Since you're going to have to resend the patch anyway could you modify this commit message some more?

On Wed, Aug 02, 2023 at 10:43:49AM -0700, cujomalainey@chromium.org wrote:

From: Curtis Malainey cujomalainey@chromium.org

The current implementation of how devices are released is valid for production use cases (root control of memory is handled by card_dev, all other devices are no-ops).

I don't understand what "root control of memory is handled by card_dev, all other devices are no-ops" means. At first I thought this was refering to code that is out of tree but now I think we are talking about a CONFIG_DEBUG option. Could you spell out which option we are talking about?

This model does not work though in a kernel hacking environment where KASAN and delayed release on kobj is enabled.

I don't think KASAN has anything to do with the bug, right? KASAN just finds the bug, it doesn't cause it. The bug is always there regardless. The "delayed release" is CONFIG_DEBUG_KOBJECT_RELEASE. Could you please mention that specifically. Say something like:

"KASAN detected a use after free when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, which, hopefully, no one does on a production system."

I feel like a KASAN stack trace might help clarify where the use after free happens.

If the card_dev device is released before any of the child objects a use-after-free bug is caught by KASAN as the delayed release still has a reference to the devices that were freed by the card_dev release.

Ah... I think I understand.

"The CONFIG_DEBUG_KOBJECT_RELEASE introduces an element of randomness to the release process so we could free the card_dev before the child objects resulting in a use after free. But if we don't enable that the releases happen in a nice fixed order."

Also both snd_card and snd_pcm both own two devices internally, so even if they released independently, the shared struct would result in another use after free.

Does this second use after free happen regardless of CONFIG_DEBUG_KOBJECT_RELEASE?

Solution is to move the child devices into their own memory so they can be handled independently and released on their own schedule.

Signed-off-by: Curtis Malainey cujomalainey@chromium.org Cc: Doug Anderson dianders@chromium.org

---

Also I know it's complicated here, but could you try identify a Fixes tag where this bug is introduced or first starts affecting the things? This looks like a pretty core bug so it's possible it predates git. I'm not sure what to do in that case. I normally just mention it under the --- cut off line.

regards, dan carpenter

On Wed, 02 Aug 2023 19:06:05 +0200, Curtis Malainey wrote:

On Tue, Aug 1, 2023 at 11:42 PM Takashi Iwai tiwai@suse.de wrote:

...

On Tue, 01 Aug 2023 19:18:41 +0200, cujomalainey@chromium.org wrote:

...

From: Curtis Malainey cujomalainey@chromium.org

The current implementation of how devices are released is valid for production use cases (root control of memory is handled by card_dev, all other devices are no-ops).

This model does not work though in a kernel hacking environment where KASAN and delayed release on kobj is enabled. If the card_dev device is released before any of the child objects a use-after-free bug is caught by KASAN as the delayed release still has a reference to the devices that were freed by the card_dev release. Also both snd_card and snd_pcm both own two devices internally, so even if they released independently, the shared struct would result in another use after free.

Solution is to move the child devices into their own memory so they can be handled independently and released on their own schedule.

Signed-off-by: Curtis Malainey cujomalainey@chromium.org Cc: Doug Anderson dianders@chromium.org

Thanks, it's an interesting bug.

I'm not much against the proposed solution, but still this has to be carefully evaluated. So, could you give more details about the bug itself? It's related with CONFIG_DEBUG_KOBJECT_RELEASE, right? In which condition it's triggered and how the UAF looks like?

Hi Takashi

Here is one of the stack traces we are seeing (for snd_pcm)

