* usb: cdc-acm: BUG kmalloc-128 Poison overwritten
@ 2021-02-12 15:33 Bruno Thomsen
2021-02-18 15:52 ` Bruno Thomsen
0 siblings, 1 reply; 8+ messages in thread
From: Bruno Thomsen @ 2021-02-12 15:33 UTC (permalink / raw)
To: linux-usb,
moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE,
open list
Cc: Bruno Thomsen, Lars Alex Pedersen, Bruno Thomsen
Hi,
I have been experience random kernel oops in the cdc-acm driver on
imx7 (arm arch). Normally it happens during the first 1-3min runtime
after power-on. Below oops is from 5.8.17 mainline kernel with an
extra patch back-ported in an attempt to fix it:
38203b8385 ("usb: cdc-acm: fix cooldown mechanism")
Output from kconfig_hardened_check in version 2020-10-30-g2f8e7a4dc57a
has been included below oops as it might be related to the hardened kernel.
Currently I cannot update to latest mainline kernel as our board
isn't able to boot due to SPI errors on ecspi4 in versions 5.9-5.11rc6.
I am trying to bisect that issue, but I can still apply test patches if
anyone has an idea to why this is happening.
[ 55.065305] 8<--- cut here ---
[ 55.068392] Unable to handle kernel paging request at virtual
address 6b6b6c03
[ 55.075624] pgd = be866494
[ 55.078335] [6b6b6c03] *pgd=00000000
[ 55.081924] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 55.087238] Modules linked in: ppp_async crc_ccitt ppp_generic slhc
xt_TCPMSS xt_tcpmss xt_hl nf_log_ipv6 nf_log_ipv4 nf_log_common
xt_policy xt_limit xt_conntrack xt_tcpudp xt_pkttype ip6table_mangle
iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4
iptable_mangle ip6table_filter ip6_tables iptable_filter ip_tables
des_generic md5 sch_fq_codel cdc_mbim cdc_wdm cdc_ncm usbnet mii
cdc_acm usb_storage ip_tunnel xfrm_user xfrm6_tunnel tunnel6
xfrm4_tunnel tunnel4 esp6 esp4 ah6 ah4 xfrm_algo xt_LOG xt_LED
xt_comment x_tables ipv6
[ 55.134954] CPU: 0 PID: 82 Comm: kworker/0:2 Tainted: G
T 5.8.17 #1
[ 55.142526] Hardware name: Freescale i.MX7 Dual (Device Tree)
[ 55.148304] Workqueue: events acm_softint [cdc_acm]
[ 55.153196] PC is at kobject_get+0x10/0xa4
[ 55.157302] LR is at usb_get_dev+0x14/0x1c
[ 55.161402] pc : [<8047c06c>] lr : [<80560448>] psr: 20000193
[ 55.167671] sp : bca39ea8 ip : 00007374 fp : bf6cbd80
[ 55.172899] r10: 00000000 r9 : bdd92284 r8 : bdd92008
[ 55.178128] r7 : 6b6b6b6b r6 : fffffffe r5 : 60000113 r4 : 6b6b6be3
[ 55.184658] r3 : 6b6b6b6b r2 : 00000111 r1 : 00000000 r0 : 6b6b6be3
[ 55.191191] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM
Segment none
[ 55.198417] Control: 10c5387d Table: bcf0c06a DAC: 00000051
[ 55.204168] Process kworker/0:2 (pid: 82, stack limit = 0x9bdd2a89)
[ 55.210439] Stack: (0xbca39ea8 to 0xbca3a000)
[ 55.214805] 9ea0: bf6cbd80 80769a50 6b6b6b6b
80560448 bdeb0500 8056bfe8
[ 55.222991] 9ec0: 00000002 b76da000 00000000 bdeb0500 bdd92448
bca38000 bdeb0510 8056d69c
[ 55.231177] 9ee0: bca38000 00000000 80c050fc 00000000 bca39f44
09d42015 00000000 00000001
[ 55.239363] 9f00: bdd92448 bdd92438 bdd92000 7f1158c4 bdd92448
bca2ee00 bf6cbd80 bf6cef00
[ 55.247549] 9f20: 00000000 00000000 00000000 801412d8 bf6cbd98
80c03d00 bca2ee00 bf6cbd80
[ 55.255735] 9f40: bca2ee14 bf6cbd98 80c03d00 00000008 bca38000
80141568 00000000 80c446ae
[ 55.263921] 9f60: 00000000 bc9ed880 bc9f0700 bca38000 bc117eb4
80141524 bca2ee00 bc9ed8a4
[ 55.272107] 9f80: 00000000 80147cc8 00000000 bc9f0700 80147b84
00000000 00000000 00000000
[ 55.280292] 9fa0: 00000000 00000000 00000000 80100148 00000000
00000000 00000000 00000000
[ 55.288477] 9fc0: 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000
[ 55.296662] 9fe0: 00000000 00000000 00000000 00000000 00000013
00000000 00000000 00000000
[ 55.304860] [<8047c06c>] (kobject_get) from [<80560448>]
(usb_get_dev+0x14/0x1c)
[ 55.312271] [<80560448>] (usb_get_dev) from [<8056bfe8>]
(usb_hcd_unlink_urb+0x50/0xd8)
[ 55.320286] [<8056bfe8>] (usb_hcd_unlink_urb) from [<8056d69c>]
(usb_kill_urb.part.0+0x44/0xd0)
[ 55.329004] [<8056d69c>] (usb_kill_urb.part.0) from [<7f1158c4>]
(acm_softint+0x4c/0x10c [cdc_acm])
[ 55.338082] [<7f1158c4>] (acm_softint [cdc_acm]) from [<801412d8>]
(process_one_work+0x19c/0x3e8)
[ 55.346969] [<801412d8>] (process_one_work) from [<80141568>]
(worker_thread+0x44/0x4dc)
[ 55.355072] [<80141568>] (worker_thread) from [<80147cc8>]
(kthread+0x144/0x180)
[ 55.362481] [<80147cc8>] (kthread) from [<80100148>]
(ret_from_fork+0x14/0x2c)
[ 55.369706] Exception stack(0xbca39fb0 to 0xbca39ff8)
[ 55.374764] 9fa0: 00000000
00000000 00000000 00000000
[ 55.382949] 9fc0: 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000
[ 55.391133] 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 55.397757] Code: e92d4010 e2504000 e24dd008 0a00000e (e5d43020)
[ 55.403857] ---[ end trace 1ec2a82c3635d550 ]---
[ 55.408479] note: kworker/0:2[82] exited with preempt_count 1
[ 60.237377] =============================================================================
[ 60.245593] BUG kmalloc-128 (Tainted: G D T): Poison overwritten
[ 60.252737] -----------------------------------------------------------------------------
[ 60.252737]
[ 60.262402] INFO: 0xa0093f52-0xa0093f52 @offset=1296. First byte
0x6c instead of 0x6b
[ 60.270249] INFO: Allocated in usb_alloc_urb+0x24/0x58 age=1380 cpu=0 pid=82
[ 60.277326] INFO: Freed in acm_disconnect+0x124/0x194 [cdc_acm]
age=521 cpu=0 pid=1566
[ 60.285250] INFO: Slab 0xccf60d34 objects=21 used=21 fp=0x00000000
flags=0x10200
[ 60.292651] INFO: Object 0xf99f52f8 @offset=1280 fp=0x2bebcd84
[ 60.292651]
[ 60.299970] Redzone d4df7357: bb bb bb bb bb bb bb bb bb bb bb bb
bb bb bb bb ................
