Bug 217992
| Summary: | ubi: gluebi: NULL pointer dereference in gluebi_read() | | |
|---|---|---|---|
| Product: | Drivers | Reporter: | wangzhaolong1 |
| Component: | Flash/Memory Technology Devices | Assignee: | David Woodhouse (dwmw2) |
| Status: | RESOLVED CODE_FIX | | |
| Severity: | normal | CC: | bagasdotme |
| Priority: | P3 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Description
wangzhaolong1
2023-10-10 14:01:57 UTC
The udev mtd_probe tool is needed: https://github.com/lu-zero/udev/blob/master/src/mtd_probe/mtd_probe.c

### slab-use-after-free

~~~
ID="0x20,0xa5,0x00,0x15" # 2GB 128KB PEB, 2KB page
modprobe nandsim id_bytes=$ID
modprobe ubi
ubiattach -m 1 -O 4096
ubimkvol -N vol_a -m -n 0 /dev/ubi0
modprobe gluebi
/usr/lib/udev/mtd_probe /dev/mtd2
modprobe ftl
~~~

~~~
[  129.238091] ==================================================================
[  129.238855] BUG: KASAN: slab-use-after-free in ubi_leb_read+0x2d/0x110 [ubi]
[  129.239604] Read of size 8 at addr ffff88811b7383c0 by task modprobe/1423
[  129.240292]
[  129.240473] CPU: 4 PID: 1423 Comm: modprobe Not tainted 6.6.0-rc5-dirty #162
[  129.241177] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[  129.242487] Call Trace:
[  129.242740]  <TASK>
[  129.242962]  dump_stack_lvl+0x37/0x50
[  129.243343]  print_address_description.constprop.0+0x2c/0x3e0
[  129.243938]  ? ubi_leb_read+0x2d/0x110 [ubi]
[  129.244404]  print_report+0xb4/0x270
[  129.244774]  ? kasan_addr_to_slab+0xd/0xa0
[  129.245190]  kasan_report+0xb0/0xe0
[  129.245559]  ? ubi_leb_read+0x2d/0x110 [ubi]
[  129.246035]  ubi_leb_read+0x2d/0x110 [ubi]
[  129.246504]  gluebi_read+0xb4/0x100 [gluebi]
[  129.246947]  mtd_read_oob+0x110/0x270 [mtd]
[  129.247402]  mtd_read+0x9c/0xf0 [mtd]
[  129.247810]  ? __pfx_mtd_read+0x10/0x10 [mtd]
[  129.248265]  ? build_maps+0x9e1/0xa20 [ftl]
[  129.248690]  ? kasan_set_track+0x25/0x30
[  129.249076]  ftl_add_mtd+0x157/0x390 [ftl]
[  129.249495]  ? __pfx_ftl_add_mtd+0x10/0x10 [ftl]
[  129.249964]  ? idr_get_next+0x95/0xe0
[  129.250331]  ? __pfx_idr_get_next+0x10/0x10
[  129.250747]  ? __mtd_next_device+0x6e/0xa0 [mtd]
[  129.251240]  ? __pfx___mtd_next_device+0x10/0x10 [mtd]
[  129.251777]  register_mtd_blktrans+0x118/0x1b0 [mtd_blkdevs]
[  129.252341]  ? __pfx_ftl_tr_init+0x10/0x10 [ftl]
[  129.252808]  do_one_initcall+0x8d/0x2c0
[  129.253190]  ? __pfx_do_one_initcall+0x10/0x10
[  129.253631]  ? kasan_unpoison+0x27/0x60
[  129.254006]  ? __kasan_slab_alloc+0x30/0x70
[  129.254419]  ? __kmem_cache_alloc_node+0x10b/0x230
[  129.254897]  ? do_init_module+0x30/0x3a0
[  129.255303]  ? kasan_unpoison+0x27/0x60
[  129.255695]  do_init_module+0x13a/0x3a0
[  129.256085]  load_module+0x183b/0x1b40
[  129.256473]  ? __pfx_load_module+0x10/0x10
[  129.256896]  ? selinux_file_permission+0x1c2/0x1f0
[  129.257371]  ? security_file_permission+0xf5/0x2d0
[  129.257846]  ? kernel_read_file+0x3d1/0x410
[  129.258264]  ? kernel_read_file+0x1ac/0x410
[  129.258688]  ? __pfx_kernel_read_file+0x10/0x10
[  129.259141]  ? init_module_from_file+0xd2/0x130
[  129.259606]  init_module_from_file+0xd2/0x130
[  129.260046]  ? __pfx_init_module_from_file+0x10/0x10
[  129.260548]  ? __pfx__raw_spin_lock+0x10/0x10
[  129.260986]  ? __pfx_cred_has_capability+0x10/0x10
[  129.261479]  idempotent_init_module+0x265/0x380
[  129.261933]  ? __pfx_idempotent_init_module+0x10/0x10
[  129.262447]  ? __fget_light+0xae/0x1e0
[  129.262829]  __x64_sys_finit_module+0x7b/0xb0
[  129.263318]  do_syscall_64+0x3f/0x90
[  129.263692]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  129.264196] RIP: 0033:0x7f65bfd5d4e9
[  129.264560] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6f 8
[  129.266381] RSP: 002b:00007ffd07f40a98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[  129.267154] RAX: ffffffffffffffda RBX: 000056348f781490 RCX: 00007f65bfd5d4e9
[  129.267860] RDX: 0000000000000000 RSI: 000056348ee1bc26 RDI: 0000000000000004
[  129.268569] RBP: 000056348ee1bc26 R08: 0000000000000000 R09: 0000000000000000
[  129.269270] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[  129.269978] R13: 000056348f781450 R14: 0000000000040000 R15: 000056348f781490
[  129.270688]  </TASK>
[  129.270917]
[  129.271099] Allocated by task 1422:
[  129.271462]  kasan_save_stack+0x22/0x50
[  129.271847]  kasan_set_track+0x25/0x30
[  129.272222]  __kasan_kmalloc+0x7f/0x90
[  129.272603]  ubi_open_volume+0x9c/0x390 [ubi]
[  129.273068]  gluebi_get_device+0x86/0x130 [gluebi]
[  129.273562]  __get_mtd_device+0x84/0x1f0 [mtd]
[  129.274024]  get_mtd_device+0xf0/0x150 [mtd]
[  129.274481]  mtdchar_open+0x54/0x120 [mtd]
[  129.274909]  chrdev_open+0x165/0x300
[  129.275287]  do_dentry_open+0x2c3/0x910
[  129.275677]  do_open.isra.0+0x3f4/0x6b0
[  129.276066]  path_openat+0x24a/0x1140
[  129.276435]  do_filp_open+0x160/0x200
[  129.276802]  do_sys_openat2+0x301/0x350
[  129.277189]  do_sys_open+0x8e/0xf0
[  129.277545]  do_syscall_64+0x3f/0x90
[  129.277906]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  129.278420]
[  129.278584] Freed by task 1422:
[  129.278900]  kasan_save_stack+0x22/0x50
[  129.279296]  kasan_set_track+0x25/0x30
[  129.279686]  kasan_save_free_info+0x2b/0x50
[  129.280114]  __kasan_slab_free+0x10e/0x190
[  129.280522]  __kmem_cache_free+0x86/0x1c0
[  129.280921]  ubi_close_volume+0x9c/0x110 [ubi]
[  129.281387]  gluebi_put_device+0x53/0x60 [gluebi]
[  129.281869]  put_mtd_device+0x21/0x30 [mtd]
[  129.282315]  mtdchar_close+0x8d/0xc0 [mtd]
[  129.282756]  __fput+0x1e2/0x450
[  129.283089]  task_work_run+0xfd/0x170
[  129.283458]  do_exit+0x536/0x1300
[  129.283801]  do_group_exit+0x5c/0xf0
[  129.284163]  __x64_sys_exit_group+0x2c/0x30
[  129.284584]  do_syscall_64+0x3f/0x90
[  129.284950]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  129.285451]
[  129.285612] The buggy address belongs to the object at ffff88811b7383c0
[  129.285612]  which belongs to the cache kmalloc-16 of size 16
[  129.286794] The buggy address is located 0 bytes inside of
[  129.286794]  freed 16-byte region [ffff88811b7383c0, ffff88811b7383d0)
[  129.287961]
[  129.288120] The buggy address belongs to the physical page:
[  129.288658] page:00000000ea0a1fa9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11b738
[  129.289583] flags: 0x200000000000800(slab|node=0|zone=2)
[  129.290108] page_type: 0xffffffff()
[  129.290468] raw: 0200000000000800 ffff8881000423c0 dead000000000122 0000000000000000
[  129.291237] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[  129.291990] page dumped because: kasan: bad access detected
[  129.292550]
[  129.292714] Memory state around the buggy address:
[  129.293194]  ffff88811b738280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[  129.293904]  ffff88811b738300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[  129.296559] >ffff88811b738380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[  129.297278]                                            ^
[  129.297820]  ffff88811b738400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  129.298562]  ffff88811b738480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  129.299293] ==================================================================
[  129.300315] Disabling lock debugging due to kernel taint
[  129.300870] BUG: kernel NULL pointer dereference, address: 0000000000000784
[  129.301565] #PF: supervisor read access in kernel mode
[  129.302074] #PF: error_code(0x0000) - not-present page
[  129.302589] PGD 0 P4D 0
[  129.302864] Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[  129.303354] CPU: 4 PID: 1423 Comm: modprobe Tainted: G B 6.6.0-rc5-dirty #162
[  129.304200] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[  129.305515] RIP: 0010:leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[  129.306176] Code: 00 00 4c 8b bb 40 03 00 00 e8 d7 20 b3 c9 44 8b b3 48 03 00 00 45 85 f6 0f 88 b7 00 00 00 49 8d bf 84 07 00 00 e8 bb 20 b3 c9 <45> 3b b7 84 07 00 00 0f 8d 9e 00 00 00 0
[  129.308025] RSP: 0018:ffff88810425f608 EFLAGS: 00010292
[  129.308549] RAX: 0000000000000000 RBX: ffff88811b7383e0 RCX: ffffffffc04a2fc5
[  129.309250] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000784
[  129.309955] RBP: 0000000000000044 R08: ffffffffc04a2fc5 R09: fffffbfff1aecfd1
[  129.310667] R10: fffffbfff1aecfd0 R11: ffffffff8d767e87 R12: 0000000000000000
[  129.311383] R13: 0000000000000000 R14: 000000001b738740 R15: 0000000000000000
[  129.312097] FS:  00007f65c0889040(0000) GS:ffff8881f7600000(0000) knlGS:0000000000000000
[  129.312892] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  129.313464] CR2: 0000000000000784 CR3: 000000010add0000 CR4: 00000000000006e0
[  129.314227] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  129.314940] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  129.315676] Call Trace:
[  129.315924]  <TASK>
[  129.316147]  ? __die_body+0x1f/0x70
[  129.316505]  ? page_fault_oops+0x1f2/0x500
[  129.316912]  ? __pfx_is_prefetch.isra.0+0x10/0x10
[  129.317375]  ? __pfx_page_fault_oops+0x10/0x10
[  129.317825]  ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[  129.318406]  ? search_module_extables+0x30/0x80
[  129.318857]  ? fixup_exception+0x3b/0x4a0
[  129.319277]  ? exc_page_fault+0x59/0xa0
[  129.319660]  ? asm_exc_page_fault+0x26/0x30
[  129.320071]  ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[  129.320664]  ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[  129.321254]  ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[  129.321840]  ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[  129.322411]  ubi_leb_read+0x3f/0x110 [ubi]
[  129.322867]  gluebi_read+0xb4/0x100 [gluebi]
[  129.323330]  mtd_read_oob+0x110/0x270 [mtd]
[  129.323772]  mtd_read+0x9c/0xf0 [mtd]
[  129.324161]  ? __pfx_mtd_read+0x10/0x10 [mtd]
[  129.324626]  ? build_maps+0x9e1/0xa20 [ftl]
[  129.325060]  ? kasan_set_track+0x25/0x30
[  129.325455]  ftl_add_mtd+0x157/0x390 [ftl]
[  129.325878]  ? __pfx_ftl_add_mtd+0x10/0x10 [ftl]
[  129.326342]  ? idr_get_next+0x95/0xe0
[  129.326709]  ? __pfx_idr_get_next+0x10/0x10
[  129.327140]  ? __mtd_next_device+0x6e/0xa0 [mtd]
[  129.327636]  ? __pfx___mtd_next_device+0x10/0x10 [mtd]
[  129.328172]  register_mtd_blktrans+0x118/0x1b0 [mtd_blkdevs]
[  129.328746]  ? __pfx_ftl_tr_init+0x10/0x10 [ftl]
[  129.329229]  do_one_initcall+0x8d/0x2c0
[  129.329616]  ? __pfx_do_one_initcall+0x10/0x10
[  129.330059]  ? kasan_unpoison+0x27/0x60
[  129.330458]  ? __kasan_slab_alloc+0x30/0x70
[  129.330877]  ? __kmem_cache_alloc_node+0x10b/0x230
[  129.331366]  ? do_init_module+0x30/0x3a0
[  129.331766]  ? kasan_unpoison+0x27/0x60
[  129.332152]  do_init_module+0x13a/0x3a0
[  129.332548]  load_module+0x183b/0x1b40
[  129.332929]  ? __pfx_load_module+0x10/0x10
[  129.333343]  ? selinux_file_permission+0x1c2/0x1f0
[  129.333823]  ? security_file_permission+0xf5/0x2d0
[  129.334291]  ? kernel_read_file+0x3d1/0x410
[  129.334706]  ? kernel_read_file+0x1ac/0x410
[  129.335132]  ? __pfx_kernel_read_file+0x10/0x10
[  129.335587]  ? init_module_from_file+0xd2/0x130
[  129.336033]  init_module_from_file+0xd2/0x130
[  129.336471]  ? __pfx_init_module_from_file+0x10/0x10
[  129.336963]  ? __pfx__raw_spin_lock+0x10/0x10
[  129.337396]  ? __pfx_cred_has_capability+0x10/0x10
[  129.337880]  idempotent_init_module+0x265/0x380
[  129.338327]  ? __pfx_idempotent_init_module+0x10/0x10
[  129.338833]  ? __fget_light+0xae/0x1e0
[  129.339227]  __x64_sys_finit_module+0x7b/0xb0
[  129.339664]  do_syscall_64+0x3f/0x90
[  129.340032]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  129.340532] RIP: 0033:0x7f65bfd5d4e9
[  129.340891] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6f 8
[  129.342685] RSP: 002b:00007ffd07f40a98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[  129.343441] RAX: ffffffffffffffda RBX: 000056348f781490 RCX: 00007f65bfd5d4e9
[  129.344137] RDX: 0000000000000000 RSI: 000056348ee1bc26 RDI: 0000000000000004
[  129.344843] RBP: 000056348ee1bc26 R08: 0000000000000000 R09: 0000000000000000
[  129.345540] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[  129.346244] R13: 000056348f781450 R14: 0000000000040000 R15: 000056348f781490
[  129.346949]  </TASK>
[  129.347185] Modules linked in: ftl(+) mtd_blkdevs gluebi ubi nandsim nand nandcore mtd iptable_nat
[  129.348087] CR2: 0000000000000784
[  129.348468] ---[ end trace 0000000000000000 ]---
[  129.348935] RIP: 0010:leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[  129.349694] Code: 00 00 4c 8b bb 40 03 00 00 e8 d7 20 b3 c9 44 8b b3 48 03 00 00 45 85 f6 0f 88 b7 00 00 00 49 8d bf 84 07 00 00 e8 bb 20 b3 c9 <45> 3b b7 84 07 00 00 0f 8d 9e 00 00 00 0
[  129.351616] RSP: 0018:ffff88810425f608 EFLAGS: 00010292
[  129.352257] RAX: 0000000000000000 RBX: ffff88811b7383e0 RCX: ffffffffc04a2fc5
[  129.352963] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000784
[  129.353698] RBP: 0000000000000044 R08: ffffffffc04a2fc5 R09: fffffbfff1aecfd1
[  129.354394] R10: fffffbfff1aecfd0 R11: ffffffff8d767e87 R12: 0000000000000000
[  129.355093] R13: 0000000000000000 R14: 000000001b738740 R15: 0000000000000000
[  129.355797] FS:  00007f65c0889040(0000) GS:ffff8881f7600000(0000) knlGS:0000000000000000
[  129.356605] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  129.357176] CR2: 0000000000000784 CR3: 000000010add0000 CR4: 00000000000006e0
[  129.357880] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  129.358587] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
~~~

### page fault

~~~
ID="0x20,0xa5,0x00,0x15" # 2GB 128KB PEB, 2KB page
modprobe nandsim id_bytes=$ID
modprobe ubi
ubiattach -m 1 -O 4096
ubimkvol -N vol_a -m -n 0 /dev/ubi0
mount -t ubifs ubi0:vol_a /mnt
modprobe gluebi
/usr/lib/udev/mtd_probe /dev/mtd2
modprobe ftl
~~~

~~~
[  204.767223] BUG: unable to handle page fault for address: fffffffffffffff0
[  204.767924] #PF: supervisor read access in kernel mode
[  204.768433] #PF: error_code(0x0000) - not-present page
[  204.768940] PGD 130669067 P4D 130669067 PUD 13066b067 PMD 0
[  204.769501] Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[  204.769968] CPU: 5 PID: 1470 Comm: modprobe Not tainted 6.6.0-rc5 #163
[  204.770617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[  204.771881] RIP: 0010:ubi_leb_read+0x2d/0x110 [ubi]
[  204.772375] Code: fa 0f 1f 44 00 00 41 57 49 89 ff 41 56 45 89 ce 41 55 49 89 d5 41 54 41 89 f4 55 89 cd 53 44 89 c3 48 83 ec 10 e8 23 21 37 d3 <4d> 8b 3f 89 d9 89 ea 44 89 e6 4c 89 ff 6
[  204.774091] RSP: 0018:ffff88811b9cf640 EFLAGS: 00010246
[  204.774578] RAX: 0000000000000000 RBX: 0000000000000044 RCX: ffffffffc02630bd
[  204.775219] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: fffffffffffffff0
[  204.775904] RBP: 0000000000000000 R08: 0000000000000044 R09: 0000000000000000
[  204.776554] R10: 0000000000000044 R11: ffffffff966ce549 R12: 0000000000000000
[  204.777199] R13: ffff88811b9cf880 R14: 0000000000000000 R15: fffffffffffffff0
[  204.777851] FS:  00007f13d55f7040(0000) GS:ffff8881f7680000(0000) knlGS:0000000000000000
[  204.778604] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  204.779141] CR2: fffffffffffffff0 CR3: 00000001048aa000 CR4: 00000000000006e0
[  204.779807] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  204.780474] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  204.781146] Call Trace:
[  204.781389]  <TASK>
[  204.781608]  ? __die_body+0x1f/0x70
[  204.781964]  ? page_fault_oops+0x1f2/0x500
[  204.782357]  ? __pfx_is_prefetch.isra.0+0x10/0x10
[  204.782812]  ? __pfx_page_fault_oops+0x10/0x10
[  204.783237]  ? ubi_leb_read+0x2d/0x110 [ubi]
[  204.783671]  ? search_module_extables+0x30/0x80
[  204.784113]  ? fixup_exception+0x3b/0x4a0
[  204.784506]  ? exc_page_fault+0x9d/0xa0
[  204.784886]  ? asm_exc_page_fault+0x26/0x30
[  204.785286]  ? ubi_leb_read+0x2d/0x110 [ubi]
[  204.785720]  ? ubi_leb_read+0x2d/0x110 [ubi]
[  204.786154]  gluebi_read+0xb4/0x100 [gluebi]
[  204.786580]  mtd_read_oob+0x110/0x270 [mtd]
[  204.787011]  mtd_read+0x9c/0xf0 [mtd]
[  204.787387]  ? __pfx_mtd_read+0x10/0x10 [mtd]
[  204.787837]  ? build_maps+0x9e1/0xa20 [ftl]
[  204.788245]  ? kasan_set_track+0x25/0x30
[  204.788630]  ftl_add_mtd+0x157/0x390 [ftl]
[  204.789028]  ? __pfx_ftl_add_mtd+0x10/0x10 [ftl]
[  204.789470]  ? idr_get_next+0x95/0xe0
[  204.789819]  ? __pfx_idr_get_next+0x10/0x10
[  204.790211]  ? __mtd_next_device+0x6e/0xa0 [mtd]
[  204.790677]  ? __pfx___mtd_next_device+0x10/0x10 [mtd]
[  204.791199]  register_mtd_blktrans+0x118/0x1b0 [mtd_blkdevs]
[  204.791745]  ? __pfx_ftl_tr_init+0x10/0x10 [ftl]
[  204.792189]  do_one_initcall+0x8d/0x2c0
[  204.792556]  ? __pfx_do_one_initcall+0x10/0x10
[  204.792977]  ? kasan_unpoison+0x27/0x60
[  204.793337]  ? __kasan_slab_alloc+0x30/0x70
[  204.793739]  ? __kmem_cache_alloc_node+0x10b/0x230
[  204.794184]  ? do_init_module+0x30/0x3a0
[  204.794562]  ? kasan_unpoison+0x27/0x60
[  204.794934]  do_init_module+0x13a/0x3a0
[  204.795307]  load_module+0x183b/0x1b40
[  204.795686]  ? __pfx_load_module+0x10/0x10
[  204.796080]  ? selinux_file_permission+0x1c2/0x1f0
[  204.796548]  ? security_file_permission+0xf5/0x2d0
[  204.797006]  ? kernel_read_file+0x3d1/0x410
[  204.797409]  ? kernel_read_file+0x1ac/0x410
[  204.797815]  ? __pfx_kernel_read_file+0x10/0x10
[  204.798253]  ? init_module_from_file+0xd2/0x130
[  204.798684]  init_module_from_file+0xd2/0x130
[  204.799089]  ? __pfx_init_module_from_file+0x10/0x10
[  204.799798]  ? __pfx__raw_spin_lock+0x10/0x10
[  204.800251]  ? __pfx_cred_has_capability+0x10/0x10
[  204.800696]  idempotent_init_module+0x265/0x380
[  204.801124]  ? __pfx_idempotent_init_module+0x10/0x10
[  204.801601]  ? __fget_light+0xae/0x1e0
[  204.801961]  __x64_sys_finit_module+0x7b/0xb0
[  204.802378]  do_syscall_64+0x3f/0x90
[  204.802730]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  204.803206] RIP: 0033:0x7f13d4acb4e9
[  204.803548] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6f 8
[  204.805309] RSP: 002b:00007ffcdba0ce48 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[  204.806044] RAX: ffffffffffffffda RBX: 000055cdc654c480 RCX: 00007f13d4acb4e9
[  204.806717] RDX: 0000000000000000 RSI: 000055cdc501bc26 RDI: 0000000000000004
[  204.807400] RBP: 000055cdc501bc26 R08: 0000000000000000 R09: 0000000000000000
[  204.808077] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[  204.808756] R13: 000055cdc654c440 R14: 0000000000040000 R15: 000055cdc654c480
[  204.809435]  </TASK>
[  204.809660] Modules linked in: ftl(+) mtd_blkdevs gluebi deflate zstd zstd_compress lzo ubifs ubi nandsim nand nandcore mtd iptable_nat
[  204.810821] CR2: fffffffffffffff0
[  204.811138] ---[ end trace 0000000000000000 ]---
[  204.811577] RIP: 0010:ubi_leb_read+0x2d/0x110 [ubi]
[  204.812068] Code: fa 0f 1f 44 00 00 41 57 49 89 ff 41 56 45 89 ce 41 55 49 89 d5 41 54 41 89 f4 55 89 cd 53 44 89 c3 48 83 ec 10 e8 23 21 37 d3 <4d> 8b 3f 89 d9 89 ea 44 89 e6 4c 89 ff 6
[  204.813779] RSP: 0018:ffff88811b9cf640 EFLAGS: 00010246
[  204.814264] RAX: 0000000000000000 RBX: 0000000000000044 RCX: ffffffffc02630bd
[  204.814921] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: fffffffffffffff0
[  204.815593] RBP: 0000000000000000 R08: 0000000000000044 R09: 0000000000000000
[  204.816277] R10: 0000000000000044 R11: ffffffff966ce549 R12: 0000000000000000
[  204.816962] R13: ffff88811b9cf880 R14: 0000000000000000 R15: fffffffffffffff0
[  204.817645] FS:  00007f13d55f7040(0000) GS:ffff8881f7680000(0000) knlGS:0000000000000000
[  204.818410] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  204.818956] CR2: fffffffffffffff0 CR3: 00000001048aa000 CR4: 00000000000006e0
[  204.819628] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  204.820294] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  204.820968] note: modprobe[1470] exited with irqs disabled
~~~

Can you reproduce this bug report on latest mainline (currently v6.6-rc5?)

> https://bugzilla.kernel.org/show_bug.cgi?id=217992
> Can you reproduce this bug report on latest mainline (currently v6.6-rc5?)
>

Yes! dump_stack() indicates the current kernel version in bugzilla, in this line:

~~~
[   17.696773] CPU: 0 PID: 1502 Comm: modprobe Not tainted 6.6.0-rc5 #158
~~~

On this issue, I give a phased summary here:

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers a NULL pointer dereference when trying to access 'gluebi->desc' in gluebi_read().

~~~
ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify                      nb->notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add      not->add()
                    ftl_add_mtd            tr->add_mtd()
                      scan_header
                        mtd_read
                          mtd_read
                            mtd_read_oob
                              gluebi_read  mtd->read()
                                gluebi->desc - NULL
~~~

In the normal case, gluebi->desc is obtained in gluebi_get_device() and accessed in gluebi_read(). However, gluebi_get_device() is not executed beforehand in the ftl_add_mtd() path, which leads to a NULL pointer dereference. The value of gluebi->desc may also be a negative error code, which triggers the page fault error.

Discussions on how to fix the problem can be found at the following links:

https://lore.kernel.org/lkml/2d04fa9e-e594-705c-339b-3090cb7d6fbd@huawei.com/T/
https://lore.kernel.org/lkml/12400272-4449-040c-1ccd-6494a67f4da0@huawei.com/T/
https://lore.kernel.org/lkml/142222867.20038.1698593973984.JavaMail.zimbra@nod.at/T/

The patch has entered mainline:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6
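The summary above describes two states of `gluebi->desc` that a read can hit before `gluebi_get_device()` has run: a NULL pointer, and a negative error code stored as a pointer. The following is an added userspace model written for this page (it is not kernel code, not the gluebi driver, and not the mainline fix): `struct volume`, `struct vol_desc`, `struct gluebi_dev`, `model_open_volume()` and the `volume_busy` flag are stand-ins chosen so the two failure modes can be exercised without a kernel. The ERR_PTR/IS_ERR helpers use the same encoding as the kernel's `include/linux/err.h`. One thing the model makes concrete: the faulting address in the second trace, `fffffffffffffff0`, is the bit pattern of `(void *)-16`, i.e. `ERR_PTR(-EBUSY)` plus a zero field offset (`vol` is the first member of the descriptor); which UBI call produced that errno in the ubifs-mounted reproducer is an inference, not something the report states.

```c
/*
 * Added userspace model of the gluebi->desc lifecycle this bug is about.
 * Not kernel code and not the mainline fix: the structs, model_open_volume()
 * and the volume_busy flag are stand-ins so the failure modes can be
 * exercised without a kernel.
 * Build: cc -Wall -Wextra -o desc_model desc_model.c && ./desc_model
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same scheme as include/linux/err.h: the top 4095 addresses of the
 * address space carry a negative errno instead of a real pointer. */
#define MAX_ERRNO 4095UL
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)(uintptr_t)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct volume { int vol_id; int usable_leb_size; };  /* stand-in for struct ubi_volume */
struct vol_desc { struct volume *vol; int mode; };   /* stand-in: ->vol is the first field */

struct gluebi_dev {
    int refcnt;             /* openers that came through model_get_device() */
    struct vol_desc *desc;  /* NULL until a successful open; ERR_PTR left behind on a failed one */
    int volume_busy;        /* constructed: someone else already holds the volume */
};

static struct volume   the_volume = { .vol_id = 0, .usable_leb_size = 126976 };
static struct vol_desc the_desc   = { .vol = &the_volume, .mode = 0 };

/* Stand-in for ubi_open_volume(): a held volume yields ERR_PTR(-EBUSY). */
static struct vol_desc *model_open_volume(const struct gluebi_dev *g)
{
    return g->volume_busy ? ERR_PTR(-EBUSY) : &the_desc;
}

/* Mirrors the shape of gluebi_get_device(): the open result is stored in
 * ->desc before it is checked, so a failed open leaves the ERR_PTR behind. */
int model_get_device(struct gluebi_dev *g)
{
    if (g->refcnt > 0) {
        g->refcnt++;
        return 0;
    }
    g->desc = model_open_volume(g);
    if (IS_ERR(g->desc))
        return (int)PTR_ERR(g->desc);
    g->refcnt = 1;
    return 0;
}

/* Address an unchecked "desc->vol" load would touch, computed instead of
 * dereferenced. With ->vol at offset 0 this is the value CR2 would show. */
uintptr_t unchecked_read_addr(const struct gluebi_dev *g)
{
    return (uintptr_t)g->desc + offsetof(struct vol_desc, vol);
}

/* Hardened read: refuse anything that did not come through a successful
 * get_device, and turn a stored ERR_PTR back into its errno. */
int checked_read(const struct gluebi_dev *g, int *leb_size)
{
    if (g->refcnt == 0 || IS_ERR_OR_NULL(g->desc))
        return IS_ERR(g->desc) ? (int)PTR_ERR(g->desc) : -ENODEV;
    *leb_size = g->desc->vol->usable_leb_size;
    return 0;
}

int main(void)
{
    struct gluebi_dev never_opened = { 0 };         /* ftl reads before anyone opened the mtd */
    struct gluebi_dev held = { .volume_busy = 1 };  /* the volume is already held elsewhere */
    struct gluebi_dev normal = { 0 };
    int leb = 0, rc;

    printf("never opened: unchecked load at %#lx, checked_read -> %d\n",
           (unsigned long)unchecked_read_addr(&never_opened),
           checked_read(&never_opened, &leb));

    rc = model_get_device(&held);
    printf("held volume:  get_device -> %d, unchecked load at %#lx, checked_read -> %d\n",
           rc, (unsigned long)unchecked_read_addr(&held), checked_read(&held, &leb));

    rc = model_get_device(&normal);
    printf("normal:       get_device -> %d, checked_read -> %d, leb size %d\n",
           rc, checked_read(&normal, &leb), leb);
    return 0;
}
```

The check in `checked_read()` tests the open count and not only the pointer value on purpose: a pointer that merely looks valid can be the descriptor that `gluebi_put_device()` already closed, which is the use-after-free in the first trace, and the model does not reproduce that free. Whether a check at the read side, a change in how the ftl notifier enumerates devices, or something else is what the merged commit does is not stated on this page; follow the lore threads and the commit link above for the accepted fix.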