From: Philipp Leskovitz <philipp.leskovitz@secunet.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: <linux-usb@vger.kernel.org>
Subject: Re: use-after-free with Lenovo Ultra Docking Station
Date: Wed, 19 Feb 2025 08:35:37 +0100
Message-ID: <e48ff1fe-4e44-41b8-861d-cff2b9b509bd@secunet.com>
In-Reply-To: <2025021853-stained-scared-9e60@gregkh>
Hello Greg,
Thank you for your message. With kernel 6.13.0 I get a different error message when I click the notebook Lenovo T490 into or out of the docking station (ThinkPad Ultra Docking Station, Type 40AJ).
<4>[ 0.568971] ------------[ cut here ]------------
<2>[ 0.568973] kernel BUG at drivers/pci/setup-bus.c:2156!
<4>[ 0.568981] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 0.568992] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.13.0-devel+ #1
<4>[ 0.569001] Hardware name: LENOVO 20N2S00600/20N2S00600, BIOS N2IET91S (3.69 ) 02/02/2021
<4>[ 0.569008] RIP: 0010:pci_assign_unassigned_root_bus_resources+0x23f/0x370
<4>[ 0.569020] Code: ff ff 48 89 da 4c 89 f7 48 8d 74 24 20 e8 29 f7 ff ff 4c 8b 74 24 20 48 8d 54 24 20 8b 44 24 18 4c 39 f2 0f 84 aa fe ff ff 90 <0f> 0b 83 7c 24 1c ff 0f 84 d7 00 00 00 83 7c 24 1c 03 0f 84 e9 00
<4>[ 0.569033] RSP: 0000:ffffbd8680083dd0 EFLAGS: 00010206
<4>[ 0.569041] RAX: 0000000000000000 RBX: ffffbd8680083e00 RCX: 000000000000003e
<4>[ 0.569048] RDX: ffffbd8680083df0 RSI: 0000000000000000 RDI: ffffffff9ca926d9
<4>[ 0.569055] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000002
<4>[ 0.569061] R10: 0000000000000000 R11: ffffffff9ca4f1a0 R12: dead000000000122
<4>[ 0.569067] R13: dead000000000100 R14: ffffa35401dca060 R15: 0000000000000000
<4>[ 0.569073] FS: 0000000000000000(0000) GS:ffffa3597c4c0000(0000) knlGS:0000000000000000
<4>[ 0.569081] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 0.569087] CR2: 0000000000000000 CR3: 00000002a562e001 CR4: 00000000003706f0
<4>[ 0.569093] Call Trace:
<4>[ 0.569098] <TASK>
<4>[ 0.569102] ? die+0x36/0x90
<4>[ 0.569111] ? do_trap+0xdc/0x100
<4>[ 0.569119] ? pci_assign_unassigned_root_bus_resources+0x23f/0x370
<4>[ 0.569127] ? do_error_trap+0x6d/0xb0
<4>[ 0.569133] ? pci_assign_unassigned_root_bus_resources+0x23f/0x370
<4>[ 0.569142] ? exc_invalid_op+0x51/0x70
<4>[ 0.569150] ? pci_assign_unassigned_root_bus_resources+0x23f/0x370
<4>[ 0.569158] ? asm_exc_invalid_op+0x1a/0x20
<4>[ 0.569166] ? __pfx_pci_conf1_write+0x10/0x10
<4>[ 0.569174] ? _raw_spin_unlock_irqrestore+0x19/0x40
<4>[ 0.569182] ? pci_assign_unassigned_root_bus_resources+0x23f/0x370
<4>[ 0.569194] pci_assign_unassigned_resources+0x23/0x90
<4>[ 0.569202] pcibios_assign_resources+0x43/0xe0
<4>[ 0.569210] ? __pfx_pcibios_assign_resources+0x10/0x10
<4>[ 0.569217] do_one_initcall+0x58/0x230
<4>[ 0.569228] kernel_init_freeable+0x166/0x290
<4>[ 0.569236] ? __pfx_kernel_init+0x10/0x10
<4>[ 0.569243] kernel_init+0x1a/0x1c0
<4>[ 0.569249] ret_from_fork+0x31/0x50
<4>[ 0.569257] ? __pfx_kernel_init+0x10/0x10
<4>[ 0.569263] ret_from_fork_asm+0x1a/0x30
<4>[ 0.569274] </TASK>
<4>[ 0.569277] Modules linked in:
<4>[ 0.569284] ---[ end trace 0000000000000000 ]---
<4>[ 0.575226] RIP: 0010:pci_assign_unassigned_root_bus_resources+0x23f/0x370
<4>[ 0.575240] Code: ff ff 48 89 da 4c 89 f7 48 8d 74 24 20 e8 29 f7 ff ff 4c 8b 74 24 20 48 8d 54 24 20 8b 44 24 18 4c 39 f2 0f 84 aa fe ff ff 90 <0f> 0b 83 7c 24 1c ff 0f 84 d7 00 00 00 83 7c 24 1c 03 0f 84 e9 00
<4>[ 0.575254] RSP: 0000:ffffbd8680083dd0 EFLAGS: 00010206
<4>[ 0.575262] RAX: 0000000000000000 RBX: ffffbd8680083e00 RCX: 000000000000003e
<4>[ 0.575269] RDX: ffffbd8680083df0 RSI: 0000000000000000 RDI: ffffffff9ca926d9
<4>[ 0.575276] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000002
<4>[ 0.575283] R10: 0000000000000000 R11: ffffffff9ca4f1a0 R12: dead000000000122
<4>[ 0.575289] R13: dead000000000100 R14: ffffa35401dca060 R15: 0000000000000000
<4>[ 0.575296] FS: 0000000000000000(0000) GS:ffffa3597c4c0000(0000) knlGS:0000000000000000
<4>[ 0.575304] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 0.575310] CR2: 0000000000000000 CR3: 00000002a562e001 CR4: 00000000003706f0
<0>[ 0.575317] Kernel panic - not syncing: Fatal exception
Best regards.
Philipp
> On Tue, Feb 18, 2025 at 07:52:34AM +0100, Philipp Leskovitz wrote:
>> [1.] One line summary of the problem:
>> A use-after-free is triggered when the device ThinkPad Ultra Docking Station is connected.
>>
>> [2.] Full description of the problem/report:
>>
>> When I click the notebook into the docking station (ThinkPad Ultra Docking
>> Station, Type 40AJ), a kernel crash sometimes occurs. I think the function
>> kernfs_new_node (fs/kernfs/dir.c) accesses a memory that has already been
>> released. It looks to me that an access in this function occurs with the
>> query "parent->mode & S_ISGID". The error occurs with kernel version 6.8.12
>> and 6.12.x.
>>
>> general protection fault, probably for non-canonical address 0xfefefefefefeff3d: 0000 [#1] PREEMPT SMP NOPTI
>> CPU: 7 PID: 2433 Comm: kworker/7:3 Tainted: P O T 6.8.12-grsec+ #1
>
> 6.8.12 is a very old, and obsolete, unsupported, and known-buggy kernel
> version. Does this also happen on the latest release (i.e. 6.13.3) or
> our development tree (6.14-rc3)?
>
> Lots of work has happened in the year in this driver since 6.8 was
> released.
>
> thanks,
>
> greg k-h
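Added triage example (not part of the thread, and not code from either correspondent): a small parser that reads the x86_64 oops above and pulls out the facts a maintainer looks at first, namely the `kernel BUG at file:line` site, the faulting symbol and offset in `RIP`, and any general-purpose register holding a list poison value. The constants are the real ones from `include/linux/poison.h` (on x86_64 `POISON_POINTER_DELTA` is `0xdead000000000000`, and `list_del()` stores `LIST_POISON1`/`LIST_POISON2` into the removed entry's `next`/`prev`). In the dump above, `R12 = dead000000000122` and `R13 = dead000000000100` are exactly those two values, which is the usual sign that an already-unlinked list entry is still being walked; the reading of what that implies for this particular bug is an inference, not something the thread establishes. The sample text is copied from the mail, with the general-protection-fault line from the original 6.8.12 report added so the canonical-address check is exercised too.

```python
"""Triage helper for an x86_64 kernel oops register dump (added example)."""
import re

# From include/linux/poison.h. On x86_64, POISON_POINTER_DELTA is
# CONFIG_ILLEGAL_POINTER_VALUE = 0xdead000000000000; list_del() writes
# LIST_POISON1 into ->next and LIST_POISON2 into ->prev of the removed entry,
# so dereferencing either one faults instead of silently corrupting memory.
POISON_POINTER_DELTA = 0xDEAD000000000000
LIST_POISON1 = POISON_POINTER_DELTA + 0x100
LIST_POISON2 = POISON_POINTER_DELTA + 0x122
POISON_NAMES = {LIST_POISON1: "LIST_POISON1", LIST_POISON2: "LIST_POISON2"}

# Lines copied from the 6.13.0 oops in the mail above; the printk level and
# timestamp prefixes are kept so the parser sees realistic input.
SAMPLE_OOPS = """\
<2>[ 0.568973] kernel BUG at drivers/pci/setup-bus.c:2156!
<4>[ 0.568981] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 0.569008] RIP: 0010:pci_assign_unassigned_root_bus_resources+0x23f/0x370
<4>[ 0.569033] RSP: 0000:ffffbd8680083dd0 EFLAGS: 00010206
<4>[ 0.569041] RAX: 0000000000000000 RBX: ffffbd8680083e00 RCX: 000000000000003e
<4>[ 0.569048] RDX: ffffbd8680083df0 RSI: 0000000000000000 RDI: ffffffff9ca926d9
<4>[ 0.569055] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000002
<4>[ 0.569061] R10: 0000000000000000 R11: ffffffff9ca4f1a0 R12: dead000000000122
<4>[ 0.569067] R13: dead000000000100 R14: ffffa35401dca060 R15: 0000000000000000
"""
# The general protection fault line from the original 6.8.12 report.
SAMPLE_GPF = ("general protection fault, probably for non-canonical address "
              "0xfefefefefefeff3d: 0000 [#1] PREEMPT SMP NOPTI")

BUG_RE = re.compile(r"kernel BUG at (\S+?):(\d+)!")
RIP_RE = re.compile(r"RIP: 0010:([A-Za-z_]\w*)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
# General-purpose registers only: RAX..RBP and R08..R15. RSP is printed with a
# segment prefix ("0000:...") and is deliberately not matched here.
REG_RE = re.compile(
    r"\b(R(?:AX|BX|CX|DX|SI|DI|BP)|R(?:0[89]|1[0-5])): ([0-9a-f]{16})\b")
GPF_RE = re.compile(r"non-canonical address 0x([0-9a-f]+)")


def is_canonical(addr: int) -> bool:
    """x86_64 48-bit VA rule: bits 63..47 must all be 0 or all be 1."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def parse_registers(text: str) -> dict:
    """Return {register name: integer value} for every GPR line found."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def poisoned_registers(regs: dict) -> dict:
    """Map register name -> poison name for values equal to a known poison."""
    return {n: POISON_NAMES[v] for n, v in regs.items() if v in POISON_NAMES}


def triage(text: str) -> dict:
    """Summarise the pieces of an oops that steer the first look at the bug."""
    report = {"bug_site": None, "rip": None, "poisoned": {}, "non_canonical": None}
    m = BUG_RE.search(text)
    if m:
        report["bug_site"] = (m.group(1), int(m.group(2)))
    m = RIP_RE.search(text)
    if m:
        # (symbol, offset into symbol, symbol size) as printed by the kernel
        report["rip"] = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
    report["poisoned"] = poisoned_registers(parse_registers(text))
    m = GPF_RE.search(text)
    if m:
        addr = int(m.group(1), 16)
        # Only report the address when it really is non-canonical, so a
        # mislabelled line does not send the reader down the wrong path.
        report["non_canonical"] = None if is_canonical(addr) else addr
    return report


if __name__ == "__main__":
    for label, text in (("6.13.0 oops", SAMPLE_OOPS), ("6.8.12 GPF", SAMPLE_GPF)):
        print(label, triage(text))
```

Run on the 6.13.0 dump the script reports the BUG site `drivers/pci/setup-bus.c:2156`, `RIP` inside `pci_assign_unassigned_root_bus_resources` at offset `0x23f`, and `R12`/`R13` holding `LIST_POISON2`/`LIST_POISON1`; on the 6.8.12 line it confirms that `0xfefefefefefeff3d` is indeed non-canonical, which is why the CPU raised a general protection fault rather than a page fault.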