Bug 207317 - [REGRESSION][POSSIBLE VULNERABILITY] CD-Rom device deadlock/race on attachment/detachment: kernel BUG at fs/inode.c:1587!
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: VFS
Hardware: All Linux
Importance: P1 high
Assignee: fs_vfs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-17 12:12 UTC by ValdikSS
Modified: 2020-04-22 22:17 UTC
CC List: 0 users

See Also:
Kernel Version: 5.5.16
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Lenovo X220 undocking dmesg (6.12 KB, text/plain), 2020-04-17 12:12 UTC, ValdikSS
Full dmesg output (128.13 KB, text/plain), 2020-04-17 12:18 UTC, ValdikSS
dmesg snippet (6.08 KB, text/plain), 2020-04-22 21:57 UTC, ValdikSS
Full dmesg output #2 (135.72 KB, text/plain), 2020-04-22 21:57 UTC, ValdikSS

Description ValdikSS 2020-04-17 12:12:38 UTC
Created attachment 288553
Lenovo X220 undocking dmesg

I'm not sure whether fs/vfs is the proper component to file this bug under; please reassign if needed.

Short description:
When a CD-ROM device, either emulated or physical, is attached to or detached from the PC, the userspace software handling the device (udisks-daemon) and the kernel may stall all block device communication, making it impossible to kill the userspace application or to shut down/reboot properly.

Detailed description:
I have a Lenovo X220 laptop with a dock. The dock includes a CD-ROM drive.
Quite frequently, when I dock and undock the laptop, I see the [attached] output in dmesg.

Snippet:
>pktcdvd: pktcdvd0: writer mapped to sr0
>ata2.00: disabled
>ata2.00: detaching (SCSI 1:0:0:0)
>ACPI: \_SB_.GDCK: undocking
>------------[ cut here ]------------
>kernel BUG at fs/inode.c:1587!
>invalid opcode: 0000 [#1] SMP NOPTI
>CPU: 0 PID: 9426 Comm: udisks-daemon Tainted: G          IOE     5.5.16-200.fc31.x86_64 #1

After that, 'udisks2' enters the 'Ds' state and cannot be killed, even with 'kill -9'. I can't properly shut down or reboot the laptop. Applications that use udisks (e.g. the Dolphin file manager) stall while communicating with udisks as well.

The same happens with the Huawei E3372 USB LTE modem.
This modem emulates a CD-ROM drive upon connection and has to be switched to the proper network mode with usb_modeswitch.
Switching the modem with usb_modeswitch also triggers this issue frequently.

Since the log says:
>invalid opcode: 0000 [#1] SMP NOPTI
I assume that there's code corruption (maybe a use-after-free or some thread race, that's only my assumption) which could possibly be exploited to get code execution with a malicious CD-ROM drive.

Versions:
Fedora 31
Kernel 5.5.16-200.fc31.x86_64 from Fedora repository, with zswap.enabled=1, mitigations=off
Lenovo ThinkPad X220 (Intel Sandy Bridge)

This began to happen somewhere around 5.3+ kernels. 4.19 does not have this issue.
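A small triage helper for the kind of oops quoted above, added here as an example; it is not code from the bug report, the kernel or udisks. It parses a dmesg excerpt (the sample below is constructed from the lines quoted in the report) for the BUG location, the task that hit it and the taint flags, classifies the trap, and can list tasks stuck in D state together with their kernel stacks on a live system. One fact worth having at hand when reading such a log: on x86 the kernel implements BUG() with the ud2 instruction, so "invalid opcode: 0000" directly after "kernel BUG at ..." is the normal signature of a failed BUG_ON assertion (the kernel trapped on purpose); what that assertion at fs/inode.c:1587 actually checks has to be read from the source of the exact kernel version, which this script does not do.

```shell
#!/bin/sh
# Oops triage helper (added example; not code from the bug report, the kernel
# or udisks). Parses a dmesg excerpt for the BUG location, trap kind, crashing
# task and taint flags, and can list D-state tasks on a live system.
# SAMPLE_DMESG is constructed from the lines quoted in the report.

SAMPLE_DMESG='pktcdvd: pktcdvd0: writer mapped to sr0
ata2.00: disabled
ata2.00: detaching (SCSI 1:0:0:0)
ACPI: \_SB_.GDCK: undocking
------------[ cut here ]------------
kernel BUG at fs/inode.c:1587!
invalid opcode: 0000 [#1] SMP NOPTI
CPU: 0 PID: 9426 Comm: udisks-daemon Tainted: G          IOE     5.5.16-200.fc31.x86_64 #1'

# file:line of the assertion that fired, e.g. "fs/inode.c:1587".
bug_location() {
    printf '%s\n' "$1" | sed -n 's/^kernel BUG at \(.*\)!$/\1/p' | head -n 1
}

# On x86, BUG() is implemented with the ud2 instruction, so an "invalid opcode"
# trap that directly follows "kernel BUG at" is a deliberate assertion trap.
# An "invalid opcode" with no BUG line is the case that needs a closer look.
trap_kind() {
    if printf '%s\n' "$1" | grep -q '^kernel BUG at ' &&
       printf '%s\n' "$1" | grep -q '^invalid opcode: '; then
        echo bug_on_assertion
    elif printf '%s\n' "$1" | grep -q '^invalid opcode: '; then
        echo unexplained_invalid_opcode
    else
        echo no_trap
    fi
}

# "PID COMM" of the task that was running when the BUG fired.
crashing_task() {
    printf '%s\n' "$1" |
        sed -n 's/^CPU: [0-9]* PID: \([0-9]*\) Comm: \([^ ]*\) .*/\1 \2/p' | head -n 1
}

# Taint letters with the padding removed, e.g. "GIOE".
taint_flags() {
    printf '%s\n' "$1" |
        sed -n 's/^CPU: .* Tainted: \([A-Z ]*\).*/\1/p' | head -n 1 | tr -d ' '
}

# Expand the taint letters; O and E (out-of-tree / unsigned module) are the
# ones upstream will ask about before looking at a BUG in core code.
describe_taint() {
    printf '%s\n' "$1" | fold -w 1 | while read -r c; do
        case $c in
            G) echo "G: all loaded modules are GPL-licensed" ;;
            P) echo "P: proprietary module loaded" ;;
            I) echo "I: platform firmware bug worked around" ;;
            O) echo "O: out-of-tree module loaded" ;;
            E) echo "E: unsigned module loaded" ;;
            D) echo "D: kernel has already oopsed" ;;
            W) echo "W: kernel has already warned (WARN_ON)" ;;
            *) echo "$c: other taint flag" ;;
        esac
    done
}

# Live check: tasks in uninterruptible sleep (state D), with their kernel
# stacks. A hung udisks-daemon would show up here. Reading /proc/PID/stack
# needs root; without it only the pid and comm are printed.
d_state_tasks() {
    for st in /proc/[0-9]*/stat; do
        pid=${st#/proc/}; pid=${pid%/stat}
        # The state is the first field after the ")" that closes the comm.
        state=$(sed 's/^[^)]*) //' "$st" 2>/dev/null | cut -d' ' -f1)
        [ "$state" = "D" ] || continue
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        if [ -r "/proc/$pid/stack" ]; then
            sed 's/^/    /' "/proc/$pid/stack"
        fi
    done
}

echo "BUG at: $(bug_location "$SAMPLE_DMESG")"
echo "trap:   $(trap_kind "$SAMPLE_DMESG")"
echo "task:   $(crashing_task "$SAMPLE_DMESG")"
echo "taint:  $(taint_flags "$SAMPLE_DMESG")"
describe_taint "$(taint_flags "$SAMPLE_DMESG")"
```

To use it on a real machine, feed it the saved oops (`dmesg > oops.txt`, then `bug_location "$(cat oops.txt)"` and so on) and run `d_state_tasks` as root while udisks is stuck; the kernel stack of the D-state task is what the VFS maintainers will want next to the oops itself.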
Comment 1 ValdikSS 2020-04-17 12:18:32 UTC
Created attachment 288555
Full dmesg output
Comment 2 ValdikSS 2020-04-22 21:56:14 UTC
Another day, another kernel oops.
Comment 3 ValdikSS 2020-04-22 21:57:00 UTC
Created attachment 288673
dmesg snippet

Snippet from dmesg
Comment 4 ValdikSS 2020-04-22 21:57:18 UTC
Created attachment 288675
Full dmesg output #2

Full dmesg output #2
Comment 5 ValdikSS 2020-04-22 22:16:05 UTC
See also: #202743. It's the same bug.
Comment 6 ValdikSS 2020-04-22 22:17:16 UTC
bug #202743