Bug 120361

Summary: UBSAN splat in drivers/usb/host/ehci-hub.c:877:47
Product: Drivers
Reporter: Wilfried Klaebe (linux-kernel)
Component: USB
Assignee: Greg Kroah-Hartman (greg)
Status: CLOSED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.7.0-rc3
Subsystem:
Regression: No
Bisected commit-id:
Attachments: .config

Description Wilfried Klaebe 2016-06-15 12:30:27 UTC
Created attachment 220101: .config

While booting, UBSAN reports an index out of range use in drivers/usb/host/ehci-hub.c:877:47:

[    1.873691] ================================================================================
[    1.875970] UBSAN: Undefined behaviour in /usr/local/src/kernel/linux-git/drivers/usb/host/ehci-hub.c:877:47
[    1.878277] index -1 is out of range for type 'u32 [1]'
[    1.880549] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc3-00002-g44c5afa #1
[    1.882811] Hardware name: Apple Inc. MacBookPro8,2/Mac-94245A3940C91C80, BIOS    MBP81.88Z.0047.B27.1201241646 01/24/12
[    1.885121]  ffff880265158800 ffff88026610b388 ffffffff815c8665 ffffffff811b1994
[    1.887428]  ffff88026610b3b0 ffffffffffffffff ffff88026610b3a0 ffffffff8163e77d
[    1.889719]  ffffffff826a2c60 ffff88026610b3f8 ffffffff8163ee95 0000000000000292
[    1.892001] Call Trace:
[    1.894242]  [<ffffffff815c8665>] dump_stack+0x68/0xa3
[    1.896493]  [<ffffffff811b1994>] ? console_unlock+0x284/0x6a0
[    1.898751]  [<ffffffff8163e77d>] ubsan_epilogue+0xd/0x40
[    1.900984]  [<ffffffff8163ee95>] __ubsan_handle_out_of_bounds+0x75/0xa0
[    1.903227]  [<ffffffff8184de06>] ehci_hub_control+0xde6/0xf80
[    1.905473]  [<ffffffff81828a22>] usb_hcd_submit_urb+0x822/0xcc0
[    1.907710]  [<ffffffff8182a6fd>] usb_submit_urb+0x29d/0x960
[    1.909982]  [<ffffffff811947b3>] ? lockdep_init_map+0x63/0x270
[    1.912257]  [<ffffffff8182b698>] usb_start_wait_urb+0x78/0x120
[    1.914549]  [<ffffffff8182b7f4>] usb_control_msg+0xb4/0xf0
[    1.916826]  [<ffffffff81823994>] hub_probe+0x4b4/0xfd0
[    1.919045]  [<ffffffff81b31a76>] ? _raw_spin_unlock_irqrestore+0x46/0x60
[    1.921302]  [<ffffffff8119758d>] ? trace_hardirqs_on+0xd/0x10
[    1.923575]  [<ffffffff81831a4e>] usb_probe_interface+0x13e/0x3f0
[    1.925870]  [<ffffffff8177373f>] driver_probe_device+0x10f/0x390
[    1.928111]  [<ffffffff81773b6e>] __device_attach_driver+0xbe/0x180
[    1.930340]  [<ffffffff81773ab0>] ? __driver_attach+0xf0/0xf0
[    1.932540]  [<ffffffff81770bd2>] bus_for_each_drv+0x72/0xd0
[    1.934710]  [<ffffffff817734f1>] __device_attach+0xc1/0x150
[    1.936850]  [<ffffffff81773c7e>] device_initial_probe+0xe/0x10
[    1.938963]  [<ffffffff81772273>] bus_probe_device+0xd3/0x130
[    1.941046]  [<ffffffff8176f2fb>] device_add+0x52b/0x720
[    1.943098]  [<ffffffff8182e716>] usb_set_configuration+0x566/0xb90
[    1.945140]  [<ffffffff81840971>] generic_probe+0x31/0xa0
[    1.947156]  [<ffffffff818318d6>] usb_probe_device+0x36/0x70
[    1.949157]  [<ffffffff8177373f>] driver_probe_device+0x10f/0x390
[    1.951142]  [<ffffffff81773b6e>] __device_attach_driver+0xbe/0x180
[    1.953110]  [<ffffffff81773ab0>] ? __driver_attach+0xf0/0xf0
[    1.955076]  [<ffffffff81770bd2>] bus_for_each_drv+0x72/0xd0
[    1.957017]  [<ffffffff817734f1>] __device_attach+0xc1/0x150
[    1.958942]  [<ffffffff81773c7e>] device_initial_probe+0xe/0x10
[    1.960844]  [<ffffffff81772273>] bus_probe_device+0xd3/0x130
[    1.962766]  [<ffffffff8176f2fb>] device_add+0x52b/0x720
[    1.964702]  [<ffffffff81820436>] usb_new_device+0x2d6/0x720
[    1.966659]  [<ffffffff81826f7b>] usb_add_hcd+0x5db/0x970
[    1.968629]  [<ffffffff81843e9a>] usb_hcd_pci_probe+0x4ba/0x760
[    1.970619]  [<ffffffff8119746c>] ? trace_hardirqs_on_caller+0x1ac/0x2c0
[    1.972601]  [<ffffffff81858371>] ehci_pci_probe+0x31/0x40
[    1.974598]  [<ffffffff81655519>] local_pci_probe+0x59/0xf0
[    1.976577]  [<ffffffff8165735b>] pci_device_probe+0x14b/0x1c0
[    1.978580]  [<ffffffff8177373f>] driver_probe_device+0x10f/0x390
[    1.980606]  [<ffffffff81773a74>] __driver_attach+0xb4/0xf0
[    1.982647]  [<ffffffff817739c0>] ? driver_probe_device+0x390/0x390
[    1.984679]  [<ffffffff81770afb>] bus_for_each_dev+0x6b/0xb0
[    1.986697]  [<ffffffff81772d42>] driver_attach+0x22/0x40
[    1.988710]  [<ffffffff8177264c>] bus_add_driver+0x15c/0x2b0
[    1.990718]  [<ffffffff82938493>] ? ehci_hcd_init+0x59/0x59
[    1.992717]  [<ffffffff81774568>] driver_register+0x78/0x130
[    1.994719]  [<ffffffff81654e02>] __pci_register_driver+0x72/0xb0
[    1.996732]  [<ffffffff829384f8>] ehci_pci_init+0x65/0x67
[    1.998727]  [<ffffffff8100044c>] do_one_initcall+0x5c/0x1e0
[    2.000718]  [<ffffffff828f270b>] kernel_init_freeable+0x33b/0x3d1
[    2.002702]  [<ffffffff81b2642a>] kernel_init+0xa/0x120
[    2.004665]  [<ffffffff81b3232f>] ret_from_fork+0x1f/0x40
[    2.006615]  [<ffffffff81b26420>] ? rest_init+0x170/0x170
[    2.008558] ================================================================================

