From: Vegard Nossum <vegard.nossum@oracle.com>
To: Ruslan Bilovol <ruslan.bilovol@gmail.com>,
Maxime Ripard <maxime.ripard@free-electrons.com>,
Marek Szyprowski <m.szyprowski@samsung.com>,
Peter Chen <peter.chen@freescale.com>,
Felipe Balbi <balbi@ti.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-usb@vger.kernel.org
Subject: gadgetfs regression (NULL ptr deref) since v4.4-rc7
Date: Mon, 8 Feb 2016 00:27:05 +0100
Message-ID: <56B7D2C9.5070301@oracle.com>

Hi,

Using gadgetfs on latest mainline, I get the following NULL pointer
dereference:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81138e89>] __list_del_entry+0x29/0xc0
PGD 34f067 PUD 355067 PMD 0
Oops: 0000 [#1] DEBUG_PAGEALLOC
CPU: 0 PID: 35 Comm: afl-fuzz Not tainted 4.5.0-rc2 #1
task: ffff8800002b1ec0 ti: ffff88000033c000 task.ti: ffff88000033c000
RIP: 0010:[<ffffffff81138e89>] [<ffffffff81138e89>] __list_del_entry+0x29/0xc0
RSP: 0018:ffff88000033fe30 EFLAGS: 00010207
RAX: 0000000000000000 RBX: ffffffff8138c108 RCX: dead000000000200
RDX: 0000000000000000 RSI: 0000000000000061 RDI: ffffffff8138c108
RBP: ffff88000033fe30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffff8138b928
R13: ffffffff8138c040 R14: ffff88000ec0da20 R15: ffff88000033ff58
FS: 00007ffff7ff2740(0000) GS:ffffffff8135d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000000335000 CR4: 00000000001406b0
Stack:
ffff88000033fe48 ffffffff81138f2d ffffffff8138bbd0 ffff88000033fe70
ffffffff811c880b ffff8800002f3000 ffff88000ec109a0 ffff880000298aa0
ffff88000033fe88 ffffffff811ce040 ffff88000034cdc0 ffff88000033feb8
Call Trace:
[<ffffffff81138f2d>] list_del+0xd/0x30
[<ffffffff811c880b>] usb_gadget_unregister_driver+0xdb/0xf0
[<ffffffff811ce040>] dev_release+0x20/0x60
[<ffffffff810b464c>] __fput+0x4c/0x130
[<ffffffff810b4769>] ____fput+0x9/0x10
[<ffffffff81048577>] task_work_run+0x67/0xa0
[<ffffffff81000dcf>] exit_to_usermode_loop+0x8f/0xa0
[<ffffffff8100105d>] syscall_return_slowpath+0x3d/0x40
[<ffffffff81278b89>] int_ret_from_sys_call+0x25/0x8f
Code: ff ff 55 48 8b 07 48 b9 00 01 00 00 00 00 ad de 48 8b 57 08 48 89
e5 48 39 c8 74 29 48 b9 00 02 00 00 00 00 ad de 48 39 ca 74 3a <4c> 8b
02 4c 39 c7 75 52 4c 8b 40 08 4c 39 c7 75 66 48 89 50 08
RIP [<ffffffff81138e89>] __list_del_entry+0x29/0xc0
RSP <ffff88000033fe30>
CR2: 0000000000000000
---[ end trace e6cfe1de661dcffe ]---

Reverting this commit fixes the problem for me:

commit 855ed04a3758b205e84b269f92d26ab36ed8e2f7
Author: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Date: Mon Nov 23 09:56:38 2015 +0100

    usb: gadget: udc-core: independent registration of gadgets and
    gadget drivers

Though I am still seeing some occasional lockups.

Thanks,

Vegard

Thread overview: 15+ messages
2016-02-07 23:27 Vegard Nossum [this message]
2016-02-08 9:46 ` gadgetfs regression (NULL ptr deref) since v4.4-rc7 Ruslan Bilovol
2016-02-08 10:19 ` Marek Szyprowski
2016-02-08 11:07 ` Vegard Nossum
2016-02-08 11:12 ` [PATCH] usb: gadget: provide interface for legacy gadgets to get UDC name Marek Szyprowski
2016-02-08 11:31 ` Vegard Nossum
2016-02-08 12:26 ` [PATCH v2] " Marek Szyprowski
2016-02-08 12:29 ` [PATCH] " Marek Szyprowski
2016-02-18 10:34 ` [PATCH v3] " Marek Szyprowski
2016-02-08 12:15 ` [PATCH] usb: gadget: gadgetfs: unregister gadget only if it got successfully registered Marek Szyprowski
2016-02-08 12:33 ` Vegard Nossum
2016-02-17 14:48 ` Felipe Balbi
2016-02-18 7:58 ` [PATCH v2 RESEND] usb: gadget: provide interface for legacy gadgets to get UDC name Marek Szyprowski
2016-02-18 8:11 ` Felipe Balbi
2016-02-18 7:59 ` [PATCH RESEND] usb: gadget: gadgetfs: unregister gadget only if it got successfully registered Marek Szyprowski