Bug 74041

Summary: [PATCH]kernel NULL pointer dereference in symbolserial
Product: Drivers Reporter: Vadim Zelenin (VadimZelenin)
Component: USB Assignee: Greg Kroah-Hartman (greg)
Status: NEW
Severity: normal CC: alan, mike
Priority: P1
Hardware: All   
OS: Linux   
Kernel Version: 3.10, 3.12 Subsystem:
Regression: Yes Bisected commit-id:
Attachments: Patch to fix this bug

Description Vadim Zelenin 2014-04-14 10:48:18 UTC
Created attachment 132151 [details]
Patch to fix this bug

When connecting a Motorola Symbol DS4208 barcode scanner in "Simple COM port emulation" mode, the kernel reported an error in the symbolserial driver.

I prefer ALT Linux, so I see with 3.10.34-std-def-alt1 x86_64:

[   54.290502] usb 1-1.5: new full-speed USB device number 3 using ehci-pci
[   54.435435] usbcore: registered new interface driver usbserial
[   54.435443] usbcore: registered new interface driver usbserial_generic
[   54.435449] usbserial: USB Serial support registered for generic
[   54.435783] usbcore: registered new interface driver symbolserial
[   54.435793] usbserial: USB Serial support registered for symbol
[   54.435802] symbolserial 1-1.5:1.0: symbol converter detected
[   54.435873] usb 1-1.5: symbol converter now attached to ttyUSB0
[   54.511060] BUG: unable to handle kernel NULL pointer dereference at (null)
[   54.511300] IP: [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.511481] PGD 429323067 PUD 429315067 PMD 0 
[   54.511624] Oops: 0002 [#1] SMP 
[   54.511728] Modules linked in: symbolserial usbserial nvidia(PO) drm
vhost_net bnep tun macvtap macvlan uinput bluetooth af_packet vboxnetadp(O)
vboxnetflt(O) ipv6 pci_stub vboxpci(O) vboxdrv(O) hid_generic usbhid hid
coretemp intel_powerclamp kvm_intel kvm snd_hda_codec_hdmi eeepc_wmi
crc32_pclmul asus_wmi crc32c_intel ghash_clmulni_intel i2c_i801 i2c_core cryptd
sparse_keymap rfkill hwmon pci_hotplug sr_mod cdrom iTCO_wdt xhci_hcd pcspkr
acpi_cpufreq iTCO_vendor_support mperf microcode ehci_pci ehci_hcd r8169
usbcore snd_hda_codec_realtek snd_hda_intel snd_hda_codec mxm_wmi mii snd_hwdep
snd_pcm usb_common processor lpc_ich snd_seq_midi snd_seq_midi_event snd_seq
snd_page_alloc wmi snd_rawmidi snd_seq_device video snd_timer snd soundcore
button dm_mod ext4 crc16 mbcache jbd2 sd_mod crc_t10dif ahci
[   54.514183]  libahci libata evdev scsi_mod autofs4
[   54.514312] CPU: 0 PID: 912 Comm: ModemManager Tainted: P           O 3.10.34-std-def-alt1 #1
[   54.514555] Hardware name: System manufacturer System Product Name/P8Z68-V LX, BIOS 0703 10/21/2011
[   54.514814] task: ffff88042ab78700 ti: ffff880428cb2000 task.ti: ffff880428cb2000
[   54.515027] RIP: 0010:[<ffffffff81043a19>]  [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.515274] RSP: 0018:ffff880428cb3ab8  EFLAGS: 00010082
[   54.515426] RAX: 0000000000000100 RBX: 0000000000000286 RCX: 0000000000000000
[   54.515630] RDX: 0000000000000003 RSI: 0000000000000286 RDI: 0000000000000000
[   54.515833] RBP: ffff880428cb3ab8 R08: 0000000000000000 R09: 0000000000000001
[   54.516036] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88041505a000
[   54.516240] R13: ffff88041505a008 R14: ffff8804285e3c00 R15: ffff8804285e3c00
[   54.516444] FS:  00007f861fd647c0(0000) GS:ffff88043f400000(0000) knlGS:0000000000000000
[   54.516674] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   54.516839] CR2: 0000000000000000 CR3: 0000000428c9e000 CR4: 00000000000407f0
[   54.517042] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   54.517246] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   54.517449] Stack:
[   54.517506]  ffff880428cb3ac8 ffffffff81043ad3 ffff880428cb3ae8 ffffffff814d96c7
[   54.517739]  0000000000000000 ffff88041505a000 ffff880428cb3b08 ffffffffa04ca03c
[   54.523667]  ffff88041a977b68 ffff88041a977b00 ffff880428cb3b48 ffffffffa05792f5
[   54.529614] Call Trace:
[   54.535534]  [<ffffffff81043ad3>] default_spin_lock_flags+0x13/0x20
[   54.541599]  [<ffffffff814d96c7>] _raw_spin_lock_irqsave+0x47/0x60
[   54.547545]  [<ffffffffa04ca03c>] symbol_open+0x1c/0x70 [symbolserial]
[   54.553430]  [<ffffffffa05792f5>] serial_port_activate+0x75/0xa0 [usbserial]
[   54.559309]  [<ffffffff81346163>] ? tty_port_tty_set+0x63/0xa0
[   54.565139]  [<ffffffff81346870>] tty_port_open+0xb0/0x100
[   54.570957]  [<ffffffffa057963d>] serial_open+0x1d/0x20 [usbserial]
[   54.576732]  [<ffffffff8133d6fc>] tty_open+0x17c/0x5a0
[   54.582327]  [<ffffffff811835a3>] chrdev_open+0xb3/0x1b0
[   54.587772]  [<ffffffff8117c903>] do_dentry_open+0x203/0x290
[   54.593072]  [<ffffffff811834f0>] ? cdev_put+0x30/0x30
[   54.598187]  [<ffffffff8117c9c0>] finish_open+0x30/0x40
[   54.603149]  [<ffffffff8118d8e9>] do_last+0x6f9/0xef0
[   54.607973]  [<ffffffff8118a3ff>] ? link_path_walk+0x6f/0x870
[   54.612656]  [<ffffffff8119d6ff>] ? mntput+0x1f/0x30
[   54.617181]  [<ffffffff8118898d>] ? path_put+0x1d/0x30
[   54.621590]  [<ffffffff8118e191>] path_openat+0xb1/0x4c0
[   54.625865]  [<ffffffff81144e8d>] ? handle_mm_fault+0x2ad/0x3c0
[   54.630033]  [<ffffffff814dd4b4>] ? __do_page_fault+0x224/0x520
[   54.634074]  [<ffffffff8118ee3c>] do_filp_open+0x3c/0x90
[   54.637988]  [<ffffffff8119b935>] ? __alloc_fd+0xd5/0x130
[   54.641777]  [<ffffffff8117dcbf>] do_sys_open+0xef/0x1d0
[   54.645499]  [<ffffffff8101fdb0>] ? syscall_trace_enter+0x20/0x240
[   54.649318]  [<ffffffff8117ddbd>] SyS_open+0x1d/0x20
[   54.653135]  [<ffffffff814e1d37>] tracesys+0xdd/0xe2
[   54.656937] Code: 00 00 48 c7 c1 31 38 04 81 48 c7 c2 2e 38 04 81 e9 dd fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 b8 00 01 00 00 48 89 e5 <f0> 66 0f c1 07 0f b6 d4 38 c2 74 0c 0f 1f 00 f3 90 0f b6 07 38
[   54.669149] RIP  [<ffffffff81043a19>] __ticket_spin_lock+0x9/0x30
[   54.673182]  RSP <ffff880428cb3ab8>
[   54.677189] CR2: 0000000000000000
[   54.681217] ---[ end trace 8da18c5391c8fa84 ]---

With 3.12.16-std-def-alt1 x86_64:

[   88.461810] usb 3-1.5: new full-speed USB device number 3 using ehci-pci
[   88.631979] usbcore: registered new interface driver usbserial
[   88.631991] usbcore: registered new interface driver usbserial_generic
[   88.632000] usbserial: USB Serial support registered for generic
[   88.632439] usbcore: registered new interface driver symbolserial
[   88.632450] usbserial: USB Serial support registered for symbol
[   88.632463] symbolserial 3-1.5:1.0: symbol converter detected
[   88.632532] usb 3-1.5: symbol converter now attached to ttyUSB0
[   88.711811] BUG: unable to handle kernel NULL pointer dereference at (null)
[   88.728682] IP: [<ffffffff8150b09a>] _raw_spin_lock_irqsave+0x2a/0x80
[   88.737141] PGD 42887a067 PUD 429e56067 PMD 0 
[   88.745398] Oops: 0002 [#1] SMP 
[   88.753385] Modules linked in: symbolserial usbserial nvidia(PO) drm
vhost_net tun vhost macvtap macvlan bnep kvm_intel uinput kvm bluetooth
af_packet vboxnetadp(O) vboxnetflt(O) pci_stub vboxpci(O) ipv6 vboxdrv(O)
hid_generic usbhid hid snd_hda_codec_hdmi snd_hda_codec_realtek xhci_hcd
eeepc_wmi asus_wmi i2c_i801 sparse_keymap ehci_pci rfkill snd_hda_intel
snd_hda_codec ehci_hcd hwmon usbcore iTCO_wdt snd_hwdep snd_pcm
iTCO_vendor_support usb_common snd_page_alloc sr_mod i2c_core r8169 cdrom
lpc_ich mii pcspkr mxm_wmi processor wmi video snd_seq_midi snd_seq_midi_event
snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore button dm_mod ext4
crc16 mbcache jbd2 sd_mod crc_t10dif crct10dif_common ahci libahci libata evdev
scsi_mod autofs4
[   88.821371] CPU: 0 PID: 978 Comm: ModemManager Tainted: P           O 3.12.16-std-def-alt1 #1
[   88.830388] Hardware name: System manufacturer System Product Name/P8Z68-V LX, BIOS 0703 10/21/2011
[   88.848247] task: ffff880428f260c0 ti: ffff880428f9a000 task.ti: ffff880428f9a000
[   88.857460] RIP: 0010:[<ffffffff8150b09a>]  [<ffffffff8150b09a>] _raw_spin_lock_irqsave+0x2a/0x80
[   88.866921] RSP: 0018:ffff880428f9baf0  EFLAGS: 00010086
[   88.876318] RAX: 0000000000000282 RBX: 0000000000000000 RCX: 0000000000000002
[   88.885827] RDX: 0000000000000200 RSI: ffff880428bd6000 RDI: 0000000000000000
[   88.895389] RBP: ffff880428f9bb08 R08: 0000000000000282 R09: 00000000002ffeb4
[   88.904926] R10: 0000000000004328 R11: 0000000000000000 R12: ffff880428bd6000
[   88.914412] R13: ffff880428bd6008 R14: ffff880418542800 R15: ffff880418542800
[   88.923894] FS:  00007ffa58c227c0(0000) GS:ffff88043f400000(0000) knlGS:0000000000000000
[   88.933627] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   88.943270] CR2: 0000000000000000 CR3: 0000000428bfa000 CR4: 00000000000407f0
[   88.953043] Stack:
[   88.962758]  ffffffffa03f103c ffff880418a8a7e8 ffff880418a8a780 ffff880428f9bb48
[   88.972876]  ffffffffa0586325 ffff880428f9bb48 ffffffff8137948c ffff880428bd6008
[   88.983015]  ffff880418542800 ffff880428bd6110 ffff88042a9da080 ffff880428f9bb88
[   88.993168] Call Trace:
[   89.003256]  [<ffffffffa03f103c>] ? symbol_open+0x1c/0x70 [symbolserial]
[   89.013604]  [<ffffffffa0586325>] serial_port_activate+0x75/0xa0 [usbserial]
[   89.023950]  [<ffffffff8137948c>] ? tty_port_tty_set+0x6c/0xb0
[   89.034236]  [<ffffffff81379bfe>] tty_port_open+0xae/0x170
[   89.044421]  [<ffffffff8137019a>] ? tty_init_dev+0xaa/0x1d0
[   89.054385]  [<ffffffffa05865ed>] serial_open+0x1d/0x20 [usbserial]
[   89.064191]  [<ffffffff81370a65>] tty_open+0x165/0x5c0
[   89.073861]  [<ffffffff8119c026>] chrdev_open+0x96/0x1c0
[   89.083415]  [<ffffffff81195313>] do_dentry_open+0x203/0x290
[   89.092961]  [<ffffffff8119bf90>] ? cdev_put+0x30/0x30
[   89.102318]  [<ffffffff811953d0>] finish_open+0x30/0x40
[   89.111419]  [<ffffffff811a67d6>] do_last+0x6d6/0xf80
[   89.120265]  [<ffffffff811a713d>] path_openat+0xbd/0x670
[   89.128866]  [<ffffffff811a2bab>] ? getname_flags.part.25+0x2b/0x140
[   89.137316]  [<ffffffff811a7f1e>] do_filp_open+0x3e/0xa0
[   89.145468]  [<ffffffff811b422e>] ? __alloc_fd+0xce/0x120
[   89.153346]  [<ffffffff81196837>] do_sys_open+0x137/0x220
[   89.160963]  [<ffffffff8119693d>] SyS_open+0x1d/0x20
[   89.168362]  [<ffffffff81513987>] tracesys+0xdd/0xe2
[   89.175500] Code: 00 48 83 3d 68 fa 28 00 00 74 30 9c 58 66 66 90 66 90 48 83 3d 67 fa 28 00 00 49 89 c0 74 4a fa 66 66 90 66 66 90 ba 00 02 00 00 <f0> 66 0f c1 17 0f b6 ce 38 d1 75 06 4c 89 c0 c3 0f 0b 83 e1 fe
[   89.197496] RIP  [<ffffffff8150b09a>] _raw_spin_lock_irqsave+0x2a/0x80
[   89.204639]  RSP <ffff880428f9baf0>
[   89.211646] CR2: 0000000000000000
[   89.218652] ---[ end trace 39155a05d64827ec ]---
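Reading the two traces together (an added note for this page, not part of the report): in both, `Oops: 0002` is the x86 page-fault error code with only the write bit set (page not present, write access, kernel mode), `CR2` is 0, and `RDI`, which carries a function's first argument under the x86-64 SysV calling convention, is also 0. The bytes after `<f0>` in each `Code:` line decode to `lock xadd %ax,(%rdi)` (3.10, with `%eax` preloaded to 0x100) and `lock xadd %dx,(%rdi)` (3.12, with `%edx` preloaded to 0x200), the ticket-lock increment, so the lock pointer that `symbol_open` hands to `spin_lock_irqsave` is NULL. The C program below is written for this page, not the reporter's attached patch (which is not shown here); it pulls those fields out of a constructed excerpt of the 3.12 trace and classifies the fault. The line selection, the `oops_info` struct and the `parse_oops` and `is_kernel_null_write` names are mine.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: selected lines copied from the 3.12 oops above. */
static const char *oops_lines[] = {
    "[   88.711811] BUG: unable to handle kernel NULL pointer dereference at (null)",
    "[   88.728682] IP: [<ffffffff8150b09a>] _raw_spin_lock_irqsave+0x2a/0x80",
    "[   88.745398] Oops: 0002 [#1] SMP ",
    "[   88.885827] RDX: 0000000000000200 RSI: ffff880428bd6000 RDI: 0000000000000000",
    "[   88.943270] CR2: 0000000000000000 CR3: 0000000428bfa000 CR4: 00000000000407f0",
    NULL
};

/* Constructed contrast case (not from the report): a kernel-mode READ of
 * the NULL page, which the classifier below must not report as a write. */
static const char *read_fault_lines[] = {
    "[    1.000000] Oops: 0000 [#1] SMP ",
    "[    1.000001] CR2: 0000000000000008 CR3: 0000000000000000 CR4: 0000000000000000",
    NULL
};

struct oops_info {
    unsigned err;            /* x86 #PF error code from the "Oops:" line */
    uint64_t rdi;            /* first integer argument (SysV x86-64 ABI) */
    uint64_t cr2;            /* faulting linear address */
    int have_err, have_rdi, have_cr2;
};

/* Find "NAME: " in line and parse the hex value that follows it. */
static int reg_value(const char *line, const char *name, uint64_t *out)
{
    char key[16];
    snprintf(key, sizeof key, "%s: ", name);
    const char *p = strstr(line, key);
    if (!p)
        return 0;
    *out = strtoull(p + strlen(key), NULL, 16);
    return 1;
}

static struct oops_info parse_oops(const char *const *lines)
{
    struct oops_info info = {0};
    for (; *lines; lines++) {
        const char *p = strstr(*lines, "Oops: ");
        if (p) {
            info.err = (unsigned)strtoul(p + strlen("Oops: "), NULL, 16);
            info.have_err = 1;
        }
        if (reg_value(*lines, "RDI", &info.rdi)) info.have_rdi = 1;
        if (reg_value(*lines, "CR2", &info.cr2)) info.have_cr2 = 1;
    }
    return info;
}

/* x86 #PF error-code bits (Intel SDM vol. 3, "Page-Fault Exceptions"). */
#define PF_PROT  (1u << 0)   /* 0 = page not present, 1 = protection violation */
#define PF_WRITE (1u << 1)   /* 0 = read, 1 = write */
#define PF_USER  (1u << 2)   /* 0 = kernel mode, 1 = user mode */

/* 1 if this is a kernel-mode write into the (unmapped) NULL page; the 4 KiB
 * page size is an assumption that holds for the x86_64 kernels in the report. */
static int is_kernel_null_write(const struct oops_info *i)
{
    return i->have_err && i->have_cr2 &&
           !(i->err & PF_PROT) && (i->err & PF_WRITE) && !(i->err & PF_USER) &&
           i->cr2 < 4096;
}

/* Helpers used for stand-alone checks of the two samples. */
static struct oops_info sample_info(void)      { return parse_oops(oops_lines); }
static int sample_is_null_write(void)          { struct oops_info i = sample_info(); return is_kernel_null_write(&i); }
static int read_sample_is_null_write(void)     { struct oops_info i = parse_oops(read_fault_lines); return is_kernel_null_write(&i); }

int main(void)
{
    struct oops_info i = sample_info();
    printf("error code 0x%04x: %s, %s, %s mode\n", i.err,
           (i.err & PF_PROT) ? "protection violation" : "page not present",
           (i.err & PF_WRITE) ? "write" : "read",
           (i.err & PF_USER) ? "user" : "kernel");
    printf("CR2 = 0x%016llx (faulting address)\n", (unsigned long long)i.cr2);
    printf("RDI = 0x%016llx (first argument: the lock pointer passed to the spinlock)\n",
           (unsigned long long)i.rdi);
    return is_kernel_null_write(&i) ? 0 : 1;
}
```

The same decode applied to the 3.10 trace gives the identical picture (error code 0x0002, CR2 = 0, RDI = 0), which is why the report calls it a regression across both kernels rather than a one-off.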

Comment 1 Greg Kroah-Hartman 2014-04-14 13:50:45 UTC
On Mon, Apr 14, 2014 at 10:48:18AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=74041
> 
>             Bug ID: 74041
>            Summary: kernel NULL pointer dereference in symbolserial

We can't take patches through bugzilla, please resend it to the
linux-usb@vger.kernel.org mailing list after reading
Documentation/SubmittingPatches for what the proper format is to send it
in.