Re: pci: endpoint test BUG

Re: pci: endpoint test BUG

[Randy Dunlap]

On 9/15/19 7:06 PM, Hillf Danton wrote:
> 
> On Sun, 15 Sep 2019 09:34:37 -0700
>>
>> Kernel is 5.3-rc8 on x86_64.
>>
>> Loading and removing the pci-epf-test module causes a BUG.
>>
>>
>> [40928.435755] calling  pci_epf_test_init+0x0/0x1000 [pci_epf_test] @ 12132
>> [40928.436717] initcall pci_epf_test_init+0x0/0x1000 [pci_epf_test] returned 0 after 891 usecs
>> [40936.996081] ==================================================================
>> [40936.996125] BUG: KASAN: use-after-free in pci_epf_remove_cfs+0x1ae/0x1f0
>> [40936.996153] Write of size 8 at addr ffff88810a22a068 by task rmmod/12139
> 
> Fix fb0de5b8dcc6 and ef1433f717a2 if the current group::group_entry
> used by pci epf does not break how configfs uses it.
> 
> --- a/drivers/pci/endpoint/pci-epf-core.c
> +++ b/drivers/pci/endpoint/pci-epf-core.c
> @@ -153,9 +153,11 @@ static void pci_epf_remove_cfs(struct pc
>  		return;
>  
>  	mutex_lock(&pci_epf_mutex);
> -	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
> +	list_for_each_entry_safe(group, tmp, &driver->epf_group,
> +							group_entry) {
> +		list_del_init(&group->group_entry);
>  		pci_ep_cfs_remove_epf_group(group);
> -	list_del(&driver->epf_group);
> +	}
>  	mutex_unlock(&pci_epf_mutex);
>  }
>  
> 

Fixes the problem for me.  Thanks.
Tested-by: Randy Dunlap <rdunlap@infradead.org>

Please make a proper patch.

-- 
~Randy

Re: pci: endpoint test BUG

[Lorenzo Pieralisi]

On Mon, Sep 16, 2019 at 10:06:30AM +0800, Hillf Danton wrote:
> 
> On Sun, 15 Sep 2019 09:34:37 -0700
> > 
> > Kernel is 5.3-rc8 on x86_64.
> > 
> > Loading and removing the pci-epf-test module causes a BUG.
> > 
> > 
> > [40928.435755] calling  pci_epf_test_init+0x0/0x1000 [pci_epf_test] @ 12132
> > [40928.436717] initcall pci_epf_test_init+0x0/0x1000 [pci_epf_test] returned 0 after 891 usecs
> > [40936.996081] ==================================================================
> > [40936.996125] BUG: KASAN: use-after-free in pci_epf_remove_cfs+0x1ae/0x1f0
> > [40936.996153] Write of size 8 at addr ffff88810a22a068 by task rmmod/12139
> 
> Fix fb0de5b8dcc6 and ef1433f717a2 if the current group::group_entry
> used by pci epf does not break how configfs uses it.
> 
> --- a/drivers/pci/endpoint/pci-epf-core.c
> +++ b/drivers/pci/endpoint/pci-epf-core.c
> @@ -153,9 +153,11 @@ static void pci_epf_remove_cfs(struct pc
>  		return;
>  
>  	mutex_lock(&pci_epf_mutex);
> -	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
> +	list_for_each_entry_safe(group, tmp, &driver->epf_group,
> +							group_entry) {
> +		list_del_init(&group->group_entry);
>  		pci_ep_cfs_remove_epf_group(group);
> -	list_del(&driver->epf_group);
> +	}
>  	mutex_unlock(&pci_epf_mutex);
>  }

Thank you Hillf. Kishon, can you confirm that's the proper fix for
this bug please ? I would like to turn this into a patch and merge
it in the upcoming merge window PR so it ought to be fairly quick,
please let me know asap.

