KASAN use-after-free in idempotent_init_module() when reloading rtl8812au (88XXau) after a fuzzing run — dmesg:
[ 3369.295177] BUG: KASAN: use-after-free in idempotent_init_module+0x5d0/0x750
[ 3369.295186] Read of size 8 at addr ffff88814c2afde8 by task insmod/17523
While fuzzing the rtl8812au (88XXau) driver and then unloading/reloading it, I found a use-after-free reported by KASAN in dmesg. Note that this is already "Oops: 0000 [#2]" with the "D" (die) taint flag set, so an earlier oops preceded it and is not in this excerpt; the faulting address ffff88814c2afde8 lies in the same page (pfn 0x14c2af) as the RSP/RBP of the insmod task shown at the end of the log, which suggests the freed memory is the kernel stack of an insmod that died inside module init (the trailing "init_hal_spec_8812a" frame, "exited with irqs disabled", "preempt_count 1"). The core-kernel idempotent_init_module() read is therefore most likely a consequence of that first crash rather than an independent bug; the full first oops should be attached for triage. Full log follows:
[ 3369.295177] BUG: KASAN: use-after-free in idempotent_init_module+0x5d0/0x750
[ 3369.295186] Read of size 8 at addr ffff88814c2afde8 by task insmod/17523
[ 3369.295192] CPU: 11 PID: 17523 Comm: insmod Tainted: G D OE 6.6.58 #1
[ 3369.295196] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 3369.295199] Call Trace:
[ 3369.295201]
[ 3369.295203] dump_stack_lvl+0x48/0x70
[ 3369.295209] print_report+0xcf/0x630
[ 3369.295214] ? idempotent_init_module+0x5d0/0x750
[ 3369.295218] ? kasan_addr_to_slab+0xd/0xb0
[ 3369.295221] ? idempotent_init_module+0x5d0/0x750
[ 3369.295225] kasan_report+0xaf/0x100
[ 3369.295229] ? idempotent_init_module+0x5d0/0x750
[ 3369.295233] __asan_report_load8_noabort+0x14/0x30
[ 3369.295236] idempotent_init_module+0x5d0/0x750
[ 3369.295240] ? __pfx_idempotent_init_module+0x10/0x10
[ 3369.295244] ? __fget_light+0x5c/0x590
[ 3369.295248] ? security_capable+0x5c/0xb0
[ 3369.295253] __x64_sys_finit_module+0xc0/0x140
[ 3369.295257] x64_sys_call+0xd32/0x25a0
[ 3369.295261] do_syscall_64+0x56/0x90
[ 3369.295265] ? exit_to_user_mode_prepare+0x49/0x220
[ 3369.295270] ? irqentry_exit_to_user_mode+0x10/0x30
[ 3369.295274] ? irqentry_exit+0x43/0x50
[ 3369.295278] ? exc_page_fault+0x7d/0x110
[ 3369.295282] entry_SYSCALL_64_after_hwframe+0x78/0xe2
[ 3369.295287] RIP: 0033:0x779e7111e88d
[ 3369.295291] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
[ 3369.295295] RSP: 002b:00007ffe72dda058 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 3369.295300] RAX: ffffffffffffffda RBX: 00005bc946e26770 RCX: 0000779e7111e88d
[ 3369.295303] RDX: 0000000000000000 RSI: 00005bc92036acd2 RDI: 0000000000000003
[ 3369.295305] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 3369.295307] R10: 0000000000000003 R11: 0000000000000246 R12: 00005bc92036acd2
[ 3369.295309] R13: 00005bc946e2a2a0 R14: 00005bc920369888 R15: 00005bc946e26880
[ 3369.295314]
[ 3369.295318] The buggy address belongs to the physical page:
[ 3369.295320] page:ffffea000530abc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x200000000 pfn:0x14c2af
[ 3369.295324] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[ 3369.295328] page_type: 0xffffffff()
[ 3369.295331] raw: 0017ffffc0000000 0000000000000000 ffffea000530abc8 0000000000000000
[ 3369.295334] raw: 0000000200000000 0000000000000000 00000000ffffffff 0000000000000000
