syzbot reported a uaf in software_node_notify_remove. [1]
When either of the two sysfs_create_link() calls in software_node_notify() fails,
the swnode->kobj reference count will not increase normally, which will
cause swnode to be released incorrectly due to the imbalance of the kobj reference
count when executing software_node_notify_remove().
Increase the reference count of kobj before creating the link to avoid uaf.
[1]
BUG: KASAN: slab-use-after-free in software_node_notify_remove+0x1bc/0x1c0 drivers/base/swnode.c:1108
Read of size 1 at addr ffff888033c08908 by task syz-executor105/5844
CPU: 0 UID: 0 PID: 5844 Comm: syz-executor105 Not tainted 6.14.0-syzkaller-12456-gacc4d5ff0b61 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0x16e/0x5b0 mm/kasan/report.c:521
kasan_report+0x143/0x180 mm/kasan/report.c:634
software_node_notify_remove+0x1bc/0x1c0 drivers/base/swnode.c:1108
device_platform_notify_remove drivers/base/core.c:2387 [inline]
device_del+0x594/0x9b0 drivers/base/core.c:3858
device_unregister+0x20/0xc0 drivers/base/core.c:3896
mock_dev_destroy drivers/iommu/iommufd/selftest.c:960 [inline]
iommufd_test_mock_domain drivers/iommu/iommufd/selftest.c:1022 [inline]
iommufd_test+0x3715/0x56a0 drivers/iommu/iommufd/selftest.c:1866
iommufd_fops_ioctl+0x4fc/0x610 drivers/iommu/iommufd/main.c:419
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f14c7b0b6e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff388f87b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fff388f87d0 RCX: 00007f14c7b0b6e9
RDX: 0000200000000200 RSI: 0000000000003ba0 RDI: 0000000000000003
RBP: 0000000000000002 R08: 00007fff388f8556 R09: 00000000000000a0
R10: 0000000000000002 R11: 0000000000000246 R12: 00007fff388f87cc
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
Allocated by task 5844:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x9d/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x236/0x370 mm/slub.c:4362
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
swnode_register+0x5a/0x540 drivers/base/swnode.c:790
fwnode_create_software_node+0x199/0x1f0 drivers/base/swnode.c:949
device_create_managed_software_node+0xd5/0x1f0 drivers/base/swnode.c:1060
mock_dev_create drivers/iommu/iommufd/selftest.c:942 [inline]
iommufd_test_mock_domain drivers/iommu/iommufd/selftest.c:989 [inline]
iommufd_test+0x3335/0x56a0 drivers/iommu/iommufd/selftest.c:1866
iommufd_fops_ioctl+0x4fc/0x610 drivers/iommu/iommufd/main.c:419
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5844:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2389 [inline]
slab_free mm/slub.c:4646 [inline]
kfree+0x198/0x430 mm/slub.c:4845
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x22f/0x480 lib/kobject.c:737
software_node_notify_remove+0x159/0x1c0 drivers/base/swnode.c:1106
device_platform_notify_remove drivers/base/core.c:2387 [inline]
device_del+0x594/0x9b0 drivers/base/core.c:3858
device_unregister+0x20/0xc0 drivers/base/core.c:3896
mock_dev_destroy drivers/iommu/iommufd/selftest.c:960 [inline]
iommufd_test_mock_domain drivers/iommu/iommufd/selftest.c:1022 [inline]
iommufd_test+0x3715/0x56a0 drivers/iommu/iommufd/selftest.c:1866
iommufd_fops_ioctl+0x4fc/0x610 drivers/iommu/iommufd/main.c:419
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 9eb59204d519 ("iommufd/selftest: Add set_dev_pasid in mock iommu")
Reported-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ff22910687ee0dfd48e
Tested-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
drivers/base/swnode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
index b1726a3515f6..5c78fa6ae772 100644
--- a/drivers/base/swnode.c
+++ b/drivers/base/swnode.c
@@ -1080,6 +1080,7 @@ void software_node_notify(struct device *dev)
if (!swnode)
return;
+ kobject_get(&swnode->kobj);
ret = sysfs_create_link(&dev->kobj, &swnode->kobj, "software_node");
if (ret)
return;
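Review bot: with kobject_get() moved ahead of the first sysfs_create_link(), both early `return`s in this function now deliberately exit while still holding the extra reference and rely on software_node_notify_remove() to drop it; a one-line comment above `+ kobject_get(&swnode->kobj);` saying that the reference is dropped unconditionally on the remove side would stop a later reader from treating the failure path as a leaked reference and re-introducing the imbalance syzbot reported.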
@@ -1089,8 +1090,6 @@ void software_node_notify(struct device *dev)
sysfs_remove_link(&dev->kobj, "software_node");
return;
}
-
- kobject_get(&swnode->kobj);
}
void software_node_notify_remove(struct device *dev)
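Review bot: deleting the trailing kobject_get() is the necessary counterpart of the first hunk, otherwise the success path would take two references where the old code took one; the second failure path still visible here (`sysfs_remove_link(&dev->kobj, "software_node"); return;`) removes the first link but keeps the reference, which is only correct if the remove side tolerates links that were never created, and since software_node_notify_remove() is outside this hunk a sentence in the commit message confirming that its kobject_put() is unconditional would make the balance reviewable from the patch alone.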
--
2.43.0
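To make the imbalance the commit message describes concrete, here is an added user-space model (not code from the patch, the kernel or this thread) of the kobj reference count across software_node_notify() and software_node_notify_remove(), with and without the fix. The `managed` field and the second put under it are assumptions about code outside the hunks; the read after the first put stands for the one-byte access the KASAN report places at swnode.c:1108.

```c
#include <stdbool.h>

/* Constructed user-space model of the swnode kobject lifetime; not kernel code.
 * The object starts with the one reference swnode_register() gives it, then
 * passes through software_node_notify() and software_node_notify_remove(). */
struct swnode_model {
	int refcount;	/* stands in for the kobj kref */
	bool freed;	/* set when the last reference is dropped (kfree) */
	bool managed;	/* assumed one-byte field read after the put (swnode.c:1108) */
};

enum outcome { LIFE_UAF, LIFE_OK, LIFE_LEAK };

static void model_get(struct swnode_model *s) { s->refcount++; }

static void model_put(struct swnode_model *s)
{
	if (--s->refcount == 0)
		s->freed = true;	/* kobject_release() -> kfree(swnode) */
}

/* software_node_notify(): the reference is taken either before the sysfs
 * links (after the fix) or only once both links succeeded (before it). */
static void notify(struct swnode_model *s, bool fixed, bool link_fails)
{
	if (fixed)
		model_get(s);	/* the moved kobject_get() at the top */
	if (link_fails)
		return;		/* early return on sysfs_create_link() failure */
	if (!fixed)
		model_get(s);	/* the old trailing kobject_get() */
}

/* software_node_notify_remove(): unconditional put, then a read of the object.
 * Returns false when that read would touch freed memory (the reported UAF). */
static bool notify_remove(struct swnode_model *s)
{
	model_put(s);
	if (s->freed)
		return false;	/* KASAN: slab-use-after-free on the next read */
	if (s->managed)
		model_put(s);	/* assumed: managed nodes drop the creation ref here */
	return true;
}

/* Drive one lifecycle and classify the result. */
static enum outcome run_lifecycle(bool fixed, bool link_fails)
{
	struct swnode_model s = { .refcount = 1, .managed = true };
	notify(&s, fixed, link_fails);
	if (!notify_remove(&s))
		return LIFE_UAF;
	return s.freed ? LIFE_OK : LIFE_LEAK;
}
```

Only the old code with a failing link ends in LIFE_UAF; every other combination frees the node exactly once, showing the fix neither leaks nor over-releases.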
On Fri, Apr 11, 2025 at 08:42:02AM +0800, Lizhi Xu wrote:
> syzbot reported a uaf in software_node_notify_remove. [1]
>
> When either of the two sysfs_create_link() calls in software_node_notify() fails,
> the swnode->kobj reference count will not increase normally, which will
> cause swnode to be released incorrectly due to the imbalance of the kobj reference
> count when executing software_node_notify_remove().
>
> Increase the reference count of kobj before creating the link to avoid uaf.
>
> [1]

Please reduce this to ~5-7 lines only. This is how the Submitting Patches document
recommends putting backtraces in commit messages:
https://www.kernel.org/doc/html/latest/process/submitting-patches.html#backtraces-in-commit-messages

> Fixes: 9eb59204d519 ("iommufd/selftest: Add set_dev_pasid in mock iommu")
> Reported-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2ff22910687ee0dfd48e

> Tested-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com

Where is the positive result of it? I can't find the respective log.
To me this one
https://syzkaller.appspot.com/x/report.txt?x=158af070580000
doesn't sound like a useful report, as I don't know if this patch fixes one
regression and introduces another.

Dmitry?

-- 
With Best Regards,
Andy Shevchenko
On Mon, 14 Apr 2025 09:20:30 +0300, Andy Shevchenko wrote:
> On Fri, Apr 11, 2025 at 08:42:02AM +0800, Lizhi Xu wrote:
> > syzbot reported a uaf in software_node_notify_remove. [1]
> >
> > When either of the two sysfs_create_link() calls in software_node_notify() fails,
> > the swnode->kobj reference count will not increase normally, which will
> > cause swnode to be released incorrectly due to the imbalance of the kobj reference
> > count when executing software_node_notify_remove().
> >
> > Increase the reference count of kobj before creating the link to avoid uaf.
> >
> > [1]
>
> Please reduce this to ~5-7 lines only. This is how the Submitting Patches document
> recommends putting backtraces in commit messages:
> https://www.kernel.org/doc/html/latest/process/submitting-patches.html#backtraces-in-commit-messages
Ok, I will reduce the calltrace and send a V2 patch.
>
> > Fixes: 9eb59204d519 ("iommufd/selftest: Add set_dev_pasid in mock iommu")
> > Reported-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=2ff22910687ee0dfd48e
>
> > Tested-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
>
> Where is the positive result of it? I can't find the respective log.
> To me this one
> https://syzkaller.appspot.com/x/report.txt?x=158af070580000
> doesn't sound like a useful report, as I don't know if this patch fixes one
> regression and introduces another.
You can see: https://syzkaller.appspot.com/x/log.txt?x=118af07058000
For tasks related to the reproducing program, there are only FAULT_INJECTION
related problems in the log and no other problems, the log record duration
exceeds 240 seconds, and no uaf occurs, which is enough to prove that the
problem has been fixed.

BR,
Lizhi
On Mon, Apr 14, 2025 at 03:08:34PM +0800, Lizhi Xu wrote:
> On Mon, 14 Apr 2025 09:20:30 +0300, Andy Shevchenko wrote:
> > On Fri, Apr 11, 2025 at 08:42:02AM +0800, Lizhi Xu wrote:
> > > syzbot reported a uaf in software_node_notify_remove. [1]
> > >
> > > When either of the two sysfs_create_link() calls in software_node_notify() fails,
> > > the swnode->kobj reference count will not increase normally, which will
> > > cause swnode to be released incorrectly due to the imbalance of the kobj reference
> > > count when executing software_node_notify_remove().
> > >
> > > Increase the reference count of kobj before creating the link to avoid uaf.
> > >
> > > [1]
> >
> > Please reduce this to ~5-7 lines only. This is how the Submitting Patches document
> > recommends putting backtraces in commit messages:
> > https://www.kernel.org/doc/html/latest/process/submitting-patches.html#backtraces-in-commit-messages
> Ok, I will reduce the calltrace and send a V2 patch.
> >
> > > Fixes: 9eb59204d519 ("iommufd/selftest: Add set_dev_pasid in mock iommu")
> > > Reported-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=2ff22910687ee0dfd48e
> >
> > > Tested-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
> >
> > Where is the positive result of it? I can't find the respective log.
> > To me this one
> > https://syzkaller.appspot.com/x/report.txt?x=158af070580000
> > doesn't sound like a useful report, as I don't know if this patch fixes one
> > regression and introduces another.
> You can see: https://syzkaller.appspot.com/x/log.txt?x=118af07058000
> For tasks related to the reproducing program, there are only FAULT_INJECTION
> related problems in the log and no other problems, the log record duration
> exceeds 240 seconds, and no uaf occurs, which is enough to prove that the
> problem has been fixed.

I'm not objecting to the original issue being fixed; what I'm confused about
is that the report has only one line, which doesn't make it clear that there are
no new regressions found during the same run.

-- 
With Best Regards,
Andy Shevchenko
On Mon, Apr 14, 2025 at 09:20:30AM +0300, Andy Shevchenko wrote:
> On Fri, Apr 11, 2025 at 08:42:02AM +0800, Lizhi Xu wrote:
> > syzbot reported a uaf in software_node_notify_remove. [1]
> >
> > When either of the two sysfs_create_link() calls in software_node_notify() fails,
> > the swnode->kobj reference count will not increase normally, which will
> > cause swnode to be released incorrectly due to the imbalance of the kobj reference
> > count when executing software_node_notify_remove().
> >
> > Increase the reference count of kobj before creating the link to avoid uaf.
> >
> > [1]
>
> Please reduce this to ~5-7 lines only. This is how the Submitting Patches document
> recommends putting backtraces in commit messages:
> https://www.kernel.org/doc/html/latest/process/submitting-patches.html#backtraces-in-commit-messages
>
> > Fixes: 9eb59204d519 ("iommufd/selftest: Add set_dev_pasid in mock iommu")
> > Reported-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=2ff22910687ee0dfd48e
>
> > Tested-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
>
> Where is the positive result of it? I can't find the respective log.
> To me this one
> https://syzkaller.appspot.com/x/report.txt?x=158af070580000
> doesn't sound like a useful report, as I don't know if this patch fixes one
> regression and introduces another.
>
> Dmitry?

Code-wise it makes sense to me. We do the put in asymmetrical order.
Thanks for looking into it.

-- 
With Best Regards,
Andy Shevchenko
syzbot reported a uaf in software_node_notify_remove. [1]
When either of the two sysfs_create_link() calls in software_node_notify() fails,
the swnode->kobj reference count will not increase normally, which will
cause swnode to be released incorrectly due to the imbalance of the kobj reference
count when executing software_node_notify_remove().
Increase the reference count of kobj before creating the link to avoid uaf.
[1]
BUG: KASAN: slab-use-after-free in software_node_notify_remove+0x1bc/0x1c0 drivers/base/swnode.c:1108
Read of size 1 at addr ffff888033c08908 by task syz-executor105/5844
Freed by task 5844:
software_node_notify_remove+0x159/0x1c0 drivers/base/swnode.c:1106
device_platform_notify_remove drivers/base/core.c:2387 [inline]
Fixes: 9eb59204d519 ("iommufd/selftest: Add set_dev_pasid in mock iommu")
Reported-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2ff22910687ee0dfd48e
Tested-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
V1 -> V2: reduce calltrace
drivers/base/swnode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
index b1726a3515f6..5c78fa6ae772 100644
--- a/drivers/base/swnode.c
+++ b/drivers/base/swnode.c
@@ -1080,6 +1080,7 @@ void software_node_notify(struct device *dev)
if (!swnode)
return;
+ kobject_get(&swnode->kobj);
ret = sysfs_create_link(&dev->kobj, &swnode->kobj, "software_node");
if (ret)
return;
@@ -1089,8 +1090,6 @@ void software_node_notify(struct device *dev)
sysfs_remove_link(&dev->kobj, "software_node");
return;
}
-
- kobject_get(&swnode->kobj);
}
void software_node_notify_remove(struct device *dev)
--
2.43.0
On Mon, Apr 14, 2025 at 03:11:23PM +0800, Lizhi Xu wrote:
> syzbot reported a uaf in software_node_notify_remove. [1]
>
> When either of the two sysfs_create_link() calls in software_node_notify() fails,
> the swnode->kobj reference count will not increase normally, which will
> cause swnode to be released incorrectly due to the imbalance of the kobj reference
> count when executing software_node_notify_remove().
>
> Increase the reference count of kobj before creating the link to avoid uaf.
>
> [1]
> BUG: KASAN: slab-use-after-free in software_node_notify_remove+0x1bc/0x1c0 drivers/base/swnode.c:1108
> Read of size 1 at addr ffff888033c08908 by task syz-executor105/5844
> Freed by task 5844:
> software_node_notify_remove+0x159/0x1c0 drivers/base/swnode.c:1106
> device_platform_notify_remove drivers/base/core.c:2387 [inline]
>
> Fixes: 9eb59204d519 ("iommufd/selftest: Add set_dev_pasid in mock iommu")
> Reported-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2ff22910687ee0dfd48e
> Tested-by: syzbot+2ff22910687ee0dfd48e@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>

Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>

> ---
> V1 -> V2: reduce calltrace
>
> drivers/base/swnode.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
> index b1726a3515f6..5c78fa6ae772 100644
> --- a/drivers/base/swnode.c
> +++ b/drivers/base/swnode.c
> @@ -1080,6 +1080,7 @@ void software_node_notify(struct device *dev)
>  	if (!swnode)
>  		return;
>
> +	kobject_get(&swnode->kobj);
>  	ret = sysfs_create_link(&dev->kobj, &swnode->kobj, "software_node");
>  	if (ret)
>  		return;
> @@ -1089,8 +1090,6 @@ void software_node_notify(struct device *dev)
>  		sysfs_remove_link(&dev->kobj, "software_node");
>  		return;
>  	}
> -
> -	kobject_get(&swnode->kobj);
>  }
>
>  void software_node_notify_remove(struct device *dev)
> --
> 2.43.0
>

-- 
Sakari Ailus
On Mon, Apr 14, 2025 at 03:11:23PM +0800, Lizhi Xu wrote:
> syzbot reported a uaf in software_node_notify_remove. [1]
>
> When either of the two sysfs_create_link() calls in software_node_notify() fails,
> the swnode->kobj reference count will not increase normally, which will
> cause swnode to be released incorrectly due to the imbalance of the kobj reference
> count when executing software_node_notify_remove().
>
> Increase the reference count of kobj before creating the link to avoid uaf.
>
> [1]
> BUG: KASAN: slab-use-after-free in software_node_notify_remove+0x1bc/0x1c0 drivers/base/swnode.c:1108
> Read of size 1 at addr ffff888033c08908 by task syz-executor105/5844
> Freed by task 5844:
> software_node_notify_remove+0x159/0x1c0 drivers/base/swnode.c:1106
> device_platform_notify_remove drivers/base/core.c:2387 [inline]

The fix looks correct to me,
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

-- 
With Best Regards,
Andy Shevchenko