Oops in 4.6-rc2: NULL pointer dereference in cdc-acm

[Gabriele Mazzotta <gabriele.mzt@gmail.com>]

Hi,

I'm getting a kernel oops when I plug some smartphone via USB to my
laptop, which is currently running the v4.6-rc2.

The problem seems to be caused by a81cf9799ad7 ("cdc-acm: implement
put_char() and flush_chars()").

A simple NULL pointer check prevents the crash, but since I have no
use of cdc-acm and I didn't read the code, I don't know if some other
changes are required.

Here below you can find the change I did to prevent the crash and
the dmesg showing the problem.

Regards,
Gabriele


diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 83fd30b..aa0c244 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -754,8 +754,9 @@ static void acm_tty_flush_chars(struct tty_struct *tty)
 
        if (acm->susp_count)
                usb_anchor_urb(cur->urb, &acm->delayed);
-       else
+       else if (cur) {
                acm_start_wb(acm, cur);
+       }
 out:
        spin_unlock_irqrestore(&acm->write_lock, flags);
        return;


<6>[   46.942493] cdc_acm 2-1:1.0: ttyACM0: USB ACM device
<6>[   46.942716] usbcore: registered new interface driver cdc_acm
<6>[   46.942718] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
<6>[   46.946245] usb-storage 2-1:1.3: USB Mass Storage device detected
<1>[   46.946751] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
<1>[   46.946790] IP: [<ffffffffa0331138>] acm_start_wb+0x18/0xb0 [cdc_acm]
<4>[   46.946824] PGD 0
<4>[   46.946836] Oops: 0000 [#1] SMP
<4>[   46.946855] Modules linked in: usb_storage(+) cdc_acm rfcomm ccm bnep uvcvideo videobuf2_vmalloc videobuf2_memops btusb videobuf2_v4l2 btintel videobuf2_core videodev bluetooth hid_multitouch media usbhid vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) arc4 joydev binfmt_misc nls_utf8 nls_cp437 dell_wmi sparse_keymap x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm iTCO_wdt irqbypass iTCO_vendor_support hid_rmi crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel dell_laptop dell_smbios dcdbas dell_smm_hwmon snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic mac80211 aesni_intel aes_x86_64 glue_helper lrw ablk_helper cryptd psmouse cfg80211 serio_raw sg snd_hda_intel rfkill snd_hda_codec snd_hwdep snd_hda_core xhci_pci ehci_pci xhci_hcd snd_pcm ehci_hcd usbcore snd_timer snd lpc_ich usb_common soundcore mfd_core shpchp i2c_i801 thermal wmi battery i2c_hid hid acpi_als kfifo_buf industrialio sdhci_acpi sdhci mmc_core
i2c_designware_platform i2c_designware_core evdev intel_rst ac parport_pc ppdev lp parport [last unloaded: iwlwifi]
<4>[   46.947425] CPU: 2 PID: 84 Comm: kworker/u8:3 Tainted: G     U     O    4.6.0-rc2+ #1
<4>[   46.947461] Hardware name: Dell Inc. XPS13 9333/0HP75V, BIOS A07 03/27/2015
<4>[   46.947496] Workqueue: events_unbound flush_to_ldisc
<4>[   46.947521] task: ffff88021541c100 ti: ffff8800d04c8000 task.ti: ffff8800d04c8000
<4>[   46.947555] RIP: 0010:[<ffffffffa0331138>]  [<ffffffffa0331138>] acm_start_wb+0x18/0xb0 [cdc_acm]
<4>[   46.947598] RSP: 0018:ffff8800d04cbd10  EFLAGS: 00010006
<4>[   46.947623] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
<4>[   46.947655] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8800d056d000
<4>[   46.947688] RBP: ffff8800d056d000 R08: 0000000000000002 R09: 0000000000000000
<4>[   46.947720] R10: 0000000000000002 R11: ffff8800ac270040 R12: 0000000000000246
<4>[   46.947753] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000f832a8
<4>[   46.947786] FS:  0000000000000000(0000) GS:ffff88021f300000(0000) knlGS:0000000000000000
<4>[   46.947823] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[   46.947850] CR2: 0000000000000018 CR3: 00000000cfc99000 CR4: 00000000001406e0
<4>[   46.947882] Stack:
<4>[   46.947892]  0000000000000009 ffff8800d056d000 ffff8800d056d744 ffffffffa03318ee
<4>[   46.947932]  ffff8801dac26c00 ffffc90000f81000 ffffc90000f81000 0000000000000009
<4>[   46.947971]  0000000000000000 ffffffff814032c5 ffff8802123cb420 ffffc90000f81000
<4>[   46.948010] Call Trace:
<4>[   46.948024]  [<ffffffffa03318ee>] ? acm_tty_flush_chars+0x5e/0x90 [cdc_acm]
<4>[   46.948057]  [<ffffffff814032c5>] ? n_tty_receive_buf_common+0x665/0xb30
<4>[   46.948090]  [<ffffffff8109aed0>] ? pick_next_task_fair+0xf0/0x440
<4>[   46.948120]  [<ffffffff81405dae>] ? flush_to_ldisc+0xbe/0x130
<4>[   46.948148]  [<ffffffff8107b9a4>] ? process_one_work+0x164/0x480
<4>[   46.948176]  [<ffffffff8107bd0a>] ? worker_thread+0x4a/0x4f0
<4>[   46.948203]  [<ffffffff8107bcc0>] ? process_one_work+0x480/0x480
<4>[   46.948232]  [<ffffffff8108146d>] ? kthread+0xbd/0xe0
<4>[   46.948258]  [<ffffffff816e0282>] ? ret_from_fork+0x22/0x40
<4>[   46.948285]  [<ffffffff810813b0>] ? kthread_create_on_node+0x180/0x180
<4>[   46.948315] Code: 40 09 c8 09 d0 c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 fd 53 48 89 f3 48 83 ec 08 83 87 40 07 00 00 01 <48> 8b 46 18 48 8b 16 48 89 50 68 48 8b 46 18 48 8b 56 08 48 89
<1>[   46.948488] RIP  [<ffffffffa0331138>] acm_start_wb+0x18/0xb0 [cdc_acm]
<4>[   46.948517]  RSP <ffff8800d04cbd10>
<4>[   46.948532] CR2: 0000000000000018
<4>[   46.959254] ---[ end trace 006fe18e3212a836 ]---