| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 23 May 2020 06:29:52 -0700
From: Guenter Roeck <linux@...ck-us.net>
To: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org,
Naresh Kamboju <naresh.kamboju@...aro.org>,
kernel test robot <rong.a.chen@...el.com>,
Brendan Higgins <brendanhiggins@...gle.com>,
Randy Dunlap <rdunlap@...radead.org>,
"Rafael J. Wysocki" <rafael@...nel.org>
Subject: Re: [PATCH] kobject: Make sure the parent does not get released
before its children
On Sat, May 23, 2020 at 06:21:01AM -0700, Guenter Roeck wrote:
> On Wed, May 13, 2020 at 06:18:40PM +0300, Heikki Krogerus wrote:
> > In the function kobject_cleanup(), kobject_del(kobj) is
> > called before the kobj->release(). That makes it possible to
> > release the parent of the kobject before the kobject itself.
> >
> > To fix that, adding function __kboject_del() that does
>
> s/kboject/kobject/
>
> > everything that kobject_del() does except release the parent
> > reference. kobject_cleanup() then calls __kobject_del()
> > instead of kobject_del(), and separately decrements the
> > reference count of the parent kobject after kobj->release()
> > has been called.
> >
> > Reported-by: Naresh Kamboju <naresh.kamboju@...aro.org>
> > Reported-by: kernel test robot <rong.a.chen@...el.com>
> > Fixes: 7589238a8cf3 ("Revert "software node: Simplify software_node_release() function"")
> > Cc: Brendan Higgins <brendanhiggins@...gle.com>
> > Cc: Randy Dunlap <rdunlap@...radead.org>
> > Suggested-by: "Rafael J. Wysocki" <rafael@...nel.org>
> > Signed-off-by: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
> > Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@...el.com>
> > Reviewed-by: Brendan Higgins <brendanhiggins@...gle.com>
> > Tested-by: Brendan Higgins <brendanhiggins@...gle.com>
> > Acked-by: Randy Dunlap <rdunlap@...radead.org>
> > Tested-by: Randy Dunlap <rdunlap@...radead.org>
>
> All my arm64be (arm64 big endian) boot tests crash with this patch
> applied. Reverting it fixes the problem. Crash log and bisect results
> (from pending-fixes branch) below.
>
arm64 images don't crash but report lots of "poison overwritten" backtraces
like the one below. On arm, I see "refcount_t: underflow", also attached.
I didn't bisect those, but given the context I would suspect the same
culprit.
Guenter
---
[ 15.017361] =============================================================================
[ 15.017561] BUG kmalloc-2k (Not tainted): Poison overwritten
[ 15.017632] -----------------------------------------------------------------------------
[ 15.017632]
[ 15.017757] Disabling lock debugging due to kernel taint
[ 15.017900] INFO: 0x(____ptrval____)-0x(____ptrval____) @offset=8272. First byte 0x6a instead of 0x6b
[ 15.018039] INFO: Allocated in i2cdev_attach_adapter.part.10+0x44/0x180 age=18 cpu=0 pid=1
[ 15.018122] __slab_alloc.isra.91+0x5c/0xc8
[ 15.018182] kmem_cache_alloc_trace+0x228/0x248
[ 15.018235] i2cdev_attach_adapter.part.10+0x44/0x180
[ 15.018284] i2cdev_notifier_call+0x70/0x88
[ 15.018329] notifier_call_chain+0x54/0x98
[ 15.018372] blocking_notifier_call_chain+0x5c/0x80
[ 15.018423] device_add+0x3bc/0x770
[ 15.018462] device_register+0x20/0x30
[ 15.018502] i2c_register_adapter+0xf0/0x400
[ 15.018546] i2c_add_adapter+0x80/0xd8
[ 15.018587] i2c_add_numbered_adapter+0x2c/0x38
[ 15.018634] unittest_i2c_bus_probe+0x9c/0xf0
[ 15.018679] platform_drv_probe+0x54/0xa8
[ 15.018722] really_probe+0xd8/0x330
[ 15.018762] driver_probe_device+0x58/0xf0
[ 15.018805] device_driver_attach+0x74/0x80
[ 15.018871] INFO: Freed in i2cdev_dev_release+0x14/0x20 age=4 cpu=0 pid=1
[ 15.018933] kfree+0x3d0/0x3e0
[ 15.018969] i2cdev_dev_release+0x14/0x20
[ 15.019011] device_release+0x2c/0x88
[ 15.019054] kobject_put+0x7c/0x138
[ 15.019092] kobject_put+0x90/0x138
[ 15.019133] cdev_del+0x2c/0x40
[ 15.019169] cdev_device_del+0x40/0x50
[ 15.019210] put_i2c_dev+0x94/0xb0
[ 15.019248] i2cdev_detach_adapter.part.5+0x20/0x30
[ 15.019296] i2cdev_notifier_call+0x80/0x88
[ 15.019339] notifier_call_chain+0x54/0x98
[ 15.019381] blocking_notifier_call_chain+0x5c/0x80
[ 15.019428] device_del+0x84/0x3b0
[ 15.019466] device_unregister+0x18/0x38
[ 15.019508] i2c_del_adapter+0x1e8/0x240
[ 15.019549] unittest_i2c_bus_remove+0x18/0x28
[ 15.019632] INFO: Slab 0x(____ptrval____) objects=5 used=5 fp=0x0000000000000000 flags=0xffff00000010200
[ 15.019717] INFO: Object 0x(____ptrval____) @offset=8192 fp=0x(____ptrval____)
[ 15.019717]
---
[ 22.415374] ### dt-test ### EXPECT / : i2c i2c-1: Added multiplexed i2c bus 3
[ 22.419097] ------------[ cut here ]------------
[ 22.419586] WARNING: CPU: 0 PID: 1 at lib/refcount.c:28 i2cdev_notifier_call+0x54/0x5c
[ 22.419708] refcount_t: underflow; use-after-free.
