Bug 12185

Summary: Unloading rtl8187 generates a GPF if SLUB poison debugging is enabled
Product: Networking
Component: Wireless
Reporter: Larry Finger (Larry.Finger)
Assignee: networking_wireless (networking_wireless)
Status: CLOSED CODE_FIX
Severity: high
Priority: P1
CC: htl10
Hardware: All
OS: Linux
Kernel Version: 2.6.28-rc7
Regression: ---

Description Larry Finger 2008-12-09 07:33:25 UTC
Latest working kernel version: None
Earliest failing kernel version: All
Distribution: openSUSE 11.0
Hardware Environment: x86_64
Software Environment: rtl8187
Problem Description: Unloading driver rtl8187 generates a GPF if SLUB debugging is enabled and the system is booted with the 'slub_debug=P' option.

The reason for the GPF is that the driver attempts to free a urb that has already been freed - a classic 'use-after-free' situation.

The crash dump is as follows:

kernel: general protection fault: 0000 [#1] SMP
kernel: last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2shared_cpu_map
kernel: CPU 0
kernel: Modules linked in: rtl8187(-) eeprom_93cx6 snd_pcm_oss snd_mixer_oss snd_seq snd_seq_device af_packet sunrpc rfkill_input cpufreq_conservative cpufreq_userspace cpufreq_powersave powernow_k8 fuse loop dm_mod ide_cd_mod cdrom arc4 ecb b43 rfkill snd_hda_intel mac80211 led_class amd74xx snd_pcm input_polldev snd_timer snd cfg80211 k8temp soundcore hwmon ide_pci_generic ssb serio_raw forcedeth sg snd_page_alloc ide_core battery ac button joydev sd_mod ohci_hcd uhci_hcd ehci_hcd usbcore edd fan thermal processor ext3 mbcache jbd ahci libata scsi_mod [last unloaded: usbtest]
kernel: Pid: 8057, comm: modprobe Not tainted 2.6.28-rc7 #29
kernel: RIP: 0010:[<ffffffff8031cf99>]  [<ffffffff8031cf99>] kref_get+0xc/0x2b
kernel: RSP: 0018:ffff8800b9eb5b48  EFLAGS: 00010096
kernel: RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6dbb RCX: 0000000000000016
kernel: RDX: 0000000000000301 RSI: ffffffff8020bf3b RDI: 6b6b6b6b6b6b6dbb
kernel: RBP: ffff8800b9eb5b58 R08: 00000003b9fdc830 R09: ffffffffa00fc2a0
kernel: R10: ffffffff8025b866 R11: ffffffff8089a2b0 R12: ffff8800b8f1bc80
kernel: R13: 0000000000000286 R14: 00000000fffffffe R15: ffff8800b8dd2020
kernel: FS:  00007f320f7086f0(0000) GS:ffffffff8070a600(0000) knlGS:00000000f7d1c6c0
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
kernel: CR2: 00007f770e627000 CR3: 00000000b9f17000 CR4: 00000000000006e0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
kernel: Process modprobe (pid: 8057, threadinfo ffff8800b9eb4000, task ffff8800b9fdc830)
kernel: Stack:
kernel:  ffff8800b9eb5b78 6b6b6b6b6b6b6d83 ffff8800b9eb5b78 ffffffff8031c1cd
kernel:  ffff8800b9f69cc0 6b6b6b6b6b6b6b6b ffff8800b9eb5b88 ffffffff80399f75
kernel:  ffff8800b9eb5ba8 ffffffffa00f7401 00000000ffffffd5 0000000000000000
kernel: Call Trace:
kernel:  [<ffffffff8031c1cd>] kobject_get+0x1a/0x22
kernel:  [<ffffffff80399f75>] get_device+0x17/0x1f
kernel:  [<ffffffffa00f7401>] usb_get_dev+0x1d/0x24 [usbcore]
kernel:  [<ffffffffa00fc2b7>] usb_hcd_unlink_urb+0x39/0x81 [usbcore]
kernel:  [<ffffffffa00fd594>] usb_kill_urb+0x6b/0xfa [usbcore]
kernel:  [<ffffffff803c3a61>] ? skb_dequeue+0x5b/0x66
kernel:  [<ffffffffa048f32d>] rtl8187_stop+0x278/0x28d [rtl8187]

A fix is now undergoing testing and will be submitted through the wireless-testing tree. This bug may be related to bugzilla entry 11887.

Steps to reproduce: Use SLUB with debugging enabled, boot with the option 'slub_debug=P', and 'modprobe -r rtl8187'.
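The register and stack values of the form 6b6b6b6b6b6b6xxx in the dump above are what make the use-after-free diagnosis concrete: with slub_debug=P, SLUB fills freed objects with POISON_FREE (0x6b), so a pointer like RBX/RDI = 6b6b6b6b6b6b6dbb is a field read out of a freed, poisoned object (poison plus offset 0x250) that kref_get() was then handed. The following is an added user-space C helper, not part of the bug report, that applies this check to dump lines constructed from the trace above; it assumes POISON_FREE is 0x6b as defined in include/linux/poison.h and that a field offset inside a freed object stays below 4096.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* slub_debug=P fills freed objects with POISON_FREE, 0x6b (include/linux/poison.h). */
#define POISON_FREE_QWORD 0x6b6b6b6b6b6b6b6bULL
#define MAX_FIELD_OFFSET  4096 /* assumed bound: a field offset stays within one page */
static char report[256];       /* "NAME=poison+0xOFF " entries from the last scan */

/* Offset into the freed object if v is poison plus a small offset, else -1. */
long slub_poison_offset(uint64_t v)
{
    if (v < POISON_FREE_QWORD || v - POISON_FREE_QWORD >= MAX_FIELD_OFFSET)
        return -1;
    return (long)(v - POISON_FREE_QWORD);
}
const char *last_report(void) { return report; }

/* Check every 16-digit hex word on one dump line. A word after a short label
 * ("RBX:") is reported under that name, a bare stack word as "stack".
 * Returns the number of poisoned words and rewrites report. */
int scan_dump(const char *line)
{
    char buf[512], *name = NULL, *end;
    size_t used = 0;
    int hits = 0;
    report[0] = '\0';
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        size_t n = strlen(tok);
        if (tok[n - 1] == ':') {           /* a label; "kernel:" is too long to count */
            tok[n - 1] = '\0';
            name = n <= 4 ? tok : NULL;
            continue;
        }
        const char *label = name ? name : "stack";
        uint64_t v = strtoull(tok, &end, 16);
        name = NULL;                       /* a label covers only the next word */
        if (end - tok != 16) continue;     /* skips "0010:[<...>]", symbol names, etc. */
        long off = slub_poison_offset(v);
        if (off < 0) continue;
        hits++;
        int w = snprintf(report + used, sizeof report - used, "%s=poison+0x%lx ",
                         label, (unsigned long)off);
        if (w < 0 || (size_t)w >= sizeof report - used) break;
        used += (size_t)w;
    }
    return hits;
}
```

Running scan_dump() over the RBX/RDI lines of the dump reports poison+0x250 for both, and over the first two stack lines reports poison+0x218 and poison+0x0, i.e. several live pointers into one freed object.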
Comment 1 Hin-Tak Leung 2008-12-09 16:50:37 UTC
The patch doesn't improve bug 11887 (i.e. possibly unrelated).
Comment 2 John W. Linville 2009-01-13 11:19:49 UTC
Which patch is/was this?
Comment 3 John W. Linville 2009-01-13 11:39:04 UTC
commit c1db52b9d27ee6e15a7136e67e4a21dc916cd07f
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date:   Tue Dec 9 23:34:27 2008 -0600

    rtl8187: Use usb anchor facilities to manage urbs

    When SLUB debugging is enabled in the kernel, and the boot command includes
    the option "slub_debug=P", rtl8187 encounters a GPF due to a read-after-free
    of a urb.

    Following the example of changes in p54usb to fix the same problem, the code
    has been modified to use the usb_anchor_urb() method. With this change, the
    USB core handles the freeing of urbs.

    This patch fixes the problem reported in Kernel Bugzilla #12185
    (http://bugzilla.kernel.org/show_bug.cgi?id=12185).

    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Tested-by: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>