[ 1098.876460] ================================================================== [ 1098.884763] BUG: KASAN: use-after-free in enqueue_timer+0xa0/0x628 [ 1098.884849] Write of size 8 at addr ffffff80cbdc6800 by task kworker/7:4/255 [ 1098.884888] [ 1098.884909] CPU: 7 PID: 255 Comm: kworker/7:4 Not tainted 5.15.117-lockdep-19614-g05bc12fd18a9 #1 5a757fac993273e9fde5e8de9925ee0cebe8540f [ 1098.884961] Hardware name: Google Pompom (rev3+) with LTE (DT) [ 1098.884990] Workqueue: events kobject_delayed_cleanup [ 1098.885038] Call trace: [ 1098.885059] dump_backtrace+0x0/0x4e8 [ 1098.885095] show_stack+0x34/0x44 [ 1098.885129] dump_stack_lvl+0xdc/0x11c [ 1098.885165] print_address_description+0x30/0x2d8 [ 1098.885203] kasan_report+0x178/0x1e4 [ 1098.885237] __asan_report_store8_noabort+0x44/0x50 [ 1098.885276] enqueue_timer+0xa0/0x628 [ 1098.885309] internal_add_timer+0xa0/0x254 [ 1098.885346] __mod_timer+0x588/0xc4c [ 1098.885378] add_timer+0x74/0x94 [ 1098.885411] __queue_delayed_work+0x170/0x208 [ 1098.885447] queue_delayed_work_on+0x128/0x160 [ 1098.885483] kobject_put+0x278/0x2cc [ 1098.885517] put_device+0x30/0x48 [ 1098.885553] snd_ctl_dev_free+0xc8/0xe4 [ 1098.885590] __snd_device_free+0x124/0x1b8 [ 1098.885626] snd_device_free_all+0x148/0x184 [ 1098.885663] release_card_device+0x5c/0x180 [ 1098.885698] device_release+0xd4/0x1b4 [ 1098.885732] kobject_delayed_cleanup+0x130/0x304 [ 1098.885765] process_one_work+0x620/0x137c [ 1098.885802] worker_thread+0x43c/0xa08 [ 1098.885837] kthread+0x2e4/0x3a0 [ 1098.885872] ret_from_fork+0x10/0x20 [ 1098.885907] [ 1098.885926] Allocated by task 11891: [ 1098.885953] kasan_save_stack+0x38/0x68 [ 1098.885992] __kasan_kmalloc+0x90/0xac [ 1098.886026] kmem_cache_alloc_trace+0x258/0x40c [ 1098.886063] _snd_pcm_new+0xc4/0x2c8 [ 1098.886098] snd_pcm_new+0x5c/0x74 [ 1098.886132] loopback_pcm_new+0xa0/0x20c [snd_aloop] [ 1098.886194] loopback_probe+0x210/0x850 [snd_aloop] [ 1098.886235] platform_probe+0x150/0x1c8 [ 1098.886273] really_probe+0x274/0xa20 [ 1098.886308] __driver_probe_device+0x1b4/0x3b4 [ 1098.886344] driver_probe_device+0x78/0x1c0 [ 1098.886379] __device_attach_driver+0x1ac/0x2c8 [ 1098.886414] bus_for_each_drv+0x11c/0x190 [ 1098.886448] __device_attach+0x278/0x3c8 [ 1098.886482] device_initial_probe+0x2c/0x3c [ 1098.886517] bus_probe_device+0xbc/0x1c8 [ 1098.886550] device_add+0x1174/0x1630 [ 1098.886581] platform_device_add+0x3f8/0x6f8 [ 1098.886617] platform_device_register_full+0x36c/0x3f8 [ 1098.886656] 0xffffffc0032e3174 [ 1098.886691] do_one_initcall+0x1e8/0x91c [ 1098.886727] do_init_module+0x16c/0x444 [ 1098.886762] load_module+0x63e0/0x7f8c [ 1098.886795] __arm64_sys_finit_module+0x1e4/0x214 [ 1098.886830] invoke_syscall+0x98/0x278 [ 1098.886862] el0_svc_common+0x214/0x274 [ 1098.886894] do_el0_svc+0x9c/0x19c [ 1098.886926] el0_svc+0x5c/0xc0 [ 1098.886959] el0t_64_sync_handler+0x78/0x108 [ 1098.886994] el0t_64_sync+0x1a4/0x1a8 [ 1098.887027] [ 1098.887046] Freed by task 255: [ 1098.887071] kasan_save_stack+0x38/0x68 [ 1098.887106] kasan_set_track+0x28/0x3c [ 1098.887139] kasan_set_free_info+0x28/0x4c [ 1098.887174] ____kasan_slab_free+0x110/0x164 [ 1098.887209] __kasan_slab_free+0x18/0x28 [ 1098.887242] kfree+0x200/0x868 [ 1098.887275] snd_pcm_free+0x88/0x98 [ 1098.887311] snd_pcm_dev_free+0x48/0x5c [ 1098.887347] __snd_device_free+0x124/0x1b8 [ 1098.887384] snd_device_free_all+0xc8/0x184 [ 1098.887419] release_card_device+0x5c/0x180 [ 1098.887453] device_release+0xd4/0x1b4 [ 1098.887486] kobject_delayed_cleanup+0x130/0x304 [ 1098.887519] process_one_work+0x620/0x137c [ 1098.887555] worker_thread+0x43c/0xa08 [ 1098.887590] kthread+0x2e4/0x3a0 [ 1098.887623] ret_from_fork+0x10/0x20

A similar one is generated for snd_card if card_dev.release runs before ctl_dev.release. This patch is solving the same bug in both places at once.

