dwc_otg: memory allocation/error handling bugfixes #223


Merged: 2 commits, Feb 16, 2013

Conversation

@P33M (Contributor) commented Feb 15, 2013

Bugs found during the hunt for #217 - triggering OOPSes in error cases.

P33M added 2 commits February 15, 2013 22:36
In dwc_otg_hcd_urb_enqueue during qtd creation, it was possible that the
transaction could complete almost immediately after the qtd was assigned
to a host channel during URB enqueue, which meant the qtd pointer was no
longer valid having been completed and removed. Usually, this resulted in
an OOPS during URB submission. By predetermining whether transactions
need to be queued or not, this unsafe pointer access is avoided.

This bug was only evident on the Pi model A where a device was attached
that had no periodic endpoints (e.g. USB pendrive or some wlan devices).

If the memory allocation for a dwc_otg_urb failed, the kernel would OOPS
because for some reason a member of the *unallocated* struct was set to
zero. Error handling changed to fail correctly.
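The two commit messages above describe a use-after-free on the qtd pointer (read after the host-channel handoff, by which time a fast completion may already have freed it) and a write through an unallocated dwc_otg_urb on allocation failure. The C model below is an added example, not code from this pull request or from the dwc_otg driver: it reproduces both shapes against a hypothetical pool allocator. The host-channel handoff can "complete" and free the qtd before returning (the model A case from the commit), and a knob forces allocation failure. All names here (qtd_create, host_channel_assign, urb_enqueue_racy/urb_enqueue_fixed, dwc_urb_alloc_buggy/dwc_urb_alloc_fixed, the struct layouts) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the driver's qtd and urb structures; hypothetical,
 * not the real dwc_otg definitions. A qtd describes one queued transfer. */
#define QTD_POOL   4
#define QTD_POISON 0x6b  /* mimics the slab allocator's freed-object poison byte */

struct qtd {
    unsigned char in_use;
    unsigned char periodic;  /* 1 for interrupt/isochronous, 0 for bulk/control */
    int channel;             /* host channel index, -1 until assigned */
};
struct dwc_urb { void *priv; size_t length; };

static struct qtd qtd_pool[QTD_POOL];
int force_alloc_failure;  /* test knob: every allocation returns NULL */
int fast_completion;      /* test knob: the transfer completes inside the handoff */

/* Allocate a qtd from the pool (the driver uses DWC_ALLOC_ATOMIC here). */
struct qtd *qtd_create(int periodic)
{
    if (force_alloc_failure)
        return NULL;
    for (int i = 0; i < QTD_POOL; i++) {
        if (qtd_pool[i].in_use)
            continue;
        qtd_pool[i].in_use = 1;
        qtd_pool[i].periodic = (unsigned char)periodic;
        qtd_pool[i].channel = -1;
        return &qtd_pool[i];
    }
    return NULL;
}

/* Completion path: the qtd is removed and its memory poisoned, as the slab
 * allocator would do, so a stale read yields garbage instead of a crash. */
void qtd_complete_and_free(struct qtd *q)
{
    memset(q, QTD_POISON, sizeof *q);
    q->in_use = 0;
}

/* Only periodic transfers need to be placed on the periodic schedule. */
int qtd_needs_queue(const struct qtd *q) { return q->periodic != 0; }

/* Hand the qtd to a host channel. With fast_completion set, the completion
 * interrupt fires before this returns, which is what happened on the model A. */
void host_channel_assign(struct qtd *q)
{
    q->channel = 0;
    if (fast_completion)
        qtd_complete_and_free(q);
}

/* Before the fix: the qtd is read after the handoff, so when the transaction
 * has already completed the pointer refers to freed memory. */
int urb_enqueue_racy(int periodic, int *queued)
{
    struct qtd *q = qtd_create(periodic);
    if (!q)
        return -ENOMEM;
    host_channel_assign(q);
    *queued = qtd_needs_queue(q);  /* use-after-free when completion was immediate */
    return 0;
}

/* After the fix: decide before the handoff; the qtd is never touched afterwards. */
int urb_enqueue_fixed(int periodic, int *queued)
{
    struct qtd *q = qtd_create(periodic);
    if (!q)
        return -ENOMEM;
    int queue_it = qtd_needs_queue(q);
    host_channel_assign(q);
    *queued = queue_it;
    return 0;
}

/* Second bug, before the fix: the failure branch writes through the NULL
 * pointer it has just detected. Shown for contrast only; never called. */
int dwc_urb_alloc_buggy(struct dwc_urb **out, size_t len)
{
    struct dwc_urb *u = force_alloc_failure ? NULL : calloc(1, sizeof *u);
    if (!u) { u->priv = NULL; return -ENOMEM; }  /* NULL dereference: the OOPS */
    u->length = len; *out = u;
    return 0;
}

/* After the fix: report the failure without touching the missing object. */
int dwc_urb_alloc_fixed(struct dwc_urb **out, size_t len)
{
    struct dwc_urb *u = force_alloc_failure ? NULL : calloc(1, sizeof *u);
    if (!u) { *out = NULL; return -ENOMEM; }
    u->length = len; *out = u;
    return 0;
}
```

The poison byte stands in for slab poisoning: with fast_completion set, urb_enqueue_racy decides to queue a bulk transfer because it reads 0x6b from the freed qtd, while urb_enqueue_fixed reads the flag before the handoff and decides correctly. On real hardware the freed slot can be reused by another allocation, which is why the original symptom was an OOPS rather than a quietly wrong decision.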
@popcornmix (Collaborator) commented
Looks good. I'll test tomorrow.

@P33M (Contributor, Author) commented Feb 16, 2013

Note that these are incidental fixes that I found causing MORE oopses during testing. You can tickle the associated bugs by either using a model A and letting a bandwidth-intensive device run for a while or using multiple USB devices at once on a model B.

popcornmix added a commit that referenced this pull request Feb 16, 2013
dwc_otg: memory allocation/error handling bugfixes
@popcornmix merged commit 95009db into raspberrypi:rpi-3.6.y Feb 16, 2013
@popcornmix (Collaborator) commented

Okay. The changes look good, and I've had no problems running with it today. I'll push out a new firmware and see what happens.
Thanks for the debugging.

@popcornmix (Collaborator) commented

Firmware pushed.

@zhanghua1984 commented Mar 4, 2017

Disconnecting wlan devices or resetting the PC connected to the Pi will give some info:

tpcast login: [ 1937.858536] Unable to handle kernel paging request at virtual address 3c2cd003
[ 1937.868417] pgd = b6bec000
[ 1937.872415] [3c2cd003] *pgd=00000000
[ 1937.877280] Internal error: Oops: 5 [#1] SMP ARM
[ 1937.883188] Modules linked in: tpusb(O) 8192du(O) cfg80211 rfkill uvcvideo evdev videobuf2_vmalloc snd_usb_audio videobuf2_memops snd_hwdep snd_usbmidi_lib videobuf2_v4l2 videobuf2_core snd_rawmidi snd_seq_device v4l2_common videodev media snd_bcm2835 snd_pcm snd_timer snd bcm2835_gpiomem bcm2835_wdt uio_pdrv_genirq uio ipv6
[ 1937.919314] CPU: 2 PID: 18903 Comm: tpusbd Tainted: G           O    4.4.19-v7+ #4
[ 1937.929906] Hardware name: BCM2709
[ 1937.934809] task: b84285c0 ti: b4802000 task.ti: b4802000
[ 1937.941772] PC is at __kmalloc+0x90/0x238
[ 1937.947311] LR is at __kmalloc+0x30/0x238
[ 1937.952785] pc : [<80148508>]    lr : [<801484a8>]    psr: 20000093
[ 1937.952785] sp : b4803c08  ip : b4803c08  fp : b4803c44
[ 1937.967270] r10: b85ded80  r9 : b9132838  r8 : 80448dec
[ 1937.973995] r7 : 02088020  r6 : 0000002c  r5 : b9801f00  r4 : 3c2cd003
[ 1937.982057] r3 : 00000000  r2 : b4803c08  r1 : 80861860  r0 : 39722000
[ 1937.990123] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
[ 1938.000366] Control: 10c5383d  Table: 36bec06a  DAC: 00000055
[ 1938.007727] Process tpusbd (pid: 18903, stack limit = 0xb4802210)
[ 1938.015427] Stack: (0xb4803c08 to 0xb4804000)
[ 1938.021323] 3c00:                   b4803c34 801484a8 00000038 001a2c58 b4803c64 b905e800
[ 1938.032679] 3c20: b6ab7440 b9132850 b6ab7440 b9b94200 b9132838 b85ded80 b4803c54 b4803c48
[ 1938.044150] 3c40: 80448dec 80148484 b4803c6c b4803c58 80443430 80448dd4 b905e800 00000001
[ 1938.055623] 3c60: b4803c9c b4803c70 8043c8a8 80443410 b4803cc4 8040ff68 b4803c9c 00000000
[ 1938.067093] 3c80: b6ab7980 b6ab7440 b905e800 b9b94200 b4803cf4 b4803ca0 8043e614 8043c85c
[ 1938.078600] 3ca0: 00000402 b6ab7980 f6ab7980 00000001 00000000 8001cd00 00000000 b9132850
[ 1938.090233] 3cc0: ba7b23c4 60000013 b920c480 b85ded80 b9b94200 b85ded88 00000000 024000c0
[ 1938.102018] 3ce0: 00000002 00000001 b4803dac b4803cf8 80411ec0 8043e45c b6b9e000 b6b9e260
[ 1938.113942] 3d00: b4803d4c b4803d10 80515844 80515504 b920c480 00000200 b4803d64 80534d38
[ 1938.126002] 3d20: b6b9e000 b6b9e000 b920c480 00000000 00000000 00007680 00007620 00000000
[ 1938.138176] 3d40: b4803d94 b4803d50 8052d96c 80515710 00000000 00000000 00000000 00000000
[ 1938.150387] 3d60: 00000000 00000000 0000fb00 00000200 00000060 00000200 00000060 804bc750
[ 1938.162679] 3d80: b6b9e000 b85ded80 024000c0 00000000 00000200 b9132800 00000002 00000001
[ 1938.175035] 3da0: b4803df4 b4803db0 804139ec 80411e04 80148600 b85de590 20000013 20000013
[ 1938.187409] 3dc0: b85de594 00000000 b85de580 809817c8 b85de594 b85de590 b85de580 b9132838
[ 1938.199785] 3de0: b6ab7000 00000001 b4803e8c b4803df8 8041ec7c 804136fc 00000001 71bfe9a8
[ 1938.212160] 3e00: b6b9e408 b4803df0 00000000 b4803e94 00000000 00000000 00000000 00000000
[ 1938.224535] 3e20: 00000000 00000001 b6ab7980 00000402 b4803e58 00008002 00000000 00000000
[ 1938.236912] 3e40: 72d068d8 00000402 00000000 00000000 00000000 00000000 00000000 0000001f
[ 1938.249289] 3e60: 00000000 b9132868 b913289c 802c550a 802c550a b9132800 b85de580 b9337288
[ 1938.261669] 3e80: b4803f0c b4803e90 8041f5a4 8041e320 00000001 00000000 00000000 00000000
[ 1938.274047] 3ea0: 00000000 00000000 b4803ef4 00000000 72d03460 00000000 00000000 b4803f08
[ 1938.286427] 3ec0: b68d8f00 b4803f80 00000000 00000000 b4803f4c b4803ee0 80157350 804b7240
[ 1938.298806] 3ee0: 00000058 b9337288 72d03460 b86e5240 802c550a 00000035 b4802000 00000000
[ 1938.311185] 3f00: b4803f1c b4803f10 804208f8 8041f09c b4803f7c b4803f20 80169798 804208ec
[ 1938.323564] 3f20: 00000000 00000058 b68d8f00 00000000 b70444a0 801747e0 b931e100 72d068d0
[ 1938.335944] 3f40: 72d03460 001b6d2c 802c550a 00000035 b4803f6c b4803f60 b86e5241 72d03460
[ 1938.348324] 3f60: b86e5240 802c550a 00000035 b4802000 b4803fa4 b4803f80 801699cc 80169380
[ 1938.360704] 3f80: 802c550a 72d068d0 00000003 001b6d2c 00000036 8000fd08 00000000 b4803fa8
[ 1938.373086] 3fa0: 8000fb40 80169994 72d068d0 00000003 00000035 802c550a 72d03460 802c550a
[ 1938.385466] 3fc0: 72d068d0 00000003 001b6d2c 00000036 00000402 00000409 001b6ccc 71bfe424
[ 1938.397845] 3fe0: 002c6838 71bfe404 0014ecf8 76c2cf2c 60000010 00000035 00000000 00000000
[ 1938.410234] [<80148508>] (__kmalloc) from [<80448dec>] (__DWC_ALLOC_ATOMIC+0x24/0x28)
[ 1938.422269] [<80448dec>] (__DWC_ALLOC_ATOMIC) from [<80443430>] (dwc_otg_hcd_qtd_create+0x2c/0x60)
[ 1938.435469] [<80443430>] (dwc_otg_hcd_qtd_create) from [<8043c8a8>] (dwc_otg_hcd_urb_enqueue+0x58/0x204)
[ 1938.449210] [<8043c8a8>] (dwc_otg_hcd_urb_enqueue) from [<8043e614>] (dwc_otg_urb_enqueue+0x1c4/0x354)
[ 1938.462780] [<8043e614>] (dwc_otg_urb_enqueue) from [<80411ec0>] (usb_hcd_submit_urb+0xc8/0x904)
[ 1938.475820] [<80411ec0>] (usb_hcd_submit_urb) from [<804139ec>] (usb_submit_urb+0x2fc/0x4b8)
[ 1938.488510] [<804139ec>] (usb_submit_urb) from [<8041ec7c>] (proc_submiturb+0x968/0xd7c)
[ 1938.500849] [<8041ec7c>] (proc_submiturb) from [<8041f5a4>] (usbdev_do_ioctl+0x514/0x1850)
[ 1938.513377] [<8041f5a4>] (usbdev_do_ioctl) from [<804208f8>] (usbdev_ioctl+0x18/0x1c)
[ 1938.525465] [<804208f8>] (usbdev_ioctl) from [<80169798>] (do_vfs_ioctl+0x424/0x614)
[ 1938.537472] [<80169798>] (do_vfs_ioctl) from [<801699cc>] (SyS_ioctl+0x44/0x6c)
[ 1938.549040] [<801699cc>] (SyS_ioctl) from [<8000fb40>] (ret_fast_syscall+0x0/0x1c)
[ 1938.560881] Code: e7904001 e3540000 0a00005b e5953014 (e7949003)
[ 1952.383021] Unable to handle kernel paging request at virtual address 3c2cd003
[ 1952.394511] pgd = b8498000
[ 1952.399261] [3c2cd003] *pgd=00000000
[ 1952.404855] Internal error: Oops: 5 [#2] SMP ARM
[ 1952.411465] Modules linked in: tpusb(O) 8192du(O) cfg80211 rfkill uvcvideo evdev videobuf2_vmalloc snd_usb_audio videobuf2_memops snd_hwdep snd_usbmidi_lib videobuf2_v4l2 videobuf2_core snd_rawmidi snd_seq_device v4l2_common videodev media snd_bcm2835 snd_pcm snd_timer snd bcm2835_gpiomem bcm2835_wdt uio_pdrv_genirq uio ipv6
[ 1952.450524] CPU: 2 PID: 764 Comm: ntpd Tainted: G           O    4.4.19-v7+ #4
[ 1952.461606] Hardware name: BCM2709
[ 1952.466878] task: b6bb33c0 ti: b856e000 task.ti: b856e000
[ 1952.474180] PC is at kmem_cache_alloc_trace+0x7c/0x1f0
[ 1952.481176] LR is at kmem_cache_alloc_trace+0x174/0x1f0
[ 1952.488199] pc : [<8014872c>]    lr : [<80148824>]    psr: 20000013
[ 1952.488199] sp : b856fe80  ip : b856fe80  fp : b856febc
[ 1952.503231] r10: 00000000  r9 : 808b9080  r8 : 00000040
[ 1952.510160] r7 : 804b87c8  r6 : 024000c0  r5 : b9801f00  r4 : 3c2cd003
[ 1952.518396] r3 : 00000000  r2 : b856fe80  r1 : 80861860  r0 : 39722000
[ 1952.526594] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[ 1952.535405] Control: 10c5383d  Table: 3849806a  DAC: 00000055
[ 1952.542779] Process ntpd (pid: 764, stack limit = 0xb856e210)
[ 1952.550140] Stack: (0xb856fe80 to 0xb8570000)
[ 1952.556061] fe80: 80148ab4 805b6224 00002000 001a2c58 00000000 b7045800 80863d18 0008e590
[ 1952.567381] fea0: 00000119 00000000 808b9080 00000000 b856fedc b856fec0 804b87c8 801486bc
[ 1952.578890] fec0: 804b8778 00000002 b983fc00 0008e590 b856fef4 b856fee0 80171198 804b8784
[ 1952.590452] fee0: 00000002 00000002 b856ff0c b856fef8 80173348 80171178 b98a1490 00000002
[ 1952.602009] ff00: b856ff24 b856ff10 804b7e70 8017333c 00000000 00000002 b856ff54 b856ff28
[ 1952.613573] ff20: 804b8124 804b7e54 00000000 00000002 00000002 0008e590 00000119 8000fd08
[ 1952.625223] ff40: b856e000 00000000 b856ff74 b856ff58 804b82c8 804b80ec b856ff84 00000000
[ 1952.636998] ff60: 8000fd08 00000000 b856ffa4 b856ff78 804b9160 804b8280 00091704 0008e590
[ 1952.648946] ff80: 00000119 60000010 00091704 00091704 0008e590 00000119 00000000 b856ffa8
[ 1952.661003] ffa0: 8000fb40 804b9130 00091704 00091704 00000002 00000002 00000000 b9913300
[ 1952.673197] ffc0: 00091704 00091704 0008e590 00000119 00000000 00000000 00000000 0008a380
[ 1952.685450] ffe0: 0008919c 7eaa66b4 0001b8b8 76cfc7cc 60000010 00000002 00000000 00000000
[ 1952.697798] [<8014872c>] (kmem_cache_alloc_trace) from [<804b87c8>] (sock_alloc_inode+0x50/0xb8)
[ 1952.710816] [<804b87c8>] (sock_alloc_inode) from [<80171198>] (alloc_inode+0x2c/0xb4)
[ 1952.722854] [<80171198>] (alloc_inode) from [<80173348>] (new_inode_pseudo+0x18/0x5c)
[ 1952.734897] [<80173348>] (new_inode_pseudo) from [<804b7e70>] (sock_alloc+0x28/0xc0)
[ 1952.746858] [<804b7e70>] (sock_alloc) from [<804b8124>] (__sock_create+0x44/0x194)
[ 1952.758650] [<804b8124>] (__sock_create) from [<804b82c8>] (sock_create+0x54/0x5c)
[ 1952.770446] [<804b82c8>] (sock_create) from [<804b9160>] (SyS_socket+0x3c/0xd0)
[ 1952.781989] [<804b9160>] (SyS_socket) from [<8000fb40>] (ret_fast_syscall+0x0/0x1c)
[ 1952.793892] Code: e7904001 e3540000 0a00004c e5953014 (e7949003)
[ 1952.802169] ---[ end trace 7994b3b97e30e5fb ]---

No idea; test your commit, thanks all.

popcornmix pushed a commit that referenced this pull request Nov 29, 2022
This error was reported while fuzzing:

BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0xd35/0x1190
Write of size 4043 at addr ffff888008724eb1 by task kworker/1:1/24

CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 6.1.0-rc5-00002-g1adf73218daa-dirty #223
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Workqueue: events p9_read_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x4c/0x64
 print_report+0x178/0x4b0
 kasan_report+0xae/0x130
 kasan_check_range+0x179/0x1e0
 memcpy+0x38/0x60
 _copy_to_iter+0xd35/0x1190
 copy_page_to_iter+0x1d5/0xb00
 pipe_read+0x3a1/0xd90
 __kernel_read+0x2a5/0x760
 kernel_read+0x47/0x60
 p9_read_work+0x463/0x780
 process_one_work+0x91d/0x1300
 worker_thread+0x8c/0x1210
 kthread+0x280/0x330
 ret_from_fork+0x22/0x30
 </TASK>

Allocated by task 457:
 kasan_save_stack+0x1c/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x7e/0x90
 __kmalloc+0x59/0x140
 p9_fcall_init.isra.11+0x5d/0x1c0
 p9_tag_alloc+0x251/0x550
 p9_client_prepare_req+0x162/0x350
 p9_client_rpc+0x18d/0xa90
 p9_client_create+0x670/0x14e0
 v9fs_session_init+0x1fd/0x14f0
 v9fs_mount+0xd7/0xaf0
 legacy_get_tree+0xf3/0x1f0
 vfs_get_tree+0x86/0x2c0
 path_mount+0x885/0x1940
 do_mount+0xec/0x100
 __x64_sys_mount+0x1a0/0x1e0
 do_syscall_64+0x3a/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

This BUG pops up when trying to reproduce
https://syzkaller.appspot.com/bug?id=6c7cd46c7bdd0e86f95d26ec3153208ad186f9fa
The callstack is different but the issue is valid and reproducible with
the same reproducer in the link.

The root cause of this issue is that we check the size of the message
received against the msize of the client in p9_read_work. However, it
turns out that capacity is no longer consistent with msize. Thus,
the message size should be checked against sdata capacity.

As the msize is non-consistent with the capacity of the tag and as we
are now checking message size against capacity directly, there is no
point checking message size against msize. So remove it.

Link: https://lkml.kernel.org/r/[email protected]
Link: https://lkml.kernel.org/r/[email protected]
Reported-by: [email protected]
Fixes: 60ece08 ("net/9p: allocate appropriate reduced message buffers")
Signed-off-by: GUO Zihua <[email protected]>
Reviewed-by: Christian Schoenebeck <[email protected]>
[Dominique: squash patches 1 & 2 and fix size including header part]
Signed-off-by: Dominique Martinet <[email protected]>
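The commit message above explains why a receive-size check against the negotiated msize no longer protects the copy once the buffer has been allocated smaller than msize. The following C model is an added example, not code from the 9p commit or from net/9p: it contrasts a receive routine that bounds the declared message size by msize with one that bounds it by the buffer's actual capacity. The struct fcall_buf, the function names and the whole-message-in-one-buffer simplification are assumptions for illustration; the 7-byte header (size[4] type[1] tag[2]) and the size field counting the header are standard 9p framing.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model of a 9p receive buffer; not net/9p's real
 * p9_fcall. sdata holds `capacity` bytes, which after the reduced-buffer
 * change can be smaller than the negotiated msize. */
struct fcall_buf {
    size_t capacity;
    uint8_t *sdata;
};

#define P9_HDRSZ 7  /* size[4] type[1] tag[2]; the size field counts the header too */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Before the fix: the declared size is checked against msize only, so a
 * message that fits msize but not the buffer overruns sdata (the KASAN report). */
int p9_recv_msize_only(const uint8_t *wire, size_t wire_len, uint32_t msize,
                       struct fcall_buf *rc)
{
    if (wire_len < 4)
        return -EINVAL;
    uint32_t size = le32(wire);
    if (size < P9_HDRSZ || size > msize || size > wire_len)
        return -EIO;
    memcpy(rc->sdata, wire, size);  /* slab-out-of-bounds when size > rc->capacity */
    return (int)size;
}

/* After the fix: the bound is the buffer's own capacity, which is the only
 * limit that actually protects the copy. */
int p9_recv_capacity(const uint8_t *wire, size_t wire_len, struct fcall_buf *rc)
{
    if (wire_len < 4)
        return -EINVAL;
    uint32_t size = le32(wire);
    if (size < P9_HDRSZ || size > rc->capacity || size > wire_len)
        return -EIO;
    memcpy(rc->sdata, wire, size);
    return (int)size;
}
```

With a 16-byte buffer and a server-declared size of 32, p9_recv_msize_only would accept the message whenever msize is 32 or more and write past the end of sdata; p9_recv_capacity rejects it with -EIO regardless of msize, which is the point of the fix.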
popcornmix pushed a commit that referenced this pull request Feb 6, 2023
In kexec_extra_fdt_size_ppc64() there's logic to estimate how much
extra space will be needed in the device tree for some memory related
properties.

That logic uses the size of RAM divided by drmem_lmb_size() to do the
estimation. However drmem_lmb_size() can be zero if the machine has no
hotpluggable memory configured, which is the case when booting with qemu
and no maxmem=x parameter is passed (the default).

The division by zero is reported by UBSAN, and can also lead to an
overflow and a warning from kvmalloc, and kdump kernel loading fails:

  WARNING: CPU: 0 PID: 133 at mm/util.c:596 kvmalloc_node+0x15c/0x160
  Modules linked in:
  CPU: 0 PID: 133 Comm: kexec Not tainted 6.2.0-rc5-03455-g07358bd97810 #223
  Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1200 0xf000005 of:SLOF,git-dd0dca pSeries
  NIP:  c00000000041ff4c LR: c00000000041fe58 CTR: 0000000000000000
  REGS: c0000000096ef750 TRAP: 0700   Not tainted  (6.2.0-rc5-03455-g07358bd97810)
  MSR:  800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24248242  XER: 2004011e
  CFAR: c00000000041fed0 IRQMASK: 0
  ...
  NIP kvmalloc_node+0x15c/0x160
  LR  kvmalloc_node+0x68/0x160
  Call Trace:
    kvmalloc_node+0x68/0x160 (unreliable)
    of_kexec_alloc_and_setup_fdt+0xb8/0x7d0
    elf64_load+0x25c/0x4a0
    kexec_image_load_default+0x58/0x80
    sys_kexec_file_load+0x5c0/0x920
    system_call_exception+0x128/0x330
    system_call_vectored_common+0x15c/0x2ec

To fix it, skip the calculation if drmem_lmb_size() is zero.

Fixes: 2377c92 ("powerpc/kexec_file: fix FDT size estimation for kdump kernel")
Cc: [email protected] # v5.12+
Signed-off-by: Michael Ellerman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]