Issue 700182

Issue metadata

Status: Duplicate
Merged: issue 700088
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

BUG: KASAN: null-ptr-deref in usb_hub_find_child

Project Member Reported by groeck@chromium.org, Mar 9 2017

Issue description

An unbind/bind stress test resulted in the following crash.

[  316.230279] ==================================================================
[  316.237524] BUG: KASAN: null-ptr-deref on address 0000000000000260
[  316.243707] Read of size 8 by task kworker/2:2/2462
[  316.248593] CPU: 2 PID: 2462 Comm: kworker/2:2 Not tainted 4.4.52 #516
[  316.255121] Hardware name: Google Kevin (DT)
[  316.259413] Workqueue: pm pm_runtime_work
[  316.263448] Call trace:
[  316.265920] [<ffffffc00020a6b4>] dump_backtrace+0x0/0x190
[  316.271335] [<ffffffc00020a864>] show_stack+0x20/0x28
[  316.276404] [<ffffffc0005d1a94>] dump_stack+0xa4/0xcc
[  316.281472] [<ffffffc0003cf910>] kasan_report+0x124/0x4ec
[  316.286884] [<ffffffc0003ced60>] __asan_load8+0x78/0x80
[  316.292127] [<ffffffc0007fdc98>] usb_hub_find_child+0x58/0x8c
[  316.297885] [<ffffffc0008090d8>] hcd_bus_resume+0x178/0x214
[  316.303468] [<ffffffc000809298>] hcd_bus_suspend+0x124/0x1a4
[  316.309140] [<ffffffc00081bf4c>] generic_suspend+0x38/0x74
[  316.314639] [<ffffffc00080efbc>] usb_suspend_both+0x184/0x288
[  316.320399] [<ffffffc000810414>] usb_runtime_suspend+0x3c/0x98
[  316.326245] [<ffffffc000785ae0>] __rpm_callback+0x48/0x7c
[  316.331654] [<ffffffc000785bbc>] rpm_callback+0xa8/0xd4
[  316.336891] [<ffffffc00078650c>] rpm_suspend+0x35c/0x684
[  316.342213] [<ffffffc000787b64>] __pm_runtime_suspend+0x60/0xac
[  316.348139] [<ffffffc0008104d0>] usb_runtime_idle+0x30/0x40
[  316.353719] [<ffffffc000785ae0>] __rpm_callback+0x48/0x7c
[  316.359127] [<ffffffc000786af0>] rpm_idle+0x1e8/0x498
[  316.364188] [<ffffffc000787cdc>] pm_runtime_work+0x88/0xcc
[  316.369693] [<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[  316.375457] [<ffffffc00024abcc>] worker_thread+0x480/0x610
[  316.380955] [<ffffffc000251a80>] kthread+0x164/0x178
[  316.385936] [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
[  316.391253] ==================================================================
[  316.398477] Disabling lock debugging due to kernel taint
[  316.404043] Unable to handle kernel NULL pointer dereference at virtual address 00000260
[  316.412208] pgd = ffffffc00165f000
[  316.415735] [00000260] *pgd=000000000174f003, *pud=000000000174f003, *pmd=0000000001750003, *pte=00e8000001751713
[  316.426527] Internal error: Oops: 96000005 [#1] PREEMPT SMP

Also see chromium:700088, which has an overlapping traceback.

Attachment: ramoops-crash3 (255 KB)
(gdb) l *0xffffffc0007fdc98
0xffffffc0007fdc98 is in usb_hub_find_child (/mnt/host/source/src/third_party/kernel/v4.4/drivers/usb/core/hub.c:5720).
5715	{
5716		struct usb_hub *hub = usb_hub_to_struct_hub(hdev);
5717	
5718		if (port1 < 1 || port1 > hdev->maxchild)
5719			return NULL;
5720		return hub->ports[port1 - 1]->child;
5721	}
5722	EXPORT_SYMBOL_GPL(usb_hub_find_child);
5723	
5724	void usb_hub_adjust_deviceremovable(struct usb_device *hdev,
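
Added example, not part of the bug report and not kernel source: it models how the KASAN line "null-ptr-deref on address 0000000000000260, Read of size 8" lines up with the listed expression `hub->ports[port1 - 1]->child`. If `hub` (the value returned by `usb_hub_to_struct_hub`) is NULL, the first memory access is the 8-byte load of the `ports` pointer itself, so the faulting address equals that field's offset from a zero base; reading 0x260 as `offsetof(struct usb_hub, ports)` is an inference from the report, not something the page states. The `hub_model` layout, the field table and the guarded lookup below are constructed for illustration only; the real `struct usb_hub` layout and the actual fix are not on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the child device and per-port records. */
struct dev_model  { int id; };
struct port_model { struct dev_model *child; };

/* Constructed stand-in for struct usb_hub. The padding is sized so that the
 * `ports` pointer lands at offset 0x260, the faulting address in the report.
 * This is an assumption about the layout, not taken from the kernel. */
struct hub_model {
    unsigned char state_before_ports[0x260];
    struct port_model **ports;   /* hub->ports: array of port pointers */
};

/* Field table used to turn a small faulting address into a field name. */
struct field_info { const char *name; size_t offset; size_t size; };

static const struct field_info hub_fields[] = {
    { "hub_model.state_before_ports", offsetof(struct hub_model, state_before_ports), 0x260 },
    { "hub_model.ports",              offsetof(struct hub_model, ports),              sizeof(void *) },
};

/* A dereference through a NULL struct pointer faults at 0 + field offset.
 * Given the address and access size KASAN printed, name the field that was
 * being read. Returns NULL when the address lies outside the struct or the
 * access does not fit inside one field. */
const char *decode_null_deref(uintptr_t addr, size_t access_size)
{
    if (addr >= sizeof(struct hub_model))
        return NULL;
    for (size_t i = 0; i < sizeof hub_fields / sizeof hub_fields[0]; i++) {
        const struct field_info *f = &hub_fields[i];
        if (addr >= f->offset && addr + access_size <= f->offset + f->size)
            return f->name;
    }
    return NULL;
}

/* Address the unguarded expression `hub->ports[port1 - 1]->child` touches
 * first when `hub` is NULL: the load of the `ports` pointer. Computed
 * arithmetically; the invalid access itself is never performed. */
uintptr_t first_access_for_null_hub(void)
{
    return (uintptr_t)0 + offsetof(struct hub_model, ports);
}

/* Hardened lookup: validates the hub pointer and the per-port pointer before
 * indexing, so a caller racing with unbind gets NULL instead of an oops.
 * `maxchild` stands in for hdev->maxchild. */
struct dev_model *find_child_guarded(const struct hub_model *hub, int maxchild, int port1)
{
    if (!hub || !hub->ports)
        return NULL;
    if (port1 < 1 || port1 > maxchild)
        return NULL;
    if (!hub->ports[port1 - 1])
        return NULL;
    return hub->ports[port1 - 1]->child;
}

/* Builds a one-port hub with a child device (constructed data) and returns
 * the child id found through the guarded lookup, or -1 if nothing is found. */
int demo_guarded_lookup(void)
{
    static struct dev_model dev = { .id = 42 };
    static struct port_model p0 = { .child = &dev };
    static struct port_model *ports[1] = { &p0 };
    static struct hub_model hub = { .ports = &ports[0] };
    struct dev_model *child = find_child_guarded(&hub, 1, 1);
    return child ? child->id : -1;
}

int main(void)
{
    /* Constructed input matching the report: read of size 8 at 0x260. */
    const char *field = decode_null_deref(0x260, 8);
    printf("0x260, read of 8 -> %s\n", field ? field : "(outside struct)");
    printf("first access with hub == NULL -> 0x%lx\n",
           (unsigned long)first_access_for_null_hub());
    printf("guarded lookup, NULL hub -> %p\n", (void *)find_child_guarded(NULL, 1, 1));
    printf("guarded lookup, live hub -> child id %d\n", demo_guarded_lookup());
    return 0;
}
```

The decoding step is the part worth keeping in a triage toolbox: any fault address smaller than a page on a kernel with a NULL-pointer-dereference report is usually a field offset, and `offsetof` (or `pahole` against the matching vmlinux) maps it back to the member, which here points at the hub pointer rather than the port array or the child.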

Mergedinto: 700088
Status: Duplicate (was: Assigned)
Side effect of attempt to fix chromium:700088.