FS#58548 - [linux] Linux 4.16.8 - Ejecting/removing USB 3.0 devices causes system functional lockup.
Attached to Project:
Arch Linux
Opened by Jacob S (Gourdcaptain) - Friday, 11 May 2018, 20:36 GMT
Last edited by Jan de Groot (JGC) - Monday, 21 May 2018, 08:22 GMT
Opened by Jacob S (Gourdcaptain) - Friday, 11 May 2018, 20:36 GMT
Last edited by Jan de Groot (JGC) - Monday, 21 May 2018, 08:22 GMT
|
Details
Description:
On Linux 4.16.8, removing/ejecting USB 3.0 devices causes it to enter a stunned state in which many USB devices refuse to respond, the CPU frequently goes into a softlock, and a Kernel BUGs begin being spewed every couple of seconds. While it will respond to some input if the keyboard still works (or an SSH connection is maintained), this is unreliable and will hang in the middle of shutdown, let alone other activity. Bisecting the differences between 4.16.7 and 4.16.7 narrowed it down to commit f5331826b0b7a5f2db56a9020ddbb8ce16acdfc0, "xhci: Fix use-after-free in xhci_free_virt_device". Unfortunately, I was unable to capture a log in a less terrible way, so the logs I'm uploading are images from my terrible cell phone camera - sorry. Additional info: * linux 4.16.8 * Bisected to commit: commit f5331826b0b7a5f2db56a9020ddbb8ce16acdfc0 Author: Mathias Nyman <mathias.nyman@linux.intel.com> Date: Thu May 3 17:30:07 2018 +0300 xhci: Fix use-after-free in xhci_free_virt_device commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream. KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e where xhci_free_virt_device() sets slot id to 0 if udev exists: if (dev->udev && dev->udev->slot_id) dev->udev->slot_id = 0; dev->udev will be true even if udev is freed because dev->udev is not set to NULL. set dev->udev pointer to NULL in xhci_free_dev() The original patch went to stable so this fix needs to be applied there as well. Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot") Cc: <stable@vger.kernel.org> Reported-by: Guenter Roeck <linux@roeck-us.net> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> :040000 040000 356ecdc13bf252535bd51b8558a8173dae546f19 d28f201228652e87e51ba48f5a0ad4539cca5c29 M drivers Log Images: https://www.dropbox.com/s/xazat5r1zevuoyl/IMG_20180511_151208.jpg?dl=0 https://www.dropbox.com/s/87x8xrq4jtyj6wn/IMG_20180511_151243.jpg?dl=0 https://www.dropbox.com/s/6w1uxoni1u71lsl/IMG_20180511_151246.jpg?dl=0 https://www.dropbox.com/s/4lk1lf5qwfzr95e/IMG_20180511_151307.jpg?dl=0 Steps to reproduce: Insert a USB 3.0 device, in my case a mass storage device. Detach it from the system, which I did with "udisksctl power-off --block-device /dev/sde" where sde was the block device of the drive. The drive did not need to be mounted for the issues to start. |
This task depends upon
Closed by Jan de Groot (JGC)
Monday, 21 May 2018, 08:22 GMT
Reason for closing: Fixed
Additional comments about closing: 4.16.9
Monday, 21 May 2018, 08:22 GMT
Reason for closing: Fixed
Additional comments about closing: 4.16.9
https://www.spinics.net/lists/linux-usb/msg168851.html - Linked to the same commit.
https://www.spinics.net/lists/linux-usb/msg168861.html - Suggested fix? I'll apply it to a compile on my system and try it out. Someone else on the list says the patch listed there works as well.