Message-ID: <80b8347c53856cc81a37f1d8ea30ad0a@codeaurora.org>
Date:   Tue, 21 Feb 2017 18:59:12 -0800
From:   Sodagudi Prasad <psodagud@...eaurora.org>
To:     Greg KH <gregkh@...uxfoundation.org>, mcgrof@...nel.org,
        ming.lei@...onical.com
Cc:     ming.lei@...onical.com, linux-kernel@...r.kernel.org
Subject: Re: Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head

On 2017-01-03 07:19, Greg KH wrote:
> On Tue, Jan 03, 2017 at 06:44:03AM -0800, Sodagudi Prasad wrote:
>> 
>> Hi All,
>> 
>> The device has crashed due to a memory access after free while the pending_fw_head
>> list was being accessed. The 4.4 stable kernel was used to reproduce this use after free.
>> ------------------------------------------------------------------------------------------
>> [ 9031.178428] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
>> [ 9031.178508] pgd = ffffffc0de9d2000
>> [ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000, *pud=0000000000000000
>> [ 9031.253045] ------------[ cut here ]------------
>> [ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info unavailable]
>> [ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
>> [ 9031.263539] Modules linked in:
>> [ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G        W    L 4.4.16+ #1
>> [ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti: ffffffc0d1a2c000
>> [ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
>> [ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
>> [ 9031.511559] [] fw_pm_notify+0x84/0x19c
>> [ 9031.519355] [] notifier_call_chain+0x58/0x8c
>> [ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
>> [ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
>> [ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
>> [ 9031.543662] [] pm_suspend+0x278/0x674
>> [ 9031.549906] [] state_store+0x58/0x90
>> [ 9031.554942] [] kobj_attr_store+0x18/0x28
>> [ 9031.560154] [] sysfs_kf_write+0x5c/0x68
>> [ 9031.565620] [] kernfs_fop_write+0x114/0x16c
>> [ 9031.571092] [] __vfs_write+0x48/0xf0
>> [ 9031.576816] [] vfs_write+0xb8/0x150
>> [ 9031.581848] [] SyS_write+0x58/0x94
>> [ 9031.586973] [] el0_svc_naked+0x24/0x28
>> -----------------------------------------------------------------------------------------------
>> 
>> A kernel panic is observed during the device suspend/resume path in
>> kill_requests_without_uevent(), called from fw_pm_notify(). When the pending_list of a
>> firmware_buf is accessed, the 0x6b (free) pattern is observed. Based on this, the
>> firmware_buf is freed even though it is still part of the pending_fw_head list.
> 
> What are you doing in userspace to trigger this problem?  What kernel
> driver is this happening with?
Continuous device suspend and resume is happening here. I think echo mem > /sys/power/state
is being issued here.
It is not clear which driver is involved here, because after the firmware_buf is freed all of
its memory gets filled with the 0x6b pattern.

> 
> And 4.4.16 is pretty old, can you try 4.9?
We don't have a system which runs on newer kernels. I am looking for possible
reasons/paths for how a firmware_buf can get freed while it is still on the
pending_fw_head list.

> 
> thanks,
> 
> greg k-h

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project
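To show what the 0x6b pattern in the oops above tells a reader, here is an added user-space model of the suspected failure (not kernel code and not code from anyone in this thread): an entry is freed while still linked on a pending list, and a walk that checks for slab poison refuses to follow it instead of dereferencing 0x6b6b6b6b6b6b6b6b. The names fw_buf, pool, walk_pending and the two scenario functions are hypothetical; the static pool stands in for a poisoned slab so freed memory can be inspected safely.

```c
#include <stdint.h>
#include <string.h>

#define POISON_FREE 0x6b  /* SLUB free-object poison byte: the 0x6b seen in the oops */

struct fw_buf {                   /* hypothetical stand-in for the kernel's firmware_buf */
    struct fw_buf *pending_next;  /* stand-in for its pending_list link */
    int id;
};

/* Fake slab: freed objects stay in memory, poisoned, so a walk can inspect them. */
static struct fw_buf pool[4];
static struct fw_buf *pending_head;   /* stand-in for pending_fw_head */

static void pool_reset(void) { memset(pool, 0, sizeof pool); pending_head = NULL; }
static void buf_free(struct fw_buf *b) { memset(b, POISON_FREE, sizeof *b); } /* kfree + poison */

static struct fw_buf *buf_alloc(int id) {   /* new request: link onto the pending list */
    struct fw_buf *b = &pool[id];
    b->id = id;
    b->pending_next = pending_head;
    return pending_head = b;
}
static void unlink_pending(struct fw_buf *b) {
    struct fw_buf **pp = &pending_head;
    while (*pp && *pp != b) pp = &(*pp)->pending_next;
    if (*pp) *pp = b->pending_next;
}
static int obj_is_poisoned(const struct fw_buf *b) {
    const uint8_t *p = (const uint8_t *)b;
    for (size_t i = 0; i < sizeof *b; i++) if (p[i] != POISON_FREE) return 0;
    return 1;
}

/* Walk the pending list as kill_requests_without_uevent() would, but refuse to follow a poisoned
 * entry. Returns the number of live entries, or -1 when a freed entry is still linked. */
int walk_pending(void) {
    int n = 0;
    for (struct fw_buf *b = pending_head; b; b = b->pending_next) {
        if (obj_is_poisoned(b)) return -1;  /* its next link is 0x6b6b6b6b6b6b6b6b: the oops */
        n++;
    }
    return n;
}

int scenario_buggy(void) {   /* free while still linked: the failure the report describes */
    pool_reset(); buf_alloc(0); struct fw_buf *b = buf_alloc(1); buf_alloc(2);
    buf_free(b);
    return walk_pending();   /* -1 */
}
int scenario_fixed(void) {   /* unlink (under the list lock in the kernel) before freeing */
    pool_reset(); buf_alloc(0); struct fw_buf *b = buf_alloc(1); buf_alloc(2);
    unlink_pending(b); buf_free(b);
    return walk_pending();   /* 2 */
}
```

In a real kernel the poison check is what SLAB_POISON plus KASAN give you; the fix is the unlink-before-free ordering in scenario_fixed, done under the same lock the list walker takes.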
