can_bcm01 from can in ubuntu_ltp_stable crash system on F-OEM-5.13

Bug #1942498 reported by Po-Hsu Lin
Affects | Status | Importance | Assigned to | Milestone
ubuntu-kernel-tests | Fix Released | Undecided | Unassigned |
linux-intel-5.13 (Ubuntu) | Invalid | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
linux-signed-oem-5.13 (Ubuntu) | Invalid | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |

Bug Description

It looks like this is a test case for CVE-2021-3609.

This issue did not exist in the last cycle for OEM 5.13.0-1010, as this test case did not exist back then.

can_bcm01 test in ubuntu_ltp_stable/can will trigger the following error on 5.13.0-1011-oem and crash the system:
Sep 3 04:30:20 spitfire kernel: [ 324.458389] LTP: starting can_bcm01
Sep 3 04:30:20 spitfire kernel: [ 324.474313] vcan: Virtual CAN interface driver
Sep 3 04:30:20 spitfire systemd-networkd[1967]: ltp_vcan0: Link UP
Sep 3 04:30:20 spitfire networkd-dispatcher[2025]: WARNING:Unknown index 4 seen, reloading interface list
Sep 3 04:30:20 spitfire systemd-networkd[1967]: ltp_vcan0: Gained carrier
Sep 3 04:30:20 spitfire systemd-udevd[4596]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Sep 3 04:30:20 spitfire systemd-udevd[4596]: Using default interface naming scheme 'v245'.
Sep 3 04:30:20 spitfire kernel: [ 324.483778] can: controller area network core
Sep 3 04:30:20 spitfire kernel: [ 324.483819] NET: Registered protocol family 29
Sep 3 04:30:20 spitfire kernel: [ 324.491947] can: broadcast manager protocol
Sep 3 04:30:20 spitfire kernel: [ 324.515859] ------------[ cut here ]------------
Sep 3 04:30:20 spitfire kernel: [ 324.515863] WARNING: CPU: 7 PID: 4591 at lib/timerqueue.c:55 timerqueue_del+0x43/0x50
Sep 3 04:30:20 spitfire kernel: [ 324.515877] Modules linked in: can_bcm can vcan nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif rapl joydev input_leds efi_pstore isst_if_mbox_pci isst_if_mmio isst_if_common mei_me intel_pch_thermal mei ioatdma acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter acpi_pad mac_hid sch_fq_codel msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul ast crc32_pclmul drm_vram_helper i2c_algo_bit drm_ttm_helper ttm ghash_clmulni_intel drm_kms_helper aesni_intel syscopyarea ixgbe sysfillrect sysimgblt fb_sys_fops crypto_simd cec xfrm_algo rc_core cryptd dca drm mdio ahci i2c_i801 xhci_pci i2c_smbus xhci_pci_renesas intel_pmt libahci wmi
Sep 3 04:30:20 spitfire kernel: [ 324.515953] CPU: 7 PID: 4591 Comm: can_bcm01 Not tainted 5.13.0-1011-oem #15-Ubuntu
Sep 3 04:30:20 spitfire kernel: [ 324.515957] Hardware name: Intel Corporation M50CYP2SB2U/M50CYP2SB2U, BIOS SE5C6200.86B.0021.D40.2101090208 01/09/2021
Sep 3 04:30:20 spitfire kernel: [ 324.515959] RIP: 0010:timerqueue_del+0x43/0x50
Sep 3 04:30:20 spitfire kernel: [ 324.515965] Code: 48 89 df e8 ef c5 ff ff 49 89 44 24 08 4c 89 e6 48 89 df e8 9f be ff ff 48 89 1b 49 8b 04 24 5b 41 5c 48 85 c0 5d 0f 95 c0 c3 <0f> 0b eb cb cc cc cc cc cc cc cc cc cc 48 8b 07 45 31 c0 48 83 c0
Sep 3 04:30:20 spitfire kernel: [ 324.515968] RSP: 0018:ff46f753c8917d40 EFLAGS: 00010046
Sep 3 04:30:20 spitfire kernel: [ 324.515972] RAX: 0000000000000001 RBX: ff3a23c5110cae50 RCX: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.515974] RDX: 0000000000000000 RSI: ff3a23c5110cae50 RDI: ff3a23cc5f85f260
Sep 3 04:30:20 spitfire kernel: [ 324.515975] RBP: ff46f753c8917d50 R08: ffffffffa3ce6048 R09: ff3a23c51bc84e40
Sep 3 04:30:20 spitfire kernel: [ 324.515977] R10: 0000000000000008 R11: ff3a23c54ea21a10 R12: ff3a23cc5f85f260
Sep 3 04:30:20 spitfire kernel: [ 324.515979] R13: 0000000000000000 R14: ff3a23cc5f85f100 R15: ff3a23c54ea2df10
Sep 3 04:30:20 spitfire kernel: [ 324.515980] FS: 00007f196de15740(0000) GS:ff3a23cc5f3c0000(0000) knlGS:0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.515983] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 3 04:30:20 spitfire kernel: [ 324.515984] CR2: 00007f196e008fec CR3: 000000010ea66003 CR4: 0000000000771ee0
Sep 3 04:30:20 spitfire kernel: [ 324.515986] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.515988] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Sep 3 04:30:20 spitfire kernel: [ 324.515990] PKRU: 55555554
Sep 3 04:30:20 spitfire kernel: [ 324.515992] Call Trace:
Sep 3 04:30:20 spitfire kernel: [ 324.515997] __remove_hrtimer+0x3c/0x90
Sep 3 04:30:20 spitfire kernel: [ 324.516007] hrtimer_try_to_cancel+0xb7/0xf0
Sep 3 04:30:20 spitfire kernel: [ 324.516011] hrtimer_cancel+0x15/0x20
Sep 3 04:30:20 spitfire kernel: [ 324.516015] bcm_remove_op+0x17/0x70 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.516020] bcm_release+0x13c/0x250 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.516024] __sock_release+0x42/0xb0
Sep 3 04:30:20 spitfire kernel: [ 324.516033] sock_close+0x15/0x20
Sep 3 04:30:20 spitfire kernel: [ 324.516036] __fput+0x9c/0x250
Sep 3 04:30:20 spitfire kernel: [ 324.516042] ____fput+0xe/0x10
Sep 3 04:30:20 spitfire kernel: [ 324.516044] task_work_run+0x70/0xb0
Sep 3 04:30:20 spitfire kernel: [ 324.516052] exit_to_user_mode_prepare+0x1c8/0x1d0
Sep 3 04:30:20 spitfire kernel: [ 324.516059] syscall_exit_to_user_mode+0x27/0x50
Sep 3 04:30:20 spitfire kernel: [ 324.516069] ? __x64_sys_close+0x12/0x40
Sep 3 04:30:20 spitfire kernel: [ 324.516075] do_syscall_64+0x4d/0xb0
Sep 3 04:30:20 spitfire kernel: [ 324.516080] entry_SYSCALL_64_after_hwframe+0x44/0xae
Sep 3 04:30:20 spitfire kernel: [ 324.516085] RIP: 0033:0x7f196e01e3fb
Sep 3 04:30:20 spitfire kernel: [ 324.516087] Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 f3 fb ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 31 fc ff ff 8b 44
Sep 3 04:30:20 spitfire kernel: [ 324.516091] RSP: 002b:00007ffc668ceb30 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
Sep 3 04:30:20 spitfire kernel: [ 324.516094] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f196e01e3fb
Sep 3 04:30:20 spitfire kernel: [ 324.516095] RDX: 0000000000000000 RSI: 0000000000000072 RDI: 0000000000000004
Sep 3 04:30:20 spitfire kernel: [ 324.516097] RBP: 000056437d62e065 R08: 0000000000000000 R09: 0000000000000144
Sep 3 04:30:20 spitfire kernel: [ 324.516099] R10: 00007ffc669ab1b0 R11: 0000000000000293 R12: 00007ffc668cee18
Sep 3 04:30:20 spitfire kernel: [ 324.516100] R13: 0000000000000000 R14: 0000000000000072 R15: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516103] ---[ end trace 388c8dba4a6fb81b ]---
Sep 3 04:30:20 spitfire kernel: [ 324.516481] ------------[ cut here ]------------
Sep 3 04:30:20 spitfire kernel: [ 324.516485] WARNING: CPU: 25 PID: 4602 at arch/x86/include/asm/kfence.h:44 kfence_protect_page+0x33/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.516498] Modules linked in: can_bcm can vcan nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif rapl joydev input_leds efi_pstore isst_if_mbox_pci isst_if_mmio isst_if_common mei_me intel_pch_thermal mei ioatdma acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter acpi_pad mac_hid sch_fq_codel msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul ast crc32_pclmul drm_vram_helper i2c_algo_bit drm_ttm_helper ttm ghash_clmulni_intel drm_kms_helper aesni_intel syscopyarea ixgbe sysfillrect sysimgblt fb_sys_fops crypto_simd cec xfrm_algo rc_core cryptd dca drm mdio ahci i2c_i801 xhci_pci i2c_smbus xhci_pci_renesas intel_pmt libahci wmi
Sep 3 04:30:20 spitfire kernel: [ 324.516582] CPU: 25 PID: 4602 Comm: can_bcm01 Tainted: G W 5.13.0-1011-oem #15-Ubuntu
Sep 3 04:30:20 spitfire kernel: [ 324.516587] Hardware name: Intel Corporation M50CYP2SB2U/M50CYP2SB2U, BIOS SE5C6200.86B.0021.D40.2101090208 01/09/2021
Sep 3 04:30:20 spitfire kernel: [ 324.516589] RIP: 0010:kfence_protect_page+0x33/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.516594] Code: 53 89 f3 48 8d 75 e4 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 45 e8 31 c0 e8 98 1f da ff 48 85 c0 74 06 83 7d e4 01 74 06 <0f> 0b 31 c0 eb 39 48 8b 38 48 89 c2 84 db 75 47 48 89 f8 0f 1f 40
Sep 3 04:30:20 spitfire kernel: [ 324.516598] RSP: 0018:ff46f753c6ff0ae8 EFLAGS: 00010046
Sep 3 04:30:20 spitfire kernel: [ 324.516602] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffa3a10000
Sep 3 04:30:20 spitfire kernel: [ 324.516604] RDX: ff46f753c6ff0aec RSI: 0000000000000000 RDI: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516606] RBP: ff46f753c6ff0b08 R08: 0000000000000000 R09: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516608] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516610] R13: 0000000000000000 R14: ff46f753c6ff0c58 R15: ff3a23c50a37fb40
Sep 3 04:30:20 spitfire kernel: [ 324.516612] FS: 00007f196de14700(0000) GS:ff3a23cc5f840000(0000) knlGS:0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 3 04:30:20 spitfire kernel: [ 324.516617] CR2: 0000000000000008 CR3: 000000010ea66006 CR4: 0000000000771ee0
Sep 3 04:30:20 spitfire kernel: [ 324.516619] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516621] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Sep 3 04:30:20 spitfire kernel: [ 324.516622] PKRU: 55555554
Sep 3 04:30:20 spitfire kernel: [ 324.516624] Call Trace:
Sep 3 04:30:20 spitfire kernel: [ 324.516626] <IRQ>
Sep 3 04:30:20 spitfire kernel: [ 324.516630] kfence_unprotect+0x17/0x30
Sep 3 04:30:20 spitfire kernel: [ 324.516635] kfence_handle_page_fault+0x97/0x250
Sep 3 04:30:20 spitfire kernel: [ 324.516641] page_fault_oops+0xa0/0x2a0
Sep 3 04:30:20 spitfire kernel: [ 324.516647] ? scheduler_tick+0xf8/0x260
Sep 3 04:30:20 spitfire kernel: [ 324.516654] do_user_addr_fault+0x2f4/0x640
Sep 3 04:30:20 spitfire kernel: [ 324.516658] exc_page_fault+0x7d/0x170
Sep 3 04:30:20 spitfire kernel: [ 324.516666] asm_exc_page_fault+0x1e/0x30
Sep 3 04:30:20 spitfire kernel: [ 324.516671] RIP: 0010:rb_insert_color+0x14/0x120
Sep 3 04:30:20 spitfire kernel: [ 324.516678] Code: c0 75 eb 4c 89 c0 c3 45 31 c0 eb f7 66 2e 0f 1f 84 00 00 00 00 00 48 8b 07 48 85 c0 0f 84 b0 00 00 00 48 8b 10 f6 c2 01 75 5b <48> 8b 4a 08 48 39 c1 74 53 48 85 c9 74 05 f6 01 01 74 72 48 8b 48
Sep 3 04:30:20 spitfire kernel: [ 324.516681] RSP: 0018:ff46f753c6ff0d08 EFLAGS: 00010046
Sep 3 04:30:20 spitfire kernel: [ 324.516684] RAX: ff3a23c5110cae50 RBX: ff3a23cc5f85f240 RCX: ff3a23c5110cae58
Sep 3 04:30:20 spitfire kernel: [ 324.516687] RDX: 0000000000000000 RSI: ff3a23cc5f85f260 RDI: ff3a23c5110cd450
Sep 3 04:30:20 spitfire kernel: [ 324.516688] RBP: ff46f753c6ff0d20 R08: 000000000001f100 R09: ff3a23c516032800
Sep 3 04:30:20 spitfire kernel: [ 324.516691] R10: ff3a23c518b18090 R11: ff3a23c5209d3cd4 R12: ff3a23c5110cd450
Sep 3 04:30:20 spitfire kernel: [ 324.516692] R13: 0000000000000000 R14: 0000000000000005 R15: ff3a23cc5f85f240
Sep 3 04:30:20 spitfire kernel: [ 324.516697] ? timerqueue_add+0x6e/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.516702] enqueue_hrtimer+0x39/0x70
Sep 3 04:30:20 spitfire kernel: [ 324.516708] hrtimer_start_range_ns+0x196/0x2f0
Sep 3 04:30:20 spitfire kernel: [ 324.516714] bcm_rx_handler+0x112/0x160 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.516721] can_rcv_filter+0x10d/0x1d0 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.516726] can_receive+0x71/0xd0 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.516731] can_rcv+0x35/0x70 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.516736] __netif_receive_skb_one_core+0x8c/0xa0
Sep 3 04:30:20 spitfire kernel: [ 324.516745] __netif_receive_skb+0x18/0x60
Sep 3 04:30:20 spitfire kernel: [ 324.516749] process_backlog+0xa9/0x160
Sep 3 04:30:20 spitfire kernel: [ 324.516754] __napi_poll+0x2e/0x140
Sep 3 04:30:20 spitfire kernel: [ 324.516758] net_rx_action+0x23f/0x290
Sep 3 04:30:20 spitfire kernel: [ 324.516762] __do_softirq+0xdd/0x29b
Sep 3 04:30:20 spitfire kernel: [ 324.516768] do_softirq+0x66/0x80
Sep 3 04:30:20 spitfire kernel: [ 324.516775] </IRQ>
Sep 3 04:30:20 spitfire kernel: [ 324.516777] netif_rx_ni+0x9b/0xa0
Sep 3 04:30:20 spitfire kernel: [ 324.516781] can_send+0x151/0x240 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.516786] bcm_sendmsg+0x466/0x554 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.516791] sock_sendmsg+0x65/0x70
Sep 3 04:30:20 spitfire kernel: [ 324.516797] ____sys_sendmsg+0x218/0x290
Sep 3 04:30:20 spitfire kernel: [ 324.516801] ? copy_msghdr_from_user+0x5c/0x90
Sep 3 04:30:20 spitfire kernel: [ 324.516806] ? do_set_pte+0xc8/0x140
Sep 3 04:30:20 spitfire kernel: [ 324.516814] ? __unlock_page_memcg+0x25/0x60
Sep 3 04:30:20 spitfire kernel: [ 324.516822] ___sys_sendmsg+0x81/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.516826] ? trigger_load_balance+0x15f/0x2f0
Sep 3 04:30:20 spitfire kernel: [ 324.516832] ? scheduler_tick+0xf8/0x260
Sep 3 04:30:20 spitfire kernel: [ 324.516835] ? rcu_advance_cbs+0x21/0x50
Sep 3 04:30:20 spitfire kernel: [ 324.516842] ? __note_gp_changes+0x133/0x140
Sep 3 04:30:20 spitfire kernel: [ 324.516846] ? __fget_files+0x56/0x80
Sep 3 04:30:20 spitfire kernel: [ 324.516853] ? __fget_light+0x62/0x80
Sep 3 04:30:20 spitfire kernel: [ 324.516857] __sys_sendmsg+0x62/0xb0
Sep 3 04:30:20 spitfire kernel: [ 324.516862] ? exit_to_user_mode_prepare+0x41/0x1d0
Sep 3 04:30:20 spitfire kernel: [ 324.516867] __x64_sys_sendmsg+0x1f/0x30
Sep 3 04:30:20 spitfire kernel: [ 324.516872] do_syscall_64+0x40/0xb0
Sep 3 04:30:20 spitfire kernel: [ 324.516877] entry_SYSCALL_64_after_hwframe+0x44/0xae
Sep 3 04:30:20 spitfire kernel: [ 324.516880] RIP: 0033:0x7f196e01f12d
Sep 3 04:30:20 spitfire kernel: [ 324.516883] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48
Sep 3 04:30:20 spitfire kernel: [ 324.516886] RSP: 002b:00007f196de13dc0 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
Sep 3 04:30:20 spitfire kernel: [ 324.516889] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f196e01f12d
Sep 3 04:30:20 spitfire kernel: [ 324.516891] RDX: 0000000000000000 RSI: 00007f196de13e60 RDI: 0000000000000003
Sep 3 04:30:20 spitfire kernel: [ 324.516892] RBP: 00007f196de13e60 R08: 0000000000000002 R09: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516894] R10: 00007ffc669ab1b0 R11: 0000000000000246 R12: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516895] R13: 0000000000000048 R14: 000056437d62e065 R15: 0000000000000052
Sep 3 04:30:20 spitfire kernel: [ 324.516899] ---[ end trace 388c8dba4a6fb81c ]---
Sep 3 04:30:20 spitfire kernel: [ 324.516905] ------------[ cut here ]------------
Sep 3 04:30:20 spitfire kernel: [ 324.516906] WARNING: CPU: 25 PID: 4602 at mm/kfence/core.c:135 kfence_unprotect+0x1d/0x30
Sep 3 04:30:20 spitfire kernel: [ 324.516912] Modules linked in: can_bcm can vcan nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif rapl joydev input_leds efi_pstore isst_if_mbox_pci isst_if_mmio isst_if_common mei_me intel_pch_thermal mei ioatdma acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter acpi_pad mac_hid sch_fq_codel msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul ast crc32_pclmul drm_vram_helper i2c_algo_bit drm_ttm_helper ttm ghash_clmulni_intel drm_kms_helper aesni_intel syscopyarea ixgbe sysfillrect sysimgblt fb_sys_fops crypto_simd cec xfrm_algo rc_core cryptd dca drm mdio ahci i2c_i801 xhci_pci i2c_smbus xhci_pci_renesas intel_pmt libahci wmi
Sep 3 04:30:20 spitfire kernel: [ 324.516981] CPU: 25 PID: 4602 Comm: can_bcm01 Tainted: G W 5.13.0-1011-oem #15-Ubuntu
Sep 3 04:30:20 spitfire kernel: [ 324.516983] Hardware name: Intel Corporation M50CYP2SB2U/M50CYP2SB2U, BIOS SE5C6200.86B.0021.D40.2101090208 01/09/2021
Sep 3 04:30:20 spitfire kernel: [ 324.516985] RIP: 0010:kfence_unprotect+0x1d/0x30
Sep 3 04:30:20 spitfire kernel: [ 324.516989] Code: e8 08 fd ff ff 5d c3 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 81 e7 00 f0 ff ff 31 f6 48 89 e5 e8 f9 fb ff ff 84 c0 74 02 5d c3 <0f> 0b c6 05 aa 7d 67 01 00 5d c3 0f 1f 84 00 00 00 00 00 0f 1f 44
Sep 3 04:30:20 spitfire kernel: [ 324.516992] RSP: 0018:ff46f753c6ff0b18 EFLAGS: 00010046
Sep 3 04:30:20 spitfire kernel: [ 324.516994] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516995] RDX: ff46f753c6ff0aec RSI: 0000000000000000 RDI: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516997] RBP: ff46f753c6ff0b18 R08: 0000000000000000 R09: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.516998] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000008
Sep 3 04:30:20 spitfire kernel: [ 324.517000] R13: 0000000000000000 R14: ff46f753c6ff0c58 R15: ff3a23c50a37fb40
Sep 3 04:30:20 spitfire kernel: [ 324.517001] FS: 00007f196de14700(0000) GS:ff3a23cc5f840000(0000) knlGS:0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.517003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 3 04:30:20 spitfire kernel: [ 324.517005] CR2: 0000000000000008 CR3: 000000010ea66006 CR4: 0000000000771ee0
Sep 3 04:30:20 spitfire kernel: [ 324.517007] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.517009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Sep 3 04:30:20 spitfire kernel: [ 324.517011] PKRU: 55555554
Sep 3 04:30:20 spitfire kernel: [ 324.517012] Call Trace:
Sep 3 04:30:20 spitfire kernel: [ 324.517013] <IRQ>
Sep 3 04:30:20 spitfire kernel: [ 324.517015] kfence_handle_page_fault+0x97/0x250
Sep 3 04:30:20 spitfire kernel: [ 324.517020] page_fault_oops+0xa0/0x2a0
Sep 3 04:30:20 spitfire kernel: [ 324.517023] ? scheduler_tick+0xf8/0x260
Sep 3 04:30:20 spitfire kernel: [ 324.517026] do_user_addr_fault+0x2f4/0x640
Sep 3 04:30:20 spitfire kernel: [ 324.517029] exc_page_fault+0x7d/0x170
Sep 3 04:30:20 spitfire kernel: [ 324.517034] asm_exc_page_fault+0x1e/0x30
Sep 3 04:30:20 spitfire kernel: [ 324.517037] RIP: 0010:rb_insert_color+0x14/0x120
Sep 3 04:30:20 spitfire kernel: [ 324.517042] Code: c0 75 eb 4c 89 c0 c3 45 31 c0 eb f7 66 2e 0f 1f 84 00 00 00 00 00 48 8b 07 48 85 c0 0f 84 b0 00 00 00 48 8b 10 f6 c2 01 75 5b <48> 8b 4a 08 48 39 c1 74 53 48 85 c9 74 05 f6 01 01 74 72 48 8b 48
Sep 3 04:30:20 spitfire kernel: [ 324.517044] RSP: 0018:ff46f753c6ff0d08 EFLAGS: 00010046
Sep 3 04:30:20 spitfire kernel: [ 324.517047] RAX: ff3a23c5110cae50 RBX: ff3a23cc5f85f240 RCX: ff3a23c5110cae58
Sep 3 04:30:20 spitfire kernel: [ 324.517049] RDX: 0000000000000000 RSI: ff3a23cc5f85f260 RDI: ff3a23c5110cd450
Sep 3 04:30:20 spitfire kernel: [ 324.517051] RBP: ff46f753c6ff0d20 R08: 000000000001f100 R09: ff3a23c516032800
Sep 3 04:30:20 spitfire kernel: [ 324.517053] R10: ff3a23c518b18090 R11: ff3a23c5209d3cd4 R12: ff3a23c5110cd450
Sep 3 04:30:20 spitfire kernel: [ 324.517055] R13: 0000000000000000 R14: 0000000000000005 R15: ff3a23cc5f85f240
Sep 3 04:30:20 spitfire kernel: [ 324.517058] ? timerqueue_add+0x6e/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.517063] enqueue_hrtimer+0x39/0x70
Sep 3 04:30:20 spitfire kernel: [ 324.517067] hrtimer_start_range_ns+0x196/0x2f0
Sep 3 04:30:20 spitfire kernel: [ 324.517071] bcm_rx_handler+0x112/0x160 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.517076] can_rcv_filter+0x10d/0x1d0 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.517080] can_receive+0x71/0xd0 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.517085] can_rcv+0x35/0x70 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.517089] __netif_receive_skb_one_core+0x8c/0xa0
Sep 3 04:30:20 spitfire kernel: [ 324.517094] __netif_receive_skb+0x18/0x60
Sep 3 04:30:20 spitfire kernel: [ 324.517097] process_backlog+0xa9/0x160
Sep 3 04:30:20 spitfire kernel: [ 324.517102] __napi_poll+0x2e/0x140
Sep 3 04:30:20 spitfire kernel: [ 324.517106] net_rx_action+0x23f/0x290
Sep 3 04:30:20 spitfire kernel: [ 324.517111] __do_softirq+0xdd/0x29b
Sep 3 04:30:20 spitfire kernel: [ 324.517116] do_softirq+0x66/0x80
Sep 3 04:30:20 spitfire kernel: [ 324.517119] </IRQ>
Sep 3 04:30:20 spitfire kernel: [ 324.517120] netif_rx_ni+0x9b/0xa0
Sep 3 04:30:20 spitfire kernel: [ 324.517124] can_send+0x151/0x240 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.517127] bcm_sendmsg+0x466/0x554 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.517132] sock_sendmsg+0x65/0x70
Sep 3 04:30:20 spitfire kernel: [ 324.517136] ____sys_sendmsg+0x218/0x290
Sep 3 04:30:20 spitfire kernel: [ 324.517140] ? copy_msghdr_from_user+0x5c/0x90
Sep 3 04:30:20 spitfire kernel: [ 324.517144] ? do_set_pte+0xc8/0x140
Sep 3 04:30:20 spitfire kernel: [ 324.517148] ? __unlock_page_memcg+0x25/0x60
Sep 3 04:30:20 spitfire kernel: [ 324.517153] ___sys_sendmsg+0x81/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.517157] ? trigger_load_balance+0x15f/0x2f0
Sep 3 04:30:20 spitfire kernel: [ 324.517160] ? scheduler_tick+0xf8/0x260
Sep 3 04:30:20 spitfire kernel: [ 324.517163] ? rcu_advance_cbs+0x21/0x50
Sep 3 04:30:20 spitfire kernel: [ 324.517167] ? __note_gp_changes+0x133/0x140
Sep 3 04:30:20 spitfire kernel: [ 324.517171] ? __fget_files+0x56/0x80
Sep 3 04:30:20 spitfire kernel: [ 324.517175] ? __fget_light+0x62/0x80
Sep 3 04:30:20 spitfire kernel: [ 324.517178] __sys_sendmsg+0x62/0xb0
Sep 3 04:30:20 spitfire kernel: [ 324.517183] ? exit_to_user_mode_prepare+0x41/0x1d0
Sep 3 04:30:20 spitfire kernel: [ 324.517187] __x64_sys_sendmsg+0x1f/0x30
Sep 3 04:30:20 spitfire kernel: [ 324.517191] do_syscall_64+0x40/0xb0
Sep 3 04:30:20 spitfire kernel: [ 324.517195] entry_SYSCALL_64_after_hwframe+0x44/0xae
Sep 3 04:30:20 spitfire kernel: [ 324.517197] RIP: 0033:0x7f196e01f12d
Sep 3 04:30:20 spitfire kernel: [ 324.517199] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48
Sep 3 04:30:20 spitfire kernel: [ 324.517201] RSP: 002b:00007f196de13dc0 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
Sep 3 04:30:20 spitfire kernel: [ 324.517204] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f196e01f12d
Sep 3 04:30:20 spitfire kernel: [ 324.517206] RDX: 0000000000000000 RSI: 00007f196de13e60 RDI: 0000000000000003
Sep 3 04:30:20 spitfire kernel: [ 324.517207] RBP: 00007f196de13e60 R08: 0000000000000002 R09: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.517208] R10: 00007ffc669ab1b0 R11: 0000000000000246 R12: 0000000000000000
Sep 3 04:30:20 spitfire kernel: [ 324.517210] R13: 0000000000000048 R14: 000056437d62e065 R15: 0000000000000052
Sep 3 04:30:20 spitfire kernel: [ 324.517213] ---[ end trace 388c8dba4a6fb81d ]---
Sep 3 04:30:20 spitfire kernel: [ 324.517216] BUG: kernel NULL pointer dereference, address: 0000000000000008
Sep 3 04:30:20 spitfire kernel: [ 324.517266] #PF: supervisor read access in kernel mode
Sep 3 04:30:20 spitfire kernel: [ 324.517293] #PF: error_code(0x0000) - not-present page
Sep 3 04:30:20 spitfire kernel: [ 324.517319] PGD 11c6ea067 P4D 0
Sep 3 04:30:20 spitfire kernel: [ 324.517338] Oops: 0000 [#1] SMP NOPTI
Sep 3 04:30:20 spitfire kernel: [ 324.517360] CPU: 25 PID: 4602 Comm: can_bcm01 Tainted: G W 5.13.0-1011-oem #15-Ubuntu
Sep 3 04:30:20 spitfire kernel: [ 324.517406] Hardware name: Intel Corporation M50CYP2SB2U/M50CYP2SB2U, BIOS SE5C6200.86B.0021.D40.2101090208 01/09/2021
Sep 3 04:30:20 spitfire kernel: [ 324.517457] RIP: 0010:rb_insert_color+0x14/0x120
Sep 3 04:30:20 spitfire kernel: [ 324.517483] Code: c0 75 eb 4c 89 c0 c3 45 31 c0 eb f7 66 2e 0f 1f 84 00 00 00 00 00 48 8b 07 48 85 c0 0f 84 b0 00 00 00 48 8b 10 f6 c2 01 75 5b <48> 8b 4a 08 48 39 c1 74 53 48 85 c9 74 05 f6 01 01 74 72 48 8b 48

Test case: https://github.com/linux-test-project/ltp/blob/master/testcases/network/can/cve/can_bcm01.c

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.13.0-1011-oem 5.13.0-1011.15
ProcVersionSignature: User Name 5.13.0-1011.15-oem 5.13.1
Uname: Linux 5.13.0-1011-oem x86_64
ApportVersion: 2.20.11-0ubuntu27.18
Architecture: amd64
CasperMD5CheckResult: skip
Date: Fri Sep 3 04:28:35 2021
SourcePackage: linux-signed-oem-5.13
UpgradeStatus: No upgrade log present (probably fresh install)
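
A triage sketch for the log above, added here as an example and not part of the original report: it splits the kernel output into WARNING/BUG events and lists, per CPU, the call-trace frames that belong to a given module. The names `parse_events` and `module_frames` are made up for this example, and `SAMPLE_LOG` is trimmed from the log in this report.

```python
import re

# Lines trimmed from the kernel log in this report (syslog prefix kept).
SAMPLE_LOG = """\
Sep 3 04:30:20 spitfire kernel: [ 324.515863] WARNING: CPU: 7 PID: 4591 at lib/timerqueue.c:55 timerqueue_del+0x43/0x50
Sep 3 04:30:20 spitfire kernel: [ 324.515959] RIP: 0010:timerqueue_del+0x43/0x50
Sep 3 04:30:20 spitfire kernel: [ 324.515992] Call Trace:
Sep 3 04:30:20 spitfire kernel: [ 324.515997] __remove_hrtimer+0x3c/0x90
Sep 3 04:30:20 spitfire kernel: [ 324.516007] hrtimer_try_to_cancel+0xb7/0xf0
Sep 3 04:30:20 spitfire kernel: [ 324.516011] hrtimer_cancel+0x15/0x20
Sep 3 04:30:20 spitfire kernel: [ 324.516015] bcm_remove_op+0x17/0x70 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.516020] bcm_release+0x13c/0x250 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.516024] __sock_release+0x42/0xb0
Sep 3 04:30:20 spitfire kernel: [ 324.516085] RIP: 0033:0x7f196e01e3fb
Sep 3 04:30:20 spitfire kernel: [ 324.516103] ---[ end trace 388c8dba4a6fb81b ]---
Sep 3 04:30:20 spitfire kernel: [ 324.516485] WARNING: CPU: 25 PID: 4602 at arch/x86/include/asm/kfence.h:44 kfence_protect_page+0x33/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.516589] RIP: 0010:kfence_protect_page+0x33/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.516624] Call Trace:
Sep 3 04:30:20 spitfire kernel: [ 324.516626] <IRQ>
Sep 3 04:30:20 spitfire kernel: [ 324.516630] kfence_unprotect+0x17/0x30
Sep 3 04:30:20 spitfire kernel: [ 324.516671] RIP: 0010:rb_insert_color+0x14/0x120
Sep 3 04:30:20 spitfire kernel: [ 324.516697] ? timerqueue_add+0x6e/0xc0
Sep 3 04:30:20 spitfire kernel: [ 324.516702] enqueue_hrtimer+0x39/0x70
Sep 3 04:30:20 spitfire kernel: [ 324.516708] hrtimer_start_range_ns+0x196/0x2f0
Sep 3 04:30:20 spitfire kernel: [ 324.516714] bcm_rx_handler+0x112/0x160 [can_bcm]
Sep 3 04:30:20 spitfire kernel: [ 324.516721] can_rcv_filter+0x10d/0x1d0 [can]
Sep 3 04:30:20 spitfire kernel: [ 324.516899] ---[ end trace 388c8dba4a6fb81c ]---
Sep 3 04:30:20 spitfire kernel: [ 324.517216] BUG: kernel NULL pointer dereference, address: 0000000000000008
Sep 3 04:30:20 spitfire kernel: [ 324.517360] CPU: 25 PID: 4602 Comm: can_bcm01 Tainted: G W 5.13.0-1011-oem #15-Ubuntu
Sep 3 04:30:20 spitfire kernel: [ 324.517457] RIP: 0010:rb_insert_color+0x14/0x120
"""

PREFIX = re.compile(r"^.*?kernel: \[\s*(\d+\.\d+)\]\s?(.*)$")   # syslog + dmesg stamp
HEADER = re.compile(r"^(WARNING|BUG): (.*)$")                    # start of an event
CPU_PID = re.compile(r"CPU: (\d+) PID: (\d+)")
RIP = re.compile(r"^RIP: 0010:([\w.]+)\+")                       # kernel-mode RIP only
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$")


def parse_events(log):
    """Return one dict per WARNING/BUG with CPU, PID, faulting RIP and frames."""
    events, cur, in_trace = [], None, False
    for raw in log.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        ts, text = float(m.group(1)), m.group(2).strip()
        h = HEADER.match(text)
        if h:
            cur = {"time": ts, "kind": h.group(1), "what": h.group(2),
                   "cpu": None, "pid": None, "rip": None, "frames": []}
            events.append(cur)
            in_trace = False
        if cur is None:
            continue
        c, r = CPU_PID.search(text), RIP.match(text)
        if c and cur["cpu"] is None:
            cur["cpu"], cur["pid"] = int(c.group(1)), int(c.group(2))
        if r and cur["rip"] is None:
            cur["rip"] = r.group(1)          # first kernel RIP is the reporting site
        if text == "Call Trace:":
            in_trace = True
        elif text.startswith("---[ end trace"):
            cur, in_trace = None, False
        elif in_trace:
            f = FRAME.match(text)
            if f and not f.group(1):         # skip "? " frames (unreliable)
                cur["frames"].append((f.group(2), f.group(3)))
    return events


def module_frames(events, module):
    """(cpu, pid, [functions]) for every event whose trace enters `module`."""
    out = []
    for ev in events:
        funcs = [fn for fn, mod in ev["frames"] if mod == module]
        if funcs:
            out.append((ev["cpu"], ev["pid"], funcs))
    return out


if __name__ == "__main__":
    for cpu, pid, funcs in module_frames(parse_events(SAMPLE_LOG), "can_bcm"):
        print(f"CPU {cpu} PID {pid}: {' <- '.join(funcs)}")
```

On the sample this reports CPU 7 in `bcm_release`/`bcm_remove_op` (reached via `hrtimer_cancel`) and CPU 25 in `bcm_rx_handler` (reached via `hrtimer_start_range_ns`) within the same millisecond.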

Po-Hsu Lin (cypressyew) wrote :
tags: added: sru-20210816 ubuntu-ltp-stable
tags: added: 5.13
Po-Hsu Lin (cypressyew)
description: updated
Po-Hsu Lin (cypressyew) wrote :

I can reproduce this issue on 5.13.0-1010 by running this test case.

To run this test you will need to build LTP for it.

sudo apt install -y automake bison build-essential byacc flex git keyutils libacl1-dev libaio-dev libcap-dev libmm-dev libnuma-dev libsctp-dev libselinux1-dev libssl-dev libtirpc-dev pkg-config quota virt-what xfslibs-dev xfsprogs gcc
git clone -b sru git://kernel.ubuntu.com/ubuntu/ltp.git
cd ltp
make autotools
./configure
make
sudo make install
echo "can_bcm01 can_bcm01" > /tmp/target
sudo /opt/ltp/runltp -f /tmp/target

Po-Hsu Lin (cypressyew) wrote :

Test passed with 5.13.0-1012.16

Changed in linux-signed-oem-5.13 (Ubuntu Focal):
status: New → Fix Committed
Changed in linux-signed-oem-5.13 (Ubuntu):
status: New → Invalid
Po-Hsu Lin (cypressyew) wrote :

Found this on Intel 5.13 5.13.0-1004.4

Changed in linux-intel-5.13 (Ubuntu):
status: New → Invalid
Changed in linux-intel-5.13 (Ubuntu Focal):
status: New → Confirmed
Po-Hsu Lin (cypressyew) wrote :

Passed with F-intel-5.13.0-1007.7

Changed in linux-signed-oem-5.13 (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in linux-intel-5.13 (Ubuntu Focal):
status: Confirmed → Fix Released
Changed in ubuntu-kernel-tests:
status: New → Fix Released