Message-ID: <m35yw4e2ze.fsf@t19.piap.pl>
Date:   Tue, 17 Aug 2021 13:15:49 +0200
From:   Krzysztof Hałasa <khalasa@...p.pl>
To:     lkml <linux-kernel@...r.kernel.org>
Subject: [BUG] v5.13.8 kernel NULL pointer dereference on SD card removal

Perhaps someone could use this. TIA.

Mounted an EXT4FS SD card (apparently). Removed the USB reader (with the
card) from the machine. Core i7 CPU, x86-64. Fedora normal kernel.

Now mounting:
usb 3-14: new high-speed USB device number 34 using xhci_hcd
usb 3-14: New USB device found, idVendor=05e3, idProduct=0738, bcdDevice= 0.01
usb 3-14: New USB device strings: Mfr=3, Product=4, SerialNumber=5
usb 3-14: Product:  USB3 Reader
usb 3-14: Manufacturer: Genesys
usb-storage 3-14:1.0: USB Mass Storage device detected
scsi host8: usb-storage 3-14:1.0
scsi 8:0:0:0: Direct-Access     Generic  STORAGE DEVICE   FT01 PQ: 0 ANSI: 6
scsi 8:0:0:1: Direct-Access     Generic  STORAGE DEVICE   FT01 PQ: 0 ANSI: 6
sd 8:0:0:0: Attached scsi generic sg4 type 0
sd 8:0:0:1: Attached scsi generic sg5 type 0
sd 8:0:0:1: [sdf] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
sd 8:0:0:1: [sdf] Write Protect is off
sd 8:0:0:1: [sdf] Mode Sense: 21 00 00 00
sd 8:0:0:1: [sdf] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
sd 8:0:0:0: [sde] Attached SCSI removable disk
 sdf: sdf1 sdf2
sd 8:0:0:1: [sdf] Attached SCSI removable disk
EXT4-fs (sdf2): recovery complete
EXT4-fs (sdf2): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.

Then removing:
usb 3-14: USB disconnect, device number 34
blk_update_request: I/O error, dev sdf, sector 25832 op 0x1:(WRITE) flags 0x3000 phys_seg 1 prio class 0
Buffer I/O error on dev sdf2, logical block 157, lost async page write
blk_update_request: I/O error, dev sdf, sector 29368 op 0x1:(WRITE) flags 0x3000 phys_seg 1 prio class 0
Buffer I/O error on dev sdf2, logical block 599, lost async page write
blk_update_request: I/O error, dev sdf, sector 29752 op 0x1:(WRITE) flags 0x3000 phys_seg 3 prio class 0
Buffer I/O error on dev sdf2, logical block 647, lost async page write
Buffer I/O error on dev sdf2, logical block 648, lost async page write
Buffer I/O error on dev sdf2, logical block 649, lost async page write
JBD2: Error while async write back metadata bh 157.
Aborting journal on device sdf2-8.
blk_update_request: I/O error, dev sdf, sector 1597440 op 0x1:(WRITE) flags 0x800 phys_seg 1 prio class 0
Buffer I/O error on dev sdf2, logical block 196608, lost sync page write
JBD2: Error -5 detected when updating journal superblock for sdf2-8.
JBD2: Error while async write back metadata bh 599.
JBD2: Error while async write back metadata bh 647.
JBD2: Error while async write back metadata bh 648.
udisksd[7311]: Cleaning up mount point /run/media/* (device 8:82 no longer exists)
systemd[1]: run-media-*.mount: Deactivated successfully.
JBD2: Error while async write back metadata bh 649.

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 2 PID: 279 Comm: kworker/2:1H Not tainted 5.13.8-200.fc34.x86_64 #1
Hardware name: ASUS All Series/Z87-PLUS, BIOS 2103 08/15/2014
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:sbitmap_get+0x75/0x190
Code: 85 80 00 00 00 41 8b 57 08 85 d2 0f 84 b1 00 00 00 45 31 e4 48 63 cd 48 8d 1c 49 48 c1 e3 06 49 03 5f 10 4c 8d 6b 40 83 f0 01 <48> 8b 33 44 89 f2 4c 89 ef 0f b6 c8 e8 4a f7 ff ff 83 f8 ff 75 58
RSP: 0000:ffffac8ac0353d58 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff955706c6a030
RBP: 0000000000000000 R08: 0000000000000001 R09: ffff9555809b8c6c
R10: 0000000000000008 R11: 0000000000000008 R12: 0000000000000000
R13: 0000000000000040 R14: 0000000000000000 R15: ffff955706c6a030
FS:  0000000000000000(0000) GS:ffff955c8fa80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000003b298a006 CR4: 00000000001706e0
Call Trace:
 scsi_mq_get_budget+0x1a/0x110
 __blk_mq_do_dispatch_sched+0x1b4/0x2d0
 ? __switch_to_xtra+0x111/0x500
 __blk_mq_sched_dispatch_requests+0x129/0x180
 blk_mq_sched_dispatch_requests+0x30/0x60
 __blk_mq_run_hw_queue+0x2d/0x60
 process_one_work+0x1ec/0x380
 worker_thread+0x53/0x3e0
 ? process_one_work+0x380/0x380
 kthread+0x127/0x150
 ? set_kthread_struct+0x40/0x40
 ret_from_fork+0x22/0x30
Modules linked in: nls_utf8 isofs ib_core vfat fat uas usb_storage pl2303 cdc_acm tun intel_rapl_msr snd_hda_codec_hdmi snd_hda_codec_realtek i915 snd_hda_codec_generic ledtrig_audio intel_rapl_common snd_hda_intel i2c_algo_bit drm_kms_helper x86_pkg_temp_thermal snd_intel_dspcfg intel_powerclamp snd_intel_sdw_acpi snd_hda_codec coretemp snd_hda_core rapl ftdi_sio joydev intel_cstate snd_hwdep snd_seq mei_hdcp snd_seq_device intel_uncore snd_pcm mei_me snd_timer at24 snd soundcore cec i2c_i801 mei e1000e mxm_wmi wmi_bmof lpc_ich i2c_smbus drm fuse ip_tables raid1 crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel video wmi
CR2: 0000000000000000
---[ end trace 17813201f8776546 ]---
-- 
Krzysztof "Chris" Hałasa

Sieć Badawcza Łukasiewicz
Przemysłowy Instytut Automatyki i Pomiarów PIAP
Al. Jerozolimskie 202, 02-486 Warszawa
