* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 [not found] <CAFQ=mRQeV_UHYuU20ppHG6L=mNcr_cKxBMMM731XfWeoEO-L=g@mail.gmail.com> @ 2016-08-21 10:46 ` Jiri Slaby 2016-08-22 17:43 ` Alan Stern 0 siblings, 1 reply; 10+ messages in thread From: Jiri Slaby @ 2016-08-21 10:46 UTC (permalink / raw) To: Vittorio Zecca, stable, USB list, Linux kernel mailing list Cc: proper lists. ep->desc.bInterval seems to be 0 here. On 08/21/2016, 12:42 PM, Vittorio Zecca wrote: > I am not sure this is the right place so please bear with me... > From Vittorio Zecca > > After compiling kernel 4.7.2 with ubsan I got the following messages > at boot time: > > (devio.c:1713 is "as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);") > > [ +0.354486] ================================================================================ > [ +0.000008] UBSAN: Undefined behaviour in > /home/vitti/1tb/vitti/rpmbuild/SOURCES/linux-4.7.2/drivers/usb/core/devio.c:1713:25 > [ +0.000004] shift exponent -1 is negative > [ +0.000005] CPU: 1 PID: 616 Comm: mtp-probe Not tainted 4.7.2sanitized #1 > [ +0.000004] Hardware name: To Be Filled By O.E.M. To Be Filled By > O.E.M./H81M-DGS R2.0, BIOS P1.30 07/02/2014 > [ +0.000003] ffffffff845f1d00 000000006774dd2e ffff880382e5f758 > ffffffff818cad70 > [ +0.000005] 0000000041b58ab3 ffffffff829ffc3e ffffffff818cacbe > ffff880382e5f780 > [ +0.000005] ffff880382e5f730 ffffffffffffffff ffff880382e5f800 > ffffffff845f1d00 > [ +0.000004] Call Trace: > [ +0.000009] [<ffffffff818cad70>] dump_stack+0xb2/0x103 > [ +0.000006] [<ffffffff818cacbe>] ? _atomic_dec_and_lock+0x190/0x190 > [ +0.000005] [<ffffffff819511e3>] ubsan_epilogue+0xd/0x4e > [ +0.000005] [<ffffffff81951cad>] > __ubsan_handle_shift_out_of_bounds+0x1f4/0x24c > [ +0.000005] [<ffffffff81951ab9>] ? > __ubsan_handle_load_invalid_value+0x153/0x153 > [ +0.000007] [<ffffffff81d23fe8>] ? proc_do_submiturb+0xdde/0x21a6 > [ +0.000005] [<ffffffff814be72c>] ? memset+0x31/0x38 > [ +0.000005] [<ffffffff81d099c6>] ? usb_alloc_urb+0xd5/0x13a > [ +0.000004] [<ffffffff814be5bf>] ? kasan_unpoison_shadow+0x35/0x43 > [ +0.000004] [<ffffffff814be5bf>] ? kasan_unpoison_shadow+0x35/0x43 > [ +0.000004] [<ffffffff814be62b>] ? kasan_kmalloc+0x5e/0x64 > [ +0.000005] [<ffffffff814b8c1a>] ? __kmalloc+0x143/0x40f > [ +0.000005] [<ffffffff818f13f1>] ? lockref_put_or_lock+0x8f/0x227 > [ +0.000006] [<ffffffff81d24f02>] proc_do_submiturb+0x1cf8/0x21a6 > [ +0.000004] [<ffffffff81d24f02>] ? proc_do_submiturb+0x1cf8/0x21a6 > [ +0.000006] [<ffffffff813e2df8>] ? __alloc_pages_nodemask+0x26a/0x1ebe > [ +0.000004] [<ffffffff8151635c>] ? cdev_put.part.0+0x46/0x46 > [ +0.000005] [<ffffffff818f15ea>] ? lockref_mark_dead+0x61/0x61 > [ +0.000005] [<ffffffff81d2320a>] ? usbdev_release+0x223/0x223 > [ +0.000005] [<ffffffff813e2b8e>] ? warn_alloc_failed+0x266/0x266 > [ +0.000004] [<ffffffff8155a22a>] ? mntput+0x3b/0x5e > [ +0.000005] [<ffffffff81522f5c>] ? terminate_walk+0xfe/0x2cb > [ +0.000005] [<ffffffff81509cf6>] ? vfs_open+0xb7/0x14f > [ +0.000005] [<ffffffff81d26801>] usbdev_do_ioctl+0x1451/0x25c7 > [ +0.000004] [<ffffffff81d253b0>] ? proc_do_submiturb+0x21a6/0x21a6 > [ +0.000005] [<ffffffff81550407>] ? atime_needs_update+0x28f/0x36c > [ +0.000005] [<ffffffff81550178>] ? new_inode+0x30/0x30 > [ +0.000005] [<ffffffff822087ad>] ? _raw_spin_unlock_bh+0xbf/0xbf > [ +0.000006] [<ffffffff8124f149>] ? enqueue_hrtimer+0x91/0x1c0 > [ +0.000005] [<ffffffff8124edab>] ? lock_hrtimer_base+0x6b/0xc9 > [ +0.000005] [<ffffffff812509a1>] ? hrtimer_start_range_ns+0x4ab/0xba9 > [ +0.000004] [<ffffffff812504f6>] ? hrtimer_init+0xe8/0xe8 > [ +0.000005] [<ffffffff8124f65c>] ? __hrtimer_init+0xe5/0x13f > [ +0.000005] [<ffffffff81d27999>] usbdev_ioctl+0xe/0x12 > [ +0.000004] [<ffffffff81537d1f>] do_vfs_ioctl+0x170/0xc6f > [ +0.000005] [<ffffffff815bf17b>] ? do_timerfd_settime+0x483/0x7d8 > [ +0.000004] [<ffffffff81537baf>] ? ioctl_preallocate+0x1e3/0x1e3 > [ +0.000004] [<ffffffff815becf8>] ? timerfd_release+0x91/0x91 > [ +0.000005] [<ffffffff815c0247>] ? SyS_timerfd_settime+0xbd/0x143 > [ +0.000005] [<ffffffff81551968>] ? __fget+0xde/0x1ee > [ +0.000005] [<ffffffff81552695>] ? __fget_light+0xdd/0x14f > [ +0.000004] [<ffffffff81538897>] SyS_ioctl+0x79/0x92 > [ +0.000005] [<ffffffff82208d72>] entry_SYSCALL_64_fastpath+0x1a/0xa4 > [ +0.000003] ================================================================================ > [ +0.424947] usbcore: registered new interface driver option > [ +0.000503] usbserial: USB Serial support registered for GSM modem (1-port) > [ +0.000363] option 3-8:1.0: GSM modem (1-port) converter detected > [ +0.003096] usb 3-8: GSM modem (1-port) converter now attached to ttyUSB0 > [ +0.000239] option 3-8:1.2: GSM modem (1-port) converter detected > [ +0.003003] usb 3-8: GSM modem (1-port) converter now attached to ttyUSB1 > [ +0.000198] option 3-8:1.3: GSM modem (1-port) converter detected > [ +0.002997] usb 3-8: GSM modem (1-port) converter now attached to ttyUSB2 > [ +0.855356] iTCO_vendor_support: vendor-support=0 > [ +0.334571] iTCO_wdt: Intel TCO WatchDog Timer Driver v1.11 > [ +0.000380] iTCO_wdt: Found a Lynx Point TCO device (Version=2, > TCOBASE=0x1860) > [ +0.003131] iTCO_wdt: initialized. heartbeat=30 sec (nowayout=0) > [ +0.433888] usbcore: registered new interface driver cdc_ncm > [ +0.056852] ppdev: user-space parallel port driver > [ +0.681019] usbcore: registered new interface driver cdc_wdm > [ +0.746911] huawei_cdc_ncm 3-8:1.1: MAC-Address: 58:2c:80:13:92:63 > [ +0.000009] huawei_cdc_ncm 3-8:1.1: setting rx_max = 16384 > [ +0.000443] huawei_cdc_ncm 3-8:1.1: setting tx_max = 16384 > [ +0.000391] huawei_cdc_ncm 3-8:1.1: NDP will be placed at end of > frame for this device. > [ +0.002619] huawei_cdc_ncm 3-8:1.1: cdc-wdm0: USB WDM device > [ +0.009247] huawei_cdc_ncm 3-8:1.1 wwan0: register 'huawei_cdc_ncm' > at usb-0000:00:14.0-8, Huawei CDC NCM device, 58:2c:80:13:92:63 > [ +0.000693] usbcore: registered new interface driver huawei_cdc_ncm > [ +0.081877] huawei_cdc_ncm 3-8:1.1 wwp0s20u8i1: renamed from wwan0 > -- > To unsubscribe from this list: send the line "unsubscribe stable" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- js suse labs ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-21 10:46 ` UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 Jiri Slaby @ 2016-08-22 17:43 ` Alan Stern 2016-08-22 20:21 ` Bjørn Mork 0 siblings, 1 reply; 10+ messages in thread From: Alan Stern @ 2016-08-22 17:43 UTC (permalink / raw) To: Jiri Slaby; +Cc: Vittorio Zecca, stable, USB list, Linux kernel mailing list On Sun, 21 Aug 2016, Jiri Slaby wrote: > Cc: proper lists. > > ep->desc.bInterval seems to be 0 here. > > On 08/21/2016, 12:42 PM, Vittorio Zecca wrote: > > I am not sure this is the right place so please bear with me... > > From Vittorio Zecca > > > > After compiling kernel 4.7.2 with ubsan I got the following messages > > at boot time: > > > > (devio.c:1713 is "as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);") > > > > [ +0.354486] ================================================================================ > > [ +0.000008] UBSAN: Undefined behaviour in > > /home/vitti/1tb/vitti/rpmbuild/SOURCES/linux-4.7.2/drivers/usb/core/devio.c:1713:25 > > [ +0.000004] shift exponent -1 is negative As far as I can see, this isn't possible. The usb_parse_endpoint() routine in drivers/usb/core/config.c is supposed to guarantee that ep->desc.bInterval is never 0. More information from Vittorio would be helpful. For example, what shows up in /sys/kernel/debug/usb/devices (after mounting a debugfs filesystem on /sys/kernel/debug)? Alan Stern ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-22 17:43 ` Alan Stern @ 2016-08-22 20:21 ` Bjørn Mork 2016-08-22 20:40 ` Alan Stern 0 siblings, 1 reply; 10+ messages in thread From: Bjørn Mork @ 