Linux block layer
From: Phillip Potter <phil@philpotter.co.uk>
To: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Phillip Potter <phil@philpotter.co.uk>,
	axboe@kernel.dk, linux-block@vger.kernel.org,
	Sergey Senozhatsky <senozhatsky@chromium.org>
Subject: Re: [PATCH 0/1] cdrom: patch for inclusion
Date: Fri, 25 Jul 2025 08:40:59 +0100	[thread overview]
Message-ID: <aIM1Cx-YLm3nky58@equinox> (raw)
In-Reply-To: <3a5hhkymroystnc2ztkyejgyvfsaamfrlwwoagorymonftlkln@7qzlqyaq4zpa>

On Thu, Jul 24, 2025 at 04:51:34PM +0900, Sergey Senozhatsky wrote:
> On (25/07/24 12:54), Sergey Senozhatsky wrote:
> > On (25/07/23 09:02), Phillip Potter wrote:
> > > On Wed, Jul 23, 2025 at 10:14:32AM +0900, Sergey Senozhatsky wrote:
> > > > On (25/07/23 00:18), Phillip Potter wrote:
> > > > > [..] I plan to do more digging regarding this, hopefully
> > > > > this weekend when I have some free time, as I'd really love to replicate
> > > > > the original crash.
> > > > 
> > > > I'm waiting for LG GP65NB60 shipment (arriving today/tomorrow), which
> > > > shows up in crash reports (it should have CDC_MRW_W.)  So I'll be able
> > > > to run some tests soon.
> > > 
> > > Had to fake it with mine by forcing open the relevant code path for the
> > > check to be done. It still didn't crash, so I'll be interested to see
> > > your results.
> > 
> > 100% reproducible (at least on 6.6 LTS) with LG GP65.
> 
> And unpatched 6.12 LTS sometimes UAFs
> 
> [  106.092832] ==================================================================
> [  106.092866] BUG: KASAN: slab-use-after-free in sr_packet+0x179/0x1c0 [sr_mod]
> [  106.092903] Read of size 8 at addr ffff888002a6c154 by task cros-disks/1958
> 
> [  106.092943] CPU: 2 UID: 213 PID: 1958 Comm: cros-disks Not tainted 6.12.24-kasan-00964-g86abb5aa35ec
> [  106.092969] Call Trace:
> [  106.092976]  <TASK>
> [  106.092983]  dump_stack_lvl+0x85/0xc0
> [  106.093007]  print_address_description+0x72/0x210
> [  106.093023]  print_report+0x4e/0x60
> [  106.093037]  kasan_report+0x131/0x170
> [  106.093052]  ? sr_packet+0x179/0x1c0 [sr_mod f28dbac28d644b5cb94db24e267ca134450739a2]
> [  106.093075]  sr_packet+0x179/0x1c0 [sr_mod f28dbac28d644b5cb94db24e267ca134450739a2]
> [  106.093095]  cdrom_mrw_exit+0xea/0x2e0 [cdrom 2d8b336738c9be415c8730ee14c0fc4e4c0367db]
> [  106.093120]  sr_free_disk+0x9a/0xc0 [sr_mod f28dbac28d644b5cb94db24e267ca134450739a2]
> [  106.093138]  disk_release+0x248/0x280
> [  106.093156]  device_release+0x94/0x190
> [  106.093172]  kobject_put+0x177/0x1f0
> [  106.093187]  blkdev_release+0x11/0x20
> [  106.093201]  __fput+0x1a7/0x7c0
> [  106.093221]  task_work_run+0x107/0x180
> [  106.093240]  resume_user_mode_work+0x4e/0x50
> [  106.093254]  syscall_exit_to_user_mode+0x63/0xb0
> [  106.093268]  do_syscall_64+0x76/0xe0
> [  106.093818]  </TASK>
> 
> [  106.094277] Allocated by task 12:
> [  106.094295]  kasan_save_track+0x3a/0x80
> [  106.094318]  __kasan_kmalloc+0x75/0x90
> [  106.094339]  __kmalloc_noprof+0x18e/0x310
> [  106.094360]  scsi_alloc_sdev+0x117/0x9d0
> [  106.094383]  scsi_probe_and_add_lun+0x168/0x3670
> [  106.094405]  __scsi_scan_target+0x121/0x7a0
> [  106.094426]  scsi_scan_host_selected+0x291/0x4f0
> [  106.094448]  do_scan_async+0x21b/0x710
> [  106.094469]  async_run_entry_fn+0x97/0x360
> [  106.094490]  process_scheduled_works+0x757/0xe20
> [  106.094512]  worker_thread+0xb4c/0x1150
> [  106.094533]  kthread+0x274/0x300
> [  106.094553]  ret_from_fork+0x3b/0x70
> [  106.094576]  ret_from_fork_asm+0x11/0x20
> 
> [  106.094611] Freed by task 1958:
> [  106.094628]  kasan_save_track+0x3a/0x80
> [  106.094649]  kasan_save_free_info+0x46/0x60
> [  106.094670]  __kasan_slab_free+0x37/0x50
> [  106.094690]  kfree+0x103/0x300
> [  106.094710]  scsi_device_dev_release+0x95d/0x9d0
> [  106.094732]  device_release+0x94/0x190
> [  106.094753]  kobject_put+0x177/0x1f0
> [  106.094773]  scsi_device_put+0x7f/0x90
> [  106.094793]  bdev_release+0x46a/0x570
> [  106.094818]  blkdev_release+0x11/0x20
> [  106.094836]  __fput+0x1a7/0x7c0
> [  106.094856]  task_work_run+0x107/0x180
> [  106.094880]  resume_user_mode_work+0x4e/0x50
> [  106.094900]  syscall_exit_to_user_mode+0x63/0xb0
> [  106.094920]  do_syscall_64+0x76/0xe0
> [  106.094940]  entry_SYSCALL_64_after_hwframe+0x55/0x5d
> 
> 
> The patched one doesn't.

Fantastic news. Thanks for testing this, and for your other testing
too, much appreciated. Have a great weekend.

Regards,
Phil
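As an added illustration (not part of the thread, and not code from the cdrom or sr_mod maintainers), here is a small Python triage helper that parses a KASAN report like the one Sergey quoted above and pulls out what a reviewer looks at first: the bug class, the faulting function and module, the access size, the use stack, and the allocate/free stacks with their owning tasks. The sample input is the quoted report with the "> " markers stripped and a few frames trimmed; the frame filtering and the "same task" heuristic are this script's own assumptions, not anything from the thread.

```python
"""Triage helper for KASAN reports (added example, not the kernel's own tooling)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the report quoted in the thread above, quote
# markers removed and a few frames trimmed for brevity.
KASAN_REPORT = """\
[  106.092866] BUG: KASAN: slab-use-after-free in sr_packet+0x179/0x1c0 [sr_mod]
[  106.092903] Read of size 8 at addr ffff888002a6c154 by task cros-disks/1958

[  106.092943] CPU: 2 UID: 213 PID: 1958 Comm: cros-disks Not tainted 6.12.24-kasan-00964-g86abb5aa35ec
[  106.092969] Call Trace:
[  106.092976]  <TASK>
[  106.092983]  dump_stack_lvl+0x85/0xc0
[  106.093037]  kasan_report+0x131/0x170
[  106.093052]  ? sr_packet+0x179/0x1c0 [sr_mod f28dbac28d644b5cb94db24e267ca134450739a2]
[  106.093075]  sr_packet+0x179/0x1c0 [sr_mod f28dbac28d644b5cb94db24e267ca134450739a2]
[  106.093095]  cdrom_mrw_exit+0xea/0x2e0 [cdrom 2d8b336738c9be415c8730ee14c0fc4e4c0367db]
[  106.093120]  sr_free_disk+0x9a/0xc0 [sr_mod f28dbac28d644b5cb94db24e267ca134450739a2]
[  106.093138]  disk_release+0x248/0x280
[  106.093156]  device_release+0x94/0x190
[  106.093172]  kobject_put+0x177/0x1f0
[  106.093187]  blkdev_release+0x11/0x20
[  106.093201]  __fput+0x1a7/0x7c0
[  106.093818]  </TASK>

[  106.094277] Allocated by task 12:
[  106.094295]  kasan_save_track+0x3a/0x80
[  106.094318]  __kasan_kmalloc+0x75/0x90
[  106.094339]  __kmalloc_noprof+0x18e/0x310
[  106.094360]  scsi_alloc_sdev+0x117/0x9d0
[  106.094383]  scsi_probe_and_add_lun+0x168/0x3670

[  106.094611] Freed by task 1958:
[  106.094628]  kasan_save_track+0x3a/0x80
[  106.094670]  __kasan_slab_free+0x37/0x50
[  106.094690]  kfree+0x103/0x300
[  106.094710]  scsi_device_dev_release+0x95d/0x9d0
[  106.094732]  device_release+0x94/0x190
[  106.094753]  kobject_put+0x177/0x1f0
[  106.094773]  scsi_device_put+0x7f/0x90
[  106.094793]  bdev_release+0x46a/0x570
[  106.094818]  blkdev_release+0x11/0x20
"""

TS = r"\[\s*\d+\.\d+\]\s*"  # printk timestamp prefix
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
ACCESS_RE = re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>[^/]+)/(?P<pid>\d+)")
SECTION_RE = re.compile(TS + r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME_RE = re.compile(TS + r"(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)[^\]]*\])?")


@dataclass
class KasanTriage:
    kind: str                      # e.g. slab-use-after-free
    func: str                      # function performing the bad access
    module: Optional[str]
    op: str = ""                   # Read / Write
    size: int = 0
    addr: str = ""
    task: str = ""
    pid: int = 0
    use_stack: List[str] = field(default_factory=list)
    alloc_pid: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_pid: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)

    def freed_by_same_task(self) -> bool:
        return self.free_pid is not None and self.free_pid == self.pid


def _internal(func: str) -> bool:
    # KASAN and stack-dump plumbing frames carry no triage information (assumed filter).
    return func.startswith(("kasan_", "__kasan_", "dump_stack", "print_"))


def parse_kasan_report(text: str) -> KasanTriage:
    triage: Optional[KasanTriage] = None
    stacks = {}
    section = "use"                # frames before the first "Allocated/Freed by" header
    for line in text.splitlines():
        m = BUG_RE.match(line)
        if m:
            triage = KasanTriage(kind=m["kind"], func=m["func"], module=m["mod"])
            stacks = {"use": triage.use_stack, "allocated": triage.alloc_stack, "freed": triage.free_stack}
            continue
        if triage is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            triage.op, triage.size, triage.addr = m["op"], int(m["size"]), m["addr"]
            triage.task, triage.pid = m["comm"], int(m["pid"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["what"].lower()
            if section == "allocated":
                triage.alloc_pid = int(m["pid"])
            else:
                triage.free_pid = int(m["pid"])
            continue
        m = FRAME_RE.match(line)
        # "? " frames are guesses from the unwinder; drop them along with KASAN internals.
        if m and not m["unreliable"] and not _internal(m["func"]):
            stacks[section].append(m["func"])
    if triage is None:
        raise ValueError("no 'BUG: KASAN:' line found")
    return triage


def summarize(t: KasanTriage) -> str:
    out = [
        f"{t.kind}: {t.op} of {t.size} bytes in {t.func} [{t.module}] by {t.task}/{t.pid}",
        "use path: " + " <- ".join(t.use_stack),
        f"freed by task {t.free_pid}: " + " <- ".join(t.free_stack),
        f"allocated by task {t.alloc_pid}: " + " <- ".join(t.alloc_stack),
    ]
    if t.freed_by_same_task():
        out.append("hint: freed and used by the same task, so look for a teardown-ordering "
                   "bug within one release path rather than a cross-task race")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_kasan_report(KASAN_REPORT)))
```

On this report the summary shows the struct was allocated by the SCSI scan (task 12), freed from `bdev_release` via `scsi_device_put` by `cros-disks`/1958, and then read by the same task's `blkdev_release` -> `disk_release` -> `sr_free_disk` -> `cdrom_mrw_exit` path, which is exactly the ordering the patch in this thread addresses by moving the MRW exit work to `cdrom_release`.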
