6.10rc2/BUG: KASAN: slab-use-after-free in set_device_name+0xe1/0x490 [ledtrig_netdev]
From: Mikhail Gavrilov
Date: Tue Jun 04 2024 - 09:15:15 EST
Hi,
yesterday, on my first boot into 6.10-rc2, I spotted a new error message in the kernel log, with the following stack trace:
[ 16.599760] usbcore: registered new device driver apple-mfi-fastcharge
[ 16.603658] igc 0000:0a:00.0 eno1: renamed from eth0
[ 16.612386] ==================================================================
[ 16.612389] BUG: KASAN: slab-use-after-free in
set_device_name+0xe1/0x490 [ledtrig_netdev]
[ 16.612398] Read of size 4 at addr ffff88810ad217c0 by task modprobe/1111
[ 16.612403] CPU: 13 PID: 1111 Comm: modprobe Tainted: G W
L ------- --- 6.10.0-0.rc2.25.fc41.x86_64+debug #1
[ 16.612406] Hardware name: ASUS System Product Name/ROG STRIX
B650E-I GAMING WIFI, BIOS 2611 04/07/2024
[ 16.612408] Call Trace:
[ 16.612409] <TASK>
[ 16.612411] dump_stack_lvl+0x84/0xd0
[ 16.612417] ? set_device_name+0xe1/0x490 [ledtrig_netdev]
[ 16.612421] print_report+0x174/0x505
[ 16.612425] ? set_device_name+0xe1/0x490 [ledtrig_netdev]
[ 16.612429] ? __virt_addr_valid+0x228/0x420
[ 16.612433] ? set_device_name+0xe1/0x490 [ledtrig_netdev]
[ 16.612437] kasan_report+0xab/0x180
[ 16.612441] ? set_device_name+0xe1/0x490 [ledtrig_netdev]
[ 16.612446] kasan_check_range+0x104/0x1b0
[ 16.612450] __asan_memcpy+0x23/0x60
[ 16.612453] set_device_name+0xe1/0x490 [ledtrig_netdev]
[ 16.612458] netdev_trig_activate+0x576/0x7f0 [ledtrig_netdev]
[ 16.612463] ? __pfx_netdev_trig_activate+0x10/0x10 [ledtrig_netdev]
[ 16.612467] ? __down_write_trylock+0x179/0x370
[ 16.612473] led_trigger_set+0x5c6/0xb10
[ 16.641282] ? __pfx_led_trigger_set+0x10/0x10
[ 16.641292] ? up_write+0x1be/0x510
[ 16.641299] led_trigger_register+0x3a5/0x4d0
[ 16.646090] ? __pfx_netdev_led_trigger_init+0x10/0x10 [ledtrig_netdev]
[ 16.646096] do_one_initcall+0xd6/0x460
[ 16.646101] ? __pfx_do_one_initcall+0x10/0x10
[ 16.653234] ? kasan_unpoison+0x44/0x70
[ 16.653246] do_init_module+0x296/0x7c0
[ 16.653251] load_module+0x5777/0x7490
[ 16.653259] ? __pfx_load_module+0x10/0x10
[ 16.653262] ? lock_acquire+0x457/0x540
[ 16.653269] ? ima_post_load_data+0x68/0x80
[ 16.653273] ? __do_sys_init_module+0x1ef/0x220
[ 16.653275] __do_sys_init_module+0x1ef/0x220
[ 16.653277] ? __pfx___do_sys_init_module+0x10/0x10
[ 16.666390] ? ktime_get_coarse_real_ts64+0x41/0xd0
[ 16.666401] do_syscall_64+0x97/0x190
[ 16.666406] ? rcu_is_watching+0x12/0xc0
[ 16.671328] ? trace_irq_enable.constprop.0+0xce/0x110
[ 16.671332] ? syscall_exit_to_user_mode+0xbe/0x290
[ 16.671335] ? do_syscall_64+0xa3/0x190
[ 16.671338] ? rcu_is_watching+0x12/0xc0
[ 16.671340] ? lock_release+0x575/0xd60
[ 16.671344] ? rcu_is_watching+0x12/0xc0
[ 16.671345] ? lock_release+0x575/0xd60
[ 16.671347] ? __pfx_lock_acquire+0x10/0x10
[ 16.671350] ? __pfx_lock_release+0x10/0x10
[ 16.671352] ? __pfx___up_read+0x10/0x10
[ 16.671355] ? handle_mm_fault+0x47d/0x8d0
[ 16.671360] ? rcu_is_watching+0x12/0xc0
[ 16.671362] ? trace_irq_enable.constprop.0+0xce/0x110
[ 16.671365] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 16.671367] RIP: 0033:0x7f9563f2b5ae
[ 16.671380] Code: 48 8b 0d 85 a8 0c 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 52 a8 0c 00 f7 d8 64 89
01 48
[ 16.671382] RSP: 002b:00007ffcdf220628 EFLAGS: 00000246 ORIG_RAX:
00000000000000af
[ 16.671385] RAX: ffffffffffffffda RBX: 00005632ca650c20 RCX: 00007f9563f2b5ae