[ 60.308673] Redzone 4d860a97: bb bb bb bb bb bb bb bb bb bb bb bb
bb bb bb bb ................
[ 60.317376] Redzone baac8314: bb bb bb bb bb bb bb bb bb bb bb bb
bb bb bb bb ................
[ 60.326079] Redzone 96f8eac1: bb bb bb bb bb bb bb bb bb bb bb bb
bb bb bb bb ................
[ 60.334782] Redzone ec38f6ed: bb bb bb bb bb bb bb bb bb bb bb bb
bb bb bb bb ................
[ 60.343484] Redzone b3fb9a18: bb bb bb bb bb bb bb bb bb bb bb bb
bb bb bb bb ................
[ 60.352187] Redzone 74064318: bb bb bb bb bb bb bb bb bb bb bb bb
bb bb bb bb ................
[ 60.360890] Redzone 2dff267e: bb bb bb bb bb bb bb bb bb bb bb bb
bb bb bb bb ................
[ 60.369593] Object f99f52f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
[ 60.378209] Object a0093f52: 6c 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b lkkkkkkkkkkkkkkk
[ 60.386825] Object b7794eec: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
[ 60.395441] Object 0b027fa1: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
[ 60.404057] Object 61e1d5ae: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
[ 60.412673] Object cabf4fee: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
[ 60.421289] Object fd09753d: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
[ 60.429905] Object a9fe4019: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b a5 kkkkkkkkkkkkkkk.
[ 60.438521] Redzone 6e67d9d1: bb bb bb bb
....
[ 60.446182] Padding 57758010: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 60.454885] Padding a6aa7e4a: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 60.463588] Padding d58391c3: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 60.472291] Padding cf07eeb7: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 60.480994] Padding ead255cb: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 60.489697] Padding c6e3c745: 5a 5a 5a 5a 5a 5a 5a 5a
ZZZZZZZZ
[ 60.497709] CPU: 0 PID: 1 Comm: systemd Tainted: G B D T 5.8.17 #1
[ 60.504846] Hardware name: Freescale i.MX7 Dual (Device Tree)
[ 60.510619] [<8010eb74>] (unwind_backtrace) from [<8010b5c8>]
(show_stack+0x10/0x14)
[ 60.518379] [<8010b5c8>] (show_stack) from [<804765ec>]
(dump_stack+0x8c/0xa0)
[ 60.525617] [<804765ec>] (dump_stack) from [<8026b508>]
(check_bytes_and_report+0xcc/0xe8)
[ 60.533895] [<8026b508>] (check_bytes_and_report) from [<8026cde8>]
(check_object+0x248/0x2ac)
[ 60.542519] [<8026cde8>] (check_object) from [<8026de04>]
(alloc_debug_processing+0xc4/0x188)
[ 60.551055] [<8026de04>] (alloc_debug_processing) from [<8026e4fc>]
(___slab_alloc.constprop.0+0x634/0x6dc)
[ 60.560808] [<8026e4fc>] (___slab_alloc.constprop.0) from
[<8026e5e4>] (__slab_alloc.constprop.0+0x40/0x48)
[ 60.570560] [<8026e5e4>] (__slab_alloc.constprop.0) from
[<8026ed14>] (kmem_cache_alloc+0x1a8/0x290)
[ 60.579704] [<8026ed14>] (kmem_cache_alloc) from [<801dc7c8>]
(push_stack+0x2c/0xf0)
[ 60.587459] [<801dc7c8>] (push_stack) from [<801e3b34>]
(check_cond_jmp_op+0xf0/0x780)
[ 60.595388] [<801e3b34>] (check_cond_jmp_op) from [<801e8094>]
(do_check+0xcac/0x1220)
[ 60.603315] [<801e8094>] (do_check) from [<801e8848>]
(do_check_common+0x240/0x300)
[ 60.610983] [<801e8848>] (do_check_common) from [<801e9c90>]
(bpf_check+0x1388/0x154c)
[ 60.618913] [<801e9c90>] (bpf_check) from [<801d55c4>]
(bpf_prog_load+0x664/0x9d4)
[ 60.626496] [<801d55c4>] (bpf_prog_load) from [<801d62b0>]
(__do_sys_bpf+0x3e8/0x1840)
[ 60.634426] [<801d62b0>] (__do_sys_bpf) from [<80100060>]
(ret_fast_syscall+0x0/0x54)
[ 60.642260] Exception stack(0xbc101fa8 to 0xbc101ff0)
[ 60.647320] 1fa0: 00000000 0000000f 00000005
7e9004e8 00000070 00000000
[ 60.655507] 1fc0: 00000000 0000000f 0000003a 00000182 072ddbc0
0000003a 0000000f 07281b38
[ 60.663689] 1fe0: 7e9004e0 7e9004d0 70799fdb 70611692
[ 60.668750] FIX kmalloc-128: Restoring 0xa0093f52-0xa0093f52=0x6b
[ 60.668750]
[ 60.676323] FIX kmalloc-128: Marking all objects used
-----------------------------------8<-------------------------------------------------------
[+] Config file to check: configs/platform-v7a/tqma7/kernelconfig
[+] Detected architecture: ARM
[+] Detected kernel version: 5.8
=========================================================================================================================
option name | desired val | decision
| reason | check result
=========================================================================================================================
CONFIG_BUG | y |defconfig
| self_protection | OK
CONFIG_SLUB_DEBUG | y |defconfig
| self_protection | OK
CONFIG_GCC_PLUGINS | y |defconfig
| self_protection | OK
CONFIG_STACKPROTECTOR_STRONG | y |defconfig
| self_protection | OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig
| self_protection | OK
CONFIG_STRICT_MODULE_RWX | y |defconfig
| self_protection | OK
