BUG: I found An use-after-free BUG in the pfeng

ChenJun945
Contributor III

Following is the BUG log:

[ 5402.327073] ==================================================================
[ 5402.327164] BUG: KASAN: use-after-free in pfeng_netif_logif_xmit+0x1464/0x16a0 [pfeng]
[ 5402.327670] Read of size 4 at addr ffffff800533eda8 by task sshd/32475

[ 5402.327843] CPU: 1 PID: 32475 Comm: sshd Tainted: G O 5.10.41 #1
[ 5402.328007] Hardware name: Freescale S32G274 (DT)
[ 5402.328075] Call trace:
[ 5402.328113] dump_backtrace+0x0/0x48c
[ 5402.328311] show_stack+0x2c/0x40
[ 5402.328493] dump_stack+0x18c/0x210
[ 5402.328647] print_address_description.constprop.0+0x6c/0x464
[ 5402.328841] kasan_report+0x118/0x1b0
[ 5402.329033] __asan_report_load4_noabort+0x34/0x60
[ 5402.329194] pfeng_netif_logif_xmit+0x1464/0x16a0 [pfeng]
[ 5402.329593] dev_hard_start_xmit+0x28c/0xe00
[ 5402.329761] sch_direct_xmit+0x218/0x9c0
[ 5402.329932] __dev_queue_xmit+0x1188/0x309c
[ 5402.330094] dev_queue_xmit+0x24/0x34
[ 5402.330245] vlan_dev_hard_start_xmit+0x164/0x63c
[ 5402.330442] dev_hard_start_xmit+0x28c/0xe00
[ 5402.330604] __dev_queue_xmit+0x1e18/0x309c
[ 5402.330765] dev_queue_xmit+0x24/0x34
[ 5402.330916] neigh_connected_output+0x2a4/0x3a4
[ 5402.331122] ip_finish_output2+0x720/0x25f0
[ 5402.331293] __ip_finish_output+0x18c/0x220
[ 5402.331461] ip_output+0x31c/0x4d4
[ 5402.331615] __ip_queue_xmit+0x70c/0x182c
[ 5402.331780] ip_queue_xmit+0x5c/0x80
[ 5402.331938] __tcp_transmit_skb+0x13d0/0x34ec
[ 5402.332118] __tcp_send_ack+0x3ac/0x624
[ 5402.332283] tcp_send_ack+0x48/0x60
[ 5402.332449] __tcp_ack_snd_check+0x13c/0x8e0
[ 5402.332604] tcp_rcv_established+0x950/0x1ee0
[ 5402.332773] tcp_v4_do_rcv+0x678/0x960
[ 5402.332959] __release_sock+0xf4/0x31c
[ 5402.333116] release_sock+0x58/0x2a0
[ 5402.333266] tcp_sendmsg+0x4c/0x64
[ 5402.333397] inet_sendmsg+0xa8/0x100
[ 5402.333539] sock_write_iter+0x244/0x3dc
[ 5402.333717] new_sync_write+0x354/0x520
[ 5402.333884] vfs_write+0x490/0x5e0
[ 5402.334042] ksys_write+0x1fc/0x25c
[ 5402.334200] __arm64_sys_write+0x70/0xa4
[ 5402.334368] el0_svc_common.constprop.0+0x158/0x510
[ 5402.334574] do_el0_svc+0xec/0x114
[ 5402.334749] el0_svc+0x24/0x34
[ 5402.334913] el0_sync_handler+0x17c/0x180
[ 5402.335095] el0_sync+0x180/0x1c0

[ 5402.335252] Allocated by task 32475:
[ 5402.335322] kasan_save_stack+0x28/0x60
[ 5402.335503] __kasan_kmalloc.constprop.0+0xc8/0xf0
[ 5402.335702] kasan_slab_alloc+0x18/0x2c
[ 5402.335885] kmem_cache_alloc+0x16c/0x610
[ 5402.336060] __alloc_skb+0xc4/0x5f4
[ 5402.336221] __tcp_send_ack+0xac/0x624
[ 5402.336382] tcp_send_ack+0x48/0x60
[ 5402.336544] __tcp_ack_snd_check+0x13c/0x8e0
[ 5402.336695] tcp_rcv_established+0x950/0x1ee0
[ 5402.336859] tcp_v4_do_rcv+0x678/0x960
[ 5402.337038] __release_sock+0xf4/0x31c
[ 5402.337188] release_sock+0x58/0x2a0
[ 5402.337335] tcp_sendmsg+0x4c/0x64
[ 5402.337462] inet_sendmsg+0xa8/0x100
[ 5402.337598] sock_write_iter+0x244/0x3dc
[ 5402.337770] new_sync_write+0x354/0x520
[ 5402.337927] vfs_write+0x490/0x5e0
[ 5402.338082] ksys_write+0x1fc/0x25c
[ 5402.338238] __arm64_sys_write+0x70/0xa4
[ 5402.338405] el0_svc_common.constprop.0+0x158/0x510
[ 5402.338604] do_el0_svc+0xec/0x114
[ 5402.338777] el0_svc+0x24/0x34
[ 5402.338934] el0_sync_handler+0x17c/0x180
[ 5402.339112] el0_sync+0x180/0x1c0

[ 5402.339262] Freed by task 32477:
[ 5402.339325] kasan_save_stack+0x28/0x60
[ 5402.339504] kasan_set_track+0x28/0x40
[ 5402.339679] kasan_set_free_info+0x24/0x50
[ 5402.339823] __kasan_slab_free+0xec/0x160
[ 5402.340003] kasan_slab_free+0x14/0x20
[ 5402.340184] kmem_cache_free_bulk+0xc0/0x2a0
[ 5402.340363] __kfree_skb_flush+0xd4/0x164
[ 5402.340558] net_rx_action+0x664/0xc00
[ 5402.340712] _stext+0x408/0x1190

[ 5402.340859] The buggy address belongs to the object at ffffff800533ed40
which belongs to the cache skbuff_head_cache of size 208
[ 5402.340992] The buggy address is located 104 bytes inside of
208-byte region [ffffff800533ed40, ffffff800533ee10)
[ 5402.341152] The buggy address belongs to the page:
[ 5402.341201] page:000000005530c645 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffff800533e0c0 pfn:0x8533e
[ 5402.341386] flags: 0x200(slab)
[ 5402.341570] raw: 0000000000000200 fffffffefffed788 ffffffff00171288 ffffff8003943800
[ 5402.341732] raw: ffffff800533e0c0 ffffff800533e0c0 0000000100000007 0000000000000000
[ 5402.341824] page dumped because: kasan: bad access detected

[ 5402.341913] Memory state around the buggy address:
[ 5402.341985] ffffff800533ec80: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 5402.342102] ffffff800533ed00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 5402.342216] >ffffff800533ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5402.342304] ^
[ 5402.342382] ffffff800533ee00: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 5402.342496] ffffff800533ee80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5402.342583] ==================================================================

Should we make changes as follows?

[attached image: ChenJun945_0-1646879942735.png]

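The report above says the skb was allocated by the sending task (__alloc_skb under __tcp_send_ack), freed by a different task in the NAPI path (net_rx_action -> __kfree_skb_flush, where TX completions are typically flushed), and then read as a 4-byte field 104 bytes into the freed skb by pfeng_netif_logif_xmit. That is the classic signature of a transmit function touching an skb after it has been handed to the hardware queue. The user-space C model below is an added example, not code from this thread or from the pfeng driver, and it does not claim to be the exact pfeng defect: it models the generic pattern with a toy skb, a toy TX ring whose completion can run before xmit returns, and a freed flag plus 0xfb poisoning standing in for KASAN so the buggy read is observable instead of undefined behaviour. Every name in it (struct skb, tx_ring, xmit_buggy, xmit_fixed, run_scenario, skb_len_checked) is invented for the model.

```c
/* Added example (not pfeng or thread code): user-space model of the
 * "use-after-free in <driver>_xmit" skb lifetime bug class and its fix. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for struct sk_buff; only the fields the model needs. */
struct skb {
    uint32_t len;
    bool freed;   /* tombstone standing in for KASAN's freed-slab state */
};

#define SKB_POISON 0xfbfbfbfbu   /* mimics the 0xfb "freed" byte KASAN prints */

static unsigned uaf_reports;     /* reads of a freed skb, as KASAN would report */

static void mock_kfree_skb(struct skb *s)
{
    /* Poison instead of really freeing, so the buggy read stays deterministic. */
    s->len = SKB_POISON;
    s->freed = true;
}

static uint32_t skb_len_checked(const struct skb *s)
{
    if (s->freed)
        uaf_reports++;           /* this is the access KASAN flags */
    return s->len;
}

#define RING_SIZE 4

struct tx_ring {
    struct skb *slots[RING_SIZE];
    unsigned head, tail;
    bool completion_races;       /* true: completion fires inside tx_enqueue */
};

static void tx_complete(struct tx_ring *r)
{
    /* TX-completion path (net_rx_action in the report): release every sent skb. */
    while (r->tail != r->head) {
        mock_kfree_skb(r->slots[r->tail % RING_SIZE]);
        r->tail++;
    }
}

static void tx_enqueue(struct tx_ring *r, struct skb *s)
{
    r->slots[r->head % RING_SIZE] = s;
    r->head++;                   /* from here on the skb belongs to completion */
    if (r->completion_races)
        tx_complete(r);          /* worst-case interleaving, made deterministic */
}

/* Buggy pattern: reads skb->len for accounting after the handoff. */
static uint32_t xmit_buggy(struct tx_ring *r, struct skb *s)
{
    tx_enqueue(r, s);
    return skb_len_checked(s);   /* use-after-free when completion already ran */
}

/* Fixed pattern: snapshot everything needed after the handoff, before it. */
static uint32_t xmit_fixed(struct tx_ring *r, struct skb *s)
{
    uint32_t len = skb_len_checked(s);
    tx_enqueue(r, s);
    return len;                  /* no access to s after tx_enqueue */
}

struct result {
    uint32_t reported_len;       /* what xmit returned for accounting */
    unsigned uaf_reports;        /* freed-skb reads seen during the call */
};

static struct result run_scenario(bool completion_races, bool use_fixed)
{
    struct tx_ring ring = { .completion_races = completion_races };
    struct skb pkt = { .len = 1500, .freed = false };   /* constructed sample packet */
    struct result res;

    uaf_reports = 0;
    res.reported_len = use_fixed ? xmit_fixed(&ring, &pkt)
                                 : xmit_buggy(&ring, &pkt);
    res.uaf_reports = uaf_reports;
    return res;
}

int main(void)
{
    struct result r;
    r = run_scenario(true, false);
    printf("buggy, completion races: len=0x%08x uaf_reports=%u\n", r.reported_len, r.uaf_reports);
    r = run_scenario(true, true);
    printf("fixed, completion races: len=%u uaf_reports=%u\n", r.reported_len, r.uaf_reports);
    r = run_scenario(false, false);
    printf("buggy, no race (latent): len=%u uaf_reports=%u\n", r.reported_len, r.uaf_reports);
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c`. The third scenario is the point of the "I just tested the latest one and it works nicely" exchange: when completion happens to run after xmit has finished, the buggy variant returns the right length and nothing is reported, so the bug is timing-dependent and only shows up under load or with KASAN plus a fuzzer such as syzkaller. The fix pattern is the same in any driver: copy every skb field the function still needs (length, byte counters, queue mapping) into locals before the descriptor is published to the hardware, and never dereference the skb pointer after that point.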
Bio_TICFSL
NXP TechSupport

Hello ChenJun,

Please provide the steps of the Linux BSP at which this error happens, because I just tested the latest one and it works nicely.

Regards

ChenJun945
Contributor III

Maybe it was fixed by NXP; how can I get the following commits or patches, not the full pfeng git repository?

+========================================================
+What's Modified in BETA_0.9.6
+========================================================
+
+# New Feature
+
+[AAVB-4047] - [PFE_DRV_LINUX] M/S: IP-ready signalization
+[AAVB-2830] - [PFE_DRV_LINUX] Ingress QoS
+
+# Bug
+
+[AAVB-3705] - [PFE_DRV_LINUX] Slave logical interface prints IDEX error messages when getting up
+[AAVB-3754] - [PFE_DRV_LINUX] Slave driver does not accept HIF NOCPY as a master channel
+[AAVB-3828] - [PFE_DRV_LINUX] "Kernel BUG at pfeng_hif_chnl_txconf_free_map_full" for high Tx rate on 2.5G link
+[AAVB-3878] - [PFE_DRV_LINUX] Slave: Don't setup EMAC logif to promisc mode
+[AAVB-3898] - [PFE_DRV_LINUX] BUG: KASAN: use-after-free in pfeng_hif_chnl_poll+0x570/0x644 [pfeng]
+[AAVB-3946] - [PFE_DRV_LINUX] "Sleeping while atomic" bug in pfeng driver
+[AAVB-4000] - [PFE_DRV_LINUX] Slave driver unload triggers Kernel BUG at gen_pool_destroy()
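Review bot: the only KASAN entry in this changelog, [AAVB-3898], names pfeng_hif_chnl_poll+0x570/0x644 [pfeng], while the report in this thread is "use-after-free in pfeng_netif_logif_xmit+0x1464/0x16a0 [pfeng]", a different function on the transmit side; nothing in the BETA_0.9.6 list visibly covers the xmit-path read, so it is worth asking which entry (if any) addresses this trace, or for the specific commit, before treating this release note as the fix.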
ChenJun945
Contributor III

I tested with syzkaller: https://github.com/google/syzkaller

Enable the following kernel configs, and recompile the kernel, dtb and pfeng.ko:

https://github.com/google/syzkaller/blob/master/docs/linux/kernel_configs.md

You can easily reproduce this issue.

Bio_TICFSL
NXP TechSupport

Yes, it will be fixed in the next revision of the BSP. Thanks for the catch.