2016-08-22 20:21 UTC (permalink / raw) To: Alan Stern Cc: Jiri Slaby, Vittorio Zecca, stable, USB list, Linux kernel mailing list Alan Stern <stern@rowland.harvard.edu> writes: > On Sun, 21 Aug 2016, Jiri Slaby wrote: > >> Cc: proper lists. >> >> ep->desc.bInterval seems to be 0 here. >> >> On 08/21/2016, 12:42 PM, Vittorio Zecca wrote: >> > I am not sure this is the right place so please bear with me... >> > From Vittorio Zecca >> > >> > After compiling kernel 4.7.2 with ubsan I got the following messages >> > at boot time: >> > >> > (devio.c:1713 is "as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);") >> > >> > [ +0.354486] ================================================================================ >> > [ +0.000008] UBSAN: Undefined behaviour in >> > /home/vitti/1tb/vitti/rpmbuild/SOURCES/linux-4.7.2/drivers/usb/core/devio.c:1713:25 >> > [ +0.000004] shift exponent -1 is negative > > As far as I can see, this isn't possible. The usb_parse_endpoint() > routine in drivers/usb/core/config.c is supposed to guarantee that > ep->desc.bInterval is never 0. That is if it is an ISO endpoint, right? Maybe I misunderstand something fundamental, but the "||" strikes me as odd here: as->urb->stream_id = stream_id; if (uurb->type == USBDEVFS_URB_TYPE_ISO || ps->dev->speed == USB_SPEED_HIGH) as->urb->interval = 1 << min(15, ep->desc.bInterval - 1); else as->urb->interval = ep->desc.bInterval; as->urb->context = as; Typo? Bjørn ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-22 20:21 ` Bjørn Mork @ 2016-08-22 20:40 ` Alan Stern 2016-08-22 20:57 ` Bjørn Mork 0 siblings, 1 reply; 10+ messages in thread From: Alan Stern @ 2016-08-22 20:40 UTC (permalink / raw) To: Bjørn Mork Cc: Jiri Slaby, Vittorio Zecca, stable, USB list, Linux kernel mailing list On Mon, 22 Aug 2016, Bjørn Mork wrote: > Alan Stern <stern@rowland.harvard.edu> writes: > > > On Sun, 21 Aug 2016, Jiri Slaby wrote: > > > >> Cc: proper lists. > >> > >> ep->desc.bInterval seems to be 0 here. > > As far as I can see, this isn't possible. The usb_parse_endpoint() > > routine in drivers/usb/core/config.c is supposed to guarantee that > > ep->desc.bInterval is never 0. > > That is if it is an ISO endpoint, right? I can't tell; the bug report doesn't say. However, ep->desc.bInterval is ignored for bulk and control endpoints, so it must be either isochronous or interrupt. > Maybe I misunderstand something fundamental, but the "||" strikes me as > odd here: > > as->urb->stream_id = stream_id; > if (uurb->type == USBDEVFS_URB_TYPE_ISO || > ps->dev->speed == USB_SPEED_HIGH) > as->urb->interval = 1 << min(15, ep->desc.bInterval - 1); > else > as->urb->interval = ep->desc.bInterval; > as->urb->context = as; No, that's right (mostly -- we really should check for ps->dev->speed >= USB_SPEED_SUPER as well as == USB_SPEED_HIGH). > Typo? USB uses two different encodings for endpoint intervals. The second encoding above just gives the interval in frames; this is used for low- and full-speed interrupt endpoints. The first encoding above is exponential (it gives n where the actual interval is 2^(n-1) frames or microframes); this is used for all isochronous endpoints and for high-speed (or SuperSpeed etc.) interrupt endpoints. See for example the definition of usb_fill_int_urb() in include/linux/usb.h. Alan Stern ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-22 20:40 ` Alan Stern @ 2016-08-22 20:57 ` Bjørn Mork 2016-08-22 21:06 ` Alan Stern 0 siblings, 1 reply; 10+ messages in thread From: Bjørn Mork @ 2016-08-22 20:57 UTC (permalink / raw) To: Alan Stern Cc: Jiri Slaby, Vittorio Zecca, stable, USB list, Linux kernel mailing list Alan Stern <stern@rowland.harvard.edu> writes: > On Mon, 22 Aug 2016, Bjørn Mork wrote: > >> Alan Stern <stern@rowland.harvard.edu> writes: >> >> > On Sun, 21 Aug 2016, Jiri Slaby wrote: >> > >> >> Cc: proper lists. >> >> >> >> ep->desc.bInterval seems to be 0 here. > >> > As