CONFIG_REFCOUNT_FULL | y |defconfig
| self_protection | OK: version >= 5.5
CONFIG_IOMMU_SUPPORT | y |defconfig
| self_protection | FAIL: "is not set"
CONFIG_CPU_SW_DOMAIN_PAN | y |defconfig
| self_protection | OK
CONFIG_STACKPROTECTOR_PER_TASK | y |defconfig
| self_protection | OK
CONFIG_HARDEN_BRANCH_PREDICTOR | y |defconfig
| self_protection | OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp
| self_protection | OK
CONFIG_DEBUG_WX | y | kspp
| self_protection | OK
CONFIG_SCHED_STACK_END_CHECK | y | kspp
| self_protection | OK
CONFIG_SLAB_FREELIST_HARDENED | y | kspp
| self_protection | OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp
| self_protection | OK
CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp
| self_protection | OK
CONFIG_FORTIFY_SOURCE | y | kspp
| self_protection | OK
CONFIG_DEBUG_LIST | y | kspp
| self_protection | OK
CONFIG_DEBUG_SG | y | kspp
| self_protection | OK
CONFIG_DEBUG_CREDENTIALS | y | kspp
| self_protection | OK
CONFIG_DEBUG_NOTIFIERS | y | kspp
| self_protection | OK
CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp
| self_protection | OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp
| self_protection | OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp
| self_protection | OK
CONFIG_HARDENED_USERCOPY | y | kspp
| self_protection | OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp
| self_protection | OK
CONFIG_MODULE_SIG | y | kspp
| self_protection | FAIL: "is not set"
CONFIG_MODULE_SIG_ALL | y | kspp
| self_protection | FAIL: not found
CONFIG_MODULE_SIG_SHA512 | y | kspp
| self_protection | FAIL: not found
CONFIG_MODULE_SIG_FORCE | y | kspp
| self_protection | FAIL: not found
CONFIG_INIT_STACK_ALL_ZERO | y | kspp
| self_protection | FAIL: not found
CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp
| self_protection | FAIL: "is not set"
CONFIG_SYN_COOKIES | y | kspp
| self_protection | OK
CONFIG_DEFAULT_MMAP_MIN_ADDR | 32768 | kspp
| self_protection | OK
CONFIG_SECURITY_DMESG_RESTRICT | y | clipos
| self_protection | OK
CONFIG_DEBUG_VIRTUAL | y | clipos
| self_protection | OK
CONFIG_STATIC_USERMODEHELPER | y | clipos
| self_protection | FAIL: "is not set"
CONFIG_EFI_DISABLE_PCI_DMA | y | clipos
| self_protection | FAIL: not found
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos
| self_protection | OK
CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos
| self_protection | OK
CONFIG_RANDOM_TRUST_CPU | is not set | clipos
| self_protection | OK: not found
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos
| self_protection | OK
CONFIG_UBSAN_BOUNDS | y | my
| self_protection | FAIL: CONFIG_UBSAN_TRAP not "y"
CONFIG_SLUB_DEBUG_ON | y | my
| self_protection | OK
CONFIG_RESET_ATTACK_MITIGATION | y | my
| self_protection | FAIL: not found
CONFIG_SECURITY | y | kspp
| security_policy | OK
CONFIG_SECURITY_YAMA | y | kspp
| security_policy | OK
CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my
| security_policy | OK: not found
CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos
| security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos
| security_policy | FAIL: not found
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos
| security_policy | FAIL: not found
CONFIG_SECURITY_SAFESETID | y | my
| security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my
| security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN_ENFORCE | y | my
| security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y"
CONFIG_SECCOMP | y |defconfig
| cut_attack_surface | OK
CONFIG_SECCOMP_FILTER | y |defconfig
| cut_attack_surface | OK
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp
| cut_attack_surface | OK: not found
CONFIG_COMPAT_BRK | is not set | kspp
| cut_attack_surface | OK
CONFIG_DEVKMEM | is not set | kspp
| cut_attack_surface | OK
CONFIG_COMPAT_VDSO | is not set | kspp
| cut_attack_surface | OK: not found
CONFIG_BINFMT_MISC | is not set | kspp
| cut_attack_surface | OK
CONFIG_INET_DIAG | is not set | kspp
| cut_attack_surface | OK
CONFIG_KEXEC | is not set | kspp
| cut_attack_surface | OK: not found
CONFIG_PROC_KCORE | is not set | kspp
| cut_attack_surface | OK: not found
CONFIG_LEGACY_PTYS | is not set | kspp
| cut_attack_surface | OK
CONFIG_HIBERNATION | is not set | kspp
| cut_attack_surface | OK: not found
CONFIG_IA32_EMULATION | is not set | kspp
| cut_attack_surface | OK: not found
CONFIG_X86_X32 | is not set | kspp
| cut_attack_surface | OK: not found
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp
| cut_attack_surface | OK: not found
CONFIG_OABI_COMPAT | is not set | kspp
| cut_attack_surface | OK
CONFIG_MODULES | is not set | kspp
| cut_attack_surface | FAIL: "y"
CONFIG_DEVMEM | is not set | kspp
| cut_attack_surface | OK
CONFIG_IO_STRICT_DEVMEM | y | kspp