Hmm. It's still puzzling, and I'm not 100% sure whether your analysis is right. The above shows it's freed by task 255, while the task hitting UAF itself is 255. It might be rather the combination of devres and delayed releases.

With CONFIG_DEBUG_KOBJECT_RELEASE, the kernel should show the info of each delayed release kobject. Could you give them together with the Oops, so that we can see the flow how it hits UAF?

thanks,

Takashi

You should be able to easily reproduce this if you turn on the following

CONFIG_DEBUG_KOBJECT=y CONFIG_DEBUG_KOBJECT_RELEASE=y CONFIG_DEBUG_OBJECTS=y CONFIG_DEBUG_OBJECTS_TIMERS=y CONFIG_KASAN=y

Then just unload and reload snd-dummy or snd-aloop in a loop. E.g.

while true; do modprobe snd-dummy; rmmod snd-dummy; done

The issue is that kobj should be able to be released independently of each other, but since all of them depend on card_dev for memory release and sometimes they even share the same allocation, it breaks this rule.

There is still another latent bug hiding in the system as well that I am working on today related to devm memory release of snd_card running before card_dev.release

It will reproduce with the same setup even with the above patch applied, so just an FYI if you spot it.

[ 4972.098280] kobject: 'snd_dummy' (000000006c6d3069): kobject_release, parent 000000009bf07dfe (delayed 2000) [ 4972.098278] CPU: 9 PID: 16058 Comm: kworker/9:0 Tainted: G U 6.5.0-rc3-00236-gd54aad9920bd-dirty #18 a69e57e648f1e29627a189036c9fd8083c170225 [ 4972.098294] Hardware name: Google Anahera/Anahera, BIOS Google_Anahera.14505.315.0 12/02/2022 [ 4972.098302] Workqueue: events kobject_delayed_cleanup [ 4972.098317] Call Trace: [ 4972.098324] <TASK> [ 4972.098330] dump_stack_lvl+0x91/0xd0 [ 4972.098344] print_report+0x15b/0x4d0 [ 4972.098356] ? __virt_addr_valid+0xbb/0x130 [ 4972.098369] ? kasan_addr_to_slab+0x11/0x80 [ 4972.098381] ? release_card_device+0x86/0xd0 [ 4972.098392] kasan_report+0xb1/0xf0 [ 4972.098403] ? release_card_device+0x86/0xd0 [ 4972.098415] ? _raw_spin_unlock_irqrestore+0x1b/0x40 [ 4972.098427] release_card_device+0x86/0xd0 [ 4972.098438] device_release+0x66/0x110 [ 4972.098449] kobject_delayed_cleanup+0x133/0x140 [ 4972.098462] process_one_work+0x3e3/0x680 [ 4972.098474] worker_thread+0x487/0x6d0 [ 4972.098487] ? __pfx_worker_thread+0x10/0x10 [ 4972.098497] kthread+0x199/0x1c0 [ 4972.098508] ? __pfx_worker_thread+0x10/0x10 [ 4972.098518] ? __pfx_kthread+0x10/0x10 [ 4972.098528] ret_from_fork+0x3c/0x60 [ 4972.098540] ? __pfx_kthread+0x10/0x10 [ 4972.098552] ret_from_fork_asm+0x1b/0x30 [ 4972.098563] RIP: 0000:0x0 [ 4972.098577] Code: Unable to access opcode bytes at 0xffffffffffffffd6. [ 4972.098584] RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000 [ 4972.098596] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 4972.098604] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 4972.098612] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 4972.098620] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 4972.098622] kobject: 'drivers' (00000000d71d1f56): kobject_release, parent 000000007062c760 (delayed 4000) [ 4972.098631] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 4972.098641] kobject: 'holders' (0000000091718821): kobject_release, parent 000000007062c760 (delayed 2000) [ 4972.098641] </TASK>

Curtis

...

