[PATCH -next] mtd: Fix the refcount error of the mtd info

Zhang Xiaoxu zhangxiaoxu5 at huawei.com
Tue Jul 25 14:55:39 PDT 2023 

There is a UAF when test the mchp23k256 driver with bpf mock device:

  BUG: KASAN: slab-use-after-free in device_pm_remove+0x7d/0xe0
  Write of size 8 at addr ffff888118bf0400 by task python3/261

  CPU: 0 PID: 261 Comm: python3 Tainted: G        W        N 6.5.0-rc2+
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  Call Trace:
   <TASK>
   dump_stack_lvl+0x65/0xb0
   print_report+0xcc/0x620
   kasan_report+0xba/0xf0
   device_pm_remove+0x7d/0xe0
   device_del+0x273/0x780
   spi_unregister_device+0xa3/0x140
   delete_device_store+0x172/0x290
   dev_attr_store+0x3e/0x70
   sysfs_kf_write+0x8c/0xb0
   kernfs_fop_write_iter+0x246/0x330
   vfs_write+0x646/0x840
   ksys_write+0xd6/0x1b0
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

  Allocated by task 261:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7b/0x90
   __kmalloc_node_track_caller+0x57/0x150
   devm_kmalloc+0x6a/0x1c0
   mchp23k256_probe+0x28/0x270 [mchp23k256]
   spi_probe+0xe1/0x140
   really_probe+0x283/0x530
   __driver_probe_device+0xe5/0x1e0
   device_driver_attach+0x75/0x120
   bind_store+0xa4/0x120
   drv_attr_store+0x49/0x70
   sysfs_kf_write+0x8c/0xb0
   kernfs_fop_write_iter+0x246/0x330
   vfs_write+0x646/0x840
   ksys_write+0xd6/0x1b0
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

  Freed by task 261:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x27/0x40
   __kasan_slab_free+0x106/0x190
   __kmem_cache_free+0xdd/0x330
   devres_release_all+0x143/0x1b0
   device_unbind_cleanup+0x19/0xd0
   device_release_driver_internal+0x31f/0x380
   unbind_store+0xce/0xd0
   drv_attr_store+0x49/0x70
   sysfs_kf_write+0x8c/0xb0
   kernfs_fop_write_iter+0x246/0x330
   vfs_write+0x646/0x840
   ksys_write+0xd6/0x1b0
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

The refcount of the parent was increased when get the mtd device with
MTD_PARTITIONED_MASTER enabled, but always decrease when put the mtd
device, it will lead refcount error.

Fixes: 19bfa9ebebb5 ("mtd: use refcount to prevent corruption")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5 at huawei.com>
---
 drivers/mtd/mtdcore.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
index 2466ea466466..7c2040a7af0a 100644
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -1335,12 +1335,12 @@ void __put_mtd_device(struct mtd_info *mtd)
 	while (mtd != master) {
 		struct mtd_info *parent = mtd->parent;
 
-		kref_put(&mtd->refcnt, mtd_device_release);
+		if (IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER))
+			kref_put(&mtd->refcnt, mtd_device_release);
 		mtd = parent;
 	}
 
-	if (IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER))
-		kref_put(&master->refcnt, mtd_device_release);
+	kref_put(&master->refcnt, mtd_device_release);
 
 	module_put(master->owner);
 
-- 
2.34.1

More information about the linux-mtd mailing list