Lorenzo

Re: pci: endpoint test BUG

[Kishon Vijay Abraham I]

On 16/09/19 4:52 PM, Lorenzo Pieralisi wrote:
> On Mon, Sep 16, 2019 at 10:06:30AM +0800, Hillf Danton wrote:
>>
>> On Sun, 15 Sep 2019 09:34:37 -0700
>>>
>>> Kernel is 5.3-rc8 on x86_64.
>>>
>>> Loading and removing the pci-epf-test module causes a BUG.
>>>
>>>
>>> [40928.435755] calling  pci_epf_test_init+0x0/0x1000 [pci_epf_test] @ 12132
>>> [40928.436717] initcall pci_epf_test_init+0x0/0x1000 [pci_epf_test] returned 0 after 891 usecs
>>> [40936.996081] ==================================================================
>>> [40936.996125] BUG: KASAN: use-after-free in pci_epf_remove_cfs+0x1ae/0x1f0
>>> [40936.996153] Write of size 8 at addr ffff88810a22a068 by task rmmod/12139
>>
>> Fix fb0de5b8dcc6 and ef1433f717a2 if the current group::group_entry
>> used by pci epf does not break how configfs uses it.
>>
>> --- a/drivers/pci/endpoint/pci-epf-core.c
>> +++ b/drivers/pci/endpoint/pci-epf-core.c
>> @@ -153,9 +153,11 @@ static void pci_epf_remove_cfs(struct pc
>>  		return;
>>  
>>  	mutex_lock(&pci_epf_mutex);
>> -	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
>> +	list_for_each_entry_safe(group, tmp, &driver->epf_group,
>> +							group_entry) {
>> +		list_del_init(&group->group_entry);
>>  		pci_ep_cfs_remove_epf_group(group);
>> -	list_del(&driver->epf_group);
>> +	}
>>  	mutex_unlock(&pci_epf_mutex);
>>  }


Acked-by: Kishon Vijay Abraham I <kishon@ti.com>

> 
> Thank you Hillf. Kishon, can you confirm that's the proper fix for
> this bug please ? I would like to turn this into a patch and merge
> it in the upcoming merge window PR so it ought to be fairly quick,
> please let me know asap.
> 
> Lorenzo
> 

Re: pci: endpoint test BUG

[Lorenzo Pieralisi]

On Tue, Sep 17, 2019 at 11:10:37AM +0530, Kishon Vijay Abraham I wrote:
> 
> On 16/09/19 4:52 PM, Lorenzo Pieralisi wrote:
> > On Mon, Sep 16, 2019 at 10:06:30AM +0800, Hillf Danton wrote:
> >>
> >> On Sun, 15 Sep 2019 09:34:37 -0700
> >>>
> >>> Kernel is 5.3-rc8 on x86_64.
> >>>
> >>> Loading and removing the pci-epf-test module causes a BUG.
> >>>
> >>>
> >>> [40928.435755] calling  pci_epf_test_init+0x0/0x1000 [pci_epf_test] @ 12132
> >>> [40928.436717] initcall pci_epf_test_init+0x0/0x1000 [pci_epf_test] returned 0 after 891 usecs
> >>> [40936.996081] ==================================================================
> >>> [40936.996125] BUG: KASAN: use-after-free in pci_epf_remove_cfs+0x1ae/0x1f0
> >>> [40936.996153] Write of size 8 at addr ffff88810a22a068 by task rmmod/12139
> >>
> >> Fix fb0de5b8dcc6 and ef1433f717a2 if the current group::group_entry
> >> used by pci epf does not break how configfs uses it.
> >>
> >> --- a/drivers/pci/endpoint/pci-epf-core.c
> >> +++ b/drivers/pci/endpoint/pci-epf-core.c
> >> @@ -153,9 +153,11 @@ static void pci_epf_remove_cfs(struct pc
> >>  		return;
> >>  
> >>  	mutex_lock(&pci_epf_mutex);
> >> -	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
> >> +	list_for_each_entry_safe(group, tmp, &driver->epf_group,
> >> +							group_entry) {
> >> +		list_del_init(&group->group_entry);
> >>  		pci_ep_cfs_remove_epf_group(group);
> >> -	list_del(&driver->epf_group);
> >> +	}
> >>  	mutex_unlock(&pci_epf_mutex);
> >>  }
> 
> 
> Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
> 
> > 
> > Thank you Hillf. Kishon, can you confirm that's the proper fix for
> > this bug please ? I would like to turn this into a patch and merge
> > it in the upcoming merge window PR so it ought to be fairly quick,
> > please let me know asap.