[ 16.671386] RDX: 00005632a639be79 RSI: 0000000000016be6 RDI: 00005632ca65fb40
[ 16.671388] RBP: 00007ffcdf2206e0 R08: 00005632ca650010 R09: 0000000000000007
[ 16.671389] R10: 0000000000000001 R11: 0000000000000246 R12: 00005632a639be79
[ 16.671390] R13: 0000000000040000 R14: 00005632ca650b80 R15: 00005632ca658c50
[ 16.671394] </TASK>
[ 16.671396] Allocated by task 1046:
[ 16.671398] kasan_save_stack+0x30/0x50
[ 16.671401] kasan_save_track+0x14/0x30
[ 16.671403] __kasan_kmalloc+0x8f/0xa0
[ 16.671405] kmalloc_node_track_caller_noprof+0x258/0x5f0
[ 16.671407] kstrdup+0x34/0x60
[ 16.671409] kobject_set_name_vargs+0x43/0x120
[ 16.671412] dev_set_name+0xb6/0xf0
[ 16.671414] netdev_register_kobject+0xc5/0x390
[ 16.671416] register_netdevice+0xf3f/0x1910
[ 16.671418] register_netdev+0x1e/0x40
[ 16.671420] igc_probe+0x1559/0x1e20 [igc]
[ 16.671428] local_pci_probe+0xdc/0x180
[ 16.671431] pci_device_probe+0x233/0x7f0
[ 16.671432] really_probe+0x1e0/0x8a0
[ 16.671435] __driver_probe_device+0x18c/0x370
[ 16.671436] driver_probe_device+0x4a/0x120
[ 16.671438] __driver_attach+0x194/0x4a0
[ 16.671440] bus_for_each_dev+0x106/0x190
[ 16.671441] bus_add_driver+0x2ff/0x540
[ 16.671442] driver_register+0x1a5/0x360
[ 16.671444] do_one_initcall+0xd6/0x460
[ 16.671447] do_init_module+0x296/0x7c0
[ 16.671449] load_module+0x5777/0x7490
[ 16.671450] __do_sys_init_module+0x1ef/0x220
[ 16.671452] do_syscall_64+0x97/0x190
[ 16.671453] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 16.671455] Freed by task 1017:
[ 16.671456] kasan_save_stack+0x30/0x50
[ 16.671458] kasan_save_track+0x14/0x30
[ 16.671460] kasan_save_free_info+0x3b/0x60
[ 16.671462] poison_slab_object+0x109/0x180
[ 16.671464] __kasan_slab_free+0x14/0x30
[ 16.671465] kfree+0x11f/0x3b0
[ 16.671468] kobject_rename+0x146/0x220
[ 16.671469] device_rename+0xf6/0x1a0
[ 16.671470] dev_change_name+0x27f/0x7d0
[ 16.671472] do_setlink+0x26cf/0x33e0
[ 16.671473] rtnl_setlink+0x212/0x340
[ 16.671475] rtnetlink_rcv_msg+0x2f3/0xb10
[ 16.671476] netlink_rcv_skb+0x13d/0x3b0
[ 16.671478] netlink_unicast+0x42c/0x6e0
[ 16.671480] netlink_sendmsg+0x765/0xc20
[ 16.671481] __sys_sendto+0x3e5/0x490
[ 16.671483] __x64_sys_sendto+0xe0/0x1c0
[ 16.671485] do_syscall_64+0x97/0x190
[ 16.671486] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 16.671489] The buggy address belongs to the object at ffff88810ad217c0
which belongs to the cache kmalloc-8 of size 8
[ 16.671491] The buggy address is located 0 bytes inside of
freed 8-byte region [ffff88810ad217c0, ffff88810ad217c8)
[ 16.671493] The buggy address belongs to the physical page:
[ 16.671494] page: refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x10ad21
[ 16.671496] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[ 16.671499] page_type: 0xffffefff(slab)
[ 16.671501] raw: 0017ffffc0000000 ffff88810004c500 dead000000000122
0000000000000000
[ 16.671503] raw: 0000000000000000 0000000080800080 00000001ffffefff
0000000000000000
[ 16.671504] page dumped because: kasan: bad access detected
[ 16.671505] Memory state around the buggy address:
[ 16.671506] ffff88810ad21680: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 16.671507] ffff88810ad21700: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 16.671508] >ffff88810ad21780: fc fc fc fc fc fc fc fc fa fc fc fc
fc fc fc fc
[ 16.671509] ^
