[Bug 217862] [BUG] Alauda driver causes oops when inserted with card in with transfer buffer is on stack, throws errors if card is inserted afterwards.

[bugzilla-daemon@kernel.org]

https://bugzilla.kernel.org/show_bug.cgi?id=217862

--- Comment #5 from pawlick3r@proton.me ---
(In reply to Alan Stern from comment #4)
> Created attachment 305027 [details]
> Fix IO buffer on stack in alauda subdriver
> 
> Try the attached patch.  It should fix all the other instances of I/O done
> to a buffer on the stack in the alauda driver.

It fixes that error, but not the deference error:

[   63.134053] usb 1-1.2: new full-speed USB device number 6 using ehci-pci
[   63.260694] usb 1-1.2: New USB device found, idVendor=0584, idProduct=0008,
bcdDevice= 1.02
[   63.260715] usb 1-1.2: New USB device strings: Mfr=1, Product=2,
SerialNumber=0
[   63.260721] usb 1-1.2: Product: USB SmartMedia Adapter
[   63.260726] usb 1-1.2: Manufacturer: YAMAICHI ELECTRONICS Co.,Ltd.
[   63.341974] usbcore: registered new interface driver usb-storage
[   63.348722] ums-alauda 1-1.2:1.0: USB Mass Storage device detected
[   63.348926] scsi host6: usb-storage 1-1.2:1.0
[   63.349032] usbcore: registered new interface driver ums-alauda
[   64.355307] scsi 6:0:0:0: Direct-Access     Fujifilm DPC-R1 (Alauda)  0102
PQ: 0 ANSI: 0 CCS
[   64.355494] scsi 6:0:0:1: Direct-Access     Fujifilm DPC-R1 (Alauda)  0102
PQ: 0 ANSI: 0 CCS
[   64.356335] sd 6:0:0:0: Attached scsi generic sg1 type 0
[   64.356814] sd 6:0:0:0: [sdb] Media removed, stopped polling
[   64.356970] sd 6:0:0:1: Attached scsi generic sg2 type 0
[   64.357651] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[   95.571120] usb 1-1.2: reset full-speed USB device number 6 using ehci-pci
[   95.686034] sd 6:0:0:1: [sdc] 16000 512-byte logical blocks: (8.19 MB/7.81
MiB)
[   95.686147] sd 6:0:0:1: [sdc] Test WP failed, assume Write Enabled
[   95.686243] sd 6:0:0:1: [sdc] Asking for cache data failed
[   95.686260] sd 6:0:0:1: [sdc] Assuming drive cache: write through
[  126.209261] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  126.209295] #PF: supervisor read access in kernel mode
[  126.209306] #PF: error_code(0x0000) - not-present page
[  126.209453] PGD 0 P4D 0 
[  126.209474] Oops: 0000 [#1] PREEMPT SMP PTI
[  126.209491] CPU: 3 PID: 2777 Comm: usb-storage Not tainted 6.5.1-custom #3
[  126.209507] Hardware name: LENOVO 42872VU/42872VU, BIOS 8DET54WW (1.24 )
10/18/2011
[  126.209513] RIP: 0010:alauda_transport+0x4e6/0x12e2 [ums_alauda]
[  126.209538] Code: 0f 4c 8b b1 98 00 00 00 49 83 fe 01 0f 87 6f 0a 00 00 4b
8d 0c 76 44 89 e8 44 8b 6d a8 48 c1 e1 04 48 8b 4c 0b 20 48 8b 04 c1 <42> 0f b7
04 68 66 83 f8 ff 0f 84 18 ff ff ff 44 0f b7 f8 49 83 fe
[  126.209546] RSP: 0018:ffffa17ac0bb3cd0 EFLAGS: 00010206
[  126.209555] RAX: 0000000000000000 RBX: ffff8ab097457a80 RCX:
ffff8ab1913c6ac8
[  126.209561] RDX: 00000000019c2003 RSI: ffffd88bc0000000 RDI:
0000000000000000
[  126.209567] RBP: ffffa17ac0bb3db0 R08: 0000000000000000 R09:
0000000000000000
[  126.209573] R10: 0000000000000001 R11: 0000000000000000 R12:
ffff8ab08121c000
[  126.209578] R13: 0000000000000000 R14: 0000000000000001 R15:
ffff8ab081915138
[  126.209584] FS:  0000000000000000(0000) GS:ffff8ab19a2c0000(0000)
knlGS:0000000000000000
[  126.209591] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  126.209597] CR2: 0000000000000000 CR3: 000000008e03c006 CR4:
00000000000606e0
[  126.209604] Call Trace:
[  126.209610]  <TASK>
[  126.209618]  ? show_regs+0x6e/0x80
[  126.209632]  ? __die+0x29/0x70
