linux-kernel.vger.kernel.org archive mirror
* 3.11-rc2: unprivileged user crashes kernel using bluetooth
@ 2013-08-31 10:01 Pavel Machek
  2013-08-31 10:09 ` Pavel Machek
  0 siblings, 1 reply; 9+ messages in thread
From: Pavel Machek @ 2013-08-31 10:01 UTC (permalink / raw)
  To: marcel, gustavo, johan.hedberg, linux-bluetooth, kernel list

Hi!

While trying to set up a serial bluetooth connection between two
machines, the server machine died rather hard.

This is what I got on ssh:

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:Hardware name: LENOVO 17097HU/17097HU, BIOS 7BETD8WW (2.19 )
 03/31/2011

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:task: e6d6a670 ti: e8fd8000 task.ti: e8fd8000

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:Stack:

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:Call Trace:

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:Code: 66 ff ff ff eb b9 ba 79 c9 b6 c0 89 d8 e8 58 ff ff ff eb
 a0 8d b6 00 00 00 00 55 89 e5 83 ec 10 89 5d f4 89 c3 89 75 f8 89 7d
 fc <81> 78 04 ad 4e ad de 0f 85 11 01 00 00 64 a1 4c 87 d2 c0 39 43

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:EIP: [<c04621f1>] do_raw_spin_lock+0x11/0x140 SS:ESP
 0068:e8fd9e0c

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:CPU: 0 PID: 3822 Comm: modem-manager Tainted: G      D W
 3.11.0-rc2+ #306

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:Hardware name: LENOVO 17097HU/17097HU, BIOS 7BETD8WW (2.19 )
 03/31/2011

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:task: e6d9a670 ti: e6d4e000 task.ti: e6d4e000

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:Stack:

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:Call Trace:

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:Code: 66 ff ff ff eb b9 ba 79 c9 b6 c0 89 d8 e8 58 ff ff ff eb
 a0 8d b6 00 00 00 00 55 89 e5 83 ec 10 89 5d f4 89 c3 89 75 f8 89 7d
 fc <81> 78 04 ad 4e ad de 0f 85 11 01 00 00 64 a1 4c 87 d2 c0 39 43

Message from syslogd@duo at Aug 31 11:50:07 ...
 kernel:EIP: [<c04621f1>] do_raw_spin_lock+0x11/0x140 SS:ESP
 0068:e6d4fe0c

. Python sources for client/server are at 

http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/

. My kernels like to warn about

Aug 31 11:46:37 duo kernel: WARNING: CPU: 1 PID: 1 at
net/wireless/reg.c:423 regulatory_init+0x92/0xff()
Aug 31 11:46:37 duo kernel: db.txt is empty, you should update it...

. 3.10 does not seem to be affected.
										Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


* Re: 3.11-rc2: unprivileged user crashes kernel using bluetooth
  2013-08-31 10:01 3.11-rc2: unprivileged user crashes kernel using bluetooth Pavel Machek
@ 2013-08-31 10:09 ` Pavel Machek
  2013-08-31 10:12   ` 3.10: " Pavel Machek
  2013-08-31 10:14   ` 3.11-rc2: " Pavel Machek
  0 siblings, 2 replies; 9+ messages in thread
From: Pavel Machek @ 2013-08-31 10:09 UTC (permalink / raw)
  To: marcel, gustavo, johan.hedberg, linux-bluetooth, kernel list

Hi!

> . Python sources for client/server are at 
> 
> http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
> 
> . My kernels like to warn about
> 
> Aug 31 11:46:37 duo kernel: WARNING: CPU: 1 PID: 1 at
> net/wireless/reg.c:423 regulatory_init+0x92/0xff()
> Aug 31 11:46:37 duo kernel: db.txt is empty, you should update it...
> 
> . 3.10 does not seem to be affected.

When I said 3.10 was not affected, I was wrong. 3.10 survived the
test, but when I attempted to reboot the box, I got 

WARNING: at lib/list_debug.c:59 __list_del_entry+0xac/0xe0()
list_del_corruption. prev->next should be f44fffd4, but was f44c402c
...
...Comm: bluetoothd....
Call trace:
...
__list_del_entry
cd_forget
evict
iput

System is debian stable with gnome2.
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


* 3.10: unprivileged user crashes kernel using bluetooth
  2013-08-31 10:09 ` Pavel Machek
@ 2013-08-31 10:12   ` Pavel Machek
  2013-08-31 10:14   ` 3.11-rc2: " Pavel Machek
  1 sibling, 0 replies; 9+ messages in thread
From: Pavel Machek @ 2013-08-31 10:12 UTC (permalink / raw)
  To: marcel, gustavo, johan.hedberg, linux-bluetooth, kernel list

On Sat 2013-08-31 12:09:33, Pavel Machek wrote:
> Hi!
> 
> > . Python sources for client/server are at 
> > 
> > http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
> > 
> > . My kernels like to warn about
> > 
> > Aug 31 11:46:37 duo kernel: WARNING: CPU: 1 PID: 1 at
> > net/wireless/reg.c:423 regulatory_init+0x92/0xff()
> > Aug 31 11:46:37 duo kernel: db.txt is empty, you should update it...
> > 
> > . 3.10 does not seem to be affected.
> 
> When I said 3.10 was not affected, I was wrong. 3.10 survived the
> test, but when I attempted to reboot the box, I got 
> 
> WARNING: at lib/list_debug.c:59 __list_del_entry+0xac/0xe0()
> list_del_corruption. prev->next should be f44fffd4, but was f44c402c
> ...
> ...Comm: bluetoothd....
> Call trace:
> ...
> __list_del_entry
> cd_forget
> evict
> iput

Aha, I have even better dump in the logs:

<6>cfg80211: Calling CRDA to update world regulatory domain
<6>wlan0: authenticate with 00:11:95:05:30:d7
<6>wlan0: send auth to 00:11:95:05:30:d7 (try 1/3)
<6>iwl3945 0000:03:00.0 wlan0: disabling HT as WMM/QoS is not
supported by the AP
<6>iwl3945 0000:03:00.0 wlan0: disabling VHT as WMM/QoS is not
supported by the AP
<6>wlan0: RX AssocResp from 00:11:95:05:30:d7 (capab=0x401 status=0
aid=2)
<6>wlan0: associated
<4>the code is fine but needs lockdep annotation.
<4>turning off the locking correctness validator.
<4> edd4cc30 f3187db0 c095a48c f3187df0 c027c43e c0b27dcc f5f71670
00000000
<4> 00000000 f3187df4 00000246 edd4cc30 c10253b0 00000000 00000000
c10253b0
<4> [<c095a48c>] dump_stack+0x16/0x18
<4> [<c027c43e>] __lock_acquire+0x71e/0xcf0
<4> [<c027ca74>] lock_acquire+0x64/0x80
<4> [<c04e59ec>] ? tty_buffer_flush+0x1c/0xd0
<4> [<c095d52b>] _raw_spin_lock_irqsave+0x3b/0x50
<4> [<c04e59ec>] ? tty_buffer_flush+0x1c/0xd0
<4> [<c04e59ec>] tty_buffer_flush+0x1c/0xd0
<4> [<c04df38f>] tty_ioctl+0x5bf/0xa80
<4> [<c027c0a6>] ? __lock_acquire+0x386/0xcf0
<4> [<c02e4899>] do_vfs_ioctl+0x89/0x5b0
<4> [<c0455873>] ? debug_check_no_obj_freed+0xe3/0x190
<4> [<c02e2ac8>] ? final_putname+0x18/0x40
<4> [<c095e4b8>] sysenter_do_call+0x12/0x31
<6>wlan0: deauthenticated from 00:11:95:05:30:d7 (Reason: 3)
<6>cfg80211: Calling CRDA to update world regulatory domain
<6>wlan0: authenticate with 00:11:95:05:30:d7
<6>wlan0: send auth to 00:11:95:05:30:d7 (try 1/3)
<6>wlan0: authenticated
<6>iwl3945 0000:03:00.0 wlan0: disabling HT as WMM/QoS is not
supported by the AP
<6>iwl3945 0000:03:00.0 wlan0: disabling VHT as WMM/QoS is not
supported by the AP
<6>wlan0: associate with 00:11:95:05:30:d7 (try 1/3)
<6>wlan0: RX AssocResp from 00:11:95:05:30:d7 (capab=0x401 status=0
aid=2)
<6>wlan0: associated
<6>wlan0: deauthenticated from 00:11:95:05:30:d7 (Reason: 3)
<6>cfg80211: Calling CRDA to update world regulatory domain
<6>wlan0: authenticated
<6>iwl3945 0000:03:00.0 wlan0: disabling HT as WMM/QoS is not
supported by the AP
<6>iwl3945 0000:03:00.0 wlan0: disabling VHT as WMM/QoS is not
supported by the AP

Broadcast message from root@duo (console) (Sat Aug 31 12:05:57 2013):

The system is going down for reboot NOW!
<7>uhci_hcd 0000:00:1d.3: release dev 2 ep81-INT, period 1, phase 0,
23 us
<4>WARNING: at lib/list_debug.c:59 __list_del_entry+0xac/0xe0()
<4>list_del corruption. prev->next should be f44fffd4, but was
f44c402c
<4>Modules linked in:
<4>CPU: 0 PID: 2801 Comm: bluetoothd Tainted: G        W    3.10.0+
#293
<4>Hardware name: LENOVO 17097HU/17097HU, BIOS 7BETD8WW (2.19 )
03/31/2011
<4> 0000003b f0933e14 c095a48c f0933e3c c022c96f c0b47bcc f0933e68
0000003b
<4> c0454ddc c0454ddc f44c402c f44fffd4 f44c4000 f0933e54 c022ca0e
00000009
<4> f0933e4c c0b47bcc f0933e68 f0933e74 c0454ddc c0b474dd 0000003b
c0b47bcc
<4>Call Trace:
<4> [<c095a48c>] dump_stack+0x16/0x18
<4> [<c022c96f>] warn_slowpath_common+0x5f/0x80
<4> [<c0454ddc>] ? __list_del_entry+0xac/0xe0
<4> [<c0454ddc>] ? __list_del_entry+0xac/0xe0
<4> [<c0454ddc>] __list_del_entry+0xac/0xe0
<4> [<c02d9276>] cd_forget+0x26/0x60
<4> [<c02ebc69>] evict+0x119/0x170
<4> [<c02ebda6>] iput+0xe6/0x170
<4> [<c02e950f>] d_kill+0xaf/0x100
<4> [<c02e9bf6>] dput+0xc6/0x170
<4> [<c02d6d84>] __fput+0x154/0x200
<4> [<c02d6e98>] ____fput+0x8/0x10
<4> [<c0247a61>] task_work_run+0x81/0xb0
<1>BUG: unable to handle kernel paging request at fffffffc
<1>IP: [<c02d3943>] filp_close+0x13/0x80
<4>*pde = 00d14067 *pte = 00000000 
<4>Oops: 0000 [#2] SMP DEBUG_PAGEALLOC
<4>Modules linked in:
<0>CPU: 1 PID: 3735 Comm: python Tainted: G      D W    3.10.0+ #293
<0>Hardware name: LENOVO 17097HU/17097HU, BIOS 7BETD8WW (2.19 )
03/31/2011
<0>task: f29c6670 ti: edf28000 task.ti: edf28000
<4>EIP: 0060:[<c02d3943>] EFLAGS: 00210282 CPU: 1
<4>EIP is at filp_close+0x13/0x80
<4>EAX: ffffffc0 EBX: ffffffc0 ECX: 00000000 EDX: ee297f00
<4>ESI: ee297f00 EDI: f4779be0 EBP: edf29de0 ESP: edf29dd0
<4> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
<4>CR0: 8005003b CR2: fffffffc CR3: 00d13000 CR4: 00000710
<4>DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
<4>DR6: ffff0ff0 DR7: 00000400
<0>Stack:
<4> 00200246 00000000 0000001f f4779be0 edf29e0c c02ee2a5 00000002
00000001
<4> 00000000 c02ee21a 00000000 ee297f00 f29c6670 ee297f00 f29c6a54
edf29e20
<4> c02ee372 edfdadc0 f29c6670 f29c6a54 edf29e74 c0231e25 c02eff30
00000000
<0>Call Trace:
<4> [<c02ee2a5>] put_files_struct+0xa5/0x130
<4> [<c02ee21a>] ? put_files_struct+0x1a/0x130
<4> [<c02ee372>] exit_files+0x42/0x60
<4> [<c0231e25>] do_exit+0x205/0x850
<4> [<c02eff30>] ? mntput_no_expire+0x30/0xf0
<4> [<c023d454>] ? get_signal_to_deliver+0xa4/0x570
<4> [<c02324a9>] do_group_exit+0x39/0xa0
<4> [<c023d540>] get_signal_to_deliver+0x190/0x570
<4> [<c095db2d>] ? _raw_spin_unlock+0x1d/0x20
<4> [<c0201237>] do_signal+0x37/0x930
<4> [<c07eccc6>] ? sys_recv+0x36/0x40
<4> [<c07ecd7c>] ? SyS_socketcall+0xac/0x290
<4> [<c0201b68>] do_notify_resume+0x38/0x50
<4> [<c095dee2>] work_notifysig+0x24/0x2a
<0>Code: 09 3d fc fd ff ff 74 02 5d c3 b8 fc ff ff ff 5d c3 8d b4 26
00 00 00 00 55 89 e5 83 ec 10 89 5d f4 89 c3 89 75 f8 89 d6 89 7d fc
<8b> 40 3c 85 c0 74 4a 8b 43 14 85 c0 74 3f 8b 48 30 85 c9 74 38
<0>EIP: [<c02d3943>] filp_close+0x13/0x80 SS:ESP 0068:edf29dd0
<4>CR2: 00000000fffffffc
<4>---[ end trace 6a53890e7df0f3dc ]---
<1>Fixing recursive fault but reboot is needed!
<6>wlan0: deauthenticating from 00:11:95:05:30:d7 by local choice
(reason=3)
<6>cfg80211: Calling CRDA to update world regulatory domain

									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


* Re: 3.11-rc2: unprivileged user crashes kernel using bluetooth
  2013-08-31 10:09 ` Pavel Machek
  2013-08-31 10:12   ` 3.10: " Pavel Machek
@ 2013-08-31 10:14   ` Pavel Machek
  2013-08-31 10:42     ` 3.11-rc7: " Pavel Machek
  1 sibling, 1 reply; 9+ messages in thread
From: Pavel Machek @ 2013-08-31 10:14 UTC (permalink / raw)
  To: marcel, gustavo, johan.hedberg, linux-bluetooth, kernel list

On Sat 2013-08-31 12:09:33, Pavel Machek wrote:
> Hi!
> 
> > . Python sources for client/server are at 
> > 
> > http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
> > 
> > . My kernels like to warn about
> System is debian stable with gnome2.

And no, it is not fixed in 3.11-rc7.

								Pavel

pavel@duo:~$ uname -a
Linux duo 3.11.0-rc7+ #309 SMP Sat Aug 31 11:49:01 CEST 2013 i686
GNU/Linux
pavel@duo:~$ sudo cat /proc/kmsg 
[sudo] password for pavel: 
<4> [<c04f4c6c>] ? tty_buffer_flush+0x1c/0xd0
<4> [<c0463593>] ? debug_check_no_obj_freed+0xe3/0x190
<4> [<c02ee478>] ? final_putname+0x18/0x40
<4> [<c02ee478>] ? final_putname+0x18/0x40
<4> [<c02df45c>] ? do_sys_open+0x19c/0x220
<4> [<c02f0775>] SyS_ioctl+0x45/0x70
<4> [<c0986638>] sysenter_do_call+0x12/0x31
<0>Code: 24 04 fb 0b 00 00 c7 04 24 65 76 b5 c0 e8 57 f3 fa ff 31 c0
eb ad 8d 76 00 8b 44 9e 04 85 c0 89 45 f0 0f 84 b2 fe ff ff 8b 4d f0
<f0> ff 81 04 01 00 00 8b 0d 64 8e d5 c0 8b 9f 3c 04 00 00 85 c9
<4>CR2: 00000000c02e0e52
<4> 00000a67 c0b533ab 0000009f c0238d28 c0238d28 f2ec6e38 f2ec6f6c
f2ec6d10
<4> f549fb5c c0234ecd 00000009 00000000 f549fb64 c0238d28 f549fb70
c09857c5
<4> [<c0234e8a>] warn_slowpath_common+0x7a/0xa0
<4> [<c0238d28>] ? local_bh_enable_ip+0x58/0x80
<4> [<c09857c5>] _raw_write_unlock_bh+0x25/0x30
<4> [<c08c8643>] unix_release_sock+0x73/0x230
<4> [<c02daf4e>] ? kfree_debugcheck+0xe/0x30
<4> [<c08c8814>] unix_release+0x14/0x20
<4> [<c081dd4b>] sock_release+0x1b/0x80
<4> [<c081e0ab>] sock_close+0xb/0x10
<4> [<c02e2688>] __fput+0x88/0x1f0
<4> [<c02e2888>] ____fput+0x8/0x10
<4> [<c024d0d1>] task_work_run+0x81/0xb0
<4> [<c0236e8e>] do_exit+0x22e/0x860
<4> [<c0204c7b>] oops_end+0x8b/0xd0
<4> [<c09863da>] error_code+0x5a/0x60
<4> [<c02e0d4e>] ? do_sync_read+0x6e/0xa0
<4> [<c02e0d4e>] ? do_sync_read+0x6e/0xa0
<4> [<c022d810>] ? __do_page_fault+0x400/0x400
<4> [<c0285bc2>] ? __lock_acquire+0x192/0xcf0
<4> [<c02fbb39>] ? mntput_no_expire+0x19/0xf0
<4> [<c02e0d4e>] ? do_sync_read+0x6e/0xa0
<4> [<c04f4c6c>] ? tty_buffer_flush+0x1c/0xd0
<4> [<c04f4c6c>] tty_buffer_flush+0x1c/0xd0
<4> [<c04ee5cf>] tty_ioctl+0x5bf/0xa80
<4> [<c0285db6>] ? __lock_acquire+0x386/0xcf0
<4> [<c022ea21>] ? kernel_map_pages+0x71/0xf0
<4> [<c04ee010>] ? tty_check_change+0xe0/0xe0
<4> [<c02f0209>] do_vfs_ioctl+0x89/0x5b0
<4> [<c0463593>] ? debug_check_no_obj_freed+0xe3/0x190
<4> [<c02ee478>] ? final_putname+0x18/0x40
<4> [<c02f0775>] SyS_ioctl+0x45/0x70
<4>---[ end trace f66d593cc2b02657 ]---
Message from syslogd@duo at Aug 31 12:13:17 ...
 kernel:CPU: 0 PID: 2663 Comm: modem-manager Tainted: G        W
 3.11.0-rc7+ #309

Message from syslogd@duo at Aug 31 12:13:17 ...
 kernel:Hardware name: LENOVO 17097HU/17097HU, BIOS 7BETD8WW (2.19 )
 03/31/2011

Message from syslogd@duo at Aug 31 12:13:17 ...
 kernel:task: f5f16670 ti: f549e000 task.ti: f549e000

Message from syslogd@duo at Aug 31 12:13:17 ...
 kernel:Stack:

Message from syslogd@duo at Aug 31 12:13:17 ...
 kernel:Call Trace:

Message from syslogd@duo at Aug 31 12:13:17 ...
 kernel:EIP: [<c0285bc2>] __lock_acquire+0x192/0xcf0 SS:ESP
 0068:f549fdb8
<1>BUG: unable to handle kernel paging request at eb823c24
<1>IP: [<c0462691>] do_raw_spin_lock+0x11/0x140
<4>*pde = 3733f067 *pte = 2b823060 
<4>Oops: 0000 [#2] SMP DEBUG_PAGEALLOC
<4>Modules linked in:
<0>CPU: 1 PID: 3804 Comm: modem-manager Tainted: G      D W
 3.11.0-rc7+ #309
<0>Hardware name: LENOVO 17097HU/17097HU, BIOS 7BETD8WW (2.19 )
 03/31/2011
<0>task: eae37670 ti: eba0a000 task.ti: eba0a000
<4>EIP: 0060:[<c0462691>] EFLAGS: 00010086 CPU: 1
<4>EIP is at do_raw_spin_lock+0x11/0x140
<4>EAX: eb823c20 EBX: eb823c20 ECX: 00000000 EDX: 00000000
<4>ESI: 00000286 EDI: eb823c20 EBP: eba0be1c ESP: eba0be0c
<4> DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
<4>CR0: 80050033 CR2: eb823c24 CR3: 2acb4000 CR4: 00000710
<0>Stack:
<4> 00000000 eb823c20 00000286 eb823c20 eba0be3c c09856c2 00000000
 00000001
<4> 00000000 c04f4c6c eba09f00 eb823c00 eba0be6c c04f4c6c 0000023b
 ebf1ac00
<4> 00000f44 00000c4b 00000000 000001c5 0003463b eba09f00 ebf1ac00
 00000017
<0>Call Trace:
<4> [<c09856c2>] _raw_spin_lock_irqsave+0x42/0x50
<4> [<c04f4c6c>] ? tty_buffer_flush+0x1c/0xd0
<4> [<c04f4c6c>] tty_buffer_flush+0x1c/0xd0
<4> [<c04ee5cf>] tty_ioctl+0x5bf/0xa80
<4> [<c022ea21>] ? kernel_map_pages+0x71/0xf0
<4> [<c04ee010>] ? tty_check_change+0xe0/0xe0
<4> [<c02f0209>] do_vfs_ioctl+0x89/0x5b0
<4> [<c0463593>] ? debug_check_no_obj_freed+0xe3/0x190
<4> [<c02f90a0>] ? __fd_install+0x20/0x50
<4> [<c02ee478>] ? final_putname+0x18/0x40
<4> [<c02ee478>] ? final_putname+0x18/0x40
<4> [<c02df45c>] ? do_sys_open+0x19c/0x220
<4> [<c02f0775>] SyS_ioctl+0x45/0x70
<4> [<c0986638>] sysenter_do_call+0x12/0x31
<0>Code: 66 ff ff ff eb b9 ba 39 b7 b7 c0 89 d8 e8 58 ff ff ff eb a0
 8d b6 00 00 00 00 55 89 e5 83 ec 10 89 5d f4 89 c3 89 75 f8 89 7d fc
 <81> 78 04 ad 4e ad de 0f 85 11 01 00 00 64 a1 4c 87 d3 c0 39 43
<0>EIP: [<c0462691>] do_raw_spin_lock+0x11/0x140 SS:ESP 0068:eba0be0c
<4>CR2: 00000000eb823c24
<4>---[ end trace f66d593cc2b02658 ]---



-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
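The reports above are raw /proc/kmsg captures, and the interesting question for anyone triaging them is which event is the root cause and which are collateral: once the kernel has oopsed, every later report carries the TAINT_DIE letter ("D" in the "Tainted:" field), so the first report without "D" is the one to look at. The following parser is an added example written for this page, not code from the thread or from the kernel tree. It assumes the 3.10-era i386 oops layout shown above (a `<N>` priority prefix, a `CPU: .. PID: .. Comm: .. Tainted: ..` header, `[<addr>] symbol+off/len` frames and a `---[ end trace id ]---` footer); the sample input is constructed to match that layout and is not a verbatim capture. Lines that an email client has wrapped (as several above are) need to be rejoined before feeding them in.

```python
# Added example: triage parser for WARNING/BUG/Oops reports in /proc/kmsg output.
# Not from the thread or the kernel tree; assumes the 3.10-era i386 layout above.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the thread's excerpts (shortened, not verbatim):
# a list_del warning in bluetoothd, then an oops in the python test program.
SAMPLE_KMSG = """\
<4>WARNING: at lib/list_debug.c:59 __list_del_entry+0xac/0xe0()
<4>list_del corruption. prev->next should be f44fffd4, but was f44c402c
<4>CPU: 0 PID: 2801 Comm: bluetoothd Tainted: G        W    3.10.0+ #293
<4>Call Trace:
<4> [<c0454ddc>] ? __list_del_entry+0xac/0xe0
<4> [<c0454ddc>] __list_del_entry+0xac/0xe0
<4> [<c02d9276>] cd_forget+0x26/0x60
<4> [<c02ebc69>] evict+0x119/0x170
<1>BUG: unable to handle kernel paging request at fffffffc
<1>IP: [<c02d3943>] filp_close+0x13/0x80
<4>Oops: 0000 [#2] SMP DEBUG_PAGEALLOC
<0>CPU: 1 PID: 3735 Comm: python Tainted: G      D W    3.10.0+ #293
<0>Call Trace:
<4> [<c02ee2a5>] put_files_struct+0xa5/0x130
<4> [<c02ee372>] exit_files+0x42/0x60
<4>---[ end trace 6a53890e7df0f3dc ]---
"""

PRIO_RE = re.compile(r"^<\d+>")
WRAP_RE = re.compile(r"^\s*kernel:")  # syslogd "Message from" wrapper seen over ssh
WARN_RE = re.compile(r"^WARNING: (?:CPU: (\d+) PID: (\d+) )?at (\S+) (\S+)\(\)")
BUG_RE = re.compile(r"^BUG: (.*)$")
OOPS_RE = re.compile(r"^Oops: (\w+) \[#(\d+)\]")
CPU_RE = re.compile(
    r"^CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
    r"(?:Tainted: (?P<taint>.*?)|Not tainted)"
    r"(?:\s+(?P<version>\d[\w.+-]*))?(?:\s+#(?P<build>\d+))?\s*$")
IP_RE = re.compile(r"^E?IP: \[<[0-9a-f]+>\] ([^\s+]+)")
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\] (\? )?([^\s+]+)")  # "?" = unreliable frame
END_RE = re.compile(r"^---\[ end trace ([0-9a-f]+) \]---")


@dataclass
class KernelEvent:
    kind: str                       # "warning" or "bug"
    where: str                      # file:line for WARNING, fault text for BUG
    comm: Optional[str] = None
    pid: Optional[int] = None
    cpu: Optional[int] = None
    taint: List[str] = field(default_factory=list)  # taint letters except the GPL "G"
    version: Optional[str] = None
    build: Optional[int] = None
    fault_symbol: Optional[str] = None
    oops_number: Optional[int] = None
    frames: List[Tuple[str, bool]] = field(default_factory=list)  # (symbol, reliable)
    trace_id: Optional[str] = None

    @property
    def secondary(self) -> bool:
        """'D' (TAINT_DIE) means the kernel had already oopsed: collateral, not root cause."""
        return "D" in self.taint


def normalise(raw: str) -> str:
    return WRAP_RE.sub("", PRIO_RE.sub("", raw)).strip()


def parse_kmsg(text: str) -> List[KernelEvent]:
    """Split a kmsg capture into one KernelEvent per WARNING/BUG report."""
    events: List[KernelEvent] = []
    cur: Optional[KernelEvent] = None
    for raw in text.splitlines():
        line = normalise(raw)
        if not line:
            continue
        if m := WARN_RE.match(line):
            cur = KernelEvent("warning", m.group(3), fault_symbol=m.group(4).split("+")[0])
            if m.group(1):
                cur.cpu, cur.pid = int(m.group(1)), int(m.group(2))
            events.append(cur)
        elif m := BUG_RE.match(line):
            cur = KernelEvent("bug", m.group(1))
            events.append(cur)
        elif cur is None:
            continue
        elif m := OOPS_RE.match(line):
            cur.oops_number = int(m.group(2))
        elif m := CPU_RE.match(line):
            cur.cpu, cur.pid, cur.comm = int(m["cpu"]), int(m["pid"]), m["comm"]
            cur.taint = sorted(c for c in (m["taint"] or "") if c.isalpha() and c != "G")
            cur.version = m["version"]
            cur.build = int(m["build"]) if m["build"] else None
        elif m := IP_RE.match(line):
            cur.fault_symbol = m.group(1)
        elif m := FRAME_RE.match(line):
            cur.frames.append((m.group(2), m.group(1) is None))
        elif m := END_RE.match(line):
            cur.trace_id = m.group(1)
            cur = None
    return events


def triage(events: List[KernelEvent]) -> dict:
    """Summarise a capture the way a responder reads it: first non-DIE event is the
    candidate root cause, anything tainted 'D' is downstream damage."""
    primary = next((e for e in events if not e.secondary), None)
    by_comm: dict = {}
    for e in events:
        by_comm[e.comm] = by_comm.get(e.comm, 0) + 1
    return {
        "events": len(events),
        "primary_comm": primary.comm if primary else None,
        "primary_symbol": primary.fault_symbol if primary else None,
        "primary_where": primary.where if primary else None,
        "secondary": sum(1 for e in events if e.secondary),
        "by_comm": by_comm,
        "kernel_versions": sorted({e.version for e in events if e.version}),
    }


if __name__ == "__main__":
    parsed = parse_kmsg(SAMPLE_KMSG)
    for ev in parsed:
        tag = "secondary" if ev.secondary else "primary"
        print(f"{ev.kind:7} {tag:9} comm={ev.comm} pid={ev.pid} at {ev.fault_symbol} ({ev.where})")
    print(triage(parsed))
```

On the sample the list_del warning in bluetoothd comes out as the primary event and the later paging fault in the python process as secondary, which matches how the thread's own dumps read: the "D" taint on the second report says the damage was already done. Feeding the parser a full dmesg from a box that ran an untrusted user's RFCOMM client, and alerting on any primary event whose Comm is an unprivileged process, is the detection side of what this thread describes.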


* Re: 3.11-rc7: unprivileged user crashes kernel using bluetooth
  2013-08-31 10:14   ` 3.11-rc2: " Pavel Machek
@ 2013-08-31 10:42     ` Pavel Machek
  2013-09-01 16:55       ` Gustavo Padovan
  0 siblings, 1 reply; 9+ messages in thread
From: Pavel Machek @ 2013-08-31 10:42 UTC (permalink / raw)
  To: marcel, gustavo, johan.hedberg, linux-bluetooth, kernel list

On Sat 2013-08-31 12:14:51, Pavel Machek wrote:
> On Sat 2013-08-31 12:09:33, Pavel Machek wrote:
> > Hi!
> > 
> > > . Python sources for client/server are at 
> > > 
> > > http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
> > > 
> > > . My kernels like to warn about
> > System is debian stable with gnome2.
> 
> And no, it is not fixed in 3.11-rc7.

2.6.32-5-686 from debian seems to work.

Notice that I probably have modemmanager fighting with my own
server, which is experiencing the problem described in
http://ubuntuforums.org/showthread.php?t=2056285 . That still should
not allow me to crash the kernel.
								Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


* Re: 3.11-rc7: unprivileged user crashes kernel using bluetooth
  2013-08-31 10:42     ` 3.11-rc7: " Pavel Machek
@ 2013-09-01 16:55       ` Gustavo Padovan
  2013-09-01 18:50         ` 3.11-final plan: unprivileged user can crash the kernel (using bluetooth rfcomm) Pavel Machek
  0 siblings, 1 reply; 9+ messages in thread
From: Gustavo Padovan @ 2013-09-01 16:55 UTC (permalink / raw)
  To: Pavel Machek; +Cc: marcel, johan.hedberg, linux-bluetooth, kernel list

Hi Pavel,

2013-08-31 Pavel Machek <pavel@ucw.cz>:

> On Sat 2013-08-31 12:14:51, Pavel Machek wrote:
> > On Sat 2013-08-31 12:09:33, Pavel Machek wrote:
> > > Hi!
> > > 
> > > > . Python sources for client/server are at 
> > > > 
> > > > http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
> > > > 
> > > > . My kernels like to warn about
> > > System is debian stable with gnome2.
> > 
> > And no, it is not fixed in 3.11-rc7.
> 
> 2.6.32-5-686 from debian seems to work.

Could you try linux-next? We recently pushed a rework of the RFCOMM tty
handling; it should fix this. The work was too big to be pushed to 3.11.

	Gustavo


* 3.11-final plan: unprivileged user can crash the kernel (using bluetooth rfcomm)
  2013-09-01 16:55       ` Gustavo Padovan
@ 2013-09-01 18:50         ` Pavel Machek
  2013-09-01 20:16           ` Marcel Holtmann
  0 siblings, 1 reply; 9+ messages in thread
From: Pavel Machek @ 2013-09-01 18:50 UTC (permalink / raw)
  To: Gustavo Padovan, marcel, johan.hedberg, linux-bluetooth,
	kernel list, Linus Torvalds
  Cc: security

Hi!

> > On Sat 2013-08-31 12:14:51, Pavel Machek wrote:
> > > On Sat 2013-08-31 12:09:33, Pavel Machek wrote:
> > > > Hi!
> > > > 
> > > > > . Python sources for client/server are at 
> > > > > 
> > > > > http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
> > > > > 
> > > > > . My kernels like to warn about
> > > > System is debian stable with gnome2.
> > > 
> > > And no, it is not fixed in 3.11-rc7.
> > 
> > 2.6.32-5-686 from debian seems to work.
> 
> Could you try linux-next? We recently pushed a rework of the RFCOMM tty
> handling, it should fix this. The work was too big to be pushed to 3.11

So... In 3.11 an unprivileged user can crash the kernel, but the fix is
too big, so we release it without the fix?

Somehow, I don't think that's a good idea.

Do you have an idea what the impact is? Is it crash-the-kernel or
execute-arbitrary-code?

What about:

a) marking CONFIG_RFCOMM as dangerous in the help text. I just
checked, the help text makes it sound like a good thing.

(joke) b) renaming CONFIG_RFCOMM to CONFIG_LET_USER_CRASH_KERNEL

or better yet:

c) removing CONFIG_RFCOMM option in affected releases? I know
regressions are bad, but...

Multiuser desktops are not too common these days, but all the
Android cellphones are "multiuser"...

Plus note that the bug is so easy to trigger that I hit it in the first
minute of trying to get a non-malicious application to run.

[3.10 seems also affected.]
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


* Re: 3.11-final plan: unprivileged user can crash the kernel (using bluetooth rfcomm)
  2013-09-01 18:50         ` 3.11-final plan: unprivileged user can crash the kernel (using bluetooth rfcomm) Pavel Machek
@ 2013-09-01 20:16           ` Marcel Holtmann
  2013-09-01 22:12             ` Pavel Machek
  0 siblings, 1 reply; 9+ messages in thread
From: Marcel Holtmann @ 2013-09-01 20:16 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Gustavo Padovan, johan.hedberg, linux-bluetooth, kernel list,
	Linus Torvalds, security

Hi Pavel,

>>>>>> . Python sources for client/server are at 
>>>>>> 
>>>>>> http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
>>>>>> 
>>>>>> . My kernels like to warn about
>>>>> System is debian stable with gnome2.
>>>> 
>>>> And no, it is not fixed in 3.11-rc7.
>>> 
>>> 2.6.32-5-686 from debian seems to work.
>> 
>> Could you try linux-next? We recently pushed a rework of the RFCOMM tty
>> handling, it should fix this. The work was too big to be pushed to 3.11
> 
> So... In 3.11 an unprivileged user can crash the kernel, but the fix is
> too big, so we release it without the fix?
> 
> Somehow, I don't think that's good idea.

Can you boot a bluetooth-next kernel and see if the planned changes are fixing this or not? I would like to have that confirmed before we start any speculations here.

If the RFCOMM TTY rework that we have in bluetooth-next fixes this issue, then we can have a look at whether this can be patched for 3.11 or a stable kernel without having to include the whole patch series. Or if the TTY subsystem changed from 2.6.32 so much that we have to take the whole changes.

However, please also note there is a difference between RFCOMM sockets and RFCOMM TTYs. I would be curious if only the TTY part is affected or also the socket part.

Regards

Marcel



* Re: 3.11-final plan: unprivileged user can crash the kernel (using bluetooth rfcomm)
  2013-09-01 20:16           ` Marcel Holtmann
@ 2013-09-01 22:12             ` Pavel Machek
  0 siblings, 0 replies; 9+ messages in thread
From: Pavel Machek @ 2013-09-01 22:12 UTC (permalink / raw)
  To: Marcel Holtmann
  Cc: Gustavo Padovan, johan.hedberg, linux-bluetooth, kernel list,
	Linus Torvalds, security

Hi!

> >>>>>> . Python sources for client/server are at 
> >>>>>> 
> >>>>>> http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
> >>>>>> 

> > So... In 3.11 an unprivileged user can crash the kernel, but the fix is
> > too big, so we release it without the fix?
> > 
> > Somehow, I don't think that's good idea.
> 
> can you boot a bluetooth-next kernel and see if the planned changes are fixing this or not. I would like to have that confirmed before we start any speculations here.
> 
> If the RFCOMM TTY rework that we have in bluetooth-next fixes this issue, then we can have a look at if this can be patched for 3.11 or a stable kernel without having to include the whole patch series. Or if the TTY subsystem changed from 2.6.32 so much that we have to take the whole changes.
> 
> However, please also note there is a difference between RFCOMM sockets and RFCOMM TTYs. I would be curious if only the TTY part is affected or also the socket part.
> 

Well, you are in as good a position to repeat it as I am. Sources are in
the CVS referenced above (and they are trivial). The version that
reproduces the problem is marked as such in the changelog. I already
modified my system to work (not triggering oopsen)...

Yes, I can probably set up linux-next. It will take some time.
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