far as I can see, this isn't possible. The usb_parse_endpoint() >> > routine in drivers/usb/core/config.c is supposed to guarantee that >> > ep->desc.bInterval is never 0. >> >> That is if it is an ISO endpoint, right? > > I can't tell; the bug report doesn't say. However, ep->desc.bInterval > is ignored for bulk and control endpoints, so it must be either > isochronous or interrupt. So what if the endpoint is not isochronous or interrupt here? >> Maybe I misunderstand something fundamental, but the "||" strikes me as >> odd here: >> >> as->urb->stream_id = stream_id; >> if (uurb->type == USBDEVFS_URB_TYPE_ISO || >> ps->dev->speed == USB_SPEED_HIGH) >> as->urb->interval = 1 << min(15, ep->desc.bInterval - 1); >> else >> as->urb->interval = ep->desc.bInterval; >> as->urb->context = as; > > No, that's right (mostly -- we really should check for ps->dev->speed >>= USB_SPEED_SUPER as well as == USB_SPEED_HIGH). > >> Typo? > > USB uses two different encodings for endpoint intervals. The second > encoding above just gives the interval in frames; this is used for low- > and full-speed interrupt endpoints. The first encoding above is > exponential (it gives n where the actual interval is 2^(n-1) frames or > microframes); this is used for all isochronous endpoints and for > high-speed (or SuperSpeed etc.) interrupt endpoints. OK, I am still puzzled: Won't the code I quoted above do the shift for *any* uurb->type and endpoint type? There doesn't seem to be any test for isochronous or interrupt endpoint around it? Bjørn ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-22 20:57 ` Bjørn Mork @ 2016-08-22 21:06 ` Alan Stern 2016-08-22 21:45 ` Vittorio Zecca 0 siblings, 1 reply; 10+ messages in thread From: Alan Stern @ 2016-08-22 21:06 UTC (permalink / raw) To: Bjørn Mork Cc: Jiri Slaby, Vittorio Zecca, stable, USB list, Linux kernel mailing list On Mon, 22 Aug 2016, Bjørn Mork wrote: > Alan Stern <stern@rowland.harvard.edu> writes: > > > On Mon, 22 Aug 2016, Bjørn Mork wrote: > > > >> Alan Stern <stern@rowland.harvard.edu> writes: > >> > >> > On Sun, 21 Aug 2016, Jiri Slaby wrote: > >> > > >> >> Cc: proper lists. > >> >> > >> >> ep->desc.bInterval seems to be 0 here. > > > >> > As far as I can see, this isn't possible. The usb_parse_endpoint() > >> > routine in drivers/usb/core/config.c is supposed to guarantee that > >> > ep->desc.bInterval is never 0. > >> > >> That is if it is an ISO endpoint, right? > > > > I can't tell; the bug report doesn't say. However, ep->desc.bInterval > > is ignored for bulk and control endpoints, so it must be either > > isochronous or interrupt. > > So what if the endpoint is not isochronous or interrupt here? Oops. You're right; for some reason I thought that code was executed only if the endpoint type was known to be isochronous or interrupt. > > USB uses two different encodings for endpoint intervals. The second > > encoding above just gives the interval in frames; this is used for low- > > and full-speed interrupt endpoints. The first encoding above is > > exponential (it gives n where the actual interval is 2^(n-1) frames or > > microframes); this is used for all isochronous endpoints and for > > high-speed (or SuperSpeed etc.) interrupt endpoints. > > OK, I am still puzzled: Won't the code I quoted above do the shift for > *any* uurb->type and endpoint type? There doesn't seem to be any test > for isochronous or interrupt endpoint around it? Yes, that's the reason for the UBSAN report. I'll write a patch to fix it. Alan Stern ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-22 21:06 ` Alan Stern @ 2016-08-22 21:45 ` Vittorio Zecca 2016-08-23 14:55 ` Alan Stern 0 siblings, 1 reply; 10+ messages in thread From: Vittorio Zecca @ 2016-08-22 21:45 UTC (permalink / raw) To: Alan Stern Cc: Bjørn Mork, Jiri Slaby, stable, USB list, Linux kernel mailing list I can reproduce the UBSAN report by inserting in the USB