Upstream: Use after free in xhci_free_virt_device
Issue description
Seen when booting v4.17-rc1 on eve.
[ 69.201252] BUG: KASAN: use-after-free in xhci_free_virt_device+0x33b/0x38e
[ 69.201258] Read of size 4 at addr ffff88037fb24810 by task swapper/3/0
[ 69.201267] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.17.0-rc1-00021-ga27fc14219f2 #4
[ 69.201270] Hardware name: Google Eve/Eve, BIOS Google_Eve.9584.95.0 09/27/2017
[ 69.201273] Call Trace:
[ 69.201278] <IRQ>
[ 69.233361] dump_stack+0x7d/0xbd
[ 69.233370] print_address_description+0x80/0x2d2
[ 69.233378] ? xhci_free_virt_device+0x33b/0x38e
[ 69.233383] kasan_report+0x26a/0x2aa
[ 69.233390] xhci_free_virt_device+0x33b/0x38e
[ 69.233398] handle_cmd_completion+0x5e6/0x1f19
[ 69.233406] ? lock_acquire+0x1f5/0x22b
[ 69.242472] ? match_held_lock+0x1d/0xff
[ 69.242480] xhci_irq+0x20c7/0x2284
[ 69.242489] ? xhci_irq+0x2284/0x2284
[ 69.242494] __handle_irq_event_percpu+0x1da/0x424
[ 69.259622] handle_irq_event_percpu+0x34/0x8f
[ 69.259629] handle_irq_event+0x59/0x89
[ 69.259636] handle_edge_irq+0x13e/0x188
[ 69.259643] handle_irq+0x19f/0x1b0
[ 69.259649] do_IRQ+0x8b/0xfa
[ 69.403781] common_interrupt+0xf/0xf
[ 69.407879] </IRQ>
[ 69.410228] RIP: 0010:cpuidle_enter_state+0x147/0x1c0
[ 69.415876] RSP: 0018:ffff88042a34fe48 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffdc
[ 69.424345] RAX: 1ffff10085468100 RBX: ffff88042bfb3080 RCX: ffffffff9e1932cc
[ 69.432324] RDX: 1ffffffff3f2c751 RSI: 0000000000000007 RDI: 000000101b48b815
[ 69.440296] RBP: ffff88042a34fe80 R08: dffffc0000000000 R09: 0000000000000001
[ 69.448274] R10: fffffbfff3f2ba9c R11: ffffffff9f95d4db R12: 0000000000000004
[ 69.456254] R13: 000000101b48b815 R14: ffff88042bfb3084 R15: 0000000000000000
[ 69.464229] ? trace_hardirqs_on_caller+0x262/0x271
[ 69.469690] ? cpuidle_enter_state+0x143/0x1c0
[ 69.474663] do_idle+0x221/0x290
[ 69.478275] cpu_startup_entry+0x85/0x87
[ 69.482664] start_secondary+0x210/0x239
[ 69.487052] secondary_startup_64+0xa5/0xb0
[ 69.493400] Allocated by task 36:
[ 69.497108] kasan_kmalloc+0x99/0xa8
[ 69.501107] kmem_cache_alloc_trace+0x10d/0x133
[ 69.506177] usb_alloc_dev+0x41/0x551
[ 69.510276] hub_event+0x9d2/0x1626
[ 69.514178] process_one_work+0x423/0x761
[ 69.518664] worker_thread+0x2ec/0x469
[ 69.522860] kthread+0x1d2/0x1e1
[ 69.526471] ret_from_fork+0x3a/0x50
[ 69.532127] Freed by task 36:
[ 69.535446] __kasan_slab_free+0x102/0x126
[ 69.540028] slab_free_freelist_hook+0x84/0xd1
[ 69.544997] kfree+0x1d9/0x26f
[ 69.548414] device_release+0x9b/0xda
[ 69.552511] kobject_put+0x9f/0xb9
[ 69.556316] hub_event+0x7fc/0x1626
[ 69.560216] process_one_work+0x423/0x761
[ 69.564700] worker_thread+0x33d/0x469
[ 69.568893] kthread+0x1d2/0x1e1
[ 69.572507] ret_from_fork+0x3a/0x50
[ 69.578174] The buggy address belongs to the object at ffff88037fb241a8
which belongs to the cache kmalloc-2048 of size 2048
[ 69.592369] The buggy address is located 1640 bytes inside of
2048-byte region [ffff88037fb241a8, ffff88037fb249a8)
[ 69.605686] The buggy address belongs to the page:
[ 69.611046] page:ffffea000dfec800 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[ 69.622041] flags: 0x8000000000008100(slab|head)
[ 69.627206] raw: 8000000000008100 0000000000000000 0000000000000000 00000001000d000d
[ 69.635869] raw: ffffea00107f1a20 ffffea000e577420 ffff88042a00d0c0 0000000000000000
[ 69.644529] page dumped because: kasan: bad access detected
[ 69.652418] Memory state around the buggy address:
[ 69.657776] ffff88037fb24700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.665852] ffff88037fb24780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.673928] >ffff88037fb24800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.682004] ^
[ 69.686202] ffff88037fb24880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.694279] ffff88037fb24900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.702355] ==================================================================
[ 69.710432] Disabling lock debugging due to kernel taint
[ 69.939496] usb 2-2: new SuperSpeed USB device number 3 using xhci_hcd
[ 69.966445] usb 2-2: New USB device found, idVendor=2109, idProduct=0812, bcdDevice=91.05
[ 69.975615] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 69.983617] usb 2-2: Product: USB3.0 Hub
[ 69.989299] usb 2-2: Manufacturer: VIA Labs, Inc.
[ 70.000853] hub 2-2:1.0: USB hub found
[ 70.005448] hub 2-2:1.0: 4 ports detected
[ 70.228055] hub 2-2:1.0: hub_ext_port_status failed (err = -71)
[ 70.935671] usb 2-2: USB disconnect, device number 3
This appears to be related to removing/inserting a USB Type-C dongle. I have also seen reboots in this situation; it is unknown if the problem is the same.
Apr 24 2018
The offending access is:
if (dev->udev && dev->udev->slot_id)
                 ^^^^^^^^^^^^^^^^^^
        dev->udev->slot_id = 0;
Unfortunately I can no longer reproduce the problem.
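A small C model of the ordering problem in this comment, added here as an illustration (it is not kernel code and not the upstream fix): the USB core frees the usb_device while the xhci_virt_device still holds a raw back-pointer to it, and the late command completion dereferences that pointer. The toy slab poisons freed memory with 0xfb the way KASAN marks it, so the bad 4-byte read is detected deterministically; the hardened path, which clears the back-pointer while udev is still alive, is one common fix pattern and is an assumption here.

```c
#include <string.h>
/* Simplified model of the two objects in the report (not kernel code): the USB
 * core owns usb_device and frees it in device_release(); xhci_virt_device keeps
 * a raw back-pointer to it. Freed memory is poisoned with 0xfb, the way KASAN
 * marks it (the "fb fb fb ..." rows in the report). */
#define KASAN_FREE 0xfb
struct usb_device { int slot_id; };
struct xhci_virt_device { struct usb_device *udev; };
static struct usb_device slab_obj;                 /* one-object toy slab */

static struct usb_device *usb_alloc_dev(int slot_id) {
    slab_obj.slot_id = slot_id;
    return &slab_obj;
}

static void device_release(struct usb_device *udev) {
    memset(udev, KASAN_FREE, sizeof(*udev));       /* object is now freed */
}

/* A 4-byte read with a KASAN-style check: sets *bad if it lands in poison. */
static int kasan_read4(const int *p, int *bad) {
    const unsigned char *b = (const unsigned char *)p;
    *bad = 1;
    for (size_t i = 0; i < sizeof(int); i++)
        if (b[i] != KASAN_FREE) *bad = 0;
    return *p;
}

/* Hardened shape (one common fix pattern, assumed here, not a description of
 * the upstream commit): the owner clears slot_id and severs the back-pointer
 * while udev is still alive, so a late command completion never touches it. */
static void xhci_free_dev(struct xhci_virt_device *dev) {
    if (dev->udev) dev->udev->slot_id = 0;         /* udev still valid here */
    dev->udev = NULL;
}

/* Sequence from the report: hub_event drops the last reference (device_release),
 * then the disable-slot command completes in IRQ context and
 * xhci_free_virt_device dereferences dev->udev. Returns 1 if KASAN would fire. */
static int run_scenario(int hardened) {
    struct usb_device *udev = usb_alloc_dev(3);
    struct xhci_virt_device vdev = { udev };
    int bad = 0;
    if (hardened) xhci_free_dev(&vdev);
    device_release(udev);
    if (vdev.udev) {                               /* the offending access */
        int id = kasan_read4(&vdev.udev->slot_id, &bad);
        if (!bad && id) vdev.udev->slot_id = 0;
    }
    return bad;
}
```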
Apr 25 2018
Also reported by others: https://bugs.freedesktop.org/show_bug.cgi?id=106084
Apr 25 2018
Primary culprit: commit a400efe455f ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot").
Apr 27 2018
Confirmed to be an upstream regression. Fix is being tested.
May 11 2018
Fixed upstream with commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device"). Current ChromeOS releases/branches are not affected. Marking as WontFix.
Comment 1 by groeck@chromium.org, Apr 24 2018 (attachment: 95.2 KB)