Takashi

On Thu, Aug 3, 2023 at 8:35 AM Takashi Iwai tiwai@suse.de wrote:

On Thu, 03 Aug 2023 15:06:19 +0200, Takashi Iwai wrote:

...

On Wed, 02 Aug 2023 19:06:05 +0200, Curtis Malainey wrote:

...

On Tue, Aug 1, 2023 at 11:42 PM Takashi Iwai tiwai@suse.de wrote:

...

On Tue, 01 Aug 2023 19:18:41 +0200, cujomalainey@chromium.org wrote:

...

From: Curtis Malainey cujomalainey@chromium.org

The current implementation of how devices are released is valid for production use cases (root control of memory is handled by card_dev, all other devices are no-ops).

This model does not work though in a kernel hacking environment where KASAN and delayed release on kobj is enabled. If the card_dev device is released before any of the child objects a use-after-free bug is caught by KASAN as the delayed release still has a reference to the devices that were freed by the card_dev release. Also both snd_card and snd_pcm both own two devices internally, so even if they released independently, the shared struct would result in another use after free.

Solution is to move the child devices into their own memory so they can be handled independently and released on their own schedule.

Signed-off-by: Curtis Malainey cujomalainey@chromium.org Cc: Doug Anderson dianders@chromium.org

Thanks, it's an interesting bug.

I'm not much against the proposed solution, but still this has to be carefully evaluated. So, could you give more details about the bug itself? It's related with CONFIG_DEBUG_KOBJECT_RELEASE, right? In which condition it's triggered and how the UAF looks like?

Hi Takashi

Here is one of the stack traces we are seeing (for snd_pcm)