[ 3369.295336] page dumped because: kasan: bad access detected
[ 3369.295339] Memory state around the buggy address:
[ 3369.295341] ffff88814c2afc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 3369.295344] ffff88814c2afd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 3369.295346] >ffff88814c2afd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 3369.295348] ^
[ 3369.295350] ffff88814c2afe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 3369.295353] ffff88814c2afe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 3369.295354] ==================================================================
[ 3369.295359] BUG: unable to handle page fault for address: ffff88814c2afde8
[ 3369.295362] #PF: supervisor read access in kernel mode
[ 3369.295364] #PF: error_code(0x0000) - not-present page
[ 3369.295367] PGD 70c001067 P4D 70c001067 PUD 8bfb58067 PMD 8bfaf6067 PTE 800ffffeb3d50060
[ 3369.295375] Oops: 0000 [#2] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 3369.295378] CPU: 11 PID: 17523 Comm: insmod Tainted: G B D OE 6.6.58 #1
[ 3369.295381] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 3369.295383] RIP: 0010:idempotent_init_module+0x1ad/0x750
[ 3369.295387] Code: 84 92 01 00 00 48 89 d3 48 83 eb 08 74 4a 49 bd 00 00 00 00 00 fc ff df 48 89 de 48 c1 ee 03 42 80 3c 2e 00 0f 85 06 04 00 00 <48> 3b 0b 0f 84 96 00 00 00 48 8d 7b 08 48 89 fe 48 c1 ee 03 42 80
[ 3369.295391] RSP: 0018:ffff88823fe9fd70 EFLAGS: 00010246
[ 3369.295394] RAX: 0000000000000000 RBX: ffff88814c2afde8 RCX: ffff88836ba715d0
[ 3369.295396] RDX: ffff88814c2afdf0 RSI: 0000000000000000 RDI: 0000000000000000
[ 3369.295398] RBP: ffff88823fe9fe68 R08: ffff8883769ec740 R09: 0000000000000000
[ 3369.295400] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa696d960
[ 3369.295402] R13: dffffc0000000000 R14: 00000000000000bc R15: ffff88823fe9fe40
[ 3369.295405] FS: 0000779e718eac40(0000) GS:ffff88885c580000(0000) knlGS:0000000000000000
[ 3369.295407] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3369.295410] CR2: ffff88814c2afde8 CR3: 0000000143234000 CR4: 0000000000f50ee0
[ 3369.295413] PKRU: 55555554
[ 3369.295414] Call Trace:
[ 3369.295416]
[ 3369.295418] ? show_regs+0x72/0x90
[ 3369.295421] ? __die+0x25/0x80
[ 3369.295424] ? page_fault_oops+0x266/0x930
[ 3369.295428] ? __pfx_page_fault_oops+0x10/0x10
[ 3369.295431] ? idempotent_init_module+0x1ad/0x750
[ 3369.295435] ? __pfx_is_prefetch.constprop.0+0x10/0x10
[ 3369.295438] ? search_bpf_extables+0x128/0x190
[ 3369.295442] ? vprintk_emit+0x1fa/0x4a0
[ 3369.295446] ? idempotent_init_module+0x1ad/0x750
[ 3369.295449] ? search_exception_tables+0x67/0x80
[ 3369.295452] ? fixup_exception+0x4e/0xb70
[ 3369.295456] ? kernelmode_fixup_or_oops.constprop.0+0x8b/0xb0
[ 3369.295460] ? __bad_area_nosemaphore+0x282/0x5a0
[ 3369.295463] ? bad_area_nosemaphore+0x16/0x30
[ 3369.295467] ? do_kern_addr_fault+0x9d/0xd0
[ 3369.295470] ? exc_page_fault+0xfe/0x110
[ 3369.295474] ? asm_exc_page_fault+0x27/0x30
[ 3369.295477] ? idempotent_init_module+0x1ad/0x750
[ 3369.295481] ? __pfx_idempotent_init_module+0x10/0x10
[ 3369.295485] ? __fget_light+0x5c/0x590
[ 3369.295488] ? security_capable+0x5c/0xb0
[ 3369.295492] __x64_sys_finit_module+0xc0/0x140
[ 3369.295496] x64_sys_call+0xd32/0x25a0
[ 3369.295499] do_syscall_64+0x56/0x90
[ 3369.295503] ? exit_to_user_mode_prepare+0x49/0x220
[ 3369.295507] ? irqentry_exit_to_user_mode+0x10/0x30
[ 3369.295511] ? irqentry_exit+0x43/0x50