receptacle a HUAWEI Mobile Broadband E353 HSPA+ USB Stick. Alan Stern asked for /sys/kernel/debug/usb/devices: cat debug-usb-devices T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=480 MxCh= 2 B: Alloc= 0/800 us ( 0%), #Int= 0, #Iso= 0 D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1d6b ProdID=0002 Rev= 4.07 S: Manufacturer=Linux 4.7.2sanitized ehci_hcd S: Product=EHCI Host Controller S: SerialNumber=0000:00:1a.0 C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=256ms T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 4 D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=8087 ProdID=8008 Rev= 0.05 C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 1 Ivl=256ms T: Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=480 MxCh= 2 B: Alloc= 0/800 us ( 0%), #Int= 0, #Iso= 0 D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1d6b ProdID=0002 Rev= 4.07 S: Manufacturer=Linux 4.7.2sanitized ehci_hcd S: Product=EHCI Host Controller S: SerialNumber=0000:00:1d.0 C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=256ms T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 6 D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=8087 ProdID=8000 Rev= 0.05 C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 1 Ivl=256ms T: Bus=03 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=480 MxCh=10 B: Alloc= 0/800 us ( 0%), #Int= 0, #Iso= 0 D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1d6b ProdID=0002 Rev= 4.07 S: Manufacturer=Linux 4.7.2sanitized xhci-hcd S: Product=xHCI Host Controller S: SerialNumber=0000:00:14.0 C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=256ms T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=1.5 MxCh= 0 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 P: Vendor=15d9 ProdID=0a37 Rev= 1.00 S: Product=USB Mouse C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=01 Prot=02 Driver=usbhid E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=10ms T: Bus=03 Lev=01 Prnt=01 Port=06 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=12d1 ProdID=1506 Rev= 1.02 S: Manufacturer=HUAWEI S: Product=HUAWEI Mobile C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=02 Prot=01 Driver=option E: Ad=8f(I) Atr=03(Int.) MxPS= 64 Ivl=2ms E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I: If#= 1 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=02 Prot=16 Driver=huawei_cdc_ncm E: Ad=8d(I) Atr=03(Int.) MxPS= 64 Ivl=2ms I:* If#= 1 Alt= 1 #EPs= 3 Cls=ff(vend.) Sub=02 Prot=16 Driver=huawei_cdc_ncm E: Ad=8d(I) Atr=03(Int.) MxPS= 64 Ivl=2ms E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0e(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=02 Prot=03 Driver=option E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0d(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=02 Prot=02 Driver=option E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms T: Bus=03 Lev=01 Prnt=01 Port=08 Cnt=03 Dev#= 4 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=05e3 ProdID=070e Rev=93.17 S: Manufacturer=Genesys S: Product=USB Reader S: SerialNumber=000000245202 C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms T: Bus=04 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=5000 MxCh= 2 B: Alloc= 0/800 us ( 0%), #Int= 0, #Iso= 0 D: Ver= 3.00 Cls=09(hub ) Sub=00 Prot=03 MxPS= 9 #Cfgs= 1 P: Vendor=1d6b ProdID=0003 Rev= 4.07 S: Manufacturer=Linux 4.7.2sanitized xhci-hcd S: Product=xHCI Host Controller S: SerialNumber=0000:00:14.0 C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=256ms [vitti ~]$ If there is any patch I'll be happy to try it. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-22 21:45 ` Vittorio Zecca @ 2016-08-23 14:55 ` Alan Stern 2016-08-23 15:47 ` Vittorio Zecca 0 siblings, 1 reply; 10+ messages in thread From: Alan Stern @ 2016-08-23 14:55 UTC (permalink / raw) To: Vittorio Zecca Cc: Bjørn Mork, Jiri Slaby, stable, USB list, Linux kernel mailing list On Mon, 22 Aug 2016, Vittorio Zecca wrote: > I can reproduce the UBSAN report by inserting in the USB receptacle a > HUAWEI Mobile Broadband E353 HSPA+ USB Stick. > If there is any patch I'll be happy to try it. Thank you. Please let us know what happens with the patch below. Alan Stern Index: usb-4.x/drivers/usb/core/devio.c =================================================================== --- usb-4.x.orig/drivers/usb/core/devio.c +++ usb-4.x/drivers/usb/core/devio.c @@ -1709,11 +1709,17 @@ static int proc_do_submiturb(struct usb_ as->urb->start_frame = uurb->start_frame; as->urb->number_of_packets = number_of_packets; as->urb->stream_id = stream_id; - if (uurb->type == USBDEVFS_URB_TYPE_ISO || - ps->dev->speed == USB_SPEED_HIGH) - as->urb->interval = 1 << min(15, ep->desc.bInterval - 1); - else - as->urb->interval = ep->desc.bInterval; + + if (ep->desc.bInterval) { + if (uurb->type == USBDEVFS_URB_TYPE_ISO || + ps->dev->speed == USB_SPEED_HIGH || + ps->dev->speed >= USB_SPEED_SUPER) + as->urb->interval = 1 << + min(15, ep->desc.bInterval - 1); + else + as->urb->interval = ep->desc.bInterval; + } + as->urb->context = as; as->urb->complete = async_completed; for (totlen = u = 0; u < number_of_packets; u++) { ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-23 14:55 ` Alan Stern @ 2016-08-23 15:47 ` Vittorio Zecca 2016-08-23 18:58 ` Alan Stern 0 siblings, 1 reply; 10+ messages in thread From: Vittorio Zecca @ 2016-08-23 15:47 UTC (permalink / raw) To: Alan Stern Cc: Bjørn Mork, Jiri Slaby, stable, USB list, Linux kernel mailing list After applying the patch above the UBSAN issue in devio.c disappeared. However, I got the following messages in dmesg, probably due to a NetworkManager malfunctioning, and if I click on the NetworkManager icon I get "NetworkManager is not running" but maybe this is another issue and your patch did solve the devio.c problem. Unfortunately I cannot use the 4.7.2 kernel with ubsan and asan because I need the networkmanager running, as it is doing now on kernel version 4.6.6 [ +0.648205] BUG: unable to handle kernel paging request at ffff8272d6400205 [ +0.000118] IP: [<ffffffff818e11d4>] strcmp+0x48/0x8b [ +0.000075] PGD 0 [ +0.000033] Oops: 0000 [#1] SMP KASAN [ +0.000051] Modules linked in: ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw intel_rapl x86_pkg_temp_thermal coretemp kvm_intel kvm snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core huawei_cdc_ncm snd_hwdep snd_seq irqbypass cdc_wdm ppdev crct10dif_pclmul cdc_ncm snd_seq_device iTCO_wdt option iTCO_vendor_support crc32_pclmul snd_pcm crc32c_intel usb_wwan usbnet ghash_clmulni_intel snd_timer parport_pc i2c_i801 snd nuvoton_cir pcspkr mei_me parport soc_button_array mei rc_core [ +0.001125] shpchp lpc_ich soundcore tpm_tis tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc i915 i2c_algo_bit drm_kms_helper r8169 drm serio_raw mii video fjes uas usb_storage [ +0.000265] CPU: 1 PID: 856 Comm: NetworkManager Not tainted 4.7.2sanitized #4 [ +0.000094] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./H81M-DGS R2.0, BIOS P1.30 07/02/2014 [ +0.000127] task: ffff8800346f9e00 ti: ffff8800d5df8000 task.ti: ffff8800d5df8000 [ +0.000096] RIP: 0010:[<ffffffff818e11d4>] [<ffffffff818e11d4>] strcmp+0x48/0x8b [ +0.000104] RSP: 0018:ffff8800d5dfed28 EFLAGS: 00010246 [ +0.000071] RAX: 0000000000000000 RBX: ffffffffc0263c20 RCX: ffffffff818e11d4 [ +0.000093] RDX: 1ffff04e5ac80040 RSI: ffff8272d6400205 RDI: ffff8272d6400205 [ +0.000093] RBP: ffff8800d5dfed50 R08: ffff880389669150 R09: ffffed00712cd3d2 [ +0.000092] R10: ffff8800346f9e00 R11: 0000000000000010 R12: ffff8272d6400205 [ +0.000092] R13: 0000000000000072 R14: ffffffffc0263c21 R15: ffff8272d6400206 [ +0.000093] FS: 00007fce6294e880(0000) GS:ffff88038ed00000(0000) knlGS:0000000000000000 [ +0.000103] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.002818] CR2: ffff8272d6400205 CR3: 