[ 1098.876460] ================================================================== [ 1098.884763] BUG: KASAN: use-after-free in enqueue_timer+0xa0/0x628 [ 1098.884849] Write of size 8 at addr ffffff80cbdc6800 by task kworker/7:4/255 [ 1098.884888] [ 1098.884909] CPU: 7 PID: 255 Comm: kworker/7:4 Not tainted 5.15.117-lockdep-19614-g05bc12fd18a9 #1 5a757fac993273e9fde5e8de9925ee0cebe8540f [ 1098.884961] Hardware name: Google Pompom (rev3+) with LTE (DT) [ 1098.884990] Workqueue: events kobject_delayed_cleanup [ 1098.885038] Call trace: [ 1098.885059] dump_backtrace+0x0/0x4e8 [ 1098.885095] show_stack+0x34/0x44 [ 1098.885129] dump_stack_lvl+0xdc/0x11c [ 1098.885165] print_address_description+0x30/0x2d8 [ 1098.885203] kasan_report+0x178/0x1e4 [ 1098.885237] __asan_report_store8_noabort+0x44/0x50 [ 1098.885276] enqueue_timer+0xa0/0x628 [ 1098.885309] internal_add_timer+0xa0/0x254 [ 1098.885346] __mod_timer+0x588/0xc4c [ 1098.885378] add_timer+0x74/0x94 [ 1098.885411] __queue_delayed_work+0x170/0x208 [ 1098.885447] queue_delayed_work_on+0x128/0x160 [ 1098.885483] kobject_put+0x278/0x2cc [ 1098.885517] put_device+0x30/0x48 [ 1098.885553] snd_ctl_dev_free+0xc8/0xe4 [ 1098.885590] __snd_device_free+0x124/0x1b8 [ 1098.885626] snd_device_free_all+0x148/0x184 [ 1098.885663] release_card_device+0x5c/0x180 [ 1098.885698] device_release+0xd4/0x1b4 [ 1098.885732] kobject_delayed_cleanup+0x130/0x304 [ 1098.885765] process_one_work+0x620/0x137c [ 1098.885802] worker_thread+0x43c/0xa08 [ 1098.885837] kthread+0x2e4/0x3a0 [ 1098.885872] ret_from_fork+0x10/0x20 [ 1098.885907] [ 1098.885926] Allocated by task 11891: [ 1098.885953] kasan_save_stack+0x38/0x68 [ 1098.885992] __kasan_kmalloc+0x90/0xac [ 1098.886026] kmem_cache_alloc_trace+0x258/0x40c [ 1098.886063] _snd_pcm_new+0xc4/0x2c8 [ 1098.886098] snd_pcm_new+0x5c/0x74 [ 1098.886132] loopback_pcm_new+0xa0/0x20c [snd_aloop] [ 1098.886194] loopback_probe+0x210/0x850 [snd_aloop] [ 1098.886235] platform_probe+0x150/0x1c8 [ 1098.886273] really_probe+0x274/0xa20 [ 1098.886308] __driver_probe_device+0x1b4/0x3b4 [ 1098.886344] driver_probe_device+0x78/0x1c0 [ 1098.886379] __device_attach_driver+0x1ac/0x2c8 [ 1098.886414] bus_for_each_drv+0x11c/0x190 [ 1098.886448] __device_attach+0x278/0x3c8 [ 1098.886482] device_initial_probe+0x2c/0x3c [ 1098.886517] bus_probe_device+0xbc/0x1c8 [ 1098.886550] device_add+0x1174/0x1630 [ 1098.886581] platform_device_add+0x3f8/0x6f8 [ 1098.886617] platform_device_register_full+0x36c/0x3f8 [ 1098.886656] 0xffffffc0032e3174 [ 1098.886691] do_one_initcall+0x1e8/0x91c [ 1098.886727] do_init_module+0x16c/0x444 [ 1098.886762] load_module+0x63e0/0x7f8c [ 1098.886795] __arm64_sys_finit_module+0x1e4/0x214 [ 1098.886830] invoke_syscall+0x98/0x278 [ 1098.886862] el0_svc_common+0x214/0x274 [ 1098.886894] do_el0_svc+0x9c/0x19c [ 1098.886926] el0_svc+0x5c/0xc0 [ 1098.886959] el0t_64_sync_handler+0x78/0x108 [ 1098.886994] el0t_64_sync+0x1a4/0x1a8 [ 1098.887027] [ 1098.887046] Freed by task 255: [ 1098.887071] kasan_save_stack+0x38/0x68 [ 1098.887106] kasan_set_track+0x28/0x3c [ 1098.887139] kasan_set_free_info+0x28/0x4c [ 1098.887174] ____kasan_slab_free+0x110/0x164 [ 1098.887209] __kasan_slab_free+0x18/0x28 [ 1098.887242] kfree+0x200/0x868 [ 1098.887275] snd_pcm_free+0x88/0x98 [ 1098.887311] snd_pcm_dev_free+0x48/0x5c [ 1098.887347] __snd_device_free+0x124/0x1b8 [ 1098.887384] snd_device_free_all+0xc8/0x184 [ 1098.887419] release_card_device+0x5c/0x180 [ 1098.887453] device_release+0xd4/0x1b4 [ 1098.887486] kobject_delayed_cleanup+0x130/0x304 [ 1098.887519] process_one_work+0x620/0x137c [ 1098.887555] worker_thread+0x43c/0xa08 [ 1098.887590] kthread+0x2e4/0x3a0 [ 1098.887623] ret_from_fork+0x10/0x20

A similar one is generated for snd_card if card_dev.release runs before ctl_dev.release. This patch is solving the same bug in both places at once.

Hmm. It's still puzzling, and I'm not 100% sure whether your analysis is right. The above shows it's freed by task 255, while the task hitting UAF itself is 255. It might be rather the combination of devres and delayed releases.

With CONFIG_DEBUG_KOBJECT_RELEASE, the kernel should show the info of each delayed release kobject. Could you give them together with the Oops, so that we can see the flow how it hits UAF?

Now I slowly understand what's happening. Essentially, it's because the *embedded* struct device is released asynchronously from the ALSA's resource management (via dev_free ops). The objects may be already released via card's device release (that calls snd_device_free_all()), while the release of each struct device that was already triggered beforehand can be delayed due to the debug option.

Ah that actually is the second bug I am still working on and not this one. This patch fixes a bug in both the devm and non-devm case.

If you look at snd_card_init it installs release_card_device as the release function for the struct device card_dev.

snd_card also has another struct device embedded in it, ctl_dev.

release_card_device calls snd_card_do_free which at the end releases the snd_card struct.

The problem here is that in the kernel hacking situation, the release function on the devices are not always called inplace (i.e. assuming proper referencing counting behaviour). So with a bit of RNG, you hit a case where card_dev runs release_card_device before ctl_dev, or even before the PCM devices which results in the release function operating on a freed pointer.

