Message-Id: <201011250234.10424.s.L-H@gmx.de>
Date:	Thu, 25 Nov 2010 02:34:06 +0100
From:	"Stefan Lippers-Hollmann" <s.L-H@....de>
To:	gregkh@...e.de
Cc:	linux-kernel@...r.kernel.org, isimatu.yasuaki@...fujitsu.com,
	stable@...nel.org
Subject: Re: Patch "block: fix accounting bug on cross partition merges" has been added to the 2.6.36-stable tree

Hi

On Thursday 25 November 2010, gregkh@...e.de wrote: 
> This is a note to let you know that I've just added the patch titled
> 
>     block: fix accounting bug on cross partition merges
> 
> to the 2.6.36-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      block-fix-accounting-bug-on-cross-partition-merges.patch
> and it can be found in the queue-2.6.36 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@...nel.org> know about it.
> 
> 
> From 7681bfeeccff5efa9eb29bf09249a3c400b15327 Mon Sep 17 00:00:00 2001
> From: Yasuaki Ishimatsu <isimatu.yasuaki@...fujitsu.com>
> Date: Tue, 19 Oct 2010 09:05:00 +0200
> Subject: block: fix accounting bug on cross partition merges
[...]

This patch, as part of the current -stable queue-2.6.36, throws the 
attached NULL pointer dereference upon unplugging usb_storage devices. 
My test case is plugging in a USB flash drive, letting it settle a 
few seconds and - without having it mounted or touched in any other 
way - removing it again (X doesn't need to be running). I can reproduce
this reliably with several different flash drives and on different 
ia32 and x86_64 systems running current Debian/unstable userland:

x86_64 (AMD CPU):
[  125.041034] usb 1-4: new high speed USB device using ehci_hcd and address 5
[  125.167103] usb 1-4: New USB device found, idVendor=0930, idProduct=6545
[  125.167111] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  125.167118] usb 1-4: Product: USB Flash Memory
[  125.167123] usb 1-4: SerialNumber: 0DC0D77160A25918
[  125.201275] Initializing USB Mass Storage driver...
[  125.201554] scsi6 : usb-storage 1-4:1.0
[  125.201953] usbcore: registered new interface driver usb-storage
[  125.201958] USB Mass Storage support registered.
[  126.232761] scsi 6:0:0:0: Direct-Access              USB Flash Memory 5.00 PQ: 0 ANSI: 0 CCS
[  126.234239] sd 6:0:0:0: Attached scsi generic sg3 type 0
[  126.428102] sd 6:0:0:0: [sdb] 1956864 512-byte logical blocks: (1.00 GB/955 MiB)
[  126.429105] sd 6:0:0:0: [sdb] Write Protect is off
[  126.429111] sd 6:0:0:0: [sdb] Mode Sense: 23 00 00 00
[  126.429117] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[  126.434082] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[  126.474358]  sdb: sdb1
[  126.477081] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[  126.477203] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  160.223809] usb 1-4: USB disconnect, address 5
[  160.224168] BUG: unable to handle kernel NULL pointer dereference at 0000000000000340
[  160.224322] IP: [<ffffffff811b203a>] disk_replace_part_tbl+0x2a/0x80
[  160.224445] PGD 7a245067 PUD 7a244067 PMD 0 
[  160.224538] Oops: 0000 [#1] PREEMPT SMP 
[  160.224625] last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
[  160.224755] CPU 0 
[  160.224792] Modules linked in: usb_storage cpufreq_stats cpufreq_ondemand cpufreq_powersave cpufreq_conservative cpufreq_performance ppdev lp af_packet fuse nls_utf8 ntfs powernow_k8 freq_table mperf arc4 ecb ath9k ir_lirc_codec lirc_dev tda18218 ir_sony_decoder af9013 ir_jvc_decoder mac80211 ir_rc6_decoder snd_intel8x0 snd_ac97_codec ac97_bus ir_rc5_decoder radeon ath9k_common ath9k_hw dvb_usb_af9015 ath dvb_usb rtc_cmos ttm snd_pcm drm_kms_helper ir_nec_decoder cfg80211 drm rtc_core tpm_tis dvb_core snd_seq pcspkr rtc_lib tpm rfkill k8temp snd_timer ir_core parport_pc psmouse tpm_bios evdev serio_raw led_class parport i2c_algo_bit snd_seq_device button processor snd soundcore snd_page_alloc shpchp edac_core pci_hotplug edac_mce_amd i2c_nforce2 i2c_core ext4 mbcache jbd2 crc16 dm_mod btrfs zlib_deflate crc32c libcrc32c sg sr_mod cdrom sd_mod usbhid ata_generic hid pata_acpi ohci_hcd sata_nv pata_amd ssb libata mmc_core ehci_hcd pcmcia usbcore floppy e1000 firewire_ohci fan firewire_core thermal crc_itu_t scsi_mod pcmcia_core forcedeth nls_base [last unloaded: scsi_wait_scan]
[  160.227178] 
[  160.227178] Pid: 682, comm: khubd Not tainted 2.6.36-1.slh.1-aptosid-amd64 #1 MS-7185/MS-7185
[  160.227178] RIP: 0010:[<ffffffff811b203a>]  [<ffffffff811b203a>] disk_replace_part_tbl+0x2a/0x80
[  160.227178] RSP: 0018:ffff88003774dae0  EFLAGS: 00010286
[  160.227178] RAX: 0000000000000000 RBX: ffff88007cb50ec0 RCX: 0000000000000040
[  160.227178] RDX: 0000000000000051 RSI: 0000000000000000 RDI: ffff88007c9f9400
[  160.227178] RBP: 0000000000000000 R08: ffffffff814d4fd8 R09: ffffffff811c1130
[  160.227178] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  160.227178] R13: ffffffffa0ac26e0 R14: ffffffffa0ac2748 R15: 0000000000000000
[  160.227178] FS:  00007fcf9962f700(0000) GS:ffff880001800000(0000) knlGS:0000000000000000
[  160.227178] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  160.227178] CR2: 0000000000000340 CR3: 000000007a23e000 CR4: 00000000000006f0
[  160.227178] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  160.227178] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  160.227178] Process khubd (pid: 682, threadinfo ffff88003774c000, task ffff88007ca942e0)
[  160.227178] Stack:
[  160.227178]  0000000000000000 ffff88007c9f9400 ffffffff8150cc20 ffffffff811b210b
[  160.227178] <0> 0000000000000000 ffffffff8126b52a ffff88007c9f9470 ffffffff811c04e3
[  160.227178] <0> ffff88007c9f94a8 ffffffff811c04a0 0000000000000286 ffffffff811c1713
[  160.227178] Call Trace:
[  160.227178]  [<ffffffff811b210b>] ? disk_release+0x1b/0x30
[  160.227178]  [<ffffffff8126b52a>] ? device_release+0x1a/0x80
[  160.227178]  [<ffffffff811c04e3>] ? kobject_release+0x43/0xb0
[  160.227178]  [<ffffffff811c04a0>] ? kobject_release+0x0/0xb0
[  160.227178]  [<ffffffff811c1713>] ? kref_put+0x33/0x70
[  160.227178]  [<ffffffffa0314570>] ? sg_device_destroy+0x60/0xa0 [sg]
[  160.227178]  [<ffffffffa0314510>] ? sg_device_destroy+0x0/0xa0 [sg]
[  160.227178]  [<ffffffff811c1713>] ? kref_put+0x33/0x70
[  160.227178]  [<ffffffff8126bf4a>] ? device_del+0xba/0x1c0
[  160.227178]  [<ffffffff8126c059>] ? device_unregister+0x9/0x20
[  160.227178]  [<ffffffffa000cf7d>] ? __scsi_remove_device+0xad/0xc0 [scsi_mod]
[  160.227178]  [<ffffffffa0009a84>] ? scsi_forget_host+0x54/0x80 [scsi_mod]
[  160.227178]  [<ffffffffa0001fc1>] ? scsi_remove_host+0x61/0x100 [scsi_mod]
[  160.227178]  [<ffffffffa0abf240>] ? quiesce_and_remove_host+0x60/0xb0 [usb_storage]
[  160.227178]  [<ffffffffa0abf345>] ? usb_stor_disconnect+0x15/0x20 [usb_storage]
[  160.227178]  [<ffffffffa00bf246>] ? usb_unbind_interface+0x66/0x1b0 [usbcore]
[  160.227178]  [<ffffffff8126e8ff>] ? __device_release_driver+0x6f/0xf0
[  160.227178]  [<ffffffff8126ea55>] ? device_release_driver+0x25/0x40
[  160.227178]  [<ffffffff8126dd8e>] ? bus_remove_device+0x9e/0xe0
[  160.227178]  [<ffffffff8126bfb0>] ? device_del+0x120/0x1c0
[  160.227178]  [<ffffffffa00bbfc8>] ? usb_disable_device+0x68/0x120 [usbcore]
[  160.227178]  [<ffffffffa00b68af>] ? usb_disconnect+0x8f/0x130 [usbcore]
[  160.227178]  [<ffffffffa00b7719>] ? hub_thread+0x479/0x11b0 [usbcore]
[  160.227178]  [<ffffffff810416d0>] ? __dequeue_entity+0x40/0x50
[  160.227178]  [<ffffffff8106b740>] ? autoremove_wake_function+0x0/0x30
[  160.227178]  [<ffffffffa00b72a0>] ? hub_thread+0x0/0x11b0 [usbcore]
[  160.227178]  [<ffffffffa00b72a0>] ? hub_thread+0x0/0x11b0 [usbcore]
[  160.227178]  [<ffffffff8106b276>] ? kthread+0x96/0xa0
[  160.227178]  [<ffffffff8100bce4>] ? kernel_thread_helper+0x4/0x10
[  160.227178]  [<ffffffff8106b1e0>] ? kthread+0x0/0xa0
[  160.227178]  [<ffffffff8100bce0>] ? kernel_thread_helper+0x0/0x10
[  160.227178] Code: 00 48 83 ec 18 48 89 5c 24 08 48 89 6c 24 10 48 8b 5f 38 48 8b af d0 02 00 00 48 85 db 48 89 77 38 74 4e 48 c7 43 18 00 00 00 00 <48> 8b bd 40 03 00 00 e8 3a ae 1d 00 48 89 ef e8 b2 6d ff ff 48 
[  160.227178] RIP  [<ffffffff811b203a>] disk_replace_part_tbl+0x2a/0x80
[  160.227178]  RSP <ffff88003774dae0>
[  160.227178] CR2: 0000000000000340
[  160.615286] ---[ end trace a932a28f5152163d ]---



i386 (Intel CPU):
[   49.420017] usb 1-5: new high speed USB device using ehci_hcd and address 4
[   49.539578] usb 1-5: New USB device found, idVendor=0ea0, idProduct=2168
[   49.539585] usb 1-5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   49.539588] usb 1-5: Product: Mass storage    
[   49.539591] usb 1-5: Manufacturer: USB     
[   49.539594] usb 1-5: SerialNumber: 1D7A160C3FB576C6
[   49.590718] Initializing USB Mass Storage driver...
[   49.590946] scsi2 : usb-storage 1-5:1.0
[   49.591562] usbcore: registered new interface driver usb-storage
[   49.591567] USB Mass Storage support registered.
[   50.598755] scsi 2:0:0:0: Direct-Access     SHARKOON USB2.0 Drive     2.00 PQ: 0 ANSI: 2
[   50.601613] sd 2:0:0:0: Attached scsi generic sg2 type 0
[   51.658219] ready
[   51.658848] sd 2:0:0:0: [sdb] 256000 512-byte logical blocks: (131 MB/125 MiB)
[   51.659603] sd 2:0:0:0: [sdb] Write Protect is off
[   51.659611] sd 2:0:0:0: [sdb] Mode Sense: 03 00 00 00
[   51.659615] sd 2:0:0:0: [sdb] Assuming drive cache: write through
[   51.664973] sd 2:0:0:0: [sdb] Assuming drive cache: write through
[   51.666514]  sdb: sdb1
[   51.669373] sd 2:0:0:0: [sdb] Assuming drive cache: write through
[   51.669468] sd 2:0:0:0: [sdb] Attached SCSI removable disk
[   81.733729] usb 1-5: USB disconnect, address 4
[   81.734045] BUG: unable to handle kernel NULL pointer dereference at 000001c0
[   81.734166] IP: [<c0263ab1>] disk_replace_part_tbl+0x21/0x70
[   81.734256] *pde = 00000000 
[   81.734312] Oops: 0000 [#1] PREEMPT SMP 
[   81.734408] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.7/usb1/1-5/1-5:1.0/host2/target2:0:0/2:0:0:0/block/sdb/size
[   81.734520] Modules linked in: usb_storage af_packet rt73usb crc_itu_t arc4 ecb rt2500usb rt2x00usb rt2x00lib snd_intel8x0 snd_ac97_codec ac97_bus p54usb tpm_tis snd_pcm p54common tpm rtc_cmos i915 drm_kms_helper drm i2c_i801 led_class rtc_core tpm_bios intel_agp rng_core avmfritz parport_pc mISDNipac processor i2c_algo_bit rtc_lib mac80211 i2c_core container button evdev parport psmouse video snd_seq pcspkr output serio_raw mISDN_core snd_timer snd_seq_device usbhid hid snd cfg80211 shpchp soundcore rfkill pci_hotplug snd_page_alloc ext4 mbcache jbd2 crc16 dm_mod sg sr_mod sd_mod cdrom ata_generic pata_acpi ata_piix libata uhci_hcd ehci_hcd usbcore scsi_mod e100 floppy mii thermal nls_base [last unloaded: scsi_wait_scan]
[   81.735009] 
[   81.735009] Pid: 553, comm: khubd Not tainted 2.6.36-1.slh.1-aptosid-686 #1 D1521/SCENIC P300
[   81.735009] EIP: 0060:[<c0263ab1>] EFLAGS: 00010286 CPU: 0
[   81.735009] EIP is at disk_replace_part_tbl+0x21/0x70
[   81.735009] EAX: de70c400 EBX: d7713e00 ECX: d7713dc0 EDX: 00000000
[   81.735009] ESI: 00000000 EDI: 00000000 EBP: e0017d20 ESP: d74a7db0
[   81.735009]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[   81.735009] Process khubd (pid: 553, ti=d74a6000 task=df071920 task.ti=d74a6000)
[   81.735009] Stack:
[   81.735009]  de70c400 c0509988 c0263b68 00000000 c03060b6 d764b740 00000000 e043731c
[   81.735009] <0> 00000000 de70c458 c026f727 de70c474 c026f6f0 de4554b8 c02706ba d764b700
[   81.735009] <0> 00000292 e0433495 c0223778 dd7f3d50 d764b72c e0433450 c02706ba de4555e8
[   81.735009] Call Trace:
[   81.735009]  [<c0263b68>] ? disk_release+0x18/0x30
[   81.735009]  [<c03060b6>] ? device_release+0x16/0x80
[   81.735009]  [<c026f727>] ? kobject_release+0x37/0x90
[   81.735009]  [<c026f6f0>] ? kobject_release+0x0/0x90
[   81.735009]  [<c02706ba>] ? kref_put+0x2a/0x60
[   81.735009]  [<e0433495>] ? sg_device_destroy+0x45/0x70 [sg]
[   81.735009]  [<c0223778>] ? sysfs_hash_and_remove+0x78/0x80
[   81.735009]  [<e0433450>] ? sg_device_destroy+0x0/0x70 [sg]
[   81.735009]  [<c02706ba>] ? kref_put+0x2a/0x60
[   81.735009]  [<c030690d>] ? device_del+0x9d/0x180
[   81.735009]  [<c03069f8>] ? device_unregister+0x8/0x10
[   81.735009]  [<e000992b>] ? __scsi_remove_device+0x8b/0xa0 [scsi_mod]
[   81.735009]  [<e0006aef>] ? scsi_forget_host+0x5f/0x70 [scsi_mod]
[   81.735009]  [<dffffb61>] ? scsi_remove_host+0x51/0xd0 [scsi_mod]
[   81.735009]  [<e07a7f6b>] ? quiesce_and_remove_host+0x5b/0xa0 [usb_storage]
[   81.735009]  [<e07a8050>] ? usb_stor_disconnect+0x10/0x20 [usb_storage]
[   81.735009]  [<e005bbe8>] ? usb_unbind_interface+0x38/0x130 [usbcore]
[   81.735009]  [<c0308d8d>] ? __device_release_driver+0x4d/0xb0
[   81.735009]  [<c0308e9d>] ? device_release_driver+0x1d/0x30
[   81.735009]  [<c030842b>] ? bus_remove_device+0x7b/0xb0
[   81.735009]  [<c030695f>] ? device_del+0xef/0x180
[   81.735009]  [<e0058e8d>] ? usb_disable_device+0x4d/0xf0 [usbcore]
[   81.735009]  [<e0054308>] ? usb_disconnect+0x78/0x100 [usbcore]
[   81.735009]  [<e0054fad>] ? hub_thread+0x3dd/0xfa0 [usbcore]
[   81.735009]  [<c01518f0>] ? autoremove_wake_function+0x0/0x40
[   81.735009]  [<e0054bd0>] ? hub_thread+0x0/0xfa0 [usbcore]
[   81.735009]  [<c0151574>] ? kthread+0x74/0x80
[   81.735009]  [<c0151500>] ? kthread+0x0/0x80
[   81.735009]  [<c0103cb6>] ? kernel_thread_helper+0x6/0x10
[   81.735009] Code: 36 22 01 00 83 c4 0c c3 66 90 83 ec 08 89 1c 24 89 74 24 04 8b 58 30 8b b0 a8 01 00 00 85 db 89 50 30 74 3e c7 43 0c 00 00 00 00 <8b> 86 c0 01 00 00 e8 f4 60 1a 00 89 f0 e8 4d 7a ff ff 8b 86 c0 
[   81.735009] EIP: [<c0263ab1>] disk_replace_part_tbl+0x21/0x70 SS:ESP 0068:d74a7db0
[   81.735009] CR2: 00000000000001c0
[   81.924511] ---[ end trace af3a9b8b1414ddab ]---

Reverting just this patch and keeping the rest of queue-2.6.36 (except
drm-i915-die-i915_probe_agp-die.patch, which doesn't apply) fixes the 
regression for me.

Regards
	Stefan Lippers-Hollmann
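As an added example (not part of the report above and not kernel tooling), here is a small triage parser that pulls the fields a maintainer reads first out of an x86 oops: the fault kind and address, the faulting symbol, the reporting task, the kernel version and the call-trace symbols with their modules. It handles both the x86_64 and the i386 layouts shown in the report; the embedded sample is an excerpt of the x86_64 trace above.

```python
import re

# Excerpt of the x86_64 oops from the report above, used as sample input.
SAMPLE_OOPS = """\
[  160.224168] BUG: unable to handle kernel NULL pointer dereference at 0000000000000340
[  160.224322] IP: [<ffffffff811b203a>] disk_replace_part_tbl+0x2a/0x80
[  160.224538] Oops: 0000 [#1] PREEMPT SMP 
[  160.227178] Pid: 682, comm: khubd Not tainted 2.6.36-1.slh.1-aptosid-amd64 #1 MS-7185/MS-7185
[  160.227178] Call Trace:
[  160.227178]  [<ffffffff811b210b>] ? disk_release+0x1b/0x30
[  160.227178]  [<ffffffff8126b52a>] ? device_release+0x1a/0x80
[  160.227178]  [<ffffffffa0314570>] ? sg_device_destroy+0x60/0xa0 [sg]
[  160.227178]  [<ffffffffa0abf345>] ? usb_stor_disconnect+0x15/0x20 [usb_storage]
[  160.227178] Code: 00 48 83 ec 18 48 89 5c 24 08
[  160.615286] ---[ end trace a932a28f5152163d ]---
"""

STRIP_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # printk timestamp prefix
BUG_RE = re.compile(r"BUG: unable to handle kernel (.+?) at ([0-9a-f]+)$")
IP_RE = re.compile(r"^E?IP: \[<([0-9a-f]+)>\] (\S+)")   # "IP:" on both; "EIP:" repeated on i386
FRAME_RE = re.compile(r"^\[<([0-9a-f]+)>\] \?? ?(\S+)(?: \[(\w+)\])?")
PID_RE = re.compile(r"^Pid: (\d+), comm: (\S+) (Not tainted|Tainted: \S+) (\S+)")

def parse_oops(text):
    """Return the triage facts of one oops as a dict; frames are (symbol, module)."""
    info = {"frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = STRIP_TS.sub("", raw).strip()
        if m := BUG_RE.match(line):
            info["kind"], info["fault_addr"] = m.group(1), int(m.group(2), 16)
        elif m := IP_RE.match(line):
            info["ip"], info["symbol"] = int(m.group(1), 16), m.group(2)
        elif m := PID_RE.match(line):
            info["pid"], info["comm"] = int(m.group(1)), m.group(2)
            info["tainted"], info["kernel"] = m.group(3) != "Not tainted", m.group(4)
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            # "[sg]" style suffix names the module; no suffix means built-in code
            info["frames"].append((m.group(2), m.group(3) or "builtin"))
        elif line.startswith(("Code:", "---[ end trace")):
            in_trace = False
    return info

def null_deref_struct_offset(info):
    """For a NULL dereference the small fault address is the offset of the field
    read through the NULL pointer (0x340 on x86_64, 0x1c0 on i386 in the report)."""
    return info["fault_addr"] if info["fault_addr"] < 0x1000 else None
```

The differing offsets on the two architectures for the same symbol are expected: the struct layout, and hence the field offset, differs between 32- and 64-bit builds.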