Hi, I'm running Linus' tree and hit the following when KASAN is enabled. Do you have an idea of what goes wrong here? I'm happy to test any changes:

Mar 19 11:26:24 pureos kernel: [ 23.375247] ==================================================================
Mar 19 11:26:24 pureos kernel: [ 23.382592] BUG: KASAN: slab-out-of-bounds in rsi_sdio_write_register_multiple+0xdc/0x1b8 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.391761] Read of size 16 at addr ffff0000bf1ed400 by task systemd-udevd/338
Mar 19 11:26:24 pureos kernel: [ 23.399003]
Mar 19 11:26:24 pureos kernel: [ 23.400528] CPU: 0 PID: 338 Comm: systemd-udevd Not tainted 5.6.0-1-librem5 #31
Mar 19 11:26:24 pureos kernel: [ 23.400542] Hardware name: Purism Librem 5 (DT)
Mar 19 11:26:24 pureos kernel: [ 23.400555] Call trace:
Mar 19 11:26:24 pureos kernel: [ 23.400590] dump_backtrace+0x0/0x2a8
Mar 19 11:26:24 pureos kernel: [ 23.400615] show_stack+0x1c/0x28
Mar 19 11:26:24 pureos kernel: [ 23.400638] dump_stack+0x110/0x188
Mar 19 11:26:24 pureos kernel: [ 23.400669] print_address_description.isra.11+0x6c/0x354
Mar 19 11:26:24 pureos kernel: [ 23.400691] __kasan_report+0x130/0x244
Mar 19 11:26:24 pureos kernel: [ 23.400712] kasan_report+0xc/0x18
Mar 19 11:26:24 pureos kernel: [ 23.400736] check_memory_region+0x17c/0x1e8
Mar 19 11:26:24 pureos kernel: [ 23.400758] __asan_loadN+0x14/0x20
Mar 19 11:26:24 pureos kernel: [ 23.400813] rsi_sdio_write_register_multiple+0xdc/0x1b8 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.400863] rsi_sdio_master_reg_write+0x94/0x140 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.400962] rsi_hal_prepare_fwload+0x1a8/0x250 [rsi_91x]
Mar 19 11:26:24 pureos kernel: [ 23.401049] rsi_hal_device_init+0xd4/0x1110 [rsi_91x]
Mar 19 11:26:24 pureos kernel: [ 23.401099] rsi_probe+0x3d0/0x5a0 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.401122] sdio_bus_probe+0x13c/0x288
Mar 19 11:26:24 pureos kernel: [ 23.401147] really_probe+0x1bc/0x5e0
Mar 19 11:26:24 pureos kernel: [ 23.401170] driver_probe_device+0xdc/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.401193] device_driver_attach+0x9c/0xa8
Mar 19 11:26:24 pureos kernel: [ 23.401215] __driver_attach+0x110/0x1a0
Mar 19 11:26:24 pureos kernel: [ 23.401237] bus_for_each_dev+0xf0/0x158
Mar 19 11:26:24 pureos kernel: [ 23.401258] driver_attach+0x38/0x48
Mar 19 11:26:24 pureos kernel: [ 23.401279] bus_add_driver+0x280/0x2e8
Mar 19 11:26:24 pureos kernel: [ 23.401302] driver_register+0xc4/0x1d8
Mar 19 11:26:24 pureos kernel: [ 23.401328] sdio_register_driver+0x50/0x60
Mar 19 11:26:24 pureos kernel: [ 23.401377] rsi_module_init+0x24/0x50 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.401399] do_one_initcall+0xa4/0x3d8
Mar 19 11:26:24 pureos kernel: [ 23.401424] do_init_module+0xe8/0x360
Mar 19 11:26:24 pureos kernel: [ 23.401445] load_module+0x2efc/0x3390
Mar 19 11:26:24 pureos kernel: [ 23.401468] __do_sys_finit_module+0x11c/0x1a0
Mar 19 11:26:24 pureos kernel: [ 23.401491] __arm64_sys_finit_module+0x48/0x58
Mar 19 11:26:24 pureos kernel: [ 23.401518] el0_svc_common.constprop.1+0xcc/0x1e0
Mar 19 11:26:24 pureos kernel: [ 23.401541] do_el0_svc+0x34/0x40
Mar 19 11:26:24 pureos kernel: [ 23.401563] el0_sync_handler+0x134/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.401581] el0_sync+0x140/0x180
Mar 19 11:26:24 pureos kernel: [ 23.401592]
Mar 19 11:26:24 pureos kernel: [ 23.403105] Allocated by task 338:
Mar 19 11:26:24 pureos kernel: [ 23.406536] save_stack+0x24/0xb0
Mar 19 11:26:24 pureos kernel: [ 23.406559] __kasan_kmalloc.isra.10+0xc4/0xe0
Mar 19 11:26:24 pureos kernel: [ 23.406579] kasan_kmalloc+0xc/0x18
Mar 19 11:26:24 pureos kernel: [ 23.406600] kmem_cache_alloc_trace+0x170/0x328
Mar 19 11:26:24 pureos kernel: [ 23.406652] rsi_sdio_master_reg_write+0x4c/0x140 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.406744] rsi_hal_prepare_fwload+0x1a8/0x250 [rsi_91x]
Mar 19 11:26:24 pureos kernel: [ 23.406831] rsi_hal_device_init+0xd4/0x1110 [rsi_91x]
Mar 19 11:26:24 pureos kernel: [ 23.406880] rsi_probe+0x3d0/0x5a0 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.406900] sdio_bus_probe+0x13c/0x288
Mar 19 11:26:24 pureos kernel: [ 23.406923] really_probe+0x1bc/0x5e0
Mar 19 11:26:24 pureos kernel: [ 23.406946] driver_probe_device+0xdc/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.406968] device_driver_attach+0x9c/0xa8
Mar 19 11:26:24 pureos kernel: [ 23.406989] __driver_attach+0x110/0x1a0
Mar 19 11:26:24 pureos kernel: [ 23.407010] bus_for_each_dev+0xf0/0x158
Mar 19 11:26:24 pureos kernel: [ 23.407031] driver_attach+0x38/0x48
Mar 19 11:26:24 pureos kernel: [ 23.407052] bus_add_driver+0x280/0x2e8
Mar 19 11:26:24 pureos kernel: [ 23.407074] driver_register+0xc4/0x1d8
Mar 19 11:26:24 pureos kernel: [ 23.407100] sdio_register_driver+0x50/0x60
Mar 19 11:26:24 pureos kernel: [ 23.407149] rsi_module_init+0x24/0x50 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.407168] do_one_initcall+0xa4/0x3d8
Mar 19 11:26:24 pureos kernel: [ 23.407191] do_init_module+0xe8/0x360
Mar 19 11:26:24 pureos kernel: [ 23.407212] load_module+0x2efc/0x3390
Mar 19 11:26:24 pureos kernel: [ 23.407234] __do_sys_finit_module+0x11c/0x1a0
Mar 19 11:26:24 pureos kernel: [ 23.407257] __arm64_sys_finit_module+0x48/0x58
Mar 19 11:26:24 pureos kernel: [ 23.407282] el0_svc_common.constprop.1+0xcc/0x1e0
Mar 19 11:26:24 pureos kernel: [ 23.407304] do_el0_svc+0x34/0x40
Mar 19 11:26:24 pureos kernel: [ 23.407326] el0_sync_handler+0x134/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.407343] el0_sync+0x140/0x180
Mar 19 11:26:24 pureos kernel: [ 23.407352]
Mar 19 11:26:24 pureos kernel: [ 23.408863] Freed by task 338:
Mar 19 11:26:24 pureos kernel: [ 23.411947] save_stack+0x24/0xb0
Mar 19 11:26:24 pureos kernel: [ 23.411969] __kasan_slab_free+0x10c/0x188
Mar 19 11:26:24 pureos kernel: [ 23.411991] kasan_slab_free+0x10/0x18
Mar 19 11:26:24 pureos kernel: [ 23.412009] kfree+0x88/0x378
Mar 19 11:26:24 pureos kernel: [ 23.412032] ext4_ext_map_blocks+0x518/0x14c0
Mar 19 11:26:24 pureos kernel: [ 23.412059] ext4_map_blocks+0x53c/0x888
Mar 19 11:26:24 pureos kernel: [ 23.412082] ext4_getblk+0xa0/0x298
Mar 19 11:26:24 pureos kernel: [ 23.412105] ext4_bread_batch+0x70/0x228
Mar 19 11:26:24 pureos kernel: [ 23.412129] __ext4_find_entry+0x25c/0x5f8
Mar 19 11:26:24 pureos kernel: [ 23.412149] ext4_lookup+0x120/0x350
Mar 19 11:26:24 pureos kernel: [ 23.412168] __lookup_slow+0x100/0x200
Mar 19 11:26:24 pureos kernel: [ 23.412187] walk_component+0x384/0x538
Mar 19 11:26:24 pureos kernel: [ 23.412206] path_lookupat.isra.47+0xac/0x1b0
Mar 19 11:26:24 pureos kernel: [ 23.412226] filename_lookup.part.64+0xec/0x1e8
Mar 19 11:26:24 pureos kernel: [ 23.412245] user_path_at_empty+0x54/0x68
Mar 19 11:26:24 pureos kernel: [ 23.412266] vfs_statx+0xe0/0x160
Mar 19 11:26:24 pureos kernel: [ 23.412287] __do_sys_newfstatat+0x84/0xd0
Mar 19 11:26:24 pureos kernel: [ 23.412308] __arm64_sys_newfstatat+0x58/0x68
Mar 19 11:26:24 pureos kernel: [ 23.412335] el0_svc_common.constprop.1+0xcc/0x1e0
Mar 19 11:26:24 pureos kernel: [ 23.412357] do_el0_svc+0x34/0x40
Mar 19 11:26:24 pureos kernel: [ 23.412378] el0_sync_handler+0x134/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.412395] el0_sync+0x140/0x180
Mar 19 11:26:24 pureos kernel: [ 23.412404]
Mar 19 11:26:24 pureos kernel: [ 23.413922] The buggy address belongs to the object at ffff0000bf1ed400
Mar 19 11:26:24 pureos kernel: [ 23.413922] which belongs to the cache kmalloc-128 of size 128
Mar 19 11:26:24 pureos kernel: [ 23.426475] The buggy address is located 0 bytes inside of
Mar 19 11:26:24 pureos kernel: [ 23.426475] 128-byte region [ffff0000bf1ed400, ffff0000bf1ed480)
Mar 19 11:26:24 pureos kernel: [ 23.438063] The buggy address belongs to the page:
Mar 19 11:26:24 pureos kernel: [ 23.442889] page:fffffe0002dc7b40 refcount:1 mapcount:0 mapping:ffff00008ec03c00 index:0x0
Mar 19 11:26:24 pureos kernel: [ 23.442909] flags: 0x4000000000000200(slab)
Mar 19 11:26:24 pureos kernel: [ 23.442943] raw: 4000000000000200 fffffe0001f50a40 0000000e00000002 ffff00008ec03c00
Mar 19 11:26:24 pureos kernel: [ 23.442969] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
Mar 19 11:26:24 pureos kernel: [ 23.442981] page dumped because: kasan: bad access detected
Mar 19 11:26:24 pureos kernel: [ 23.442991]
Mar 19 11:26:24 pureos kernel: [ 23.444499] Memory state around the buggy address:
Mar 19 11:26:24 pureos kernel: [ 23.449321] ffff0000bf1ed300: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
Mar 19 11:26:24 pureos kernel: [ 23.456576] ffff0000bf1ed380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Mar 19 11:26:24 pureos kernel: [ 23.463827] >ffff0000bf1ed400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Mar 19 11:26:24 pureos kernel: [ 23.471068] ^
Mar 19 11:26:24 pureos kernel: [ 23.474586] ffff0000bf1ed480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Mar 19 11:26:24 pureos kernel: [ 23.481838] ffff0000bf1ed500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Mar 19 11:26:24 pureos kernel: [ 23.489080] ==================================================================
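
A triage aid for the report above, added here as an example and not part of the original message or of the rsi driver: it decodes the "Memory state" row for ffff0000bf1ed400 to show how many bytes of the object were addressable versus the 16 bytes read. It assumes generic-mode KASAN shadow encoding (one shadow byte per 8 bytes of memory; 0x00 means all 8 valid, 0x01..0x07 means only the first N valid, other values such as 0xfc are redzone); the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#define KASAN_GRANULE 8 /* assumed: bytes of memory per shadow byte */

/* Parse a row payload such as "00 04 fc fc" into shadow bytes. */
static size_t parse_shadow_row(const char *hex, unsigned char *out, size_t max)
{
    size_t n = 0;
    char *end;

    while (n < max) {
        unsigned long v = strtoul(hex, &end, 16);
        if (end == hex) /* no more hex tokens */
            break;
        out[n++] = (unsigned char)v;
        hex = end;
    }
    return n;
}

/* Addressable bytes counted from the start of the row, stopping at the
 * first partially valid or poisoned granule. */
static size_t valid_bytes(const unsigned char *shadow, size_t n)
{
    size_t total = 0;

    for (size_t i = 0; i < n; i++) {
        if (shadow[i] == 0x00) {
            total += KASAN_GRANULE;
            continue;
        }
        if (shadow[i] < KASAN_GRANULE)
            total += shadow[i]; /* partial granule: first N bytes valid */
        break;                  /* redzone or end of object */
    }
    return total;
}

/* Bytes by which an access of `size` at row offset 0 exceeds the object. */
static size_t overrun(const char *row, size_t size)
{
    unsigned char shadow[16];
    size_t ok = valid_bytes(shadow, parse_shadow_row(row, shadow, sizeof(shadow)));

    return size > ok ? size - ok : 0;
}

int main(void)
{
    /* Row and access size copied from the KASAN report above. */
    const char *row = "00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc";

    printf("overrun: %zu bytes\n", overrun(row, 16));
    return 0;
}
```

Under that encoding, the row `00 04 fc ...` describes a 12-byte allocation, so the 16-byte read runs 4 bytes into the redzone.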