[  126.209641]  ? page_fault_oops+0x154/0x4a0
[  126.209654]  ? alauda_transport+0x4e6/0x12e2 [ums_alauda]
[  126.209671]  ? search_exception_tables+0x65/0x70
[  126.209686]  ? kernelmode_fixup_or_oops+0xa2/0x120
[  126.209697]  ? __bad_area_nosemaphore+0x179/0x280
[  126.209712]  ? bad_area_nosemaphore+0x16/0x20
[  126.209725]  ? do_user_addr_fault+0x2ce/0x6b0
[  126.209741]  ? exc_page_fault+0x7d/0x190
[  126.209755]  ? asm_exc_page_fault+0x2b/0x30
[  126.209774]  ? alauda_transport+0x4e6/0x12e2 [ums_alauda]
[  126.209799]  ? __schedule+0x3cb/0x15d0
[  126.209825]  usb_stor_invoke_transport+0x45/0x520 [usb_storage]
[  126.209856]  ? __wait_for_common+0x15b/0x190
[  126.209868]  ? __pfx_schedule_timeout+0x10/0x10
[  126.209881]  usb_stor_transparent_scsi_command+0x12/0x20 [usb_storage]
[  126.209905]  usb_stor_control_thread+0x20b/0x2d0 [usb_storage]
[  126.209931]  ? __pfx_usb_stor_control_thread+0x10/0x10 [usb_storage]
[  126.209955]  kthread+0xfb/0x130
[  126.209967]  ? __pfx_kthread+0x10/0x10
[  126.209978]  ret_from_fork+0x40/0x60
[  126.209988]  ? __pfx_kthread+0x10/0x10
[  126.209998]  ret_from_fork_asm+0x1b/0x30
[  126.210016]  </TASK>
[  126.210020] Modules linked in: ums_alauda usb_storage rfcomm ccm bnep
intel_rapl_msr mei_hdcp snd_hda_codec_hdmi snd_ctl_led snd_hda_codec_conexant
snd_hda_codec_generic uvcvideo videobuf2_vmalloc uvc snd_hda_intel btusb
snd_intel_dspcfg btrtl snd_intel_sdw_acpi videobuf2_memops btbcm btintel btmtk
videobuf2_v4l2 bluetooth snd_hda_codec videodev videobuf2_common mc
ecdh_generic intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp
binfmt_misc snd_hda_core rapl snd_hwdep intel_cstate iwldvm snd_pcm
nls_iso8859_1 think_lmi input_leds joydev mac80211 at24 serio_raw
firmware_attributes_class wmi_bmof libarc4 snd_seq_midi snd_seq_midi_event
iwlwifi snd_rawmidi thinkpad_acpi snd_seq snd_seq_device nvram snd_timer
ledtrig_audio mei_me platform_profile cfg80211 snd mei soundcore mac_hid
sch_fq_codel msr parport_pc ppdev lp pstore_blk parport ramoops pstore_zone
reed_solomon efi_pstore ip_tables x_tables autofs4 i915 drm_buddy i2c_algo_bit
ttm crct10dif_pclmul drm_display_helper crc32_pclmul ghash_clmulni_intel cec
[  126.210212]  sha512_ssse3 rc_core aesni_intel sdhci_pci crypto_simd
drm_kms_helper ahci cryptd cqhci psmouse i2c_i801 libahci drm i2c_smbus lpc_ich
e1000e sdhci video wmi
[  126.210262] CR2: 0000000000000000
[  126.210270] ---[ end trace 0000000000000000 ]---
[  126.974625] RIP: 0010:alauda_transport+0x4e6/0x12e2 [ums_alauda]
[  126.974660] Code: 0f 4c 8b b1 98 00 00 00 49 83 fe 01 0f 87 6f 0a 00 00 4b
8d 0c 76 44 89 e8 44 8b 6d a8 48 c1 e1 04 48 8b 4c 0b 20 48 8b 04 c1 <42> 0f b7
04 68 66 83 f8 ff 0f 84 18 ff ff ff 44 0f b7 f8 49 83 fe
[  126.974670] RSP: 0018:ffffa17ac0bb3cd0 EFLAGS: 00010206
[  126.974680] RAX: 0000000000000000 RBX: ffff8ab097457a80 RCX:
ffff8ab1913c6ac8
[  126.974687] RDX: 00000000019c2003 RSI: ffffd88bc0000000 RDI:
0000000000000000
[  126.974693] RBP: ffffa17ac0bb3db0 R08: 0000000000000000 R09:
0000000000000000
[  126.974698] R10: 0000000000000001 R11: 0000000000000000 R12:
ffff8ab08121c000
[  126.974703] R13: 0000000000000000 R14: 0000000000000001 R15:
ffff8ab081915138
[  126.974709] FS:  0000000000000000(0000) GS:ffff8ab19a2c0000(0000)
knlGS:0000000000000000
[  126.974716] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  126.974722] CR2: 0000000000000000 CR3: 0000000113a8a005 CR4:
00000000000606e0
[  126.974729] note: usb-storage[2777] exited with irqs disabled

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.