
Issue 700041


Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

BUG: KASAN: use-after-free in xhci_free_virt_devices_depth_first

Reported by groeck@chromium.org (Project Member), Mar 9 2017

Issue description

While running the following script on kevin

# Unbind and rebind every USB device under the rockchip-dwc3 driver, once a second.
while true
do
    for i in /sys/bus/platform/drivers/rockchip-dwc3/usb*; do
        basename "$i" > "$(dirname "$i")/unbind"
        basename "$i" > "$(dirname "$i")/bind"
    done
    sleep 1
done

the following use-after-free was seen. Subsequently the system crashed.

[28162.977974] ==================================================================
[28162.985213] BUG: KASAN: use-after-free in xhci_free_virt_devices_depth_first+0x7c/0x140 at addr ffffffc0591799d0
[28162.995376] Read of size 8 by task basename/30771
[28163.000076] =============================================================================
[28163.008245] BUG kmalloc-2048 (Not tainted): kasan: bad access detected
[28163.014764] -----------------------------------------------------------------------------
[28163.014764] 
[28163.024404] Disabling lock debugging due to kernel taint
[28163.029718] INFO: Allocated in usb_alloc_dev+0x54/0x488 age=827 cpu=3 pid=13292
[28163.037021]  alloc_debug_processing+0x124/0x178
[28163.041551]  ___slab_alloc.constprop.58+0x4f4/0x5f8
[28163.046428]  __slab_alloc.isra.55.constprop.57+0x44/0x54
[28163.051737]  kmem_cache_alloc_trace+0xd4/0x260
[28163.056180]  usb_alloc_dev+0x54/0x488
[28163.059842]  hub_event+0xb4c/0x12a4
[28163.063332]  process_one_work+0x390/0x6b8
[28163.067342]  worker_thread+0x480/0x610
[28163.071091]  kthread+0x164/0x178
[28163.074319]  ret_from_fork+0x10/0x40
[28163.077897] INFO: Freed in usb_release_dev+0x7c/0x8c age=273 cpu=2 pid=30767
[28163.084940]  free_debug_processing+0x278/0x37c
[28163.089382]  __slab_free+0x84/0x400
[28163.092871]  kfree+0x1fc/0x268
[28163.095926]  usb_release_dev+0x7c/0x8c
[28163.099675]  device_release+0x8c/0xd4
[28163.103340]  kobject_release+0x78/0x94
[28163.107089]  kobject_put+0x5c/0x68
[28163.110491]  put_device+0x24/0x30
[28163.113807]  usb_disconnect+0x270/0x28c
[28163.117641]  usb_disconnect+0xcc/0x28c
[28163.121391]  usb_remove_hcd+0x10c/0x2a8
[28163.125227]  xhci_plat_remove+0xbc/0x104
[28163.129150]  platform_drv_remove+0x48/0x6c
[28163.133246]  __device_release_driver+0x10c/0x1a8
[28163.137864]  device_release_driver+0x2c/0x40
[28163.142134]  bus_remove_device+0x1d8/0x200
[28163.146231] INFO: Slab 0xffffffbdc164de00 objects=13 used=10 fp=0xffffffc05917c280 flags=0x4080
[28163.154920] INFO: Object 0xffffffc059179300 @offset=4864 fp=0x          (null)
[28163.154920] 
[28163.163612] Bytes b4 ffffffc0591792f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[28163.173082] Object ffffffc059179300: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
...
[28164.587128] CPU: 4 PID: 30771 Comm: basename Tainted: G    B           4.4.52 #507
[28164.594688] Hardware name: Google Kevin (DT)
[28164.598955] Call trace:
[28164.601408] [<ffffffc00020a6b4>] dump_backtrace+0x0/0x190
[28164.606807] [<ffffffc00020a864>] show_stack+0x20/0x28
[28164.611858] [<ffffffc0005d1a94>] dump_stack+0xa4/0xcc
[28164.616910] [<ffffffc0003c9b64>] print_trailer+0x158/0x168
[28164.622394] [<ffffffc0003c9d08>] object_err+0x4c/0x5c
[28164.627444] [<ffffffc0003cfb1c>] kasan_report+0x330/0x4ec
[28164.632842] [<ffffffc0003ced60>] __asan_load8+0x78/0x80
[28164.638068] [<ffffffc00084fd78>] xhci_free_virt_devices_depth_first+0x7c/0x140
[28164.645287] [<ffffffc0008503c8>] xhci_mem_cleanup+0x2ac/0x830
[28164.651031] [<ffffffc0008464cc>] xhci_stop+0x1dc/0x224
[28164.656169] [<ffffffc000806f40>] usb_remove_hcd+0x160/0x2a8
[28164.661741] [<ffffffc00085eab8>] xhci_plat_remove+0xbc/0x104
[28164.667399] [<ffffffc00077ad68>] platform_drv_remove+0x48/0x6c
[28164.673230] [<ffffffc000778648>] __device_release_driver+0x10c/0x1a8
[28164.679581] [<ffffffc000778710>] device_release_driver+0x2c/0x40
[28164.685586] [<ffffffc000777308>] bus_remove_device+0x1d8/0x200
[28164.691416] [<ffffffc0007733cc>] device_del+0x218/0x2d0
[28164.696642] [<ffffffc00077ab50>] platform_device_del+0x2c/0xd4
[28164.702473] [<ffffffc00077ac18>] platform_device_unregister+0x20/0x34
[28164.708911] [<ffffffc000824764>] dwc3_host_exit+0xbc/0xd0
[28164.714308] [<ffffffc0008206ac>] dwc3_remove+0x90/0xe4
[28164.719446] [<ffffffc00077ad68>] platform_drv_remove+0x48/0x6c
[28164.725277] [<ffffffc000778648>] __device_release_driver+0x10c/0x1a8
[28164.731627] [<ffffffc000778710>] device_release_driver+0x2c/0x40
[28164.737631] [<ffffffc000777308>] bus_remove_device+0x1d8/0x200
[28164.743462] [<ffffffc0007733cc>] device_del+0x218/0x2d0
[28164.748686] [<ffffffc00077ab50>] platform_device_del+0x2c/0xd4
[28164.754518] [<ffffffc00077ac18>] platform_device_unregister+0x20/0x34
[28164.760957] [<ffffffc00099ad90>] of_platform_device_destroy+0x8c/0xf4
[28164.767396] [<ffffffc000772350>] device_for_each_child+0x88/0xbc
[28164.773400] [<ffffffc00099acdc>] of_platform_depopulate+0x54/0x7c
[28164.779491] [<ffffffc000825830>] dwc3_rockchip_remove+0x94/0x158
[28164.785496] [<ffffffc00077ad68>] platform_drv_remove+0x48/0x6c
[28164.791329] [<ffffffc000778648>] __device_release_driver+0x10c/0x1a8
[28164.797681] [<ffffffc000778710>] device_release_driver+0x2c/0x40
[28164.803686] [<ffffffc000776958>] unbind_store+0x88/0xc4
[28164.808910] [<ffffffc000775384>] drv_attr_store+0x54/0x64
[28164.814308] [<ffffffc000472388>] sysfs_kf_write+0x9c/0xb0

Also seen:
[   83.487135] ==================================================================
[   83.494371] BUG: KASAN: slab-out-of-bounds in xhci_free_virt_devices_depth_first+0x7c/0x140 at addr ffffffc0ade8ef50
[   83.504879] Read of size 8 by task basename/7026
[   83.509491] =============================================================================
[   83.517657] BUG kmalloc-2048 (Not tainted): kasan: bad access detected
[   83.524174] -----------------------------------------------------------------------------
[   83.524174] 
[   83.533813] Disabling lock debugging due to kernel taint
[   83.539125] INFO: Allocated in load_module+0x2280/0x2b74 age=68099 cpu=2 pid=2540
[   83.546600]  alloc_debug_processing+0x124/0x178
[   83.551128]  ___slab_alloc.constprop.58+0x4f4/0x5f8
[   83.556003]  __slab_alloc.isra.55.constprop.57+0x44/0x54
[   83.561309]  __kmalloc+0x120/0x2b0
[   83.564709]  load_module+0x2280/0x2b74
[   83.568455]  SyS_finit_module+0x9c/0xc4
[   83.572288]  el0_svc_naked+0x24/0x28
[   83.575860] INFO: Slab 0xffffffbdc2b82200 objects=13 used=12 fp=0xffffffc0ade89300 flags=0x4080
[   83.584547] INFO: Object 0xffffffc0ade8e880 @offset=26752 fp=0xffffffc0ade8df00
[   83.584547] 
[   83.593325] Bytes b4 ffffffc0ade8e870: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   83.602794] Object ffffffc0ade8e880: 7c 14 ff 00 c0 ff ff ff 00 00 00 00 00 00 00 00  |...............
[   83.612087] Object ffffffc0ade8e890: 00 00 00 00 00 00 00 00 08 ee e8 ad c0 ff ff ff  ................
[   83.621381] Object ffffffc0ade8e8a0: 00 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00  ................
[   83.630675] Object ffffffc0ade8e8b0: 00 26 0d ae c0 ff ff ff 24 01 00 00 00 00 00 00  .&......$.......
[   83.639972] Object ffffffc0ade8e8c0: 50 09 2e 00 c0 ff ff ff 00 00 00 00 00 00 00 00  P...............
...
[   84.838854] CPU: 5 PID: 7026 Comm: basename Tainted: G    B           4.4.52 #494 
[   84.846328] Hardware name: Google Kevin (DT)
[   84.850594] Call trace:
[   84.853047] [<ffffffc00020a6b4>] dump_backtrace+0x0/0x190 
[   84.858444] [<ffffffc00020a864>] show_stack+0x20/0x28
[   84.863496] [<ffffffc0005d1a94>] dump_stack+0xa4/0xcc
[   84.868548] [<ffffffc0003c9b64>] print_trailer+0x158/0x168
[   84.874029] [<ffffffc0003c9d08>] object_err+0x4c/0x5c
[   84.879079] [<ffffffc0003cfb1c>] kasan_report+0x330/0x4ec 
[   84.884474] [<ffffffc0003ced60>] __asan_load8+0x78/0x80
[   84.889697] [<ffffffc00084c4e4>] xhci_free_virt_devices_depth_first+0x7c/0x140 
[   84.896911] [<ffffffc00084cb34>] xhci_mem_cleanup+0x2ac/0x830
[   84.902652] [<ffffffc000842c38>] xhci_stop+0x1dc/0x224 
[   84.907790] [<ffffffc000803644>] usb_remove_hcd+0x160/0x2a8
[   84.913362] [<ffffffc00085b1d8>] xhci_plat_remove+0xb0/0xf8
[   84.918934] [<ffffffc0007776a0>] platform_drv_remove+0x48/0x6c
[   84.924765] [<ffffffc000774f80>] __device_release_driver+0x10c/0x1a8
[   84.931116] [<ffffffc000775048>] device_release_driver+0x2c/0x40
[   84.937121] [<ffffffc000773c40>] bus_remove_device+0x1d8/0x200
[   84.942951] [<ffffffc00076fd04>] device_del+0x218/0x2d0
[   84.948176] [<ffffffc000777488>] platform_device_del+0x2c/0xd4
[   84.954006] [<ffffffc000777550>] platform_device_unregister+0x20/0x34 
[   84.960443] [<ffffffc000820ed0>] dwc3_host_exit+0xbc/0xd0 
[   84.965840] [<ffffffc00081ce18>] dwc3_remove+0x90/0xe4 
[   84.970977] [<ffffffc0007776a0>] platform_drv_remove+0x48/0x6c
[   84.976806] [<ffffffc000774f80>] __device_release_driver+0x10c/0x1a8
[   84.983157] [<ffffffc000775048>] device_release_driver+0x2c/0x40
[   84.989161] [<ffffffc000773c40>] bus_remove_device+0x1d8/0x200
[   84.994991] [<ffffffc00076fd04>] device_del+0x218/0x2d0
[   85.000214] [<ffffffc000777488>] platform_device_del+0x2c/0xd4
[   85.006043] [<ffffffc000777550>] platform_device_unregister+0x20/0x34 
[   85.012479] [<ffffffc000997438>] of_platform_device_destroy+0x8c/0xf4 
[   85.018914] [<ffffffc00076ec88>] device_for_each_child+0x88/0xbc
[   85.024917] [<ffffffc000997384>] of_platform_depopulate+0x54/0x7c
[   85.031008] [<ffffffc000821f9c>] dwc3_rockchip_remove+0x94/0x158
[   85.037009] [<ffffffc0007776a0>] platform_drv_remove+0x48/0x6c
[   85.042837] [<ffffffc000774f80>] __device_release_driver+0x10c/0x1a8
[   85.049186] [<ffffffc000775048>] device_release_driver+0x2c/0x40
[   85.055186] [<ffffffc000773290>] unbind_store+0x88/0xc4
[   85.060408] [<ffffffc000771cbc>] drv_attr_store+0x54/0x64 
[   85.065803] [<ffffffc000472388>] sysfs_kf_write+0x9c/0xb0 
[   85.071200] [<ffffffc000470ebc>] kernfs_fop_write+0x184/0x1f8
[   85.076944] [<ffffffc0003d987c>] __vfs_write+0x6c/0x17c
[   85.082167] [<ffffffc0003da4ec>] vfs_write+0xf0/0x1c4
[   85.087214] [<ffffffc0003db128>] SyS_write+0x78/0xd8
[   85.092175] [<ffffffc000204634>] el0_svc_naked+0x24/0x28

Attachment: ramoops-crash-kasan (133 KB)
Complete log for 1st crash attached.

Attachment: ramoops-crash-kasan2 (255 KB)
Cc: briannorris@chromium.org diand...@chromium.org

Comment 4 by groeck@chromium.org, Mar 15 2017

Another instance; see attachment.

Attachment: dmesg-kasan (42.5 KB)
Also see https://bugs.96boards.org/show_bug.cgi?id=535 and https://android-review.googlesource.com/#/c/kernel/hikey-linaro/+/528775/.
Turns out the problem is not really use-after-free but a not completely initialized device.

Another instance with crash triggered by BUG().

Attachment: console-ramoops (255 KB)

Comment 7 by bugdroid1@chromium.org (Project Member), Nov 9 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a973ea452fe074a8e85ee49faaf678bfbf6be06e

commit a973ea452fe074a8e85ee49faaf678bfbf6be06e
Author: Yu Chen <chenyu56@huawei.com>
Date: Thu Nov 09 03:48:58 2017

FROMLIST: usb:xhci fix panic in xhci_free_virt_devices_depth_first

Check vdev->real_port 0 to avoid panic
[    9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108
[    9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570
[    9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8
[    9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0
[    9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8
[    9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70
[    9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108
[    9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40
[    9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120
[    9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210
[    9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0
[    9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488
[    9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8
[    9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490
[    9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0
[    9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100
[    9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50

The problem can occur if xhci_plat_remove() is called shortly after
xhci_plat_probe(), so that xhci_free_virt_devices_depth_first() is
called before the device has been set up and real_port has been initialized.
The problem occurred on Hikey960 and was reproduced by Guenter Roeck
on Kevin with chromeos-4.4.

BUG=700041
TEST=Build and run

Change-Id: Ia397872a9bf9b527586bff126f1634411c02603b
Cc: Guenter Roeck <groeck@google.com>
Signed-off-by: Fan Ning <fanning4@hisilicon.com>
Signed-off-by: Li Rui <lirui39@hisilicon.com>
Signed-off-by: yangdi <yangdi10@hisilicon.com>
Signed-off-by: Yu Chen <chenyu56@huawei.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(am from https://patchwork.kernel.org/patch/10045623/)
Reviewed-on: https://chromium-review.googlesource.com/757457
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/a973ea452fe074a8e85ee49faaf678bfbf6be06e/drivers/usb/host/xhci-mem.c

Status: Fixed (was: Assigned)
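The failure mode the commit message describes, as an added model that is not the kernel's code or the patch itself: a slot whose real_port is still 0 is torn down once the way the pre-fix code indexed the root-hub table and once with the real_port check. Struct names, table sizes and the upper-bound check are assumptions of this example.

```c
/* Added model of the teardown bug from the commit message above: a virt
 * device whose real_port is still 0 (slot never set up) is freed, and the
 * unguarded code indexes the root-hub bandwidth table with real_port - 1,
 * i.e. -1. Names, layout and sizes are assumptions, not the kernel's. */
#include <stdbool.h>

#define MAX_PORTS 4
#define MAX_SLOTS 8
#define FREED_OK 0
#define OOB_READ (-1)   /* would read rh_bw[-1], i.e. what KASAN flagged */

struct virt_device {
    int real_port;   /* 1-based root-hub port; 0 until the slot is set up */
    bool freed;
};

struct hcd_model {
    struct virt_device *devs[MAX_SLOTS];
    int rh_bw_tts[MAX_PORTS];   /* stands in for xhci->rh_bw[port].tts */
};

/* Tear down one slot. guarded == false indexes the table as the pre-fix code
 * did; guarded == true skips it for real_port == 0 (plus an upper bound added
 * here) and frees the slot as a leaf, which is what the fix describes. */
static int free_slot(struct hcd_model *hc, int slot_id, bool guarded)
{
    struct virt_device *vdev = hc->devs[slot_id];
    int idx;

    if (!vdev)
        return FREED_OK;
    idx = vdev->real_port - 1;
    if (guarded && (vdev->real_port == 0 || vdev->real_port > MAX_PORTS))
        idx = -1;                        /* no TT list to walk */
    else if (idx < 0 || idx >= MAX_PORTS)
        return OOB_READ;                 /* unguarded read of a bad index */
    if (idx >= 0)
        (void)hc->rh_bw_tts[idx];        /* the real driver walks tts here */
    vdev->freed = true;
    return FREED_OK;
}

/* Scenario from the report: remove() runs before slot setup finished, so
 * real_port is whatever was left in the struct (0 in the bug). */
static int teardown_slot(int real_port, bool guarded)
{
    struct virt_device vdev = { .real_port = real_port, .freed = false };
    struct hcd_model hc = { .devs = { 0, &vdev } };
    return free_slot(&hc, 1, guarded);
}
```

The out-of-bounds index is exactly why KASAN reports the read as slab-out-of-bounds or use-after-free depending on what happens to sit just before the table.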
