Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)

From: Randy Dunlap
Date: Fri Mar 15 2019 - 20:32:18 EST


On 3/15/19 9:33 AM, Jens Axboe wrote:
> On 3/14/19 5:49 PM, Randy Dunlap wrote:
>> On 3/14/19 4:43 PM, Jens Axboe wrote:
>>> On 3/13/19 5:09 PM, Randy Dunlap wrote:
>>>> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>>>>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>>>>> [Has this already been addressed/fixed?]>>
>>>>>
>>>>> Same bug occurs with paride/pcd.c driver.
>>>>
>>>> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
>>>> around 4pm PT. [caused by paride: pf.c and pcd.c]
>>>
>>> I'll take a look at this, been busy with other stuff. How are you
>>> reproducing this? I'm assuming you don't actually have any hardware :-)
>>
>> Right. I just load the module (pf or pcd), unload it, and
>> then load it again.
>
> Does this work?
>

No. Just loading the pf module gives this:

[ 1787.318420] calling pf_init+0x0/0x1000 [pf] @ 2889
[ 1787.321872] pf: pf version 1.04, major 47, cluster 64, nice 0
[ 1787.328702] pf: No ATAPI disk detected
[ 1787.329211] ------------[ cut here ]------------
[ 1787.329245] refcount_t: underflow; use-after-free.
[ 1787.329302] WARNING: CPU: 2 PID: 2889 at ../lib/refcount.c:190 refcount_sub_and_test_checked+0x15d/0x190
[ 1787.329359] Modules linked in: pf(+) paride ppdev parport_pc parport ctr ccm af_packet xt_tcpudp ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables bpfilter btrfs uvcvideo videobuf2_vmalloc videobuf2_memops msr videobuf2_v4l2 videobuf2_common xor videodev zstd_compress hid_generic media usbmouse raid6_pq usbkbd libcrc32c usbhid mei_hdcp zstd_decompress hid coretemp iTCO_wdt hwmon intel_rapl iTCO_vendor_support x86_pkg_temp_thermal intel_powerclamp kvm_intel snd_hda_codec_hdmi kvm arc4 iwldvm snd_hda_codec_realtek irqbypass snd_hda_codec_generic ledtrig_audio crct10dif_pclmul mac80211 crc32_pclmul crc32c_intel snd_hda_intel ghash_clmulni_intel snd_hda_codec
[ 1787.329462] snd_hda_core aesni_intel aes_x86_64 sdhci_pci crypto_simd iwlwifi snd_hwdep cryptd glue_helper snd_pcm toshiba_acpi cqhci sparse_keymap sdhci snd_timer intel_cstate uio_pdrv_genirq wmi intel_uncore cfg80211 uio mmc_core e1000e joydev sr_mod snd intel_rapl_perf input_leds mei_me mousedev pcspkr led_class cdrom mei serio_raw industrialio soundcore rfkill lpc_ich thermal pcc_cpufreq rtc_cmos evdev mac_hid toshiba_haps battery ac sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua autofs4
[ 1787.330126] CPU: 2 PID: 2889 Comm: modprobe Not tainted 5.0.0mod #1
[ 1787.330161] Hardware name: TOSHIBA PORTEGE R835/Portable PC, BIOS Version 4.10 01/08/2013
[ 1787.330209] RIP: 0010:refcount_sub_and_test_checked+0x15d/0x190
[ 1787.330246] Code: 74 86 0f b6 1d 3d d5 05 03 80 fb 01 77 2f 83 e3 01 74 04 31 c9 eb 9e 48 c7 c7 c0 c9 7c 8c c6 05 21 d5 05 03 01 e8 b3 04 4d ff <0f> 0b 31 c9 eb 85 48 89 df e8 15 95 a0 ff e9 27 ff ff ff 0f b6 f3
[ 1787.330336] RSP: 0018:ffff88810c4ff718 EFLAGS: 00010282
[ 1787.330370] RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff8a450275
[ 1787.330410] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88811f3df790
[ 1787.330451] RBP: ffff88810c4ff7a8 R08: ffffed1023e7bef3 R09: ffffed1023e7bef3
[ 1787.330491] R10: 0000000000000001 R11: ffffed1023e7bef2 R12: 0000000000000001
[ 1787.330531] R13: ffff88810c4ff780 R14: dffffc0000000000 R15: 00000000ffffffff
[ 1787.330571] FS: 00007f77083bdb80(0000) GS:ffff88811f200000(0000) knlGS:0000000000000000
[ 1787.330615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1787.330658] CR2: 00007f28306a3ed4 CR3: 000000010bb3a005 CR4: 00000000000606e0
[ 1787.330707] Call Trace:
[ 1787.330733] ? refcount_inc_checked+0x50/0x50
[ 1787.330768] ? do_raw_spin_unlock+0x54/0x220
[ 1787.330810] refcount_dec_and_test_checked+0x11/0x20
[ 1787.330844] kobject_put+0x55/0x420
[ 1787.330876] blk_put_queue+0x10/0x20
[ 1787.330904] disk_release+0x20c/0x290
[ 1787.330936] device_release+0x74/0x1d0
[ 1787.330968] kobject_put+0x153/0x420
[ 1787.331000] put_disk+0x15/0x20
[ 1787.331032] pf_init+0x946/0x1000 [pf]
[ 1787.331061] ? 0xffffffffc1d28000
[ 1787.331094] ? 0xffffffffc1d28000
[ 1787.331123] do_one_initcall+0xab/0x2ad
[ 1787.331154] ? initcall_blacklisted+0x190/0x190
[ 1787.331187] ? kasan_unpoison_shadow+0x35/0x50
[ 1787.331225] ? kasan_unpoison_shadow+0x35/0x50
[ 1787.331255] ? kasan_unpoison_shadow+0x35/0x50
[ 1787.331287] ? kasan_poison_shadow+0x2f/0x40
[ 1787.331317] ? __asan_register_globals+0x5a/0x70
[ 1787.331357] do_init_module+0x1c7/0x548
[ 1787.331394] load_module+0x46bb/0x5da0
[ 1787.331466] ? layout_and_allocate+0x2d00/0x2d00
[ 1787.331505] ? kernel_read+0x90/0x130
[ 1787.331535] ? kasan_check_write+0x14/0x20
[ 1787.331565] ? kernel_read_file+0x247/0x630
[ 1787.331640] __do_sys_finit_module+0x193/0x1b0
[ 1787.331673] ? __do_sys_finit_module+0x193/0x1b0
[ 1787.331713] ? __ia32_sys_init_module+0xa0/0xa0
[ 1787.331746] ? vfs_statx_fd+0x45/0x80
[ 1787.331775] ? kasan_check_write+0x14/0x20
[ 1787.331804] ? fput_many+0x1b/0x130
[ 1787.331833] ? fput+0xe/0x10
[ 1787.331858] ? ksys_mmap_pgoff+0x3d9/0xb50
[ 1787.331912] __x64_sys_finit_module+0x6e/0xb0
[ 1787.331943] ? __x64_sys_newfstat+0x4f/0x70
[ 1787.331975] do_syscall_64+0xaa/0x310
[ 1787.332002] ? prepare_exit_to_usermode+0x8b/0x150
[ 1787.332038] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1787.332071] RIP: 0033:0x7f7707aa6129
[ 1787.332098] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3f 0d 2c 00 f7 d8 64 89 01 48
[ 1787.332188] RSP: 002b:00007ffff0b922a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 1787.332233] RAX: ffffffffffffffda RBX: 000055e0b8f46b10 RCX: 00007f7707aa6129
[ 1787.332273] RDX: 0000000000000000 RSI: 000055e0b8d34548 RDI: 0000000000000004
[ 1787.332314] RBP: 000055e0b8d34548 R08: 0000000000000000 R09: 000055e0b8f46400
[ 1787.332354] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000040000
[ 1787.332394] R13: 000055e0b8f46c40 R14: 0000000000000000 R15: 000055e0b8f46b10
[ 1787.332454] ---[ end trace 25a30d991b83572f ]---
[ 1787.333319] initcall pf_init+0x0/0x1000 [pf] returned -19 after 14500 usecs


>
> diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
> index 96670eefaeb2..4681ddef5666 100644
> --- a/drivers/block/paride/pcd.c
> +++ b/drivers/block/paride/pcd.c
> @@ -749,8 +749,11 @@ static int pcd_detect(void)
> return 0;
>
> printk("%s: No CD-ROM drive found\n", name);
> - for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++)
> + for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
> + blk_cleanup_queue(cd->disk->queue);
> + blk_mq_free_tag_set(&cd->tag_set);
> put_disk(cd->disk);
> + }
> pi_unregister_driver(par_drv);
> return -1;
> }
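Review bot: The queue is still released twice on this error path: blk_cleanup_queue on the added line drops the reference the driver obtained when it created the queue, and put_disk's disk_release then calls blk_put_queue on the same disk->queue — the trace reported above (put_disk → disk_release → blk_put_queue → refcount underflow, from pf_init) is exactly that second put, and the pf.c hunk below has the same shape. Because this path runs before add_disk, the gendisk presumably never took its own reference on the queue, which is why the usual cleanup_queue-then-put_disk ordering underflows here — worth confirming against __device_add_disk in this tree. Clearing the pointer between the two calls, `blk_cleanup_queue(cd->disk->queue);` `cd->disk->queue = NULL;` `put_disk(cd->disk);`, keeps disk_release away from the freed queue; the pf.c hunk needs the same `pf->disk->queue = NULL;`. The new body also dereferences cd->disk unconditionally where the old put_disk call tolerated a NULL disk, so if a failed alloc_disk can leave a unit without one, add `if (!cd->disk) continue;` at the top of the loop body. pcd_detect begins outside the hunk.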
> diff --git a/drivers/block/paride/pf.c b/drivers/block/paride/pf.c
> index e92e7a8eeeb2..d27f375bb55a 100644
> --- a/drivers/block/paride/pf.c
> +++ b/drivers/block/paride/pf.c
> @@ -761,8 +761,11 @@ static int pf_detect(void)
> return 0;
>
> printk("%s: No ATAPI disk detected\n", name);
> - for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++)
> + for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
> + blk_cleanup_queue(pf->disk->queue);
> + blk_mq_free_tag_set(&pf->tag_set);
> put_disk(pf->disk);
> + }
> pi_unregister_driver(par_drv);
> return -1;
> }
>


--
~Randy