1. Apply diff (turn on CONFIG_KASAN) and compile kernel
2. Exec:
   ID="0xec,0xa1,0x00,0x15" # 128M 128KB 2KB
   modprobe nandsim id_bytes=$ID
   modprobe ubi mtd="0,2048"
   ubimkvol -N vol_a -m -n 0 /dev/ubi0
3. dmesg
[  244.257211] ==================================================================
[  244.261004] BUG: KASAN: use-after-free in ubi_eba_destroy_table+0x1b/0x50 [ubi]
[  244.262410] Read of size 8 at addr ffff888101948410 by task ubimkvol/1606
[  244.263367]
[  244.263605] CPU: 0 PID: 1606 Comm: ubimkvol Not tainted 5.18.0-rc1-00005-g9fe871fba02c-dirty #473
[  244.264776] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc314
[  244.266602] Call Trace:
[  244.266966]  <TASK>
[  244.267273]  ? dump_stack_lvl+0x73/0x9f
[  244.267834]  ? print_report.cold+0x100/0xa3f
[  244.268459]  ? _raw_spin_lock_irqsave+0xcd/0x160
[  244.269131]  ? ubi_eba_destroy_table+0x1b/0x50 [ubi]
[  244.270173]  ? kasan_report+0xbf/0x130
[  244.270746]  ? devres_release_group+0x230/0x240
[  244.271407]  ? ubi_eba_destroy_table+0x1b/0x50 [ubi]
[  244.272530]  ? __asan_load8+0x74/0x110
[  244.273081]  ? ubi_eba_destroy_table+0x1b/0x50 [ubi]
[  244.274187]  ? ubi_eba_replace_table+0x32/0x50 [ubi]
[  244.275300]  ? vol_release+0x18/0x50 [ubi]
[  244.276258]  ? device_release+0x6e/0x170
[  244.276827]  ? kobject_put+0x1aa/0x430
[  244.277372]  ? put_device+0x17/0x30
[  244.277881]  ? ubi_create_volume+0x5db/0xad0 [ubi]
[  244.278951]  ? ubi_cdev_ioctl+0xf1c/0x1640 [ubi]
[  244.279967]  ? vfs_fileattr_set+0x690/0x690
[  244.280580]  ? vol_cdev_llseek+0xc0/0xc0 [ubi]
[  244.281595]  ? ioctl_has_perm.constprop.0+0x1eb/0x2b0
[  244.282307]  ? selinux_inet_conn_established+0x80/0x80
[  244.283096]  ? selinux_file_ioctl+0xeb/0x1a0
[  244.283712]  ? selinux_file_ioctl+0xeb/0x1a0
[  244.284343]  ? __x64_sys_ioctl+0x118/0x170
[  244.284937]  ? do_syscall_64+0x35/0x80
[  244.285485]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
[  244.286256]  </TASK>
[  244.286582]
[  244.286807] Allocated by task 1606:
[  244.287302]  kasan_save_stack+0x26/0x60
[  244.287854]  set_alloc_info+0x4b/0x80
[  244.288380]  __kasan_kmalloc+0x8d/0xd0
[  244.288918]  kmem_cache_alloc_trace+0x262/0x5a0
[  244.289588]  ubi_eba_create_table+0x3a/0x140 [ubi]
[  244.290627]  ubi_create_volume+0x70f/0xad0 [ubi]
[  244.291649]  ubi_cdev_ioctl+0xf1c/0x1640 [ubi]
[  244.292630]  __x64_sys_ioctl+0x118/0x170
[  244.293181]  do_syscall_64+0x35/0x80
[  244.293697]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  244.294408]
[  244.294639] Freed by task 1606:
[  244.295086]  kasan_save_stack+0x26/0x60
[  244.295633]  kasan_set_track+0x29/0x40
[  244.296171]  kasan_set_free_info+0x30/0x60
[  244.296768]  __kasan_slab_free+0x184/0x2c0
[  244.297352]  kfree+0x14a/0x6c0
[  244.297799]  ubi_eba_destroy_table+0x34/0x50 [ubi]
[  244.298827]  ubi_create_volume+0x944/0xad0 [ubi]
[  244.299823]  ubi_cdev_ioctl+0xf1c/0x1640 [ubi]
[  244.300838]  __x64_sys_ioctl+0x118/0x170
[  244.301391]  do_syscall_64+0x35/0x80
[  244.301906]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  244.302618]
[  244.302842] The buggy address belongs to the object at ffff888101948410
[  244.302842]  which belongs to the cache kmalloc-8 of size 8
[  244.304482] The buggy address is located 0 bytes inside of
[  244.304482]  8-byte region [ffff888101948410, ffff888101948418)
[  244.306011]
[  244.306235] The buggy address belongs to the physical page:
[  244.306999] page:00000000a1e9be2b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881019487f8 pfn:0x101948
[  244.308447] flags: 0x2fffff80000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[  244.309417] raw: 002fffff80000200 0000000000000000 dead000000000001 ffff888100042280
[  244.310487] raw: ffff8881019487f8 0000000080660046 00000001ffffffff 0000000000000000
[  244.311547] page dumped because: kasan: bad access detected
[  244.312318]
[  244.312546] Memory state around the buggy address:
[  244.313202]  ffff888101948300: fc fc fc fc fb fc fc fc fc fa fc fc fc fc fa fc
[  244.314185]  ffff888101948380: fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc fc
[  244.315163] >ffff888101948400: fc fc fa fc fc fc fc fa fc fc fc fc 00 fc fc fc
[  244.316146]                          ^
[  244.316680]  ffff888101948480: fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc
[  244.317666]  ffff888101948500: 00 fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00
[  244.318663] ==================================================================
[  244.319677] Disabling lock debugging due to kernel taint
[  244.320883] ubi0 error: ubi_create_volume [ubi]: cannot create volume 0, error -12
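Added example, not part of the bug report or of the UBI driver: a user-space model of the ownership error that the KASAN splat above describes. The report says the table was allocated by ubi_eba_create_table inside ubi_create_volume, freed by ubi_eba_destroy_table called from ubi_create_volume (the error path that ends in "cannot create volume 0, error -12"), and then read again via put_device -> vol_release -> ubi_eba_replace_table -> ubi_eba_destroy_table. The function names below mirror that chain, but every body is an assumption reconstructed from the trace, and the "fixed" variant (let the release callback own the table instead of destroying it by hand on the error path) is one way to close the hole, not the patch posted to linux-mtd. A tiny tracked allocator stands in for kmalloc/kfree under KASAN: it quarantines freed blocks and counts a free of, or a read through, an already-freed block instead of letting the heap get corrupted.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Tracked allocator standing in for kmalloc/kfree under KASAN.
 * Freed blocks are quarantined (never handed back to libc), so a
 * pointer identifies exactly one allocation for the whole run. */
#define MAX_TRACKED 64
static void *blocks[MAX_TRACKED];   /* every block ever handed out        */
static int   live[MAX_TRACKED];     /* 1 while allocated, 0 once freed     */
static int   kasan_reports;         /* counts what KASAN would have splat */

static void *kmalloc_t(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!blocks[i]) { blocks[i] = p; live[i] = 1; return p; }
    abort();                        /* toy limit exceeded */
}

static int slot_of(const void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (blocks[i] == p) return i;
    return -1;
}

/* Models the compiler-inserted __asan_load8 check before a dereference:
 * returns 1 if p is live, otherwise records a report and returns 0. */
static int kasan_check(const void *p)
{
    int i = slot_of(p);
    if (i < 0 || !live[i]) { kasan_reports++; return 0; }
    return 1;
}

static void kfree_t(void *p)
{
    if (!p) return;
    int i = slot_of(p);
    if (i < 0 || !live[i]) { kasan_reports++; return; }   /* double free */
    live[i] = 0;
}

/* Assumed shapes; the real UBI structures are larger. */
struct ubi_eba_table { int *entries; int nentries; };
struct ubi_volume    { struct ubi_eba_table *eba_tbl; int refcount; };

static struct ubi_eba_table *ubi_eba_create_table(int nentries)
{
    struct ubi_eba_table *tbl = kmalloc_t(sizeof(*tbl));
    tbl->entries = kmalloc_t(sizeof(int) * (size_t)nentries);
    tbl->nentries = nentries;
    return tbl;
}

static void ubi_eba_destroy_table(struct ubi_eba_table *tbl)
{
    if (!tbl) return;
    if (!kasan_check(tbl))          /* the "Read of size 8" in the report */
        return;
    kfree_t(tbl->entries);
    kfree_t(tbl);
}

/* The volume's release path destroys whatever table it still owns. */
static void ubi_eba_replace_table(struct ubi_volume *vol, struct ubi_eba_table *tbl)
{
    ubi_eba_destroy_table(vol->eba_tbl);
    vol->eba_tbl = tbl;
}

static void vol_release(struct ubi_volume *vol)
{
    ubi_eba_replace_table(vol, NULL);
    kfree_t(vol);
}

static void put_device(struct ubi_volume *vol)
{
    if (--vol->refcount == 0)
        vol_release(vol);
}

/* Volume creation with an assumed failure after the table has already been
 * handed to the volume. With fixed == 0 the error path destroys the table
 * itself and then drops the last reference, so vol_release frees it again. */
static int ubi_create_volume(int fixed)
{
    struct ubi_volume *vol = kmalloc_t(sizeof(*vol));
    vol->refcount = 1;
    vol->eba_tbl = ubi_eba_create_table(8);   /* ownership moves to vol */

    if (!fixed)
        ubi_eba_destroy_table(vol->eba_tbl);  /* BUG: freed again below */
    put_device(vol);                          /* refcount 0: vol_release */
    return -ENOMEM;
}

/* Runs one failing creation and returns how many KASAN-style reports fired. */
int run_create_volume(int fixed)
{
    kasan_reports = 0;
    return ubi_create_volume(fixed) == -ENOMEM ? kasan_reports : -1;
}

/* Blocks still allocated after the runs so far; 0 means nothing leaked. */
int live_blocks(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) n += live[i];
    return n;
}

int main(void)
{
    printf("buggy error path: %d KASAN report(s)\n", run_create_volume(0));
    printf("fixed error path: %d KASAN report(s), %d live block(s)\n",
           run_create_volume(1), live_blocks());
    return 0;
}
```

The buggy path produces exactly one report, at the same place as in the dmesg output: the second ubi_eba_destroy_table, reached through vol_release, reads the already-freed table. The fixed path produces none and leaves no live block, which is the property to check when reviewing the real patch: after the error, the table must be freed once, by whichever side owns it.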
You'd better find the maintainers of this driver and email them directly or email the appropriate mailing list otherwise this bug report might not be seen by anyone.
Created attachment 300927: diff
(In reply to Artem S. Tashkinov from comment #1)
> You'd better find the maintainers of this driver and email them directly or
> email the appropriate mailing list otherwise this bug report might not be
> seen by anyone.

I have sent the fix patch to linux-mtd. The reproducer link is attached in the patch.
https://patchwork.ozlabs.org/project/linux-mtd/patch/20220510123126.1820335-4-chengzhihao1@huawei.com/
Created attachment 300928: diff