While playing with my custom made i2c-tiny-usb adapter I triggered this
kernel OOPS in usb_submit_urb in the drivers/usb/core/urb.c file.
From looking at the file, before line 329 it needs to check if
&ep->desc is NULL, before it sends it to the usb_endpoint_type (inline)
function.
As seen in the oops, I suppose that it tried to send some usb packets
even after the device got disconnected, which is another problem, but it
still shouldn't oops the kernel.
The attached patch seems to fix the usb_submit_urb/usbcore part of the
problem just fine.
I'm just not sure if -EINVAL is the correct error number to return.
--
дамјан
[14408.224132] usb 2-1: USB disconnect, device number 13
[14408.224141] usb 2-1.4: USB disconnect, device number 15
[14412.152093] usb 2-1: new full-speed USB device number 16 using uhci_hcd
[14412.327151] hub 2-1:1.0: USB hub found
[14412.328106] hub 2-1:1.0: 4 ports detected
[14412.609106] usb 2-1.4: new low-speed USB device number 17 using uhci_hcd
[14412.748192] i2c-tiny-usb 2-1.4:1.0: version 2.05 found at bus 002 address 017
[14412.751268] i2c i2c-7: connected i2c-tiny-usb device
[14428.039942] i2c i2c-7: failure writing data
[14428.043914] i2c i2c-7: failure writing data
[14428.047911] i2c i2c-7: failure writing data
[14428.051911] i2c i2c-7: failure writing data
[14428.055911] i2c i2c-7: failure writing data
[14428.059916] i2c i2c-7: failure writing data
[14428.063909] i2c i2c-7: failure writing data
[14428.067920] i2c i2c-7: failure writing data
[14428.071911] i2c i2c-7: failure writing data
[14428.075910] i2c i2c-7: failure writing data
[14428.079916] i2c i2c-7: failure writing data
[14428.083907] i2c i2c-7: failure writing data
[14428.087925] i2c i2c-7: failure writing data
[14428.087929] usb 2-1.4: USB disconnect, device number 17
[14428.087980] i2c i2c-7: failure writing data
[14428.087992] i2c i2c-7: failure writing data
[14428.088019] i2c i2c-7: failure writing data
[14428.088031] i2c i2c-7: failure writing data
[14428.088041] i2c i2c-7: failure writing data
[14428.088051] i2c i2c-7: failure writing data
[14428.088060] i2c i2c-7: failure writing data
[14428.088070] i2c i2c-7: failure writing data
[14428.088079] i2c i2c-7: failure writing data
[14428.088089] i2c i2c-7: failure writing data
[14428.088098] i2c i2c-7: failure writing data
[14428.088108] i2c i2c-7: failure writing data
[14428.088117] i2c i2c-7: failure writing data
[14428.088127] i2c i2c-7: failure writing data
[14428.088136] i2c i2c-7: failure writing data
[14428.088146] i2c i2c-7: failure writing data
[14428.088162] i2c J\xffffffe9\xfffffff17: failure writing data
[14428.088172] (null): failure writing data
[14428.088180] (null): failure writing data
[14428.088189] (null): failure writing data
[14428.088197] (null): failure writing data
[14428.088205] (null): failure writing data
[14428.088213] (null): failure writing data
[14428.088221] (null): failure writing data
[14428.088230] (null): failure writing data
[14428.088238] (null): failure writing data
[14428.088246] (null): failure writing data
[14428.088254] (null): failure writing data
[14428.088262] (null): failure writing data
[14428.088270] (null): failure writing data
[14428.088278] (null): failure writing data
[14428.088286] (null): failure writing data
[14428.088326] BUG: unable to handle kernel NULL pointer dereference at 00000004
[14428.088456] IP: [<f8136f45>] usb_submit_urb+0x75/0x310 [usbcore]
[14428.088571] *pde = 00000000
[14428.088622] Oops: 0000 [#1] SMP
[14428.088681] Modules linked in: i2c_dev i2c_tiny_usb binfmt_misc cdc_acm fuse aes_i586 aes_generic af_packet rfcomm bnep bridge stp llc btusb bluetooth snd_hda_codec_analog arc4 nsc_ircc iwl3945 iwlegacy thinkpad_acpi nvram mac80211 cfg80211 rfkill firewire_ohci firewire_core pcmcia e1000e snd_hda_intel sdhci_pci snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_timer snd yenta_socket pcmcia_rsrc pcmcia_core soundcore pcspkr joydev sdhci mmc_core crc_itu_t microcode firmware_class battery psmouse serio_raw i2c_i801 ac thermal irda crc_ccitt coretemp acpi_cpufreq mperf processor kvm_intel kvm tp_smapi hdaps thinkpad_ec nfs nfs_acl auth_rpcgss lockd sunrpc ipv6 autofs4 uhci_hcd ehci_hcd usb_storage usbcore usb_common
[14428.089943]
[14428.089971] Pid: 14017, comm: i2cdetect Not tainted 3.5.0-dg+ #10 LENOVO 17045UG/17045UG
[14428.090106] EIP: 0060:[<f8136f45>] EFLAGS: 00010202 CPU: 0
[14428.090200] EIP is at usb_submit_urb+0x75/0x310 [usbcore]
[14428.090283] EAX: f5624b80 EBX: f510ae24 ECX: 00000001 EDX: f510ade4
[14428.090379] ESI: f510ac00 EDI: 00000000 EBP: 000007d0 ESP: c3bb5d34
[14428.090474] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[14428.090557] CR0: 8005003b CR2: 00000004 CR3: 31e52000 CR4: 000007d0
[14428.090652] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[14428.090747] DR6: ffff0ff0 DR7: 00000400
[14428.090807] Process i2cdetect (pid: 14017, ti=c3bb4000 task=cfcf84e0 task.ti=c3bb4000)
[14428.090926] Stack:
[14428.090959] 45434956 32692b3d 00000010 f5624b80 00000001 c3bb5d8c 000007d0 f813816c
[14428.091111] 00000000 f8130000 c3bb5d5c c3bb5d5c f5624b80 f1e94418 00000001 00000001
[14428.091262] 00000030 f81383e7 f8130007 c1bb5d80 f510ac00 90b40080 f1e94418 00000007
[14428.091413] Call Trace:
[14428.091471] [<f813816c>] ? usb_start_wait_urb+0x4c/0xc0 [usbcore]
[14428.091576] [<f8130000>] ? hub_activate+0x380/0x450 [usbcore]
[14428.091678] [<f81383e7>] ? usb_control_msg+0xb7/0x110 [usbcore]
[14428.091779] [<f8130007>] ? hub_activate+0x387/0x450 [usbcore]
[14428.091872] [<f86b6050>] ? usb_read.isra.6+0x50/0x60 [i2c_tiny_usb]
[14428.091971] [<f86b62ba>] ? usb_xfer+0x4a/0x1a0 [i2c_tiny_usb]
[14428.092010] [<c04260bc>] ? i2c_transfer+0xac/0xf0
[14428.092010] [<c0426388>] ? i2c_smbus_xfer+0x1e8/0x530
[14428.092010] [<c015c07d>] ? enqueue_entity+0xcd/0x390
[14428.092010] [<c015458a>] ? check_preempt_curr+0x6a/0x80
[14428.092010] [<c0156c1d>] ? try_to_wake_up+0x17d/0x240
[14428.092010] [<c0151a24>] ? __wake_up_common+0x44/0x70
[14428.092010] [<c02e6183>] ? _copy_from_user+0x33/0xc0
[14428.092010] [<f86be375>] ? i2cdev_ioctl_smbus+0xd5/0x210 [i2c_dev]
[14428.092010] [<c0149b67>] ? remove_wait_queue+0x17/0x50
[14428.092010] [<f86bea21>] ? i2cdev_ioctl+0x51/0x1d4 [i2c_dev]
[14428.092010] [<f86be9d0>] ? i2cdev_ioctl_rdrw.isra.10+0x200/0x200 [i2c_dev]
[14428.092010] [<c020e112>] ? do_vfs_ioctl+0x82/0x5b0
[14428.092010] [<c0350b9b>] ? put_ldisc+0x4b/0xa0
[14428.092010] [<c01feb32>] ? vfs_write+0x122/0x170
[14428.092010] [<c020e66e>] ? sys_ioctl+0x2e/0x60
[14428.092010] [<c04e9458>] ? sysenter_do_call+0x12/0x28
[14428.092010] Code: 02 00 00 f6 c1 80 0f 44 d3 c1 e9 0f 83 e1 0f 8b 0c 8a 85 c9 0f 84 92 02 00 00 89 48 2c c7 40 38 8d ff ff ff c7 40 58 00 00 00 00 <0f> b6 51 03 80 e2 03 88 54 24 03 0f b6 d2 85 d2 89 54 24 04 74
[14428.092010] EIP: [<f8136f45>] usb_submit_urb+0x75/0x310 [usbcore] SS:ESP 0068:c3bb5d34
[14428.092010] CR2: 0000000000000004
[14428.135104] ---[ end trace 9baf8f9c81bed80d ]---
From adf870d98e60e4756cd49ed1f11c9c44b7f80477 Mon Sep 17 00:00:00 2001
From: Damjan Georgievski <gdamjan@xxxxxxxxx>
Date: Thu, 26 Jul 2012 23:23:40 +0200
Subject: [PATCH] Fix for NULL pointer dereference in usb_submit_urb
A check if &ep->desc is NULL, before it's sent to
the usb_endpoint_type (inline) function.
---
drivers/usb/core/urb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
index 9d912bf..5102ee6 100644
--- a/drivers/usb/core/urb.c
+++ b/drivers/usb/core/urb.c
@@ -326,6 +326,8 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
/* Lots of sanity checks, so HCDs can rely on clean data
* and don't need to duplicate tests
*/
+ if (!&ep->desc)
+ return -EINVAL;
xfertype = usb_endpoint_type(&ep->desc);
if (xfertype == USB_ENDPOINT_XFER_CONTROL) {
struct usb_ctrlrequest *setup =
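Review bot: the guard on the two `+` lines, `if (!&ep->desc)`, can never be true: `&ep->desc` is the address of a struct member, which is a pointer computation rather than a load, so it is non-NULL whatever `ep` holds (GCC reports such a test as always evaluating to false). The only pointer that could be NULL on the following line is `ep` itself, so a guard would have to read `if (!ep)`; check whether usb_submit_urb already rejects a NULL `ep` earlier in the function before adding one. The oops itself does not point at this line as the root cause either: the log shows the i2c adapter name printed as garbage and then as `(null)` after the `USB disconnect` line, i.e. the i2c-tiny-usb driver keeps submitting transfers through a device that has already been torn down, which is where a fix is needed. On the error code: -EINVAL signals a malformed request; a transfer refused because the device is no longer present is conventionally -ENODEV.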
--
1.7.11.3
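The "another problem" the report mentions, a driver still sending after the device was disconnected, is usually addressed in the driver's own transfer path rather than in usbcore. The following user-space model is an added example, not code from i2c-tiny-usb, usbcore or this patch: it follows the shape of the kernel's usb-skeleton driver (the interface pointer is cleared in disconnect() and tested before every transfer), and every struct and function name in it is a stand-in, with the sample interface name taken from the log above.

```c
#include <errno.h>
#include <stdio.h>

/* Added user-space model of the device-lifetime guard a USB function driver
 * needs around its transfer path. Modelled on the usb-skeleton pattern; not
 * code from i2c-tiny-usb or usbcore. All names below are stand-ins. */

/* Stand-in for struct usb_interface: the object that goes away on unplug. */
struct intf_model {
    const char *name;
};

/* Stand-in for the driver's private per-device structure. */
struct tiny_dev {
    struct intf_model *interface;   /* NULL once tiny_disconnect() has run */
};

/* Stand-in for the core submit path. It dereferences whatever it is given,
 * which is exactly what the faulting load in usb_submit_urb did. */
static int core_submit(struct intf_model *intf, const char *op)
{
    (void)op;
    return intf->name != NULL ? 0 : -EIO;
}

/* Transfer path: test the pointer you are about to follow, then submit.
 * In the kernel this test and the submit run under a mutex that
 * disconnect() also takes, so the interface cannot vanish in between. */
int tiny_xfer(struct tiny_dev *dev, const char *op)
{
    if (dev->interface == NULL)
        return -ENODEV;             /* device gone: refuse, do not submit */
    return core_submit(dev->interface, op);
}

/* disconnect(): unbind before the memory behind the interface is freed,
 * so later transfers see NULL instead of a dangling pointer. */
void tiny_disconnect(struct tiny_dev *dev)
{
    dev->interface = NULL;
}

/* The sequence from the log above: a transfer, an unplug, another transfer.
 * Returns the result of the post-disconnect transfer (-ENODEV expected). */
int run_scenario(void)
{
    struct intf_model intf = { "2-1.4:1.0" };   /* constructed, name from the log */
    struct tiny_dev dev = { &intf };

    if (tiny_xfer(&dev, "write") != 0)
        return -1;                              /* bound device must work */
    tiny_disconnect(&dev);
    return tiny_xfer(&dev, "write");            /* -ENODEV, no dereference */
}

int main(void)
{
    int rc = run_scenario();
    printf("transfer after disconnect returned %d (%s)\n",
           rc, rc == -ENODEV ? "ENODEV, nothing dereferenced" : "unexpected");
    return rc == -ENODEV ? 0 : 1;
}
```

The pattern that matters is the order of operations: the pointer is tested before any member is computed from it, and the same lock that protects the test also serialises disconnect(), so the check cannot be stale by the time the request is built.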