| cut_attack_surface | OK: CONFIG_DEVMEM "is not set"
CONFIG_STRICT_DEVMEM | y | kspp
| cut_attack_surface | OK: CONFIG_DEVMEM "is not set"
CONFIG_ZSMALLOC_STAT | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_PAGE_OWNER | is not set
|grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_KMEMLEAK | is not set
|grsecurity| cut_attack_surface | OK
CONFIG_BINFMT_AOUT | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_KPROBES | is not set
|grsecurity| cut_attack_surface | OK
CONFIG_UPROBES | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_GENERIC_TRACER | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_PROC_VMCORE | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_PROC_PAGE_MONITOR | is not set
|grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_USELIB | is not set
|grsecurity| cut_attack_surface | OK
CONFIG_CHECKPOINT_RESTORE | is not set
|grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_USERFAULTFD | is not set
|grsecurity| cut_attack_surface | OK
CONFIG_HWPOISON_INJECT | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_MEM_SOFT_DIRTY | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_DEVPORT | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_DEBUG_FS | is not set
|grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set
|grsecurity| cut_attack_surface | OK
CONFIG_X86_PTDUMP | is not set
|grsecurity| cut_attack_surface | OK: not found
CONFIG_DRM_LEGACY | is not set
|maintainer| cut_attack_surface | OK: not found
CONFIG_FB | is not set
|maintainer| cut_attack_surface | OK
CONFIG_VT | is not set
|maintainer| cut_attack_surface | FAIL: "y"
CONFIG_AIO | is not set
|grapheneos| cut_attack_surface | FAIL: "y"
CONFIG_STAGING | is not set | clipos
| cut_attack_surface | OK
CONFIG_KSM | is not set | clipos
| cut_attack_surface | OK
CONFIG_KALLSYMS | is not set | clipos
| cut_attack_surface | FAIL: "y"
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos
| cut_attack_surface | OK: not found
CONFIG_MAGIC_SYSRQ | is not set | clipos
| cut_attack_surface | OK
CONFIG_KEXEC_FILE | is not set | clipos
| cut_attack_surface | OK: not found
CONFIG_USER_NS | is not set | clipos
| cut_attack_surface | FAIL: "y"
CONFIG_X86_MSR | is not set | clipos
| cut_attack_surface | OK: not found
CONFIG_X86_CPUID | is not set | clipos
| cut_attack_surface | OK: not found
CONFIG_IO_URING | is not set | clipos
| cut_attack_surface | FAIL: "y"
CONFIG_X86_IOPL_IOPERM | is not set | clipos
| cut_attack_surface | OK: not found
CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos
| cut_attack_surface | OK: not found
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos
| cut_attack_surface | OK: not found
CONFIG_LDISC_AUTOLOAD | is not set | clipos
| cut_attack_surface | OK
CONFIG_EFI_TEST | is not set | lockdown
| cut_attack_surface | OK: not found
CONFIG_BPF_SYSCALL | is not set | lockdown
| cut_attack_surface | FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown
| cut_attack_surface | OK: not found
CONFIG_TRIM_UNUSED_KSYMS | y | my
| cut_attack_surface | FAIL: "is not set"
CONFIG_MMIOTRACE | is not set | my
| cut_attack_surface | OK: not found
CONFIG_LIVEPATCH | is not set | my
| cut_attack_surface | OK: not found
CONFIG_IP_DCCP | is not set | my
| cut_attack_surface | OK
CONFIG_IP_SCTP | is not set | my
| cut_attack_surface | OK
CONFIG_FTRACE | is not set | my
| cut_attack_surface | OK
CONFIG_VIDEO_VIVID | is not set | my
| cut_attack_surface | OK: not found
CONFIG_INPUT_EVBUG | is not set | my
| cut_attack_surface | OK
CONFIG_INTEGRITY | y | my
|userspace_hardening | FAIL: "is not set"
CONFIG_VMSPLIT_3G | y |defconfig
|userspace_hardening | FAIL: "is not set"
CONFIG_ARCH_MMAP_RND_BITS | 16 | my
|userspace_hardening | FAIL: "15"
[+] Config check is finished: 'OK' - 94 / 'FAIL' - 31
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: usb: cdc-acm: BUG kmalloc-128 Poison overwritten
2021-02-12 15:33 usb: cdc-acm: BUG kmalloc-128 Poison overwritten Bruno Thomsen
@ 2021-02-18 15:52 ` Bruno Thomsen
2021-02-22 9:36 ` Oliver Neukum
0 siblings, 1 reply; 8+ messages in thread
From: Bruno Thomsen @ 2021-02-18 15:52 UTC (permalink / raw)
To: linux-usb,
moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE,
open list
Cc: Bruno Thomsen, Lars Alex Pedersen
Den fre. 12. feb. 2021 kl. 16.33 skrev Bruno Thomsen <bruno.thomsen@gmail.com>:
>
> Hi,
>
> I have been experience random kernel oops in the cdc-acm driver on
> imx7 (arm arch). Normally it happens during the first 1-3min runtime
> after power-on. Below oops is from 5.8.17 mainline kernel with an
> extra patch back-ported in an attempt to fix it:
> 38203b8385 ("usb: cdc-acm: fix cooldown mechanism")
I can now boot board with 5.11 kernel without any extra patches and
it produce similar issue. Hopefully that make the oops more useful.
