Re: rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference
On Sun, 2016-01-03 at 20:50 +0100, Bjørn Mork wrote: > > But like you, I cannot find the commit supposed to fix this. There is > no such commit in net, net-next, usb or usb-next AFAICS. And I can't > find any other relevant commit after the one introducing this bug > either. Did you forget to submit it maybe, Oliver? Hi, it seems I am becoming forgetful. Vasily, could you test? Regards Oliver From f78b52d522f9adfae32af8d7313b51f3af2fcf30 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Tue, 22 Sep 2015 15:45:21 +0200 Subject: [PATCH] cdc-acm: fix NULL pointer reference The union descriptor must be checked. Its usage was conditional before the parser was introduced. Signed-off-by: Oliver Neukum --- drivers/net/usb/cdc_ether.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c index c78d3cb..437d9db 100644 --- a/drivers/net/usb/cdc_ether.c +++ b/drivers/net/usb/cdc_ether.c @@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) info->u = header.usb_cdc_union_desc; info->header = header.usb_cdc_header_desc; info->ether = header.usb_cdc_ether_desc; + if (!info->u) { + if (rndis) + goto skip; + else /* in that case a quirk is mandatory */ + goto bad_desc; + } /* we need a master/control interface (what we're * probed with) and a slave/data interface; union * descriptors sort this all out. @@ -256,7 +262,7 @@ skip: goto bad_desc; } - } else if (!info->header || !info->u || (!rndis && !info->ether)) { + } else if (!info->header || (!rndis && !info->ether)) { dev_dbg(&intf->dev, "missing cdc %s%s%sdescriptor\n", info->header ? "" : "header ", info->u ? "" : "union ", -- 2.1.4
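Review bot: the new `if (!info->u)` block in the first hunk is placed right after `info->u = header.usb_cdc_union_desc;` and therefore ahead of the `info->u->bMasterInterface0` dereference that the Oops report in this thread places at cdc_ether.c lines 167-168, so the non-RNDIS `goto bad_desc` does close the NULL dereference; the RNDIS branch, however, jumps to `skip` with `info->u` still NULL, and nothing between the hunk and the `skip:` label is visible here, so the commit message should state that the code up to `skip:` does not touch `info->u` (a one-line comment at the `goto skip` would help future readers too). Separately, the subject reads `cdc-acm: fix NULL pointer reference` while the only file touched is drivers/net/usb/cdc_ether.c; `cdc_ether: fix NULL pointer dereference` would match the diffstat, and a `Fixes:` tag naming commit 823bd3433424 ("cdc-ether: switch to common CDC parser"), which the thread identifies as introducing the bug, would let stable pick it up.

Review bot: in the second hunk `!info->u` is dropped from the condition, consistent with the earlier bail-out, but the `dev_dbg` that follows still prints `info->u ? "" : "union "`; since the condition no longer tests the union descriptor, the message can now name "union" as the missing descriptor for a device that was rejected for a different reason, which will mislead the next person reading a debug log. Either remove that `%s` term from the message in the same patch or keep the union check in the condition for the non-RNDIS case.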
Re: rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference
Vasily Galkin writes:

> I reverted 823bd3433424aa959499e6fd8f2da842430a8d42 and recompiled cdc_ether
> module for debian's 4.4rc6.
> Device began working normally as usual, no Oopses or problems.
>
> Attaching lsusb output for this kernel.

[..]

> Interface Descriptor:
> bLength 9
> bDescriptorType 4
> bInterfaceNumber 0
> bAlternateSetting 0
> bNumEndpoints 1
> bInterfaceClass 224 Wireless
> bInterfaceSubClass 1 Radio Frequency
> bInterfaceProtocol 3 RNDIS
> iInterface 0
> ** UNRECOGNIZED: 05 24 01 00 01
> ** UNRECOGNIZED: 04 24 02 00
> ** UNRECOGNIZED: 05 24 02 00 01

Fascinating! A nice example of why we should never trust descriptors, even for real, presumably non-malicious, devices.

The last descriptor there is invalid, and should probably have been "05 24 06 00 01". I.e. a CDC Union pointing to intf #0 as master and #1 as slave. Anyway, we won't consider that a union descriptor. And oops we go when we unconditionally dereference info->u.

But like you, I cannot find the commit supposed to fix this. There is no such commit in net, net-next, usb or usb-next AFAICS. And I can't find any other relevant commit after the one introducing this bug either. Did you forget to submit it maybe, Oliver?

BTW, it would be great if any reference to commit id's included the title, like 'commit 823bd3433424 ("cdc-ether: switch to common CDC parser")'. That makes it easier to spot any cut-and-paste error or such.

Bjørn
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
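To make Bjørn's "never trust descriptors" point concrete, here is a small added example (written for this write-up, not code from the thread, from cdc_ether.c or from the kernel). It walks a buffer of CDC class-specific interface descriptors, refuses runt or truncated bLength values, records only descriptors whose length is plausible for their subtype, and then makes the same decision the patch in this thread makes: a missing union descriptor is tolerated in RNDIS mode and rejected for plain CDC Ethernet, and d.u is never dereferenced when it is NULL. The sample bytes are the three descriptors lsusb flagged as UNRECOGNIZED above, plus a constructed copy with the last subtype corrected to 0x06 as Bjørn suggests; the names cdc_parse, cdc_bind and cdc_binding, and the RNDIS fallback pairing of "probed interface plus the next one", are assumptions made for the example, not a description of the kernel's skip path.

```c
/* Added example: defensive parsing of CDC class-specific descriptors.
 * Not kernel code; modelled on the cdc_ether fix discussed in this thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_CS_INTERFACE   0x24
#define CDC_SUBTYPE_HEADER    0x00
#define CDC_SUBTYPE_UNION     0x06
#define CDC_SUBTYPE_ETHERNET  0x0F

/* Pointers into the descriptor buffer; NULL means "not present". */
struct cdc_desc_set {
    const uint8_t *header;  /* 5 bytes */
    const uint8_t *u;       /* >= 5 bytes: bMasterInterface0 at offset 3, bSlaveInterface0 at 4 */
    const uint8_t *ether;   /* 13 bytes */
};

/* Walk the buffer. Returns the number of descriptors seen, or -1 if a bLength
 * is a runt (< 3) or runs past the end of the buffer. */
int cdc_parse(const uint8_t *buf, size_t len, struct cdc_desc_set *out)
{
    size_t off = 0;
    int seen = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        uint8_t blen = buf[off];
        if (blen < 3 || off + blen > len)
            return -1;
        if (buf[off + 1] == USB_DT_CS_INTERFACE) {
            switch (buf[off + 2]) {
            case CDC_SUBTYPE_HEADER:   if (blen >= 5)  out->header = buf + off; break;
            case CDC_SUBTYPE_UNION:    if (blen >= 5)  out->u      = buf + off; break;
            case CDC_SUBTYPE_ETHERNET: if (blen >= 13) out->ether  = buf + off; break;
            default: break;  /* call management, ACM, unknown: ignored, like lsusb's UNRECOGNIZED */
            }
        }
        seen++;
        off += blen;
    }
    return seen;
}

enum { BIND_OK = 0, BIND_BAD_DESC = -1 };

struct cdc_binding { int status; int master; int slave; };

/* Decide which interfaces are control (master) and data (slave). rndis != 0
 * mirrors the driver's RNDIS mode; probed_intf is the interface number the
 * driver was probed with. The RNDIS fallback pairing below is an assumption
 * made for this example, not a statement about the kernel's skip path. */
struct cdc_binding cdc_bind(const uint8_t *buf, size_t len, int rndis, int probed_intf)
{
    struct cdc_binding b = { BIND_BAD_DESC, -1, -1 };
    struct cdc_desc_set d;

    if (cdc_parse(buf, len, &d) < 0)
        return b;                 /* malformed lengths: refuse the device */
    if (!d.u) {
        if (!rndis)
            return b;             /* CDC Ethernet without a union needs a quirk; never touch d.u */
        b.master = probed_intf;   /* RNDIS: tolerate the missing union */
        b.slave  = probed_intf + 1;
    } else {
        b.master = d.u[3];        /* bMasterInterface0 */
        b.slave  = d.u[4];        /* bSlaveInterface0 */
    }
    if (!rndis && !d.ether)
        return b;                 /* plain CDC Ethernet also needs the Ethernet functional descriptor */
    b.status = BIND_OK;
    return b;
}

/* The three class-specific descriptors lsusb reported as UNRECOGNIZED for the
 * LU150 (1076:8002), copied from the quoted output above. */
const uint8_t lu150_cs_desc[] = {
    0x05, 0x24, 0x01, 0x00, 0x01,   /* Call Management, data interface 1 */
    0x04, 0x24, 0x02, 0x00,         /* Abstract Control Management */
    0x05, 0x24, 0x02, 0x00, 0x01,   /* subtype 0x02 with bLength 5: bogus, probably meant as a Union */
};

/* Constructed: same bytes with the last subtype corrected to 0x06 (Union, master 0, slave 1). */
const uint8_t lu150_cs_desc_fixed[] = {
    0x05, 0x24, 0x01, 0x00, 0x01,
    0x04, 0x24, 0x02, 0x00,
    0x05, 0x24, 0x06, 0x00, 0x01,
};

/* Constructed: the second descriptor claims 9 bytes but only 4 remain. */
const uint8_t truncated_cs_desc[] = { 0x05, 0x24, 0x00, 0x10, 0x01, 0x09, 0x24, 0x06, 0x00 };

int main(void)
{
    struct cdc_binding b = cdc_bind(lu150_cs_desc, sizeof lu150_cs_desc, 1, 0);
    printf("LU150 as RNDIS:      status %d master %d slave %d\n", b.status, b.master, b.slave);
    b = cdc_bind(lu150_cs_desc, sizeof lu150_cs_desc, 0, 0);
    printf("LU150 as cdc_ether:  status %d (rejected, no union)\n", b.status);
    b = cdc_bind(lu150_cs_desc_fixed, sizeof lu150_cs_desc_fixed, 1, 0);
    printf("corrected union:     status %d master %d slave %d\n", b.status, b.master, b.slave);
    b = cdc_bind(truncated_cs_desc, sizeof truncated_cs_desc, 1, 0);
    printf("truncated bLength:   status %d\n", b.status);
    return 0;
}
```

Run as written, the LU150 bytes bind in RNDIS mode through the fallback and are rejected in CDC Ethernet mode, the corrected bytes yield master 0 and slave 1 from the union descriptor itself, and the truncated buffer is rejected before any subtype is looked at. The two length checks in cdc_parse are the part most worth copying: a device-supplied bLength is an index into your own buffer, so it is validated before it is used, exactly as the union pointer is validated before it is dereferenced.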
Trouble posting from gmail, was Re: rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference
I'm sorry for breaking in, but this is a test to see if I can reach the mailing list at all. All my direct emails have been triggering error messages instead of getting through, even though as far as I know I have followed the instructions to stop them being misunderstood as list commands.

PML.

On 03/01/2016, Vasily Galkin wrote:
>> On Sat, 2016-01-02 at 06:11 +0300, Vasily Galkin wrote:
>>
>>> I reverted 823bd3433424aa959499e6fd8f2da842430a8d42 and recompiled
>>> cdc_ether module for debian's 4.4rc6.
>>> Device began working normally as usual, no Oopses or problems.
>>>
>>> Attaching lsusb output for this kernel.
>>>
>>> Note that this device uses usb mode switching: initially it appears as
>>> 1076:8001 storage with drivers, and then is switched to actual networking
>>> device 1076:8002.
>>> I'm attaching lsusb -v output for both modes.
>>
>> Your analysis seems entirely correct, but that doesn't
>> explain how info->u can be NULL, as commit
>> f78b52d522f9adfae32af8d7313b51f3af2fcf30
>> introduces a check for that.
>> Does your kernel tree have that commit?
>>
>> Regards
>> Oliver
>
> I'm sorry - I'm not a git expert so maybe I misunderstood the meaning of the sha
> reference you gave,
> but I failed to find this commit in the master branch. What branch/repo do you
> mean?
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f78b52d522f9adfae32af8d7313b51f3af2fcf30
> says "bad commit reference"
>
> and
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/blob/?id=f78b52d522f9adfae32af8d7313b51f3af2fcf30
> says "Internal server error".
Re: rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference
On Thu, 2015-12-31 at 07:22 +0300, Vasily Galkin wrote:
> After switching from 4.3 to 4.4rc-s plugging device ID 1076:8002
> GCT Semiconductor, Inc. LU150 LTE Modem [Yota LU150] causes kernel Oops.
>
> The Oops is always reproducible when this device is plugged or system is
> booted with it.
> Oops reproduced with debian's 4.4.rc6 and vanilla 4.4rcs
> (http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.4-rc1+cod1-wily/, tried
> without nvidia blob)
> After the oops system is semi-operable - for example lsusb and rebooting hang.
>
> With debian's 4.3.0 and vanilla 4.3.3
> (http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.3.3-wily/) all works nearly
> fine - device never causes Oops but rarely silently doesn't work showing that
> cdc_ether driver is in use instead of typical rndis_host.
>
> Here are the most interesting parts of Oops, full in attached dmesg

Please try reverting 823bd3433424aa959499e6fd8f2da842430a8d42 and provide lsusb -v of your device.

Regards
Oliver
rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference
After switching from 4.3 to 4.4rc-s plugging device ID 1076:8002 GCT Semiconductor, Inc. LU150 LTE Modem [Yota LU150] causes kernel Oops.

The Oops is always reproducible when this device is plugged or system is booted with it.
Oops reproduced with debian's 4.4.rc6 and vanilla 4.4rcs (http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.4-rc1+cod1-wily/, tried without nvidia blob)
After the oops system is semi-operable - for example lsusb and rebooting hang.

With debian's 4.3.0 and vanilla 4.3.3 (http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.3.3-wily/) all works nearly fine - device never causes Oops but rarely silently doesn't work showing that cdc_ether driver is in use instead of typical rndis_host.

Here are the most interesting parts of Oops, full in attached dmesg

[ 7.321232] BUG: unable to handle kernel NULL pointer dereference at 0003
[ 7.321340] IP: [] usbnet_generic_cdc_bind+0x156/0x6e0 [cdc_ether]
[ 7.323831] CPU: 2 PID: 374 Comm: systemd-udevd Tainted: P O 4.4.0-rc6-amd64 #1 Debian 4.4~rc6-1~exp1
[ 7.324050] RIP: 0010:[] [] usbnet_generic_cdc_bind+0x156/0x6e0 [cdc_ether]
[ 7.324157] RSP: 0018:8802362939f8 EFLAGS: 00010286
[ 7.324210] RAX: RBX: 880232cf5840 RCX: 0003
[ 7.325282] Call Trace:
[ 7.325336] [] ? pcpu_alloc_area+0x220/0x3e0
[ 7.325395] [] ? generic_rndis_bind+0x60/0x510 [rndis_host]
[ 7.325469] [] ? usbnet_probe+0x31c/0x8d0 [usbnet]
[ 7.325527] [] ? __pm_runtime_set_status+0x185/0x230
[ 7.325597] [] ? usb_probe_interface+0x1b3/0x300 [usbcore]
[ 7.325655] [] ? driver_probe_device+0x212/0x480
[ 7.325711] [] ? __driver_attach+0x7b/0x80
[ 7.325766] [] ? driver_probe_device+0x480/0x480
[ 7.325822] [] ? bus_for_each_dev+0x67/0xb0
[ 7.325877] [] ? bus_add_driver+0x1df/0x270
[ 7.325932] [] ? driver_register+0x57/0xc0
[ 7.325997] [] ? usb_register_driver+0x7d/0x130 [usbcore]
[ 7.326053] [] ? 0xa0dd7000
[ 7.326108] [] ? do_one_initcall+0xb2/0x200
[ 7.326164] [] ? do_init_module+0x5b/0x1dc
[ 7.326220] [] ? load_module+0x2173/0x2780
[ 7.326275] [] ? __symbol_put+0x60/0x60
[ 7.326330] [] ? kernel_read+0x4b/0x70
[ 7.326386] [] ? SyS_finit_module+0xae/0xe0
[ 7.326442] [] ? system_call_fast_compare_end+0xc/0x67

Since lsusb is not working on problematic kernels with the device plugged, attaching lsusb -v output from the 4.3 kernel and lsusb -v output from the 4.4 kernel with the device unplugged. Also attaching dmesg of a good boot with 4.3 and disassembly with debug symbols of the cdc_ether module corresponding to the Oops trace.

According to disassembly symbols the kernel oopses while trying to read address 0x3 while executing drivers/net/usb/cdc_ether.c line 167-168:

info->control = usb_ifnum_to_if(dev->udev, info->u->bMasterInterface0);

with info->u=%rax somehow appearing to be NULL (and bMasterInterface0 is offset 3).

This code was changed last time in b0f85fa11aefc4f3e03306b4cd47f113bd57dcba and merged into mainline with b0f85fa11aefc4f3e03306b4cd47f113bd57dcba at 2015-11-04

Attachments in archive:
44rndis_oops/4.3.0-debian.dmesg
44rndis_oops/4.3.0-debian.lsusb-v
44rndis_oops/4.4rc1-vanilla-without-device.lsusb-t
44rndis_oops/4.3.0-debian.lsusb-t
44rndis_oops/4.4rc6-debian.dmesg
44rndis_oops/4.4rc6-debian.cdc_ether.objdump
44rndis_oops/4.4rc1-vanilla-without-device.lsusb-v

44rndis_oops.tar.gz
Description: GNU Zip compressed data