The other sign this is an issue is that we have 2 struct devices in the same memory allocation (both in card and pcm), therefore they cannot properly own their release.

You code change looks mostly fine, but as far as I see, compress_offload also needs a similar change. Meanwhile, rawmidi and hwdep do release the object via device release properly, so those are fine. Ditto for sequencer. And timer is only a global device, hence it must be fine.

Yes I noticed this too, will draft versions for them once I have the snd_card devm version solved. So far though only snd_card has reproduced the devm/release race.

And, I believe we need a bit more detailed patch description. So, could you improve the patch description, split the change to each component (control, pcm and compress_offload), and resubmit?

I can definitely update this to contain a bit more detail. That being said, given the confusion about which bug this solves, do you still want me to split this up? The bug is not resolved without both PCM and card change for this bug which is hit in the delayed release, but they are for two different paths reported by KASAN.

Also, maybe it's worth to change snd_device_initialize() to take the release (optional) argument, too, instead of setting it explicitly afterwards at each place. Already majority of callers will set own release callbacks. This can be done at one more additional patch at last.

Sounds like a good idea, definitely an option once we get the underlying issue solved.

Curtis

thanks,

Takashi

On Fri, Aug 4, 2023 at 1:58 AM Takashi Iwai tiwai@suse.de wrote:

Now I've been reconsidering the problem, and thought of another possible workaround. We may add the card's refcount control for the device init and release, so that we delay the actual resource free. The basic idea is to take card->card_ref at the device init and unref it at the actual device release callback. Then the snd_card_free() call is held until all those refcounted devices are released.

Below is a PoC patch (yes, this can be split, too ;) A quick test on VM seems OK, but needs more reviews and tests.

It contains somewhat ugly conditional put_device() at the dev_free ops. We can make those a bit saner with some helpers later, too.

BTW, this approach may avoid another potential problem by the delayed release; if we finish the driver remove without waiting for the actual device releases, it may hit a code (the piece of the device release callback) of the already removed module, and it's not guaranteed to be present. I'm not sure whether this really happens, but it's another thing to be considered.

thanks,

Takashi

---

diff --git a/include/sound/core.h b/include/sound/core.h index f6e0dd648b80..00c514a80a4a 100644 --- a/include/sound/core.h +++ b/include/sound/core.h

Unfortunately it doesn't hold up in my testing, hit the devm vs device race bug after a little over 30min of hammering snd-dummy (on top of your for-next branch)

[ 2214.013410] kobject: 'BAT0' (000000006eb2300b): kobject_uevent_env [ 2214.013433] kobject: 'BAT0' (000000006eb2300b): fill_kobj_path: path = '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:01/PNP0C09:00/PNP0C0A:00/power_supply/BAT0' [ 2214.142604] kobject: 'card1' (00000000f5621ef1): kobject_cleanup, parent 0000000000000000 [ 2214.142627] kobject: 'card1' (00000000f5621ef1): calling ktype release [ 2214.145618] kobject: 'snd_dummy.0' (00000000965e7bc3): kobject_uevent_env [ 2214.145648] kobject: 'snd_dummy.0' (00000000965e7bc3): fill_kobj_path: path = '/devices/platform/snd_dummy.0' [ 2214.145773] kobject: 'snd_dummy.0' (00000000965e7bc3): kobject_uevent_env [ 2214.145793] kobject: 'snd_dummy.0' (00000000965e7bc3): fill_kobj_path: path = '/devices/platform/snd_dummy.0' [ 2214.145867] kobject: 'snd_dummy.0' (00000000965e7bc3): kobject_release, parent 0000000000000000 (delayed 4000) [ 2214.145941] kobject: 'snd_dummy' (000000003e14c027): kobject_release, parent 0000000092654d15 (delayed 2000) [ 2214.146355] ================================================================== [ 2214.146363] kobject: 'drivers' (000000007b7f6032): kobject_release, parent 000000009dc04f8f (delayed 2000) [ 2214.146364] BUG: KASAN: slab-use-after-free in release_card_device+0x86/0xd0 [ 2214.146384] kobject: 'holders' (000000000b4379d6): kobject_release, parent 000000009dc04f8f (delayed 2000) [ 2214.146384] Read of size 1 at addr ffff888184a0c949 by task kworker/9:2/1012

