From patchwork Tue Oct 15 10:48:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xinqi Zhang X-Patchwork-Id: 13836159 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C641FCFC287 for ; Tue, 15 Oct 2024 10:50:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:CC:To:Message-ID: Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=7/7R27TdpyywjeZI4CpLKAXus/59McKW1JXTs9g8F+E=; b=XTBWly7FfbM7YprwJ4VBe4VtQs GuxW0I9hmg01KAU24v/ydffs4rGNPlKoTVlofWuYC5SYk8pZKMd3IELG6sXThfc4g/NTh2AH67I3k xmUnp87M1uJcL4GX/njxpsd9DmNGJx6ALzXBycLLhpyY1++lpKhrddhNPxeB1VHjxSF0CqHTybxRb viKEeh3R+Fe4WP7fgOHRNeN05fbQOucLag8LOIFkeMwJXgtW2bDpFMrA+RSDU43ccz0J5FwP/+62+ 7Ta+20yu9BQysgdHd7ZBu0vL7esolS2zyqMgd8Dv/UHIk7ig9rks4121lPdoZ2QJ8R4lF5ddM7E/P ETeQYmQA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1t0f8G-00000007uBD-25s1; Tue, 15 Oct 2024 10:50:28 +0000 Received: from mx0b-0031df01.pphosted.com ([205.220.180.131]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1t0f6p-00000007txy-3wVm for linux-arm-kernel@lists.infradead.org; Tue, 15 Oct 2024 10:49:01 +0000 Received: from pps.filterd (m0279870.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 49F9G9kv019996; Tue, 15 Oct 2024 10:48:54 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= cc:content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=qcppdkim1; bh=7/7R27TdpyywjeZI4CpLKA Xus/59McKW1JXTs9g8F+E=; b=KEzfBTxGsPqczgBO1XQyckTH4JZR0zT7kIvnsw L9nE291IMsPCxTqqVYbDzYFOE7LCRThDVsfnw29NRTgYUDWbJkhMATSmsqiRhBW/ 69xC7lIrE/RMNOMO7QL22WHzxupHaTIK5qUHpU2z5y/GBoXlbqv14GaZz4ffaLGL 4FNFCWhkbHe05AFSAuypA4XRVkD3WSoNJZmqu7xx+94Hs/2tJv9BHqWnQifoDKlw vgLMfFtxHbnxe5PR+QzLOJR1r8vTTbHNogvMKvAcWtnIz/BwwnInHygGyU/RMgSX af5ewMLuZb7O+BFwqHZ/tLgqR71Kg07ite62uTebM/KUca/A== Received: from nalasppmta01.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 429nm3g7cp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 15 Oct 2024 10:48:54 +0000 (GMT) Received: from nalasex01c.na.qualcomm.com (nalasex01c.na.qualcomm.com [10.47.97.35]) by NALASPPMTA01.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTPS id 49FAmrkD002559 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 15 Oct 2024 10:48:53 GMT Received: from xinqzhan-gv.ap.qualcomm.com (10.80.80.8) by nalasex01c.na.qualcomm.com (10.47.97.35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.9; Tue, 15 Oct 2024 03:48:51 -0700 From: Xinqi Zhang Date: Tue, 15 Oct 2024 18:48:25 +0800 Subject: [PATCH] firmware: arm_scmi: fix slab-use-after-free in scmi_bus_notifier MIME-Version: 1.0 Message-ID: <20241015-fix-arm-scmi-slab-use-after-free-v1-1-b006eba9c8df@quicinc.com> X-B4-Tracking: v=1; b=H4sIAHhIDmcC/x2NSwrCQBAFrxJ67YOZfPBzFXExGd9og4nSHUUIu buDy1pU1SpOU7qcmlWMH3V9zhXirpF8T/ON0GtlaUPbxxAHFP0i2QTPk8IfacTbiVQWGoqR2Pf shsPY5WPIUjMvY3X+i/Nl235PlO7UcgAAAA== X-Change-ID: 20241015-fix-arm-scmi-slab-use-after-free-74e358b3c90c To: Sudeep Holla , Cristian Marussi CC: , , , , "Xinqi Zhang" X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1728989331; l=4437; i=quic_xinqzhan@quicinc.com; s=20241015; h=from:subject:message-id; bh=h7NDHpBdYdU643tF3YorSGPzxxfZAdS1qbY5EL6UD6c=; b=4c0hZqxYb27wVvv9WZRJlosG7GOGsTdciDeNGvEnkHL9S/QLHWbqYfUtHCWQvGf2JCPVQdOXg Y/QZYtoVt0VCG0CUNpPcqEMgOv//DcojoyvYTnh2GP7MWIlLQ2zLVbv X-Developer-Key: i=quic_xinqzhan@quicinc.com; a=ed25519; pk=e+mEOolV1It3rv+K/zKK83GBcQFoVe2iQO+mmOoesHg= X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01b.na.qualcomm.com (10.46.141.250) To nalasex01c.na.qualcomm.com (10.47.97.35) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: 46_0Gx9cYIxIfW4Fp_JiqI-HFqGsXtRP X-Proofpoint-ORIG-GUID: 46_0Gx9cYIxIfW4Fp_JiqI-HFqGsXtRP X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-06_09,2024-09-06_01,2024-09-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 clxscore=1011 lowpriorityscore=0 malwarescore=0 adultscore=0 phishscore=0 priorityscore=1501 mlxscore=0 spamscore=0 suspectscore=0 bulkscore=0 mlxlogscore=889 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2409260000 definitions=main-2410150073 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20241015_034900_133454_AE022FE7 X-CRM114-Status: GOOD ( 10.78 