Kishon, Hillf, can you turn it into a patch and send it asap please ?

Thanks,
Lorenzo

Re: pci: endpoint test BUG

[Randy Dunlap]

On 9/20/19 5:38 PM, Hillf Danton wrote:
>>Kishon, Hillf, can you turn it into a patch and send it asap please ?
> 
>  
> 
> What was sent a couple of days before,
> 
>  
> 
> To: Bjorn Helgaas <bhelgaas@google.com>
> 
> Cc: linux-pci <linux-pci@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>
> 
> Subject: [PATCH] PCI: endpoint: Fix uaf on unregistering driver
> 
> ...
> 
>  
> 
> Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
> 
> Reported-and-tested-by: Randy Dunlap <rdunlap@infradead.org>
> 
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> 
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> 
> Cc: Kishon Vijay Abraham I <kishon@ti.com>
> 
> Cc: Andrey Konovalov <andreyknvl@google.com>
> 
> Signed-off-by: Hillf Danton <hdanton@sina.com>
> 
> ---
> 
>  
> 
> and it is certain that <lorenzo.pieralisi@arm.com> is on the Cc list.
> 
>  
> 
> It will be resent if no one saw the message.

I didn't see it and I can't find it on lore.kernel.org/linux-pci/.

-- 
~Randy

Re: pci: endpoint test BUG

[Randy Dunlap]

On 9/20/19 7:04 PM, Hillf Danton wrote:
>> 
> 
>>> It will be resent if no one saw the message.
> 
>> 
> 
>> I didn't see it and I can't find it on lore.kernel.org/linux-pci/.
> 
>> 
> 
> Respin, git send-email works/jj/pci-epf-uaf.txt
> 
> ...
> 
> From: Hillf Danton <hdanton@sina.com>
> 
> To: Bjorn Helgaas <bhelgaas@google.com>
> 
> Cc: linux-pci <linux-pci@vger.kernel.org>,
> 
>         LKML <linux-kernel@vger.kernel.org>,
> 
>         Randy Dunlap <rdunlap@infradead.org>,
> 
>         Al Viro <viro@zeniv.linux.org.uk>,
> 
>         Dan Carpenter <dan.carpenter@oracle.com>,
> 
>         Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>,
> 
>         Kishon Vijay Abraham I <kishon@ti.com>,
> 
>         Andrey Konovalov <andreyknvl@google.com>,
> 
>         Hillf Danton <hdanton@sina.com>
> 
> Subject: [PATCH] PCI: endpoint: Fix uaf on unregistering driver
> 
> Date: Sat, 21 Sep 2019 09:58:28 +0800
> 
> Message-Id: <20190921015828.15644-1-hdanton@sina.com>
> 
> MIME-Version: 1.0
> 
> Content-Transfer-Encoding: 8bit
> 
>  
> 
> Result: 250
> 
>  
> 
> And let me know you see it.

No, not seeing the patch in my Inbox nor on lore.kernel.org.

It's a mystery to me.

-- 
~Randy

Re: pci: endpoint test BUG

[Lorenzo Pieralisi]

