Message-ID: <20171217124515.bjmbtwdr3rjz2kk4@wfg-t540p.sh.intel.com>
Date:   Sun, 17 Dec 2017 20:45:15 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     linux-usb@...r.kernel.org
Cc:     Felipe Balbi <balbi@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Krzysztof Opasiak <k.opasiak@...sung.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        Alan Stern <stern@...land.harvard.edu>,
        Felix Hädicke <felixhaedicke@....de>,
        Stefan Agner <stefan@...er.ch>, linux-kernel@...r.kernel.org,
        lkp@...org
Subject: [usb_add_gadget_udc_release] BUG: KASAN: double-free or invalid-free in (null)

Hello,

FYI this happens in mainline kernel 4.15.0-rc3.
It looks like a new regression.

It occurs in 23 out of 36 boots.

[   38.592360] LUN: removable file: (no medium)
[   38.593442] no file given for LUN0
[   38.594589] g_mass_storage usbip-vudc.0: failed to start g_mass_storage: -22
[   38.600881] udc usbip-vudc.0: releasing 'usbip-vudc.0'
[   38.604397] ==================================================================
[   38.605034] BUG: KASAN: double-free or invalid-free in           (null)
[   38.605034]
[   38.605034] CPU: 0 PID: 1 Comm: swapper Not tainted 4.15.0-rc3 #468
[   38.605034] Call Trace:
[   38.605034]  dump_stack+0x2f/0x3e:
						__dump_stack at lib/dump_stack.c:17
						 (inlined by) dump_stack at lib/dump_stack.c:63
[   38.605034]  print_address_description+0xc2/0x3b7:
						print_address_description at mm/kasan/report.c:253
[   38.605034]  kasan_report_double_free+0x50/0x8c:
						kasan_report_double_free at mm/kasan/report.c:334
[   38.605034]  kasan_slab_free+0x60/0x1ef:
						kasan_slab_free at mm/kasan/kasan.c:514
[   38.605034]  ? ftrace_likely_update+0x5c/0xc4:
						ftrace_likely_update at kernel/trace/trace_branch.c:223
[   38.605034]  ? kobj_kset_leave+0x193/0x1dc:
						kobj_kset_leave at lib/kobject.c:184
[   38.605034]  ? lock_acquired+0x8d2/0x8d2:
						lock_release at kernel/locking/lockdep.c:4013
[   38.605034]  ? ftrace_likely_update+0x5c/0xc4:
						ftrace_likely_update at kernel/trace/trace_branch.c:223
[   38.605034]  ? trace_preempt_on+0x489/0x4d7:
						trace_preempt_enable_rcuidle at include/trace/events/preemptirq.h:50
						 (inlined by) trace_preempt_on at kernel/trace/trace_irqsoff.c:855
[   38.605034]  ? static_obj+0x40/0x40:
						match_held_lock at kernel/locking/lockdep.c:3567
[   38.605034]  ? kobject_put+0xf5/0x642:
						refcount_dec_and_test at arch/x86/include/asm/refcount.h:75
						 (inlined by) kref_put at include/linux/kref.h:69
						 (inlined by) kobject_put at lib/kobject.c:694
[   38.605034]  ? trace_hardirqs_off+0x17/0x1f:
						trace_hardirqs_off at kernel/locking/lockdep.c:2984
[   38.605034]  ? kfree+0x419/0x5e7:
						slab_free_hook at mm/slub.c:1380
						 (inlined by) slab_free_freelist_hook at mm/slub.c:1412
						 (inlined by) slab_free at mm/slub.c:2968
						 (inlined by) kfree at mm/slub.c:3899
[   38.605034]  kfree+0x43c/0x5e7:
						slab_free at mm/slub.c:2973
						 (inlined by) kfree at mm/slub.c:3899
[   38.605034]  usb_add_gadget_udc_release+0x693/0x6ca:
						usb_add_gadget_udc_release at drivers/usb/gadget/udc/core.c:1199
[   38.605034]  usb_add_gadget_udc+0x29/0x35:
						usb_add_gadget_udc at drivers/usb/gadget/udc/core.c:1247
[   38.605034]  vudc_probe+0x7e8/0x8fb:
						vudc_probe at drivers/usb/usbip/vudc_dev.c:616
[   38.605034]  ? put_vudc_device+0x4f/0x4f:
						vudc_probe at drivers/usb/usbip/vudc_dev.c:598
[   38.605034]  platform_drv_probe+0xa8/0x15e:
						platform_drv_probe at drivers/base/platform.c:578
[   38.605034]  ? platform_drv_remove+0xac/0xac:
						platform_drv_probe at drivers/base/platform.c:566
[   38.605034]  really_probe+0x5b7/0xc52:
						really_probe at drivers/base/dd.c:428
[   38.605034]  ? driver_allows_async_probing+0x72/0x72:
						__device_attach_driver at drivers/base/dd.c:627
[   38.605034]  driver_probe_device+0x20b/0x295:
						pm_request_idle at include/linux/pm_runtime.h:205
						 (inlined by) driver_probe_device at drivers/base/dd.c:567
[   38.605034]  __device_attach_driver+0x2e8/0x301:
						__device_attach_driver at drivers/base/dd.c:662
[   38.605034]  bus_for_each_drv+0x125/0x1f0:
						bus_for_each_drv at drivers/base/bus.c:463
[   38.605034]  ? subsys_find_device_by_id+0x306/0x306:
						bus_for_each_drv at drivers/base/bus.c:452
[   38.605034]  ? _raw_spin_unlock_irqrestore+0xd9/0xfa:
						__raw_spin_unlock_irqrestore at include/linux/spinlock_api_smp.h:161
						 (inlined by) _raw_spin_unlock_irqrestore at kernel/locking/spinlock.c:191
[   38.605034]  __device_attach+0x1cc/0x339:
						__device_attach at drivers/base/dd.c:719
[   38.605034]  ? device_bind_driver+0xdb/0xdb:
						__device_attach at drivers/base/dd.c:693
[   38.605034]  device_initial_probe+0x1f/0x28:
						device_initial_probe at drivers/base/dd.c:766
[   38.605034]  bus_probe_device+0xd0/0x260:
						bus_probe_device at drivers/base/bus.c:523
[   38.605034]  device_add+0xd68/0x1264:
						device_add at drivers/base/core.c:1835
[   38.605034]  ? put_device+0x37/0x37:
						device_add at drivers/base/core.c:1738
[   38.605034]  ? lockdep_init_map+0x5e/0x6b:
						lockdep_init_map at kernel/locking/lockdep.c:3296
[   38.605034]  ? __raw_spin_lock_init+0x37/0xf5:
						__raw_spin_lock_init at kernel/locking/spinlock_debug.c:26
[   38.605034]  platform_device_add+0x5a9/0x72e:
						platform_device_add at drivers/base/platform.c:418
[   38.605034]  ? arch_setup_pdev_archdata+0x5/0xd
[   38.605034]  init+0xfa/0x412:
						init at drivers/usb/usbip/vudc_main.c:56
[   38.605034]  ? usbip_host_init+0x1b2/0x1b2:
						init at drivers/usb/usbip/vudc_main.c:31
[   38.605034]  do_one_initcall+0x143/0x2d3:
						do_one_initcall at init/main.c:826
[   38.605034]  ? start_kernel+0xa20/0xa20:
						do_one_initcall at init/main.c:815
[   38.605034]  kernel_init_freeable+0x31f/0x469:
						do_initcall_level at init/main.c:892
						 (inlined by) do_initcalls at init/main.c:900
						 (inlined by) do_basic_setup at init/main.c:918
						 (inlined by) kernel_init_freeable at init/main.c:1066
[   38.605034]  ? rest_init+0x3d0/0x3d0:
						kernel_init at init/main.c:990
[   38.605034]  kernel_init+0x13/0x1fe:
						kernel_init at init/main.c:993
[   38.605034]  ? rest_init+0x3d0/0x3d0:
						kernel_init at init/main.c:990
[   38.605034]  ret_from_fork+0x24/0x30:
						ret_from_fork at arch/x86/entry/entry_64.S:447
[   38.605034]
[   38.605034] Allocated by task 1:
[   38.605034]  kasan_kmalloc+0xec/0x1bb:
						filter_irq_stacks at mm/kasan/kasan.c:427
						 (inlined by) save_stack at mm/kasan/kasan.c:448
						 (inlined by) set_track at mm/kasan/kasan.c:459
						 (inlined by) kasan_kmalloc at mm/kasan/kasan.c:551
[   38.605034]  kmem_cache_alloc_trace+0x474/0x48d:
						kmem_cache_alloc_trace at mm/slub.c:2752
[   38.605034]  usb_add_gadget_udc_release+0x1de/0x6ca:
						kmalloc at include/linux/slab.h:499
						 (inlined by) kzalloc at include/linux/slab.h:688
						 (inlined by) usb_add_gadget_udc_release at drivers/usb/gadget/udc/core.c:1148
[   38.605034]  usb_add_gadget_udc+0x29/0x35:
						usb_add_gadget_udc at drivers/usb/gadget/udc/core.c:1247
[   38.605034]  vudc_probe+0x7e8/0x8fb:
						vudc_probe at drivers/usb/usbip/vudc_dev.c:616
[   38.605034]  platform_drv_probe+0xa8/0x15e:
						platform_drv_probe at drivers/base/platform.c:578
[   38.605034]  really_probe+0x5b7/0xc52:
						really_probe at drivers/base/dd.c:428
[   38.605034]  driver_probe_device+0x20b/0x295:
						pm_request_idle at include/linux/pm_runtime.h:205
						 (inlined by) driver_probe_device at drivers/base/dd.c:567
[   38.605034]  __device_attach_driver+0x2e8/0x301:
						__device_attach_driver at drivers/base/dd.c:662
[   38.605034]  bus_for_each_drv+0x125/0x1f0:
						bus_for_each_drv at drivers/base/bus.c:463
[   38.605034]  __device_attach+0x1cc/0x339:
						__device_attach at drivers/base/dd.c:719
[   38.605034]  device_initial_probe+0x1f/0x28:
						device_initial_probe at drivers/base/dd.c:766
[   38.605034]  bus_probe_device+0xd0/0x260:
						bus_probe_device at drivers/base/bus.c:523
[   38.605034]  device_add+0xd68/0x1264:
						device_add at drivers/base/core.c:1835
[   38.605034]  platform_device_add+0x5a9/0x72e:
						platform_device_add at drivers/base/platform.c:418
[   38.605034]  init+0xfa/0x412:
						init at drivers/usb/usbip/vudc_main.c:56
[   38.605034]  do_one_initcall+0x143/0x2d3:
						do_one_initcall at init/main.c:826
[   38.605034]  kernel_init_freeable+0x31f/0x469:
						do_initcall_level at init/main.c:892
						 (inlined by) do_initcalls at init/main.c:900
						 (inlined by) do_basic_setup at init/main.c:918
						 (inlined by) kernel_init_freeable at init/main.c:1066
[   38.605034]  kernel_init+0x13/0x1fe:
						kernel_init at init/main.c:993
[   38.605034]  ret_from_fork+0x24/0x30:
						ret_from_fork at arch/x86/entry/entry_64.S:447
[   38.605034]
[   38.605034] Freed by task 1:
[   38.605034]  kasan_slab_free+0xf0/0x1ef:
						filter_irq_stacks at mm/kasan/kasan.c:427
						 (inlined by) save_stack at mm/kasan/kasan.c:448
						 (inlined by) set_track at mm/kasan/kasan.c:459
						 (inlined by) kasan_slab_free at mm/kasan/kasan.c:524
[   38.605034]  kfree+0x43c/0x5e7:
						slab_free at mm/slub.c:2973
						 (inlined by) kfree at mm/slub.c:3899
[   38.605034]  usb_udc_release+0xe3/0xef:
						usb_udc_release at drivers/usb/gadget/udc/core.c:1093
[   38.605034]  device_release+0x86/0x27e:
						device_release at drivers/base/core.c:810
[   38.605034]  kobject_put+0x58d/0x642:
						kobject_cleanup at lib/kobject.c:648
						 (inlined by) kobject_release at lib/kobject.c:677
						 (inlined by) kref_put at include/linux/kref.h:70
						 (inlined by) kobject_put at lib/kobject.c:694
[   38.605034]  put_device+0x2a/0x37:
						put_device at drivers/base/core.c:1931
[   38.605034]  usb_add_gadget_udc_release+0x670/0x6ca:
						usb_add_gadget_udc_release at drivers/usb/gadget/udc/core.c:1196
[   38.605034]  usb_add_gadget_udc+0x29/0x35:
						usb_add_gadget_udc at drivers/usb/gadget/udc/core.c:1247
[   38.605034]  vudc_probe+0x7e8/0x8fb:
						vudc_probe at drivers/usb/usbip/vudc_dev.c:616
[   38.605034]  platform_drv_probe+0xa8/0x15e:
						platform_drv_probe at drivers/base/platform.c:578
[   38.605034]  really_probe+0x5b7/0xc52:
						really_probe at drivers/base/dd.c:428
[   38.605034]  driver_probe_device+0x20b/0x295:
						pm_request_idle at include/linux/pm_runtime.h:205
						 (inlined by) driver_probe_device at drivers/base/dd.c:567
[   38.605034]  __device_attach_driver+0x2e8/0x301:
						__device_attach_driver at drivers/base/dd.c:662
[   38.605034]  bus_for_each_drv+0x125/0x1f0:
						bus_for_each_drv at drivers/base/bus.c:463
[   38.605034]  __device_attach+0x1cc/0x339:
						__device_attach at drivers/base/dd.c:719
[   38.605034]  device_initial_probe+0x1f/0x28:
						device_initial_probe at drivers/base/dd.c:766
[   38.605034]  bus_probe_device+0xd0/0x260:
						bus_probe_device at drivers/base/bus.c:523
[   38.605034]  device_add+0xd68/0x1264:
						device_add at drivers/base/core.c:1835
[   38.605034]  platform_device_add+0x5a9/0x72e:
						platform_device_add at drivers/base/platform.c:418
[   38.605034]  init+0xfa/0x412:
						init at drivers/usb/usbip/vudc_main.c:56
[   38.605034]  do_one_initcall+0x143/0x2d3:
						do_one_initcall at init/main.c:826
[   38.605034]  kernel_init_freeable+0x31f/0x469:
						do_initcall_level at init/main.c:892
						 (inlined by) do_initcalls at init/main.c:900
						 (inlined by) do_basic_setup at init/main.c:918
						 (inlined by) kernel_init_freeable at init/main.c:1066
[   38.605034]  kernel_init+0x13/0x1fe:
						kernel_init at init/main.c:993
[   38.605034]  ret_from_fork+0x24/0x30:
						ret_from_fork at arch/x86/entry/entry_64.S:447
[   38.605034]
[   38.605034] The buggy address belongs to the object at ffff880014627700
[   38.605034]  which belongs to the cache kmalloc-2048 of size 2048
[   38.605034] The buggy address is located 0 bytes inside of
[   38.605034]  2048-byte region [ffff880014627700, ffff880014627f00)

Attached the full dmesg, kconfig and reproduce scripts.

Thanks,
Fengguang

View attachment "dmesg-yocto-ivb41-57:20171217041111:x86_64-randconfig-s0-12170213:4.15.0-rc3:468" of type "text/plain" (64106 bytes)

View attachment ".config" of type "text/plain" (123194 bytes)

View attachment "reproduce-yocto-ivb41-57:20171217041111:x86_64-randconfig-s0-12170213:4.15.0-rc3:468" of type "text/plain" (903 bytes)
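The two stacks above already pin the bug down: the udc object allocated by kzalloc() in usb_add_gadget_udc_release() (core.c:1148) is freed a first time by usb_udc_release() when the error path calls put_device() at core.c:1196, and the kfree() reached from core.c:1199 then frees the same 2048-byte object again, which is the double free KASAN flags. Once a driver structure that embeds a struct device has been given a release function, that callback owns the memory, and put_device() is the only correct way to free it on any path; a plain kfree() after it is a second free. The C program below is an added example that shows the rule in isolation. It is not kernel code, not part of this report, and not the fix that went into the tree: put_dev, udc_release, add_udc_buggy, add_udc_fixed, the FAIL_* values and the tracking allocator are stand-ins assumed for the example, and the -22 return only mimics the error code in the log.

```c
/* Added example, not kernel code: a userspace model of the ownership rule the
 * trace above violates. put_dev, udc_release and add_udc_buggy/fixed stand in
 * for put_device(), usb_udc_release() and usb_add_gadget_udc_release(); the
 * tracking allocator replaces kmalloc/kfree so a double free is counted, not fatal. */
#include <stddef.h>
#include <stdlib.h>

struct obj { void *ptr; int freed; };
static struct obj objs[16];
static int nobjs, double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p && nobjs < 16)
        objs[nobjs++] = (struct obj){ p, 0 };
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < nobjs; i++) {
        if (objs[i].ptr != p)
            continue;
        if (objs[i].freed++)      /* already freed: what KASAN reported above */
            double_frees++;
        else
            free(p);
        return;
    }
}

static int leaked_objects(void)
{
    int n = 0;
    for (int i = 0; i < nobjs; i++)
        n += !objs[i].freed;
    return n;
}

/* Minimal stand-ins for struct device and the driver struct that embeds it. */
struct dev { int refcount; void (*release)(struct dev *); };
struct udc { struct dev dev; int id; };   /* dev.release() frees the container */

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

static void put_dev(struct dev *d)
{
    if (--d->refcount == 0 && d->release)
        d->release(d);
}

static void udc_release(struct dev *d)
{
    tracked_free(container_of(d, struct udc, dev));
}

enum { FAIL_NONE, FAIL_BEFORE_INIT, FAIL_AFTER_INIT };
/* Error path shaped like the trace: put_dev() runs udc_release() and frees the
 * container, then control falls through to a second free of the same object. */
static int add_udc_buggy(int fail)
{
    struct udc *udc = tracked_alloc(sizeof *udc);
    if (!udc) return -12;
    if (fail == FAIL_BEFORE_INIT)
        goto err_free;
    udc->dev = (struct dev){ 1, udc_release };   /* device_initialize() */
    if (fail == FAIL_AFTER_INIT)
        goto err_put;
    put_dev(&udc->dev);           /* normal teardown */
    return 0;
err_put:
    put_dev(&udc->dev);           /* first free, via udc_release() */
err_free:
    tracked_free(udc);            /* second free when reached from err_put */
    return -22;
}

/* Fixed: once dev.release is set it owns the memory, so a path either frees
 * directly (before init) or drops its reference (after), never both. */
static int add_udc_fixed(int fail)
{
    struct udc *udc = tracked_alloc(sizeof *udc);
    if (!udc) return -12;
    if (fail == FAIL_BEFORE_INIT) {
        tracked_free(udc);        /* no release callback yet: plain free */
        return -22;
    }
    udc->dev = (struct dev){ 1, udc_release };   /* device_initialize() */
    put_dev(&udc->dev);           /* the only free on both remaining paths */
    return fail == FAIL_AFTER_INIT ? -22 : 0;
}

/* Runs one variant at one failure point and returns the double frees seen. */
static int run_case(int (*add)(int), int fail)
{
    nobjs = double_frees = 0;
    add(fail);
    return double_frees;
}
```

run_case(add_udc_buggy, FAIL_AFTER_INIT) reports one double free, matching the report, while every path of add_udc_fixed reports none and leaked_objects() stays at zero, so the fix does not just trade the double free for a leak. The FAIL_BEFORE_INIT case is the reason the rule is easy to get wrong: before the release callback is installed, a direct free is the right thing, and the same function has to do both depending on how far setup got.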
