14.10.2019 12:42, Viresh Kumar пишет: > On 22-09-19, 23:12, Dmitry Osipenko wrote: >> This patch causes use-after-free on a cpufreq driver module reload. Please take a look, thanks in advance. >> >> >> [ 87.952369] ================================================================== >> [ 87.953259] BUG: KASAN: use-after-free in notifier_chain_register+0x4f/0x9c >> [ 87.954031] Read of size 4 at addr e6abbd0c by task modprobe/243 > > Hi Dmitry, > > I tried to reproduce it on my ubuntu on ARM64 setup and I couldn't hit > these issues on v5.4-rc1 with Kasan built in. > > I then enabled Kasan (tried both inline and outline instrumentation) > but I couldn't get past the issues with module insertion. It fails > like this for me: > > root@linaro-developer:~/work# insmod cpufreq-dt.ko > [ 72.985974] cpufreq_dt: Unknown symbol __asan_report_load1_noabort (err -2) > [ 72.993164] cpufreq_dt: Unknown symbol __asan_report_load4_noabort (err -2) > [ 73.000307] cpufreq_dt: Unknown symbol __asan_report_load8_noabort (err -2) > [ 73.007451] cpufreq_dt: Unknown symbol __asan_report_store1_noabort (err -2) > [ 73.014643] cpufreq_dt: Unknown symbol __asan_register_globals (err -2) > [ 73.021409] cpufreq_dt: Unknown symbol __asan_unregister_globals (err -2) > [ 73.028349] cpufreq_dt: Unknown symbol __asan_report_store8_noabort (err -2) > [ 73.035543] cpufreq_dt: Unknown symbol __asan_report_store4_noabort (err -2) > insmod: ERROR: could not insert module cpufreq-dt.ko: Unknown symbol in module > > I tried to search for these errors but couldn't find why I am getting > these and why the symbols are missing here. Can you suggest something > here ? > Sorry, I don't know what's wrong with ARM64. There is no KASAN on ARM32 in upstream yet, I'm using the WIP patches [1]. [1] https://lkml.org/lkml/2019/6/17/1562 BTW, I moved tegra20-cpufreq to use cpufreq-dt recently and the problem presents with the cpufreq-dt: # rmmod cpufreq_dt # modprobe cpufreq_dt [ 31.259483] ================================================================== [ 31.260321] BUG: KASAN: use-after-free in notifier_chain_register+0x2b/0x7c [ 31.261026] Read of size 4 at addr cc30250c by task modprobe/218 [ 31.262067] CPU: 1 PID: 218 Comm: modprobe Tainted: G W 5.4.0-rc2-next-20191011-00194-g02f44e30b215-dirty #2645 [ 31.263347] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree) [ 31.264154] [<c011116d>] (unwind_backtrace) from [<c010bb05>] (show_stack+0x11/0x14) [ 31.264960] [<c010bb05>] (show_stack) from [<c0d749ad>] (dump_stack+0x89/0x98) [ 31.265804] [<c0d749ad>] (dump_stack) from [<c02c72dd>] (print_address_description.constprop.0+0x3d/0x340) [ 31.266830] [<c02c72dd>] (print_address_description.constprop.0) from [<c02c7767>] (__kasan_report+0xe3/0x12c) [ 31.267865] [<c02c7767>] (__kasan_report) from [<c014eabb>] (notifier_chain_register+0x2b/0x7c) [ 31.268755] [<c014eabb>] (notifier_chain_register) from [<c014eb89>] (blocking_notifier_chain_register+0x29/0x3c) [ 31.269842] [<c014eb89>] (blocking_notifier_chain_register) from [<c072cc11>] (dev_pm_qos_add_notifier+0x79/0xf8) [ 31.270948] [<c072cc11>] (dev_pm_qos_add_notifier) from [<c095ec71>] (cpufreq_online+0x5e1/0x8a4) [ 31.271922] [<c095ec71>] (cpufreq_online) from [<c095efbd>] (cpufreq_add_dev+0x79/0x80) [ 31.272889] [<c095efbd>] (cpufreq_add_dev) from [<c0720213>] (subsys_interface_register+0xc3/0x100) [ 31.273894] [<c0720213>] (subsys_interface_register) from [<c095d83f>] (cpufreq_register_driver+0x13b/0x1ec) [ 31.274912] [<c095d83f>] (cpufreq_register_driver) from [<bf800475>] (dt_cpufreq_probe+0x89/0xe0 [cpufreq_dt]) [ 31.275924] [<bf800475>] (dt_cpufreq_probe [cpufreq_dt]) from [<c0723e31>] (platform_drv_probe+0x49/0x88) [ 