KASAN: use-after-free in tegra210_adma driver

KASAN reported a UAF bug in this driver. I’ve attached the KASAN report, repro script and a proposed patch.

#!/usr/bin/env bash
# Repro: repeatedly start a PipeWire playback stream and SIGKILL it at a
# random moment, so the PCM stop/terminate path races with in-flight DMA
# period completions.
set -e

# A small buffer seems to make it reproduce more easily.
export PIPEWIRE_PROPS="{ node.latency = 256/48000 }"

# Loop forever; swap in 'for i in {1..200}; do' for a bounded run.
while true; do
  gst-launch-1.0 audiotestsrc ! \
    audio/x-raw,rate=48000,channels=2 ! \
    pipewiresink &
  # On systems using PulseAudio, replace the pipewiresink line above with
  # this sink, which requests a small buffer:
  #   pulsesink buffer-time=5000 latency-time=1000 &
  PID=$!
  # Let the pipeline run for 1 to 3 seconds before killing it.
  sleep "$(echo "scale=2; 1 + ($RANDOM / 32767) * 2" | bc)"
  kill -9 "$PID" 2>/dev/null || true
  sleep 0.05
done
diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
index 60f28789ff7e..98e2b0db06e5 100644
--- a/drivers/dma/tegra210-adma.c
+++ b/drivers/dma/tegra210-adma.c
@@ -354,7 +354,7 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
 		return;
 	}
 
-	kfree(tdc->desc);
+	vchan_terminate_vdesc(&tdc->desc->vd);
 	tdc->desc = NULL;
 }
 
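Review bot: vchan_terminate_vdesc() does not free the descriptor; it parks it on vc->desc_terminated and clears vc->cyclic, the pointer the vchan_complete tasklet in the report reads, and it expects the caller to already hold vc.lock. For this one-line swap to be complete, please confirm that every path into tegra_adma_stop() holds tdc->vc.lock at this point and that the driver's device_synchronize hook is vchan_synchronize(), which tasklet_kill()s and frees the desc_terminated list; otherwise the premature kfree() becomes a leak of the 256-byte descriptor on every stop. A short comment above the call saying the descriptor is released in synchronize would also help, since the old kfree() made the ownership obvious and the new call does not.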

[  337.427514] ==================================================================
[  337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0

[  337.427552] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           OE     5.15.148-prod-tegra-russell-asan-shotover #5
[  337.427558] Hardware name: NVIDIA NVIDIA Jetson Orin NX Engineering Reference Developer Kit/Jetson, BIOS 36.4.0-gcid-37537400 09/13/2024
[  337.427562] Call trace:
[  337.427564]  dump_backtrace+0x0/0x320
[  337.427571]  show_stack+0x20/0x30
[  337.427575]  dump_stack_lvl+0x68/0x84
[  337.427584]  print_address_description.constprop.0+0x74/0x2b8
[  337.427590]  kasan_report+0x1f4/0x210
[  337.427598]  __asan_load8+0xa0/0xd0
[  337.427603]  vchan_complete+0x124/0x3b0
[  337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0
[  337.427617]  tasklet_action+0x30/0x40
[  337.427623]  __do_softirq+0x1a0/0x5c4
[  337.427628]  irq_exit+0x110/0x140
[  337.427633]  handle_domain_irq+0xa4/0xe0
[  337.427640]  gic_handle_irq+0x64/0x160
[  337.427644]  call_on_irq_stack+0x20/0x4c
[  337.427649]  do_interrupt_handler+0x7c/0x90
[  337.427654]  el1_interrupt+0x30/0x80
[  337.427659]  el1h_64_irq_handler+0x18/0x30
[  337.427663]  el1h_64_irq+0x7c/0x80
[  337.427667]  cpuidle_enter_state+0xe4/0x540
[  337.427674]  cpuidle_enter+0x54/0x80
[  337.427679]  do_idle+0x2e0/0x380
[  337.427685]  cpu_startup_entry+0x2c/0x70
[  337.427690]  rest_init+0x114/0x130
[  337.427695]  arch_call_rest_init+0x18/0x24
[  337.427702]  start_kernel+0x380/0x3b4
[  337.427706]  __primary_switched+0xc0/0xc8

[  337.427713] Allocated by task 1819:
[  337.427716]  kasan_save_stack+0x28/0x60
[  337.427722]  __kasan_kmalloc+0x8c/0xb0
[  337.427727]  kmem_cache_alloc_trace+0x1f0/0x3a0
[  337.427732]  tegra_adma_prep_dma_cyclic+0x88/0x680 [tegra210_adma]
[  337.427748]  snd_dmaengine_pcm_trigger+0x1a4/0x330
[  337.427755]  tegra_admaif_trigger+0x88/0x480 [snd_soc_tegra210_admaif]
[  337.427777]  snd_soc_pcm_dai_trigger+0x22c/0x350
[  337.427782]  soc_pcm_trigger+0xfc/0x1f0
[  337.427788]  snd_pcm_do_start+0x64/0x80
[  337.427792]  snd_pcm_action_single+0x5c/0xd0
[  337.427797]  snd_pcm_action+0x84/0xa0
[  337.427801]  snd_pcm_action_lock_irq+0x5c/0xd0
[  337.427806]  snd_pcm_common_ioctl+0x1314/0x16a0
[  337.427812]  snd_pcm_ioctl+0x5c/0x80
[  337.427816]  __arm64_sys_ioctl+0xd8/0x120
[  337.427823]  invoke_syscall+0x68/0x190
[  337.427829]  el0_svc_common.constprop.0+0x130/0x160
[  337.427835]  do_el0_svc+0x8c/0xc0
[  337.427841]  el0_svc+0x3c/0x80
[  337.427844]  el0t_64_sync_handler+0xa4/0x130
[  337.427848]  el0t_64_sync+0x1a4/0x1a8

[  337.427853] Freed by task 1819:
[  337.427856]  kasan_save_stack+0x28/0x60
[  337.427861]  kasan_set_track+0x28/0x40
[  337.427865]  kasan_set_free_info+0x28/0x50
[  337.427871]  __kasan_slab_free+0xd8/0x140
[  337.427876]  slab_free_freelist_hook+0xa8/0x1d0
[  337.427880]  kfree+0xec/0x290
[  337.427884]  tegra_adma_terminate_all+0x170/0x540 [tegra210_adma]
[  337.427893]  snd_dmaengine_pcm_trigger+0x8c/0x330
[  337.427898]  tegra_admaif_trigger+0x88/0x480 [snd_soc_tegra210_admaif]
[  337.427918]  snd_soc_pcm_dai_trigger+0x16c/0x350
[  337.427923]  soc_pcm_trigger+0x150/0x1f0
[  337.427928]  snd_pcm_do_stop+0xb8/0xf0
[  337.427932]  snd_pcm_action_single+0x5c/0xd0
[  337.427937]  snd_pcm_action+0x84/0xa0
[  337.427941]  snd_pcm_stop+0x2c/0x40
[  337.427945]  __snd_pcm_xrun+0xa0/0x160
[  337.427950]  snd_pcm_update_state+0x1f8/0x200
[  337.427956]  snd_pcm_update_hw_ptr0+0x370/0x650
[  337.427962]  snd_pcm_update_hw_ptr+0x1c/0x30
[  337.427967]  do_pcm_hwsync+0xc4/0xd0
[  337.427971]  snd_pcm_hwsync+0x48/0xc0
[  337.427976]  snd_pcm_sync_ptr+0x318/0x5d0
[  337.427980]  snd_pcm_common_ioctl+0x106c/0x16a0
[  337.427986]  snd_pcm_ioctl+0x5c/0x80
[  337.427991]  __arm64_sys_ioctl+0xd8/0x120
[  337.427996]  invoke_syscall+0x68/0x190
[  337.428002]  el0_svc_common.constprop.0+0x130/0x160
[  337.428008]  do_el0_svc+0x8c/0xc0
[  337.428013]  el0_svc+0x3c/0x80
[  337.428017]  el0t_64_sync_handler+0xa4/0x130
[  337.428021]  el0t_64_sync+0x1a4/0x1a8

[  337.428025] The buggy address belongs to the object at ffff000132055400
                which belongs to the cache kmalloc-256 of size 256
[  337.428030] The buggy address is located 40 bytes inside of
                256-byte region [ffff000132055400, ffff000132055500)
[  337.428034] The buggy address belongs to the page:
[  337.428037] page:00000000da2e87dd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b2054
[  337.428043] head:00000000da2e87dd order:1 compound_mapcount:0
[  337.428046] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff)
[  337.428058] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff000080002480
[  337.428063] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[  337.428066] page dumped because: kasan: bad access detected

[  337.428069] Memory state around the buggy address:
[  337.428072]  ffff000132055300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  337.428076]  ffff000132055380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  337.428079] >ffff000132055400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  337.428082]                                   ^
[  337.428084]  ffff000132055480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  337.428088]  ffff000132055500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  337.428090] ==================================================================
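
The race the report describes, as an added user-space model that is not code from the driver, the patch or the post: the descriptor is freed by terminate_all while the softirq tasklet still holds a pointer to it through vc->cyclic, and the fix parks the descriptor instead and clears that pointer. A small shadow table stands in for KASAN so the stale access is detected without dereferencing freed memory; all `_sim` names are hypothetical stand-ins for the kernel helpers they are named after, and the IRQ/tasklet interleaving is constructed to match the allocation and free stacks above.

```c
/*
 * Added example, not code from the driver or the post: a user-space model of
 * the descriptor lifetime bug in the report. shadow[] plays the role of KASAN
 * (which slots are live), so a stale access is detected without touching freed
 * memory. The _sim names are hypothetical stand-ins for the kernel helpers
 * they are named after; the IRQ/tasklet interleaving is constructed.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_DESC 8
enum slot_state { SLOT_UNUSED, SLOT_LIVE, SLOT_FREED };

struct vdesc_sim { int id; int period_hits; };
struct vchan_sim {
	struct vdesc_sim *cyclic;                /* virt_dma_chan.cyclic */
	struct vdesc_sim *terminated[MAX_DESC];  /* vc->desc_terminated */
	int nr_terminated;
	int uaf_reports;                         /* what KASAN would print */
};

static enum slot_state shadow[MAX_DESC];     /* toy KASAN shadow, by id */
static struct vdesc_sim pool[MAX_DESC];

/* kzalloc() stand-in: hand out the first unused slot and mark it live. */
static struct vdesc_sim *desc_alloc_sim(void)
{
	for (int i = 0; i < MAX_DESC; i++)
		if (shadow[i] == SLOT_UNUSED) {
			memset(&pool[i], 0, sizeof(pool[i]));
			pool[i].id = i;
			shadow[i] = SLOT_LIVE;
			return &pool[i];
		}
	return NULL;
}

/* kfree() stand-in: poison the slot; it stays addressable, as under KASAN. */
static void desc_free_sim(struct vdesc_sim *vd) { shadow[vd->id] = SLOT_FREED; }

/* The tasklet (vchan_complete): pick up the descriptor the ISR stored in
 * vc->cyclic and touch it. A freed slot counts as one KASAN report. */
static void tasklet_vchan_complete_sim(struct vchan_sim *vc)
{
	struct vdesc_sim *vd = vc->cyclic;
	vc->cyclic = NULL;
	if (vd && shadow[vd->id] != SLOT_LIVE)
		vc->uaf_reports++;       /* KASAN: use-after-free in vchan_complete */
	else if (vd)
		vd->period_hits++;
}

/* Pre-patch tegra_adma_stop(): kfree() now, vc->cyclic left dangling. */
static void stop_buggy_sim(struct vdesc_sim **desc)
{
	desc_free_sim(*desc);
	*desc = NULL;
}

/* Patched stop, modelled on vchan_terminate_vdesc(): park the descriptor on
 * the terminated list and clear vc->cyclic so a pending tasklet sees NULL. */
static void stop_fixed_sim(struct vchan_sim *vc, struct vdesc_sim **desc)
{
	struct vdesc_sim *vd = *desc;
	vc->terminated[vc->nr_terminated++] = vd;
	if (vc->cyclic == vd)
		vc->cyclic = NULL;
	*desc = NULL;
}

/* The interleaving from the report: a period IRQ schedules the tasklet,
 * snd_pcm_stop -> terminate_all runs first, then the softirq, then
 * vchan_synchronize() frees whatever was parked. Returns the KASAN-style
 * report count; *leaked_out receives the number of slots never freed. */
static int run_race_sim(bool fixed, int *leaked_out)
{
	struct vchan_sim vc;
	struct vdesc_sim *tdc_desc;
	int leaked = 0;
	memset(shadow, 0, sizeof(shadow));
	memset(&vc, 0, sizeof(vc));
	tdc_desc = desc_alloc_sim();               /* tegra_adma_prep_dma_cyclic */
	vc.cyclic = tdc_desc;                      /* ISR: tasklet now pending */
	if (fixed)
		stop_fixed_sim(&vc, &tdc_desc);
	else
		stop_buggy_sim(&tdc_desc);
	tasklet_vchan_complete_sim(&vc);           /* softirq runs after stop */
	for (int i = 0; i < vc.nr_terminated; i++) /* vchan_synchronize() */
		desc_free_sim(vc.terminated[i]);
	for (int i = 0; i < MAX_DESC; i++)
		leaked += shadow[i] == SLOT_LIVE;
	if (leaked_out)
		*leaked_out = leaked;
	return vc.uaf_reports;
}

int main(void)
{
	int leaked, reports;
	reports = run_race_sim(false, &leaked);
	printf("buggy stop: %d KASAN report(s)\n", reports);
	reports = run_race_sim(true, &leaked);
	printf("fixed stop: %d KASAN report(s), %d descriptor(s) leaked\n", reports, leaked);
	return 0;
}
```

The buggy path produces one report and the fixed path none; the leak counter is there because deferring the free only works if something later drains the terminated list, which in the real driver is the device_synchronize hook.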

*** Please note that this reply is generated by LLM automatically ***

Based on the provided context, it appears that you are working with the Jetson Orin NX series and have encountered a Use-After-Free (UAF) bug in a driver. You have attached the KASAN report, repro script, and a proposed patch.

To address this issue, I would recommend the following steps:

  1. Review the KASAN report: Carefully examine the report to understand the nature of the UAF bug, including the affected driver, the memory location, and the sequence of events leading to the bug.
  2. Analyze the repro script: Study the repro script to understand how to reproduce the bug. This will help you to identify the root cause of the issue and verify the effectiveness of the proposed patch.
  3. Evaluate the proposed patch: Review the proposed patch to ensure it correctly addresses the UAF bug. Check if the patch properly fixes the memory leak or incorrect memory access that led to the bug.
  4. Test the patch: Apply the patch and re-run the repro script to verify that the bug is fixed. Additionally, perform thorough testing to ensure that the patch does not introduce any new issues or regressions.
  5. Submit the patch for review: Once you have verified the effectiveness of the patch, submit it for review to the relevant maintainers or mailing lists. This will help to ensure that the patch is properly reviewed and integrated into the mainline kernel.

In terms of comparing the Jetson Orin NX series to other Jetson modules, it’s worth noting that the UAF bug and the proposed patch may be specific to the Jetson Orin NX series. However, if the bug is related to a common driver or component, it’s possible that other Jetson modules may also be affected.

To determine if other Jetson modules are affected, you can:

  1. Check the KASAN report: Verify if the KASAN report mentions any specific hardware or module-related information that may indicate if the bug is unique to the Jetson Orin NX series.
  2. Consult the Jetson documentation: Review the documentation for other Jetson modules, such as the Jetson AGX Orin series or the Jetson Nano series, to see if they share similar drivers or components that may be affected by the UAF bug.
  3. Test other Jetson modules: If possible, test the repro script on other Jetson modules to determine if they are also affected by the UAF bug.

By following these steps, you can effectively address the UAF bug in the driver and ensure that the proposed patch is properly reviewed and integrated into the mainline kernel.


Hi,
Thanks for sharing the patch. We will check it with our teams.

Hi nathan,

Thanks for these inputs. We will check on our end and if required will push this fix for upstream.

Thanks, any update on this?

Hi, we have prepared the patch and it is ready to push upstream in a day or two. I will post the upstream review link once we have it pushed.

We have pushed it to upstream review; please take the patch and check if you still see the issue.

dmaengine: tegra-adma: Fix use-after-free - Patchwork
