From: Greg KH <gregkh@linuxfoundation.org>
To: Philipp Leskovitz <philipp.leskovitz@secunet.com>
Cc: linux-usb@vger.kernel.org
Subject: Re: use-after-free with Lenovo Ultra Docking Station
Date: Fri, 21 Feb 2025 09:08:43 +0100
Message-ID: <2025022122-corrode-tactless-7789@gregkh>
In-Reply-To: <4dc90eac-584b-4266-8666-d34b96124722@secunet.com>

On Fri, Feb 21, 2025 at 08:48:52AM +0100, Philipp Leskovitz wrote:
> Hello Greg,
>
> I can also reproduce it without the proprietary modules. The latest BIOS
> version N2IETA5W is installed. Attached is the log file. Only dm_mod,
> intel_lpss_pci, intel_lpss, pinctrl_cannonlake and pinctrl_intel were still
> loaded. I had also activated kasan.
>
> Kernel version 6.1 seems to be one of the last versions with which the docking station works well.
>
> The error doesn't always occur. I stress the device a little bit by
> connecting the notebook to the docking station and disconnecting it again.
> Sometimes I also plug in an external power supply. This combination
> generates the error in less than 10 minutes. I also had the case that the
> device was idle for about 30 minutes. Then it was connected to the docking
> station once and the error occurred.

Your kernel log shows that this is probably a bios bug:

> [ 520.107312] pcieport 0000:03:02.0: bridge window [mem 0x00100000-0x000fffff 64bit pref] to [bus 3a] add_size 200000 add_align 100000
> [ 520.107323] pcieport 0000:03:02.0: bridge window [mem 0xa0000000-0xa01fffff 64bit pref]: assigned
> [ 520.107601] pci_bus 0000:3a: busn_res: [bus 3a] is released
> [ 520.109588] pci_bus 0000:03: busn_res: [bus 03-3a] is released
> [ 522.973010] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.RP09.PEGP.NVDN], AE_NOT_FOUND (20240827/psargs-332)
> [ 522.973048] ACPI Error: Aborting method \_SB.PCI0.LPCB.EC._Q26 due to previous error (AE_NOT_FOUND) (20240827/psparse-529)
> [ 529.409351] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.RP09.PEGP.NVDN], AE_NOT_FOUND (20240827/psargs-332)
> [ 529.409395] ACPI Error: Aborting method \_SB.PCI0.LPCB.EC._Q27 due to previous error (AE_NOT_FOUND) (20240827/psparse-529)
> [ 543.303502] usb 1-5: new high-speed USB device number 12 using xhci_hcd
> [ 543.340048] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.RP09.PEGP.NVDN], AE_NOT_FOUND (20240827/psargs-332)
> [ 543.340092] ACPI Error: Aborting method \_SB.PCI0.LPCB.EC._Q26 due to previous error (AE_NOT_FOUND) (20240827/psparse-529)

And then later:

> [ 647.629519] hub 1-5:1.0: USB hub found
> [ 647.630656] hub 1-5:1.0: 5 ports detected
> [ 647.656103] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.RP09.PEGP.NVDN], AE_NOT_FOUND (20240827/psargs-332)
> [ 647.656140] ACPI Error: Aborting method \_SB.PCI0.LPCB.EC._Q26 due to previous error (AE_NOT_FOUND) (20240827/psparse-529)
> [ 647.738644] ==================================================================
> [ 647.738648] BUG: KASAN: slab-use-after-free in sysfs_create_link+0x8a/0xc0

Boom.

Now what is odd is that sysfs_create_link is showing a use-after-free,
which it shouldn't, but as your bios is spitting out invalid device
symbols, who knows what confusion the kernel got into with regards to
creating a symlink that was already present.

So maybe go poke the bios vendor to resolve this?

thanks,

greg k-h
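
The log reading in the message above (ACPI BIOS errors preceding the KASAN report) can be repeated over a full dmesg capture with a short triage script. This is an added example, not part of the original message or of any kernel tooling; the function name `triage`, the 300-second window and the sample lines (constructed from the excerpt quoted above) are assumptions.

```python
import re

# Timestamped dmesg line, optionally prefixed by e-mail quoting ("> ").
LINE = re.compile(r"\[\s*(\d+\.\d+)\]\s+(.*)$")
ACPI = re.compile(r"ACPI BIOS Error \(bug\): Could not resolve symbol \[([^\]]+)\]")
KASAN = re.compile(r"BUG: KASAN: (\S+) in (\S+)")

# Constructed sample, modelled on the log lines quoted in the message.
SAMPLE = r"""
> [ 522.973010] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.RP09.PEGP.NVDN], AE_NOT_FOUND (20240827/psargs-332)
> [ 529.409351] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.RP09.PEGP.NVDN], AE_NOT_FOUND (20240827/psargs-332)
> [ 543.303502] usb 1-5: new high-speed USB device number 12 using xhci_hcd
> [ 543.340048] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.RP09.PEGP.NVDN], AE_NOT_FOUND (20240827/psargs-332)
> [ 647.629519] hub 1-5:1.0: USB hub found
> [ 647.656103] ACPI BIOS Error (bug): Could not resolve symbol [\_SB.PCI0.RP09.PEGP.NVDN], AE_NOT_FOUND (20240827/psargs-332)
> [ 647.738644] ==================================================================
> [ 647.738648] BUG: KASAN: slab-use-after-free in sysfs_create_link+0x8a/0xc0
"""

def triage(log, window=300.0):
    """For each KASAN report, summarise ACPI BIOS errors logged in the
    preceding `window` seconds (hypothetical helper, assumed threshold)."""
    acpi = []       # (timestamp, unresolved ACPI symbol), in log order
    findings = []
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a timestamped kernel log line
        ts, msg = float(m.group(1)), m.group(2)
        a = ACPI.search(msg)
        k = KASAN.search(msg)
        if a:
            acpi.append((ts, a.group(1)))
        elif k:
            recent = [(t, s) for t, s in acpi if 0 <= ts - t <= window]
            findings.append({
                "time": ts,
                "kind": k.group(1),            # e.g. slab-use-after-free
                "where": k.group(2),           # reporting function+offset
                "acpi_errors": len(recent),
                "symbols": sorted({s for _, s in recent}),
                "last_acpi_gap": ts - recent[-1][0] if recent else None,
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A short gap between the last ACPI error and the KASAN report shows only that the two events are close in time; it does not establish which one caused the other.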