| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 31 Jul 2021 11:18:10 -0500 From: Larry Finger <Larry.Finger@...inger.net> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: LKML <linux-kernel@...r.kernel.org>, linux-staging@...ts.linux.dev Subject: Re: kernel BUG in new r8188eu On 7/31/21 12:37 AM, Greg Kroah-Hartman wrote: > Is this a new regression due to the recent cleanups, or something that > has always been here? I suspect that it has been there forever. I was just doing the kinds of things a user might do, and locked up my box. > As for the error, looks like someone is reading to an address that is > in userspace without doing the proper copy_from_user() thing. Do you > have a full traceback? BUG: unable to handle page fault for address: ffffeb020003b848 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 2 PID: 45 Comm: kworker/2:1 Tainted: G C O 5.14.0-rc2-00157-g390c661543a8 #8 Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014 Workqueue: usb_hub_wq hub_event [usbcore] RIP: 0010:kfree+0x68/0x2c0 Code: 01 e5 0f 82 5f 02 00 00 48 b8 00 00 00 80 7f 77 00 00 48 01 c5 48 b8 00 00 00 00 00 ea ff ff 48 c1 ed 0c 48 c1 e5 06 48 01 c5 <48> 8b 45 0> RSP: 0018:ffffc900001efa78 EFLAGS: 00010282 RAX: ffffea0000000000 RBX: ffffc90000ee1028 RCX: 000000008010000d RDX: 0000000000000000 RSI: ffffffffa149eddf RDI: ffffc90000ee1578 RBP: ffffeb020003b840 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: ffff888121c0e400 R12: ffffc90000ee1578 R13: ffff888101fd0000 R14: ffff888101fd0030 R15: 0000000000000003 FS: 0000000000000000(0000) GS:ffff888323280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffeb020003b848 CR3: 000000000220a002 CR4: 00000000001706e0 Call Trace: ? kfree+0x25a/0x2c0 rtw_free_mlme_priv_ie_data+0x15/0xf8 [r8188eu] _rtw_free_mlme_priv+0xe/0x30 [r8188eu] rtw_free_mlme_priv+0x1a/0x47 [r8188eu] rtw_free_drv_sw+0x5c/0x1ae [r8188eu] rtw_usb_if1_deinit+0x67/0xcd [r8188eu] rtw_dev_remove+0x5a/0xf4 [r8188eu] usb_unbind_interface+0x8a/0x270 [usbcore] ? kernfs_find_ns+0x35/0xd0 __device_release_driver+0x1a0/0x260 device_release_driver+0x24/0x30 bus_remove_device+0xd8/0x140 device_del+0x18b/0x3e0 ? kobject_cleanup+0x49/0x130 usb_disable_device+0xd9/0x260 [usbcore] usb_disconnect.cold+0x7b/0x201 [usbcore] hub_port_connect+0x88/0x8d0 [usbcore] ? kfree+0xe6/0x2c0 hub_port_connect_change+0xb1/0x3a0 [usbcore] port_event+0x5d4/0x720 [usbcore] hub_event+0x1db/0x430 [usbcore] process_one_work+0x1dd/0x3a0 worker_thread+0x50/0x3f0 ? rescuer_thread+0x390/0x390 kthread+0x128/0x140 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x22/0x30 Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ctr ccm r8188eu(C) rfcomm rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs> crypto_simd cryptd i915 i2c_algo_bit serio_raw ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm xhci_pci ehci_pci xhci_hcd > CR2: ffffeb020003b848 ---[ end trace f5f4e2b2680b5fd7 ]--- The driver is allocating some buffers using kmalloc variants, and others using vmalloc. I checked to see if there was confusion on which form of free should be used, but this one is allocated with kmalloc and freed with kfree, which should be OK. Larry
Powered by blists - more mailing lists