Hi, yesterday, on the first boot into 6.10rc2, I spotted a new error message in the kernel log with the following stack trace: [ 16.599760] usbcore: registered new device driver apple-mfi-fastcharge [ 16.603658] igc 0000:0a:00.0 eno1: renamed from eth0 [ 16.612386] ================================================================== [ 16.612389] BUG: KASAN: slab-use-after-free in set_device_name+0xe1/0x490 [ledtrig_netdev] [ 16.612398] Read of size 4 at addr ffff88810ad217c0 by task modprobe/1111 [ 16.612403] CPU: 13 PID: 1111 Comm: modprobe Tainted: G W L ------- --- 6.10.0-0.rc2.25.fc41.x86_64+debug #1 [ 16.612406] Hardware name: ASUS System Product Name/ROG STRIX B650E-I GAMING WIFI, BIOS 2611 04/07/2024 [ 16.612408] Call Trace: [ 16.612409] <TASK> [ 16.612411] dump_stack_lvl+0x84/0xd0 [ 16.612417] ? set_device_name+0xe1/0x490 [ledtrig_netdev] [ 16.612421] print_report+0x174/0x505 [ 16.612425] ? set_device_name+0xe1/0x490 [ledtrig_netdev] [ 16.612429] ? __virt_addr_valid+0x228/0x420 [ 16.612433] ? set_device_name+0xe1/0x490 [ledtrig_netdev] [ 16.612437] kasan_report+0xab/0x180 [ 16.612441] ? set_device_name+0xe1/0x490 [ledtrig_netdev] [ 16.612446] kasan_check_range+0x104/0x1b0 [ 16.612450] __asan_memcpy+0x23/0x60 [ 16.612453] set_device_name+0xe1/0x490 [ledtrig_netdev] [ 16.612458] netdev_trig_activate+0x576/0x7f0 [ledtrig_netdev] [ 16.612463] ? __pfx_netdev_trig_activate+0x10/0x10 [ledtrig_netdev] [ 16.612467] ? __down_write_trylock+0x179/0x370 [ 16.612473] led_trigger_set+0x5c6/0xb10 [ 16.641282] ? __pfx_led_trigger_set+0x10/0x10 [ 16.641292] ? up_write+0x1be/0x510 [ 16.641299] led_trigger_register+0x3a5/0x4d0 [ 16.646090] ? __pfx_netdev_led_trigger_init+0x10/0x10 [ledtrig_netdev] [ 16.646096] do_one_initcall+0xd6/0x460 [ 16.646101] ? __pfx_do_one_initcall+0x10/0x10 [ 16.653234] ? kasan_unpoison+0x44/0x70 [ 16.653246] do_init_module+0x296/0x7c0 [ 16.653251] load_module+0x5777/0x7490 [ 16.653259] ? __pfx_load_module+0x10/0x10 [ 16.653262] ? 
lock_acquire+0x457/0x540 [ 16.653269] ? ima_post_load_data+0x68/0x80 [ 16.653273] ? __do_sys_init_module+0x1ef/0x220 [ 16.653275] __do_sys_init_module+0x1ef/0x220 [ 16.653277] ? __pfx___do_sys_init_module+0x10/0x10 [ 16.666390] ? ktime_get_coarse_real_ts64+0x41/0xd0 [ 16.666401] do_syscall_64+0x97/0x190 [ 16.666406] ? rcu_is_watching+0x12/0xc0 [ 16.671328] ? trace_irq_enable.constprop.0+0xce/0x110 [ 16.671332] ? syscall_exit_to_user_mode+0xbe/0x290 [ 16.671335] ? do_syscall_64+0xa3/0x190 [ 16.671338] ? rcu_is_watching+0x12/0xc0 [ 16.671340] ? lock_release+0x575/0xd60 [ 16.671344] ? rcu_is_watching+0x12/0xc0 [ 16.671345] ? lock_release+0x575/0xd60 [ 16.671347] ? __pfx_lock_acquire+0x10/0x10 [ 16.671350] ? __pfx_lock_release+0x10/0x10 [ 16.671352] ? __pfx___up_read+0x10/0x10 [ 16.671355] ? handle_mm_fault+0x47d/0x8d0 [ 16.671360] ? rcu_is_watching+0x12/0xc0 [ 16.671362] ? trace_irq_enable.constprop.0+0xce/0x110 [ 16.671365] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 16.671367] RIP: 0033:0x7f9563f2b5ae [ 16.671380] Code: 48 8b 0d 85 a8 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 52 a8 0c 00 f7 d8 64 89 01 48 [ 16.671382] RSP: 002b:00007ffcdf220628 EFLAGS: 00000246 ORIG_RAX: 00000000000000af [ 16.671385] RAX: ffffffffffffffda RBX: 00005632ca650c20 RCX: 00007f9563f2b5ae [ 