Issue has been seen on multiple devices, so I don't think it's a bad
hardware issue.
[ 76.458010] 8<--- cut here ---
[ 76.461178] Unable to handle kernel paging request at virtual address 6b6b6b93
[ 76.472958] pgd = f805d813
[ 76.475788] [6b6b6b93] *pgd=00000000
[ 76.488068] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 76.493441] Modules linked in: xt_TCPMSS xt_tcpmss xt_hl nf_log_ipv6
nf_log_ipv4 nf_log_common xt_policy xt_limit xt_conntrack xt_tcpudp
xt_pkttype ip6table_mangle iptable_nat nf_nat nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle ip6table_filter
ip6_tables iptable_filter ip_tables des_generic md5 sch_fq_codel
cdc_mbim cdc_wdm cdc_ncm cdc_ether usbnet mii cdc_acm usb_storage
ip_tunnel xfrm_user xfrm6_tunnel tunnel6 xfrm4_tunnel tunnel4 esp6
esp4 ah6 ah4 xfrm_algo xt_LOG xt_LED xt_comment x_tables ipv6
[ 76.539032] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G T 5.11.0 #1
[ 76.546539] Hardware name: Freescale i.MX7 Dual (Device Tree)
[ 76.552295] Workqueue: events acm_softint [cdc_acm]
[ 76.557223] PC is at usb_kill_urb+0x8/0x24
[ 76.561337] LR is at acm_softint+0x4c/0x10c [cdc_acm]
[ 76.566415] pc : [<805911a8>] lr : [<7f1168c4>] psr: 200e0113
[ 76.572689] sp : 84113f08 ip : 8575de7c fp : 840e92bc
[ 76.577920] r10: 00000000 r9 : 893222a8 r8 : 89322008
[ 76.583151] r7 : 89322000 r6 : 89322438 r5 : 89322448 r4 : 0000000a
[ 76.589686] r3 : 6b6b6b6b r2 : 12d79029 r1 : 800e0113 r0 : 6b6b6b6b
[ 76.596223] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 76.603369] Control: 10c5387d Table: 8933406a DAC: 00000051
[ 76.609120] Process kworker/0:0 (pid: 5, stack limit = 0x8fb8cf7e)
[ 76.615315] Stack: (0x84113f08 to 0x84114000)
[ 76.619685] 3f00: 89322448 840e9280 bf6caf40 bf6ce100 00000000 00000000
[ 76.627875] 3f20: 00000000 8013f14c 84112000 bf6caf40 bf6caf58
840e9280 bf6caf40 840e9294
[ 76.636065] 3f40: bf6caf58 80c03d00 00000008 84112000 bf6caf40
8013f3e8 00000000 80d0bbb0
[ 76.644255] 3f60: 00000000 840a7640 840a77c0 84112000 840ede7c
8013f3a4 840e9280 840a7664
[ 76.652445] 3f80: 00000000 801467d8 00000000 840a77c0 80146694
00000000 00000000 00000000
[ 76.660634] 3fa0: 00000000 00000000 00000000 80100150 00000000
00000000 00000000 00000000
[ 76.668823] 3fc0: 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000
[ 76.677012] 3fe0: 00000000 00000000 00000000 00000000 00000013
00000000 00000000 00000000
[ 76.685203] [<805911a8>] (usb_kill_urb) from [<7f1168c4>]
(acm_softint+0x4c/0x10c [cdc_acm])
[ 76.693690] [<7f1168c4>] (acm_softint [cdc_acm]) from [<8013f14c>]
(process_one_work+0x1bc/0x414)
[ 76.702605] [<8013f14c>] (process_one_work) from [<8013f3e8>]
(worker_thread+0x44/0x4dc)
[ 76.710719] [<8013f3e8>] (worker_thread) from [<801467d8>]
(kthread+0x144/0x180)
[ 76.718139] [<801467d8>] (kthread) from [<80100150>] (ret_from_fork+0x14/0x24)
[ 76.725380] Exception stack(0x84113fb0 to 0x84113ff8)
[ 76.730443] 3fa0: 00000000 00000000 00000000 00000000
[ 76.738632] 3fc0: 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000
[ 76.746819] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 76.753448] Code: eaffffe0 eb081505 e2503000 012fff1e (e5932028)
[ 76.761647] ---[ end trace 05b398f82b2a04b9 ]---
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: usb: cdc-acm: BUG kmalloc-128 Poison overwritten
2021-02-18 15:52 ` Bruno Thomsen
@ 2021-02-22 9:36 ` Oliver Neukum
2021-02-24 15:21 ` Bruno Thomsen
0 siblings, 1 reply; 8+ messages in thread
From: Oliver Neukum @ 2021-02-22 9:36 UTC (permalink / raw)
To: Bruno Thomsen, linux-usb,
moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE,
open list
Cc: Bruno Thomsen, Lars Alex Pedersen
Am Donnerstag, den 18.02.2021, 16:52 +0100 schrieb Bruno Thomsen:
> Den fre. 12. feb. 2021 kl. 16.33 skrev Bruno Thomsen <bruno.thomsen@gmail.com>:
> > Hi,
> >
> > I have been experience random kernel oops in the cdc-acm driver on
> > imx7 (arm arch). Normally it happens during the first 1-3min runtime
> > after power-on. Below oops is from 5.8.17 mainline kernel with an
> > extra patch back-ported in an attempt to fix it:
> > 38203b8385 ("usb: cdc-acm: fix cooldown mechanism")
>
> I can now boot board with 5.11 kernel without any extra patches and
> it produce similar issue. Hopefully that make the oops more useful.
> Issue has been seen on multiple devices, so I don't think it's a bad
> hardware issue.
Hi,
is this a regression from 5.10?
