use after free of BOS in usb_reset_and_verify_device
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | Fix Released | Medium | Unassigned | |
Trusty | Fix Released | Medium | Unassigned | |
Vivid | Fix Released | Medium | Unassigned | |
Wily | Fix Released | Medium | Unassigned | |

Bug Description
Should be fixed with upstream commit e5bdfd50d6f7607
With slub_debug enabled this manifests as a deref of 0x6b6b... in usb_disable_ltm
[ 218.235302] general protection fault: 0000 [#1] SMP
[ 218.235311] Modules linked in: usb_storage tcp_diag inet_diag iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables autofs4 rpcsec_gss_krb5 rfcomm bnep bluetooth snd_hda_codec_hdmi binfmt_misc nvidia(POX) snd_hda_
[ 218.235410] CPU: 15 PID: 243 Comm: khubd Tainted: P OX 3.13.0-85-generic #129-Ubuntu
[ 218.235414] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
[ 218.235418] task: ffff8807eff98000 ti: ffff8807effa0000 task.ti: ffff8807effa0000
[ 218.235421] RIP: 0010:[<
[ 218.235437] RSP: 0018:ffff8807ef
[ 218.235440] RAX: 0000000000000000 RBX: ffff8807ea532e68 RCX: 0000000000000000
[ 218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
[ 218.235446] RBP: ffff8807effa1d08 R08: 0000000000000000 R09: 0000000000000000
[ 218.235449] R10: ffff8807ff804240 R11: ffffffff8136d2a1 R12: 0000000000000000
[ 218.235451] R13: ffff8807ebddd480 R14: 0000000000000001 R15: 0000000000000012
[ 218.235455] FS: 000000000000000
[ 218.235458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 218.235461] CR2: 00000000013b1c08 CR3: 0000000001c0e000 CR4: 00000000000407e0
[ 218.235463] Stack:
[ 218.235465] ffffffff81551236 ffff8807ea532ef0 0000000000000000 ffff8807ea532e68
[ 218.235476] ffff8807ea532ef0 ffff8807ebddbf60 0000000000000000 ffff8807effa1d48
[ 218.235483] ffffffff81545c4d ffff8807ea532f50 ffff8807ebddb4d0 00000000000002a0
[ 218.235490] Call Trace:
[ 218.235499] [<ffffffff81551
[ 218.235506] [<ffffffff81545
[ 218.235511] [<ffffffff81548
[ 218.235518] [<ffffffff81543
[ 218.235523] [<ffffffff81549
[ 218.235528] [<ffffffff81549
[ 218.235535] [<ffffffff810ad
[ 218.235540] [<ffffffff81549
[ 218.235549] [<ffffffff8108d
[ 218.235554] [<ffffffff8108d
[ 218.235564] [<ffffffff8173c
[ 218.235570] [<ffffffff8108d
[ 218.235572] Code: e9 48 8b 52 10 48 85 d2 74 e0 f6 42 03 02 74 da 83 7f 1c 05 75 d4 48 8b 97 40 03 00 00 48 85 d2 74 c8 48 8b 52 10 48 85 d2 74 bf <f6> 42 03 02 74 b9 48 83 bf 50 03 00 00 00 74 af 55 45 31 c9 41
[ 218.235618] RIP [<ffffffff81544
[ 218.235624] RSP <ffff8807effa1cd0>
[ 218.235655] ---[ end trace 954cac763165b767 ]---
Without slub_debug you end up getting a double free and messing up the allocator and apparmor tends to be the first one to notice:
[ 574.027518] hub 4-0:1.0: Cannot enable port 3. Maybe the USB cable is bad?
[ 574.548076] usb 4-3: USB disconnect, device number 2
[ 576.040995] ------------[ cut here ]------------
[ 576.041003] WARNING: CPU: 17 PID: 11627 at /build/
[ 576.041005] Modules linked in: tcp_diag inet_diag xt_u32 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables xt_NFLOG xt_tcpudp xt_comment ipt_REJECT xt_multiport xt_connmark xt_conntrack xt_mark iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables pci_stub vboxpci(OX) vboxnetadp(OX) vboxnetflt(OX) vboxdrv(OX) nfnetlink_log nfnetlink autofs4 rfcomm bnep bluetooth binfmt_misc honeevent(OX) rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc fscache snd_hda_codec_hdmi snd_hda_
[ 576.041068] CPU: 17 PID: 11627 Comm: at-spi-bus-laun Tainted: P OX 3.13.0-83-generic #127-Ubuntu
[ 576.041070] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
[ 576.041071] 0000000000000009 ffff880efd08fcf0 ffffffff81725992 0000000000000000
[ 576.041076] ffff880efd08fd28 ffffffff8106790d ffff8807ff810430 ffff880035d22a00
[ 576.041079] ffff880f63216000 ffff880efd08ff2c 00000000ffffff9c ffff880efd08fd38
[ 576.041082] Call Trace:
[ 576.041088] [<ffffffff81725
[ 576.041091] [<ffffffff81067
[ 576.041094] [<ffffffff81067
[ 576.041096] [<ffffffff81316
[ 576.041100] [<ffffffff812d9
[ 576.041105] [<ffffffff811c0
[ 576.041108] [<ffffffff811ce
[ 576.041111] [<ffffffff811cd
[ 576.041114] [<ffffffff811cf
[ 576.041116] [<ffffffff811c8
[ 576.041120] [<ffffffff810fe
[ 576.041123] [<ffffffff811dc
[ 576.041126] [<ffffffff811bd
[ 576.041128] [<ffffffff811bd
[ 576.041131] [<ffffffff81736
[ 576.041133] ---[ end trace 5de8dc1cac0eb1c6 ]---
[ 576.041171] BUG: unable to handle kernel paging request at 000000000000472e
[ 576.041174] IP: [<ffffffff811a3
[ 576.041177] PGD 0
[ 576.041179] Oops: 0000 [#1] SMP
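A triage helper for the symptom described above, as an added example that is not part of the original report or of the kernel: it scans an oops for register values made of SLUB poison bytes (0x6b is POISON_FREE in include/linux/poison.h). The function names are hypothetical, and the sample is a few lines excerpted from the first trace above.

```python
import re

# SLUB debug poison bytes, from include/linux/poison.h
POISON = {
    0x6B: "POISON_FREE: object already freed (use-after-free)",
    0x5A: "POISON_INUSE: object allocated but not initialised",
}
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix
REG_RE = re.compile(r"\b(R[A-Z0-9]{1,2}|CR2):\s*([0-9a-f]{16})\b")
FAULT_RE = re.compile(r"general protection fault|BUG: unable to handle")


def poison_kind(value):
    """Label a 64-bit value whose top six bytes are one repeated poison byte.

    Only the top bytes are compared so that a pointer read from poisoned
    memory still matches after a small field offset has been added to it.
    """
    top = value.to_bytes(8, "big")[:6]
    return POISON.get(top[0]) if len(set(top)) == 1 else None


def triage(log):
    """Return (first fault line, [(register, hex value, label), ...])."""
    fault, hits = None, []
    for raw in log.splitlines():
        line = TS_RE.sub("", raw.strip())
        if fault is None and FAULT_RE.match(line):
            fault = line
        for reg, hexval in REG_RE.findall(line):
            label = poison_kind(int(hexval, 16))
            if label:
                hits.append((reg, hexval, label))
    return fault, hits


# Lines excerpted from the first oops in the report above.
SAMPLE = """\
[ 218.235302] general protection fault: 0000 [#1] SMP
[ 218.235440] RAX: 0000000000000000 RBX: ffff8807ea532e68 RCX: 0000000000000000
[ 218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
[ 218.235461] CR2: 00000000013b1c08 CR3: 0000000001c0e000 CR4: 00000000000407e0
"""

if __name__ == "__main__":
    fault, hits = triage(SAMPLE)
    print(fault)
    for reg, hexval, label in hits:
        print(f"{reg}={hexval} -> {label}")
```

On x86-64 a pointer of 0x6b6b6b6b6b6b6b6b is non-canonical, which is why dereferencing it shows up as a general protection fault rather than a page fault.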
tags: added: kernel-da.key
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Triaged
Changed in linux (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: Triaged → In Progress
Changed in linux (Ubuntu Trusty):
status: Triaged → In Progress
Changed in linux (Ubuntu Vivid):
status: New → In Progress
Changed in linux (Ubuntu Wily):
status: New → In Progress
Changed in linux (Ubuntu Vivid):
importance: Undecided → Medium
Changed in linux (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux (Ubuntu):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Trusty):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Vivid):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Wily):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Vivid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Wily):
status: In Progress → Fix Committed
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1582864
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.