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Move release of scmi_dev->name into scmi_device_release to avoid slab-use-after-free. ================================================================== BUG: KASAN: slab-use-after-free in strncmp+0xe4/0xec Read of size 1 at addr ffffff80a482bcc0 by task swapper/0/1 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.6.38-debug #1 Hardware name: Qualcomm Technologies, Inc. SA8775P Ride (DT) Call trace: dump_backtrace+0x94/0x114 show_stack+0x18/0x24 dump_stack_lvl+0x48/0x60 print_report+0xf4/0x5b0 kasan_report+0xa4/0xec __asan_report_load1_noabort+0x20/0x2c strncmp+0xe4/0xec scmi_bus_notifier+0x5c/0x54c notifier_call_chain+0xb4/0x31c blocking_notifier_call_chain+0x68/0x9c bus_notify+0x54/0x78 device_del+0x1bc/0x840 device_unregister+0x20/0xb4 __scmi_device_destroy+0xac/0x280 scmi_device_destroy+0x94/0xd0 scmi_chan_setup+0x524/0x750 scmi_probe+0x7fc/0x1508 platform_probe+0xc4/0x19c really_probe+0x32c/0x99c __driver_probe_device+0x15c/0x3c4 driver_probe_device+0x5c/0x170 __driver_attach+0x1c8/0x440 bus_for_each_dev+0xf4/0x178 driver_attach+0x3c/0x58 bus_add_driver+0x234/0x4d4 driver_register+0xf4/0x3c0 __platform_driver_register+0x60/0x88 scmi_driver_init+0xb0/0x104 do_one_initcall+0xb4/0x664 kernel_init_freeable+0x3c8/0x894 kernel_init+0x24/0x1e8 ret_from_fork+0x10/0x20 Allocated by task 1: kasan_save_stack+0x2c/0x54 kasan_set_track+0x2c/0x40 kasan_save_alloc_info+0x24/0x34 __kasan_kmalloc+0xa0/0xb8 __kmalloc_node_track_caller+0x6c/0x104 kstrdup+0x48/0x84 kstrdup_const+0x34/0x40 __scmi_device_create.part.0+0x8c/0x408 scmi_device_create+0x104/0x370 scmi_chan_setup+0x2a0/0x750 scmi_probe+0x7fc/0x1508 platform_probe+0xc4/0x19c really_probe+0x32c/0x99c __driver_probe_device+0x15c/0x3c4 driver_probe_device+0x5c/0x170 __driver_attach+0x1c8/0x440 bus_for_each_dev+0xf4/0x178 driver_attach+0x3c/0x58 bus_add_driver+0x234/0x4d4 driver_register+0xf4/0x3c0 __platform_driver_register+0x60/0x88 scmi_driver_init+0xb0/0x104 do_one_initcall+0xb4/0x664 kernel_init_freeable+0x3c8/0x894 kernel_init+0x24/0x1e8 ret_from_fork+0x10/0x20 Freed by task 1: kasan_save_stack+0x2c/0x54 kasan_set_track+0x2c/0x40 kasan_save_free_info+0x38/0x5c __kasan_slab_free+0xe8/0x164 __kmem_cache_free+0x11c/0x230 kfree+0x70/0x130 kfree_const+0x20/0x40 __scmi_device_destroy+0x70/0x280 scmi_device_destroy+0x94/0xd0 scmi_chan_setup+0x524/0x750 scmi_probe+0x7fc/0x1508 platform_probe+0xc4/0x19c really_probe+0x32c/0x99c __driver_probe_device+0x15c/0x3c4 driver_probe_device+0x5c/0x170 __driver_attach+0x1c8/0x440 bus_for_each_dev+0xf4/0x178 driver_attach+0x3c/0x58 bus_add_driver+0x234/0x4d4 driver_register+0xf4/0x3c0 __platform_driver_register+0x60/0x88 scmi_driver_init+0xb0/0x104 do_one_initcall+0xb4/0x664 kernel_init_freeable+0x3c8/0x894 kernel_init+0x24/0x1e8 ret_from_fork+0x10/0x20 Signed-off-by: Xinqi Zhang --- drivers/firmware/arm_scmi/bus.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- base-commit: eca631b8fe808748d7585059c4307005ca5c5820 change-id: 20241015-fix-arm-scmi-slab-use-after-free-74e358b3c90c Best regards, diff --git a/drivers/firmware/arm_scmi/bus.c b/drivers/firmware/arm_scmi/bus.c index 96b2e5f9a8ef0386525f9d91d2925e7e6d48ac28..157172a5f2b577ce4f04425f967f548230c1ebed 100644 --- a/drivers/firmware/arm_scmi/bus.c +++ b/drivers/firmware/arm_scmi/bus.c @@ -325,7 +325,10 @@ EXPORT_SYMBOL_GPL(scmi_driver_unregister); static void scmi_device_release(struct device *dev) { - kfree(to_scmi_dev(dev)); + struct scmi_device *scmi_dev = to_scmi_dev(dev); + + kfree_const(scmi_dev->name); + kfree(scmi_dev); } static void __scmi_device_destroy(struct scmi_device *scmi_dev) @@ -338,7 +341,6 @@ static void __scmi_device_destroy(struct scmi_device *scmi_dev) if (scmi_dev->protocol_id == SCMI_PROTOCOL_SYSTEM) atomic_set(&scmi_syspower_registered, 0); - kfree_const(scmi_dev->name); ida_free(&scmi_bus_id, scmi_dev->id); device_unregister(&scmi_dev->dev); } @@ -410,7 +412,6 @@ __scmi_device_create(struct device_node *np, struct device *parent, return scmi_dev; put_dev: - kfree_const(scmi_dev->name); put_device(&scmi_dev->dev); ida_free(&scmi_bus_id, id); return NULL;