Regards
Oliver
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: usb: cdc-acm: BUG kmalloc-128 Poison overwritten
2021-02-22 9:36 ` Oliver Neukum
@ 2021-02-24 15:21 ` Bruno Thomsen
2021-02-25 9:57 ` Oliver Neukum
0 siblings, 1 reply; 8+ messages in thread
From: Bruno Thomsen @ 2021-02-24 15:21 UTC (permalink / raw)
To: Oliver Neukum
Cc: linux-usb,
moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE,
open list, Bruno Thomsen, Lars Alex Pedersen
Den man. 22. feb. 2021 kl. 10.36 skrev Oliver Neukum <oneukum@suse.com>:
>
> Am Donnerstag, den 18.02.2021, 16:52 +0100 schrieb Bruno Thomsen:
> > Den fre. 12. feb. 2021 kl. 16.33 skrev Bruno Thomsen <bruno.thomsen@gmail.com>:
> > > Hi,
> > >
> > > I have been experience random kernel oops in the cdc-acm driver on
> > > imx7 (arm arch). Normally it happens during the first 1-3min runtime
> > > after power-on. Below oops is from 5.8.17 mainline kernel with an
> > > extra patch back-ported in an attempt to fix it:
> > > 38203b8385 ("usb: cdc-acm: fix cooldown mechanism")
> >
> > I can now boot board with 5.11 kernel without any extra patches and
> > it produce similar issue. Hopefully that make the oops more useful.
> > Issue has been seen on multiple devices, so I don't think it's a bad
> > hardware issue.
>
> is this a regression from 5.10?
Hi Oliver
No, this is not a regression from 5.10. It seems that many attempts to
fix cdc-acm in the 5.x kernel series have failed to fix the root cause of
these oops. I have not seen this on 4.14 and 4.19, but I have observed
it on at least 5.3 and newer kernels in slight variations.
I guess this is because cdc-acm is very common in the embedded
ARM world and rarely used on servers or laptops. Combined with
ARM devices still commonly use 4.x LTS kernels. Not sure if
hardening options on the kernel has increased change of reproducing
oops.
I am ready to test new patches and will continue to report oops
/Bruno
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: usb: cdc-acm: BUG kmalloc-128 Poison overwritten
2021-02-24 15:21 ` Bruno Thomsen
@ 2021-02-25 9:57 ` Oliver Neukum
2021-02-26 14:14 ` Bruno Thomsen
0 siblings, 1 reply; 8+ messages in thread
From: Oliver Neukum @ 2021-02-25 9:57 UTC (permalink / raw)
To: Bruno Thomsen
Cc: linux-usb,
moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE,
open list, Bruno Thomsen, Lars Alex Pedersen
[-- Attachment #1: Type: text/plain, Size: 859 bytes --]
Am Mittwoch, den 24.02.2021, 16:21 +0100 schrieb Bruno Thomsen:
Hi,
> No, this is not a regression from 5.10. It seems that many attempts to
> fix cdc-acm in the 5.x kernel series have failed to fix the root cause of
> these oops. I have not seen this on 4.14 and 4.19, but I have observed
> it on at least 5.3 and newer kernels in slight variations.
> I guess this is because cdc-acm is very common in the embedded
> ARM world and rarely used on servers or laptops. Combined with
> ARM devices still commonly use 4.x LTS kernels. Not sure if
> hardening options on the kernel has increased change of reproducing
> oops.
OK, so this is not an additional problem.
According to your logs, an URB that should have been killed wasn't.
> I am ready to test new patches and will continue to report oops
Could you test the attached patches?
Regards
Oliver
[-- Attachment #2: 0001-cdc-wdm-untangle-a-circular-dependency-between-callb.patch --]
[-- Type: text/x-patch, Size: 3403 bytes --]
From 307097e80657ca44ac99da8efc8397070b1aff3f Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 18 Feb 2021 13:42:40 +0100
Subject: [PATCH 1/2] cdc-wdm: untangle a circular dependency between callback
and softint
We have a cycle of callbacks scheduling works which submit
URBs with thos callbacks. This needs to be blocked, stopped
and unblocked to untangle the circle..
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/usb/class/cdc-wdm.c | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index 508b1c3f8b73..d1e4a7379beb 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -321,12 +321,23 @@ static void wdm_int_callback(struct urb *urb)
}
-static void kill_urbs(struct wdm_device *desc)
+static void poison_urbs(struct wdm_device *desc)
{
/* the order here is essential */
- usb_kill_urb(desc->command);
- usb_kill_urb(desc->validity);
- usb_kill_urb(desc->response);
+ usb_poison_urb(desc->command);
+ usb_poison_urb(desc->validity);
+ usb_poison_urb(desc->response);
+}
+
+static void unpoison_urbs(struct wdm_device *desc)
+{
+ /*
+ * the order here is not essential
+ * it is symmetrical just to be nice
+ */
+ usb_unpoison_urb(desc->response);
+ usb_unpoison_urb(desc->validity);
+ usb_unpoison_urb(desc->command);
}
static void free_urbs(struct wdm_device *desc)
@@ -741,11 +752,12 @@ static int wdm_release(struct inode *inode, struct file *file)
if (!desc->count) {
if (!test_bit(WDM_DISCONNECTING, &desc->flags)) {
dev_dbg(&desc->intf->dev, "wdm_release: cleanup\n");
- kill_urbs(desc);
+ poison_urbs(desc);
spin_lock_irq(&desc->iuspin);
desc->resp_count = 0;
spin_unlock_irq(&desc->iuspin);
desc->manage_power(desc->intf, 0);
+ unpoison_urbs(desc);
} else {
/* must avoid dev_printk here as desc->intf is invalid */
pr_debug(KBUILD_MODNAME " %s: device gone - cleaning up\n", __func__);
@@ -1037,9 +1049,9 @@ static void wdm_disconnect(struct usb_interface *intf)
wake_up_all(&desc->wait);
mutex_lock(&desc->rlock);
mutex_lock(&desc->wlock);
+ poison_urbs(desc);
cancel_work_sync(&desc->rxwork);
cancel_work_sync(&desc->service_outs_intr);
