From: bugzilla-daemon@kernel.org
To: linux-usb@vger.kernel.org
Subject: [Bug 220052] New: The usb/cdc-acm driver uses memory after it is freed
Date: Thu, 24 Apr 2025 14:31:20 +0000
Message-ID: <bug-220052-208809@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=220052

            Bug ID: 220052
           Summary: The usb/cdc-acm driver uses memory after it is freed
           Product: Drivers
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: USB
          Assignee: drivers_usb@kernel-bugs.kernel.org
          Reporter: ben.maan@aimvalley.com
        Regression: No

Created attachment 308013
  --> https://bugzilla.kernel.org/attachment.cgi?id=308013&action=edit
A patch file that solves the kernel panic.

In the cdc-acm driver, memory is used after it is freed. The code is in
drivers/usb/class/cdc-acm.c, in the acm_softint function. The problem manifests
when a USB connection is disconnected by unplugging a cable and can result in a
kernel panic. The panic is not always seen but only when the freed memory is
claimed and used by another process, somewhere between the for loop and the
acm_submit_read_urbs.

A solution is attached in the form of a patch where 2 lines of code are
exchanged with 2 other lines. The patch is based on kernel version
linux-6.15-rc3.

The kernel panic is shown below.

cdc_acm 1-1.3:1.2: urb 0 failed submission with -2
Unable to handle kernel NULL pointer dereference at virtual address 00000030
Mem abort info:
  Exception class = DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgd = ffff8000bbab6000
[0000000000000030] *pgd=0000000000000000
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in: 8021q garp stp mrp ax88179_178a usbnet crc32_ce crct10dif_ce
galcore(O)
CPU: 0 PID: 1740 Comm: kworker/0:3 Tainted: G           O   
4.14.98-imx_4.14.98_2.0.0_ga+g5d6cbeafb80c #1
Hardware name: Freescale i.MX8MQ EVK (DT)
Workqueue: events acm_softint
task: ffff8000baa12880 task.stack: ffff00000d448000
PC is at usb_autopm_put_interface+0x14/0x48
LR is at acm_softint+0xb8/0xd8
pc : [<ffff0000088e3abc>] lr : [<ffff0000089480b8>] pstate: 40000145
sp : ffff00000d44bda0
x29: ffff00000d44bda0 x28: 0000000000000000 
x27: 0000000000000000 x26: ffff000009222ec0 
x25: ffff0000080e7760 x24: ffff8000b6386788 
x23: 0000000000000000 x22: ffff8000bff60580 
x21: ffff8000b6385f88 x20: ffff8000b6386000 
x19: ffff8000b6386788 x18: 0000000000000001 
x17: 0000ffffb6667098 x16: ffff000008261920 
x15: ffff000009752000 x14: 00000000fffffff0 
x13: ffff0000098e5150 x12: ffff000009738df8 
x11: ffff000008663128 x10: ffff0000098e4000 
x9 : 0000000000000006 x8 : 6d6275732064656c 
x7 : 6961662030206272 x6 : 0000000000000514 
x5 : 0000000000000000 x4 : 0000000000000000 
x3 : 0000000000000330 x2 : 00000000fffefa67 
x1 : ffff000009736000 x0 : 0000000000000000 
Process kworker/0:3 (pid: 1740, stack limit = 0xffff00000d448000)
Call trace:
Exception stack(0xffff00000d44bc60 to 0xffff00000d44bda0)
bc60: 0000000000000000 ffff000009736000 00000000fffefa67 0000000000000330
bc80: 0000000000000000 0000000000000000 0000000000000514 6961662030206272
bca0: 6d6275732064656c 0000000000000006 ffff0000098e4000 ffff000008663128
bcc0: ffff000009738df8 ffff0000098e5150 00000000fffffff0 ffff000009752000
bce0: ffff000008261920 0000ffffb6667098 0000000000000001 ffff8000b6386788
bd00: ffff8000b6386000 ffff8000b6385f88 ffff8000bff60580 0000000000000000
bd20: ffff8000b6386788 ffff0000080e7760 ffff000009222ec0 0000000000000000
bd40: 0000000000000000 ffff00000d44bda0 ffff0000089480b8 ffff00000d44bda0
bd60: ffff0000088e3abc 0000000040000145 00000000014000c0 ffff8000bff60580
bd80: ffffffffffffffff ffff0000089480b0 ffff00000d44bda0 ffff0000088e3abc
[<ffff0000088e3abc>] usb_autopm_put_interface+0x14/0x48
[<ffff0000089480b8>] acm_softint+0xb8/0xd8
[<ffff0000080e75ec>] process_one_work+0x1d4/0x348
[<ffff0000080e77a8>] worker_thread+0x48/0x470
[<ffff0000080edaac>] kthread+0x12c/0x130
[<ffff000008084ed8>] ret_from_fork+0x10/0x18
Code: f0007281 910cc003 910003fd f9454022 (f9401801) 
---[ end trace 1b12fec59341c199 ]---

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.
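The report above describes a use-after-free in acm_softint: references are dropped inside the loop, and the interface is then touched again when reads are resubmitted. The attached patch is not reproduced on this page, so the following is a constructed C model of that bug class and of one generic defence against it (holding your own reference across the use), not the cdc-acm driver's code or the reporter's patch. All names (toy_intf, toy_get, toy_put, submit_read_urbs, run_softint) are hypothetical; the last put only marks the object freed instead of calling free(), so the use-after-free is observable as a counter rather than as undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed illustration of the "use after put" pattern: a refcounted
 * object is released inside a loop and then touched again afterwards.
 * Names are hypothetical stand-ins, not the cdc-acm driver's code.
 */
struct toy_intf {
    int  refcnt;
    bool disconnected;      /* device was unplugged: the last put frees it */
    bool freed;             /* stands in for the memory being gone */
    int  reads_submitted;
};

struct softint_result {
    int uaf_events;         /* accesses made to the freed object */
    int reads_submitted;    /* read operations re-armed by the handler */
};

static void toy_get(struct toy_intf *intf)
{
    intf->refcnt++;
}

/* Drop one reference; once the device is gone and nobody holds it, "free" it. */
static void toy_put(struct toy_intf *intf)
{
    if (--intf->refcnt == 0 && intf->disconnected)
        intf->freed = true;
}

/* Re-arm reads. In a real driver this dereferences the interface; in the
 * report above that dereference landed on freed memory. */
static void submit_read_urbs(struct toy_intf *intf, struct softint_result *res)
{
    if (intf->freed) {
        res->uaf_events++;      /* would be a crash or silent corruption */
        return;
    }
    intf->reads_submitted++;
    res->reads_submitted++;
}

/*
 * Model of the bottom-half handler. With hold_ref == false it drops the
 * per-operation references first and uses the object afterwards (the buggy
 * ordering). With hold_ref == true the handler takes its own reference for
 * the whole duration, so the object cannot disappear underneath it.
 */
struct softint_result run_softint(bool hold_ref, int completed_ops)
{
    struct toy_intf intf = { .refcnt = completed_ops, .disconnected = true };
    struct softint_result res = { 0, 0 };

    if (hold_ref)
        toy_get(&intf);

    for (int i = 0; i < completed_ops; i++)
        toy_put(&intf);             /* may free the object if we hold nothing */

    submit_read_urbs(&intf, &res);  /* the access that must not follow the last put */

    if (hold_ref)
        toy_put(&intf);             /* our own reference: last put, now safe */

    return res;
}

int main(void)
{
    struct softint_result buggy = run_softint(false, 2);
    struct softint_result held  = run_softint(true, 2);

    printf("buggy ordering: %d use-after-free access(es), %d reads re-armed\n",
           buggy.uaf_events, buggy.reads_submitted);
    printf("held reference: %d use-after-free access(es), %d reads re-armed\n",
           held.uaf_events, held.reads_submitted);
    return 0;
}
```

The model makes the intermittency in the report visible: the buggy ordering only crashes when the dropped reference was the last one (here, after a disconnect), which is why the panic appears only on unplug and only sometimes. In a real kernel, building with CONFIG_KASAN turns such an access into a deterministic use-after-free report at the first touch, which is the fastest way to confirm this class of bug before unplugging hardware in a loop.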

Thread overview: 8+ messages
2025-04-24 14:31 bugzilla-daemon [this message]
2025-04-24 15:26 ` [Bug 220052] New: The usb/cdc-acm driver uses memory after it is freed Greg KH
2025-04-30 12:56   ` Ben Maan
2025-04-24 15:26 ` [Bug 220052] " bugzilla-daemon
2025-04-30 12:48 ` bugzilla-daemon
2025-04-30 12:56 ` bugzilla-daemon
2025-05-05  9:27   ` Oliver Neukum
2025-05-05  9:27 ` bugzilla-daemon