lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0d777868-d3b5-4f64-1bef-f7de8d7cb92d@lwfinger.net>
Date:   Sat, 31 Jul 2021 16:54:13 -0500
From:   Larry Finger <Larry.Finger@...inger.net>
To:     Fabio Aiuto <fabioaiuto83@...il.com>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-staging@...ts.linux.dev
Subject: Re: kernel BUG in new r8188eu

On 7/31/21 1:53 PM, Fabio Aiuto wrote:
> Hi all,
> 
> On Sat, Jul 31, 2021 at 11:18:10AM -0500, Larry Finger wrote:
>> On 7/31/21 12:37 AM, Greg Kroah-Hartman wrote:
>>> Is this a new regression due to the recent cleanups, or something that
>>> has always been here?
>>
>> I suspect that it has been there forever. I was just doing the kinds of
>> things a user might do, and locked up my box.
>>
>>> As for the error, looks like someone is reading to an address that is
>>> in userspace without doing the proper copy_from_user() thing.  Do you
>>> have a full traceback?
>>
>>   BUG: unable to handle page fault for address: ffffeb020003b848
>>   #PF: supervisor read access in kernel mode
>>   #PF: error_code(0x0000) - not-present page
>>   PGD 0 P4D 0
>>   Oops: 0000 [#1] SMP PTI
>>   CPU: 2 PID: 45 Comm: kworker/2:1 Tainted: G         C O
>> 5.14.0-rc2-00157-g390c661543a8 #8
>>   Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50   09/29/2014
>>   Workqueue: usb_hub_wq hub_event [usbcore]
>>   RIP: 0010:kfree+0x68/0x2c0
>>   Code: 01 e5 0f 82 5f 02 00 00 48 b8 00 00 00 80 7f 77 00 00 48 01 c5 48 b8
>> 00 00 00 00 00 ea ff ff 48 c1 ed 0c 48 c1 e5 06 48 01 c5 <48> 8b 45 0>
>>   RSP: 0018:ffffc900001efa78 EFLAGS: 00010282
>>   RAX: ffffea0000000000 RBX: ffffc90000ee1028 RCX: 000000008010000d
>>   RDX: 0000000000000000 RSI: ffffffffa149eddf RDI: ffffc90000ee1578
>>   RBP: ffffeb020003b840 R08: 0000000000000001 R09: 0000000000000001
>>   R10: 0000000000000000 R11: ffff888121c0e400 R12: ffffc90000ee1578
>>   R13: ffff888101fd0000 R14: ffff888101fd0030 R15: 0000000000000003
>>   FS:  0000000000000000(0000) GS:ffff888323280000(0000) knlGS:0000000000000000
>>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>   CR2: ffffeb020003b848 CR3: 000000000220a002 CR4: 00000000001706e0
>>   Call Trace:
>>    ? kfree+0x25a/0x2c0
>>    rtw_free_mlme_priv_ie_data+0x15/0xf8 [r8188eu]
>>    _rtw_free_mlme_priv+0xe/0x30 [r8188eu]
>>    rtw_free_mlme_priv+0x1a/0x47 [r8188eu]
>>    rtw_free_drv_sw+0x5c/0x1ae [r8188eu]
>>    rtw_usb_if1_deinit+0x67/0xcd [r8188eu]
>>    rtw_dev_remove+0x5a/0xf4 [r8188eu]
>>    usb_unbind_interface+0x8a/0x270 [usbcore]
>>    ? kernfs_find_ns+0x35/0xd0
>>    __device_release_driver+0x1a0/0x260
>>    device_release_driver+0x24/0x30
>>    bus_remove_device+0xd8/0x140
>>    device_del+0x18b/0x3e0
>>    ? kobject_cleanup+0x49/0x130
>>    usb_disable_device+0xd9/0x260 [usbcore]
>>    usb_disconnect.cold+0x7b/0x201 [usbcore]
>>    hub_port_connect+0x88/0x8d0 [usbcore]
>>    ? kfree+0xe6/0x2c0
>>    hub_port_connect_change+0xb1/0x3a0 [usbcore]
>>    port_event+0x5d4/0x720 [usbcore]
>>    hub_event+0x1db/0x430 [usbcore]
>>    process_one_work+0x1dd/0x3a0
>>    worker_thread+0x50/0x3f0
>>    ? rescuer_thread+0x390/0x390
>>    kthread+0x128/0x140
>>    ? set_kthread_struct+0x40/0x40
>>    ret_from_fork+0x22/0x30
>>   Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ctr ccm
>> r8188eu(C) rfcomm rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs>
>>    crypto_simd cryptd i915 i2c_algo_bit serio_raw ttm drm_kms_helper
>> syscopyarea sysfillrect sysimgblt fb_sys_fops drm xhci_pci ehci_pci xhci_hcd
>>>
>>   CR2: ffffeb020003b848
>>   ---[ end trace f5f4e2b2680b5fd7 ]---
>>
>> The driver is allocating some buffers using kmalloc variants, and others
>> using vmalloc. I checked to see if there was confusion on which form of free
>> should be used, but this one is allocated with kmalloc and freed with kfree,
>> which should be OK.
>>
>> Larry
>>
> 
> Maybe hostapd is involved. Try killing hostapd before and then
> unplug the dongle... does the system freeze?
> 
> #include "../include/rtw_android.h"
> int rtw_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
> {
>          struct iwreq *wrq = (struct iwreq *)rq;
>          int ret = 0;
> 
>          switch (cmd) {
>          case RTL_IOCTL_WPA_SUPPLICANT:
>                  ret = wpa_supplicant_ioctl(dev, &wrq->u.data);
>                  break;
> #ifdef CONFIG_88EU_AP_MODE
>          case RTL_IOCTL_HOSTAPD:
>                  ret = rtw_hostapd_ioctl(dev, &wrq->u.data);
>          	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> I think that someone tries to write the wrong fields while
> freeing memory...
> 
> 	break;
> #endif /*  CONFIG_88EU_AP_MODE */
>          case SIOCDEVPRIVATE:
> 
> static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
> {
>          struct ieee_param *param;
>          int ret = 0;
>          struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev);
> 
> ...
> 
>          switch (param->cmd) {
>          case RTL871X_HOSTAPD_FLUSH:
>                  ret = rtw_hostapd_sta_flush(dev);
>                  break;
> ...
>          case RTL871X_HOSTAPD_SET_WPS_BEACON:
>                  ret = rtw_set_wps_beacon(dev, param, p->length);
>                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 		break;
> 
> static int rtw_set_wps_beacon(struct net_device *dev, struct ieee_param *param, int len)
> {
>          int ret = 0;
>         
> ...
> 
>                  memcpy(pmlmepriv->wps_beacon_ie, param->u.bcn_ie.buf, ie_len);
> 		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 		maybe hotsapd does some ioctl at the wrong moment.
> 
> Just to verify, we could kill hostapd, if ever runs in your machine...

No, hostapd was not involved. I was using r8188eu in STA mode.

Larry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