- kill_urbs(desc);
mutex_unlock(&desc->wlock);
mutex_unlock(&desc->rlock);
@@ -1080,9 +1092,10 @@ static int wdm_suspend(struct usb_interface *intf, pm_message_t message)
set_bit(WDM_SUSPENDING, &desc->flags);
spin_unlock_irq(&desc->iuspin);
/* callback submits work - order is essential */
- kill_urbs(desc);
+ poison_urbs(desc);
cancel_work_sync(&desc->rxwork);
cancel_work_sync(&desc->service_outs_intr);
+ unpoison_urbs(desc);
}
if (!PMSG_IS_AUTO(message)) {
mutex_unlock(&desc->wlock);
@@ -1140,7 +1153,7 @@ static int wdm_pre_reset(struct usb_interface *intf)
wake_up_all(&desc->wait);
mutex_lock(&desc->rlock);
mutex_lock(&desc->wlock);
- kill_urbs(desc);
+ poison_urbs(desc);
cancel_work_sync(&desc->rxwork);
cancel_work_sync(&desc->service_outs_intr);
return 0;
@@ -1151,6 +1164,7 @@ static int wdm_post_reset(struct usb_interface *intf)
struct wdm_device *desc = wdm_find_device(intf);
int rv;
+ unpoison_urbs(desc);
clear_bit(WDM_OVERFLOW, &desc->flags);
clear_bit(WDM_RESETTING, &desc->flags);
rv = recover_from_urb_loss(desc);
--
2.26.2
[-- Attachment #3: 0002-cdc-acm-untangle-a-circular-dependency-between-callb.patch --]
[-- Type: text/x-patch, Size: 3680 bytes --]
From 3eeb644af140174ebad6ddce5526bcaf42ccd9c9 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 18 Feb 2021 13:52:28 +0100
Subject: [PATCH 2/2] cdc-acm: untangle a circular dependency between callback
and softint
We have a cycle of callbacks scheduling works which submit
URBs with thos callbacks. This needs to be blocked, stopped
and unblocked to untangle the circle.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/usb/class/cdc-acm.c | 41 +++++++++++++++++++++++++------------
1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 781905745812..235fd1f654a4 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -147,17 +147,29 @@ static inline int acm_set_control(struct acm *acm, int control)
#define acm_send_break(acm, ms) \
acm_ctrl_msg(acm, USB_CDC_REQ_SEND_BREAK, ms, NULL, 0)
-static void acm_kill_urbs(struct acm *acm)
+static void acm_poison_urbs(struct acm *acm)
{
int i;
- usb_kill_urb(acm->ctrlurb);
+ usb_poison_urb(acm->ctrlurb);
for (i = 0; i < ACM_NW; i++)
- usb_kill_urb(acm->wb[i].urb);
+ usb_poison_urb(acm->wb[i].urb);
for (i = 0; i < acm->rx_buflimit; i++)
- usb_kill_urb(acm->read_urbs[i]);
+ usb_poison_urb(acm->read_urbs[i]);
+}
+
+static void acm_unpoison_urbs(struct acm *acm)
+{
+ int i;
+
+ for (i = 0; i < acm->rx_buflimit; i++)
+ usb_unpoison_urb(acm->read_urbs[i]);
+ for (i = 0; i < ACM_NW; i++)
+ usb_unpoison_urb(acm->wb[i].urb);
+ usb_unpoison_urb(acm->ctrlurb);
}
+
/*
* Write buffer management.
* All of these assume proper locks taken by the caller.
@@ -480,11 +492,6 @@ static void acm_read_bulk_callback(struct urb *urb)
dev_vdbg(&acm->data->dev, "got urb %d, len %d, status %d\n",
rb->index, urb->actual_length, status);
- if (!acm->dev) {
- dev_dbg(&acm->data->dev, "%s - disconnected\n", __func__);
- return;
- }
-
switch (status) {
case 0:
usb_mark_last_busy(acm->dev);
@@ -731,6 +738,7 @@ static void acm_port_shutdown(struct tty_port *port)
* Need to grab write_lock to prevent race with resume, but no need to
* hold it due to the tty-port initialised flag.
*/
+ acm_poison_urbs(acm);
spin_lock_irq(&acm->write_lock);
spin_unlock_irq(&acm->write_lock);
@@ -747,7 +755,8 @@ static void acm_port_shutdown(struct tty_port *port)
usb_autopm_put_interface_async(acm->control);
}
- acm_kill_urbs(acm);
+ acm_unpoison_urbs(acm);
+
}
static void acm_tty_cleanup(struct tty_struct *tty)
@@ -1540,8 +1549,14 @@ static void acm_disconnect(struct usb_interface *intf)
if (!acm)
return;
- mutex_lock(&acm->mutex);
acm->disconnected = true;
+ /*
+ * there is a circular dependency. acm_softint() can resubmit
+ * the URBs in error handling so we need to block any
+ * submission right away
+ */
+ acm_poison_urbs(acm);
+ mutex_lock(&acm->mutex);
if (acm->country_codes) {
device_remove_file(&acm->control->dev,
&dev_attr_wCountryCodes);
@@ -1560,7 +1575,6 @@ static void acm_disconnect(struct usb_interface *intf)
tty_kref_put(tty);
}
- acm_kill_urbs(acm);
cancel_delayed_work_sync(&acm->dwork);
tty_unregister_device(acm_tty_driver, acm->minor);
@@ -1602,7 +1616,7 @@ static int acm_suspend(struct usb_interface *intf, pm_message_t message)
if (cnt)
return 0;
- acm_kill_urbs(acm);
+ acm_poison_urbs(acm);
cancel_delayed_work_sync(&acm->dwork);
acm->urbs_in_error_delay = 0;
@@ -1615,6 +1629,7 @@ static int acm_resume(struct usb_interface *intf)
struct urb *urb;
int rv = 0;
+ acm_unpoison_urbs(acm);
spin_lock_irq(&acm->write_lock);
if (--acm->susp_count)
--
2.26.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: usb: cdc-acm: BUG kmalloc-128 Poison overwritten
2021-02-25 9:57 ` Oliver Neukum
@ 2021-02-26 14:14 ` Bruno Thomsen
2021-03-08 8:50 ` Bruno Thomsen
0 siblings, 1 reply; 8+ messages in thread
From: Bruno Thomsen @ 2021-02-26 14:14 UTC (permalink / raw)
To: Oliver Neukum
Cc: linux-usb,
moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE,
open list, Bruno Thomsen, Lars Alex Pedersen
Den tor. 25. feb. 2021 kl. 10.57 skrev Oliver Neukum <oneukum@suse.com>:
>
> Am Mittwoch, den 24.02.2021, 16:21 +0100 schrieb Bruno Thomsen:
>
> Hi,
>
> > No, this is not a regression from 5.10. It seems that many attempts to
> > fix cdc-acm in the 5.x kernel series have failed to fix the root cause of
> > these oops. I have not seen this on 4.14 and 4.19, but I have observed
> > it on at least 5.3 and newer kernels in slight variations.