[ 2214.146403] CPU: 9 PID: 1012 Comm: kworker/9:2 Tainted: G U W 6.5.0-rc3-00286-gb6697501cf3e-dirty #19 27c5c3da575c6eb45fc95c08db2c659f33df80d3 [ 2214.146417] Hardware name: Google Anahera/Anahera, BIOS Google_Anahera.14505.315.0 12/02/2022 [ 2214.146425] Workqueue: events kobject_delayed_cleanup [ 2214.146439] Call Trace: [ 2214.146446] <TASK> [ 2214.146447] kobject: 'notes' (00000000f7709af3): kobject_release, parent 000000009dc04f8f (delayed 1000) [ 2214.146452] dump_stack_lvl+0x91/0xd0 [ 2214.146466] print_report+0x15b/0x4d0 [ 2214.146478] ? __virt_addr_valid+0xbb/0x130 [ 2214.146491] ? kasan_addr_to_slab+0x11/0x80 [ 2214.146504] ? release_card_device+0x86/0xd0 [ 2214.146516] kasan_report+0xb1/0xf0 [ 2214.146526] ? release_card_device+0x86/0xd0 [ 2214.146539] ? _raw_spin_unlock_irqrestore+0x1b/0x40 [ 2214.146552] release_card_device+0x86/0xd0 [ 2214.146565] device_release+0x66/0x110 [ 2214.146576] kobject_delayed_cleanup+0x133/0x140 [ 2214.146587] process_one_work+0x3e3/0x680 [ 2214.146600] worker_thread+0x487/0x6d0 [ 2214.146613] ? __pfx_worker_thread+0x10/0x10 [ 2214.146624] kthread+0x199/0x1c0 [ 2214.146634] ? __pfx_worker_thread+0x10/0x10 [ 2214.146644] ? __pfx_kthread+0x10/0x10 [ 2214.146655] ret_from_fork+0x3c/0x60 [ 2214.146667] ? __pfx_kthread+0x10/0x10 [ 2214.146677] ret_from_fork_asm+0x1b/0x30 [ 2214.146689] RIP: 0000:0x0 [ 2214.146703] Code: Unable to access opcode bytes at 0xffffffffffffffd6. [ 2214.146710] RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000 [ 2214.146723] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 2214.146731] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 2214.146739] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 2214.146747] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 2214.146760] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 2214.146769] </TASK>

[ 2214.146779] Allocated by task 12068: [ 2214.146785] kasan_set_track+0x4f/0x80 [ 2214.146797] __kasan_kmalloc+0x92/0xb0 [ 2214.146804] __kmalloc_node_track_caller+0x72/0x140 [ 2214.146815] __devres_alloc_node+0x50/0xc0 [ 2214.146825] snd_devm_card_new+0x5a/0xe0 [ 2214.146835] snd_dummy_probe+0x91/0x660 [snd_dummy] [ 2214.146852] platform_probe+0xb5/0xf0 [ 2214.146861] really_probe+0x177/0x3c0 [ 2214.146871] __driver_probe_device+0xec/0x1b0 [ 2214.146881] driver_probe_device+0x4f/0xd0 [ 2214.146890] __device_attach_driver+0xd0/0xf0 [ 2214.146900] bus_for_each_drv+0xc6/0x120 [ 2214.146909] __device_attach+0x15c/0x210 [ 2214.146918] bus_probe_device+0x5b/0xe0 [ 2214.146926] device_add+0x462/0x6d0 [ 2214.146936] platform_device_add+0x27a/0x360 [ 2214.146945] platform_device_register_full+0x1e7/0x1f0 [ 2214.146954] 0xffffffffc0ec0118 [ 2214.146961] do_one_initcall+0x153/0x370 [ 2214.146970] do_init_module+0x126/0x350 [ 2214.146979] __se_sys_finit_module+0x2d7/0x460 [ 2214.146988] do_syscall_64+0x4c/0xa0 [ 2214.147000] entry_SYSCALL_64_after_hwframe+0x6e/0xd8

