Hi Marc

On 10/10/2011 10:18 PM, Marc Kleine-Budde wrote:
> Hello,
>
> without this hack the rmmod of a gadget driver will trigger this null pointer
> deref:
>
> Unable to handle kernel NULL pointer dereference at virtual address 00000000
> pgd = c7b88000
> [00000000] *pgd=47a31831, *pte=00000000, *ppte=00000000
> Internal error: Oops: 17 [#1]
> Modules linked in: g_ether(-)
> CPU: 0    Not tainted  (3.1.0-rc6+ #160)
> PC is at __list_del_entry+0x28/0xcc
> LR is at ci13xxx_stop+0x12c/0x1a8
> pc : [<c01da3a0>]    lr : [<c02292b0>]    psr: 80000093
> sp : c7b8fef8  ip : 00000002  fp : bec66e54
> r10: c781a18c  r9 : c7b8e000  r8 : a0000013
> r7 : 00000001  r6 : c781a000  r5 : c781a000  r4 : c0b4082c
> r3 : c781a18c  r2 : 00000000  r1 : 00000000  r0 : 00200200
> Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
> Control: 0005317f  Table: 47b88000  DAC: 00000015
> Process rmmod (pid: 116, stack limit = 0xc7b8e270)
> Stack: (0xc7b8fef8 to 0xc7b90000)
> fee0:                                                       c781a000 bf006ad0
> ff00: c781a018 c02292b0 c0229184 c79acc00 c05af488 c7b8e000 00000013 bec66bc0
> ff20: 00000000 c022867c bf006ad0 c02286f4 bf006e38 00000000 bf006eb0 c0065f2c
> ff40: c7b8e000 74655f67 00726568 c005b16c 00000013 c7aebc00 c7b8ff84 c7b8e000
> ff60: c00093b4 c7b90d60 00000001 60000010 00000002 40089000 bec66e54 0005b16c
> ff80: bf006eb0 00000880 c7b8ff8c 00000000 00015700 74655f67 00726568 00000081
> ffa0: c0009444 c00092a0 00015700 74655f67 bec66bc0 00000880 00000000 00000000
> ffc0: 00015700 74655f67 00726568 00000081 00000000 00000002 40089000 bec66e54
> ffe0: bec66bb8 bec66ba8 0001545c 401c4880 60000010 bec66bc0 00000000 00000000
> [<c01da3a0>] (__list_del_entry+0x28/0xcc) from [<c02292b0>] (ci13xxx_stop+0x12c/0x1a8)
> [<c02292b0>] (ci13xxx_stop+0x12c/0x1a8) from [<c022867c>] (usb_gadget_remove_driver+0x88/0x98)
> [<c022867c>] (usb_gadget_remove_driver+0x88/0x98) from [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88)
> [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88) from [<c0065f2c>] (sys_delete_module+0x1fc/0x26c)
> [<c0065f2c>] (sys_delete_module+0x1fc/0x26c) from [<c00092a0>] (ret_fast_syscall+0x0/0x38)
> Code: 0a00000c e59f0090 e1520000 0a00001b (e5920000)
>
> Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
> ---
>  drivers/usb/gadget/ci13xxx_udc.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/usb/gadget/ci13xxx_udc.c b/drivers/usb/gadget/ci13xxx_udc.c > index 8956a24..d07de8d 100644 > --- a/drivers/usb/gadget/ci13xxx_udc.c > +++ b/drivers/usb/gadget/ci13xxx_udc.c > @@ -2731,8 +2731,10 @@ static int ci13xxx_stop(struct usb_gadget_driver *driver) > for (i = 0; i < hw_ep_max; i++) { > struct ci13xxx_ep *mEp = &udc->ci13xxx_ep[i]; > > +#if 0 > if (!list_empty(&mEp->ep.ep_list)) > list_del_init(&mEp->ep.ep_list); > +#endif > > if (mEp->qh.ptr != NULL) > dma_pool_free(udc->qh_pool, mEp->qh.ptr, mEp->qh.dma);

I guess it is because of the control Out (ep0) ep_list access. It is
__never__ initialized in the code. If you see ci13xxx_start(), control
In/Out endpoints are not added to udc->gadget.ep_list.

You can drop this code entirely (instead of making it dead code). You can
just add "INIT_LIST_HEAD(&udc->gadget.ep_list);" to make sure that none of
our endpoints are associated with this gadget struct.

Thanks for submitting the patch

Pavan

--
Sent by a consultant of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum.
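Review bot: Wrapping the unlink in `#if 0` / `#endif` in the ci13xxx_stop() hunk leaves dead code behind and papers over the cause instead of fixing it; the commit message itself calls it a hack. The oops is a NULL read at address 00000000 inside __list_del_entry() called from ci13xxx_stop(), which is what an ep_list head that was only zero-filled and never passed through INIT_LIST_HEAD() produces: list_empty() compares next against the head itself, so a {NULL, NULL} head is not "empty" and the `if (!list_empty(...))` guard does not protect the following `list_del_init(&mEp->ep.ep_list)`. Either delete the two lines outright, or keep the unlink and guarantee that every mEp->ep.ep_list is a valid list head before stop can run (an INIT_LIST_HEAD(&mEp->ep.ep_list) for the control endpoints where the others are added to udc->gadget.ep_list), so that list_empty() is true for endpoints that were never linked.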
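The failure mode discussed in this thread, shown as an added example that is not code from the ci13xxx driver or from either participant: a user-space model of the kernel's list_head primitives (INIT_LIST_HEAD, list_empty, list_add_tail, list_del_init) applied to a hypothetical udc/endpoint layout where endpoint 0 is the control endpoint and, as in the reply above, is never linked into the gadget list. The struct names, EP_MAX and the helper functions are assumptions for illustration. It demonstrates that a zero-filled head is not "empty" to list_empty(), so the guarded unlink still dereferences NULL; that initialising the control endpoint's head makes the original stop loop safe; and that the reply's alternative of re-initialising the gadget list avoids touching per-endpoint heads but leaves the uninitialised head in place.

```c
#include <stddef.h>
#include <string.h>

/* Minimal user-space model of <linux/list.h> (hypothetical stand-in). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->next = head; n->prev = head->prev;
	head->prev->next = n; head->prev = n;
}
/* Equivalent of __list_del_entry() followed by re-init: prev and next are
 * dereferenced unconditionally, which is the NULL access in the oops. */
static void list_del_init(struct list_head *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
	INIT_LIST_HEAD(e);
}

/* Hypothetical stand-in for the udc/endpoint layout: ep 0 is control. */
#define EP_MAX 4
struct ep  { struct list_head ep_list; };
struct udc { struct list_head gadget_ep_list; struct ep ep[EP_MAX]; };

/* Mirrors the reported setup: everything zeroed (kzalloc), only the
 * non-control endpoints are linked into gadget.ep_list.  With
 * init_ctrl_head == 0 the control endpoint's head stays {NULL, NULL}. */
static void udc_start_like(struct udc *u, int init_ctrl_head)
{
	memset(u, 0, sizeof *u);
	INIT_LIST_HEAD(&u->gadget_ep_list);
	for (int i = 0; i < EP_MAX; i++) {
		if (i == 0) {
			if (init_ctrl_head)
				INIT_LIST_HEAD(&u->ep[i].ep_list);
			continue;
		}
		list_add_tail(&u->ep[i].ep_list, &u->gadget_ep_list);
	}
}

/* 1 if the stop loop's guard would let list_del_init() follow a NULL link. */
static int would_oops(const struct list_head *h)
{
	return !list_empty(h) && (h->prev == NULL || h->next == NULL);
}

/* Number of endpoints for which the original guarded unlink would oops. */
static int stop_oops_count(const struct udc *u)
{
	int n = 0;
	for (int i = 0; i < EP_MAX; i++)
		n += would_oops(&u->ep[i].ep_list);
	return n;
}

/* The original stop loop, run only once every head is a valid list.
 * Returns 1 when every ep is detached and the gadget list ends up empty,
 * -1 if it would have crashed (the crash itself is not modelled). */
static int stop_unlink_all(struct udc *u)
{
	for (int i = 0; i < EP_MAX; i++) {
		if (would_oops(&u->ep[i].ep_list))
			return -1;
		if (!list_empty(&u->ep[i].ep_list))
			list_del_init(&u->ep[i].ep_list);
	}
	for (int i = 0; i < EP_MAX; i++)
		if (!list_empty(&u->ep[i].ep_list))
			return 0;
	return list_empty(&u->gadget_ep_list);
}

/* Scenario A: control head never initialised; exactly one ep would oops. */
static int scenario_uninitialised_ctrl_head(void)
{
	struct udc u;
	udc_start_like(&u, 0);
	return stop_oops_count(&u);
}

/* Scenario B: every head initialised; the original loop completes. */
static int scenario_initialised_heads(void)
{
	struct udc u;
	udc_start_like(&u, 1);
	return stop_oops_count(&u) == 0 && stop_unlink_all(&u) == 1;
}

/* Scenario C: the reply's alternative, re-initialise gadget.ep_list instead
 * of unlinking each endpoint.  No per-ep head is dereferenced, but the
 * zero-filled control head is still a latent hazard for any later unlink. */
static int scenario_reinit_gadget_list(void)
{
	struct udc u;
	udc_start_like(&u, 0);
	INIT_LIST_HEAD(&u.gadget_ep_list);
	return list_empty(&u.gadget_ep_list) && stop_oops_count(&u) == 1;
}
```

The point to take from scenario A is that `!list_empty()` is a test for "linked into some list", not for "safe to unlink": a kzalloc'ed list_head fails it, so any teardown that unlinks conditionally must guarantee INIT_LIST_HEAD() ran on every head it may visit.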