kernel-packages team mailing list archive - Message #180155
[Bug 1582864] Re: use after free of BOS in usb_reset_and_verify_device
It'd be helpful if this memory corruption regression could be
accelerated. It means that unplugging a USB3 device can mess up the
memory enough that file lookups that happen afterwards break if apparmor
is enabled - just because the allocation size is similar by chance. The
resulting oops is very misleading and it took a long time to track this
down. It also causes process hangs. Thanks.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1582864
Title:
use after free of BOS in usb_reset_and_verify_device
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Trusty:
Fix Committed
Status in linux source package in Vivid:
Fix Committed
Status in linux source package in Wily:
Fix Committed
Bug description:
Should be fixed with upstream commit
e5bdfd50d6f76077bf8441d130c606229e100d40, which reverts upstream
commit d8f00cd685f5c8e0def8593e520a7fef12c22407.
With slub_debug enabled, this manifests as a dereference of 0x6b6b... in usb_disable_ltm (0x6b is SLUB's free-object poison byte, so the pointer was read from an object that had already been freed):
[ 218.235302] general protection fault: 0000 [#1] SMP
[ 218.235311] Modules linked in: usb_storage tcp_diag inet_diag iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables autofs4 rpcsec_gss_krb5 rfcomm bnep bluetooth snd_hda_codec_hdmi binfmt_misc nvidia(POX) snd_hda_codec_realtek snd_hda_intel snd_usb_audio snd_hda_codec snd_usbmidi_lib uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core snd_hwdep snd_seq_midi joydev snd_pcm videodev snd_page_alloc snd_seq_midi_event nfsd snd_rawmidi snd_seq auth_rpcgss parport_pc nfs_acl ppdev nfs lockd sunrpc fscache honeevent(OX) snd_seq_device snd_timer snd drm lp parport sb_edac mei_me hp_wmi sparse_keymap gpio_ich hpuefi(OX) intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm soundcore edac_core mei serio_raw tpm_infineon lpc_ich mac_hid wmi shpchp dm_crypt hid_generic usbhid hid crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse isci e1000e ahci libsas libahci ptp pps_core scsi_transport_sas pata_acpi
[ 218.235410] CPU: 15 PID: 243 Comm: khubd Tainted: P OX 3.13.0-85-generic #129-Ubuntu
[ 218.235414] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
[ 218.235418] task: ffff8807eff98000 ti: ffff8807effa0000 task.ti: ffff8807effa0000
[ 218.235421] RIP: 0010:[<ffffffff815444b6>] [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
[ 218.235437] RSP: 0018:ffff8807effa1cd0 EFLAGS: 00010202
[ 218.235440] RAX: 0000000000000000 RBX: ffff8807ea532e68 RCX: 0000000000000000
[ 218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
[ 218.235446] RBP: ffff8807effa1d08 R08: 0000000000000000 R09: 0000000000000000
[ 218.235449] R10: ffff8807ff804240 R11: ffffffff8136d2a1 R12: 0000000000000000
[ 218.235451] R13: ffff8807ebddd480 R14: 0000000000000001 R15: 0000000000000012
[ 218.235455] FS: 0000000000000000(0000) GS:ffff88101fce0000(0000) knlGS:0000000000000000
[ 218.235458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 218.235461] CR2: 00000000013b1c08 CR3: 0000000001c0e000 CR4: 00000000000407e0
[ 218.235463] Stack:
[ 218.235465] ffffffff81551236 ffff8807ea532ef0 0000000000000000 ffff8807ea532e68
[ 218.235476] ffff8807ea532ef0 ffff8807ebddbf60 0000000000000000 ffff8807effa1d48
[ 218.235483] ffffffff81545c4d ffff8807ea532f50 ffff8807ebddb4d0 00000000000002a0
[ 218.235490] Call Trace:
[ 218.235499] [<ffffffff81551236>] ? usb_disable_device+0x126/0x290
[ 218.235506] [<ffffffff81545c4d>] usb_disconnect+0xad/0x200
[ 218.235511] [<ffffffff815487d3>] hub_port_connect_change+0xd3/0xb20
[ 218.235518] [<ffffffff8154333d>] ? hub_port_status+0xdd/0x120
[ 218.235523] [<ffffffff815496f4>] hub_events+0x4d4/0xa20
[ 218.235528] [<ffffffff81549c75>] hub_thread+0x35/0x160
[ 218.235535] [<ffffffff810add60>] ? prepare_to_wait_event+0x100/0x100
[ 218.235540] [<ffffffff81549c40>] ? hub_events+0xa20/0xa20
[ 218.235549] [<ffffffff8108deb2>] kthread+0xd2/0xf0
[ 218.235554] [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
[ 218.235564] [<ffffffff8173c2e8>] ret_from_fork+0x58/0x90
[ 218.235570] [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
[ 218.235572] Code: e9 48 8b 52 10 48 85 d2 74 e0 f6 42 03 02 74 da 83 7f 1c 05 75 d4 48 8b 97 40 03 00 00 48 85 d2 74 c8 48 8b 52 10 48 85 d2 74 bf <f6> 42 03 02 74 b9 48 83 bf 50 03 00 00 00 74 af 55 45 31 c9 41
[ 218.235618] RIP [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
[ 218.235624] RSP <ffff8807effa1cd0>
[ 218.235655] ---[ end trace 954cac763165b767 ]---
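To make the slub_debug signature above mechanically recognisable, here is a small oops triage script (added here as an example; it is not part of the bug report or of the kernel). It parses the x86-64 register dump and call trace, flags any register that holds a repeated SLUB poison byte, and names the faulting symbol; the embedded input is an excerpt of the first trace quoted in this report.

```python
import re

# SLUB poison bytes (slub_debug=P). A pointer made of one repeated poison byte
# was read from memory the allocator had already marked free or never initialised.
POISON = {0x6b: "POISON_FREE (object already freed)",
          0x5a: "POISON_INUSE (object allocated but never written)"}

REG_RE = re.compile(r"\b(R[A-D]X|R[SD]I|R[BS]P|R1[0-5]|R[89]): ([0-9a-f]{16})")
SYM_RE = re.compile(r"\[<[0-9a-f]+>\]\s+(\?\s+)?([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")

# Excerpt of the slub_debug oops quoted in the bug report above.
OOPS = """\
[  218.235302] general protection fault: 0000 [#1] SMP
[  218.235421] RIP: 0010:[<ffffffff815444b6>]  [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
[  218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
[  218.235490] Call Trace:
[  218.235499]  [<ffffffff81551236>] ? usb_disable_device+0x126/0x290
[  218.235506]  [<ffffffff81545c4d>] usb_disconnect+0xad/0x200
[  218.235511]  [<ffffffff815487d3>] hub_port_connect_change+0xd3/0xb20
[  218.235572] Code: e9 48 8b 52 10 48 85 d2 74 e0
""".splitlines()

def poison_kind(value):
    """Return the poison description if all 8 bytes of value are one poison byte."""
    b = value & 0xff
    if value == int.from_bytes(bytes([b]) * 8, "little"):
        return POISON.get(b)  # 0x6b6b... is also non-canonical, hence a #GP, not a page fault
    return None

def triage_oops(lines):
    """Summarise one x86-64 oops: faulting symbol, poisoned registers, call chain."""
    result = {"fault": None, "poisoned": {}, "trace": []}
    in_trace = False
    for line in lines:
        if "RIP:" in line and (m := SYM_RE.search(line)):
            result["fault"] = (m.group(2), int(m.group(3), 16), int(m.group(4), 16))
        for name, hexval in REG_RE.findall(line):
            if kind := poison_kind(int(hexval, 16)):
                result["poisoned"][name] = kind
        if "Call Trace:" in line:
            in_trace = True
            continue
        if in_trace:
            m = SYM_RE.search(line)
            if not m:
                in_trace = False  # "Code:" or similar ends the trace
                continue
            # A leading "?" marks a frame the unwinder could not verify.
            result["trace"].append((m.group(2), m.group(1) is None))
    return result

def verdict(summary):
    """One-line diagnosis from the parsed summary."""
    regs = summary["poisoned"]
    if any(v.startswith("POISON_FREE") for v in regs.values()):
        sym = summary["fault"][0] if summary["fault"] else "?"
        return "use-after-free: %s dereferenced freed-object poison in %s" % (sym, ", ".join(sorted(regs)))
    if regs:
        return "uninitialised read: poison in " + ", ".join(sorted(regs))
    return "no slub poison seen; boot with slub_debug=P to classify"

if __name__ == "__main__":
    print(verdict(triage_oops(OOPS)))
```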
Without slub_debug you end up with a double free that corrupts the allocator, and apparmor tends to be the first one to notice:
[ 574.027518] hub 4-0:1.0: Cannot enable port 3. Maybe the USB cable is bad?
[ 574.548076] usb 4-3: USB disconnect, device number 2
[ 576.040995] ------------[ cut here ]------------
[ 576.041003] WARNING: CPU: 17 PID: 11627 at /build/linux-03BQvT/linux-3.13.0/include/linux/kref.h:47 apparmor_file_alloc_security+0x167/0x180()
[ 576.041005] Modules linked in: tcp_diag inet_diag xt_u32 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables xt_NFLOG xt_tcpudp xt_comment ipt_REJECT xt_multiport xt_connmark xt_conntrack xt_mark iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables pci_stub vboxpci(OX) vboxnetadp(OX) vboxnetflt(OX) vboxdrv(OX) nfnetlink_log nfnetlink autofs4 rfcomm bnep bluetooth binfmt_misc honeevent(OX) rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc fscache snd_hda_codec_hdmi snd_hda_codec_realtek nvidia(POX) snd_hda_intel parport_pc snd_hda_codec ppdev lp snd_hwdep snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd mei_me parport gpio_ich hpuefi(OX) sb_edac edac_core lpc_ich drm mei joydev hp_wmi sparse_keymap tpm_infineon soundcore mac_hid intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw serio_raw gf128mul glue_helper ablk_helper cryptd shpchp wmi hid_generic usbhid hid psmouse e1000e isci ahci libsas ptp libahci scsi_transport_sas pps_core pata_acpi
[ 576.041068] CPU: 17 PID: 11627 Comm: at-spi-bus-laun Tainted: P OX 3.13.0-83-generic #127-Ubuntu
[ 576.041070] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
[ 576.041071] 0000000000000009 ffff880efd08fcf0 ffffffff81725992 0000000000000000
[ 576.041076] ffff880efd08fd28 ffffffff8106790d ffff8807ff810430 ffff880035d22a00
[ 576.041079] ffff880f63216000 ffff880efd08ff2c 00000000ffffff9c ffff880efd08fd38
[ 576.041082] Call Trace:
[ 576.041088] [<ffffffff81725992>] dump_stack+0x45/0x56
[ 576.041091] [<ffffffff8106790d>] warn_slowpath_common+0x7d/0xa0
[ 576.041094] [<ffffffff810679ea>] warn_slowpath_null+0x1a/0x20
[ 576.041096] [<ffffffff81316b67>] apparmor_file_alloc_security+0x167/0x180
[ 576.041100] [<ffffffff812d9076>] security_file_alloc+0x16/0x20
[ 576.041105] [<ffffffff811c04e0>] get_empty_filp+0x90/0x180
[ 576.041108] [<ffffffff811ce00d>] path_openat+0x3d/0x640
[ 576.041111] [<ffffffff811cd7db>] ? filename_lookup+0x2b/0xc0
[ 576.041114] [<ffffffff811cf47a>] do_filp_open+0x3a/0x90
[ 576.041116] [<ffffffff811c83a7>] ? path_get+0x27/0x30
[ 576.041120] [<ffffffff810fed4d>] ? __audit_getname+0x9d/0xa0
[ 576.041123] [<ffffffff811dc2d7>] ? __alloc_fd+0xa7/0x130
[ 576.041126] [<ffffffff811bda09>] do_sys_open+0x129/0x280
[ 576.041128] [<ffffffff811bdb7e>] SyS_open+0x1e/0x20
[ 576.041131] [<ffffffff8173659d>] system_call_fastpath+0x1a/0x1f
[ 576.041133] ---[ end trace 5de8dc1cac0eb1c6 ]---
[ 576.041171] BUG: unable to handle kernel paging request at 000000000000472e
[ 576.041174] IP: [<ffffffff811a38b0>] kmem_cache_alloc_trace+0x80/0x1f0
[ 576.041177] PGD 0
[ 576.041179] Oops: 0000 [#1] SMP