16.671386] RDX: 00005632a639be79 RSI: 0000000000016be6 RDI: 00005632ca65fb40 [ 16.671388] RBP: 00007ffcdf2206e0 R08: 00005632ca650010 R09: 0000000000000007 [ 16.671389] R10: 0000000000000001 R11: 0000000000000246 R12: 00005632a639be79 [ 16.671390] R13: 0000000000040000 R14: 00005632ca650b80 R15: 00005632ca658c50 [ 16.671394] </TASK> [ 16.671396] Allocated by task 1046: [ 16.671398] kasan_save_stack+0x30/0x50 [ 16.671401] kasan_save_track+0x14/0x30 [ 16.671403] __kasan_kmalloc+0x8f/0xa0 [ 16.671405] kmalloc_node_track_caller_noprof+0x258/0x5f0 [ 16.671407] kstrdup+0x34/0x60 [ 16.671409] 
kobject_set_name_vargs+0x43/0x120 [ 16.671412] dev_set_name+0xb6/0xf0 [ 16.671414] netdev_register_kobject+0xc5/0x390 [ 16.671416] register_netdevice+0xf3f/0x1910 [ 16.671418] register_netdev+0x1e/0x40 [ 16.671420] igc_probe+0x1559/0x1e20 [igc] [ 16.671428] local_pci_probe+0xdc/0x180 [ 16.671431] pci_device_probe+0x233/0x7f0 [ 16.671432] really_probe+0x1e0/0x8a0 [ 16.671435] __driver_probe_device+0x18c/0x370 [ 16.671436] driver_probe_device+0x4a/0x120 [ 16.671438] __driver_attach+0x194/0x4a0 [ 16.671440] bus_for_each_dev+0x106/0x190 [ 16.671441] bus_add_driver+0x2ff/0x540 [ 16.671442] driver_register+0x1a5/0x360 [ 16.671444] do_one_initcall+0xd6/0x460 [ 16.671447] do_init_module+0x296/0x7c0 [ 16.671449] load_module+0x5777/0x7490 [ 16.671450] __do_sys_init_module+0x1ef/0x220 [ 16.671452] do_syscall_64+0x97/0x190 [ 16.671453] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 16.671455] Freed by task 1017: [ 16.671456] kasan_save_stack+0x30/0x50 [ 16.671458] kasan_save_track+0x14/0x30 [ 16.671460] kasan_save_free_info+0x3b/0x60 [ 16.671462] poison_slab_object+0x109/0x180 [ 16.671464] __kasan_slab_free+0x14/0x30 [ 16.671465] kfree+0x11f/0x3b0 [ 16.671468] kobject_rename+0x146/0x220 [ 16.671469] device_rename+0xf6/0x1a0 [ 16.671470] dev_change_name+0x27f/0x7d0 [ 16.671472] do_setlink+0x26cf/0x33e0 [ 16.671473] rtnl_setlink+0x212/0x340 [ 16.671475] rtnetlink_rcv_msg+0x2f3/0xb10 [ 16.671476] netlink_rcv_skb+0x13d/0x3b0 [ 16.671478] netlink_unicast+0x42c/0x6e0 [ 16.671480] netlink_sendmsg+0x765/0xc20 [ 16.671481] __sys_sendto+0x3e5/0x490 [ 16.671483] __x64_sys_sendto+0xe0/0x1c0 [ 16.671485] do_syscall_64+0x97/0x190 [ 16.671486] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 16.671489] The buggy address belongs to the object at ffff88810ad217c0 which belongs to the cache kmalloc-8 of size 8 [ 16.671491] The buggy address is located 0 bytes inside of freed 8-byte region [ffff88810ad217c0, ffff88810ad217c8) [ 16.671493] The buggy address belongs to the physical page: [ 16.671494] page: 
refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ad21 [ 16.671496] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) [ 16.671499] page_type: 0xffffefff(slab) [ 16.671501] raw: 0017ffffc0000000 ffff88810004c500 dead000000000122 0000000000000000 [ 16.671503] raw: 0000000000000000 0000000080800080 00000001ffffefff 0000000000000000 [ 16.671504] page dumped because: kasan: bad access detected [ 16.671505] Memory state around the buggy address: [ 16.671506] ffff88810ad21680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.671507] ffff88810ad21700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.671508] >ffff88810ad21780: fc fc fc fc fc fc fc fc fa fc fc fc