Open Source and information security mailing list archives
Message-ID: <47F4C044.1090609@panasas.com>
Date:	Thu, 03 Apr 2008 14:32:20 +0300
From:	Boaz Harrosh <bharrosh@...asas.com>
To:	schwidefsky@...ibm.com
CC:	linux-kernel@...r.kernel.org, k-ueda@...jp.nec.com,
	j-nomura@...jp.nec.com, jens.axboe@...cle.com, zaitcev@...hat.com
Subject: Re: kernel BUG at drivers/block/ub.c:820!

On Thu, Apr 03 2008 at 11:42 +0300, Martin Schwidefsky <schwidefsky@...ibm.com> wrote:
> Greetings,
> I have an 'evil' USB stick that crashes my T43 with yesterday's git.
> All I have to do is to insert the USB stick and watch the kernel die:
> 
> kernel BUG at drivers/block/ub.c:820!
> invalid opcode: 0000 [#1] PREEMPT
> Modules linked in: usb_storage ub ipt_LOG xt_limit ipt_REJECT xt_tcpudp
> xt_state iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack
> iptable_filter ip_tables x_tables deflate zlib_deflate ctr twofish
> twofish_common camellia serpent blowfish des_generic cbc aes_i586
> aes_generic xcbc sha256_generic sha1_generic crypto_null af_key
> nls_iso8859_1 nsl_cp437 vfat fat fuse dm_crypt crypto_blkcipher
> dm_snapshot dm_mirror dm_mod freq_table ide_generic ide_disk irtty_sir
> mousedev sir_dev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm_oss
> snd_mixer_oss snd_pcm snd_timer pcmcia nsc_ircc snd_ipw2200 psmouse
> sdhci irda ieee80211 ieee80211_crypt serio_raw soundcore i2c_i801 rtc
> crc_ccitt parport_pc parport 8250_pnp pcspkr snd_page_alloc i2c_core
> 8250_pci yenta_socket rsrc_nonstatic pcmcia_core mmc_core firmware_class
> video output intel_agp agpgart evdev thinkpad_acpi sg sr_mod sd_mod
> ide_pci_generic ata_piix floppy pata_acpi libata scsi_mod ehci_hcd
> uhci_hcd usbcore tg3 unix ide_cd_mod cdrom
> 
> Pid: 3893, comm: udevd Not tainted (2.6.25-rc8 #4)
> EIP: 0060:[<f8ca6b99>] EFLAGS: 00010002 CPU: 0
> EIP is at ub_end_rq+0x2b/0x33 [ub]
> EAX: 00000001 EBX: f78f296c ECX: 00000024 EDX: 00000001
> ESI: 00000000 EDI: f7bb5ad4 EBP: f79fde0c ESP: f79fde04
>  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> Process udevd (pid: 3893, ti=f79fc000 task=f64e01b0 task.ti=f79fc000)
> Stack: f7bb5ad4 00000000 f79fde34 f8ca6fa1 f7b6f400 f7bb5a00 f7bb5a34 f78f296c
>        00000086 f7b6f400 f7b6f400 f7bb5ad4 f79fde48 f8ca73b6 f7b6f400 c03ec2ec
>        0000000a f79fde6c f8ca7c06 f7b6f5c0 f7b6f550 00000286 f7bb5ad4 00000000
> Call Trace:
>  [<f8ca6fa1>] ? ub_rw_cmd_done+0x1c2/0x1d8 [ub]
>  [<f8ca73b6>] ? ub_scsi_urb_compl+0x31c/0x35b [ub]
>  [<f8ca7c06>] ? ub_scsi_action+0x18f/0x1c4 [ub]
>  [<c011e0bf>] ? tasklet_action+0x35/0x56
>  [<c011e01e>] ? __do_softirq+0x38/0x7a
>  [<c011e085>] ? do_softirq+0x25/0x2a
>  [<c011e1db>] ? irq_exit+0x28/0x61
>  [<c010630f>] ? do_IRQ+0x58/0x6d
>  [<c01052c3>] ? common_interrupt+0x23/0x28
>  [<c024cf52>] ? skb_dequeue+0x3d/0x50
>  [<c024d2a0>] ? skb_queue_purge+0x14/0x1b
>  [<f8843544>] ? unix_sock_destructor+0xe/0xb4 [unix]
>  [<f8841e65>] ? unix_release+0x1a/0x20 [unix]
>  [<c0248ee6>] ? sock_release+0x14/0x6f
>  [<c02492fe>] ? sock_close+0x29/0x30
>  [<c015afa5>] ? __fput+0x93/0x14a
>  [<c015b1e4>] ? fput+0x16/0x18
>  [<c0158aad>] ? filp_close+0x50/0x5a
>  [<c0159d1e>] ? sys_close+0x6f/0xb9
>  [<c01048b2>] ? sysenter_past_esp+0x5f/0x85
>  [<c02a0000>] ? __xfrm_state_bump_genids+0x22/0xfd
>  =======================
> Code: 55 89 e5 56 31 f6 85 d2 53 89 c3 74 08 89 50 7c be fb ff ff ff 89 d8 e8 75
>  b5 51 c7 89 f2 89 c1 89 d8 e8 30 c0 51 c7 85 c0 74 04 <0f> 0b eb fe 5b 5e 5d c3
>  55 89 e5 57 56 53 83 ec 14 89 45 e8 8b
> EIP: [<f8ca6b99>] ub_end_rq+0x2b/0x33 [ub] SS:ESP 0068:f79fde04
> Kernel panic - not syncing: Fatal exception in interrupt
> 
> Looking at the code I find:
> 
> static void ub_end_rq(struct request *rq, unsigned int scsi_status)
> {
> 	int error;
> 
> 	if (scsi_status == 0) {
> 		error = 0;
> 	} else {
> 		error = -EIO;
> 		rq->errors = scsi_status;
> 	}
> 	if (__blk_end_request(rq, error, blk_rq_bytes(rq)))
> 		BUG();  /* <-- kernel crashes here. */
> }
> 
> With git bisect I could come up with:
> 610d8b0c972e3b75493efef8e96175518fd736d3 good
> 3bcddeac1c4c7e6fb90531b80f236b1a05dfe514 compile error
> 5450d3e1d68f10be087f0855d8bad5458b50ecbe compile error
> b8286239ddaf2632cec65c01e68a403ac4c3d079 compile error
> 7d699bafe258ebd8f9b4ec182c554200b369a504 bad
> 
> If I replace the BUG() with a printk my kernel survives the usb plug but
> udev doesn't find the stick.
> 

It is not the right fix, but what happens if you change the above code to this:

static void ub_end_rq(struct request *rq, unsigned int scsi_status)
{
	int error;

	if (scsi_status == 0) {
		error = 0;
	} else {
		error = -EIO;
		rq->errors = scsi_status;
	}
	if (__blk_end_request(rq, error, blk_rq_bytes(rq)))
		__blk_end_request(rq, error, ~0);  /* <-- added line, BUG() removed. */
}

Boaz
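As an added illustration that is not part of the thread or of drivers/block/ub.c: a small user-space C model of the completion contract both versions of ub_end_rq() rely on. __blk_end_request(rq, error, nr_bytes) returns non-zero when the request still has bytes outstanding after completing nr_bytes; the original code treats that as impossible and calls BUG(), while the suggested variant calls it again with ~0 to complete whatever is left. The struct layout, the helper names and the mismatch scenario used below (a request whose blk_rq_bytes() value is smaller than what the block layer is accounting) are assumptions made for the example; the thread does not state the root cause of the non-zero return.

```c
/*
 * Added example (not code from the thread or from drivers/block/ub.c):
 * a user-space model of the __blk_end_request() completion contract.
 * Struct layout, helper names and the mismatch scenario are assumptions.
 */
#include <errno.h>
#include <stdio.h>

struct model_request {
	unsigned int hard_bytes;   /* bytes the block layer accounts for this request */
	unsigned int data_len;     /* what the modelled blk_rq_bytes() reports */
	unsigned int completed;    /* bytes completed so far */
	int errors;
	int finished;              /* set once the whole request is completed */
};

/* Model of blk_rq_bytes(): the transfer size as the driver sees it. */
static unsigned int model_blk_rq_bytes(const struct model_request *rq)
{
	return rq->data_len;
}

/*
 * Model of __blk_end_request(rq, error, nr_bytes): complete nr_bytes and
 * return 0 when nothing remains, non-zero while the request is still pending.
 * Passing ~0 asks for "everything that is left".
 */
static int model_blk_end_request(struct model_request *rq, int error,
				 unsigned int nr_bytes)
{
	unsigned int left = rq->hard_bytes - rq->completed;

	(void)error;               /* error only changes what the request reports */
	if (nr_bytes > left)
		nr_bytes = left;
	rq->completed += nr_bytes;
	if (rq->completed < rq->hard_bytes)
		return 1;          /* partial completion: request still pending */
	rq->finished = 1;
	return 0;
}

/* Original ub_end_rq() logic; returns 1 where the kernel would call BUG(). */
static int ub_end_rq_original(struct model_request *rq, unsigned int scsi_status)
{
	int error = 0;

	if (scsi_status != 0) {
		error = -EIO;
		rq->errors = scsi_status;
	}
	return model_blk_end_request(rq, error, model_blk_rq_bytes(rq)) != 0;
}

/* Suggested variant: complete the remainder instead of BUG(); returns 1 if finished. */
static int ub_end_rq_drain(struct model_request *rq, unsigned int scsi_status)
{
	int error = 0;

	if (scsi_status != 0) {
		error = -EIO;
		rq->errors = scsi_status;
	}
	if (model_blk_end_request(rq, error, model_blk_rq_bytes(rq)))
		model_blk_end_request(rq, error, ~0u);
	return rq->finished;
}

/* Helpers that run each variant on a fresh request (constructed scenarios). */
static int original_would_bug(unsigned int hard_bytes, unsigned int data_len)
{
	struct model_request rq = { .hard_bytes = hard_bytes, .data_len = data_len };
	return ub_end_rq_original(&rq, 0);
}

static unsigned int drain_completed_bytes(unsigned int hard_bytes, unsigned int data_len)
{
	struct model_request rq = { .hard_bytes = hard_bytes, .data_len = data_len };
	ub_end_rq_drain(&rq, 0);
	return rq.completed;
}

int main(void)
{
	/* Consistent sizes: both variants complete the request in one call. */
	printf("4096/4096 original BUG? %d\n", original_would_bug(4096, 4096));
	/* Constructed mismatch: driver reports 512 bytes, block layer expects 4096. */
	printf("4096/512  original BUG? %d\n", original_would_bug(4096, 512));
	printf("4096/512  drain completed %u bytes\n", drain_completed_bytes(4096, 512));
	return 0;
}
```

The model makes the trade-off visible: the BUG() variant turns any accounting mismatch into a fatal exception in interrupt context (the panic in the report above), whereas the drain variant keeps the kernel alive but silently completes bytes the driver never transferred, which is why Boaz calls it "not the right fix".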
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