> > I guess this is because cdc-acm is very common in the embedded
> > ARM world and rarely used on servers or laptops. Combined with
> > ARM devices still commonly use 4.x LTS kernels. Not sure if
> > hardening options on the kernel has increased change of reproducing
> > oops.
>
> OK, so this is not an additional problem.
> According to your logs, an URB that should have been killed wasn't.
Thanks for looking into this bug rapport.
> > I am ready to test new patches and will continue to report oops
>
> Could you test the attached patches?
Yes, I am already running tests on the patches.
I have not seen any oops yet and it seems the USB cdc-acm driver is still
working as intended.
The only notable trace I have seen is this new error from the cdc-acm driver
but everything kept on working.
kernel: cdc_acm 1-1.1:1.7: acm_start_wb - usb_submit_urb(write bulk) failed: -19
Other then that I see this common error (should probably be a warning) during
device enumeration:
kernel: cdc_acm 1-1.2:1.0: failed to set dtr/rts
I will post an update next week when the patches have survived some
more runtime.
/Bruno
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: usb: cdc-acm: BUG kmalloc-128 Poison overwritten
2021-02-26 14:14 ` Bruno Thomsen
@ 2021-03-08 8:50 ` Bruno Thomsen
2021-03-08 9:57 ` Oliver Neukum
0 siblings, 1 reply; 8+ messages in thread
From: Bruno Thomsen @ 2021-03-08 8:50 UTC (permalink / raw)
To: Oliver Neukum
Cc: linux-usb,
moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE,
open list, Bruno Thomsen, Lars Alex Pedersen
Den fre. 26. feb. 2021 kl. 15.14 skrev Bruno Thomsen <bruno.thomsen@gmail.com>:
>
> Den tor. 25. feb. 2021 kl. 10.57 skrev Oliver Neukum <oneukum@suse.com>:
> >
> > Am Mittwoch, den 24.02.2021, 16:21 +0100 schrieb Bruno Thomsen:
> >
> > Hi,
> >
> > > No, this is not a regression from 5.10. It seems that many attempts to
> > > fix cdc-acm in the 5.x kernel series have failed to fix the root cause of
> > > these oops. I have not seen this on 4.14 and 4.19, but I have observed
> > > it on at least 5.3 and newer kernels in slight variations.
> > > I guess this is because cdc-acm is very common in the embedded
> > > ARM world and rarely used on servers or laptops. Combined with
> > > ARM devices still commonly use 4.x LTS kernels. Not sure if
> > > hardening options on the kernel has increased change of reproducing
> > > oops.
> >
> > OK, so this is not an additional problem.
> > According to your logs, an URB that should have been killed wasn't.
>
> Thanks for looking into this bug rapport.
>
> > > I am ready to test new patches and will continue to report oops
> >
> > Could you test the attached patches?
>
> Yes, I am already running tests on the patches.
> I have not seen any oops yet and it seems the USB cdc-acm driver is still
> working as intended.
>
> The only notable trace I have seen is this new error from the cdc-acm driver
> but everything kept on working.
> kernel: cdc_acm 1-1.1:1.7: acm_start_wb - usb_submit_urb(write bulk) failed: -19
>
> Other then that I see this common error (should probably be a warning) during
> device enumeration:
> kernel: cdc_acm 1-1.2:1.0: failed to set dtr/rts
>
> I will post an update next week when the patches have survived some
> more runtime.
Tested-by: Bruno Thomsen <bruno.thomsen@gmail.com>
I have not observed any oops with patches applied. Patches have seen
more than 10 weeks of runtime testing across multiple devices.
/Bruno
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: usb: cdc-acm: BUG kmalloc-128 Poison overwritten
2021-03-08 8:50 ` Bruno Thomsen
@ 2021-03-08 9:57 ` Oliver Neukum
0 siblings, 0 replies; 8+ messages in thread
From: Oliver Neukum @ 2021-03-08 9:57 UTC (permalink / raw)
To: Bruno Thomsen
Cc: linux-usb,
moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE,
open list, Bruno Thomsen, Lars Alex Pedersen
Am Montag, den 08.03.2021, 09:50 +0100 schrieb Bruno Thomsen:
>
> Tested-by: Bruno Thomsen <bruno.thomsen@gmail.com>
>
> I have not observed any oops with patches applied. Patches have seen
> more than 10 weeks of runtime testing across multiple devices.
Hi,
that is good news. I shall send them upstream.
Regards
Oliver
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2021-03-08 9:58 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-12 15:33 usb: cdc-acm: BUG kmalloc-128 Poison overwritten Bruno Thomsen
2021-02-18 15:52 ` Bruno Thomsen
2021-02-22 9:36 ` Oliver Neukum
2021-02-24 15:21 ` Bruno Thomsen
2021-02-25 9:57 ` Oliver Neukum
2021-02-26 14:14 ` Bruno Thomsen
2021-03-08 8:50 ` Bruno Thomsen
2021-03-08 9:57 ` Oliver Neukum
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).