31.276889] [<c0723e31>] (platform_drv_probe) from [<c0721ad9>] (really_probe+0x109/0x378) [ 31.277715] [<c0721ad9>] (really_probe) from [<c0721e93>] (driver_probe_device+0x57/0x15c) [ 31.278537] [<c0721e93>] (driver_probe_device) from [<c0722145>] (device_driver_attach+0x61/0x64) [ 31.279425] [<c0722145>] (device_driver_attach) from [<c0722191>] (__driver_attach+0x49/0xa0) [ 31.280273] [<c0722191>] (__driver_attach) from [<c071fe6d>] (bus_for_each_dev+0x69/0x94) [ 31.281087] [<c071fe6d>] (bus_for_each_dev) from [<c0720f71>] (bus_add_driver+0x179/0x1e8) [ 31.281909] [<c0720f71>] (bus_add_driver) from [<c0722cf7>] (driver_register+0x8f/0x130) [ 31.282734] [<c0722cf7>] (driver_register) from [<bf805017>] (dt_cpufreq_platdrv_init+0x17/0x1000 [cpufreq_dt]) [ 31.283761] [<bf805017>] (dt_cpufreq_platdrv_init [cpufreq_dt]) from [<c0102f69>] (do_one_initcall+0x4d/0x280) [ 31.284759] [<c0102f69>] (do_one_initcall) from [<c01c70a9>] (do_init_module+0xb9/0x28c) [ 31.285561] [<c01c70a9>] (do_init_module) from [<c01c9ba9>] (load_module+0x2895/0x2c04) [ 31.286347] [<c01c9ba9>] (load_module) from [<c01ca0d7>] (sys_finit_module+0x7b/0x8c) [ 31.287117] [<c01ca0d7>] (sys_finit_module) from [<c0101001>] (ret_fast_syscall+0x1/0x26) [ 31.287901] Exception stack(0xcabb3fa8 to 0xcabb3ff0) [ 31.288406] 3fa0: 0003f348 00000001 00000003 0002b744 00000000 b6b31e74 [ 31.289200] 3fc0: 0003f348 00000001 94ccfd00 0000017b 0003f3f0 00000000 0003f348 00040010 [ 31.290029] 3fe0: b6b31df8 b6b31de8 00022534 aec752f0 [ 31.290698] Allocated by task 181: [ 31.291065] __kasan_kmalloc.constprop.0+0x7b/0x84 [ 31.291565] cpufreq_online+0x55f/0x8a4 [ 31.291959] cpufreq_add_dev+0x79/0x80 [ 31.292351] subsys_interface_register+0xc3/0x100 [ 31.292830] cpufreq_register_driver+0x13b/0x1ec [ 31.293335] dt_cpufreq_probe+0x89/0xe0 [cpufreq_dt] [ 31.293832] platform_drv_probe+0x49/0x88 [ 31.294245] really_probe+0x109/0x378 [ 31.294623] driver_probe_device+0x57/0x15c [ 31.295048] device_driver_attach+0x61/0x64 [ 31.295472] __driver_attach+0x49/0xa0 [ 31.295854] bus_for_each_dev+0x69/0x94 [ 31.296244] bus_add_driver+0x179/0x1e8 [ 31.296636] driver_register+0x8f/0x130 [ 31.297047] dt_cpufreq_platdrv_init+0x17/0x1000 [cpufreq_dt] [ 31.297616] do_one_initcall+0x4d/0x280 [ 31.298013] do_init_module+0xb9/0x28c [ 31.298397] load_module+0x2895/0x2c04 [ 31.298780] sys_finit_module+0x7b/0x8c [ 31.299167] ret_fast_syscall+0x1/0x26 [ 31.299548] 0xb6c2ac60 [ 31.299967] Freed by task 214: [ 31.300288] __kasan_slab_free+0xb7/0xe0 [ 31.300686] kfree+0x71/0x1f4 [ 31.301001] subsys_interface_unregister+0xad/0xf0 [ 31.338959] cpufreq_unregister_driver+0x2f/0x7c [ 31.377102] dt_cpufreq_remove+0x15/0x18 [cpufreq_dt] [ 31.414885] platform_drv_remove+0x27/0x34 [ 31.452644] device_release_driver_internal+0xdf/0x1a8 [ 31.490404] driver_detach+0x85/0xf8 [ 31.527682] bus_remove_driver+0x53/0xb0 [ 31.564827] dt_cpufreq_platdrv_exit+0x9/0xb28 [cpufreq_dt] [ 31.601736] sys_delete_module+0x117/0x1a4 [ 31.638575] ret_fast_syscall+0x1/0x26 [ 31.675041] 0xb6cafff4 [ 31.746517] The buggy address belongs to the object at cc302400 which belongs to the cache kmalloc-512 of size 512 [ 31.817855] The buggy address is located 268 bytes inside of 512-byte region [cc302400, cc302600) [ 31.888496] The buggy address belongs to the page: [ 31.923247] page:d291a000 refcount:1 mapcount:0 mapping:ce001a00 index:0x0 compound_mapcount: 0 [ 31.958247] flags: 0x10200(slab|head) [ 31.992944] raw: 00010200 00000100 00000122 ce001a00 00000000 00100010 ffffffff 00000001 [ 32.027763] page dumped because: kasan: bad access detected [ 32.095965] Memory state around the buggy address: [ 