Date:   Wed, 9 Aug 2017 01:40:06 -0700
From:   noman pouigt <variksla@...il.com>
To:     bjorn@...k.no, gregkh@...uxfoundation.org,
        linux-kernel@...r.kernel.org, jikos@...nel.org,
        linux-usb@...r.kernel.org, Pavel Machek <pavel@....cz>,
        balbi@...com, eu@...ipetonello.com, k.opasiak@...sung.com
Subject: f_hid.c conversion to the new function interface and crash due to race

Hello,

I am currently using the 3.18 Linux kernel and getting the below
spinlock crash in the f_hid.c driver (https://goo.gl/3mdAr1).

The crash is happening due to a race condition between
hidg_unbind and the f_hidg_poll function. This is still a problem
with the latest kernel, though, as cdev_del(&hidg->cdev) is racing
with the f_hidg_poll function.

[ 2300.676626] BUG: spinlock bad magic on CPU#0, firmware_update/2403
[ 2300.682787] Unable to handle kernel paging request at virtual address 6b6b6f03
[ 2300.689975] pgd = e8dec000
[ 2300.692663] [6b6b6f03] *pgd=00000000
[ 2300.696240] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 2300.701521] Modules linked in:
[ 2300.704583] CPU: 0 PID: 2403 Comm: firmware_update Tainted: G        W      3.18.31 #1
[ 2300.712466] task: e9d94140 ti: e97b6000 task.ti: e97b6000
[ 2300.717869] PC is at spin_bug+0x64/0xb0
[ 2300.721667] LR is at spin_bug+0x58/0xb0
[ 2300.725495] pc : [<c0063f40>]    lr : [<c0063f34>]    psr: 200f0093
[ 2300.725495] sp : e97b7ae0  ip : c130d400  fp : 00000000
[ 2300.736938] r10: 00000008  r9 : 00000000  r8 : 00000100
[ 2300.742151] r7 : e97b7bb4  r6 : c0e5e797  r5 : ea145e64  r4 : 6b6b6b6b
[ 2300.748661] r3 : 6b6b6feb  r2 : 6b6b6b6b  r1 : e97b6000  r0 : 00000036
[ 2300.755181] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
[ 2300.762380] Control: 10c5387d  Table: a8dec06a  DAC: 00000015
[ 2300.768104] Process firmware_update (pid: 2403, stack limit = 0xe97b6238)
[ 2300.774876] Stack: (0xe97b7ae0 to 0xe97b8000)
[ 2300.779245] 7ae0: 00000963 c0e5e797 ea145e64 ea145e64 e97b7bd8 c0064010 800f0013 ea145e64
[ 2300.787400] 7b00: e97b7bd8 e97b7bb4 00000100 00000000 00000008 c0aacc14 00000006 00000000
[ 2300.795558] 7b20: ea145e64 c005d414 00000000 e97b7bd8 00000000 c0136c7c 00000000 00000002
[ 2300.803718] 7b40: 00000002 00000002 e97b7e38 c0137360 c0012000 00000000 00000000 00000000
[ 2300.811876] 7b60: 00000050 00000000 00000000 e97b7e60 e97b7e64 e97b7e68 000000f0 00000000
[ 2300.820038] 7b80: 00000000 e97b7e54 e97b7e58 e97b7e5c 00000000 00000000 00000020 000000f0
[ 2300.828199] 7ba0: ea391880 ea391880 00006472 001b2b28 001adf64 00000000 000000db 00000000
[ 2300.836357] 7bc0: e9d94140 00000000 00000000 00000006 e9de0000 000000db 00000000 e97b7bb4
[ 2300.844520] 7be0: c013695c ea145e74 ea145e74 ea145e64 e9de0000 000000db 00000000 e97b7bb4
[ 2300.852680] 7c00: c013695c ea145ebc ea145ebc ea145eac e9de1340 000000db 00000000 e97b7bb4
[ 2300.860837] 7c20: c013695c ea12a324 e97b7c84 ea12a314 e9de1a40 000000db 00000000 e97b7bb4
[ 2300.868999] 7c40: c013695c ea146134 ea146134 ea146124 e9de1a40 000000db 00000000 e97b7bb4
[ 2300.877159] 7c60: c013695c ea14617c ea14617c ea14616c ea391880 000000db 00000000 e97b7bb4
[ 2300.885318] 7c80: c013695c e97b7c24 ea12a324 ea12a314 00000000 e97b7cd8 e97b7fa8 c000e960
[ 2300.893473] 7ca0: 00000000 c1094a28 e97b8000 00000000 00000000 00000003 00000000 e97b7d00
[ 2300.901640] 7cc0: c0012000 e97b7cf0 e97b6000 ed824100 e97b7d8c c0134020 e97b7d1c c0011ff4
[ 2300.909799] 7ce0: e97b7d20 ffffffff e8d1a180 c0012164 e97b7d20 c000e960 c0e90a13 c0e639c6
[ 2300.917958] 7d00: 00000010 e8d1b1d8 c0134020 e8d1a180 e97b6000 ea2de540 ea4cec48 c0281200
[ 2300.926114] 7d20: ea4cec48 ec36c03c ef5ecc40 c00d9fac ea2de540 00000000 00000000 00000000
[ 2300.934277] 7d40: ea4cec44 c00da300 00000000 ea2de540 000000c9 000000c9 c0e61f37 000001e6
[ 2300.942436] 7d60: 00000000 ea2de540 000000c9 c00dc4f8 e97b7d8c 00000000 e9c0b4a0 e97b7db0
[ 2300.950598] 7d80: 000000c9 00000000 edd6d1c8 000be476 be47659f e8c4e1e4 47279000 ef5ecc40
[ 2300.958754] 7da0: 00000000 c011181c 00000012 c001b0c4 00000103 be47659f ede89f30 ef5ecc40
[ 2300.966915] 7dc0: ede89f40 e8c4e000 e8c4e000 c0aacc68 ede89f40 c0102428 00000000 00000000
[ 2300.975074] 7de0: ef5ecc40 c013a978 e9aee6dc e9aef784 e9aef784 ea367f00 ea4c9618 e97b7fb0
[ 2300.983232] 7e00: e9c0b4a0 47279000 e8c4e000 00000000 e9c1a080 00000004 e97b7e50 00000000
[ 2300.991392] 7e20: 00000000 001b2a6c e97b6038 00000008 00000000 c013759c e97b7e50 e97b7e54
[ 2300.999553] 7e40: e97b7e58 e97b7e5c e97b7e60 e97b7e64 000000f0 00000000 00000000 00000050
[ 2301.007713] 7e60: 00000000 00000000 80000007 e9c1a080 e9c1a0c4 c0aaeec8 00000000 c0134020
[ 2301.015872] 7e80: e8d1a180 e8d1a180 fffffffe c13465a8 00000000 00000000 e97b6000 00000000
[ 2301.024032] 7ea0: 00000000 c0134020 ed85af10 e9aee668 f02ce0fe 0000000b e8d1a196 c011c914
[ 2301.032190] 7ec0: 00000000 ea4c95c8 e988ef38 00000001 00000002 0000008a 00000000 00000000
[ 2301.040351] 7ee0: ea391880 47279380 00000007 c11b6ac4 47279380 e97b7fb0 00000005 001adf64
[ 2301.048513] 7f00: 00000000 c000874c 00000001 001adf64 ffffff9c 001b2c94 e97b7f50 c0134048
[ 2301.056671] 7f20: 00000000 001b2c94 00000001 c012a788 ffffff9c 001b2c94 bebfeab0 001adf64
[ 2301.064830] 7f40: 001b2a68 000000c3 c000eae4 c012ad5c 00000000 00000000 00000000 001b2a6c
[ 2301.072988] 7f60: 00000008 e97b6000 00000000 c013772c 00000000 00000000 00000000 c01606d0
[ 2301.081152] 7f80: ffffbffd ffffffff 00000000 001b2a6c 00000000 0000008e c000eae4 e97b6000
[ 2301.089307] 7fa0: 00000000 c000e960 00000000 001b2a6c 00000008 001b2a6c 00000000 00000000
[ 2301.097466] 7fc0: 00000000 001b2a6c 00000000 0000008e 001b2a78 00000005 001adf64 00000000
[ 2301.105628] 7fe0: 00000000 bebfeb98 000104ec 472793a4 600d0010 00000008 00000000 00000000
[ 2301.113814] [<c0063f40>] (spin_bug) from [<c0064010>] (do_raw_spin_lock+0x20/0x17c)
[ 2301.121448] [<c0064010>] (do_raw_spin_lock) from [<c0aacc14>] (_raw_spin_lock_irqsave+0x20/0x28)
[ 2301.130206] [<c0aacc14>] (_raw_spin_lock_irqsave) from [<c005d414>] (remove_wait_queue+0x10/0x2c)
[ 2301.139060] [<c005d414>] (remove_wait_queue) from [<c0136c7c>] (poll_freewait+0x2c/0x84)
[ 2301.147128] [<c0136c7c>] (poll_freewait) from [<c0137360>] (do_select+0x50c/0x524)
[ 2301.154678] [<c0137360>] (do_select) from [<c013759c>] (core_sys_select+0x224/0x2e0)
[ 2301.162403] [<c013759c>] (core_sys_select) from [<c013772c>] (SyS_select+0xd4/0x104)
[ 2301.170138] [<c013772c>] (SyS_select) from [<c000e960>] (ret_fast_syscall+0x0/0x38)
[ 2301.177761] Code: eb28fab0 e3540000 12843d12 e5952004 (15941398)
[ 2301.183827] ---[ end trace 6b784faa179a13ec ]---
[ 2301.188516] note: firmware_update[2403] exited with preempt_count 1
[ 2301.210857] f_hidg_poll


So, I ported the latest f_hid.c file from upstream to my kernel
along with the dependent changes.

This f_hid driver is instantiated from the gadget driver for Android.

drivers/usb/gadget/android.c
static struct android_usb_function hid_function = {
        .name           = "hid",
        .init           = hid_function_init,
        .cleanup        = hid_function_cleanup,
        .bind_config    = hid_function_bind_config,
        .attributes     = hid_function_attributes,
};

I got the above patch from here: https://goo.gl/Ygkjrw

Can anyone tell me how I can instantiate the hid function
driver to get /dev/hid{0-2} nodes after it got converted
to the new function interface?

Currently ep0 of the ffs driver in Android is instantiating the hid
function driver, but I don't know how that can happen in
the latest upstream code.


Thanks,
varisla
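Editor's note on the oops above, with an added model that is not kernel code and not the poster's or the f_hid driver's code. The register values r2/r4 = 6b6b6b6b and the faulting address 6b6b6f03 match SLUB's free-object poison byte (POISON_FREE, 0x6b), so remove_wait_queue() in poll_freewait() is taking a spinlock whose wait_queue_head lives in memory that hidg_unbind() has already freed; spin_bug() fires because the lock's SPINLOCK_MAGIC has been overwritten. The C below models that interleaving in user space (the "device" is only poisoned rather than really freed, so the later access stays observable) and then a generic refcount mitigation in which every opener pins the object so unbind's put cannot be the last one. The refcount is one standard pattern for this class of lifetime bug, not a claim about how upstream f_hid was fixed; hidg_alloc, hidg_put, hidg_poll_wait, hidg_poll_freewait, run_buggy and run_fixed are invented names.

```c
/* Added model of the unbind-vs-poll lifetime race (not kernel code).
 * All function and struct names here are invented for the example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define LOCK_MAGIC  0xdead4eadU  /* SPINLOCK_MAGIC, the value spin_bug() expects */
#define POISON_FREE 0x6b         /* byte SLUB writes over freed objects         */

struct dbg_lock   { uint32_t magic; };
struct wait_entry { struct wait_entry *next; int active; };
struct wait_head  { struct dbg_lock lock; struct wait_entry *list; };

/* Stand-in for struct f_hidg: the read wait queue head lives inside the
 * object that hidg_unbind() frees. */
struct hidg {
    int refcount;                 /* holders keeping the object alive */
    int freed;                    /* model flag: object went back to the slab */
    struct wait_head read_queue;
};

static int spin_bug_count;        /* how often the lock debug check fired */

/* Model of do_raw_spin_lock()'s debug check: a head without its magic is
 * memory that no longer belongs to us, so refuse instead of corrupting it. */
static int lock_or_bug(struct dbg_lock *l)
{
    if (l->magic != LOCK_MAGIC) {
        spin_bug_count++;
        return -1;
    }
    return 0;
}

static struct hidg *hidg_alloc(void)
{
    struct hidg *h = calloc(1, sizeof(*h));
    h->refcount = 1;              /* the bound function's own reference */
    h->read_queue.lock.magic = LOCK_MAGIC;
    return h;
}

/* Model of kfree(): only poison, so the later access is observable here
 * rather than undefined; the real kernel returns the object to the slab. */
static void hidg_free(struct hidg *h)
{
    memset(h, POISON_FREE, sizeof(*h));
    h->freed = 1;
}

/* Drop one reference; returns 1 if this put freed the object. */
static int hidg_put(struct hidg *h)
{
    if (--h->refcount == 0) {
        hidg_free(h);
        return 1;
    }
    return 0;
}

/* poll_wait(): link the waiter into the queue under the head's lock. */
static int hidg_poll_wait(struct hidg *h, struct wait_entry *e)
{
    if (lock_or_bug(&h->read_queue.lock))
        return -1;
    e->next = h->read_queue.list;
    h->read_queue.list = e;
    e->active = 1;
    return 0;
}

/* poll_freewait() -> remove_wait_queue(): unlink under the same lock. */
static int hidg_poll_freewait(struct hidg *h, struct wait_entry *e)
{
    if (lock_or_bug(&h->read_queue.lock))
        return -1;
    h->read_queue.list = e->next;
    e->active = 0;
    return 0;
}

/* Interleaving from the report: select() has registered its waiter,
 * unbind frees the object without waiting for pollers, then
 * poll_freewait() locks a head whose magic now reads 6b6b6b6b. */
static int run_buggy(void)
{
    struct hidg *h = hidg_alloc();
    struct wait_entry w = {0};
    spin_bug_count = 0;
    hidg_poll_wait(h, &w);
    hidg_put(h);                  /* hidg_unbind(): cdev_del + free, last ref */
    hidg_poll_freewait(h, &w);    /* spin_bug fires here */
    int bugs = spin_bug_count;
    free(h);
    return bugs;                  /* 1 */
}

/* Mitigation modeled here: each opener pins the object, so unbind only
 * drops its own reference and the memory outlives the last remove_wait_queue(). */
static int run_fixed(void)
{
    struct hidg *h = hidg_alloc();
    struct wait_entry w = {0};
    spin_bug_count = 0;
    h->refcount++;                        /* open(): pin the object */
    hidg_poll_wait(h, &w);
    int freed_at_unbind = hidg_put(h);    /* hidg_unbind(): not the last ref */
    hidg_poll_freewait(h, &w);            /* head still carries its magic */
    int freed_at_release = hidg_put(h);   /* release(): last ref, freed now */
    int ok = spin_bug_count == 0 && freed_at_unbind == 0 && freed_at_release == 1;
    free(h);
    return ok;                            /* 1 */
}

int main(void)
{
    printf("buggy interleaving: spin_bug fired %d time(s)\n", run_buggy());
    printf("refcounted interleaving ok: %d\n", run_fixed());
    return 0;
}
```

The model keeps the ordering fixed rather than racing threads, because the point is the lifetime rule, not the timing: whatever unbind does to the cdev, the wait queue head that sleeping pollers will touch on their way out has to stay valid until the last of them has called remove_wait_queue(), which is why the object's lifetime must be tied to its open files and not only to the bound function.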