[ 22.419860] Modules linked in:
[ 22.420074] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.7.0-rc6-00275-gdbacbfd47d67 #1
[ 22.420227] Hardware name: Generic OMAP3-GP (Flattened Device Tree)
[ 22.420440] [<c03128e0>] (unwind_backtrace) from [<c030c900>] (show_stack+0x10/0x14)
[ 22.420593] [<c030c900>] (show_stack) from [<c08c8df8>] (dump_stack+0xe0/0x10c)
[ 22.420715] [<c08c8df8>] (dump_stack) from [<c0348380>] (__warn+0xf4/0x10c)
[ 22.420867] [<c0348380>] (__warn) from [<c0348410>] (warn_slowpath_fmt+0x78/0xbc)
[ 22.420989] [<c0348410>] (warn_slowpath_fmt) from [<c0eed4c8>] (i2cdev_notifier_call+0x54/0x5c)
[ 22.421142] [<c0eed4c8>] (i2cdev_notifier_call) from [<c03745dc>] (notifier_call_chain+0x48/0x84)
[ 22.421264] [<c03745dc>] (notifier_call_chain) from [<c0374dc0>] (blocking_notifier_call_chain+0x44/0x5c)
[ 22.421386] [<c0374dc0>] (blocking_notifier_call_chain) from [<c0ba9c5c>] (device_del+0x80/0x3d4)
[ 22.421508] [<c0ba9c5c>] (device_del) from [<c0ba9fbc>] (device_unregister+0xc/0x20)
[ 22.421600] [<c0ba9fbc>] (device_unregister) from [<c0ee83d4>] (i2c_del_adapter+0x1ac/0x1f8)
[ 22.421722] [<c0ee83d4>] (i2c_del_adapter) from [<c0eee888>] (i2c_mux_del_adapters+0x90/0xc8)
[ 22.421874] [<c0eee888>] (i2c_mux_del_adapters) from [<c0fd4d50>] (unittest_i2c_mux_remove+0xc/0x14)
[ 22.421997] [<c0fd4d50>] (unittest_i2c_mux_remove) from [<c0ee7b1c>] (i2c_device_remove+0x54/0xa8)
[ 22.422119] [<c0ee7b1c>] (i2c_device_remove) from [<c0baea40>] (device_release_driver_internal+0xe8/0x1b8)
[ 22.422241] [<c0baea40>] (device_release_driver_internal) from [<c0baeb6c>] (driver_detach+0x44/0x80)
[ 22.422363] [<c0baeb6c>] (driver_detach) from [<c0bad6e4>] (bus_remove_driver+0x4c/0xa0)
[ 22.422485] [<c0bad6e4>] (bus_remove_driver) from [<c1ca89e4>] (of_unittest_overlay+0xc90/0x11a8)
[ 22.422576] [<c1ca89e4>] (of_unittest_overlay) from [<c1cab52c>] (of_unittest+0x24a0/0x2af0)
[ 22.422698] [<c1cab52c>] (of_unittest) from [<c03022d4>] (do_one_initcall+0x8c/0x3bc)
[ 22.422821] [<c03022d4>] (do_one_initcall) from [<c1c0103c>] (kernel_init_freeable+0x1a0/0x204)
[ 22.422943] [<c1c0103c>] (kernel_init_freeable) from [<c11fe8c8>] (kernel_init+0x8/0x118)
[ 22.423065] [<c11fe8c8>] (kernel_init) from [<c0300174>] (ret_from_fork+0x14/0x20)
[ 22.423187] Exception stack(0xcb0bdfb0 to 0xcb0bdff8)
[ 22.423339] dfa0: 00000000 00000000 00000000 00000000
[ 22.423492] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 22.423645] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 22.423797] irq event stamp: 774333
[ 22.423919] hardirqs last enabled at (774341): [<c03c1ab0>] console_unlock+0x458/0x648
[ 22.424011] hardirqs last disabled at (774348): [<c03c171c>] console_unlock+0xc4/0x648
[ 22.424163] softirqs last enabled at (774258): [<c0301664>] __do_softirq+0x3bc/0x5b4
[ 22.424255] softirqs last disabled at (774235): [<c03519a4>] irq_exit+0x160/0x170
[ 22.424377] ---[ end trace ae0b985481f6b675 ]---
Powered by blists - more mailing lists