[ 2214.147028] Freed by task 12072: [ 2214.147038] kasan_set_track+0x4f/0x80 [ 2214.147054] kasan_save_free_info+0x2c/0x50 [ 2214.147069] ____kasan_slab_free+0x12c/0x180 [ 2214.147086] __kmem_cache_free+0x104/0x2a0 [ 2214.147103] release_nodes+0x69/0x80 [ 2214.147119] devres_release_all+0xbe/0x100 [ 2214.147135] device_unbind_cleanup+0x14/0xd0 [ 2214.147152] device_release_driver_internal+0x12c/0x180 [ 2214.147169] bus_remove_device+0x158/0x190 [ 2214.147183] device_del+0x2dd/0x490 [ 2214.147198] platform_device_del+0x38/0xf0 [ 2214.147214] platform_device_unregister+0x16/0x40 [ 2214.147229] snd_dummy_unregister_all+0x26/0x50 [snd_dummy] [ 2214.147256] __se_sys_delete_module+0x25a/0x380 [ 2214.147273] do_syscall_64+0x4c/0xa0 [ 2214.147288] entry_SYSCALL_64_after_hwframe+0x6e/0xd8

[ 2214.147311] Last potentially related work creation: [ 2214.147320] kasan_save_stack+0x3e/0x60 [ 2214.147335] __kasan_record_aux_stack+0xaf/0xc0 [ 2214.147350] insert_work+0x36/0x160 [ 2214.147365] __queue_work+0x54d/0x5c0 [ 2214.147380] call_timer_fn+0x9f/0x190 [ 2214.147394] __run_timers+0x427/0x4c0 [ 2214.147408] run_timer_softirq+0x21/0x40 [ 2214.147421] __do_softirq+0x164/0x344

[ 2214.147443] Second to last potentially related work creation: [ 2214.147451] kasan_save_stack+0x3e/0x60 [ 2214.147466] __kasan_record_aux_stack+0xaf/0xc0 [ 2214.147480] insert_work+0x36/0x160 [ 2214.147495] __queue_work+0x54d/0x5c0 [ 2214.147509] call_timer_fn+0x9f/0x190 [ 2214.147522] __run_timers+0x427/0x4c0 [ 2214.147535] run_timer_softirq+0x21/0x40

<snipped due to grep context being set at 100 lines>

I was talking with Stephen Boyd about this bug and his recommendation was to keep snd_card always out of devm and just allocate a pointer in devm to snd_card to puppet it as if it was managed via devm and just reference count rather than release the card so that its always handled through device->release. What do you think? This would go alongside the current patch proposed.

On Sat, 05 Aug 2023 10:09:58 +0200, Takashi Iwai wrote:

On Fri, 04 Aug 2023 21:17:56 +0200, Curtis Malainey wrote:

...

On Fri, Aug 4, 2023 at 1:58 AM Takashi Iwai tiwai@suse.de wrote:

...

Now I've been reconsidering the problem, and thought of another possible workaround. We may add the card's refcount control for the device init and release, so that we delay the actual resource free. The basic idea is to take card->card_ref at the device init and unref it at the actual device release callback. Then the snd_card_free() call is held until all those refcounted devices are released.

Below is a PoC patch (yes, this can be split, too ;) A quick test on VM seems OK, but needs more reviews and tests.

It contains somewhat ugly conditional put_device() at the dev_free ops. We can make those a bit saner with some helpers later, too.

BTW, this approach may avoid another potential problem by the delayed release; if we finish the driver remove without waiting for the actual device releases, it may hit a code (the piece of the device release callback) of the already removed module, and it's not guaranteed to be present. I'm not sure whether this really happens, but it's another thing to be considered.

thanks,

Takashi

---

diff --git a/include/sound/core.h b/include/sound/core.h index f6e0dd648b80..00c514a80a4a 100644 --- a/include/sound/core.h +++ b/include/sound/core.h

Unfortunately it doesn't hold up in my testing, hit the devm vs device race bug after a little over 30min of hammering snd-dummy (on top of your for-next branch)

(snip)

...

I was talking with Stephen Boyd about this bug and his recommendation was to keep snd_card always out of devm and just allocate a pointer in devm to snd_card to puppet it as if it was managed via devm and just reference count rather than release the card so that its always handled through device->release. What do you think? This would go alongside the current patch proposed.

Indeed, that's another issue about devres vs delayed kobj release. A quick fix would be something like below, I suppose. (note: totally untested)

Scratch it. It's still obviously broken. Will cook more proper patches later.

Takashi