[ 16.671510] ffff88810ad21800: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 16.671511] ffff88810ad21880: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 16.671512] ==================================================================
[ 16.674845] mc: Linux media interface: v0.10
[ 16.689657] asus_wmi: ASUS WMI generic driver loaded
I tried to reproduce it, but none of the subsequent reboots triggered this report. I don't have any idea how to reproduce it again, so I just want to point at the code involved. One observation: the freed object is an 8-byte kstrdup()'d kobject name set by dev_set_name() during register_netdevice() and freed by kobject_rename() via dev_change_name(), and the log shows "igc ... eno1: renamed from eth0" right before the report, so this looks like a race between netdev_trig_activate() copying the interface name and udev renaming the interface -- but I cannot confirm that from a single occurrence.
> sh /usr/src/kernels/(uname -r)/scripts/faddr2line /lib/debug/lib/modules/6.10.0-0.rc2.25.fc41.x86_64+debug/kernel/drivers/leds/trigger/ledtrig-netdev.ko.debug set_device_name+0xe1
set_device_name+0xe1/0x490:
set_device_name at
/usr/src/debug/kernel-6.10-rc2/linux-6.10.0-0.rc2.25.fc41.x86_64/drivers/leds/trigger/ledtrig-netdev.c:276
> cat -n /usr/src/debug/kernel-6.10-rc2/linux-6.10.0-0.rc2.25.fc41.x86_64/drivers/leds/trigger/ledtrig-netdev.c | sed -n '271,281 p'
271 dev_put(trigger_data->net_dev);
272 trigger_data->net_dev = NULL;
273 }
274
275 memcpy(trigger_data->device_name, name, size);
276 trigger_data->device_name[size] = 0;
277 if (size > 0 && trigger_data->device_name[size - 1] == '\n')
278 trigger_data->device_name[size - 1] = 0;
279
280 if (trigger_data->device_name[0] != 0)
281 trigger_data->net_dev =
> git blame drivers/leds/trigger/ledtrig-netdev.c -L 271,281
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 271)
dev_put(trigger_data->net_dev);
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 272)
trigger_data->net_dev = NULL;
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 273) }
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 274)
28a6a2ef18ad8 (Andrew Lunn 2023-05-29 18:32:34 +0200 275)
memcpy(trigger_data->device_name, name, size);
909346433064b (Rasmus Villemoes 2019-03-14 15:06:14 +0100 276)
trigger_data->device_name[size] = 0;
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 277) if
(size > 0 && trigger_data->device_name[size - 1] == '\n')
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 278)
trigger_data->device_name[size - 1] = 0;
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 279)
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 280) if
(trigger_data->device_name[0] != 0)
06f502f57d0d7 (Ben Whitten 2017-12-10 21:17:55 +0000 281)
trigger_data->net_dev =
I also attached the full kernel log and build config.
My hardware specs: https://linux-hardware.org/?probe=c7bc87f2b3
Rasmus, from the git blame I see that you changed line 276 on 2019-03-14; maybe you have an idea how a slab-use-after-free can happen here. Note that faddr2line resolves the return address after the call, and the report is a 4-byte *read* inside __asan_memcpy(), so the faulting access is most likely the memcpy() on line 275 reading from `name`, not the store on line 276.
--
Best Regards,
Mike Gavrilov.
Attachment:
6.10.0-0.rc2.25.fc41.x86_64+debug.zip
Description: Zip archive
Attachment:
.config.zip
Description: Zip archive