On Sat, Sep 21, 2019 at 10:04:55AM +0800, Hillf Danton wrote:
> >
> 
> >> It will be resent if no one saw the message.
> 
> > 
> 
> > I didn't see it and I can't find it on lore.kernel.org/linux-pci/.
> 
> > 
> 
> Respin, git send-email works/jj/pci-epf-uaf.txt
> 
> ...
> 
> From: Hillf Danton <hdanton@sina.com>
> 
> To: Bjorn Helgaas <bhelgaas@google.com>
> 
> Cc: linux-pci <linux-pci@vger.kernel.org>,
> 
>         LKML <linux-kernel@vger.kernel.org>,
> 
>         Randy Dunlap <rdunlap@infradead.org>,
> 
>         Al Viro <viro@zeniv.linux.org.uk>,
> 
>         Dan Carpenter <dan.carpenter@oracle.com>,
> 
>         Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>,
> 
>         Kishon Vijay Abraham I <kishon@ti.com>,
> 
>         Andrey Konovalov <andreyknvl@google.com>,
> 
>         Hillf Danton <hdanton@sina.com>
> 
> Subject: [PATCH] PCI: endpoint: Fix uaf on unregistering driver
> 
> Date: Sat, 21 Sep 2019 09:58:28 +0800
> 
> Message-Id: <20190921015828.15644-1-hdanton@sina.com>
> 
> MIME-Version: 1.0
> 
> Content-Transfer-Encoding: 8bit
> 
>  
> 
> Result: 250
> 
>  
> 
> And let me know you see it.

I do not think any of your messages hit the vger mailing lists, avoid
html.

I have not received any patch and they are not in the mailing list
archives either.

Please check your email/SMTP set-up. I do not apply patches that
are not on linux-pci@vger, worst case you can attach the patch to your
reply and I can send it on your behalf but we must do this quickly.

Lorenzo

> Thanks
> 
> Hillf
> 

Re: pci: endpoint test BUG

[Randy Dunlap]

On 9/15/19 9:39 AM, Al Viro wrote:
> On Sun, Sep 15, 2019 at 09:34:37AM -0700, Randy Dunlap wrote:
>> Kernel is 5.3-rc8 on x86_64.
>>
>> Loading and removing the pci-epf-test module causes a BUG.
> 
> Ugh...  Could you try to reproduce it on earlier kernels?
> 

Sure... will get back to you.

-- 
~Randy

Re: pci: endpoint test BUG

[Al Viro]

On Sun, Sep 15, 2019 at 09:34:37AM -0700, Randy Dunlap wrote:
> Kernel is 5.3-rc8 on x86_64.
> 
> Loading and removing the pci-epf-test module causes a BUG.

Ugh...  Could you try to reproduce it on earlier kernels?

pci: endpoint test BUG

[Randy Dunlap]

Kernel is 5.3-rc8 on x86_64.

Loading and removing the pci-epf-test module causes a BUG.


[40928.435755] calling  pci_epf_test_init+0x0/0x1000 [pci_epf_test] @ 12132
[40928.436717] initcall pci_epf_test_init+0x0/0x1000 [pci_epf_test] returned 0 after 891 usecs
[40936.996081] ==================================================================
[40936.996125] BUG: KASAN: use-after-free in pci_epf_remove_cfs+0x1ae/0x1f0
[40936.996153] Write of size 8 at addr ffff88810a22a068 by task rmmod/12139

[40936.996193] CPU: 2 PID: 12139 Comm: rmmod Not tainted 5.3.0-rc8 #3
[40936.996217] Hardware name: TOSHIBA PORTEGE R835/Portable PC, BIOS Version 4.10   01/08/2013
[40936.996247] Call Trace:
[40936.996265]  dump_stack+0x7b/0xb5
[40936.996288]  print_address_description+0x6e/0x470
[40936.996316]  __kasan_report+0x11a/0x198
[40936.996337]  ? pci_epf_remove_cfs+0x1ae/0x1f0
[40936.996362]  ? pci_epf_remove_cfs+0x1ae/0x1f0
[40936.996384]  kasan_report+0x12/0x20
[40936.996404]  __asan_report_store8_noabort+0x17/0x20
[40936.996427]  pci_epf_remove_cfs+0x1ae/0x1f0
[40936.996452]  pci_epf_unregister_driver+0xd/0x20
[40936.996476]  pci_epf_test_exit+0x10/0x19 [pci_epf_test]
[40936.996500]  __x64_sys_delete_module+0x329/0x490
[40936.996523]  ? __ia32_sys_delete_module+0x490/0x490
[40936.996549]  ? _raw_spin_unlock_irq+0x22/0x40
[40936.996582]  do_syscall_64+0xaa/0x380
[40936.996601]  ? prepare_exit_to_usermode+0xad/0x1b0
[40936.996625]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[40936.996648] RIP: 0033:0x7fb84c88d187
[40936.996667] Code: 73 01 c3 48 8b 0d 11 ad 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 ac 2b 00 f7 d8 64 89 01 48
[40936.996724] RSP: 002b:00007ffc1c5c7b38 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[40936.996753] RAX: ffffffffffffffda RBX: 00007ffc1c5c7b98 RCX: 00007fb84c88d187
[40936.996780] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000556838f1c7d8
[40936.996806] RBP: 0000556838f1c770 R08: 00007ffc1c5c6ab1 R09: 0000000000000000
[40936.996833] R10: 00007fb84c8fc5e0 R11: 0000000000000206 R12: 00007ffc1c5c7d60
[40936.996859] R13: 00007ffc1c5c975c R14: 0000556838f1c260 R15: 0000556838f1c770