[ 3369.295515] ? exc_page_fault+0x7d/0x110
[ 3369.295519] entry_SYSCALL_64_after_hwframe+0x78/0xe2
[ 3369.295524] RIP: 0033:0x779e7111e88d
[ 3369.295526] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
[ 3369.295529] RSP: 002b:00007ffe72dda058 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 3369.295533] RAX: ffffffffffffffda RBX: 00005bc946e26770 RCX: 0000779e7111e88d
[ 3369.295535] RDX: 0000000000000000 RSI: 00005bc92036acd2 RDI: 0000000000000003
[ 3369.295537] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 3369.295539] R10: 0000000000000003 R11: 0000000000000246 R12: 00005bc92036acd2
[ 3369.295541] R13: 00005bc946e2a2a0 R14: 00005bc920369888 R15: 00005bc946e26880
[ 3369.295545]
[ 3369.295546] Modules linked in: 88XXau(OE) tcp_diag inet_diag rfcomm ccm cmac algif_hash algif_skcipher af_alg bnep binfmt_misc nls_iso8859_1 amdgpu snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_generic_allocation soundwire_bus snd_soc_core snd_compress intel_rapl_msr ac97_bus intel_rapl_common snd_pcm_dmaengine intel_uncore_frequency intel_uncore_frequency_common drm_exec amdxcp snd_hda_codec_realtek snd_hda_codec_generic drm_buddy x86_pkg_temp_thermal ledtrig_audio intel_powerclamp snd_hda_codec_hdmi gpu_sched snd_hda_intel coretemp iwlmvm drm_suballoc_helper snd_intel_dspcfg snd_intel_sdw_acpi drm_ttm_helper kvm_intel snd_hda_codec snd_hda_core btusb mac80211 ttm btrtl kvm drm_display_helper btintel snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event libarc4 pmt_telemetry pmt_class cec
[ 3369.295625] irqbypass btbcm snd_rawmidi btmtk crct10dif_pclmul bluetooth polyval_clmulni rc_core polyval_generic snd_seq ghash_clmulni_intel sha256_ssse3 i2c_algo_bit sha1_ssse3 aesni_intel snd_seq_device crypto_simd snd_timer cryptd snd iwlwifi acpi_tad mei_me soundcore rapl cmdlinepart intel_cstate ee1004 mei spi_nor cfg80211 mtd ecdh_generic ecc intel_hid joydev input_leds sparse_keymap mac_hid intel_pmc_core acpi_pad gigabyte_wmi wmi_bmof sch_fq_codel intel_vsec ipmi_devintf ipmi_msghandler msr parport_pc ppdev lp pstore_blk pstore_zone parport efi_pstore ramoops reed_solomon ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul nvme r8169 spi_intel_pci i2c_i801 ahci intel_lpss_pci spi_intel i2c_smbus xhci_pci intel_lpss realtek nvme_core libahci xhci_pci_renesas idma64 video wmi pinctrl_alderlake [88XXau(OE)]
[ 3369.295714] CR2: ffff88814c2afde8
[ 3369.295717] ---[ end trace 0000000000000000 ]---
[ 3372.332121] RIP: 0010:init_hal_spec_8812a+0x15/0xff0 [88XXau]
[ 3372.332140] Code: Unable to access opcode bytes at 0xffffffffc566fffb.
[ 3372.332143] RSP: 0018:ffff88814c2af7e0 EFLAGS: 00010246
[ 3372.332150] RAX: 0000000000000019 RBX: 0000000000000000 RCX: 0000000000000000
[ 3372.332154] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 3372.332157] RBP: ffff88814c2af7e0 R08: 0000000000000000 R09: 0000000000000000
[ 3372.332161] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff11029855eff
[ 3372.332164] R13: ffffffffc5670010 R14: ffff88814c2af898 R15: ffffffffc5660100
[ 3372.332168] FS: 0000779e718eac40(0000) GS:ffff88885c580000(0000) knlGS:0000000000000000
[ 3372.332172] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3372.332175] CR2: ffffffffc566fffb CR3: 0000000143234000 CR4: 0000000000f50ee0
[ 3372.332179] PKRU: 55555554
[ 3372.332183] note: insmod[17523] exited with irqs disabled
[ 3372.332238] note: insmod[17523] exited with preempt_count 1