00000000350b6000 CR4: 00000000000406e0 [ +0.002903] Stack: [ +0.002833] ffffffff82aa6a78 1ffff1001abbfdaf ffff880384ba0b80 ffffffffc0263c20 [ +0.000047] ffff880389669e70 [ +0.000001] ffff8800d5dfee00 [ +0.000001] ffffffff81bf33dd [ +0.000000] ffff88038b1c8000 [ +0.000001] 00000000026040c0 [ +0.000001] ffff88038c7fc560 [ +0.000000] 0000000041b58ab3 [ +0.000001] ffffffff82a70a84 [ +0.000001] Call Trace: [ +0.000007] [<ffffffff81bf33dd>] _request_firmware+0x156/0x274 [ +0.000004] [<ffffffff81bf3287>] ? request_firmware_nowait+0x2ad/0x2ad [ +0.000004] [<ffffffff814be62b>] ? kasan_kmalloc+0x5e/0x64 [ +0.000004] [<ffffffff814b67b6>] ? kmem_cache_alloc_trace+0x124/0x390 [ +0.000004] [<ffffffff81bf352c>] request_firmware+0x31/0x43 [ +0.000009] [<ffffffffc025d7a7>] rtl_open+0x1133/0x1b3a [r8169] [ +0.000009] [<ffffffffc025c674>] ? rtl_remove_one+0x35d/0x35d [r8169] [ +0.000004] [<ffffffff821da57f>] ? packet_notifier+0xdb/0x593 [ +0.000004] [<ffffffff821da4a4>] ? register_prot_hook.part.17+0x6e/0x6e [ +0.000003] [<ffffffff821bc032>] ? ip6mr_device_event+0xa6/0x276 [ +0.000003] [<ffffffff821bbf8c>] ? mif6_delete+0x41c/0x41c [ +0.000014] [<ffffffffc16101a1>] ? br_device_event+0x41/0x360 [bridge] [ +0.000005] [<ffffffff8119993a>] ? raw_notifier_call_chain+0x85/0xec [ +0.000005] [<ffffffff81f7d103>] __dev_open+0x161/0x24c [ +0.000002] [<ffffffff81f7cfa2>] ? dev_set_rx_mode+0x33/0x33 [ +0.000003] [<ffffffff81f7cdf0>] ? __dev_set_rx_mode+0x3d/0x1bc [ +0.000003] [<ffffffff81f7d611>] __dev_change_flags+0xe8/0x229 [ +0.000003] [<ffffffff81f7d7af>] dev_change_flags+0x5d/0xbd [ +0.000004] [<ffffffff81f9e31e>] do_setlink+0x628/0x1c26 [ +0.000003] [<ffffffff813e2df8>] ? __alloc_pages_nodemask+0x26a/0x1ebe [ +0.000003] [<ffffffff81f9dcf6>] ? rtnl_unregister+0x201/0x201 [ +0.000004] [<ffffffff814b3841>] ? alloc_debug_processing+0x56/0x36e [ +0.000003] [<ffffffff813e2df8>] ? __alloc_pages_nodemask+0x26a/0x1ebe [ +0.000003] [<ffffffff813e2b8e>] ? warn_alloc_failed+0x266/0x266 [ +0.000003] [<ffffffff812059ad>] ? __init_rwsem+0xfd/0x17c [ +0.000004] [<ffffffff812058b0>] ? rt_mutex_finish_proxy_lock+0x1bd/0x1bd [ +0.000005] [<ffffffff81307a48>] ? is_ftrace_trampoline+0x62/0xaf [ +0.000003] [<ffffffff81192ff7>] ? __kernel_text_address+0x63/0x82 [ +0.000004] [<ffffffff8106decc>] ? print_context_stack+0x7e/0x177 [ +0.000002] [<ffffffff814be72c>] ? memset+0x31/0x38 [ +0.000004] [<ffffffff8194332b>] ? nla_parse+0xa1/0x2d9 [ +0.000003] [<ffffffff81f9cb88>] ? validate_linkmsg+0x140/0x3df [ +0.000003] [<ffffffff81f9ca48>] ? rtnl_link_get_net+0xf3/0xf3 [ +0.000003] [<ffffffff81307a48>] ? is_ftrace_trampoline+0x62/0xaf [ +0.000003] [<ffffffff81fa09a3>] rtnl_newlink+0x9c8/0xf17 [ +0.000003] [<ffffffff81fa0679>] ? rtnl_newlink+0x69e/0xf17 [ +0.000003] [<ffffffff81f9ffdb>] ? rtnetlink_put_metrics+0x454/0x454 [ +0.000004] [<ffffffff81192ff7>] ? __kernel_text_address+0x63/0x82 [ +0.000003] [<ffffffff8106decc>] ? print_context_stack+0x7e/0x177 [ +0.000004] [<ffffffff81791a03>] ? cap_capable+0xc3/0x134 [ +0.000003] [<ffffffff817963e2>] ? security_capable+0x3c/0x8f [ +0.000003] [<ffffffff811619cf>] ? ns_capable+0x60/0xb9 [ +0.000004] [<ffffffff81feec1f>] ? __netlink_ns_capable+0x80/0xba [ +0.000003] [<ffffffff81f9ffdb>] ? rtnetlink_put_metrics+0x454/0x454 [ +0.000003] [<ffffffff81f9be12>] rtnetlink_rcv_msg+0x1e0/0x8fc [ +0.000003] [<ffffffff81f425a0>] ? __alloc_skb+0xb6/0x414 [ +0.000003] [<ffffffff81f9bc32>] ? rtnl_link_unregister+0x213/0x213 [ +0.000002] [<ffffffff81ff2bca>] ? netlink_lookup+0x1cf/0x2b2 [ +0.000003] [<ffffffff81ff29fb>] ? netlink_broadcast+0x1f/0x1f [ +0.000003] [<ffffffff81ff7843>] netlink_rcv_skb+0x147/0x1bb [ +0.000003] [<ffffffff81f9bc32>] ? rtnl_link_unregister+0x213/0x213 [ +0.000003] [<ffffffff81f98fb6>] rtnetlink_rcv+0x28/0x30 [ +0.000002] [<ffffffff81ff6a1f>] netlink_unicast+0x33f/0x472 [ +0.000003] [<ffffffff81ff66e0>] ? netlink_attachskb+0x49a/0x49a [ +0.000002] [<ffffffff814be51c>] ? kasan_check_write+0x14/0x16 [ +0.000003] [<ffffffff818faef0>] ? copy_from_iter+0x17d/0x5e2 [ +0.000003] [<ffffffff81ff71ff>] netlink_sendmsg+0x6ad/0x89c [ +0.000003] [<ffffffff81ff6b52>] ? netlink_unicast+0x472/0x472 [ +0.000003] [<ffffffff81ff6b52>] ? netlink_unicast+0x472/0x472 [ +0.000004] [<ffffffff81f2d710>] sock_sendmsg+0x84/0xcc [ +0.000003] [<ffffffff81f2eb1f>] ___sys_sendmsg+0x51b/0x5da [ +0.000003] [<ffffffff8162e8ea>] ? unuse_table.part.3+0x1b/0x42 [ +0.000003] [<ffffffff81f2e604>] ? copy_msghdr_from_user+0x2b6/0x2b6 [ +0.000003] [<ffffffff81160007>] ? proc_dointvec+0x5c/0x7b [ +0.000003] [<ffffffff8162f126>] ? proc_sys_call_handler+0x112/0x1d8 [ +0.000004] [<ffffffff812358c0>] ? __call_rcu_nocb_enqueue+0x140/0x31d [ +0.000002] [<ffffffff8162f014>] ? proc_sys_poll+0x1a2/0x1a2 [ +0.000004] [<ffffffff818f14e4>] ? lockref_put_or_lock+0x182/0x227 [ +0.000003] [<ffffffff818f1362>] ? lockref_get_or_lock+0x247/0x247 [ +0.000003] [<ffffffff81551968>] ? __fget+0xde/0x1ee [ +0.000003] [<ffffffff81552695>] ? __fget_light+0xdd/0x14f [ +0.000003] [<ffffffff8155271a>] ? __fdget+0x13/0x15 [ +0.000003] [<ffffffff81f2fe24>] __sys_sendmsg+0xcb/0x145 [ +0.000003] [<ffffffff81f2fd59>] ? SyS_shutdown+0x170/0x170 [ +0.000003] [<ffffffff815114a1>] ? __fput+0x262/0x3e7 [ +0.000004] [<ffffffff814eb849>] ? mem_cgroup_handle_over_high+0x7a/0x1f5 [ +0.000002] [<ffffffff814eb7cf>] ? mem_cgroup_oom_synchronize+0x72e/0x72e [ +0.000003] [<ffffffff8151168a>] ? ____fput+0xe/0x10 [ +0.000003] [<ffffffff81f2feb0>] SyS_sendmsg+0x12/0x1c [ +0.000004] [<ffffffff82226d72>] entry_SYSCALL_64_fastpath+0x1a/0xa4 [ +0.000025] Code: 4d 89 fc 4c 8d 73 01 48 85 db 74 52 48 89 df e8 a6 cd bd ff 45 0f b6 6e ff 4d 8d 7c 24 01 4d 85 e4 74 2b 4c 89 e7 e8 8f cd bd ff <45> 3a 6f ff 74 c7 19 c0 83 c8 01 5b 41 5c 41 5d 41 5e 41 5f 5d [ +0.000003] RIP [<ffffffff818e11d4>] strcmp+0x48/0x8b [ +0.000000] RSP <ffff8800d5dfed28> [ +0.000001] CR2: ffff8272d6400205 [ +0.012995] ---[ end trace aed6c80e54c9629a ]--- [Aug23 17:34] usb 3-8: USB disconnect, device number 3 [ +0.005711] option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0 [ +0.001105] option 3-8:1.0: device disconnected [ +0.003580] huawei_cdc_ncm 3-8:1.1 wwp0s20u8i1: unregister 'huawei_cdc_ncm' usb-0000:00:14.0-8, Huawei CDC NCM device ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 2016-08-23 15:47 ` Vittorio Zecca @ 2016-08-23 18:58 ` Alan Stern 0 siblings, 0 replies; 10+ messages in thread From: Alan Stern @ 2016-08-23 18:58 UTC (permalink / raw) To: Vittorio Zecca Cc: Bjørn Mork, Jiri Slaby, stable, USB list, Linux kernel mailing list On Tue, 23 Aug 2016, Vittorio Zecca wrote: > After applying the patch above the UBSAN issue in devio.c disappeared. > > However, I got the following messages in dmesg, probably due to a NetworkManager > malfunctioning, and if I click on the NetworkManager icon I get > "NetworkManager is not running" > but maybe this is another issue and your patch did solve the devio.c problem. > Unfortunately I cannot use the 4.7.2 kernel with ubsan and asan because > I need the networkmanager running, as it is doing now on kernel version 4.6.6 The NetworkManager problem does look like something completely separate. So thanks for testing the patch, and I will submit it soon. Alan Stern ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2016-08-23 18:58 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <CAFQ=mRQeV_UHYuU20ppHG6L=mNcr_cKxBMMM731XfWeoEO-L=g@mail.gmail.com> 2016-08-21 10:46 ` UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25 Jiri Slaby 2016-08-22 17:43 ` Alan Stern 2016-08-22 20:21 ` Bjørn Mork 2016-08-22 20:40 ` Alan Stern 2016-08-22 20:57 ` Bjørn Mork 2016-08-22 21:06 ` Alan Stern 2016-08-22 21:45 ` Vittorio Zecca 2016-08-23 14:55 ` Alan Stern 2016-08-23 15:47 ` Vittorio Zecca 2016-08-23 18:58 ` Alan Stern
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).