Hi there,

I've been trying to track down some memory corruption in my driver for
the HVR-950q related to dequeueing of ISOC URBs when shutting down the
stream.  I enabled SLUB poisoning, and I'm seeing a use-after-free
condition in the EHCI driver.  See below.

Based on my read of the stack, it looks like the IRQ handler comes
along and tries to access the URB eba088f0 *after* I've already killed
it.  In fact, I can see that the usb_kill_urb() call for that URB has
returned, since it's already moved onto killing the next URB in the
list when the crash occurs.  My assumption would have to be that the
URB wasn't properly removed from the ISOC schedule.

Now I'm on 3.12-rc7, which I know is a bit old, and even my typical
response to complaining users is "upgrade to the latest and see if
it's already fixed".  That said, really all I'm asking at this point
is if anybody recalls having hit this before and fixed it in some
later revision.  For reasons I cannot really get into right now,
upgrading to the latest kernel isn't practical, but if I know for sure
it's something fixed in some later release then I can look at
backporting the fix.

Thanks in advance,

Devin

[  540.930055] au0828/0: au0828_dvb_stop_feed(), start_count: 124,
stop_count: 124
[  540.930062] au0828/0: stop_urb_transfer()
[  540.930069] au0828/0: killing urb eba08340
[  540.933270] au0828/0: killing urb eba088f0
[  540.933293] au0828/0: killing urb f431ca90
[  540.936242] BUG: unable to handle kernel paging request at 6b6b6b6f
[  540.936445] IP: [<c149bc1e>] usb_hcd_unlink_urb_from_ep+0x1e/0x40
[  540.936614] *pdpt = 000000002f1e8001 *pde = 0000000000000000
[  540.936770] Oops: 0002 [#1] SMP
[  540.936866] Modules linked in: cuse nfsd(F) auth_rpcgss(F)
nfs_acl(F) nfs(F) lockd(F) sunrpc(F) fscache(F) snd_usb_audio
snd_usbmidi_lib au8522_dig(OF) btusb bluetooth joydev(F) hid_generic
xc5000(OF) tuner(OF) au8522_decoder(OF) au8522_common(OF) kvm_amd(F)
kvm(F) microcode(F) snd_hda_codec_realtek snd_hda_codec_hdmi
sp5100_tco k10temp arc4(F) iwldvm au0828(OF) tveeprom(OF)
videobuf_vmalloc(OF) videobuf_core(OF) v4l2_common(OF) mac80211
dvb_core(OF) videodev(OF) media(OF) iwlwifi usbhid hid snd_hda_intel
snd_hda_codec snd_hwdep(F) cfg80211 snd_seq_midi(F)
snd_seq_midi_event(F) snd_pcm(F) snd_rawmidi(F) i2c_piix4
snd_page_alloc(F) ohci_pci radeon snd_seq(F) snd_seq_device(F) ttm
snd_timer(F) drm_kms_helper drm snd(F) i2c_algo_bit mac_hid
soundcore(F) lp(F) parport(F) r8169 ahci(F) libahci(F) mii(F)
[  540.939014]
[  540.939033] CPU: 0 PID: 0 Comm: swapper/0 Tainted: GF          O
3.12.0-031200rc7-generic #201310271935
[  540.939256] Hardware name: To be filled by O.E.M. To be filled by
O.E.M./Inagua CRB, BIOS 4.6.5 02/12/2014
[  540.939487] task: c1910980 ti: f7008000 task.ti: c1904000
[  540.939621] EIP: 0060:[<c149bc1e>] EFLAGS: 00210046 CPU: 0
[  540.939758] EIP is at usb_hcd_unlink_urb_from_ep+0x1e/0x40
[  540.939894] EAX: eba08904 EBX: eba088f0 ECX: 6b6b6b6b EDX: 6b6b6b6b
[  540.940046] ESI: eba088f0 EDI: f6831860 EBP: f7009e50 ESP: f7009e4c
[  540.940197]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  540.940329] CR0: 8005003b CR2: 6b6b6b6f CR3: 2ba72000 CR4: 000007f0
[  540.940480] Stack:
[  540.940534]  f6831a64 f7009e68 c14ae94a ffffff8d eb96c8a0 eb96c39c
ef9d1d90 f7009ecc
[  540.940773]  c14af863 2b96c5a0 00000000 00200082 000f4240 00000007
f68319e0 f7009ea0
[  540.941010]  c1075a26 000f4240 03010000 f685d960 eb96c8a0 ef9d1da0
00000001 f68319a8
[  540.941247] Call Trace:
[  540.941322]  [<c14ae94a>] ehci_urb_done+0x4a/0x90
[  540.941443]  [<c14af863>] qh_completions+0x203/0x580
[  540.941573]  [<c1075a26>] ? hrtimer_start_range_ns+0x26/0x30
[  540.941720]  [<c14b0738>] end_unlink_async+0x108/0x1f0
[  540.941852]  [<c14b3141>] ehci_irq+0xf1/0x430
[  540.941967]  [<c13ee480>] ? add_interrupt_randomness+0x120/0x170
[  540.942118]  [<c13ec8b9>] ? __mix_pool_bytes+0x39/0x80
[  540.942248]  [<c13ee4a9>] ? add_interrupt_randomness+0x149/0x170
[  540.942400]  [<c149cb23>] usb_hcd_irq+0x33/0x50
[  540.942517]  [<c10a27d5>] handle_irq_event_percpu+0x35/0x1a0
[  540.942663]  [<c103bf5d>] ? __unmask_ioapic+0x2d/0x40
[  540.942792]  [<c10a2971>] handle_irq_event+0x31/0x50
[  540.942921]  [<c10a52a0>] ? unmask_irq+0x30/0x30
[  540.943040]  [<c10a52ee>] handle_fasteoi_irq+0x4e/0xe0
[  540.943166]  <IRQ>
[  540.943221]
[  540.943274]  [<c164ceac>] ? do_IRQ+0x3c/0xb0
[  540.943354]  [<c164cc73>] ? common_interrupt+0x33/0x38
[  540.943489]  [<c152375e>] ? cpuidle_enter_state+0x3e/0xd0
[  540.943626]  [<c152388e>] ? cpuidle_idle_call+0x9e/0x1d0
[  540.943762]  [<c10173dd>] ? arch_cpu_idle+0xd/0x30
[  540.943885]  [<c10a1eab>] ? cpu_startup_entry+0x9b/0x200
[  540.944019]  [<c107ba38>] ? complete+0x48/0x50
[  540.944136]  [<c1634512>] ? rest_init+0x62/0x70
[  540.944254]  [<c19a1acd>] ? start_kernel+0x397/0x39d
[  540.944380]  [<c19a156d>] ? repair_env_string+0x51/0x51
[  540.950487]  [<c19a1394>] ? i386_start_kernel+0x137/0x13a
[  540.956536] Code: eb d6 83 cb ff eb d1 8d b6 00 00 00 00 55 89 e5
53 3e 8d 74 26 00 b8 26 8b b5 c1 89 d3 e8 ab 95 1a 00 8b 4b 14 8d 43
14 8b 53 18 <89> 51 04 89 0a 89 43 14 89 43 18 b8 26 8b b5 c1 e8 1d 95
1a 00
[  540.969778] EIP: [<c149bc1e>] usb_hcd_unlink_urb_from_ep+0x1e/0x40
SS:ESP 0068:f7009e4c
[  540.976118] CR2: 000000006b6b6b6f

-- 
Devin J. Heitmueller - Kernel Labs
http://www.kernellabs.com
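The register dump above carries the use-after-free evidence in a form that is worth reading mechanically: ECX and EDX both hold 0x6b6b6b6b, which is the SLUB free poison (POISON_FREE from include/linux/poison.h, replicated across the word), and CR2 is that poison plus 4. The code bytes at EIP decode as loads of the URB's list pointers at 0x14(%ebx) and 0x18(%ebx) followed by the faulting store `mov %edx,0x4(%ecx)`, i.e. the `next->prev = prev` half of a list unlink; EAX = EBX + 0x14 confirms the list head offset. The following triage helper is an added example, not code from the post or from the kernel: it parses register lines of an x86-32 oops, flags any register whose contents are entirely POISON_FREE or POISON_INUSE bytes, and reports the displacement of the fault address from a poison word. The input is the register lines copied from the oops above; the 4096-byte displacement window is an assumption chosen to cover struct field offsets.

```c
/*
 * Added triage helper (not part of the original post or of the kernel):
 * scan an x86-32 oops register dump for SLUB poison values and relate the
 * faulting address (CR2) to that poison.  Poison bytes match
 * include/linux/poison.h.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE  0x6b  /* object bytes after kfree() with slub_debug=P */
#define POISON_INUSE 0x5a  /* object bytes right after allocation */

/* Replicate a poison byte into a 32-bit word, e.g. 0x6b -> 0x6b6b6b6b. */
static uint32_t poison_word(uint8_t b)
{
    return (uint32_t)b * 0x01010101u;
}

/* Find "NAME: <hex>" in the dump text; returns 1 and sets *val on success. */
int reg_value(const char *dump, const char *name, uint32_t *val)
{
    char key[16];
    snprintf(key, sizeof key, "%s: ", name);
    const char *p = strstr(dump, key);
    if (!p)
        return 0;
    *val = (uint32_t)strtoul(p + strlen(key), NULL, 16);
    return 1;
}

/* Returns the poison byte if every byte of v is that poison value, else 0. */
int poison_byte(uint32_t v)
{
    if (v == poison_word(POISON_FREE))
        return POISON_FREE;
    if (v == poison_word(POISON_INUSE))
        return POISON_INUSE;
    return 0;
}

/*
 * If the fault address is a small positive displacement from a poison word,
 * the kernel dereferenced a pointer it read out of poisoned memory.
 * Returns the displacement (0..4095, an assumed window) or -1 if unrelated.
 */
int poison_displacement(uint32_t fault_addr)
{
    const uint8_t candidates[] = { POISON_FREE, POISON_INUSE };
    for (size_t i = 0; i < sizeof candidates; i++) {
        uint32_t base = poison_word(candidates[i]);
        if (fault_addr >= base && fault_addr - base < 4096)
            return (int)(fault_addr - base);
    }
    return -1;
}

/* Count registers holding poison and print a verdict for each, plus CR2. */
int triage(const char *dump)
{
    static const char *regs[] = { "EAX", "EBX", "ECX", "EDX",
                                  "ESI", "EDI", "EBP", "ESP" };
    int hits = 0;
    for (size_t i = 0; i < sizeof regs / sizeof regs[0]; i++) {
        uint32_t v;
        if (!reg_value(dump, regs[i], &v))
            continue;
        int pb = poison_byte(v);
        if (pb) {
            hits++;
            printf("%s = %08x: SLUB %s, value was read from %s memory\n",
                   regs[i], v,
                   pb == POISON_FREE ? "POISON_FREE" : "POISON_INUSE",
                   pb == POISON_FREE ? "freed" : "freshly allocated");
        }
    }
    uint32_t cr2;
    if (reg_value(dump, "CR2", &cr2)) {
        int d = poison_displacement(cr2);
        if (d >= 0)
            printf("CR2 = %08x is poison + %d: access through a poisoned "
                   "pointer at field offset %d\n", cr2, d, d);
    }
    return hits;
}

/* Register lines copied from the oops above (constructed input for this example). */
static const char oops_regs[] =
    "EAX: eba08904 EBX: eba088f0 ECX: 6b6b6b6b EDX: 6b6b6b6b\n"
    "ESI: eba088f0 EDI: f6831860 EBP: f7009e50 ESP: f7009e4c\n"
    "CR0: 8005003b CR2: 6b6b6b6f CR3: 2ba72000 CR4: 000007f0\n";

int main(void)
{
    int n = triage(oops_regs);
    printf("%d poisoned register(s)\n", n);
    return n ? 0 : 1;
}
```

On this dump the helper reports ECX and EDX as POISON_FREE and CR2 as poison + 4, which together say the two list pointers loaded from the URB at EBX were already overwritten by the free-time poison when the unlink ran; the pointer that is poisoned is the one that was read out of the object, so the object itself is the freed one.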