Bug 29976

Summary: kernel NULL pointer dereference in symbolserial
Product: Sisyphus
Reporter: Vadim Zelenin <VadimZelenin>
Component: kernel-image-std-def
Assignee: Vitaly Chikunov <vt>
Status: NEW ---
QA Contact: qa-sisyphus
Severity: normal
Priority: P3
CC: kernelbot, placeholder, vt
Version: unstable
Hardware: all
OS: Linux
Bug Depends on:
Bug Blocks: 29989
Attachments:
Description                                                  Flags
diff between the original symbolserial.c and the fixed one   none

Description Vadim Zelenin 2014-04-08 17:55:52 MSK
When a kraftway KLS-02D scanner (an "adapted" Motorola Symbol DS4208) is connected
and the symbolserial driver is used, an error is logged.

On 3.10.34-std-def-alt1 x86_64:

[   54.290502] usb 1-1.5: new full-speed USB device number 3 using ehci-pci
[   54.435435] usbcore: registered new interface driver usbserial
[   54.435443] usbcore: registered new interface driver usbserial_generic
[   54.435449] usbserial: USB Serial support registered for generic
[   54.435783] usbcore: registered new interface driver symbolserial
[   54.435793] usbserial: USB Serial support registered for symbol
[   54.435802] symbolserial 1-1.5:1.0: symbol converter detected
[   54.435873] usb 1-1.5: symbol converter now attached to ttyUSB0
[   54.511060] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   54.511300] IP: [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.511481] PGD 429323067 PUD 429315067 PMD 0 
[   54.511624] Oops: 0002 [#1] SMP 
[   54.511728] Modules linked in: symbolserial usbserial nvidia(PO) drm vhost_net bnep tun macvtap macvlan uinput bluetooth af_packet vboxnetadp(O) vboxnetflt(O) ipv6 pci_stub vboxpci(O) vboxdrv(O) hid_generic usbhid hid coretemp intel_powerclamp kvm_intel kvm snd_hda_codec_hdmi eeepc_wmi crc32_pclmul asus_wmi crc32c_intel ghash_clmulni_intel i2c_i801 i2c_core cryptd sparse_keymap rfkill hwmon pci_hotplug sr_mod cdrom iTCO_wdt xhci_hcd pcspkr acpi_cpufreq iTCO_vendor_support mperf microcode ehci_pci ehci_hcd r8169 usbcore snd_hda_codec_realtek snd_hda_intel snd_hda_codec mxm_wmi mii snd_hwdep snd_pcm usb_common processor lpc_ich snd_seq_midi snd_seq_midi_event snd_seq snd_page_alloc wmi snd_rawmidi snd_seq_device video snd_timer snd soundcore button dm_mod ext4 crc16 mbcache jbd2 sd_mod crc_t10dif ahci
[   54.514183]  libahci libata evdev scsi_mod autofs4
[   54.514312] CPU: 0 PID: 912 Comm: ModemManager Tainted: P           O 3.10.34-std-def-alt1 #1
[   54.514555] Hardware name: System manufacturer System Product Name/P8Z68-V LX, BIOS 0703 10/21/2011
[   54.514814] task: ffff88042ab78700 ti: ffff880428cb2000 task.ti: ffff880428cb2000
[   54.515027] RIP: 0010:[<ffffffff81043a19>]  [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.515274] RSP: 0018:ffff880428cb3ab8  EFLAGS: 00010082
[   54.515426] RAX: 0000000000000100 RBX: 0000000000000286 RCX: 0000000000000000
[   54.515630] RDX: 0000000000000003 RSI: 0000000000000286 RDI: 0000000000000000
[   54.515833] RBP: ffff880428cb3ab8 R08: 0000000000000000 R09: 0000000000000001
[   54.516036] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88041505a000
[   54.516240] R13: ffff88041505a008 R14: ffff8804285e3c00 R15: ffff8804285e3c00
[   54.516444] FS:  00007f861fd647c0(0000) GS:ffff88043f400000(0000) knlGS:0000000000000000
[   54.516674] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   54.516839] CR2: 0000000000000000 CR3: 0000000428c9e000 CR4: 00000000000407f0
[   54.517042] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   54.517246] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   54.517449] Stack:
[   54.517506]  ffff880428cb3ac8 ffffffff81043ad3 ffff880428cb3ae8 ffffffff814d96c7
[   54.517739]  0000000000000000 ffff88041505a000 ffff880428cb3b08 ffffffffa04ca03c
[   54.523667]  ffff88041a977b68 ffff88041a977b00 ffff880428cb3b48 ffffffffa05792f5
[   54.529614] Call Trace:
[   54.535534]  [<ffffffff81043ad3>] default_spin_lock_flags+0x13/0x20
[   54.541599]  [<ffffffff814d96c7>] _raw_spin_lock_irqsave+0x47/0x60
[   54.547545]  [<ffffffffa04ca03c>] symbol_open+0x1c/0x70 [symbolserial]
[   54.553430]  [<ffffffffa05792f5>] serial_port_activate+0x75/0xa0 [usbserial]
[   54.559309]  [<ffffffff81346163>] ? tty_port_tty_set+0x63/0xa0
[   54.565139]  [<ffffffff81346870>] tty_port_open+0xb0/0x100
[   54.570957]  [<ffffffffa057963d>] serial_open+0x1d/0x20 [usbserial]
[   54.576732]  [<ffffffff8133d6fc>] tty_open+0x17c/0x5a0
[   54.582327]  [<ffffffff811835a3>] chrdev_open+0xb3/0x1b0
[   54.587772]  [<ffffffff8117c903>] do_dentry_open+0x203/0x290
[   54.593072]  [<ffffffff811834f0>] ? cdev_put+0x30/0x30
[   54.598187]  [<ffffffff8117c9c0>] finish_open+0x30/0x40
[   54.603149]  [<ffffffff8118d8e9>] do_last+0x6f9/0xef0
[   54.607973]  [<ffffffff8118a3ff>] ? link_path_walk+0x6f/0x870
[   54.612656]  [<ffffffff8119d6ff>] ? mntput+0x1f/0x30
[   54.617181]  [<ffffffff8118898d>] ? path_put+0x1d/0x30
[   54.621590]  [<ffffffff8118e191>] path_openat+0xb1/0x4c0
[   54.625865]  [<ffffffff81144e8d>] ? handle_mm_fault+0x2ad/0x3c0
[   54.630033]  [<ffffffff814dd4b4>] ? __do_page_fault+0x224/0x520
[   54.634074]  [<ffffffff8118ee3c>] do_filp_open+0x3c/0x90
[   54.637988]  [<ffffffff8119b935>] ? __alloc_fd+0xd5/0x130
[   54.641777]  [<ffffffff8117dcbf>] do_sys_open+0xef/0x1d0
[   54.645499]  [<ffffffff8101fdb0>] ? syscall_trace_enter+0x20/0x240
[   54.649318]  [<ffffffff8117ddbd>] SyS_open+0x1d/0x20
[   54.653135]  [<ffffffff814e1d37>] tracesys+0xdd/0xe2
[   54.656937] Code: 00 00 48 c7 c1 31 38 04 81 48 c7 c2 2e 38 04 81 e9 dd fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 b8 00 01 00 00 48 89 e5 <f0> 66 0f c1 07 0f b6 d4 38 c2 74 0c 0f 1f 00 f3 90 0f b6 07 38 
[   54.669149] RIP  [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.673182]  RSP <ffff880428cb3ab8>
[   54.677189] CR2: 0000000000000000
[   54.681217] ---[ end trace 8da18c5391c8fa84 ]---

On 3.12.16-std-def-alt1 x86_64:

[   88.461810] usb 3-1.5: new full-speed USB device number 3 using ehci-pci
[   88.631979] usbcore: registered new interface driver usbserial
[   88.631991] usbcore: registered new interface driver usbserial_generic
[   88.632000] usbserial: USB Serial support registered for generic
[   88.632439] usbcore: registered new interface driver symbolserial
[   88.632450] usbserial: USB Serial support registered for symbol
[   88.632463] symbolserial 3-1.5:1.0: symbol converter detected
[   88.632532] usb 3-1.5: symbol converter now attached to ttyUSB0
[   88.711811] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   88.728682] IP: [<ffffffff8150b09a>] _raw_spin_lock_irqsave+0x2a/0x80
[   88.737141] PGD 42887a067 PUD 429e56067 PMD 0 
[   88.745398] Oops: 0002 [#1] SMP 
[   88.753385] Modules linked in: symbolserial usbserial nvidia(PO) drm vhost_net tun vhost macvtap macvlan bnep kvm_intel uinput kvm bluetooth af_packet vboxnetadp(O) vboxnetflt(O) pci_stub vboxpci(O) ipv6 vboxdrv(O) hid_generic usbhid hid snd_hda_codec_hdmi snd_hda_codec_realtek xhci_hcd eeepc_wmi asus_wmi i2c_i801 sparse_keymap ehci_pci rfkill snd_hda_intel snd_hda_codec ehci_hcd hwmon usbcore iTCO_wdt snd_hwdep snd_pcm iTCO_vendor_support usb_common snd_page_alloc sr_mod i2c_core r8169 cdrom lpc_ich mii pcspkr mxm_wmi processor wmi video snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore button dm_mod ext4 crc16 mbcache jbd2 sd_mod crc_t10dif crct10dif_common ahci libahci libata evdev scsi_mod autofs4
[   88.821371] CPU: 0 PID: 978 Comm: ModemManager Tainted: P           O 3.12.16-std-def-alt1 #1
[   88.830388] Hardware name: System manufacturer System Product Name/P8Z68-V LX, BIOS 0703 10/21/2011
[   88.848247] task: ffff880428f260c0 ti: ffff880428f9a000 task.ti: ffff880428f9a000
[   88.857460] RIP: 0010:[<ffffffff8150b09a>]  [<ffffffff8150b09a>] _raw_spin_lock_irqsave+0x2a/0x80
[   88.866921] RSP: 0018:ffff880428f9baf0  EFLAGS: 00010086
[   88.876318] RAX: 0000000000000282 RBX: 0000000000000000 RCX: 0000000000000002
[   88.885827] RDX: 0000000000000200 RSI: ffff880428bd6000 RDI: 0000000000000000
[   88.895389] RBP: ffff880428f9bb08 R08: 0000000000000282 R09: 00000000002ffeb4
[   88.904926] R10: 0000000000004328 R11: 0000000000000000 R12: ffff880428bd6000
[   88.914412] R13: ffff880428bd6008 R14: ffff880418542800 R15: ffff880418542800
[   88.923894] FS:  00007ffa58c227c0(0000) GS:ffff88043f400000(0000) knlGS:0000000000000000
[   88.933627] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   88.943270] CR2: 0000000000000000 CR3: 0000000428bfa000 CR4: 00000000000407f0
[   88.953043] Stack:
[   88.962758]  ffffffffa03f103c ffff880418a8a7e8 ffff880418a8a780 ffff880428f9bb48
[   88.972876]  ffffffffa0586325 ffff880428f9bb48 ffffffff8137948c ffff880428bd6008
[   88.983015]  ffff880418542800 ffff880428bd6110 ffff88042a9da080 ffff880428f9bb88
[   88.993168] Call Trace:
[   89.003256]  [<ffffffffa03f103c>] ? symbol_open+0x1c/0x70 [symbolserial]
[   89.013604]  [<ffffffffa0586325>] serial_port_activate+0x75/0xa0 [usbserial]
[   89.023950]  [<ffffffff8137948c>] ? tty_port_tty_set+0x6c/0xb0
[   89.034236]  [<ffffffff81379bfe>] tty_port_open+0xae/0x170
[   89.044421]  [<ffffffff8137019a>] ? tty_init_dev+0xaa/0x1d0
[   89.054385]  [<ffffffffa05865ed>] serial_open+0x1d/0x20 [usbserial]
[   89.064191]  [<ffffffff81370a65>] tty_open+0x165/0x5c0
[   89.073861]  [<ffffffff8119c026>] chrdev_open+0x96/0x1c0
[   89.083415]  [<ffffffff81195313>] do_dentry_open+0x203/0x290
[   89.092961]  [<ffffffff8119bf90>] ? cdev_put+0x30/0x30
[   89.102318]  [<ffffffff811953d0>] finish_open+0x30/0x40
[   89.111419]  [<ffffffff811a67d6>] do_last+0x6d6/0xf80
[   89.120265]  [<ffffffff811a713d>] path_openat+0xbd/0x670
[   89.128866]  [<ffffffff811a2bab>] ? getname_flags.part.25+0x2b/0x140
[   89.137316]  [<ffffffff811a7f1e>] do_filp_open+0x3e/0xa0
[   89.145468]  [<ffffffff811b422e>] ? __alloc_fd+0xce/0x120
[   89.153346]  [<ffffffff81196837>] do_sys_open+0x137/0x220
[   89.160963]  [<ffffffff8119693d>] SyS_open+0x1d/0x20
[   89.168362]  [<ffffffff81513987>] tracesys+0xdd/0xe2
[   89.175500] Code: 00 48 83 3d 68 fa 28 00 00 74 30 9c 58 66 66 90 66 90 48 83 3d 67 fa 28 00 00 49 89 c0 74 4a fa 66 66 90 66 66 90 ba 00 02 00 00 <f0> 66 0f c1 17 0f b6 ce 38 d1 75 06 4c 89 c0 c3 0f 0b 83 e1 fe 
[   89.197496] RIP  [<ffffffff8150b09a>] _raw_spin_lock_irqsave+0x2a/0x80
[   89.204639]  RSP <ffff880428f9baf0>
[   89.211646] CR2: 0000000000000000
[   89.218652] ---[ end trace 39155a05d64827ec ]---

see http://forum.altlinux.org/index.php?topic=32239
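Added example, not part of this bug report or of the kernel sources: a small Python parser for the oops format shown in the two dumps above. It pulls out the faulting function from the IP line, the fault address from CR2, the first-argument register RDI (on x86-64 the kernel passes the first C argument, here the spinlock pointer, in RDI) and the call-trace frames with their module tags, so a triager can confirm mechanically what the dumps show by eye: the spinlock routine was handed a NULL pointer from symbol_open in the symbolserial module. The two sample strings are trimmed copies of the report's own dumps; the names parse_oops, triage, Frame and Oops are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: trimmed copies of the two oops dumps in the report
# (BUG/IP lines, the registers the triage needs, and the call trace).
OOPS_3_10 = """\
[   54.511060] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   54.511300] IP: [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.515027] RIP: 0010:[<ffffffff81043a19>]  [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.515426] RAX: 0000000000000100 RBX: 0000000000000286 RCX: 0000000000000000
[   54.515630] RDX: 0000000000000003 RSI: 0000000000000286 RDI: 0000000000000000
[   54.516839] CR2: 0000000000000000 CR3: 0000000428c9e000 CR4: 00000000000407f0
[   54.517449] Stack:
[   54.517506]  ffff880428cb3ac8 ffffffff81043ad3 ffff880428cb3ae8 ffffffff814d96c7
[   54.529614] Call Trace:
[   54.535534]  [<ffffffff81043ad3>] default_spin_lock_flags+0x13/0x20
[   54.541599]  [<ffffffff814d96c7>] _raw_spin_lock_irqsave+0x47/0x60
[   54.547545]  [<ffffffffa04ca03c>] symbol_open+0x1c/0x70 [symbolserial]
[   54.553430]  [<ffffffffa05792f5>] serial_port_activate+0x75/0xa0 [usbserial]
[   54.559309]  [<ffffffff81346163>] ? tty_port_tty_set+0x63/0xa0
[   54.565139]  [<ffffffff81346870>] tty_port_open+0xb0/0x100
[   54.570957]  [<ffffffffa057963d>] serial_open+0x1d/0x20 [usbserial]
[   54.576732]  [<ffffffff8133d6fc>] tty_open+0x17c/0x5a0
[   54.653135]  [<ffffffff814e1d37>] tracesys+0xdd/0xe2
[   54.669149] RIP  [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.681217] ---[ end trace 8da18c5391c8fa84 ]---
"""
OOPS_3_12 = """\
[   88.711811] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   88.728682] IP: [<ffffffff8150b09a>] _raw_spin_lock_irqsave+0x2a/0x80
[   88.885827] RDX: 0000000000000200 RSI: ffff880428bd6000 RDI: 0000000000000000
[   88.943270] CR2: 0000000000000000 CR3: 0000000428bfa000 CR4: 00000000000407f0
[   88.993168] Call Trace:
[   89.003256]  [<ffffffffa03f103c>] ? symbol_open+0x1c/0x70 [symbolserial]
[   89.013604]  [<ffffffffa0586325>] serial_port_activate+0x75/0xa0 [usbserial]
[   89.023950]  [<ffffffff8137948c>] ? tty_port_tty_set+0x6c/0xb0
[   89.034236]  [<ffffffff81379bfe>] tty_port_open+0xae/0x170
[   89.054385]  [<ffffffffa05865ed>] serial_open+0x1d/0x20 [usbserial]
"""

TS_RE = re.compile(r'^\[\s*\d+\.\d+\]')                      # "[   54.511060]" prefix
# "[<addr>] ? func+0xoff/0xsize [module]"; the "? " and "[module]" parts are optional
FRAME_RE = re.compile(
    r'\[<([0-9a-f]+)>\]\s+(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?')
REG_RE = re.compile(r'\b([A-Z0-9]{2,3}):\s+([0-9a-f]{16})\b')  # "RDI: 0000000000000000"
ARG0 = 'RDI'  # x86-64 calling convention: first integer argument (the lock pointer here)

@dataclass
class Frame:
    addr: int
    func: str
    module: Optional[str]   # None for core kernel text
    reliable: bool          # False when the unwinder marked the frame with '?'

@dataclass
class Oops:
    fault: str = ""
    ip: str = ""                                    # function at the faulting instruction
    regs: dict = field(default_factory=dict)
    frames: list = field(default_factory=list)

def parse_oops(text):
    oops, in_trace = Oops(), False
    for raw in text.splitlines():
        line = ' '.join(TS_RE.sub('', raw, count=1).split())   # drop timestamp, squeeze blanks
        if line.startswith('BUG:'):
            oops.fault = line[len('BUG:'):].strip()
        elif line.startswith('IP:'):
            m = FRAME_RE.search(line)
            if m:
                oops.ip = m.group(3)
        elif line.startswith('Call Trace:'):
            in_trace = True
        elif in_trace and line.startswith('[<'):
            m = FRAME_RE.search(line)
            if m:
                oops.frames.append(Frame(int(m.group(1), 16), m.group(3), m.group(4), m.group(2) is None))
        else:
            for name, val in REG_RE.findall(line):          # register dump and CR2/CR3 lines
                oops.regs[name] = int(val, 16)
    return oops

def innermost_module_frame(oops):
    """First frame living in a loadable module: the usual first suspect, since core
    helpers such as the spinlock code only act on the pointer they were given."""
    return next((f for f in oops.frames if f.module), None)

def triage(text):
    oops = parse_oops(text)
    s = innermost_module_frame(oops)
    return {
        'null_deref': 'NULL pointer dereference' in oops.fault,
        'faulting_function': oops.ip,
        'fault_address': oops.regs.get('CR2'),
        'arg0_is_null': oops.regs.get(ARG0) == 0,
        'suspect': (s.func, s.module, s.reliable) if s else None,
        'path_through_modules': [f.module for f in oops.frames if f.module],
    }

if __name__ == '__main__':
    for name, dump in (('3.10.34', OOPS_3_10), ('3.12.16', OOPS_3_12)):
        print(name, triage(dump))
```

Frames the unwinder prints with a leading "?" are addresses found on the stack that may be stale, so the parser keeps that flag instead of discarding them: in the 3.12 dump symbol_open is marked that way, and triage still reports it as the innermost module frame but with reliable=False, so the reader knows to confirm it against the 3.10 dump, where the same frame is unmarked.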
Comment 1 Vadim Zelenin 2014-04-10 21:07:50 MSK
Created attachment 6082
diff between the original symbolserial.c and the fixed one

The bug was introduced by Johan Hovold in April 2013;
as the author writes,
"All patches have been compile-tested only."
Judging by http://permalink.gmane.org/gmane.linux.usb.general/85260,
the other modules need to be inspected as well :(
Comment 2 Andrey Cherepanov 2014-04-11 09:49:09 MSK
On Sisyphus.
Comment 3 Gleb F-Malinovskiy 2014-04-11 19:25:19 MSK
(In reply to comment #1)
> Created an attachment (id=6082)
> diff between the original symbolserial.c and the fixed one
> 
> The bug was introduced by Johan Hovold in April 2013;
> as the author writes,
> "All patches have been compile-tested only."
> Judging by http://permalink.gmane.org/gmane.linux.usb.general/85260,
> the other modules need to be inspected as well :(

Well then, give this patch a commit message and send it to that very mailing list! ;)
Comment 4 Michael Shigorin 2014-04-13 16:57:13 MSK
It may also make sense to file it on bugzilla.kernel.org, but it must go to the mailing list anyway, as previous cases have shown.
Comment 5 Vadim Zelenin 2014-04-14 17:59:09 MSK
(In reply to comment #4)
> It may also make sense to file it on bugzilla.kernel.org, but it must go
> to the mailing list anyway, as previous cases have shown.

I have filed both the bug and the patch on bugzilla.kernel.org.

see https://bugzilla.kernel.org/show_bug.cgi?id=74041

Forgive me, but writing to the mailing list is beyond me.
Comment 6 Michael Shigorin 2014-08-30 22:19:48 MSK
(In reply to comment #5)
> see https://bugzilla.kernel.org/show_bug.cgi?id=74041
Oh, Greg has had a look there: https://bugzilla.kernel.org/show_bug.cgi?id=74041#c1

> Forgive me, but writing to the mailing list is beyond me.
Still, if it has not been fixed yet, it is better to write; I can't speak for linux-usb@ specifically, but linux-kernel@ does not require a subscription, and they replied to us with a CC.

All in all, reading the documentation and getting the patch into the required form might take half an hour; if it is needed after all but you find it difficult, let's try it together.