I am getting the following crash on IPMI on Linus' upstream. It tries to
double-add the same element to a list, and then gets
a slab-use-after-free in handle_one_recv_msg.
Here is the decoded stack against commit cf38b2340c0e ("Merge tag
'soc-fixes-6.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc"):
list_add double add: new=ffff888145b19000, prev=ffff888145b19000,
next=ffff88810bb6d480.
WARNING: lib/list_debug.c:37 at
__list_add_valid_or_report+0x10a/0x130, CPU#64: 0/408
Workqueue: events smi_work [ipmi_msghandler]
RIP: 0010:__list_add_valid_or_report (rw/compile/lib/list_debug.c:35)
deliver_response (rw/compile/./include/linux/list.h:158
rw/compile/./include/linux/list.h:191
rw/compile/drivers/char/ipmi/ipmi_msghandler.c:974) ipmi_msghandler
smi_work (rw/compile/drivers/char/ipmi/ipmi_msghandler.c:985
rw/compile/drivers/char/ipmi/ipmi_msghandler.c:999
rw/compile/drivers/char/ipmi/ipmi_msghandler.c:4853) ipmi_msghandler
? process_scheduled_works (rw/compile/kernel/workqueue.c:3233
rw/compile/kernel/workqueue.c:3340)
process_scheduled_works (rw/compile/kernel/workqueue.c:?
rw/compile/kernel/workqueue.c:3340)
worker_thread (rw/compile/./include/linux/list.h:381
rw/compile/kernel/workqueue.c:946 rw/compile/kernel/workqueue.c:3422)
kthread (rw/compile/kernel/kthread.c:465)
? pr_cont_work (rw/compile/kernel/workqueue.c:3367)
? kthread_blkcg (rw/compile/kernel/kthread.c:412)
ret_from_fork (rw/compile/arch/x86/kernel/process.c:164)
? kthread_blkcg (rw/compile/kernel/kthread.c:412)
ret_from_fork_asm (rw/compile/arch/x86/entry/entry_64.S:256)
list_add double add: new=ffff888145b19000, prev=ffff888145b19000,
next=ffff88810bb6d480.
WARNING: lib/list_debug.c:37 at
__list_add_valid_or_report+0x10a/0x130, CPU#64: 0/408
<double add hit again same stack>
BUG: KASAN: slab-use-after-free in handle_one_recv_msg
(rw/compile/drivers/char/ipmi/ipmi_msghandler.c:?
rw/compile/drivers/char/ipmi/ipmi_msghandler.c:4761) ipmi_msghandler
T473136] Write of size 4 at addr ffff888145b19010 by task
kworker/30:3/473136
handle_new_recv_msgs
(rw/compile/drivers/char/ipmi/ipmi_msghandler.c:4788) ipmi_msghandler
? get_smi_info (rw/compile/drivers/char/ipmi/ipmi_si_intf.c:918)
ipmi_si
smi_work (rw/compile/drivers/char/ipmi/ipmi_msghandler.c:?)
ipmi_msghandler
? process_scheduled_works (rw/compile/kernel/workqueue.c:3233
rw/compile/kernel/workqueue.c:3340)
process_scheduled_works (rw/compile/kernel/workqueue.c:?
rw/compile/kernel/workqueue.c:3340)
worker_thread (rw/compile/./include/linux/list.h:381
rw/compile/kernel/workqueue.c:946 rw/compile/kernel/workqueue.c:3422)
kthread (rw/compile/kernel/kthread.c:465)
? rcu_is_watching (rw/compile/./include/linux/context_tracking.h:128
rw/compile/kernel/rcu/tree.c:751)
? pr_cont_work (rw/compile/kernel/workqueue.c:3367)
? kthread_blkcg (rw/compile/kernel/kthread.c:412)
ret_from_fork (rw/compile/arch/x86/kernel/process.c:164)
? kthread_blkcg (rw/compile/kernel/kthread.c:412)
ret_from_fork_asm (rw/compile/arch/x86/entry/entry_64.S:256)
Allocated by task 6379:
kasan_save_track (rw/compile/mm/kasan/common.c:58
rw/compile/mm/kasan/common.c:78)
__kasan_kmalloc (rw/compile/mm/kasan/common.c:419)
__kmalloc_cache_noprof (rw/compile/mm/slub.c:5781)
kernfs_fop_open.llvm.1481521202032378051
(rw/compile/./include/linux/slab.h:957 rw/compile/./include/linux/slab.h:1094
rw/compile/fs/kernfs/file.c:641)
do_dentry_open (rw/compile/fs/open.c:963)
vfs_open (rw/compile/fs/open.c:1095)
path_openat (rw/compile/fs/namei.c:4638 rw/compile/fs/namei.c:4796)
do_filp_open (rw/compile/fs/namei.c:4823)
do_sys_openat2 (rw/compile/./include/linux/err.h:78
rw/compile/./include/linux/file.h:177 rw/compile/fs/open.c:1430)
__x64_sys_openat (rw/compile/fs/open.c:1447)
do_syscall_64 (rw/compile/arch/x86/entry/syscall_64.c:?)
entry_SYSCALL_64_after_hwframe
(rw/compile/arch/x86/entry/entry_64.S:131)
Freed by task 6379:
kasan_save_track (rw/compile/mm/kasan/common.c:58
rw/compile/mm/kasan/common.c:78)
kasan_save_free_info (rw/compile/mm/kasan/generic.c:587)
__kasan_slab_free (rw/compile/mm/kasan/common.c:287)
kfree (rw/compile/mm/slub.c:6674 rw/compile/mm/slub.c:6882)
kernfs_fop_release.llvm.1481521202032378051
(rw/compile/fs/kernfs/file.c:788)
__fput (rw/compile/fs/file_table.c:469)
fput_close_sync (rw/compile/fs/file_table.c:574)
__x64_sys_close (rw/compile/fs/open.c:1575 rw/compile/fs/open.c:1558
rw/compile/fs/open.c:1558)
do_syscall_64 (rw/compile/arch/x86/entry/syscall_64.c:?)
entry_SYSCALL_64_after_hwframe
(rw/compile/arch/x86/entry/entry_64.S:131)
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1d14bb067 P4D 1d14bb067 PUD 67c50d067 PMD 0
Oops: Oops: 0010 [#1] SMP DEBUG_PAGEALLOC KASAN
Hardware name: Quanta North Dome MP/North Dome MP, BIOS
F09C_3B14.sign 04/12/2023
Workqueue: events smi_work [ipmi_msghandler]
The next patch contains the issue I found and a possible fix.
Signed-off-by: Breno Leitao <[email protected]>
---
Breno Leitao (1):
ipmi: Fix use-after-free and list corruption on sender error
drivers/char/ipmi/ipmi_msghandler.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
---
base-commit: cf38b2340c0e60ef695b7137440a4d187ed49c88
change-id: 20260127-ipmi-03bae4a027bd
Best regards,
--
Breno Leitao <[email protected]>
_______________________________________________
Openipmi-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openipmi-developer
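For readers who want to see what the "list_add double add" warning in the report actually detects, here is a small user-space C program that mirrors the three consistency checks the kernel performs in lib/list_debug.c (__list_add_valid_or_report) before linking a node into an intrusive list. It is an added illustration, not code from the kernel or from the patch; the struct, helper names and the demo functions are reimplemented here for the example. The second demo adds one node to a list twice, which produces exactly the shape in the log above (new == prev), while the third shows that a node removed with list_del_init can be re-added cleanly.

```c
#include <stdio.h>
#include <stddef.h>

/* Minimal user-space mirror of the kernel's intrusive doubly linked list. */
struct list_head {
    struct list_head *next, *prev;
};

static void init_list_head(struct list_head *h)
{
    h->next = h;
    h->prev = h;
}

/* Status of a checked insert; 0 means the neighbours were consistent. */
enum list_add_status {
    LIST_ADD_OK = 0,
    LIST_ADD_BAD_NEXT_PREV = 1, /* next->prev should be prev */
    LIST_ADD_BAD_PREV_NEXT = 2, /* prev->next should be next */
    LIST_ADD_DOUBLE_ADD = 3,    /* node is already prev or next */
};

/* Same three checks as the kernel's __list_add_valid_or_report(). */
static enum list_add_status list_add_valid(const struct list_head *node,
                                           const struct list_head *prev,
                                           const struct list_head *next)
{
    if (next->prev != prev)
        return LIST_ADD_BAD_NEXT_PREV;
    if (prev->next != next)
        return LIST_ADD_BAD_PREV_NEXT;
    if (node == prev || node == next)
        return LIST_ADD_DOUBLE_ADD;
    return LIST_ADD_OK;
}

/* Insert node between prev and next, refusing to touch a corrupt list. */
static enum list_add_status list_add_between(struct list_head *node,
                                             struct list_head *prev,
                                             struct list_head *next)
{
    enum list_add_status st = list_add_valid(node, prev, next);

    if (st != LIST_ADD_OK) {
        /* Same wording as the warning in the report, minus the kernel prefix. */
        fprintf(stderr, "list_add %s: new=%p, prev=%p, next=%p\n",
                st == LIST_ADD_DOUBLE_ADD ? "double add" : "corruption",
                (void *)node, (void *)prev, (void *)next);
        return st;
    }
    next->prev = node;
    node->next = next;
    node->prev = prev;
    prev->next = node;
    return LIST_ADD_OK;
}

/* list_add_tail: insert just before head, i.e. between head->prev and head. */
static enum list_add_status list_add_tail_checked(struct list_head *node,
                                                  struct list_head *head)
{
    return list_add_between(node, head->prev, head);
}

/* Unlink node and reset it so a later add is legitimate. */
static void list_del_init_checked(struct list_head *node)
{
    node->prev->next = node->next;
    node->next->prev = node->prev;
    init_list_head(node);
}

/* Demo 1: a plain insert into an empty list is consistent. */
int demo_single_add(void)
{
    struct list_head head, msg;

    init_list_head(&head);
    init_list_head(&msg);
    return (int)list_add_tail_checked(&msg, &head);
}

/* Demo 2: adding the same node twice. On the second add prev == head->prev
 * is the node itself, so the check reports "double add" with new == prev,
 * the same pattern as in the crash report above. */
int demo_double_add(void)
{
    struct list_head head, msg;

    init_list_head(&head);
    init_list_head(&msg);
    if (list_add_tail_checked(&msg, &head) != LIST_ADD_OK)
        return -1;
    return (int)list_add_tail_checked(&msg, &head);
}

/* Demo 3: removing the node first makes the second add legitimate again. */
int demo_readd_after_del(void)
{
    struct list_head head, msg;

    init_list_head(&head);
    init_list_head(&msg);
    if (list_add_tail_checked(&msg, &head) != LIST_ADD_OK)
        return -1;
    list_del_init_checked(&msg);
    return (int)list_add_tail_checked(&msg, &head);
}

int main(void)
{
    printf("single add: %d\n", demo_single_add());
    printf("double add: %d\n", demo_double_add());
    printf("re-add after del: %d\n", demo_readd_after_del());
    return 0;
}
```

The point of the check is that it catches the mistake at the moment of the second insert, before the list is corrupted; in the kernel the warning is non-fatal, which is why the report shows the double add firing and the use-after-free following once the stale element is processed.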