd.c index 27126e621eb6..b6222896acdf 100644 --- a/drivers/input/keyboard/sunkbd.c +++ b/drivers/input/keyboard/sunkbd.c @@ -316,6 +316,7 @@ static void sunkbd_disconnect(struct serio *serio) { struct sunkbd *sunkbd = serio_get_drvdata(serio); + flush_scheduled_work(); sunkbd_enable(sunkbd, false); input_unregister_device(sunkbd->dev); serio_close(serio); -- 2.17.1