[BUG] USB: ci13xxx_udc: nullpointer deref during rmmod of gadget driver

Hello,

Without this hack, the rmmod of a gadget driver will trigger this null pointer
deref:

Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = c7b88000
[00000000] *pgd=47a31831, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1]
Modules linked in: g_ether(-)
CPU: 0    Not tainted  (3.1.0-rc6+ #160)
PC is at __list_del_entry+0x28/0xcc
LR is at ci13xxx_stop+0x12c/0x1a8
pc : [<c01da3a0>]    lr : [<c02292b0>]    psr: 80000093
sp : c7b8fef8  ip : 00000002  fp : bec66e54
r10: c781a18c  r9 : c7b8e000  r8 : a0000013
r7 : 00000001  r6 : c781a000  r5 : c781a000  r4 : c0b4082c
r3 : c781a18c  r2 : 00000000  r1 : 00000000  r0 : 00200200
Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 0005317f  Table: 47b88000  DAC: 00000015
Process rmmod (pid: 116, stack limit = 0xc7b8e270)
Stack: (0xc7b8fef8 to 0xc7b90000)
fee0:                                                       c781a000 bf006ad0
ff00: c781a018 c02292b0 c0229184 c79acc00 c05af488 c7b8e000 00000013 bec66bc0
ff20: 00000000 c022867c bf006ad0 c02286f4 bf006e38 00000000 bf006eb0 c0065f2c
ff40: c7b8e000 74655f67 00726568 c005b16c 00000013 c7aebc00 c7b8ff84 c7b8e000
ff60: c00093b4 c7b90d60 00000001 60000010 00000002 40089000 bec66e54 0005b16c
ff80: bf006eb0 00000880 c7b8ff8c 00000000 00015700 74655f67 00726568 00000081
ffa0: c0009444 c00092a0 00015700 74655f67 bec66bc0 00000880 00000000 00000000
ffc0: 00015700 74655f67 00726568 00000081 00000000 00000002 40089000 bec66e54
ffe0: bec66bb8 bec66ba8 0001545c 401c4880 60000010 bec66bc0 00000000 00000000
[<c01da3a0>] (__list_del_entry+0x28/0xcc) from [<c02292b0>] (ci13xxx_stop+0x12c/0x1a8)
[<c02292b0>] (ci13xxx_stop+0x12c/0x1a8) from [<c022867c>] (usb_gadget_remove_driver+0x88/0x98)
[<c022867c>] (usb_gadget_remove_driver+0x88/0x98) from [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88)
[<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88) from [<c0065f2c>] (sys_delete_module+0x1fc/0x26c)
[<c0065f2c>] (sys_delete_module+0x1fc/0x26c) from [<c00092a0>] (ret_fast_syscall+0x0/0x38)
Code: 0a00000c e59f0090 e1520000 0a00001b (e5920000)

Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
---
 drivers/usb/gadget/ci13xxx_udc.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/usb/gadget/ci13xxx_udc.c b/drivers/usb/gadget/ci13xxx_udc.c
index 8956a24..d07de8d 100644
--- a/drivers/usb/gadget/ci13xxx_udc.c
+++ b/drivers/usb/gadget/ci13xxx_udc.c
@@ -2731,8 +2731,10 @@ static int ci13xxx_stop(struct usb_gadget_driver *driver)
 	for (i = 0; i < hw_ep_max; i++) {
 		struct ci13xxx_ep *mEp = &udc->ci13xxx_ep[i];
 
+#if 0
 		if (!list_empty(&mEp->ep.ep_list))
 			list_del_init(&mEp->ep.ep_list);
+#endif
 
 		if (mEp->qh.ptr != NULL)
 			dma_pool_free(udc->qh_pool, mEp->qh.ptr, mEp->qh.dma);
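Review bot: The `#if 0` around `list_del_init(&mEp->ep.ep_list)` in ci13xxx_stop() hides the crash instead of fixing its cause, and it leaves dead code in the driver with no comment saying why the removal is skipped. The oops faults at address 00000000 inside __list_del_entry with r1 and r2 both zero, which is consistent with an ep_list whose next/prev pointers are NULL rather than a self-pointing empty list. In that state `list_empty()` returns false and the delete dereferences NULL. It would be better to find where the entry is left zeroed or uninitialised (a missing INIT_LIST_HEAD, or the list head being reinitialised or cleared before this loop runs) and fix that, so the endpoints are still taken off the list on stop. If the removal really is unnecessary here, delete the two lines outright and explain why in the commit message. As posted, with the block compiled out, any endpoint still linked on the list stays linked after the driver is unbound.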
-- 
1.7.6.3
