fwupd crashed with SIGSEGV in fu_plugin_synapticsmst_enumerate()

Bug #1671570 reported by Roland Dreier on 2017-03-09
This bug affects 4 people
Affects: fwupd (Ubuntu), status tracked in Artful
  Zesty: importance Undecided, assigned to Mario Limonciello
  Artful: importance Medium, assigned to Mario Limonciello

Bug Description

[Impact]
On some non-Dell systems that contain Synaptics MST hubs, fwupd will crash.
This affects fwupd 0.8.x in Zesty. In Artful, fwupd will be synced to a newer version from Debian experimental (0.9.2-5) which contains this fix already.

[Test Case]
1. On a system that was previously crashing fwupd, ensure fwupd starts up correctly.
2. On a Dell system that previously worked properly, ensure it continues to work properly.

[Regression potential]
Regression potential is low; this fix only prevents plugins from running where they shouldn't be running in the first place.

Roland Dreier (roland.dreier) wrote :

StacktraceTop:
 fu_plugin_synapticsmst_enumerate (error=0x7fffa0b8fbc0, plugin=0x55da59dad280) at fu-plugin-synapticsmst.c:251
 fu_plugin_coldplug (plugin=0x55da59dad280, error=0x7fffa0b8fbc0) at fu-plugin-synapticsmst.c:377
 fu_plugin_runner_coldplug (plugin=0x55da59dad280, error=0x7fffa0b8fbc0) at fu-plugin.c:605
 fu_main_plugins_coldplug (priv=0x55da59d84830) at fu-main.c:2369
 main (argc=<optimized out>, argv=<optimized out>) at fu-main.c:2838

Changed in fwupd (Ubuntu):
importance: Undecided → Medium
summary: - fwupd crashed with SIGSEGV in fu_plugin_coldplug()
+ fwupd crashed with SIGSEGV in fu_plugin_synapticsmst_enumerate()
tags: removed: need-amd64-retrace

Mario Limonciello (superm1) wrote :

Is this 100% reproducible for you?

Can you comment more about your setup?
* What system?
* What BIOS?
* What devices do you have plugged in? Monitors, docks, etc?

information type: Private → Public

Mario Limonciello (superm1) wrote :

At least my current suspicion looking through the stacktrace is that the device enumerated successfully, but it was an unsupported board ID and the error message wasn't set properly.

This commit should resolve it.
https://github.com/hughsie/fwupd/commit/99489a8638c7e1e4ae30ec9ec2b1fc2ca4bee20f

If you can reproduce this readily, it would be nice if you could also run fwupd in verbose mode to see the output:
# sudo /usr/lib/fwupd/fwupd -v

Changed in fwupd (Ubuntu):
status: New → In Progress
assignee: nobody → Mario Limonciello (superm1)

Ben Olsen (benrolsen) wrote :

I'm having this exact issue on a 4th Gen Lenovo X1 Carbon. Here's the last parts from "sudo /usr/lib/fwupd/fwupd -v":

16:00:44:0184 Dfu host->device: 10 ff 81 f1 00 00 00
16:00:44:0185 Fu devices now in store:
16:00:44:0185 Fu 1 UEFI-dummy-dev0 UEFI Updates
16:00:44:0185 Fu 2 com.via.VL811.firmware VL811 Firmware
16:00:44:0185 Fu 3 com.via.VL811+.firmware VL811+ Firmware
16:00:44:0185 Fu 4 com.via.VL812.firmware VL812 Firmware
16:00:44:0185 Fu 5 com.via.VL812_B2.firmware VL812 B2 Firmware
16:00:44:0185 Fu 6 com.8bitdo.fc30.firmware FC30
16:00:44:0185 Fu 7 com.8bitdo.fc30arcade.firmware FC30 Joystick
16:00:44:0185 Fu 8 com.8bitdo.fc30pro.firmware FC30 Pro
16:00:44:0185 Fu 9 com.8bitdo.nes30.firmware NES30
16:00:44:0185 Fu 10 com.8bitdo.nes30pro.firmware NES30 Pro
16:00:44:0185 Fu 11 com.8bitdo.sfc30.firmware SFC30
16:00:44:0185 Fu 12 com.8bitdo.snes30.firmware SNES30
16:00:44:0185 Fu 13 com.dell.uefi124c207d.firmware XPS 15 9550/Precision 5510 System Update
16:00:44:0185 Fu 14 com.dell.uefi1610b70e.firmware Inspiron 14 7000 Gaming/Inspiron 15 7000 Gaming System Update
16:00:44:0185 Fu 15 com.dell.uefi169d9146.firmware Vostro 14-3468 System Update
16:00:44:0185 Fu 16 com.dell.uefi1d4362ca.firmware Inspiron 14-3467 System Update
16:00:44:0185 Fu 17 com.dell.uefi212026ee.firmware Latitude E7X70 System Update
16:00:44:0185 Fu 18 com.dell.uefi21f94926.firmware Edge Gateway 3000/3001/3002/3003 System Update
16:00:44:0185 Fu 19 com.dell.uefi22d63f4.firmware TPM 2.0 Update
16:00:44:0185 Fu 20 com.dell.uefi293af847.firmware OptiPlex 3050 System Update
16:00:44:0185 Fu 21 com.dell.uefi33773727.firmware XPS 13 9350 System Update
16:00:44:0185 Fu 22 com.dell.uefi34578c72.firmware XPS 15 9560/Precision 5520 System Update
16:00:44:0185 Fu 23 com.dell.uefi3c20b9e1.firmware OptiPlex 7450 AIO System Update
16:00:44:0185 Fu 24 com.dell.uefi43ca3264.firmware OptiPlex 7440 AIO System Update
16:00:44:0185 Fu 25 com.dell.uefi45e3439b.firmware ChengMing 3967 System Update
16:00:44:0185 Fu 26 com.dell.uefi48af7d21.firmware XPS 13 9360 System Update
16:00:44:0186 Fu 27 com.dell.uefi49e03513.firmware Latitude 5X80 System Update
16:00:44:0186 Fu 28 com.dell.uefi4fed6c9d.firmware OptiPlex 7050 System Update
16:00:44:0186 Fu 29 com.dell.uefi5034bac4.firmware TPM 1.2 Update
16:00:44:0186 Fu 30 com.dell.uefi51d41d4e.firmware Latitude 7370 System Update
16:00:44:0186 Fu 31 com.dell.uefi53f51f56.firmware Latitude 7X80 System Update
16:00:44:0186 Fu 32 com.dell.uefi5b7ab884.firmware Precision E7X10 System Update
16:00:44:0186 Fu 33 com.dell.uefi5ffdbc0d.firmware XPS 13 9360 System Update
16:00:44:0186 Fu 34 com.dell.uefi6180aaaa.firmware Latitude E5X60 System Update
16:00:44:0186 Fu 35 com.dell.uefi8080d214.firmware OptiPlex 5050 System Update
16:00:44:0186 Fu 36 com.dell.uefi8661c04a.firmware Latitude 3470 System Update
16:00:44:0186 Fu 37 com.dell.uefi8b7b32a7.firmware Latitude 5X80 System Update
16:00:44:0186 Fu 38 com.dell.uefi9cb573d5.firmware Latitude 3480 System Update
16:00:44:0186 Fu 39 com.dell.uefia0a3aa54.firmware Embedded Box PC 5000 System Update
16:00:44:0186 Fu 40 com.dell.uefia81a55fe.firmware OptiPlex 3240 AIO Sys...


Mario Limonciello (superm1) wrote :

@Ben,
That crash happened on a Lenovo box? That's really surprising. It's not supposed to run the code on anything but Dell ( https://github.com/hughsie/fwupd/blob/master/plugins/synapticsmst/fu-plugin-synapticsmst.c#L35 )

Can you please share your dmidecode output?

Ben Olsen (benrolsen) wrote :

Sure, thanks for the quick response. I have, AFAIK, a pretty stock install of Zesty, and I just re-installed a few days ago. Here's the full output:

# dmidecode 3.0
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.
65 structures occupying 3156 bytes.
Table at 0xD7079000.

Handle 0x0000, DMI type 222, 16 bytes
OEM-specific Type
 Header and Data:
  DE 10 00 00 01 00 99 00 03 10 01 20 02 30 03 00
 Strings:
  Memory Init Complete
  End of DXE Phase
  BIOS Boot Complete

Handle 0x0001, DMI type 14, 8 bytes
Group Associations
 Name: Intel(R) Silicon View Technology
 Items: 1
  0x0000 (<OUT OF SPEC>)

Handle 0x0002, DMI type 134, 13 bytes
OEM-specific Type
 Header and Data:
  86 0D 02 00 15 04 17 20 00 00 00 00 00

Handle 0x0003, DMI type 7, 19 bytes
Cache Information
 Socket Designation: L1 Cache
 Configuration: Enabled, Not Socketed, Level 1
 Operational Mode: Write Back
 Location: Internal
 Installed Size: 64 kB
 Maximum Size: 64 kB
 Supported SRAM Types:
  Synchronous
 Installed SRAM Type: Synchronous
 Speed: Unknown
 Error Correction Type: Parity
 System Type: Data
 Associativity: 8-way Set-associative

Handle 0x0004, DMI type 7, 19 bytes
Cache Information
 Socket Designation: L1 Cache
 Configuration: Enabled, Not Socketed, Level 1
 Operational Mode: Write Back
 Location: Internal
 Installed Size: 64 kB
 Maximum Size: 64 kB
 Supported SRAM Types:
  Synchronous
 Installed SRAM Type: Synchronous
 Speed: Unknown
 Error Correction Type: Parity
 System Type: Instruction
 Associativity: 8-way Set-associative

Handle 0x0005, DMI type 7, 19 bytes
Cache Information
 Socket Designation: L2 Cache
 Configuration: Enabled, Not Socketed, Level 2
 Operational Mode: Write Back
 Location: Internal
 Installed Size: 512 kB
 Maximum Size: 512 kB
 Supported SRAM Types:
  Synchronous
 Installed SRAM Type: Synchronous
 Speed: Unknown
 Error Correction Type: Single-bit ECC
 System Type: Unified
 Associativity: 4-way Set-associative

Handle 0x0006, DMI type 7, 19 bytes
Cache Information
 Socket Designation: L3 Cache
 Configuration: Enabled, Not Socketed, Level 3
 Operational Mode: Write Back
 Location: Internal
 Installed Size: 4096 kB
 Maximum Size: 4096 kB
 Supported SRAM Types:
  Synchronous
 Installed SRAM Type: Synchronous
 Speed: Unknown
 Error Correction Type: Multi-bit ECC
 System Type: Unified
 Associativity: 16-way Set-associative

Handle 0x0007, DMI type 4, 48 bytes
Processor Information
 Socket Designation: U3E1
 Type: Central Processor
 Family: Core i7
 Manufacturer: Intel(R) Corporation
 ID: E3 06 04 00 FF FB EB BF
 Signature: Type 0, Family 6, Model 78, Stepping 3
 Flags:
  FPU (Floating-point unit on-chip)
  VME (Virtual mode extension)
  DE (Debugging extension)
  PSE (Page size extension)
  TSC (Time stamp counter)
  MSR (Model specific registers)
  PAE (Physical address extension)
  MCE (Machine check exception)
  CX8 (CMPXCHG8 instruction supported)
  APIC (On-chip APIC hardware supported)
  SEP (Fast system call)
  MTRR (Memory type range registers)
  PGE (Page global enable)
  MCA (Machine check architecture)
  CMOV (Conditional move instruction supported)
  PAT (Page attribute table)
  PSE-36 (36-bit page size extension)
  CLFSH (CLFLUSH instr...

Mario Limonciello (superm1) wrote :

OK so my suspicion based upon that is that by checking a table that doesn't exist it's defaulting to 0x00, which for you happens to have DE for the first byte. Can you please confirm my suspicions by doing this:

Compile the following test application and run it, share your output back. I expect that it will return an invalid table address. If it does, I'll make a fix in fwupd for this for you.

# gcc -o test test.c -lsmbios_c `pkg-config glib-2.0 --cflags --libs` && sudo ./test

----
#include <smbios_c/smbios.h>
#include <glib/gstdio.h>

struct smbios_struct
{
    u8 type;
    u8 length;
    u16 handle;
};

int main(void)
{
        guint8 dell_supported = 0;
        struct smbios_struct *de_table;

        de_table = smbios_get_next_struct_by_type (0, 0xED);
        if (!de_table)
                g_print("invalid table address\n");
        else
                g_print("de_table: %d %d %d\n", de_table->type, de_table->length, de_table->handle);
        smbios_struct_get_data (de_table, &(dell_supported), 0x00, sizeof(guint8));

        if (dell_supported != 0xDE)
                g_print("not supported, dell supported != de\n");
        else
                g_print("supported\n");
}
----

Mario Limonciello (superm1) wrote :

Sorry minor typo.

#include <smbios_c/smbios.h>
#include <glib/gstdio.h>

struct smbios_struct
{
    u8 type;
    u8 length;
    u16 handle;
};

int main(void)
{
        guint8 dell_supported = 0;
        struct smbios_struct *de_table;

        de_table = smbios_get_next_struct_by_type (0, 0xDE);
        if (!de_table)
                g_print("invalid table address\n");
        else
                g_print("de_table: %d %d %d\n", de_table->type, de_table->length, de_table->handle);
        smbios_struct_get_data (de_table, &(dell_supported), 0x00, sizeof(guint8));

        if (dell_supported != 0xDE)
                g_print("not supported, dell supported != de\n");
        else
                g_print("supported\n");
}

Scott Howard (showard314) wrote :

I have the same bug, on a Lenovo laptop as well. I ran your code, thank you!

./test
invalid table address
not supported, dell supported != de

Mario Limonciello (superm1) wrote :

Please make sure you run as root (I shared the code to make sure you would
feel safe running it as root).

On Thu, May 25, 2017, 09:21 Scott Howard <email address hidden> wrote:

> I have the same bug, on a lenovo laptop as well. I ran your code, thank
> you!
>
>
> ./test
> invalid table address
> not supported, dell supported != de

Ben Olsen (benrolsen) wrote :

Mario, next time you suggest a script like this, it would be lovely if you'd mention that your end-user needs to have libsmbios-dev and libglib2.0-dev installed. I couldn't import either of those headers without them. But here's the output:

root@ungeheuer:/tmp# ./test
de_table: 222 16 0
supported

I'm guessing that means your assumption was correct, as my Lenovo probably shouldn't be reporting as Dell supported. Thank you for your incredible troubleshooting, and let me know if you'd like any more information from me.

Mario Limonciello (superm1) wrote :

@Ben, sorry about forgetting to mention the libraries, glad you could figure it out.

Thanks for checking. I think the problem is actually the wrong thing is being scanned (type vs handle).
Can you give one more run at this one:

#include <smbios_c/smbios.h>
#include <glib/gstdio.h>

struct smbios_struct
{
    u8 type;
    u8 length;
    u16 handle;
};

int main(void)
{
        guint8 dell_supported = 0;
        struct smbios_struct *de_table;

        de_table = smbios_get_next_struct_by_handle (0, 0xDE00);
        if (!de_table)
                g_print("invalid table address\n");
        else
                g_print("de_table: %d %d %d\n", de_table->type, de_table->length, de_table->handle);
        smbios_struct_get_data (de_table, &(dell_supported), 0x00, sizeof(guint8));

        if (dell_supported != 0xDE)
                g_print("not supported, dell supported != de\n");
        else
                g_print("supported\n");
}

Ben Olsen (benrolsen) wrote :

Here's what I got:

root@ungeheuer:/tmp# ./test
invalid table address
not supported, dell supported != de
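
The type-versus-handle distinction that the test programs above probe, as an added example that is not part of the thread and is not fwupd or libsmbios code: a small SMBIOS structure-table walker run over a table constructed from the dmidecode bytes posted earlier. The function names, the end-of-table entry and dell_like_table are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed table: the first two structures reuse the "Header and Data"
 * bytes and strings from the Lenovo dmidecode output in this thread; the
 * type-127 end marker is added so the walk terminates. */
static const uint8_t lenovo_table[] = {
    0xDE,0x10,0x00,0x00,0x01,0x00,0x99,0x00,   /* type 222, len 16, handle 0x0000 */
    0x03,0x10,0x01,0x20,0x02,0x30,0x03,0x00,
    'M','e','m','o','r','y',' ','I','n','i','t',' ','C','o','m','p','l','e','t','e',0,
    'E','n','d',' ','o','f',' ','D','X','E',' ','P','h','a','s','e',0,
    'B','I','O','S',' ','B','o','o','t',' ','C','o','m','p','l','e','t','e',0, 0,
    0x86,0x0D,0x02,0x00,0x15,0x04,0x17,0x20,   /* type 134, len 13, handle 0x0002 */
    0x00,0x00,0x00,0x00,0x00, 0,0,
    0x7F,0x04,0x03,0x00, 0,0,                  /* end-of-table (constructed) */
};
/* Hypothetical table whose type-0xDE structure sits at handle 0xDE00. */
static const uint8_t dell_like_table[] = {0xDE,0x04,0x00,0xDE,0,0, 0x7F,0x04,0x01,0x00,0,0};

/* Step to the structure after p; NULL at end of table or if truncated. */
static const uint8_t *smbios_next(const uint8_t *p, const uint8_t *end)
{
    if (end - p < 4 || p[1] < 4 || p[1] > end - p || p[0] == 0x7F)
        return NULL;
    p += p[1];                               /* skip the formatted area */
    while (end - p >= 2 && (p[0] || p[1]))   /* skip strings up to the double NUL */
        p++;
    if (end - p < 2)
        return NULL;
    p += 2;
    return (end - p >= 4) ? p : NULL;
}

/* Find a structure by type (by_handle == 0) or by handle (by_handle != 0). */
static const uint8_t *smbios_find(const uint8_t *tbl, size_t len,
                                  int by_handle, uint16_t want)
{
    const uint8_t *end = tbl + len;
    for (const uint8_t *p = len >= 4 ? tbl : NULL; p; p = smbios_next(p, end)) {
        uint16_t key = by_handle ? (uint16_t)(p[2] | p[3] << 8) : p[0];
        if (p[1] >= 4 && p[1] <= end - p && key == want)
            return p;
    }
    return NULL;
}

/* by_handle == 0: first check from the thread (look up *type* 0xDE); byte 0
 * is the type field, so any vendor's OEM type 222 passes.
 * by_handle != 0: last check from the thread (look up *handle* 0xDE00).
 * A missing structure means "not supported" and is never dereferenced. */
static int dell_supported(const uint8_t *tbl, size_t len, int by_handle)
{
    const uint8_t *s = smbios_find(tbl, len, by_handle, by_handle ? 0xDE00 : 0xDE);
    return s != NULL && s[0] == 0xDE;
}

int main(void)
{
    printf("lenovo by type:   %d\n", dell_supported(lenovo_table, sizeof lenovo_table, 0));
    printf("lenovo by handle: %d\n", dell_supported(lenovo_table, sizeof lenovo_table, 1));
    printf("dell-like handle: %d\n", dell_supported(dell_like_table, sizeof dell_like_table, 1));
    return 0;
}
```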

Mario Limonciello (superm1) wrote :

@Ben,

OK I've published a package here: https://launchpad.net/~superm1/+archive/ubuntu/lp1671570/+packages
Once that finishes building can you try that?

Assuming that works properly I'll put an SRU together for this.

description: updated
description: updated
Changed in fwupd (Ubuntu Zesty):
status: New → In Progress
Changed in fwupd (Ubuntu Artful):
status: In Progress → Fix Committed
Changed in fwupd (Ubuntu Zesty):
assignee: nobody → Mario Limonciello (superm1)

Ben Olsen (benrolsen) wrote :

@Mario

Do I just need to download and install the fwupd deb for my arch (in my case, fwupd_0.8.1-3ubuntu0.1_amd64.deb)? Or do I need to download and install all the amd64 debs in the package you linked?

Mario Limonciello (superm1) wrote :

The patch is restricted to the binaries in that package, but if you run
into dependency problems you may need to install more of them.

On Fri, May 26, 2017, 10:21 Ben Olsen <email address hidden> wrote:

> @Mario
>
> Do I just need to download and install the fwupd deb for my arch (in my
> case, fwupd_0.8.1-3ubuntu0.1_amd64.deb)? Or do I need to download and
> install all the amd64 debs in the package you linked?

Ben Olsen (benrolsen) wrote :

@Mario

Before installing the patched file, I wanted to make sure I could reliably reproduce the error. Unfortunately I haven't been able to. So far it seems related to whether or not the ThinkPad OneLink+ adapter is plugged in to the machine on startup, but even that didn't cause the error every time. I'll try to get more time for testing this week.

Scott Howard (showard314) wrote :

When I ran as root before the patch:
$ sudo ./test
de_table: 222 16 0
supported

after patch
$ sudo ./test
invalid table address
not supported, dell supported != de

It does seem to be dependent on whether I'm plugged in to my Lenovo docking station, like Ben Olsen wrote - it may be some peripheral that is confusing things.

Thank you for the excellent debugging!!

Mario Limonciello (superm1) wrote :

Scott, Ben,

Thanks for the extra information. The Lenovo docking station likely
provides the MST hub that is problematic.

Can you please try the updated package on that PPA I shared with the
docking station attached or plugged in?

On Tue, May 30, 2017, 09:11 Scott Howard <email address hidden> wrote:

> When I ran as root before the patch:
> $ sudo ./test
> de_table: 222 16 0
> supported
>
>
> after patch
> $ sudo ./test
> invalid table address
> not supported, dell supported != de
>
>
> It does seem to be dependent if I'm plugged in to my lenovo docking
> station, like Ben Olsen wrote - it may be some peripheral that is confusing
> things.
>
> Thank you for the excellent debugging!!

Ben Olsen (benrolsen) wrote :

@Mario,

Sorry it took a while to test, but your patch does seem to have fixed the issue, at least on my system.

Mario Limonciello (superm1) wrote :

Thanks for that confirmation. I've also uploaded this as an SRU, it's just waiting for the SRU team to process it.

tags: added: rls-aa-notfixing

Mario Limonciello (superm1) wrote :

This is fixed in 0.9.2 release for Artful.

Changed in fwupd (Ubuntu Artful):
status: Fix Committed → Fix Released

Hello Roland, or anyone else affected,

Accepted fwupd into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/0.8.1-3ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in fwupd (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed

cagri (cagrias) wrote :

The fwupd zesty-proposed update fixed a similar issue of mine. Thanks.

tags: added: verification-done-trusty
removed: verification-needed
tags: added: verification-done
removed: verification-done-trusty

Taner Paca (tanerpaca) wrote :

I would like to confirm that fwupd update from zesty-proposed fixed this issue with Lenovo T460s with docking station. Thanks a lot.

Thank you for taking the time to verify this stable release fix. We have noticed that you have used the verification-done tag for marking the bug as verified and would like to point out that due to a recent change in SRU bug verification policy fixes now have to be marked with per-release tags (i.e. verification-done-$RELEASE). Please remove the verification-done tag and add one for the release you have tested the package in. Thank you!

https://wiki.ubuntu.com/StableReleaseUpdates#Verification

tags: added: verification-done-zesty
removed: verification-done

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 0.8.1-3ubuntu0.1

---------------
fwupd (0.8.1-3ubuntu0.1) zesty; urgency=medium

  * Backport patch to fix detection of Dell systems (LP: #1671570)
  * Backport patch to fix error handling on synaptics MST.

 -- Mario Limonciello <email address hidden> Thu, 25 May 2017 23:17:38 -0500

Changed in fwupd (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for fwupd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
