public inbox for patches@lists.linux.dev
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Luo Qiu <luoqiu@kylinsec.com.cn>,
	Ulf Hansson <ulf.hansson@linaro.org>
Subject: [PATCH 6.6 24/26] memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
Date: Thu,  3 Apr 2025 16:20:45 +0100
Message-ID: <20250403151623.112100680@linuxfoundation.org>
In-Reply-To: <20250403151622.415201055@linuxfoundation.org>

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luo Qiu <luoqiu@kylinsec.com.cn>

commit 4676741a3464b300b486e70585c3c9b692be1632 upstream.

This fixes the following crash:

==================================================================
BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241

CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G            E      6.14.0-rc6+ #1
Tainted: [E]=UNSIGNED_MODULE
Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024
Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]
Call Trace:
 <TASK>
 dump_stack_lvl+0x51/0x70
 print_address_description.constprop.0+0x27/0x320
 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 print_report+0x3e/0x70
 kasan_report+0xab/0xe0
 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
 ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]
 ? __pfx___schedule+0x10/0x10
 ? kick_pool+0x3b/0x270
 process_one_work+0x357/0x660
 worker_thread+0x390/0x4c0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x190/0x1d0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2d/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 161446:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x10/0x30
 __kasan_kmalloc+0x7b/0x90
 __kmalloc_noprof+0x1a7/0x470
 memstick_alloc_host+0x1f/0xe0 [memstick]
 rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]
 platform_probe+0x60/0xe0
 call_driver_probe+0x35/0x120
 really_probe+0x123/0x410
 __driver_probe_device+0xc7/0x1e0
 driver_probe_device+0x49/0xf0
 __device_attach_driver+0xc6/0x160
 bus_for_each_drv+0xe4/0x160
 __device_attach+0x13a/0x2b0
 bus_probe_device+0xbd/0xd0
 device_add+0x4a5/0x760
 platform_device_add+0x189/0x370
 mfd_add_device+0x587/0x5e0
 mfd_add_devices+0xb1/0x130
 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]
 usb_probe_interface+0x15c/0x460
 call_driver_probe+0x35/0x120
 really_probe+0x123/0x410
 __driver_probe_device+0xc7/0x1e0
 driver_probe_device+0x49/0xf0
 __device_attach_driver+0xc6/0x160
 bus_for_each_drv+0xe4/0x160
 __device_attach+0x13a/0x2b0
 rebind_marked_interfaces.isra.0+0xcc/0x110
 usb_reset_device+0x352/0x410
 usbdev_do_ioctl+0xe5c/0x1860
 usbdev_ioctl+0xa/0x20
 __x64_sys_ioctl+0xc5/0xf0
 do_syscall_64+0x59/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 161506:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x36/0x60
 __kasan_slab_free+0x34/0x50
 kfree+0x1fd/0x3b0
 device_release+0x56/0xf0
 kobject_cleanup+0x73/0x1c0
 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]
 platform_remove+0x2f/0x50
 device_release_driver_internal+0x24b/0x2e0
 bus_remove_device+0x124/0x1d0
 device_del+0x239/0x530
 platform_device_del.part.0+0x19/0xe0
 platform_device_unregister+0x1c/0x40
 mfd_remove_devices_fn+0x167/0x170
 device_for_each_child_reverse+0xc9/0x130
 mfd_remove_devices+0x6e/0xa0
 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]
 usb_unbind_interface+0xf3/0x3f0
 device_release_driver_internal+0x24b/0x2e0
 proc_disconnect_claim+0x13d/0x220
 usbdev_do_ioctl+0xb5e/0x1860
 usbdev_ioctl+0xa/0x20
 __x64_sys_ioctl+0xc5/0xf0
 do_syscall_64+0x59/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Last potentially related work creation:
 kasan_save_stack+0x20/0x40
 kasan_record_aux_stack+0x85/0x90
 insert_work+0x29/0x100
 __queue_work+0x34a/0x540
 call_timer_fn+0x2a/0x160
 expire_timers+0x5f/0x1f0
 __run_timer_base.part.0+0x1b6/0x1e0
 run_timer_softirq+0x8b/0xe0
 handle_softirqs+0xf9/0x360
 __irq_exit_rcu+0x114/0x130
 sysvec_apic_timer_interrupt+0x72/0x90
 asm_sysvec_apic_timer_interrupt+0x16/0x20

Second to last potentially related work creation:
 kasan_save_stack+0x20/0x40
 kasan_record_aux_stack+0x85/0x90
 insert_work+0x29/0x100
 __queue_work+0x34a/0x540
 call_timer_fn+0x2a/0x160
 expire_timers+0x5f/0x1f0
 __run_timer_base.part.0+0x1b6/0x1e0
 run_timer_softirq+0x8b/0xe0
 handle_softirqs+0xf9/0x360
 __irq_exit_rcu+0x114/0x130
 sysvec_apic_timer_interrupt+0x72/0x90
 asm_sysvec_apic_timer_interrupt+0x16/0x20

The buggy address belongs to the object at ffff888136335000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 896 bytes inside of
 freed 2048-byte region [ffff888136335000, ffff888136335800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x136330
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 0017ffffc0000040 ffff888100042f00 ffffea000417a000 dead000000000002
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0017ffffc0000040 ffff888100042f00 ffffea000417a000 dead000000000002
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0017ffffc0000003 ffffea0004d8cc01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888136335280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888136335300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888136335380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888136335400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888136335480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 6827ca573c03 ("memstick: rtsx_usb_ms: Support runtime power management")
Signed-off-by: Luo Qiu <luoqiu@kylinsec.com.cn>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/4B7BC3E6E291E6F2+20250317101438.25650-1-luoqiu@kylinsec.com.cn
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/memstick/host/rtsx_usb_ms.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/memstick/host/rtsx_usb_ms.c
+++ b/drivers/memstick/host/rtsx_usb_ms.c
@@ -813,6 +813,7 @@ static int rtsx_usb_ms_drv_remove(struct
 
 	host->eject = true;
 	cancel_work_sync(&host->handle_req);
+	cancel_delayed_work_sync(&host->poll_card);
 
 	mutex_lock(&host->host_mutex);
 	if (host->req) {
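Review bot: the new cancel_delayed_work_sync(&host->poll_card) is placed correctly, after host->eject = true and before the host object is released later in rtsx_usb_ms_drv_remove, and the synchronous variant is the right call: the KASAN report's "Last potentially related work creation" trace shows poll_card being queued from a timer (call_timer_fn -> __queue_work), so only cancelling handle_req with cancel_work_sync() leaves the timer-armed poll_card instance free to run rtsx_usb_ms_poll_card after kobject_cleanup -> device_release has kfree'd the host allocated in probe, which is exactly the slab-use-after-free in the report. cancel_delayed_work_sync() also waits for an in-flight run and blocks the work from re-queueing itself while the cancel is in progress, so the eject flag set just above is enough for the poll routine to bail out. Two follow-ups worth checking in the rest of the function, which the hunk does not show: nothing after this point should re-arm poll_card (for example a runtime-resume path, given the Fixes tag points at the runtime PM commit 6827ca573c03), since a re-queue after the cancel returns would reopen the race; and a one-line comment above the new call saying the delayed work must be drained before the host goes away would make the ordering requirement explicit for the next reader.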


