Re: linuxnext-2019127 edac warns (was Re: edac KASAN warning in experimental arm64 allmodconfig boot)

From: Robert Richter
Date: Thu Nov 28 2019 - 16:13:09 EST

Next message: Andy Lutomirski: "Re: [PATCH] ptrace/x86: introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall()"
Previous message: Pavel Begunkov: "[PATCH 2/3] list: introduce list_for_each_continue()"
In reply to: Borislav Petkov: "Re: linuxnext-20191127 edac warns (was Re: edac KASAN warning in experimental arm64 allmodconfig boot)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 27.11.19 17:07:33, John Garry wrote:
> [ 22.104498] BUG: KASAN: use-after-free in
> edac_remove_sysfs_mci_device+0x148/0x180

It is triggered in edac_remove_sysfs_mci_device().

device_unregister(&dimm->dev) not only removes the sysfs entry, it
also frees the dimm struct in dimm_attr_release(). When incrementing
the loop in mci_for_each_dimm(), the dimm struct is accessed again
which causes the use-after-free. But, the dimm struct shouln'd be
released here already.

edac_remove_sysfs_mci_device() should not release the devices at this
point. We need clean release functions for mci and dimm_info and
refcounts to protect pdev/dev mappings. And mci_for_each_dimm() must
be checked how it handles device removals and if it is safe.

Let's see how this can be fixed.

Thanks for reporting the issue.

-Robert

Next message: Andy Lutomirski: "Re: [PATCH] ptrace/x86: introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall()"
Previous message: Pavel Begunkov: "[PATCH 2/3] list: introduce list_for_each_continue()"
In reply to: Borislav Petkov: "Re: linuxnext-20191127 edac warns (was Re: edac KASAN warning in experimental arm64 allmodconfig boot)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]