Comment 1 Greg Kroah-Hartman 2016-06-16 02:35:09 UTC
On Wed, Jun 15, 2016 at 12:30:27PM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=120361
> 
>             Bug ID: 120361
>            Summary: UBSAN splat in drivers/usb/host/ehci-hub.c:877:47
>            Product: Drivers
>            Version: 2.5
>     Kernel Version: 4.7.0-rc3

Should be fixed in linux-next, can you verify?

Comment 2 Wilfried Klaebe 2016-06-17 04:33:05 UTC
Built linux-next-20160616, now there's a UBSAN splat in drivers/usb/host/ehci-hub.c:889:34 instead:

[    1.855916] ================================================================================
[    1.858264] UBSAN: Undefined behaviour in /usr/local/src/kernel/linux-next/drivers/usb/host/ehci-hub.c:889:34
[    1.860622] index 2 is out of range for type 'u32 [1]'
[    1.862935] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc3-next-20160616-00002-g9e3793c #1
[    1.865284] Hardware name: Apple Inc. MacBookPro8,2/Mac-94245A3940C91C80, BIOS    MBP81.88Z.0047.B27.1201241646 01/24/12
[    1.867658]  ffff8802662f9000 ffff88026610b2a0 ffffffffaa5ceb95 ffffffffaa1b2105
[    1.870046]  ffff88026610b2c8 0000000000000002 ffff88026610b2b8 ffffffffaa645e5d
[    1.872414]  ffffffffab6a6a60 ffff88026610b310 ffffffffaa646575 0000000000000282
[    1.874783] Call Trace:
[    1.877111]  [<ffffffffaa5ceb95>] dump_stack+0x68/0xa3
[    1.879445]  [<ffffffffaa1b2105>] ? console_unlock+0x275/0x6e0
[    1.881764]  [<ffffffffaa645e5d>] ubsan_epilogue+0xd/0x40
[    1.884089]  [<ffffffffaa646575>] __ubsan_handle_out_of_bounds+0x75/0xa0
[    1.886437]  [<ffffffffaa855524>] ehci_hub_control+0xd94/0xef0
[    1.888774]  [<ffffffffaa82fd93>] usb_hcd_submit_urb+0x423/0xcc0
[    1.891132]  [<ffffffffaa831e6d>] usb_submit_urb+0x29d/0x960
[    1.893508]  [<ffffffffaa194bc3>] ? lockdep_init_map+0x63/0x270
[    1.895906]  [<ffffffffaa832e08>] usb_start_wait_urb+0x78/0x120
[    1.898291]  [<ffffffffaa832f64>] usb_control_msg+0xb4/0xf0
[    1.900617]  [<ffffffffaa820d9e>] set_port_feature+0x4e/0x80
[    1.902963]  [<ffffffffaa825ed2>] hub_power_on+0x32/0x120
[    1.905322]  [<ffffffffaa8264b2>] hub_activate+0x4f2/0x8a0
[    1.907695]  [<ffffffffaab37d85>] ? __mutex_unlock_slowpath+0x105/0x230
[    1.910027]  [<ffffffffaa82b6a4>] hub_probe+0xa54/0xfd0
[    1.912341]  [<ffffffffaab3b556>] ? _raw_spin_unlock_irqrestore+0x46/0x60
[    1.914647]  [<ffffffffaa19799d>] ? trace_hardirqs_on+0xd/0x10
[    1.916923]  [<ffffffffaa8391be>] usb_probe_interface+0x13e/0x3f0
[    1.919174]  [<ffffffffaa77b0ff>] driver_probe_device+0x10f/0x390
[    1.921392]  [<ffffffffaa77b52e>] __device_attach_driver+0xbe/0x180
[    1.923585]  [<ffffffffaa77b470>] ? __driver_attach+0xf0/0xf0
[    1.925748]  [<ffffffffaa778592>] bus_for_each_drv+0x72/0xd0
[    1.927884]  [<ffffffffaa77aeb1>] __device_attach+0xc1/0x150
[    1.929996]  [<ffffffffaa77b63e>] device_initial_probe+0xe/0x10
