Hi Lukas,

With KASAN now working on ARM 32-bit, I was able to get the following trace upon reboot which invokes bcm2835_spi_shutdown() calling bcm2835_spi_remove(); the same can be triggered by doing a driver unbind:

# pwd
/sys/devices/platform/rdb/47e204800.spi/driver
# echo 47e204800.spi > unbind

How would you go about fixing this? This was not on a Rpi 4 but in premise the same problem exists there.

Thanks!

[  229.746516] ==================================================================
[  229.754013] BUG: KASAN: use-after-free in bcm2835_dma_release+0x2c/0x260
[  229.760820] Read of size 4 at addr e0f08358 by task reboot/157
[  229.766727]
[  229.768302] CPU: 0 PID: 157 Comm: reboot Not tainted 5.9.0-gdf4dd84a3f7d #27
[  229.775445] Hardware name: Broadcom STB (Flattened Device Tree)
[  229.781448] Backtrace:
[  229.784017] [<c02120b4>] (dump_backtrace) from [<c02123d8>] (show_stack+0x20/0x24)
[  229.791738]  r9:ffffffff r8:00000080 r7:c298e3c0 r6:400f0093 r5:00000000 r4:c298e3c0
[  229.799655] [<c02123b8>] (show_stack) from [<c08852a0>] (dump_stack+0xbc/0xe0)
[  229.807050] [<c08851e4>] (dump_stack) from [<c04522bc>] (print_address_description.constprop.3+0x3c/0x4b0)
[  229.816863]  r10:c2b771c0 r9:e46d9848 r8:e46d9854 r7:00000000 r6:c0b3ea3c r5:eeea5940
[  229.824815]  r4:e0f08358 r3:00000100
[  229.828510] [<c0452280>] (print_address_description.constprop.3) from [<c0452944>] (kasan_report+0x15c/0x178)
[  229.838575]  r8:e46d9854 r7:00000000 r6:c0b3ea3c r5:0000009d r4:e0f08358
[  229.845411] [<c04527e8>] (kasan_report) from [<c0452f24>] (__asan_load4+0x6c/0xbc)
[  229.853109]  r7:e0f08380 r6:e0f08000 r5:e0f08358 r4:e0f08380
[  229.858898] [<c0452eb8>] (__asan_load4) from [<c0b3ea3c>] (bcm2835_dma_release+0x2c/0x260)
[  229.867318] [<c0b3ea10>] (bcm2835_dma_release) from [<c0b3ecd8>] (bcm2835_spi_remove+0x68/0xa4)
[  229.876166]  r9:e46d9848 r8:e46d9854 r7:e0f083c0 r6:00000000 r5:e0f08000 r4:e0f08380
[  229.884069] [<c0b3ec70>] (bcm2835_spi_remove) from [<c0b3ed30>] (bcm2835_spi_shutdown+0x1c/0x38)
[  229.892991]  r7:c2fc7f40 r6:e46d9810 r5:c2a1d854 r4:e46d9800
[  229.898788] [<c0b3ed14>] (bcm2835_spi_shutdown) from [<c0a17010>] (platform_drv_shutdown+0x40/0x44)
[  229.907958]  r5:c2a1d854 r4:e46d9810
[  229.911653] [<c0a16fd0>] (platform_drv_shutdown) from [<c0a0f91c>] (device_shutdown+0x248/0x35c)
[  229.920561]  r5:e465b810 r4:e46d9814
[  229.924255] [<c0a0f6d4>] (device_shutdown) from [<c0269418>] (kernel_restart_prepare+0x4c/0x50)
[  229.933103]  r10:01234567 r9:fee1dead r8:dfdb3f60 r7:c2835240 r6:c2806d48 r5:00000000
[  229.941045]  r4:c2806d40
[  229.943675] [<c02693cc>] (kernel_restart_prepare) from [<c0269528>] (kernel_restart+0x1c/0x60)
[  229.952405]  r5:00000000 r4:00000000
[  229.956084] [<c026950c>] (kernel_restart) from [<c0269810>] (__do_sys_reboot+0x148/0x260)
[  229.964380]  r5:00000000 r4:bafb67c0
[  229.968057] [<c02696c8>] (__do_sys_reboot) from [<c0269998>] (sys_reboot+0x18/0x1c)
[  229.975852]  r10:00000058 r9:dfdb0000 r8:c0200228 r7:00000058 r6:00000000 r5:00000004
[  229.983792]  r4:00000002
[  229.986422] [<c0269980>] (sys_reboot) from [<c0200060>] (ret_fast_syscall+0x0/0x2c)
[  229.994190] Exception stack(0xdfdb3fa8 to 0xdfdb3ff0)
[  229.999350] 3fa0:                   00000002 00000004 fee1dead 28121969 01234567 000a9864
[  230.007669] 3fc0: 00000002 00000004 00000000 00000058 00000000 00000000 aedbe000 00000000
[  230.015974] 3fe0: aecce8f0 b6a81cec 000982d4 aecce910
[  230.021095]
[  230.022636] Allocated by task 20:
[  230.026039]  kasan_save_stack+0x24/0x48
[  230.029962]  __kasan_kmalloc.constprop.1+0xb8/0xc4
[  230.034842]  kasan_kmalloc+0x10/0x14
[  230.038495]  __kmalloc+0x168/0x2f4
[  230.041976]  __spi_alloc_controller+0x30/0xc0
[  230.046421]  bcm2835_spi_probe+0x90/0x4cc
[  230.050514]  platform_drv_probe+0x70/0xc8
[  230.054612]  really_probe+0x184/0x728
[  230.058361]  driver_probe_device+0xa4/0x278
[  230.062637]  __device_attach_driver+0xe8/0x148
[  230.067169]  bus_for_each_drv+0x108/0x158
[  230.071267]  __device_attach+0x190/0x234
[  230.075279]  device_initial_probe+0x1c/0x20
[  230.079551]  bus_probe_device+0xdc/0xec
[  230.083475]  deferred_probe_work_func+0xd4/0x11c
[  230.088196]  process_one_work+0x420/0x8f0
[  230.092293]  worker_thread+0x4fc/0x91c
[  230.096127]  kthread+0x21c/0x22c
[  230.099427]  ret_from_fork+0x14/0x20
[  230.103075]  0x0
[  230.104957]
[  230.106496] Freed by task 157:
[  230.109627]  kasan_save_stack+0x24/0x48
[  230.113542]  kasan_set_track+0x30/0x38
[  230.117375]  kasan_set_free_info+0x28/0x34
[  230.121553]  __kasan_slab_free+0x110/0x144
[  230.125732]  kasan_slab_free+0x14/0x18
[  230.129556]  kfree+0xbc/0x2b8
[  230.132597]  spi_controller_release+0x18/0x1c
[  230.137037]  device_release+0x4c/0xf0
[  230.140781]  kobject_put+0x14c/0x2d8
[  230.144434]  device_unregister+0x44/0x84
[  230.148438]  spi_unregister_controller+0xcc/0x124
[  230.153233]  bcm2835_spi_remove+0x5c/0xa4
[  230.157328]  bcm2835_spi_shutdown+0x1c/0x38
[  230.161593]  platform_drv_shutdown+0x40/0x44
[  230.165949]  device_shutdown+0x248/0x35c
[  230.169953]  kernel_restart_prepare+0x4c/0x50
[  230.174391]  kernel_restart+0x1c/0x60
[  230.178131]  __do_sys_reboot+0x148/0x260
[  230.182132]  sys_reboot+0x18/0x1c
[  230.185519]  ret_fast_syscall+0x0/0x2c
[  230.189335]  0xb6a81cec
[  230.191829]
[  230.193380] The buggy address belongs to the object at e0f08000
[  230.193380]  which belongs to the cache kmalloc-2k of size 2048
[  230.205354] The buggy address is located 856 bytes inside of
[  230.205354]  2048-byte region [e0f08000, e0f08800)
[  230.215907] The buggy address belongs to the page:
[  230.220806] page:b990e388 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x20f08
[  230.228841] head:b990e388 order:3 compound_mapcount:0 compound_pincount:0
[  230.235731] flags: 0x2010200(slab|head)
[  230.239688] raw: 02010200 00000000 00000100 00000122 e4401800 00000000 80080008 00000000
[  230.247895] raw: ffffffff 00000001
[  230.251358] page dumped because: kasan: bad access detected
[  230.257000]
[  230.258534] Memory state around the buggy address:
[  230.263412]  e0f08200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  230.270038]  e0f08280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  230.276662] >e0f08300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  230.283272]                                     ^
[  230.288759]  e0f08380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  230.295384]  e0f08400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  230.301992] ==================================================================
[  230.309311] Disabling lock debugging due to kernel taint
[  230.325568] reboot: Restarting system
-- 
Florian
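The two stacks in the report tell the whole story: the object was allocated by __spi_alloc_controller() in probe (the driver-private data lives inside that one 2048-byte kmalloc, 856 bytes in), it was freed through spi_unregister_controller() -> spi_controller_release() -> kfree() while bcm2835_spi_remove() was still running, and bcm2835_dma_release() then read from it. The following userspace C program is an added illustration of that lifetime invariant, not code from this mail or from the bcm2835 driver: the controller's reference count decides when the embedded private data disappears, so whichever teardown step still needs the private data must hold a reference while it runs. A small tracking allocator stands in for KASAN so the bad access is reported as a return value instead of a crash; struct spi_ctlr, struct bcm_priv, ctlr_*() and dma_release() are hypothetical stand-ins for the kernel structures and functions named in the trace, and the reference-count model is simplified (one reference owned by registration, none taken by probe).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Tracking allocator standing in for KASAN: freed objects are marked dead but
 * the memory is retained (a quarantine), so a later access can be checked. */
#define MAX_OBJS 16
static struct { char *base; size_t size; int live; } objs[MAX_OBJS];

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_OBJS; i++) {
        if (objs[i].base)
            continue;
        objs[i].base = p;
        objs[i].size = n;
        objs[i].live = 1;
        return p;
    }
    free(p);
    return NULL;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_OBJS; i++)
        if (objs[i].base == p)
            objs[i].live = 0;       /* memory deliberately not returned */
}

/* 1 if p lies inside a live object, 0 if it was freed (KASAN's load check). */
static int is_live(const void *p)
{
    const char *c = p;
    for (int i = 0; i < MAX_OBJS; i++)
        if (objs[i].base && c >= objs[i].base && c < objs[i].base + objs[i].size)
            return objs[i].live;
    return 0;
}

/* Hypothetical stand-ins. The private data is embedded in the controller
 * allocation, as the report shows (856 bytes inside one kmalloc-2k object). */
struct bcm_priv { int dma_chans_held; };
struct spi_ctlr { int refcount; struct bcm_priv priv; };

static struct spi_ctlr *ctlr_alloc_and_register(void)
{
    struct spi_ctlr *c = tracked_alloc(sizeof *c);
    if (!c)
        return NULL;
    c->refcount = 1;                /* the reference owned by registration */
    c->priv.dma_chans_held = 2;
    return c;
}

static void ctlr_get(struct spi_ctlr *c) { c->refcount++; }

static void ctlr_put(struct spi_ctlr *c)
{
    if (--c->refcount == 0)
        tracked_free(c);            /* spi_controller_release() -> kfree() */
}

/* spi_unregister_controller() drops the registration reference; if it was the
 * last one, the controller and the embedded private data go away here. */
static void ctlr_unregister(struct spi_ctlr *c) { ctlr_put(c); }

/* Models bcm2835_dma_release(): 0 on a valid access, -1 on use-after-free. */
static int dma_release(struct bcm_priv *bs)
{
    if (!is_live(bs))
        return -1;
    bs->dma_chans_held = 0;
    return 0;
}

/* Teardown order from the report: unregister first, then touch bs. */
static int remove_buggy(struct spi_ctlr *c)
{
    struct bcm_priv *bs = &c->priv;
    ctlr_unregister(c);             /* last reference gone: c and bs freed */
    return dma_release(bs);         /* use-after-free, returns -1 */
}

/* Same steps, but holding our own reference for as long as bs is in use. */
static int remove_fixed(struct spi_ctlr *c)
{
    struct bcm_priv *bs = &c->priv;
    int rc;

    ctlr_get(c);
    ctlr_unregister(c);             /* drops the registration reference only */
    rc = dma_release(bs);           /* bs still live, returns 0 */
    ctlr_put(c);                    /* our reference: allocation released now */
    return rc;
}

int main(void)
{
    printf("buggy order: %d\n", remove_buggy(ctlr_alloc_and_register()));
    printf("fixed order: %d\n", remove_fixed(ctlr_alloc_and_register()));
    return 0;
}
```

Taking an extra reference is only one way to keep the invariant; moving the private-data cleanup before the unregister call, or tying the allocation's lifetime to the device (so it outlives the driver's remove path) are others. The useful check either way is the one KASAN performed here: after the last put, nothing in the remove or shutdown path may still hold a pointer into the controller allocation.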