Oops in 4.6-rc2: NULL pointer dereference in cdc-acm

From: Gabriele Mazzotta
Date: Wed Apr 06 2016 - 17:06:21 EST


Hi,

I'm getting a kernel oops when I plug a smartphone into my laptop via
USB; the laptop is currently running v4.6-rc2.

The problem seems to be caused by a81cf9799ad7 ("cdc-acm: implement
put_char() and flush_chars()").

A simple NULL pointer check prevents the crash, but since I have no
use for cdc-acm and I haven't read the code, I don't know if some other
changes are required.

Below you can find the change I made to prevent the crash and
the dmesg output showing the problem.

Regards,
Gabriele


diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 83fd30b..aa0c244 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -754,8 +754,9 @@ static void acm_tty_flush_chars(struct tty_struct *tty)

if (acm->susp_count)
usb_anchor_urb(cur->urb, &acm->delayed);
- else
+ else if (cur) {
acm_start_wb(acm, cur);
+ }
out:
spin_unlock_irqrestore(&acm->write_lock, flags);
return;
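Review bot: the NULL check only covers the `else` branch, so when `acm->susp_count` is non-zero the preceding `usb_anchor_urb(cur->urb, &acm->delayed);` still dereferences `cur` and would oops the same way. Since both branches need a valid write buffer, it is simpler and safer to bail out before the `if`, e.g. `if (!cur) goto out;` ahead of `if (acm->susp_count)`, which also removes the need for the added braces around the single-statement `acm_start_wb(acm, cur);` call (kernel style avoids them).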


<6>[ 46.942493] cdc_acm 2-1:1.0: ttyACM0: USB ACM device
<6>[ 46.942716] usbcore: registered new interface driver cdc_acm
<6>[ 46.942718] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
<6>[ 46.946245] usb-storage 2-1:1.3: USB Mass Storage device detected
<1>[ 46.946751] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
<1>[ 46.946790] IP: [<ffffffffa0331138>] acm_start_wb+0x18/0xb0 [cdc_acm]
<4>[ 46.946824] PGD 0
<4>[ 46.946836] Oops: 0000 [#1] SMP
<4>[ 46.946855] Modules linked in: usb_storage(+) cdc_acm rfcomm ccm bnep uvcvideo videobuf2_vmalloc videobuf2_memops btusb videobuf2_v4l2 btintel videobuf2_core videodev bluetooth hid_multitouch media usbhid vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) arc4 joydev binfmt_misc nls_utf8 nls_cp437 dell_wmi sparse_keymap x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm iTCO_wdt irqbypass iTCO_vendor_support hid_rmi crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel dell_laptop dell_smbios dcdbas dell_smm_hwmon snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic mac80211 aesni_intel aes_x86_64 glue_helper lrw ablk_helper cryptd psmouse cfg80211 serio_raw sg snd_hda_intel rfkill snd_hda_codec snd_hwdep snd_hda_core xhci_pci ehci_pci xhci_hcd snd_pcm ehci_hcd usbcore snd_timer snd lpc_ich usb_common soundcore mfd_core shpchp i2c_i801 thermal wmi battery i2c_hid hid acpi_als kfifo_buf industrialio sdhci_acpi sdhci mmc_core
i2c_designware_platform i2c_designware_core evdev intel_rst ac parport_pc ppdev lp parport [last unloaded: iwlwifi]
<4>[ 46.947425] CPU: 2 PID: 84 Comm: kworker/u8:3 Tainted: G U O 4.6.0-rc2+ #1
<4>[ 46.947461] Hardware name: Dell Inc. XPS13 9333/0HP75V, BIOS A07 03/27/2015
<4>[ 46.947496] Workqueue: events_unbound flush_to_ldisc
<4>[ 46.947521] task: ffff88021541c100 ti: ffff8800d04c8000 task.ti: ffff8800d04c8000
<4>[ 46.947555] RIP: 0010:[<ffffffffa0331138>] [<ffffffffa0331138>] acm_start_wb+0x18/0xb0 [cdc_acm]
<4>[ 46.947598] RSP: 0018:ffff8800d04cbd10 EFLAGS: 00010006
<4>[ 46.947623] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
<4>[ 46.947655] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8800d056d000
<4>[ 46.947688] RBP: ffff8800d056d000 R08: 0000000000000002 R09: 0000000000000000
<4>[ 46.947720] R10: 0000000000000002 R11: ffff8800ac270040 R12: 0000000000000246
<4>[ 46.947753] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000f832a8
<4>[ 46.947786] FS: 0000000000000000(0000) GS:ffff88021f300000(0000) knlGS:0000000000000000
<4>[ 46.947823] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 46.947850] CR2: 0000000000000018 CR3: 00000000cfc99000 CR4: 00000000001406e0
<4>[ 46.947882] Stack:
<4>[ 46.947892] 0000000000000009 ffff8800d056d000 ffff8800d056d744 ffffffffa03318ee
<4>[ 46.947932] ffff8801dac26c00 ffffc90000f81000 ffffc90000f81000 0000000000000009
<4>[ 46.947971] 0000000000000000 ffffffff814032c5 ffff8802123cb420 ffffc90000f81000
<4>[ 46.948010] Call Trace:
<4>[ 46.948024] [<ffffffffa03318ee>] ? acm_tty_flush_chars+0x5e/0x90 [cdc_acm]
<4>[ 46.948057] [<ffffffff814032c5>] ? n_tty_receive_buf_common+0x665/0xb30
<4>[ 46.948090] [<ffffffff8109aed0>] ? pick_next_task_fair+0xf0/0x440
<4>[ 46.948120] [<ffffffff81405dae>] ? flush_to_ldisc+0xbe/0x130
<4>[ 46.948148] [<ffffffff8107b9a4>] ? process_one_work+0x164/0x480
<4>[ 46.948176] [<ffffffff8107bd0a>] ? worker_thread+0x4a/0x4f0
<4>[ 46.948203] [<ffffffff8107bcc0>] ? process_one_work+0x480/0x480
<4>[ 46.948232] [<ffffffff8108146d>] ? kthread+0xbd/0xe0
<4>[ 46.948258] [<ffffffff816e0282>] ? ret_from_fork+0x22/0x40
<4>[ 46.948285] [<ffffffff810813b0>] ? kthread_create_on_node+0x180/0x180
<4>[ 46.948315] Code: 40 09 c8 09 d0 c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 fd 53 48 89 f3 48 83 ec 08 83 87 40 07 00 00 01 <48> 8b 46 18 48 8b 16 48 89 50 68 48 8b 46 18 48 8b 56 08 48 89
<1>[ 46.948488] RIP [<ffffffffa0331138>] acm_start_wb+0x18/0xb0 [cdc_acm]
<4>[ 46.948517] RSP <ffff8800d04cbd10>
<4>[ 46.948532] CR2: 0000000000000018
<4>[ 46.959254] ---[ end trace 006fe18e3212a836 ]---