[40936.996910] Allocated by task 12132:
[40936.996929]  save_stack+0x21/0x90
[40936.996947]  __kasan_kmalloc.constprop.8+0xa7/0xd0
[40936.996968]  kasan_kmalloc+0x9/0x10
[40936.996988]  configfs_register_default_group+0x63/0xe0
[40936.997010]  pci_ep_cfs_add_epf_group+0x20/0x50
[40936.997031]  __pci_epf_register_driver+0x2b2/0x410
[40936.997052]  0xffffffffc1c9004a
[40936.997070]  do_one_initcall+0xab/0x2d5
[40936.997089]  do_init_module+0x1c7/0x582
[40936.997107]  load_module+0x4efa/0x5f30
[40936.997126]  __do_sys_finit_module+0x12a/0x1b0
[40936.997146]  __x64_sys_finit_module+0x6e/0xb0
[40936.997166]  do_syscall_64+0xaa/0x380
[40936.997185]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[40936.997218] Freed by task 12139:
[40936.997235]  save_stack+0x21/0x90
[40936.997253]  __kasan_slab_free+0x137/0x190
[40936.997281]  kasan_slab_free+0xe/0x10
[40936.997301]  kfree+0xb8/0x210
[40936.997320]  configfs_unregister_default_group+0x15/0x20
[40936.997344]  pci_ep_cfs_remove_epf_group+0x17/0x20
[40936.997367]  pci_epf_remove_cfs+0x8e/0x1f0
[40936.997389]  pci_epf_unregister_driver+0xd/0x20
[40936.997419]  pci_epf_test_exit+0x10/0x19 [pci_epf_test]
[40936.997441]  __x64_sys_delete_module+0x329/0x490
[40936.997462]  do_syscall_64+0xaa/0x380
[40936.997480]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[40936.997513] The buggy address belongs to the object at ffff88810a229fe8
                which belongs to the cache kmalloc-192 of size 192
[40936.997557] The buggy address is located 128 bytes inside of
                192-byte region [ffff88810a229fe8, ffff88810a22a0a8)
[40936.997597] The buggy address belongs to the page:
[40936.997619] page:ffffea0004288a00 refcount:1 mapcount:0 mapping:ffff888107c10f40 index:0x0 compound_mapcount: 0
[40936.997655] flags: 0x17ffc000010200(slab|head)
[40936.997677] raw: 0017ffc000010200 ffffea0004992e08 ffff888107c036b0 ffff888107c10f40
[40936.997706] raw: 0000000000000000 00000000001e001e 00000001ffffffff 0000000000000000
[40936.997734] page dumped because: kasan: bad access detected

[40936.997767] Memory state around the buggy address:
[40936.997789]  ffff88810a229f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[40936.997816]  ffff88810a229f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
[40936.997843] >ffff88810a22a000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[40936.997869]                                                           ^
[40936.997895]  ffff88810a22a080: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[40936.997922]  ffff88810a22a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[40936.997948] ==================================================================


-- 
~Randy