* Use after free in dispatch_hid_bpf_output_report()
From: Petr Tesařík @ 2025-05-09 9:39 UTC (permalink / raw)
To: Benjamin Tissoires; +Cc: linux-input
Hi all,
after installing v6.15-rc5 on my laptop, I'm running into an invalid
pointer dereference in dispatch_hid_bpf_output_report() on suspend. I
added some debugging messages (see patch below), and I can see this
sequence of events:
[ 1568.571776] [ T7420] PM: suspend entry (deep)
[ 1568.602245] [ T7420] Filesystems sync: 0.030 seconds
[ 1568.613183] [ T1704] hid-generic 0005:04F2:182A.0004: CLEANED UP srcu 00000000b7570e01
[ 1568.613348] [ T724] hid-generic 0005:04F2:182A.0004: UAF srcu 00000000b7570e01
[ 1568.616215] [ T7420] Freezing user space processes
The HID device is a Bluetooth keyboard (using bluez 5.79), which
(presumably) gets disconnected on suspend.
FTR I didn't encounter any such issues with v6.14.
Petr T
diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index 2e96ec6a3073..f284175e8b0b 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -130,6 +130,11 @@ int dispatch_hid_bpf_output_report(struct hid_device *hdev,
struct hid_bpf_ops *e;
int ret, idx;
+ if (unlikely(!hdev->bpf.srcu.sda)) {
+ hid_warn(hdev, "UAF srcu %p", &hdev->bpf.srcu);
+ return 0;
+ }
+
idx = srcu_read_lock(&hdev->bpf.srcu);
list_for_each_entry_srcu(e, &hdev->bpf.prog_list, list,
srcu_read_lock_held(&hdev->bpf.srcu)) {
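Review bot: the `!hdev->bpf.srcu.sda` test at the top of the function is a plain load of a field that `cleanup_srcu_struct()` (third hunk) has already torn down, with nothing ordering it against the destroy path, so it shrinks the window but does not close it: the device can still be destroyed between this check and the `srcu_read_lock()` two lines below. That is enough to confirm the sequence of events in the log, which is what the hunk is for, but a fix needs a flag (the `->destroyed` approach mentioned later in the thread) that is written before `synchronize_srcu()` and checked at the entry of every hook, rather than a peek at SRCU internals.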
@@ -143,6 +148,8 @@ int dispatch_hid_bpf_output_report(struct hid_device *hdev,
ret = 0;
out:
+ if (unlikely(!hdev->bpf.srcu.sda))
+ hid_warn(hdev, "RACE srcu %p", &hdev->bpf.srcu);
srcu_read_unlock(&hdev->bpf.srcu, idx);
return ret;
}
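Review bot: the `RACE` check at `out:` sits before `srcu_read_unlock()`, so when it fires the unlock still runs against the torn-down per-CPU data; that unlock is the faulting write in `__srcu_read_unlock` shown in the oops, so this hunk records the race but cannot avoid the crash. Skipping the unlock would be wrong as well (the read side was entered), which is another sign that the decision has to be taken before `srcu_read_lock()`, not after. Since `sda` can change between this test and the unlock, a run that never prints `RACE` also proves nothing.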
@@ -631,6 +638,7 @@ void hid_bpf_destroy_device(struct hid_device *hdev)
synchronize_srcu(&hdev->bpf.srcu);
cleanup_srcu_struct(&hdev->bpf.srcu);
+ hid_info(hdev, "CLEANED UP srcu %p", &hdev->bpf.srcu);
}
EXPORT_SYMBOL_GPL(hid_bpf_destroy_device);
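Review bot: the `hid_info()` itself is harmless, but the hunk shows why the race exists: `synchronize_srcu()` only waits for readers that have already called `srcu_read_lock()`, and the T724 thread in the log enters 165 us after `CLEANED UP` was printed, so it is not covered, and whatever closes the read side to newcomers has to happen before this `synchronize_srcu()`. The `%p` format hashes the address, which is fine here: the same hash in the `CLEANED UP` and `UAF` lines is all that is needed to tie both to one `hid_device` without printing a raw kernel pointer.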
* Re: Use after free in dispatch_hid_bpf_output_report()
From: Petr Tesařík @ 2025-05-09 10:18 UTC (permalink / raw)
To: Benjamin Tissoires; +Cc: linux-input
On Fri, 9 May 2025 11:39:05 +0200
Petr Tesařík <petr@tesarici.cz> wrote:
> Hi all,
>
> after installing v6.15-rc5 on my laptop, I'm running into an invalid
> pointer dereference in dispatch_hid_bpf_output_report() on suspend. I
> added some debugging messages (see patch below), and I can see this
> sequence of events:
>
> [ 1568.571776] [ T7420] PM: suspend entry (deep)
> [ 1568.602245] [ T7420] Filesystems sync: 0.030 seconds
> [ 1568.613183] [ T1704] hid-generic 0005:04F2:182A.0004: CLEANED UP srcu 00000000b7570e01
> [ 1568.613348] [ T724] hid-generic 0005:04F2:182A.0004: UAF srcu 00000000b7570e01
> [ 1568.616215] [ T7420] Freezing user space processes
Forgot to include the UAF stack trace (before the debug patch was
applied):
May 06 21:18:24 meshulam kernel: BUG: unable to handle page fault for address: ffff8c9071a1c018
May 06 21:18:24 meshulam kernel: #PF: supervisor write access in kernel mode
May 06 21:18:44 meshulam kernel: #PF: error_code(0x0002) - not-present page
May 06 21:18:44 meshulam kernel: PGD 33f401067 P4D 33f401067 PUD 0
May 06 21:18:44 meshulam kernel: Oops: Oops: 0002 [#1] SMP NOPTI
May 06 21:18:44 meshulam kernel: CPU: 0 UID: 0 PID: 26142 Comm: kworker/0:0 Not tainted 6.15.0-rc5-laptop #51 PREEMPT(voluntary) 1072ac82a8987caeba8aaea73a32d97435788b0c
May 06 21:18:44 meshulam kernel: Hardware name: LENOVO 20NF0004MC/20NF0004MC, BIOS R11ET45W (1.25 ) 07/04/2022
May 06 21:18:44 meshulam kernel: Workqueue: events hidinput_led_worker
May 06 21:18:44 meshulam kernel: RIP: 0010:__srcu_read_unlock+0x1a/0x30
May 06 21:18:44 meshulam kernel: Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 f0 83 44 24 fc 00 48 63 f6 48 c1 e6 04 48 03 77 08 <65> 48 ff 46 08 e9 8c 98 b8 00 66 66 2>
May 06 21:18:44 meshulam kernel: RSP: 0018:ffffcd67ccf43d98 EFLAGS: 00010202
May 06 21:18:44 meshulam kernel: RAX: 0000000000000000 RBX: ffff8c8fc8fb3e20 RCX: 0000000000000000
May 06 21:18:44 meshulam kernel: RDX: 0000000000000002 RSI: 0000000000000010 RDI: ffff8c8fc8fb3e50
May 06 21:18:44 meshulam kernel: RBP: ffffcd67ccf43e08 R08: 0000000000000000 R09: ffff8c8d2c761000
May 06 21:18:44 meshulam kernel: R10: 0000000000000001 R11: 00000000ffffffff R12: 0000000000000000
May 06 21:18:44 meshulam kernel: R13: ffff8c8c618475c0 R14: 0000000000000001 R15: 0000000000000000
May 06 21:18:44 meshulam kernel: FS: 0000000000000000(0000) GS:ffff8c9071a1c000(0000) knlGS:0000000000000000
May 06 21:18:44 meshulam kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
May 06 21:18:44 meshulam kernel: CR2: ffff8c9071a1c018 CR3: 000000012e463000 CR4: 00000000003506f0
May 06 21:18:44 meshulam kernel: Call Trace:
May 06 21:18:44 meshulam kernel: <TASK>
May 06 21:18:44 meshulam kernel: dispatch_hid_bpf_output_report+0xb5/0xf0
May 06 21:18:44 meshulam kernel: ? srso_return_thunk+0x5/0x5f
May 06 21:18:44 meshulam kernel: hid_hw_output_report+0x46/0x90
May 06 21:18:44 meshulam kernel: hidinput_led_worker+0xaa/0xf0
May 06 21:18:44 meshulam kernel: process_one_work+0x17f/0x330
May 06 21:18:44 meshulam kernel: worker_thread+0x33a/0x480
May 06 21:18:44 meshulam kernel: ? __pfx_worker_thread+0x10/0x10
May 06 21:18:44 meshulam kernel: kthread+0xfc/0x210
May 06 21:18:44 meshulam kernel: ? __pfx_kthread+0x10/0x10
May 06 21:18:44 meshulam kernel: ret_from_fork+0x34/0x50
May 06 21:18:44 meshulam kernel: ? __pfx_kthread+0x10/0x10
May 06 21:18:44 meshulam kernel: ret_from_fork_asm+0x1a/0x30
May 06 21:18:44 meshulam kernel: </TASK>
May 06 21:18:44 meshulam kernel: Modules linked in: uhid snd_seq_dummy snd_hrtimer rfcomm snd_seq ccm nf_nat_tftp nf_conntrack_tftp nf_conntrack_netbios_ns nf_conntrack_broadcast af_packet bridge stp llc >
May 06 21:18:44 meshulam kernel: dm_bio_prison cfg80211 snd_seq_device realtek think_lmi sparse_keymap videobuf2_common mdio_devres i2c_piix4 snd_acp_config mii snd_timer snd_soc_acpi irqbypass efi_pstor>
May 06 21:18:44 meshulam kernel: dm_mirror dm_region_hash dm_log dm_mod msr efivarfs dmi_sysfs
May 06 21:18:44 meshulam kernel: CR2: ffff8c9071a1c018
May 06 21:18:44 meshulam kernel: ---[ end trace 0000000000000000 ]---
May 06 21:18:44 meshulam kernel: RIP: 0010:__srcu_read_unlock+0x1a/0x30
May 06 21:18:44 meshulam kernel: Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 f0 83 44 24 fc 00 48 63 f6 48 c1 e6 04 48 03 77 08 <65> 48 ff 46 08 e9 8c 98 b8 00 66 66 2>
May 06 21:18:44 meshulam kernel: RSP: 0018:ffffcd67ccf43d98 EFLAGS: 00010202
May 06 21:18:44 meshulam kernel: RAX: 0000000000000000 RBX: ffff8c8fc8fb3e20 RCX: 0000000000000000
May 06 21:18:44 meshulam kernel: RDX: 0000000000000002 RSI: 0000000000000010 RDI: ffff8c8fc8fb3e50
May 06 21:18:44 meshulam kernel: RBP: ffffcd67ccf43e08 R08: 0000000000000000 R09: ffff8c8d2c761000
May 06 21:18:44 meshulam kernel: R10: 0000000000000001 R11: 00000000ffffffff R12: 0000000000000000
May 06 21:18:44 meshulam kernel: R13: ffff8c8c618475c0 R14: 0000000000000001 R15: 0000000000000000
May 06 21:18:44 meshulam kernel: FS: 0000000000000000(0000) GS:ffff8c9071a1c000(0000) knlGS:0000000000000000
May 06 21:18:44 meshulam kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
May 06 21:18:44 meshulam kernel: CR2: ffff8c9071a1c018 CR3: 000000012e463000 CR4: 00000000003506f0
May 06 21:18:44 meshulam kernel: note: kworker/0:0[26142] exited with irqs disabled
Petr T
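A small triage helper for the two log excerpts in this thread, added here as an example and not part of Petr's mail or of the kernel tree: it pairs each `UAF`/`RACE` line printed by the debug patch with the earlier `CLEANED UP` line for the same SRCU pointer hash and reports which threads raced and how far apart, and it pulls the fault, workqueue, faulting symbol and real call-trace frames out of the oops. The message formats are assumed to be exactly those of the debug patch (`hid_warn`/`hid_info` with the `CLEANED UP`, `UAF` and `RACE` strings) and of a journalctl-prefixed oops; both sample inputs are constructed from the lines quoted above, the oops trimmed to the lines the parser uses.

```python
import re

# Constructed sample 1: the dmesg excerpt from the debug-patch run quoted in the thread
SAMPLE_DMESG = """\
[ 1568.571776] [ T7420] PM: suspend entry (deep)
[ 1568.602245] [ T7420] Filesystems sync: 0.030 seconds
[ 1568.613183] [ T1704] hid-generic 0005:04F2:182A.0004: CLEANED UP srcu 00000000b7570e01
[ 1568.613348] [ T724] hid-generic 0005:04F2:182A.0004: UAF srcu 00000000b7570e01
[ 1568.616215] [ T7420] Freezing user space processes
"""

# Constructed sample 2: a trimmed copy of the oops from the second mail, journalctl prefixes kept
SAMPLE_OOPS = """\
May 06 21:18:24 meshulam kernel: BUG: unable to handle page fault for address: ffff8c9071a1c018
May 06 21:18:24 meshulam kernel: #PF: supervisor write access in kernel mode
May 06 21:18:44 meshulam kernel: Workqueue: events hidinput_led_worker
May 06 21:18:44 meshulam kernel: RIP: 0010:__srcu_read_unlock+0x1a/0x30
May 06 21:18:44 meshulam kernel: Call Trace:
May 06 21:18:44 meshulam kernel:  <TASK>
May 06 21:18:44 meshulam kernel:  dispatch_hid_bpf_output_report+0xb5/0xf0
May 06 21:18:44 meshulam kernel:  ? srso_return_thunk+0x5/0x5f
May 06 21:18:44 meshulam kernel:  hid_hw_output_report+0x46/0x90
May 06 21:18:44 meshulam kernel:  hidinput_led_worker+0xaa/0xf0
May 06 21:18:44 meshulam kernel:  process_one_work+0x17f/0x330
May 06 21:18:44 meshulam kernel:  </TASK>
"""

# "May 06 21:18:44 host kernel: " prefix that journalctl puts in front of every kernel line
JOURNAL_PREFIX = re.compile(r"^[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d \S+ kernel: ?")
# "[ 1568.613183] [ T1704] message" as printed with CONFIG_PRINTK_CALLER-style thread ids
DMESG_LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+\[\s*T(?P<tid>\d+)\]\s+(?P<msg>.*)$")
# The three messages the debug patch prints; the pointer is the hashed %p value
SRCU_EVENT = re.compile(r"^(?P<dev>\S+ \S+): (?P<event>CLEANED UP|UAF|RACE) srcu (?P<ptr>[0-9a-f]+)$")
RIP_LINE = re.compile(r"^RIP: [0-9a-f]{4}:(?P<sym>[^+\s]+)")


def find_use_after_cleanup(dmesg_text):
    """Pair every UAF/RACE line with the earlier CLEANED UP line for the same srcu hash."""
    cleaned = {}    # srcu hash -> (timestamp, tid, device name)
    findings = []
    for raw in dmesg_text.splitlines():
        m = DMESG_LINE.match(raw)
        if not m:
            continue
        ts, tid = float(m["ts"]), int(m["tid"])
        ev = SRCU_EVENT.match(m["msg"])
        if not ev:
            continue
        if ev["event"] == "CLEANED UP":
            cleaned[ev["ptr"]] = (ts, tid, ev["dev"])
        elif ev["ptr"] in cleaned:
            c_ts, c_tid, dev = cleaned[ev["ptr"]]
            findings.append({
                "device": dev,
                "srcu": ev["ptr"],
                "event": ev["event"],
                "cleanup_tid": c_tid,   # thread that ran hid_bpf_destroy_device()
                "user_tid": tid,        # thread that entered the hook afterwards
                "delay_us": round((ts - c_ts) * 1e6),
            })
    return findings


def summarize_oops(log_text):
    """Extract the fault description, workqueue, faulting symbol and non-'?' call-trace frames."""
    summary = {"bug": None, "workqueue": None, "rip": None, "trace": []}
    in_trace = False
    for raw in log_text.splitlines():
        line = JOURNAL_PREFIX.sub("", raw).strip()
        if line.startswith("BUG: "):
            summary["bug"] = line[len("BUG: "):]
        elif line.startswith("Workqueue: "):
            summary["workqueue"] = line.split()[-1]
        elif summary["rip"] is None and (m := RIP_LINE.match(line)):
            summary["rip"] = m["sym"]
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace and not line.startswith("?"):
            summary["trace"].append(line.split("+")[0])   # drop the +offset/size part
    return summary


if __name__ == "__main__":
    for f in find_use_after_cleanup(SAMPLE_DMESG):
        print(f"{f['device']}: {f['event']} on srcu {f['srcu']} by T{f['user_tid']} "
              f"{f['delay_us']} us after T{f['cleanup_tid']} cleaned it up")
    s = summarize_oops(SAMPLE_OOPS)
    print(f"fault in {s['rip']} (workqueue {s['workqueue']}): {' <- '.join(s['trace'])}")
```

On the thread's own excerpt the pairing step reports one hit: T724 entered the hook 165 us after T1704 had finished `hid_bpf_destroy_device()`, and the oops summary puts the fault in `__srcu_read_unlock` called from `dispatch_hid_bpf_output_report` on the `hidinput_led_worker` workqueue, which is the picture the two mails describe. Feeding it a full `journalctl -k` or `dmesg` capture from a machine running the debug patch gives the same pairing for every device, so a run that prints no hits is a quick check that the read side is no longer being entered after teardown.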
* Re: Use after free in dispatch_hid_bpf_output_report()
From: Benjamin Tissoires @ 2025-05-12 14:47 UTC (permalink / raw)
To: Petr Tesařík; +Cc: linux-input
Hi Petr,
On May 09 2025, Petr Tesařík wrote:
> Hi all,
>
> after installing v6.15-rc5 on my laptop, I'm running into an invalid
> pointer dereference in dispatch_hid_bpf_output_report() on suspend. I
> added some debugging messages (see patch below), and I can see this
> sequence of events:
>
> [ 1568.571776] [ T7420] PM: suspend entry (deep)
> [ 1568.602245] [ T7420] Filesystems sync: 0.030 seconds
> [ 1568.613183] [ T1704] hid-generic 0005:04F2:182A.0004: CLEANED UP srcu 00000000b7570e01
> [ 1568.613348] [ T724] hid-generic 0005:04F2:182A.0004: UAF srcu 00000000b7570e01
> [ 1568.616215] [ T7420] Freezing user space processes
>
> The HID device is a Bluetooth keyboard (using bluez 5.79), which
> (presumably) gets disconnected on suspend.
>
> FTR I didn't encounter any such issues with v6.14.
Thanks for the patch. I already cc-ed you to the other debugging
thread[0], because I am slightly in favor of the other approach, based
on ->destroyed. Also that other patch prevents the race in other hooks.
Cheers,
Benjamin
[0] https://lore.kernel.org/linux-input/xyfdjeijtdt4sgb4zjmlibdbbvaaly3m3wiqhk7tu35cb2bpip@axziyhfcqx6w/T/#t
>
> Petr T
>
> diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
> index 2e96ec6a3073..f284175e8b0b 100644
> --- a/drivers/hid/bpf/hid_bpf_dispatch.c
> +++ b/drivers/hid/bpf/hid_bpf_dispatch.c
> @@ -130,6 +130,11 @@ int dispatch_hid_bpf_output_report(struct hid_device *hdev,
> struct hid_bpf_ops *e;
> int ret, idx;
>
> + if (unlikely(!hdev->bpf.srcu.sda)) {
> + hid_warn(hdev, "UAF srcu %p", &hdev->bpf.srcu);
> + return 0;
> + }
> +
> idx = srcu_read_lock(&hdev->bpf.srcu);
> list_for_each_entry_srcu(e, &hdev->bpf.prog_list, list,
> srcu_read_lock_held(&hdev->bpf.srcu)) {
> @@ -143,6 +148,8 @@ int dispatch_hid_bpf_output_report(struct hid_device *hdev,
> ret = 0;
>
> out:
> + if (unlikely(!hdev->bpf.srcu.sda))
> + hid_warn(hdev, "RACE srcu %p", &hdev->bpf.srcu);
> srcu_read_unlock(&hdev->bpf.srcu, idx);
> return ret;
> }
> @@ -631,6 +638,7 @@ void hid_bpf_destroy_device(struct hid_device *hdev)
>
> synchronize_srcu(&hdev->bpf.srcu);
> cleanup_srcu_struct(&hdev->bpf.srcu);
> + hid_info(hdev, "CLEANED UP srcu %p", &hdev->bpf.srcu);
> }
> EXPORT_SYMBOL_GPL(hid_bpf_destroy_device);
>
* Re: Use after free in dispatch_hid_bpf_output_report()
From: Petr Tesařík @ 2025-05-12 18:28 UTC (permalink / raw)
To: Benjamin Tissoires; +Cc: linux-input
On Mon, 12 May 2025 16:47:12 +0200
Benjamin Tissoires <bentiss@kernel.org> wrote:
> Hi Petr,
>
>
> On May 09 2025, Petr Tesařík wrote:
> > Hi all,
> >
> > after installing v6.15-rc5 on my laptop, I'm running into an invalid
> > pointer dereference in dispatch_hid_bpf_output_report() on suspend. I
> > added some debugging messages (see patch below), and I can see this
> > sequence of events:
> >
> > [ 1568.571776] [ T7420] PM: suspend entry (deep)
> > [ 1568.602245] [ T7420] Filesystems sync: 0.030 seconds
> > [ 1568.613183] [ T1704] hid-generic 0005:04F2:182A.0004: CLEANED UP srcu 00000000b7570e01
> > [ 1568.613348] [ T724] hid-generic 0005:04F2:182A.0004: UAF srcu 00000000b7570e01
> > [ 1568.616215] [ T7420] Freezing user space processes
> >
> > The HID device is a Bluetooth keyboard (using bluez 5.79), which
> > (presumably) gets disconnected on suspend.
> >
> > FTR I didn't encounter any such issues with v6.14.
>
> Thanks for the patch. I already cc-ed you to the other debugging
> thread[0], because I am slightly in favor of the other approach, based
> on ->destroyed. Also that other patch prevents the race in other hooks.
Oh, sure thing. My patch was not intended as a fix, rather as a way to
debug the issue, and I included it only for reference.
Thank you for your quick fix!
Petr T