From: songjun.wu@atmel.com (Songjun Wu)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] USB: gadget: udc: atmel: fix possible oops when unloading module
Date: Tue, 30 Dec 2014 17:49:27 +0800 [thread overview]
Message-ID: <1419932967-2694-1-git-send-email-songjun.wu@atmel.com> (raw)
Executing the 'insmod g_hid.ko', then executing the
'rmmod g_hid.ko', the NULL pointer oops will be triggered.
When unloading the module 'g_hid.ko', the urb request will be
dequeued and the completion routine will be excuted. If no urb
packet, the urb request will not be added to the endpoint queue
and the completion routine pointer in urb request is NULL.
Accessing to the NULL function pointer will cause the oops issue.
Add the code to check the urb request is in the endpoint queue
or not.If the urb request is not in the endpoint queue, a negative
error code will be returned.
This bug was introduced since the file 'atmel_usba_udc.c' was
initialized. Fixes: 914a3f3b3754 (USB: add atmel_usba_udc driver)
Cc: stable at vger.kernel.org # always been there...
oops dump log is shown in the following.
Unable to handle kernel NULL pointer dereference at virtual
address 00000000
pgd = dedf0000
[00000000] *pgd=3ede5831, *pte=00000000, *ppte=00000000
Internal error: Oops: 80000007 [#1] ARM
Modules linked in: g_hid(-) usb_f_hid libcomposite
Signed-off-by: Songjun Wu <songjun.wu@atmel.com>
---
drivers/usb/gadget/udc/atmel_usba_udc.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
index ce88237..48629cc 100644
--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
+++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
@@ -828,7 +828,7 @@ static int usba_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
{
struct usba_ep *ep = to_usba_ep(_ep);
struct usba_udc *udc = ep->udc;
- struct usba_request *req = to_usba_req(_req);
+ struct usba_request *req;
unsigned long flags;
u32 status;
@@ -837,6 +837,16 @@ static int usba_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
spin_lock_irqsave(&udc->lock, flags);
+ list_for_each_entry(req, &ep->queue, queue) {
+ if (&req->req == _req)
+ break;
+ }
+
+ if (&req->req != _req) {
+ spin_unlock_irqrestore(&udc->lock, flags);
+ return -EINVAL;
+ }
+
if (req->using_dma) {
/*
* If this request is currently being transferred,
--
1.7.9.5
next reply other threads:[~2014-12-30 9:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-30 9:49 Songjun Wu [this message]
2015-01-08 17:15 ` [PATCH] USB: gadget: udc: atmel: fix possible oops when unloading module Felipe Balbi
2015-01-09 16:11 ` [RESEND PATCH] " Nicolas Ferre
-- strict thread matches above, loose matches on Subject: below --
2014-12-22 9:26 [PATCH] " Songjun Wu
2014-12-23 16:24 ` Felipe Balbi
2014-12-24 1:14 ` Wu, Songjun
2014-12-26 15:27 ` Felipe Balbi
2014-12-29 9:37 ` Wu, Songjun
2014-12-29 9:42 ` Wu, Songjun
2014-12-29 15:54 ` Felipe Balbi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1419932967-2694-1-git-send-email-songjun.wu@atmel.com \
--to=songjun.wu@atmel.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).