32.129904] cc302400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.163593] cc302480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.196538] >cc302500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.229052] ^ [ 32.260939] cc302580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.292881] cc302600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.324296] ================================================================== [ 32.355594] Disabling lock debugging due to kernel taint [ 32.462151] ------------[ cut here ]------------ [ 32.492881] WARNING: CPU: 1 PID: 218 at lib/refcount.c:156 dev_pm_opp_of_add_table+0x59/0x128 [ 32.523741] refcount_t: increment on 0; use-after-free. [ 32.554329] Modules linked in: cpufreq_dt(+) tegra30_devfreq [last unloaded: cpufreq_dt] [ 32.585233] CPU: 1 PID: 218 Comm: modprobe Tainted: G B W 5.4.0-rc2-next-20191011-00194-g02f44e30b215-dirty #2645 [ 32.646692] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree) [ 32.677493] [<c011116d>] (unwind_backtrace) from [<c010bb05>] (show_stack+0x11/0x14) [ 32.708460] [<c010bb05>] (show_stack) from [<c0d749ad>] (dump_stack+0x89/0x98) [ 32.739392] [<c0d749ad>] (dump_stack) from [<c0127713>] (__warn+0x10f/0x110) [ 32.770049] [<c0127713>] (__warn) from [<c0127a09>] (warn_slowpath_fmt+0x61/0x78) [ 32.800656] [<c0127a09>] (warn_slowpath_fmt) from [<c095afc5>] (dev_pm_opp_of_add_table+0x59/0x128) [ 32.860732] [<c095afc5>] (dev_pm_opp_of_add_table) from [<c095b0c5>] (dev_pm_opp_of_cpumask_add_table+0x31/0x88) [ 32.921247] [<c095b0c5>] (dev_pm_opp_of_cpumask_add_table) from [<bf800245>] (cpufreq_init+0xd9/0x280 [cpufreq_dt]) [ 32.982732] [<bf800245>] (cpufreq_init [cpufreq_dt]) from [<c095ea0f>] (cpufreq_online+0x37f/0x8a4) [ 33.045107] [<c095ea0f>] (cpufreq_online) from [<c095efbd>] (cpufreq_add_dev+0x79/0x80) [ 33.077037] [<c095efbd>] (cpufreq_add_dev) from [<c0720213>] (subsys_interface_register+0xc3/0x100) [ 33.140128] [<c0720213>] (subsys_interface_register) from [<c095d83f>] (cpufreq_register_driver+0x13b/0x1ec) [ 33.204911] [<c095d83f>] (cpufreq_register_driver) from [<bf800475>] (dt_cpufreq_probe+0x89/0xe0 [cpufreq_dt]) [ 33.271766] [<bf800475>] (dt_cpufreq_probe [cpufreq_dt]) from [<c0723e31>] (platform_drv_probe+0x49/0x88) [ 33.340156] [<c0723e31>] (platform_drv_probe) from [<c0721ad9>] (really_probe+0x109/0x378) [ 33.375275] [<c0721ad9>] (really_probe) from [<c0721e93>] (driver_probe_device+0x57/0x15c) [ 33.410559] [<c0721e93>] (driver_probe_device) from [<c0722145>] (device_driver_attach+0x61/0x64) [ 33.446244] [<c0722145>] (device_driver_attach) from [<c0722191>] (__driver_attach+0x49/0xa0) [ 33.482238] [<c0722191>] (__driver_attach) from [<c071fe6d>] (bus_for_each_dev+0x69/0x94) [ 33.518513] [<c071fe6d>] (bus_for_each_dev) from [<c0720f71>] (bus_add_driver+0x179/0x1e8) [ 33.555099] [<c0720f71>] (bus_add_driver) from [<c0722cf7>] (driver_register+0x8f/0x130) [ 33.592015] [<c0722cf7>] (driver_register) from [<bf805017>] (dt_cpufreq_platdrv_init+0x17/0x1000 [cpufreq_dt]) [ 33.666547] [<bf805017>] (dt_cpufreq_platdrv_init [cpufreq_dt]) from [<c0102f69>] (do_one_initcall+0x4d/0x280) [ 33.742553] [<c0102f69>] (do_one_initcall) from [<c01c70a9>] (do_init_module+0xb9/0x28c) [ 33.781507] [<c01c70a9>] (do_init_module) from [<c01c9ba9>] (load_module+0x2895/0x2c04) [ 33.820735] [<c01c9ba9>] (load_module) from [<c01ca0d7>] (sys_finit_module+0x7b/0x8c) [ 33.860308] [<c01ca0d7>] (sys_finit_module) from [<c0101001>] (ret_fast_syscall+0x1/0x26) [ 33.900121] Exception stack(0xcabb3fa8 to 0xcabb3ff0) [ 33.940062] 3fa0: 0003f348 00000001 00000003 0002b744 00000000 b6b31e74 [ 33.980876] 3fc0: 0003f348 00000001 94ccfd00 0000017b 0003f3f0 00000000 0003f348 00040010 [ 34.021838] 3fe0: b6b31df8 b6b31de8 00022534 aec752f0 [ 34.062931] ---[ end trace f68728a0d3053b54 ]---