fc fc fc fc [ 16.671509] ^ [ 16.671510] ffff88810ad21800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.671511] ffff88810ad21880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.671512] ================================================================== [ 16.674845] mc: Linux media interface: v0.10 [ 16.689657] asus_wmi: ASUS WMI generic driver loaded I tried to reproduce but all subsequent reboots did not trigger this alert. I don't have any idea how to reproduce it again and I just want to show the problematic code. 
> sh /usr/src/kernels/(uname -r)/scripts/faddr2line /lib/debug/lib/modules/6.10.0-0.rc2.25.fc41.x86_64+debug/kernel/drivers/leds/trigger/ledtrig-netdev.ko.debug set_device_name+0xe1 set_device_name+0xe1/0x490: set_device_name at /usr/src/debug/kernel-6.10-rc2/linux-6.10.0-0.rc2.25.fc41.x86_64/drivers/leds/trigger/ledtrig-netdev.c:276 > cat -n /usr/src/debug/kernel-6.10-rc2/linux-6.10.0-0.rc2.25.fc41.x86_64/drivers/leds/trigger/ledtrig-netdev.c | sed -n '271,281 p' 271 dev_put(trigger_data->net_dev); 272 trigger_data->net_dev = NULL; 273 } 274 275 memcpy(trigger_data->device_name, name, size); 276 trigger_data->device_name[size] = 0; 277 if (size > 0 && trigger_data->device_name[size - 1] == '\n') 278 trigger_data->device_name[size - 1] = 0; 279 280 if (trigger_data->device_name[0] != 0) 281 trigger_data->net_dev = > git blame drivers/leds/trigger/ledtrig-netdev.c -L 271,281 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 271) dev_put(trigger_data->net_dev); 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 272) trigger_data->net_dev = NULL; 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 273) } 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 274) 28a6a2ef18ad8 (Andrew Lunn 2023-05-29 18:32:34 +0200 275) memcpy(trigger_data->device_name, name, size); 909346433064b (Rasmus Villemoes 2019-03-14 15:06:14 +0100 276) trigger_data->device_name[size] = 0; 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 277) if (size > 0 && trigger_data->device_name[size - 1] == '\n') 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 278) trigger_data->device_name[size - 1] = 0; 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 279) 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 280) if (trigger_data->device_name[0] != 0) 06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 281) trigger_data->net_dev = I also attached the full kernel log and build config. 
My hardware specs: https://linux-hardware.org/?probe=c7bc87f2b3 Rasmus, from the git blame I see that you changed line 276 on 2019-03-14; maybe you have an idea how a slab-use-after-free can happen here. Reading the allocation and free stacks above, the freed 8-byte object appears to be the netdev's kobject name string (kstrdup via dev_set_name during igc_probe, kfree via kobject_rename during the "eno1: renamed from eth0" rename logged just before the splat; a 4-byte read of "eth0" would fit the kmalloc-8 object), so the `name` pointer read by the memcpy at line 275 may have been obtained before the rename and become stale. faddr2line attributes the access to line 276 while the trace shows __asan_memcpy, so the line attribution is probably off by one. -- Best Regards, Mike Gavrilov.
<<attachment: 6.10.0-0.rc2.25.fc41.x86_64+debug.zip>>