### Reproduce the problem.

#### Kernel CONFIG

~~~
CONFIG_MTD=m
CONFIG_MTD_BLKDEVS=m
CONFIG_MTD_BLOCK=m
CONFIG_FTL=m
CONFIG_MTD_PARTITIONED_MASTER=y
CONFIG_MTD_NAND_NANDSIM=m
CONFIG_MTD_UBI=m
CONFIG_MTD_UBI_GLUEBI=m
~~~

### Scenario 1: Load ftl.ko --> Create volume --> Load gluebi.ko

~~~bash
ID="0x20,0xa5,0x00,0x15" # 2GB 128KB PEB, 2KB page
modprobe nandsim id_bytes=$ID
modprobe ftl
modprobe ubi
ubiattach -m 1 -O 4096
ubimkvol -N vol_a -m -n 0 /dev/ubi0
modprobe gluebi
~~~

~~~
[ 17.694334] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 17.695060] #PF: supervisor read access in kernel mode
[ 17.695575] #PF: error_code(0x0000) - not-present page
[ 17.696093] PGD 0 P4D 0
[ 17.696350] Oops: 0000 [#1] PREEMPT SMP PTI
[ 17.696773] CPU: 0 PID: 1502 Comm: modprobe Not tainted 6.6.0-rc5 #158
[ 17.697418] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ 17.698744] RIP: 0010:ubi_leb_read+0x2c/0xc0 [ubi]
[ 17.699246] Code: 1e fa 0f 1f 44 00 00 41 57 41 89 cf 44 89 c1 41 56 45 89 c6 41 55 49 89 d5 44 89 fa 41 54 41 89 f4 55 53 44 89 cb 48 83 ec 10 <48> 8b 2f 48 89 ef e8 39 ff ff ff 85 c0 0
[ 17.701090] RSP: 0018:ffffa1bac047f8f0 EFLAGS: 00010286
[ 17.701608] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000044
[ 17.702322] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 17.703016] RBP: 0000000000000044 R08: 0000000000000044 R09: 0000000000000000
[ 17.703715] R10: 0000000000000044 R11: 5441505645440064 R12: 0000000000000000
[ 17.704401] R13: ffffa1bac047fa2c R14: 0000000000000044 R15: 0000000000000000
[ 17.705098] FS: 00007fbb7eefa040(0000) GS:ffff891ff7c00000(0000) knlGS:0000000000000000
[ 17.705873] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.706424] CR2: 0000000000000000 CR3: 000000010a6a6000 CR4: 00000000000006f0
[ 17.707109] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 17.707795] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 17.708491] Call Trace:
[ 17.708746] <TASK>
[ 17.708964] ? __die_body+0x1f/0x70
[ 17.709328] ? page_fault_oops+0x15b/0x430
[ 17.709736] ? search_module_extables+0x1a/0x60
[ 17.710195] ? fixup_exception+0x26/0x310
[ 17.710600] ? exc_page_fault+0x64/0x130
[ 17.710988] ? asm_exc_page_fault+0x26/0x30
[ 17.711401] ? ubi_leb_read+0x2c/0xc0 [ubi]
[ 17.711820] gluebi_read+0x78/0xb0 [gluebi]
[ 17.712240] mtd_read_oob+0xa8/0x160 [mtd]
[ 17.712647] mtd_read+0x44/0x70 [mtd]
[ 17.713018] ftl_add_mtd+0xb2/0x240 [ftl]
[ 17.713418] ? device_create+0x4d/0x70
[ 17.713788] blktrans_notify_add+0x35/0x60 [mtd_blkdevs]
[ 17.714319] add_mtd_device+0x2ac/0x400 [mtd]
[ 17.714772] mtd_device_parse_register+0x1a3/0x390 [mtd]
[ 17.715307] gluebi_notify+0x2ab/0x500 [gluebi]
[ 17.715756] ubi_notify_all+0x67/0xe0 [ubi]
[ 17.716177] ubi_enumerate_volumes+0x35/0x50 [ubi]
[ 17.716654] ubi_register_volume_notifier+0x4c/0x70 [ubi]
[ 17.717195] ? __pfx_ubi_gluebi_init+0x10/0x10 [gluebi]
[ 17.717704] do_one_initcall+0x48/0x220
[ 17.718091] ? kmalloc_trace+0x29/0x90
[ 17.718453] do_init_module+0x64/0x230
[ 17.718818] load_module+0xe93/0x10c0
[ 17.719176] ? v9fs_file_read_iter+0x50/0xa0
[ 17.719591] ? init_module_from_file+0x8b/0xd0
[ 17.720023] init_module_from_file+0x8b/0xd0
[ 17.720446] idempotent_init_module+0x181/0x240
[ 17.720895] __x64_sys_finit_module+0x59/0x90
[ 17.721338] do_syscall_64+0x3f/0x90
[ 17.721708] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 17.722203] RIP: 0033:0x7fbb7e3ce4e9
[ 17.722551] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6f 8
[ 17.724321] RSP: 002b:00007ffcf553af38 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 17.725033] RAX: ffffffffffffffda RBX: 00005556909f7480 RCX: 00007fbb7e3ce4e9
[ 17.725729] RDX: 0000000000000000 RSI: 000055569021bc26 RDI: 0000000000000003
[ 17.726418] RBP: 000055569021bc26 R08: 0000000000000000 R09: 0000000000000000
[ 17.727129] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[ 17.727812] R13: 00005556909f7440 R14: 0000000000040000 R15: 00005556909f7480
[ 17.728499] </TASK>
[ 17.728717] Modules linked in: gluebi(+) ubi ftl mtd_blkdevs nandsim nand nandcore mtd iptable_nat
[ 17.729581] CR2: 0000000000000000
[ 17.729934] ---[ end trace 0000000000000000 ]---
[ 17.730379] RIP: 0010:ubi_leb_read+0x2c/0xc0 [ubi]
[ 17.730867] Code: 1e fa 0f 1f 44 00 00 41 57 41 89 cf 44 89 c1 41 56 45 89 c6 41 55 49 89 d5 44 89 fa 41 54 41 89 f4 55 53 44 89 cb 48 83 ec 10 <48> 8b 2f 48 89 ef e8 39 ff ff ff 85 c0 0
[ 17.732639] RSP: 0018:ffffa1bac047f8f0 EFLAGS: 00010286
[ 17.733154] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000044
[ 17.733847] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 17.734552] RBP: 0000000000000044 R08: 0000000000000044 R09: 0000000000000000
[ 17.735248] R10: 0000000000000044 R11: 5441505645440064 R12: 0000000000000000
[ 17.735952] R13: ffffa1bac047fa2c R14: 0000000000000044 R15: 0000000000000000
[ 17.736658] FS: 00007fbb7eefa040(0000) GS:ffff891ff7c00000(0000) knlGS:0000000000000000
[ 17.737451] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.738002] CR2: 0000000000000000 CR3: 000000010a6a6000 CR4: 00000000000006f0
[ 17.738699] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 17.739379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 17.740793] modprobe (1502) used greatest stack depth: 12200 bytes left
~~~

#### Call Trace

~~~
ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify                    ->notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add    not->add()
                    ftl_add_mtd          tr->add_mtd()
                      scan_header
                        mtd_read(part->mbd.mtd,
                          mtd_read
                            mtd_read_oob
                              gluebi_read    mtd->read()
                                ubi_read(gluebi->desc
~~~

### Scenario 2: Load ftl.ko --> Load gluebi.ko --> Create volume

~~~bash
ID="0x20,0xa5,0x00,0x15" # 2GB 128KB PEB, 2KB page
modprobe nandsim id_bytes=$ID
modprobe ftl
modprobe ubi
modprobe gluebi
ubiattach -m 1 -O 4096
ubimkvol -N vol_a -m -n 0 /dev/ubi0
~~~

~~~
[ 61.666996] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 61.668050] #PF: supervisor read access in kernel mode
[ 61.668798] #PF: error_code(0x0000) - not-present page
[ 61.669557] PGD 800000010cd5b067 P4D 800000010cd5b067 PUD 107a69067 PMD 0
[ 61.670544] Oops: 0000 [#1] PREEMPT SMP PTI
[ 61.670958] CPU: 0 PID: 1519 Comm: ubimkvol Not tainted 6.6.0-rc5 #158
[ 61.671601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ 61.672917] RIP: 0010:ubi_leb_read+0x2c/0xc0 [ubi]
[ 61.673426] Code: 1e fa 0f 1f 44 00 00 41 57 41 89 cf 44 89 c1 41 56 45 89 c6 41 55 49 89 d5 44 89 fa 41 54 41 89 f4 55 53 44 89 cb 48 83 ec 10 <48> 8b 2f 48 89 ef e8 39 ff ff ff 85 c0 0
[ 61.675238] RSP: 0018:ffffab20c047b990 EFLAGS: 00010286
[ 61.675737] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000044
[ 61.676423] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 61.677123] RBP: 0000000000000044 R08: 0000000000000044 R09: 0000000000000000
[ 61.677808] R10: 0000000000000044 R11: 514553006f723264 R12: 0000000000000000
[ 61.678485] R13: ffffab20c047bacc R14: 0000000000000044 R15: 0000000000000000
[ 61.679144] FS: 00007fd1fa04c480(0000) GS:ffff9117f7c00000(0000) knlGS:0000000000000000
[ 61.679890] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 61.680449] CR2: 0000000000000000 CR3: 000000010ce08000 CR4: 00000000000006f0
[ 61.681134] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 61.681806] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 61.682498] Call Trace:
[ 61.682745] <TASK>
[ 61.682959] ? __die_body+0x1f/0x70
[ 61.683802] ? page_fault_oops+0x15b/0x430
[ 61.684210] ? search_module_extables+0x1a/0x60
[ 61.684635] ? fixup_exception+0x26/0x310
[ 61.685017] ? exc_page_fault+0x64/0x130
[ 61.685398] ? asm_exc_page_fault+0x26/0x30
[ 61.685791] ? ubi_leb_read+0x2c/0xc0 [ubi]
[ 61.686199] gluebi_read+0x78/0xb0 [gluebi]
[ 61.686595] mtd_read_oob+0xa8/0x160 [mtd]
[ 61.687002] mtd_read+0x44/0x70 [mtd]
[ 61.687376] ftl_add_mtd+0xb2/0x240 [ftl]
[ 61.687757] ? device_create+0x4d/0x70
[ 61.688121] blktrans_notify_add+0x35/0x60 [mtd_blkdevs]
[ 61.688614] add_mtd_device+0x2ac/0x400 [mtd]
[ 61.689045] mtd_device_parse_register+0x1a3/0x390 [mtd]
[ 61.689551] gluebi_notify+0x2ab/0x500 [gluebi]
[ 61.689981] notifier_call_chain+0x5d/0xd0
[ 61.690847] blocking_notifier_call_chain+0x41/0x60
[ 61.691330] ubi_volume_notify+0x53/0x80 [ubi]
[ 61.691760] ubi_create_volume+0x493/0x5a0 [ubi]
[ 61.692216] ubi_cdev_ioctl+0x379/0x960 [ubi]
[ 61.692637] __x64_sys_ioctl+0x92/0xd0
[ 61.692998] do_syscall_64+0x3f/0x90
[ 61.693345] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 61.693821] RIP: 0033:0x7fd1f9b6d577
[ 61.694178] Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 8
[ 61.695889] RSP: 002b:00007fff66dfde18 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 61.696600] RAX: ffffffffffffffda RBX: 00007fff66dfdf00 RCX: 00007fd1f9b6d577
[ 61.697266] RDX: 00007fff66dfde20 RSI: 0000000040986f00 RDI: 0000000000000003
[ 61.697924] RBP: 0000000000000003 R08: 0000000000000040 R09: 0000000000000000
[ 61.698587] R10: 0000000000000003 R11: 0000000000000206 R12: 00007fff66dff44d
[ 61.699250] R13: 00007fff66dff43f R14: 0000000000000000 R15: 0000000000000000
[ 61.699913] </TASK>
[ 61.700139] Modules linked in: gluebi ubi ftl mtd_blkdevs nandsim nand nandcore mtd iptable_nat
[ 61.700946] CR2: 0000000000000000
[ 61.701293] ---[ end trace 0000000000000000 ]---
[ 61.701731] RIP: 0010:ubi_leb_read+0x2c/0xc0 [ubi]
[ 61.702213] Code: 1e fa 0f 1f 44 00 00 41 57 41 89 cf 44 89 c1 41 56 45 89 c6 41 55 49 89 d5 44 89 fa 41 54 41 89 f4 55 53 44 89 cb 48 83 ec 10 <48> 8b 2f 48 89 ef e8 39 ff ff ff 85 c0 0
[ 61.703947] RSP: 0018:ffffab20c047b990 EFLAGS: 00010286
[ 61.704444] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000044
[ 61.705139] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 61.705843] RBP: 0000000000000044 R08: 0000000000000044 R09: 0000000000000000
[ 61.706552] R10: 0000000000000044 R11: 514553006f723264 R12: 0000000000000000
[ 61.707244] R13: ffffab20c047bacc R14: 0000000000000044 R15: 0000000000000000
[ 61.707939] FS: 00007fd1fa04c480(0000) GS:ffff9117f7c00000(0000) knlGS:0000000000000000
[ 61.708698] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 61.709257] CR2: 0000000000000000 CR3: 000000010ce08000 CR4: 00000000000006f0
[ 61.709939] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 61.710612] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 61.711353] ubimkvol (1519) used greatest stack depth: 12360 bytes left
~~~

#### Call trace

~~~
ubi_cdev_ioctl
  ubi_create_volume
    ubi_volume_notify
      blocking_notifier_call_chain       [kernel/notifier.c]
        notifier_call_chain
          gluebi_notify                  nb->notifier_call()
            gluebi_create
              mtd_device_register
                mtd_device_parse_register
                  add_mtd_device
                    blktrans_notify_add  not->add()
                      ftl_add_mtd        tr->add_mtd()
                        scan_header
                          mtd_read(part->mbd.mtd,
                            mtd_read_oob
                              gluebi_read    mtd->read()
                                ubi_read(gluebi->desc
~~~

### Scenario 3: Create a volume --> Load the gluebi.ko --> Load the ftl.ko

~~~bash
ID="0x20,0xa5,0x00,0x15" # 2GB 128KB PEB, 2KB page
modprobe nandsim id_bytes=$ID
modprobe ubi
ubiattach -m 1 -O 4096
ubimkvol -N vol_a -m -n 0 /dev/ubi0
modprobe gluebi
modprobe ftl
~~~

~~~
[ 61.979997] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 61.980660] #PF: supervisor read access in kernel mode
[ 61.981139] #PF: error_code(0x0000) - not-present page
[ 61.981611] PGD 0 P4D 0
[ 61.981863] Oops: 0000 [#1] PREEMPT SMP PTI
[ 61.982252] CPU: 1 PID: 1426 Comm: modprobe Not tainted 6.6.0-rc5 #158
[ 61.982856] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ 61.984061] RIP: 0010:ubi_leb_read+0x2c/0xc0 [ubi]
[ 61.984540] Code: 1e fa 0f 1f 44 00 00 41 57 41 89 cf 44 89 c1 41 56 45 89 c6 41 55 49 89 d5 44 89 fa 41 54 41 89 f4 55 53 44 89 cb 48 83 ec 10 <48> 8b 2f 48 89 ef e8 39 ff ff ff 85 c0 0
[ 61.986290] RSP: 0018:ffffb0b5c07c7a70 EFLAGS: 00010282
[ 61.986787] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000044
[ 61.987491] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 61.988169] RBP: 0000000000000044 R08: 0000000000000044 R09: 0000000000000000
[ 61.988836] R10: 0000000000000044 R11: 0000000000000002 R12: 0000000000000000
[ 61.989518] R13: ffffb0b5c07c7bac R14: 0000000000000044 R15: 0000000000000000
[ 61.990202] FS: 00007fcfa55c3040(0000) GS:ffff9e7877c40000(0000) knlGS:0000000000000000
[ 61.990970] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 61.991520] CR2: 0000000000000000 CR3: 00000001105c8000 CR4: 00000000000006e0
[ 61.992211] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 61.992891] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 61.993575] Call Trace:
[ 61.993826] <TASK>
[ 61.994043] ? __die_body+0x1f/0x70
[ 61.994392] ? page_fault_oops+0x15b/0x430
[ 61.994786] ? search_module_extables+0x1a/0x60
[ 61.995223] ? fixup_exception+0x26/0x310
[ 61.995606] ? exc_page_fault+0x64/0x130
[ 61.995990] ? asm_exc_page_fault+0x26/0x30
[ 61.996392] ? ubi_leb_read+0x2c/0xc0 [ubi]
[ 61.996794] gluebi_read+0x78/0xb0 [gluebi]
[ 61.997205] mtd_read_oob+0xa8/0x160 [mtd]
[ 61.997607] mtd_read+0x44/0x70 [mtd]
[ 61.997966] ftl_add_mtd+0xb2/0x240 [ftl]
[ 61.998357] ? idr_get_next_ul+0xba/0x100
[ 61.998742] register_mtd_blktrans+0xa9/0x120 [mtd_blkdevs]
[ 61.999270] ? __pfx_ftl_tr_init+0x10/0x10 [ftl]
[ 61.999701] do_one_initcall+0x48/0x220
[ 62.000075] ? kmalloc_trace+0x29/0x90
[ 62.000432] do_init_module+0x64/0x230
[ 62.000785] load_module+0xe93/0x10c0
[ 62.001134] ? v9fs_file_read_iter+0x50/0xa0
[ 62.001539] ? init_module_from_file+0x8b/0xd0
[ 62.001965] init_module_from_file+0x8b/0xd0
[ 62.002374] idempotent_init_module+0x181/0x240
[ 62.002799] __x64_sys_finit_module+0x59/0x90
[ 62.003214] do_syscall_64+0x3f/0x90
[ 62.003556] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 62.004038] RIP: 0033:0x7fcfa4a974e9
[ 62.004378] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6f 8
[ 62.006136] RSP: 002b:00007ffd58f92b38 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 62.006859] RAX: ffffffffffffffda RBX: 000055dc770ab480 RCX: 00007fcfa4a974e9
[ 62.007534] RDX: 0000000000000000 RSI: 000055dc7501bc26 RDI: 0000000000000004
[ 62.008213] RBP: 000055dc7501bc26 R08: 0000000000000000 R09: 0000000000000000
[ 62.008891] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[ 62.009571] R13: 000055dc770ab440 R14: 0000000000040000 R15: 000055dc770ab480
[ 62.010247] </TASK>
[ 62.010464] Modules linked in: ftl(+) mtd_blkdevs gluebi deflate zstd zstd_compress lzo ubifs ubi nandsim nand nandcore mtd iptable_nat
[ 62.011610] CR2: 0000000000000000
[ 62.011965] ---[ end trace 0000000000000000 ]---
[ 62.012419] RIP: 0010:ubi_leb_read+0x2c/0xc0 [ubi]
[ 62.012887] Code: 1e fa 0f 1f 44 00 00 41 57 41 89 cf 44 89 c1 41 56 45 89 c6 41 55 49 89 d5 44 89 fa 41 54 41 89 f4 55 53 44 89 cb 48 83 ec 10 <48> 8b 2f 48 89 ef e8 39 ff ff ff 85 c0 0
[ 62.014579] RSP: 0018:ffffb0b5c07c7a70 EFLAGS: 00010282
[ 62.015061] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000044
[ 62.015722] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 62.016386] RBP: 0000000000000044 R08: 0000000000000044 R09: 0000000000000000
[ 62.017036] R10: 0000000000000044 R11: 0000000000000002 R12: 0000000000000000
[ 62.017720] R13: ffffb0b5c07c7bac R14: 0000000000000044 R15: 0000000000000000
[ 62.018403] FS: 00007fcfa55c3040(0000) GS:ffff9e7877c40000(0000) knlGS:0000000000000000
[ 62.019163] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 62.019702] CR2: 0000000000000000 CR3: 00000001105c8000 CR4: 00000000000006e0
[ 62.020378] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 62.021058] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 62.022471] modprobe (1426) used greatest stack depth: 12584 bytes left
~~~

#### Call trace

~~~
load_module
  register_mtd_blktrans
    ftl_add_mtd                  not->add()
      scan_header
        mtd_read(part->mbd.mtd,
          mtd_read_oob
            gluebi_read          mtd->read()
              ubi_read(gluebi->desc
~~~
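The three call traces above all end in `ubi_read(gluebi->desc)` with `RDI` equal to zero: ftl's `ftl_add_mtd` reads the gluebi mtd before anyone has called the device's get-device hook, so the UBI volume descriptor is still NULL. The slab-use-after-free report further down is the same read after a user (mtd_probe) has opened and closed the device, so the descriptor has already been freed. The following is an added user-space model of that lifetime rule, not kernel code and not the upstream fix; the function names echo the page's call chain (`gluebi_get_device`, `gluebi_put_device`, `gluebi_read`, `ubi_open_volume`, `ubi_close_volume`), while the struct layouts, the fixed descriptor pool, and the assumption that `put_device` leaves a stale pointer behind are simplifications made for the example:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of the gluebi/ftl
 * ordering bug.  Names mirror the page's traces; bodies are stand-ins. */

struct ubi_volume_desc {
    int vol_id;
    int closed;   /* model-only flag, set instead of freeing the memory */
};

struct gluebi_device {
    int refcount;
    struct ubi_volume_desc *desc;   /* NULL until the first get_device */
};

/* Fixed pool instead of kmalloc: a closed descriptor stays addressable, so a
 * stale read is reported as -2 rather than being undefined behaviour. */
#define POOL_SIZE 8
static struct ubi_volume_desc pool[POOL_SIZE];
static int pool_next;

static struct ubi_volume_desc *ubi_open_volume(int vol_id)
{
    if (pool_next >= POOL_SIZE)
        return NULL;
    pool[pool_next].vol_id = vol_id;
    pool[pool_next].closed = 0;
    return &pool[pool_next++];
}

static void ubi_close_volume(struct ubi_volume_desc *desc)
{
    desc->closed = 1;   /* stands in for kfree() of the descriptor */
}

/* mtdchar_open -> __get_mtd_device -> gluebi_get_device: the first user
 * opens the UBI volume and populates desc. */
static int gluebi_get_device(struct gluebi_device *g)
{
    if (g->refcount == 0) {
        g->desc = ubi_open_volume(0);
        if (g->desc == NULL)
            return -1;
    }
    g->refcount++;
    return 0;
}

/* mtdchar_close -> put_mtd_device -> gluebi_put_device: the last user closes
 * the volume.  The pointer is left in g->desc (assumption for the model). */
static void gluebi_put_device(struct gluebi_device *g)
{
    if (--g->refcount == 0)
        ubi_close_volume(g->desc);
}

/* ftl_add_mtd -> scan_header -> mtd_read -> gluebi_read -> ubi_read(desc)
 * with no reference taken first.  Returns bytes read, -1 where the kernel
 * would NULL-deref, -2 where it would touch freed memory. */
static int gluebi_read_no_ref(struct gluebi_device *g, char *buf, size_t len)
{
    if (g->desc == NULL)
        return -1;
    if (g->desc->closed)
        return -2;
    memset(buf, 0xff, len);   /* erased-flash stand-in for LEB contents */
    return (int)len;
}

/* Safe ordering: hold a device reference for the whole read. */
static int gluebi_read_with_ref(struct gluebi_device *g, char *buf, size_t len)
{
    int ret;
    if (gluebi_get_device(g) != 0)
        return -1;
    ret = gluebi_read_no_ref(g, buf, len);
    gluebi_put_device(g);
    return ret;
}

/* Scenarios 1-3: ftl scans the gluebi mtd before any user opened it. */
int scan_before_any_user(void)
{
    struct gluebi_device g = { 0, NULL };
    char buf[64];
    return gluebi_read_no_ref(&g, buf, sizeof buf);
}

/* slab-use-after-free: mtd_probe opens and closes /dev/mtd2, then ftl reads. */
int scan_after_probe_closed(void)
{
    struct gluebi_device g = { 0, NULL };
    char buf[64];
    gluebi_get_device(&g);
    gluebi_put_device(&g);
    return gluebi_read_no_ref(&g, buf, sizeof buf);
}

/* Same history, but the scan takes its own reference around the read. */
int scan_holding_reference(void)
{
    struct gluebi_device g = { 0, NULL };
    char buf[64];
    gluebi_get_device(&g);
    gluebi_put_device(&g);
    return gluebi_read_with_ref(&g, buf, sizeof buf);
}

int main(void)
{
    printf("no user yet:        %d (NULL desc)\n", scan_before_any_user());
    printf("after probe closed: %d (stale desc)\n", scan_after_probe_closed());
    printf("holding reference:  %d bytes\n", scan_holding_reference());
    return 0;
}
```

The point of the model is the invariant, not the kernel's exact data structures: a reader of a gluebi-backed mtd must own a device reference, taken through the same get/put hooks the character device uses, for as long as it dereferences `desc`. Both crash families on this page are the reader skipping that reference.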
The udev mtd_probe tool is needed for the following reproducers: https://github.com/lu-zero/udev/blob/master/src/mtd_probe/mtd_probe.c

### slab-use-after-free

~~~bash
ID="0x20,0xa5,0x00,0x15" # 2GB 128KB PEB, 2KB page
modprobe nandsim id_bytes=$ID
modprobe ubi
ubiattach -m 1 -O 4096
ubimkvol -N vol_a -m -n 0 /dev/ubi0
modprobe gluebi
/usr/lib/udev/mtd_probe /dev/mtd2
modprobe ftl
~~~

~~~
[ 129.238091] ==================================================================
[ 129.238855] BUG: KASAN: slab-use-after-free in ubi_leb_read+0x2d/0x110 [ubi]
[ 129.239604] Read of size 8 at addr ffff88811b7383c0 by task modprobe/1423
[ 129.240292]
[ 129.240473] CPU: 4 PID: 1423 Comm: modprobe Not tainted 6.6.0-rc5-dirty #162
[ 129.241177] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ 129.242487] Call Trace:
[ 129.242740] <TASK>
[ 129.242962] dump_stack_lvl+0x37/0x50
[ 129.243343] print_address_description.constprop.0+0x2c/0x3e0
[ 129.243938] ? ubi_leb_read+0x2d/0x110 [ubi]
[ 129.244404] print_report+0xb4/0x270
[ 129.244774] ? kasan_addr_to_slab+0xd/0xa0
[ 129.245190] kasan_report+0xb0/0xe0
[ 129.245559] ? ubi_leb_read+0x2d/0x110 [ubi]
[ 129.246035] ubi_leb_read+0x2d/0x110 [ubi]
[ 129.246504] gluebi_read+0xb4/0x100 [gluebi]
[ 129.246947] mtd_read_oob+0x110/0x270 [mtd]
[ 129.247402] mtd_read+0x9c/0xf0 [mtd]
[ 129.247810] ? __pfx_mtd_read+0x10/0x10 [mtd]
[ 129.248265] ? build_maps+0x9e1/0xa20 [ftl]
[ 129.248690] ? kasan_set_track+0x25/0x30
[ 129.249076] ftl_add_mtd+0x157/0x390 [ftl]
[ 129.249495] ? __pfx_ftl_add_mtd+0x10/0x10 [ftl]
[ 129.249964] ? idr_get_next+0x95/0xe0
[ 129.250331] ? __pfx_idr_get_next+0x10/0x10
[ 129.250747] ? __mtd_next_device+0x6e/0xa0 [mtd]
[ 129.251240] ? __pfx___mtd_next_device+0x10/0x10 [mtd]
[ 129.251777] register_mtd_blktrans+0x118/0x1b0 [mtd_blkdevs]
[ 129.252341] ? __pfx_ftl_tr_init+0x10/0x10 [ftl]
[ 129.252808] do_one_initcall+0x8d/0x2c0
[ 129.253190] ? __pfx_do_one_initcall+0x10/0x10
[ 129.253631] ? kasan_unpoison+0x27/0x60
[ 129.254006] ? __kasan_slab_alloc+0x30/0x70
[ 129.254419] ? __kmem_cache_alloc_node+0x10b/0x230
[ 129.254897] ? do_init_module+0x30/0x3a0
[ 129.255303] ? kasan_unpoison+0x27/0x60
[ 129.255695] do_init_module+0x13a/0x3a0
[ 129.256085] load_module+0x183b/0x1b40
[ 129.256473] ? __pfx_load_module+0x10/0x10
[ 129.256896] ? selinux_file_permission+0x1c2/0x1f0
[ 129.257371] ? security_file_permission+0xf5/0x2d0
[ 129.257846] ? kernel_read_file+0x3d1/0x410
[ 129.258264] ? kernel_read_file+0x1ac/0x410
[ 129.258688] ? __pfx_kernel_read_file+0x10/0x10
[ 129.259141] ? init_module_from_file+0xd2/0x130
[ 129.259606] init_module_from_file+0xd2/0x130
[ 129.260046] ? __pfx_init_module_from_file+0x10/0x10
[ 129.260548] ? __pfx__raw_spin_lock+0x10/0x10
[ 129.260986] ? __pfx_cred_has_capability+0x10/0x10
[ 129.261479] idempotent_init_module+0x265/0x380
[ 129.261933] ? __pfx_idempotent_init_module+0x10/0x10
[ 129.262447] ? __fget_light+0xae/0x1e0
[ 129.262829] __x64_sys_finit_module+0x7b/0xb0
[ 129.263318] do_syscall_64+0x3f/0x90
[ 129.263692] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 129.264196] RIP: 0033:0x7f65bfd5d4e9
[ 129.264560] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6f 8
[ 129.266381] RSP: 002b:00007ffd07f40a98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 129.267154] RAX: ffffffffffffffda RBX: 000056348f781490 RCX: 00007f65bfd5d4e9
[ 129.267860] RDX: 0000000000000000 RSI: 000056348ee1bc26 RDI: 0000000000000004
[ 129.268569] RBP: 000056348ee1bc26 R08: 0000000000000000 R09: 0000000000000000
[ 129.269270] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[ 129.269978] R13: 000056348f781450 R14: 0000000000040000 R15: 000056348f781490
[ 129.270688] </TASK>
[ 129.270917]
[ 129.271099] Allocated by task 1422:
[ 129.271462] kasan_save_stack+0x22/0x50
[ 129.271847] kasan_set_track+0x25/0x30
[ 129.272222] __kasan_kmalloc+0x7f/0x90
[ 129.272603] ubi_open_volume+0x9c/0x390 [ubi]
[ 129.273068] gluebi_get_device+0x86/0x130 [gluebi]
[ 129.273562] __get_mtd_device+0x84/0x1f0 [mtd]
[ 129.274024] get_mtd_device+0xf0/0x150 [mtd]
[ 129.274481] mtdchar_open+0x54/0x120 [mtd]
[ 129.274909] chrdev_open+0x165/0x300
[ 129.275287] do_dentry_open+0x2c3/0x910
[ 129.275677] do_open.isra.0+0x3f4/0x6b0
[ 129.276066] path_openat+0x24a/0x1140
[ 129.276435] do_filp_open+0x160/0x200
[ 129.276802] do_sys_openat2+0x301/0x350
[ 129.277189] do_sys_open+0x8e/0xf0
[ 129.277545] do_syscall_64+0x3f/0x90
[ 129.277906] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 129.278420]
[ 129.278584] Freed by task 1422:
[ 129.278900] kasan_save_stack+0x22/0x50
[ 129.279296] kasan_set_track+0x25/0x30
[ 129.279686] kasan_save_free_info+0x2b/0x50
[ 129.280114] __kasan_slab_free+0x10e/0x190
[ 129.280522] __kmem_cache_free+0x86/0x1c0
[ 129.280921] ubi_close_volume+0x9c/0x110 [ubi]
[ 129.281387] gluebi_put_device+0x53/0x60 [gluebi]
[ 129.281869] put_mtd_device+0x21/0x30 [mtd]
[ 129.282315] mtdchar_close+0x8d/0xc0 [mtd]
[ 129.282756] __fput+0x1e2/0x450
[ 129.283089] task_work_run+0xfd/0x170
[ 129.283458] do_exit+0x536/0x1300
[ 129.283801] do_group_exit+0x5c/0xf0
[ 129.284163] __x64_sys_exit_group+0x2c/0x30
[ 129.284584] do_syscall_64+0x3f/0x90
[ 129.284950] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 129.285451]
[ 129.285612] The buggy address belongs to the object at ffff88811b7383c0
[ 129.285612]  which belongs to the cache kmalloc-16 of size 16
[ 129.286794] The buggy address is located 0 bytes inside of
[ 129.286794]  freed 16-byte region [ffff88811b7383c0, ffff88811b7383d0)
[ 129.287961]
[ 129.288120] The buggy address belongs to the physical page:
[ 129.288658] page:00000000ea0a1fa9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11b738
[ 129.289583] flags: 0x200000000000800(slab|node=0|zone=2)
[ 129.290108] page_type: 0xffffffff()
[ 129.290468] raw: 0200000000000800 ffff8881000423c0 dead000000000122 0000000000000000
[ 129.291237] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[ 129.291990] page dumped because: kasan: bad access detected
[ 129.292550]
[ 129.292714] Memory state around the buggy address:
[ 129.293194]  ffff88811b738280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 129.293904]  ffff88811b738300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 129.296559] >ffff88811b738380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 129.297278]                    ^
[ 129.297820]  ffff88811b738400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 129.298562]  ffff88811b738480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 129.299293] ==================================================================
[ 129.300315] Disabling lock debugging due to kernel taint
[ 129.300870] BUG: kernel NULL pointer dereference, address: 0000000000000784
[ 129.301565] #PF: supervisor read access in kernel mode
[ 129.302074] #PF: error_code(0x0000) - not-present page
[ 129.302589] PGD 0 P4D 0
[ 129.302864] Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[ 129.303354] CPU: 4 PID: 1423 Comm: modprobe Tainted: G B 6.6.0-rc5-dirty #162
[ 129.304200] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ 129.305515] RIP: 0010:leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[ 129.306176] Code: 00 00 4c 8b bb 40 03 00 00 e8 d7 20 b3 c9 44 8b b3 48 03 00 00 45 85 f6 0f 88 b7 00 00 00 49 8d bf 84 07 00 00 e8 bb 20 b3 c9 <45> 3b b7 84 07 00 00 0f 8d 9e 00 00 00 0
[ 129.308025] RSP: 0018:ffff88810425f608 EFLAGS: 00010292
[ 129.308549] RAX: 0000000000000000 RBX: ffff88811b7383e0 RCX: ffffffffc04a2fc5
[ 129.309250] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000784
[ 129.309955] RBP: 0000000000000044 R08: ffffffffc04a2fc5 R09: fffffbfff1aecfd1
[ 129.310667] R10: fffffbfff1aecfd0 R11: ffffffff8d767e87 R12: 0000000000000000
[ 129.311383] R13: 0000000000000000 R14: 000000001b738740 R15: 0000000000000000
[ 129.312097] FS: 00007f65c0889040(0000) GS:ffff8881f7600000(0000) knlGS:0000000000000000
[ 129.312892] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 129.313464] CR2: 0000000000000784 CR3: 000000010add0000 CR4: 00000000000006e0
[ 129.314227] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 129.314940] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 129.315676] Call Trace:
[ 129.315924] <TASK>
[ 129.316147] ? __die_body+0x1f/0x70
[ 129.316505] ? page_fault_oops+0x1f2/0x500
[ 129.316912] ? __pfx_is_prefetch.isra.0+0x10/0x10
[ 129.317375] ? __pfx_page_fault_oops+0x10/0x10
[ 129.317825] ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[ 129.318406] ? search_module_extables+0x30/0x80
[ 129.318857] ? fixup_exception+0x3b/0x4a0
[ 129.319277] ? exc_page_fault+0x59/0xa0
[ 129.319660] ? asm_exc_page_fault+0x26/0x30
[ 129.320071] ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[ 129.320664] ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[ 129.321254] ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[ 129.321840] ? leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[ 129.322411] ubi_leb_read+0x3f/0x110 [ubi]
[ 129.322867] gluebi_read+0xb4/0x100 [gluebi]
[ 129.323330] mtd_read_oob+0x110/0x270 [mtd]
[ 129.323772] mtd_read+0x9c/0xf0 [mtd]
[ 129.324161] ? __pfx_mtd_read+0x10/0x10 [mtd]
[ 129.324626] ? build_maps+0x9e1/0xa20 [ftl]
[ 129.325060] ? kasan_set_track+0x25/0x30
[ 129.325455] ftl_add_mtd+0x157/0x390 [ftl]
[ 129.325878] ? __pfx_ftl_add_mtd+0x10/0x10 [ftl]
[ 129.326342] ? idr_get_next+0x95/0xe0
[ 129.326709] ? __pfx_idr_get_next+0x10/0x10
[ 129.327140] ? __mtd_next_device+0x6e/0xa0 [mtd]
[ 129.327636] ? __pfx___mtd_next_device+0x10/0x10 [mtd]
[ 129.328172] register_mtd_blktrans+0x118/0x1b0 [mtd_blkdevs]
[ 129.328746] ? __pfx_ftl_tr_init+0x10/0x10 [ftl]
[ 129.329229] do_one_initcall+0x8d/0x2c0
[ 129.329616] ? __pfx_do_one_initcall+0x10/0x10
[ 129.330059] ? kasan_unpoison+0x27/0x60
[ 129.330458] ? __kasan_slab_alloc+0x30/0x70
[ 129.330877] ? __kmem_cache_alloc_node+0x10b/0x230
[ 129.331366] ? do_init_module+0x30/0x3a0
[ 129.331766] ? kasan_unpoison+0x27/0x60
[ 129.332152] do_init_module+0x13a/0x3a0
[ 129.332548] load_module+0x183b/0x1b40
[ 129.332929] ? __pfx_load_module+0x10/0x10
[ 129.333343] ? selinux_file_permission+0x1c2/0x1f0
[ 129.333823] ? security_file_permission+0xf5/0x2d0
[ 129.334291] ? kernel_read_file+0x3d1/0x410
[ 129.334706] ? kernel_read_file+0x1ac/0x410
[ 129.335132] ? __pfx_kernel_read_file+0x10/0x10
[ 129.335587] ? init_module_from_file+0xd2/0x130
[ 129.336033] init_module_from_file+0xd2/0x130
[ 129.336471] ? __pfx_init_module_from_file+0x10/0x10
[ 129.336963] ? __pfx__raw_spin_lock+0x10/0x10
[ 129.337396] ? __pfx_cred_has_capability+0x10/0x10
[ 129.337880] idempotent_init_module+0x265/0x380
[ 129.338327] ? __pfx_idempotent_init_module+0x10/0x10
[ 129.338833] ? __fget_light+0xae/0x1e0
[ 129.339227] __x64_sys_finit_module+0x7b/0xb0
[ 129.339664] do_syscall_64+0x3f/0x90
[ 129.340032] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 129.340532] RIP: 0033:0x7f65bfd5d4e9
[ 129.340891] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6f 8
[ 129.342685] RSP: 002b:00007ffd07f40a98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 129.343441] RAX: ffffffffffffffda RBX: 000056348f781490 RCX: 00007f65bfd5d4e9
[ 129.344137] RDX: 0000000000000000 RSI: 000056348ee1bc26 RDI: 0000000000000004
[ 129.344843] RBP: 000056348ee1bc26 R08: 0000000000000000 R09: 0000000000000000
[ 129.345540] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[ 129.346244] R13: 000056348f781450 R14: 0000000000040000 R15: 000056348f781490
[ 129.346949] </TASK>
[ 129.347185] Modules linked in: ftl(+) mtd_blkdevs gluebi ubi nandsim nand nandcore mtd iptable_nat
[ 129.348087] CR2: 0000000000000784
[ 129.348468] ---[ end trace 0000000000000000 ]---
[ 129.348935] RIP: 0010:leb_read_sanity_check.isra.0+0x55/0x110 [ubi]
[ 129.349694] Code: 00 00 4c 8b bb 40 03 00 00 e8 d7 20 b3 c9 44 8b b3 48 03 00 00 45 85 f6 0f 88 b7 00 00 00 49 8d bf 84 07 00 00 e8 bb 20 b3 c9 <45> 3b b7 84 07 00 00 0f 8d 9e 00 00 00 0
[ 129.351616] RSP: 0018:ffff88810425f608 EFLAGS: 00010292
[ 129.352257] RAX: 0000000000000000 RBX: ffff88811b7383e0 RCX: ffffffffc04a2fc5
[ 129.352963] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000784
[ 129.353698] RBP: 0000000000000044 R08: ffffffffc04a2fc5 R09: fffffbfff1aecfd1
[ 129.354394] R10: fffffbfff1aecfd0 R11: ffffffff8d767e87 R12: 0000000000000000
[ 129.355093] R13: 0000000000000000 R14: 000000001b738740 R15: 0000000000000000
[ 129.355797] FS: 00007f65c0889040(0000) GS:ffff8881f7600000(0000) knlGS:0000000000000000
[ 129.356605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 129.357176] CR2: 0000000000000784 CR3: 000000010add0000 CR4: 00000000000006e0
[ 129.357880] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 129.358587] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
~~~

### page fault

~~~bash
ID="0x20,0xa5,0x00,0x15" # 2GB 128KB PEB, 2KB page
modprobe nandsim id_bytes=$ID
modprobe ubi
ubiattach -m 1 -O 4096
ubimkvol -N vol_a -m -n 0 /dev/ubi0
mount -t ubifs ubi0:vol_a /mnt
modprobe gluebi
/usr/lib/udev/mtd_probe /dev/mtd2
modprobe ftl
~~~

~~~
[ 204.767223] BUG: unable to handle page fault for address: fffffffffffffff0
[ 204.767924] #PF: supervisor read access in kernel mode
[ 204.768433] #PF: error_code(0x0000) - not-present page
[ 204.768940] PGD 130669067 P4D 130669067 PUD 13066b067 PMD 0
[ 204.769501] Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[ 204.769968] CPU: 5 PID: 1470 Comm: modprobe Not tainted 6.6.0-rc5 #163
[ 204.770617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ 204.771881] RIP: 0010:ubi_leb_read+0x2d/0x110 [ubi]
[ 204.772375] Code: fa 0f 1f 44 00 00 41 57 49 89 ff 41 56 45 89 ce 41 55 49 89 d5 41 54 41 89 f4 55 89 cd 53 44 89 c3 48 83 ec 10 e8 23 21 37 d3 <4d> 8b 3f 89 d9 89 ea 44 89 e6 4c 89 ff 6
[ 204.774091] RSP: 0018:ffff88811b9cf640 EFLAGS: 00010246
[ 204.774578] RAX: 0000000000000000 RBX: 0000000000000044 RCX: ffffffffc02630bd
[ 204.775219] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: fffffffffffffff0
[ 204.775904] RBP: 0000000000000000 R08: 0000000000000044 R09: 0000000000000000
[ 204.776554] R10: 0000000000000044 R11: ffffffff966ce549 R12: 0000000000000000
[ 204.777199] R13: ffff88811b9cf880 R14: 0000000000000000 R15: fffffffffffffff0
[ 204.777851] FS: 00007f13d55f7040(0000) GS:ffff8881f7680000(0000) knlGS:0000000000000000
[ 204.778604] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 204.779141] CR2: fffffffffffffff0 CR3: 00000001048aa000 CR4: 00000000000006e0
[ 204.779807] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 204.780474] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 204.781146] Call Trace:
[ 204.781389] <TASK>
[ 204.781608] ? __die_body+0x1f/0x70
[ 204.781964] ? page_fault_oops+0x1f2/0x500
[ 204.782357] ? __pfx_is_prefetch.isra.0+0x10/0x10
[ 204.782812] ? __pfx_page_fault_oops+0x10/0x10
[ 204.783237] ? ubi_leb_read+0x2d/0x110 [ubi]
[ 204.783671] ? search_module_extables+0x30/0x80
[ 204.784113] ? fixup_exception+0x3b/0x4a0
[ 204.784506] ? exc_page_fault+0x9d/0xa0
[ 204.784886] ? asm_exc_page_fault+0x26/0x30
[ 204.785286] ? ubi_leb_read+0x2d/0x110 [ubi]
[ 204.785720] ? ubi_leb_read+0x2d/0x110 [ubi]
[ 204.786154] gluebi_read+0xb4/0x100 [gluebi]
[ 204.786580] mtd_read_oob+0x110/0x270 [mtd]
[ 204.787011] mtd_read+0x9c/0xf0 [mtd]
[ 204.787387] ? __pfx_mtd_read+0x10/0x10 [mtd]
[ 204.787837] ? build_maps+0x9e1/0xa20 [ftl]
[ 204.788245] ? kasan_set_track+0x25/0x30
[ 204.788630] ftl_add_mtd+0x157/0x390 [ftl]
[ 204.789028] ? __pfx_ftl_add_mtd+0x10/0x10 [ftl]
[ 204.789470] ? idr_get_next+0x95/0xe0
[ 204.789819] ? __pfx_idr_get_next+0x10/0x10
[ 204.790211] ? __mtd_next_device+0x6e/0xa0 [mtd]
[ 204.790677] ? __pfx___mtd_next_device+0x10/0x10 [mtd]
[ 204.791199] register_mtd_blktrans+0x118/0x1b0 [mtd_blkdevs]
[ 204.791745] ? __pfx_ftl_tr_init+0x10/0x10 [ftl]
[ 204.792189] do_one_initcall+0x8d/0x2c0
[ 204.792556] ? __pfx_do_one_initcall+0x10/0x10
[ 204.792977] ? kasan_unpoison+0x27/0x60
[ 204.793337] ? __kasan_slab_alloc+0x30/0x70
[ 204.793739] ? __kmem_cache_alloc_node+0x10b/0x230
[ 204.794184] ? do_init_module+0x30/0x3a0
[ 204.794562] ? kasan_unpoison+0x27/0x60
[ 204.794934] do_init_module+0x13a/0x3a0
[ 204.795307] load_module+0x183b/0x1b40
[ 204.795686] ? __pfx_load_module+0x10/0x10
[ 204.796080] ? selinux_file_permission+0x1c2/0x1f0
[ 204.796548] ? security_file_permission+0xf5/0x2d0
[ 204.797006] ? kernel_read_file+0x3d1/0x410
[ 204.797409] ? kernel_read_file+0x1ac/0x410
[ 204.797815] ? __pfx_kernel_read_file+0x10/0x10
[ 204.798253] ? init_module_from_file+0xd2/0x130
[ 204.798684] init_module_from_file+0xd2/0x130
[ 204.799089] ? __pfx_init_module_from_file+0x10/0x10
[ 204.799798] ? __pfx__raw_spin_lock+0x10/0x10
[ 204.800251] ? __pfx_cred_has_capability+0x10/0x10
[ 204.800696] idempotent_init_module+0x265/0x380
[ 204.801124] ? __pfx_idempotent_init_module+0x10/0x10
[ 204.801601] ? __fget_light+0xae/0x1e0
[ 204.801961] __x64_sys_finit_module+0x7b/0xb0
[ 204.802378] do_syscall_64+0x3f/0x90
[ 204.802730] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 204.803206] RIP: 0033:0x7f13d4acb4e9
[ 204.803548] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6f 8
[ 204.805309] RSP: 002b:00007ffcdba0ce48 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 204.806044] RAX: ffffffffffffffda RBX: 000055cdc654c480 RCX: 00007f13d4acb4e9
[ 204.806717] RDX: 0000000000000000 RSI: 000055cdc501bc26 RDI: 0000000000000004
[ 204.807400] RBP: 000055cdc501bc26 R08: 0000000000000000 R09: 0000000000000000
[ 204.808077] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[ 204.808756] R13: 000055cdc654c440 R14: 0000000000040000 R15: 000055cdc654c480
[ 204.809435] </TASK>
[ 204.809660] Modules linked in: ftl(+) mtd_blkdevs gluebi deflate zstd zstd_compress lzo ubifs ubi nandsim nand nandcore mtd iptable_nat
[ 204.810821] CR2: fffffffffffffff0
[ 204.811138] ---[ end trace 0000000000000000 ]---
[ 204.811577] RIP: 0010:ubi_leb_read+0x2d/0x110 [ubi]
[ 204.812068] Code: fa 0f 1f 44 00 00 41 57 49 89 ff 41 56 45 89 ce 41 55 49 89 d5 41 54 41 89 f4 55 89 cd 53 44 89 c3 48 83 ec 10 e8 23 21 37 d3 <4d> 8b 3f 89 d9 89 ea 44 89 e6 4c 89 ff 6
[ 204.813779] RSP: 0018:ffff88811b9cf640 EFLAGS: 00010246
[ 204.814264] RAX: 0000000000000000 RBX: 0000000000000044 RCX: ffffffffc02630bd
[ 204.814921] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: fffffffffffffff0
[ 204.815593] RBP: 0000000000000000 R08: 0000000000000044 R09: 0000000000000000
[ 204.816277] R10: 0000000000000044 R11: ffffffff966ce549 R12: 0000000000000000
[ 204.816962] R13: ffff88811b9cf880 R14: 0000000000000000 R15: fffffffffffffff0
[ 204.817645] FS: 00007f13d55f7040(0000) GS:ffff8881f7680000(0000) knlGS:0000000000000000
[ 204.818410] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 204.818956] CR2:
fffffffffffffff0 CR3: 00000001048aa000 CR4: 00000000000006e0 [ 204.819628] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 204.820294] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 204.820968] note: modprobe[1470] exited with irqs disabled ~~~
Can you reproduce this bug report on latest mainline (currently v6.6-rc5)?
> https://bugzilla.kernel.org/show_bug.cgi?id=217992
> Can you reproduce this bug report on latest mainline (currently v6.6-rc5?)
>

Yes! dump_stack() indicates the current kernel version in bugzilla, in this line:

~~~
[ 17.696773] CPU: 0 PID: 1502 Comm: modprobe Not tainted 6.6.0-rc5 #158
~~~
On this issue, I make a phased summary here:

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers a NULL pointer dereference when trying to access 'gluebi->desc' in gluebi_read().

~~~
ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify                    nb->notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add    not->add()
                    ftl_add_mtd          tr->add_mtd()
                      scan_header
                        mtd_read
                          mtd_read
                            mtd_read_oob
                              gluebi_read    mtd->read()
                                gluebi->desc - NULL
~~~

In the normal case, gluebi->desc is obtained in gluebi_get_device() and then accessed in gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to the NULL pointer dereference. The value of gluebi->desc may also be a negative error code, which triggers the page fault error.

Discussions on how to fix the problem can be found at the following links:

https://lore.kernel.org/lkml/2d04fa9e-e594-705c-339b-3090cb7d6fbd@huawei.com/T/
https://lore.kernel.org/lkml/12400272-4449-040c-1ccd-6494a67f4da0@huawei.com/T/
https://lore.kernel.org/lkml/142222867.20038.1698593973984.JavaMail.zimbra@nod.at/T/
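As an added illustration (user-space C, not the kernel's gluebi code and not the mainline patch), the three states the summary above gives for gluebi->desc along the ftl notifier path, and a read guard that reports an error instead of faulting. The struct layouts, the hypothetical `vol_id` field, MAX_ERRNO and the ERR_PTR helpers are assumptions modelled on the kernel's conventions.

```c
/* Added example (user-space model, not kernel code and not the mainline
 * fix): gluebi->desc is either a valid descriptor, NULL (gluebi_get_device()
 * never ran before the ftl notifier issued a read), or a negative errno
 * stored ERR_PTR-style.  The last two states fault on first dereference. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ERRNO 4095          /* assumed: same encoding range as the kernel */

struct ubi_volume_desc { int vol_id; };          /* hypothetical stand-in */
struct gluebi_device { struct ubi_volume_desc *desc; };

static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

/* Address an ERR_PTR-encoded errno dereferences at, as a 64-bit quantity.
 * -16 (-EBUSY in glibc) encodes to 0xfffffffffffffff0, the same shape as the
 * faulting address in the second oops; the errno the real failure carried is
 * not stated in the report, so this value is only a constructed sample. */
uint64_t err_ptr_address(long err) { return (uint64_t)(int64_t)err; }

/* Mirrors the read path: ubi_leb_read() trusts desc and dereferences it. */
int gluebi_read_unguarded(struct gluebi_device *g) { return g->desc->vol_id; }

/* Defensive variant: classify desc before touching it. */
int gluebi_read_guarded(struct gluebi_device *g, int *vol_id)
{
	if (g->desc == NULL)
		return -ENODEV;                 /* never opened: refuse the read */
	if (IS_ERR(g->desc))
		return (int)PTR_ERR(g->desc);   /* propagate the stored errno */
	*vol_id = g->desc->vol_id;
	return 0;
}

/* Simulates the notifier ordering in the summary: a read attempted on a
 * device whose desc was never set by gluebi_get_device(). */
int notifier_read_before_open(int *vol_id)
{
	struct gluebi_device g = { .desc = NULL };
	return gluebi_read_guarded(&g, vol_id);    /* -ENODEV instead of an oops */
}
```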
Patch has entered the mainline: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6