From: Nicolai Stange <nicstange@gmail.com>
To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: alsa-devel@alsa-project.org, Takashi Iwai <tiwai@suse.de>,
	Shuah Khan <shuahkh@osg.samsung.com>,
	linux-kernel@vger.kernel.org,
	Nicolai Stange <nicstange@gmail.com>
Subject: Re: [PATCH] [media] sound/usb: fix NULL dereference in usb_audio_probe()
Date: Tue, 15 Mar 2016 16:00:04 +0100
Message-ID: <87vb4nokgb.fsf@gmail.com>
In-Reply-To: <20160315115339.2a50466a@recife.lan> (Mauro Carvalho Chehab's message of "Tue, 15 Mar 2016 11:53:39 -0300")

Mauro Carvalho Chehab <mchehab@osg.samsung.com> writes:

> On Tue, 15 Mar 2016 13:41:28 +0100
> Takashi Iwai <tiwai@suse.de> wrote:
>
>> On Tue, 15 Mar 2016 13:35:06 +0100,
>> Nicolai Stange wrote:
>> > 
>> > With commit
>> > 
>> >   aebb2b89bff0 ("[media] sound/usb: Use Media Controller API to share
>> >                  media resources")
>> > 
>> > an access to quirk->media_device without checking for quirk != NULL has
>> > been introduced in usb_audio_probe().
>> > 
>> > With a Plantronics USB headset (device ID 0x047f:0xc010) attached,
>> > this results in the following splat at boot time:
>> > 
>> >   BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
>> >   IP: [<ffffffffa089aa6c>] usb_audio_probe+0x2cc/0x9a0 [snd_usb_audio]
>> >   Oops: 0000 [#1] SMP
>> >   [...]
>> >   CPU: 2 PID: 696 Comm: systemd-udevd Not tainted 4.5.0-next-20160315 #13
>> >   Hardware name: Dell Inc. Latitude E6540/0725FP, BIOS A10 06/26/2014
>> >   task: ffff88021c88d7c0 ti: ffff88003d5b0000 task.ti: ffff88003d5b0000
>> >   RIP: 0010:[<ffffffffa089aa6c>]  [<ffffffffa089aa6c>]
>> >                                 usb_audio_probe+0x2cc/0x9a0 [snd_usb_audio]
>> >   [...]
>> >   Call Trace:
>> >    [<ffffffff815a8e16>] usb_probe_interface+0x136/0x2d0
>> >    [<ffffffff81509edc>] driver_probe_device+0x22c/0x440
>> >    [<ffffffff8150a1c1>] __driver_attach+0xd1/0xf0
>> >    [<ffffffff8150a0f0>] ? driver_probe_device+0x440/0x440
>> >    [<ffffffff815077ec>] bus_for_each_dev+0x6c/0xc0
>> >    [<ffffffff815095ce>] driver_attach+0x1e/0x20
>> >    [<ffffffff81509013>] bus_add_driver+0x1c3/0x280
>> >    [<ffffffff8150ab10>] driver_register+0x60/0xe0
>> >    [<ffffffff815a7711>] usb_register_driver+0x81/0x140
>> >    [<ffffffffa08c7000>] ? 0xffffffffa08c7000
>> >    [<ffffffffa08c701e>] usb_audio_driver_init+0x1e/0x1000 [snd_usb_audio]
>> >    [<ffffffff81002123>] do_one_initcall+0xb3/0x1f0
>> >    [<ffffffff811fb091>] ? __vunmap+0x81/0xd0
>> >    [<ffffffff8121b8d2>] ? kmem_cache_alloc_trace+0x182/0x1d0
>> >    [<ffffffff811b0267>] ? do_init_module+0x27/0x1d8
>> >    [<ffffffff811b029f>] do_init_module+0x5f/0x1d8
>> >    [<ffffffff8112ce35>] load_module+0x1fe5/0x27a0
>> >    [<ffffffff81129870>] ? __symbol_put+0x60/0x60
>> >    [<ffffffff81241690>] ? vfs_read+0x110/0x130
>> >    [<ffffffff8112d866>] SYSC_finit_module+0xe6/0x120
>> >    [<ffffffff8112d8be>] SyS_finit_module+0xe/0x10
>> >    [<ffffffff81003d94>] do_syscall_64+0x64/0x110
>> >    [<ffffffff817c0b61>] entry_SYSCALL64_slow_path+0x25/0x25
>> > 
>> > After encountering this, the systemd-udevd process seems to be blocked
>> > until it is killed when hitting its timeout of 3min.
>> > 
>> > In analogy to the other accesses to members of quirk in usb_audio_probe(),
>> > check for quirk != NULL before accessing its ->media_device.
>> > 
>> > Fixes: aebb2b89bff0 ("[media] sound/usb: Use Media Controller API to share
>> >                       media resources")
>> > Signed-off-by: Nicolai Stange <nicstange@gmail.com>  
>> 
>> Reviewed-by: Takashi Iwai <tiwai@suse.de>
>> 
>> Mauro, please merge through your tree.  I haven't merged MC changes
>> into my tree yet.
>
> OK, I'll send this fix together with some other patches in a couple
> of days (it needs to go first to linux-next ;) ).
>

Thank you all!

Nicolai

>> 
>> 
>> > ---
>> >  Applicable to linux-next-20160315.
>> > 
>> >  sound/usb/card.c | 2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> > 
>> > diff --git a/sound/usb/card.c b/sound/usb/card.c
>> > index 63244bb..479621e 100644
>> > --- a/sound/usb/card.c
>> > +++ b/sound/usb/card.c
>> > @@ -612,7 +612,7 @@ static int usb_audio_probe(struct usb_interface *intf,
>> >  	if (err < 0)
>> >  		goto __error;
>> >  
>> > -	if (quirk->media_device) {
>> > +	if (quirk && quirk->media_device) {
>> >  		/* don't want to fail when media_snd_device_create() fails */
>> >  		media_snd_device_create(chip, intf);
>> >  	}
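Review bot: The added `quirk &&` test on the `+` line guards only this one dereference, while the changelog says the unguarded access came in with aebb2b89bff0; please confirm that commit added no other `quirk->` access in sound/usb that can run with quirk == NULL, and say so in the changelog. The guard itself is sufficient here because `&&` short-circuits before `quirk->media_device` is read. Since the context comment says a media_snd_device_create() failure is deliberately ignored, a log message on that failure would keep it from being entirely silent.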
>> > -- 
>> > 2.7.2
>> > 
>> >   
