Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#58548 - [linux] Linux 4.16.8 - Ejecting/removing USB 3.0 devices causes system functional lockup.

Attached to Project: Arch Linux
Opened by Jacob S (Gourdcaptain) - Friday, 11 May 2018, 20:36 GMT
Last edited by Jan de Groot (JGC) - Monday, 21 May 2018, 08:22 GMT
Task Type Bug Report
Category Kernel
Status Closed
Assigned To Tobias Powalowski (tpowa)
Jan Steffens (heftig)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No


On Linux 4.16.8, removing/ejecting USB 3.0 devices causes it to enter a stunned state in which many USB devices refuse to respond, the CPU frequently goes into a softlock, and a Kernel BUGs begin being spewed every couple of seconds. While it will respond to some input if the keyboard still works (or an SSH connection is maintained), this is unreliable and will hang in the middle of shutdown, let alone other activity. Bisecting the differences between 4.16.7 and 4.16.7 narrowed it down to commit f5331826b0b7a5f2db56a9020ddbb8ce16acdfc0, "xhci: Fix use-after-free in xhci_free_virt_device". Unfortunately, I was unable to capture a log in a less terrible way, so the logs I'm uploading are images from my terrible cell phone camera - sorry.

Additional info:
* linux 4.16.8
* Bisected to commit:
commit f5331826b0b7a5f2db56a9020ddbb8ce16acdfc0
Author: Mathias Nyman <>
Date: Thu May 3 17:30:07 2018 +0300

xhci: Fix use-after-free in xhci_free_virt_device

commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream.

KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
where xhci_free_virt_device() sets slot id to 0 if udev exists:
if (dev->udev && dev->udev->slot_id)
dev->udev->slot_id = 0;

dev->udev will be true even if udev is freed because dev->udev is
not set to NULL.

set dev->udev pointer to NULL in xhci_free_dev()

The original patch went to stable so this fix needs to be applied
there as well.

Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when
disabling and freeing a xhci slot")
Cc: <>
Reported-by: Guenter Roeck <>
Reviewed-by: Guenter Roeck <>
Tested-by: Guenter Roeck <>
Signed-off-by: Mathias Nyman <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Greg Kroah-Hartman <>

:040000 040000 356ecdc13bf252535bd51b8558a8173dae546f19
d28f201228652e87e51ba48f5a0ad4539cca5c29 M drivers

Log Images:

Steps to reproduce:
Insert a USB 3.0 device, in my case a mass storage device. Detach it from the system, which I did with "udisksctl power-off --block-device /dev/sde" where sde was the block device of the drive. The drive did not need to be mounted for the issues to start.
This task depends upon

Closed by  Jan de Groot (JGC)
Monday, 21 May 2018, 08:22 GMT
Reason for closing:  Fixed
Additional comments about closing:  4.16.9
Comment by loqs (loqs) - Saturday, 12 May 2018, 01:09 GMT
Have you reported this upstream using the linux-usb, linux-stable or linux-kernel mailing lists?
Comment by Jacob S (Gourdcaptain) - Saturday, 12 May 2018, 01:10 GMT
I'm trying on Linux Stable mailing list. I'm... kinda new at trying this stuff, got blocked by the spam filter when asking for help, and my message might be being held for checking to see if it's spam. Every other time I've filed a bug for a kernel component they've used a bug tracker which is something I'm a lot more familiar with.
Comment by loqs (loqs) - Saturday, 12 May 2018, 01:18 GMT
As per the USB subsystem does not use the bugtracker. I do not know if the the linux-stable list is moderated.
Comment by Jacob S (Gourdcaptain) - Saturday, 12 May 2018, 01:22 GMT
I sent a copy of my bug report just now to the linux-usb bug tracker as well as my attempted copy to linux-stable.
Comment by Jacob S (Gourdcaptain) - Saturday, 12 May 2018, 01:56 GMT - Here appears to be the bug occuring in 4.17 as a result and being bisected by them. - Linked to the same commit. - Suggested fix? I'll apply it to a compile on my system and try it out. Someone else on the list says the patch listed there works as well.
Comment by Jacob S (Gourdcaptain) - Saturday, 12 May 2018, 02:33 GMT
The linked patch in: does work applied to 4.16.8 to fix my issues.
Comment by Torus (T0t0) - Sunday, 13 May 2018, 14:57 GMT
On my computer, removing a flash drive freezes it completely
Comment by Jacob S (Gourdcaptain) - Monday, 21 May 2018, 00:39 GMT
This was resolved by 4.16.9-1.