
PCI: BUG in pci_epf_remove_cfs() from pci-epf-test
This is Linux v5.0-11053-gebc551f2b8f9 from March 12, on x86_64.

Just load and unload the pci-epf-test module.
[   78.942581] calling  pci_epf_test_init+0x0/0x1000 [pci_epf_test] @ 1650
[   78.945926] initcall pci_epf_test_init+0x0/0x1000 [pci_epf_test] returned 0 after 3216 usecs
[   91.293344] ==================================================================
[   91.293381] BUG: KASAN: use-after-free in pci_epf_remove_cfs+0x1b0/0x1f0
[   91.293404] Write of size 8 at addr ffff888111843388 by task rmmod/1672

[   91.293435] CPU: 3 PID: 1672 Comm: rmmod Not tainted 5.0.0mod #1
[   91.293454] Hardware name: TOSHIBA PORTEGE R835/Portable PC, BIOS Version 4.10   01/08/2013
[   91.293486] Call Trace:
[   91.293501]  dump_stack+0x7b/0xb5
[   91.293520]  print_address_description+0x6e/0x360
[   91.293544]  kasan_report+0x11a/0x198
[   91.293568]  ? kasan_slab_free+0xe/0x10
[   91.293583]  ? pci_epf_remove_cfs+0x1b0/0x1f0
[   91.293602]  ? pci_epf_remove_cfs+0x1b0/0x1f0
[   91.293620]  __asan_report_store8_noabort+0x17/0x20
[   91.293638]  pci_epf_remove_cfs+0x1b0/0x1f0
[   91.293658]  pci_epf_unregister_driver+0xd/0x20
[   91.293678]  pci_epf_test_exit+0x10/0x18 [pci_epf_test]
[   91.293697]  __x64_sys_delete_module+0x329/0x490
[   91.293715]  ? __ia32_sys_delete_module+0x490/0x490
[   91.293736]  ? blkcg_exit_queue+0x20/0x20
[   91.293751]  ? _raw_spin_unlock_irq+0x22/0x40
[   91.293778]  do_syscall_64+0xaa/0x310
[   91.293793]  ? prepare_exit_to_usermode+0x8b/0x150
[   91.293812]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   91.293830] RIP: 0033:0x7f7494f5af77
[   91.293845] Code: 73 01 c3 48 8b 0d 21 af 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 ae 2b 00 f7 d8 64 89 01 48
[   91.293893] RSP: 002b:00007fff91ebf118 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[   91.293917] RAX: ffffffffffffffda RBX: 00007fff91ebf178 RCX: 00007f7494f5af77
[   91.293938] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055b8934a47d8
[   91.293959] RBP: 000055b8934a4770 R08: 00007fff91ebe091 R09: 0000000000000000
[   91.293980] R10: 00007f7494fca1c0 R11: 0000000000000206 R12: 00007fff91ebf340
[   91.294001] R13: 00007fff91ec173e R14: 000055b8934a4260 R15: 000055b8934a4770

[   91.294042] Allocated by task 1650:
[   91.294057]  save_stack+0x43/0xd0
[   91.294071]  __kasan_kmalloc.constprop.8+0xa7/0xd0
[   91.294088]  kasan_kmalloc+0x9/0x10
[   91.294104]  configfs_register_default_group+0x63/0xe0
[   91.294121]  pci_ep_cfs_add_epf_group+0x20/0x50
[   91.294138]  __pci_epf_register_driver+0x2b2/0x410
[   91.294154]  0xffffffffc1d18032
[   91.294168]  do_one_initcall+0xab/0x2ad
[   91.294182]  do_init_module+0x1c7/0x548
[   91.294197]  load_module+0x46bb/0x5da0
[   91.294211]  __do_sys_finit_module+0x193/0x1b0
[   91.294227]  __x64_sys_finit_module+0x6e/0xb0
[   91.294243]  do_syscall_64+0xaa/0x310
[   91.294257]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[   91.294282] Freed by task 1672:
[   91.294295]  save_stack+0x43/0xd0
[   91.294309]  __kasan_slab_free+0x137/0x190
[   91.294324]  kasan_slab_free+0xe/0x10
[   91.294339]  kfree+0xb0/0x1b0
[   91.294352]  configfs_unregister_default_group+0x15/0x20
[   91.294370]  pci_ep_cfs_remove_epf_group+0x17/0x20
[   91.294387]  pci_epf_remove_cfs+0x8e/0x1f0
[   91.294403]  pci_epf_unregister_driver+0xd/0x20
[   91.294419]  pci_epf_test_exit+0x10/0x18 [pci_epf_test]
[   91.294437]  __x64_sys_delete_module+0x329/0x490
[   91.294454]  do_syscall_64+0xaa/0x310
[   91.294475]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[   91.294503] The buggy address belongs to the object at ffff888111843308
                which belongs to the cache kmalloc-192 of size 192
[   91.294547] The buggy address is located 128 bytes inside of
                192-byte region [ffff888111843308, ffff8881118433c8)
[   91.294579] The buggy address belongs to the page:
[   91.294596] page:ffffea0004461000 count:1 mapcount:0 mapping:ffff888107c10e40 index:0xffff888111841fe8 compound_mapcount: 0
[   91.294628] flags: 0x17ffffc0010200(slab|head)
[   91.294646] raw: 0017ffffc0010200 ffffea0004696208 ffff888107c03690 ffff888107c10e40
[   91.294670] raw: ffff888111841fe8 00000000001e0014 00000001ffffffff 0000000000000000
[   91.294692] page dumped because: kasan: bad access detected

[   91.294717] Memory state around the buggy address:
[   91.294734]  ffff888111843280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   91.294756]  ffff888111843300: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   91.294777] >ffff888111843380: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   91.294798]                       ^
[   91.294812]  ffff888111843400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   91.294833]  ffff888111843480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   91.294854] ==================================================================

-- 
~Randy
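Added example, not part of Randy's mail or of the kernel tree: a small triage helper that parses the fields of a generic KASAN report like the one above and cross-checks them. It strips the `[ timestamp ]` prefix, pulls out the bug type, the faulting function, the access (kind, size, address, task), the owning slab object and cache, and the "Memory state" shadow rows, then computes the offset of the access inside the object and decodes the shadow byte covering the address. The poison values are the generic-KASAN constants from the kernel's mm/kasan/kasan.h (0xfb freed object, 0xfc slab redzone, 0xfa global redzone, 0xf1..0xf4 stack redzones); the sample input is an excerpt copied from the report in this mail, and the `SHADOW_SCALE` of 8 bytes per shadow byte is the generic-KASAN layout this report uses.

```python
import re

# Sample input: lines copied from the KASAN report in the mail above, trimmed to
# the parts this parser needs (constructed excerpt, not a new report).
SAMPLE_REPORT = """\
[   91.293381] BUG: KASAN: use-after-free in pci_epf_remove_cfs+0x1b0/0x1f0
[   91.293404] Write of size 8 at addr ffff888111843388 by task rmmod/1672
[   91.294503] The buggy address belongs to the object at ffff888111843308
                which belongs to the cache kmalloc-192 of size 192
[   91.294717] Memory state around the buggy address:
[   91.294734]  ffff888111843280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   91.294756]  ffff888111843300: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   91.294777] >ffff888111843380: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   91.294812]  ffff888111843400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW_SCALE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Poison values from the kernel's mm/kasan/kasan.h (generic KASAN).
POISON = {
    0xfb: "freed slab object (KASAN_KMALLOC_FREE) -> use-after-free",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE) -> out-of-bounds",
    0xfa: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
}

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # "[   91.293381] " prefix
_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
_OBJECT = re.compile(r"object at ([0-9a-f]+)")
_CACHE = re.compile(r"cache (\S+) of size (\d+)")
_ROW = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})")  # ">" marks the hit row


def describe_shadow(b):
    """Translate one shadow byte into what KASAN says about those 8 bytes."""
    if b is None:
        return "no shadow row in the dump covers this address"
    if b == 0:
        return "all 8 bytes addressable"
    if 1 <= b <= 7:
        return f"first {b} bytes addressable, rest redzone"
    return POISON.get(b, f"unknown poison 0x{b:02x}")


def parse_kasan_report(text):
    """Extract the fields needed for triage; shadow rows are keyed by base address."""
    rep = {"shadow": {}}
    for raw in text.splitlines():
        line = _TS.sub("", raw)
        m = _BUG.search(line)
        if m:
            rep["bug_type"], rep["function"] = m.group(1), m.group(2)
            continue
        m = _ACCESS.search(line)
        if m:
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"], rep["task"] = int(m.group(3), 16), m.group(4)
            continue
        m = _OBJECT.search(line)
        if m:
            rep["object"] = int(m.group(1), 16)
            continue
        m = _CACHE.search(line)
        if m:
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
            continue
        m = _ROW.match(line)
        if m:
            rep["shadow"][int(m.group(1), 16)] = [int(x, 16) for x in m.group(2).split()]
    return rep


def shadow_byte_for(rep, addr):
    """Return the shadow byte covering addr, or None if the dump has no such row."""
    for base, row in rep["shadow"].items():
        idx = (addr - base) // SHADOW_SCALE
        if 0 <= idx < len(row):
            return row[idx]
    return None


def triage(text):
    """Summarise where the access landed and whether the shadow agrees with the verdict."""
    rep = parse_kasan_report(text)
    addr, obj, size = rep["addr"], rep["object"], rep["object_size"]
    shadow = shadow_byte_for(rep, addr)
    return {
        "bug_type": rep["bug_type"],
        "function": rep["function"],
        "access": f"{rep['access']} of {rep['size']} bytes by {rep['task']}",
        "cache": rep["cache"],
        "offset_in_object": addr - obj,
        "inside_object": obj <= addr < obj + size,
        "shadow_byte": shadow,
        "shadow_meaning": describe_shadow(shadow),
        # a use-after-free verdict should coincide with a 0xfb shadow byte
        "consistent": (rep["bug_type"] == "use-after-free") == (shadow == 0xfb),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:>18}: {value}")
```

Run against the excerpt it reports the 8-byte write at offset 128 of the 192-byte kmalloc-192 object, with shadow byte 0xfb (freed), which is what makes this a use-after-free rather than an out-of-bounds write into a redzone; the `consistent` flag is the check worth keeping when batch-triaging reports, since a mismatch between the header verdict and the shadow byte usually means the dump was truncated or mixed with another report.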