[    1.932090]  [<ffffffffaa779c33>] bus_probe_device+0xd3/0x130
[    1.934164]  [<ffffffffaa776cbb>] device_add+0x52b/0x720
[    1.936210]  [<ffffffffaa835e86>] usb_set_configuration+0x566/0xb90
[    1.938268]  [<ffffffffaa8480e1>] generic_probe+0x31/0xa0
[    1.940299]  [<ffffffffaa839046>] usb_probe_device+0x36/0x70
[    1.942316]  [<ffffffffaa77b0ff>] driver_probe_device+0x10f/0x390
[    1.944317]  [<ffffffffaa77b52e>] __device_attach_driver+0xbe/0x180
[    1.946342]  [<ffffffffaa77b470>] ? __driver_attach+0xf0/0xf0
[    1.948384]  [<ffffffffaa778592>] bus_for_each_drv+0x72/0xd0
[    1.950443]  [<ffffffffaa77aeb1>] __device_attach+0xc1/0x150
[    1.952522]  [<ffffffffaa77b63e>] device_initial_probe+0xe/0x10
[    1.954622]  [<ffffffffaa779c33>] bus_probe_device+0xd3/0x130
[    1.956699]  [<ffffffffaa776cbb>] device_add+0x52b/0x720
[    1.958789]  [<ffffffffaa827bc6>] usb_new_device+0x2d6/0x720
[    1.960861]  [<ffffffffaa82e6eb>] usb_add_hcd+0x5db/0x970
[    1.962947]  [<ffffffffaa84b60a>] usb_hcd_pci_probe+0x4ba/0x760
[    1.965055]  [<ffffffffaa19787c>] ? trace_hardirqs_on_caller+0x1ac/0x2c0
[    1.967197]  [<ffffffffaa85fa61>] ehci_pci_probe+0x31/0x40
[    1.969322]  [<ffffffffaa65cc69>] local_pci_probe+0x59/0xf0
[    1.971434]  [<ffffffffaa65eaab>] pci_device_probe+0x14b/0x1c0
[    1.973548]  [<ffffffffaa77b0ff>] driver_probe_device+0x10f/0x390
[    1.975661]  [<ffffffffaa77b434>] __driver_attach+0xb4/0xf0
[    1.977766]  [<ffffffffaa77b380>] ? driver_probe_device+0x390/0x390
[    1.979878]  [<ffffffffaa7784bb>] bus_for_each_dev+0x6b/0xb0
[    1.981993]  [<ffffffffaa77a702>] driver_attach+0x22/0x40
[    1.984086]  [<ffffffffaa77a00c>] bus_add_driver+0x15c/0x2b0
[    1.986174]  [<ffffffffab93c7e8>] ? ehci_hcd_init+0x59/0x59
[    1.988245]  [<ffffffffaa77bf28>] driver_register+0x78/0x130
[    1.990291]  [<ffffffffaa65c552>] __pci_register_driver+0x72/0xb0
[    1.992325]  [<ffffffffab93c84d>] ehci_pci_init+0x65/0x67
[    1.994356]  [<ffffffffaa00044c>] do_one_initcall+0x5c/0x1e0
[    1.996397]  [<ffffffffab8f670b>] kernel_init_freeable+0x33b/0x3d1
[    1.998411]  [<ffffffffaab2fe3a>] kernel_init+0xa/0x120
[    2.000377]  [<ffffffffaab3bdef>] ret_from_fork+0x1f/0x40
[    2.002304]  [<ffffffffaab2fe30>] ? rest_init+0x170/0x170
[    2.004194] ================================================================================

Comment 3 Greg Kroah-Hartman 2016-06-17 18:24:43 UTC
On Fri, Jun 17, 2016 at 04:33:05AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=120361
> 
> --- Comment #2 from Wilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
> ---
> Built linux-next-20160616, now there's a UBSAN splat in
> drivers/usb/host/ehci-hub.c:889:34 instead:

Please send to the linux-usb@vger.kernel.org mailing list.

Comment 4 Wilfried Klaebe 2017-02-22 20:06:55 UTC
Seems to be fixed, does not appear in (at least) 4.10 anymore.