Message-ID: <20240924055850.GN38742@google.com>
Date: Tue, 24 Sep 2024 14:58:50 +0900
From: Sergey Senozhatsky <senozhatsky@...omium.org>
To: Christophe JAILLET <christophe.jaillet@...adoo.fr>
Cc: Andrey Skvortsov <andrej.skvortzov@...il.com>,
	Venkat Rao Bagalkote <venkat88@...ux.vnet.ibm.com>,
	Minchan Kim <minchan@...nel.org>, Jens Axboe <axboe@...nel.dk>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, linux-block@...r.kernel.org,
	stable@...r.kernel.org,
	Sergey Senozhatsky <senozhatsky@...omium.org>
Subject: Re: [PATCH v3] zram: don't free statically defined names

On (24/09/24 14:49), Sergey Senozhatsky wrote:
> On (24/09/24 07:21), Christophe JAILLET wrote:
> [..]
> > > kfree_const() will not work if zram is built as a module. It works
> > > only for .rodata for kernel image. [1]
> > >
> > > 1. https://elixir.bootlin.com/linux/v6.11/source/include/asm-generic/sections.h#L177
> > >
> >
> > If so, then it is likely that it is not correctly used elsewhere.
> >
> > https://elixir.bootlin.com/linux/v6.11/source/drivers/dax/kmem.c#L289
> > https://elixir.bootlin.com/linux/v6.11/source/drivers/firmware/arm_scmi/bus.c#L341
> > https://elixir.bootlin.com/linux/v6.11/source/drivers/input/touchscreen/chipone_icn8505.c#L379
>
> icn8505_probe_acpi() uses kfree_const(subsys)...
>
> subsys is returned from acpi_get_subsystem_id() which only
> does
> 		sub = kstrdup(obj->string.pointer, GFP_KERNEL);
>
> However, if acpi_get_subsystem_id() returns an error then
> icn8505_probe_acpi() does
>
> 		subsys = "unknown";
>
> and I suspect that kfree_const(subsys) can, in fact, explode?

A trivial test to replicate the icn8505_probe_acpi() error path

(zram built as a module)

---
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
index d3329a67e805..5cd65dd7dafa 100644
--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -2719,11 +2719,21 @@ static void destroy_devices(void)
        cpuhp_remove_multi_state(CPUHP_ZCOMP_PREPARE);
 }

+static void boom(void)
+{
+       char *str = "unknown";
+
+       pr_err(":: kfree_const() %s\n", str);
+       kfree_const(str);
+}
+
 static int __init zram_init(void)
 {
        struct zram_table_entry zram_te;
        int ret;

+       boom();
+
        BUILD_BUG_ON(__NR_ZRAM_PAGEFLAGS > sizeof(zram_te.flags) * 8);

        ret = cpuhp_setup_state_multi(CPUHP_ZCOMP_PREPARE, "block/zram:prepare",
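Review bot: `char *str = "unknown";` in boom() discards the const qualifier of a string literal; `const char *str` matches the `const void *` parameter of kfree_const() and is closer to how icn8505_probe_acpi() assigns its "unknown" fallback. Apart from that the reproducer is faithful to the argument in the quoted text: the literal sits in the module's own .rodata, which the kernel-image range that kfree_const() checks (the asm-generic/sections.h link above) does not include, so the call falls through to kfree() on a non-slab address; that is the free_large_kmalloc() WARNING and the subsequent BUG in the log that follows, both with init_module [zram] on the stack because boom() runs unconditionally at the top of zram_init(), before BUILD_BUG_ON() and cpuhp_setup_state_multi(). Fine as a throwaway test, but it must not be carried into the actual fix.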
---


[   15.494947] zram: :: kfree_const() unknown
[..]
[   15.498085] WARNING: CPU: 5 PID: 420 at mm/slub.c:4690 free_large_kmalloc+0x18/0xb0
[   15.500393] Modules linked in: zram(+) 842_decompress 842_compress zsmalloc zstd_compress lz4hc_compress lz4_compress zlib_deflate
[   15.503405] CPU: 5 UID: 0 PID: 420 Comm: modprobe Tainted: G                 N 6.11.0-next-20240920+ #727
[   15.506013] Tainted: [N]=TEST
[   15.506792] RIP: 0010:free_large_kmalloc+0x18/0xb0
[..]
[   15.531487] Call Trace:
[   15.532102]  <TASK>
[   15.532616]  ? __warn+0x12d/0x340
[   15.533409]  ? free_large_kmalloc+0x18/0xb0
[   15.534397]  ? free_large_kmalloc+0x18/0xb0
[   15.535426]  ? report_bug+0x170/0x380
[   15.536365]  ? handle_bug+0x5c/0xa0
[   15.537206]  ? exc_invalid_op+0x16/0x40
[   15.538155]  ? asm_exc_invalid_op+0x16/0x20
[   15.539189]  ? free_large_kmalloc+0x18/0xb0
[   15.540194]  init_module+0x25/0xffb [zram]
[   15.541173]  do_one_initcall+0x130/0x450
[   15.542143]  ? __cfi_init_module+0x5/0x5 [zram]
[   15.543282]  ? stack_depot_save_flags+0x25/0x700
[   15.544413]  ? stack_trace_save+0xb3/0x150
[   15.545428]  ? kasan_save_track+0x3c/0x60
[   15.546401]  ? kasan_save_track+0x2b/0x60
[   15.547364]  ? __kasan_kmalloc+0x6e/0x80
[   15.548350]  ? do_init_module+0x16e/0x890
[   15.549348]  ? __se_sys_finit_module+0x513/0x7e0
[   15.550437]  ? do_syscall_64+0x71/0x110
[   15.551385]  ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   15.552662]  ? stack_depot_save_flags+0x25/0x700
[   15.553751]  ? stack_trace_save+0xb3/0x150
[   15.554754]  ? __create_object+0x62/0x110
[   15.555767]  ? do_raw_spin_unlock+0x5a/0x950
[   15.556778]  ? __create_object+0x62/0x110
[   15.557727]  ? _raw_spin_unlock_irqrestore+0x31/0x40
[   15.558928]  ? __create_object+0x62/0x110
[   15.559947]  ? kasan_unpoison+0x49/0x70
[   15.560855]  ? __asan_register_globals+0x54/0x70
[   15.561976]  do_init_module+0x36a/0x890
[   15.562940]  __se_sys_finit_module+0x513/0x7e0
[   15.564034]  do_syscall_64+0x71/0x110
[   15.564948]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[..]
[   15.894538] kernel BUG at include/linux/mm.h:1140!
[   15.895727] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
[   15.897003] CPU: 5 UID: 0 PID: 420 Comm: modprobe Tainted: G    B   W        N 6.11.0-next-20240920+ #727
[   15.899215] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   15.900395] RIP: 0010:free_large_kmalloc+0xaa/0xb0
[..]
[   15.924239] Call Trace:
[   15.924836]  <TASK>
[   15.925343]  ? __die_body+0x66/0xb0
[   15.926183]  ? die+0xa0/0xc0
[   15.926873]  ? do_trap+0xf4/0x2e0
[   15.927671]  ? free_large_kmalloc+0xaa/0xb0
[   15.928665]  ? do_error_trap+0xfc/0x180
[   15.929567]  ? free_large_kmalloc+0xaa/0xb0
[   15.930550]  ? handle_invalid_op+0x4f/0x60
[   15.931529]  ? free_large_kmalloc+0xaa/0xb0
[   15.932513]  ? exc_invalid_op+0x2f/0x40
[   15.933422]  ? asm_exc_invalid_op+0x16/0x20
[   15.934413]  ? free_large_kmalloc+0xaa/0xb0
[   15.935410]  init_module+0x25/0xffb [zram]
[   15.936375]  do_one_initcall+0x130/0x450
[   15.937306]  ? __cfi_init_module+0x5/0x5 [zram]
[   15.938550]  ? stack_depot_save_flags+0x25/0x700
[   15.939799]  ? stack_trace_save+0xb3/0x150
[   15.940786]  ? kasan_save_track+0x3c/0x60
[   15.941755]  ? kasan_save_track+0x2b/0x60
[   15.942729]  ? __kasan_kmalloc+0x6e/0x80
[   15.943697]  ? do_init_module+0x16e/0x890
[   15.944665]  ? __se_sys_finit_module+0x513/0x7e0
[   15.945782]  ? do_syscall_64+0x71/0x110
[   15.946716]  ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   15.947978]  ? stack_depot_save_flags+0x25/0x700
[   15.949091]  ? stack_trace_save+0xb3/0x150
[   15.950082]  ? __create_object+0x62/0x110
[   15.951052]  ? do_raw_spin_unlock+0x5a/0x950
[   15.952094]  ? __create_object+0x62/0x110
[   15.953064]  ? _raw_spin_unlock_irqrestore+0x31/0x40
[   15.954255]  ? __create_object+0x62/0x110
[   15.955221]  ? kasan_unpoison+0x49/0x70
[   15.956154]  ? __asan_register_globals+0x54/0x70
[   15.957261]  do_init_module+0x36a/0x890
[   15.958199]  __se_sys_finit_module+0x513/0x7e0
[   15.959282]  do_syscall_64+0x71/0x110
[   15.960172]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
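The failure mode discussed in the thread, modelled in user space as an added example (this is not kernel code and not part of the original message): the real kfree_const() calls kfree() on its argument unless the address lies inside the kernel image's .rodata, so a string literal from a module's own .rodata reaches kfree() as if it were a slab object. The arrays `kernel_rodata` and `module_rodata` are constructed stand-ins for the `__start_rodata`/`__end_rodata` range and for a module's .rodata, and `is_kernel_rodata_sim()`, `kstrdup_sim()` and `kfree_const_sim()` are hypothetical counterparts of the kernel helpers; instead of crashing on a non-slab pointer, the model reports what the real function would have done.

```c
/*
 * User-space model of kfree_const() (constructed example, not kernel code).
 * The real helper: if (!is_kernel_rodata((unsigned long)x)) kfree(x);
 * where is_kernel_rodata() compares against __start_rodata/__end_rodata,
 * i.e. the kernel image only, never a module's .rodata.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel image's .rodata range. */
static const char kernel_rodata[] = "block/zram:prepare";

/* Constructed stand-in for a module's .rodata: a distinct object that
 * the range check below cannot cover. */
static const char module_rodata[] = "unknown";

/* Hypothetical counterpart of is_kernel_rodata(). */
static bool is_kernel_rodata_sim(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    return a >= (uintptr_t)kernel_rodata &&
           a <  (uintptr_t)kernel_rodata + sizeof(kernel_rodata);
}

/* Minimal ledger of live heap objects, standing in for the slab's
 * "is this really a slab object?" check that free_large_kmalloc()
 * WARNs about in the log above. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

/* Hypothetical counterpart of kstrdup(): heap copy, recorded in the ledger. */
static char *kstrdup_sim(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (!copy)
        return NULL;
    memcpy(copy, s, n);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = copy;
            return copy;
        }
    }
    free(copy);
    return NULL;
}

enum kfree_const_outcome {
    KC_SKIPPED,    /* kernel .rodata or NULL: nothing is freed */
    KC_FREED_HEAP, /* kmalloc'd object: freed normally */
    KC_BAD_FREE    /* neither: where the real kernel WARNs, then BUGs */
};

/* Hypothetical counterpart of kfree_const() that reports instead of crashing. */
static enum kfree_const_outcome kfree_const_sim(const void *p)
{
    if (!p || is_kernel_rodata_sim(p))
        return KC_SKIPPED;          /* kfree(NULL) is a no-op as well */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            free(live[i]);
            live[i] = NULL;
            return KC_FREED_HEAP;
        }
    }
    /* Not a slab object: deliberately do not call free() here. */
    return KC_BAD_FREE;
}

/* The three situations from the thread, each as a callable case. */
static enum kfree_const_outcome case_kernel_literal(void)
{
    return kfree_const_sim(kernel_rodata);
}

static enum kfree_const_outcome case_kstrdup_path(void)
{
    /* acpi_get_subsystem_id() success path: a kstrdup() result */
    char *sub = kstrdup_sim("constructed-subsys-id");
    return kfree_const_sim(sub);
}

static enum kfree_const_outcome case_module_literal(void)
{
    /* error path: subsys = "unknown", a literal in the module's .rodata */
    const char *subsys = module_rodata;
    return kfree_const_sim(subsys);
}

int main(void)
{
    static const char *const names[] = { "skipped", "freed heap", "BAD FREE" };
    printf("kernel literal : %s\n", names[case_kernel_literal()]);
    printf("kstrdup result : %s\n", names[case_kstrdup_path()]);
    printf("module literal : %s\n", names[case_module_literal()]);
    return 0;
}
```

The third case is the one the reproducer patch triggers: the pointer is neither kernel-image .rodata nor a slab object, so the real kfree() has nothing sane to do with it. The practical rule for module code follows from the model: kfree_const() is only safe on a pointer that is NULL, kmalloc'd, or inside the kernel image, which is why a field that may hold either a kstrdup() result or a static name needs explicit ownership tracking rather than a single kfree_const() at teardown.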
