Re: rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference

2016-01-03 Thread Oliver Neukum
On Sun, 2016-01-03 at 20:50 +0100, Bjørn Mork wrote:
> 
> But like you, I cannot find the commit supposed to fix this.  There is
> no such commit in net, net-next, usb or usb-next AFAICS.  And I can't
> find any other relevant commit after the one introducing this bug
> either.  Did you forget to submit it maybe, Oliver?

Hi,

it seems I am becoming forgetful. Vasily, could you test?

Regards
Oliver


From f78b52d522f9adfae32af8d7313b51f3af2fcf30 Mon Sep 17 00:00:00 2001
From: Oliver Neukum 
Date: Tue, 22 Sep 2015 15:45:21 +0200
Subject: [PATCH] cdc-acm: fix NULL pointer reference

The union descriptor must be checked. Its usage was conditional
before the parser was introduced.

Signed-off-by: Oliver Neukum 
---
 drivers/net/usb/cdc_ether.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index c78d3cb..437d9db 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
 	info->u = header.usb_cdc_union_desc;
 	info->header = header.usb_cdc_header_desc;
 	info->ether = header.usb_cdc_ether_desc;
+	if (!info->u) {
+		if (rndis)
+			goto skip;
+		else /* in that case a quirk is mandatory */
+			goto bad_desc;
+	}
 	/* we need a master/control interface (what we're
 	 * probed with) and a slave/data interface; union
 	 * descriptors sort this all out.
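Review bot: the `goto skip` taken for rndis when `info->u` is NULL jumps past the master/control and slave/data interface lookup that the comment immediately below says the union descriptor provides, so `info->control` and `info->data` are not established on that path unless code after `skip:` does it; a sentence in the comment (or in the commit message, whose subject says cdc-acm while the file touched is drivers/net/usb/cdc_ether.c) should say how those are set for the union-less RNDIS case. Also, `else /* in that case a quirk is mandatory */` wedges the comment between `else` and its statement; putting it on its own line above the `else` reads cleaner.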
@@ -256,7 +262,7 @@ skip:
 			goto bad_desc;
 		}
 
-	} else if (!info->header || !info->u || (!rndis && !info->ether)) {
+	} else if (!info->header || (!rndis && !info->ether)) {
 		dev_dbg(>dev, "missing cdc %s%s%sdescriptor\n",
 			info->header ? "" : "header ",
 			info->u ? "" : "union ",
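Review bot: with `!info->u` removed from the condition, the `info->u ? "" : "union "` fragment two lines below can now only be reached on the rndis path, where a missing union is deliberately accepted, so the debug message would list "union " as missing in exactly the case the new check allows; either drop that fragment or gate it on `!rndis`. Separately, the lsusb output quoted later in this thread shows call-management (subtype 01) and ACM (subtype 02) functional descriptors but no header (subtype 00) descriptor for this device, so it is worth confirming on that hardware that the remaining `!info->header` test does not still send the rndis path to bad_desc.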
-- 
2.1.4



Re: rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference

2016-01-03 Thread Bjørn Mork
Vasily Galkin  writes:

> I reverted 823bd3433424aa959499e6fd8f2da842430a8d42 and recompiled cdc_ether 
> module for debian's 4.4rc6.
> Device began working normally as usual, no Oopses or problems.
>
> Attaching lsusb output for this kernel.

[..]

> Interface Descriptor:
>   bLength                 9
>   bDescriptorType         4
>   bInterfaceNumber        0
>   bAlternateSetting       0
>   bNumEndpoints           1
>   bInterfaceClass       224 Wireless
>   bInterfaceSubClass      1 Radio Frequency
>   bInterfaceProtocol      3 RNDIS
>   iInterface              0
>   ** UNRECOGNIZED:  05 24 01 00 01
>   ** UNRECOGNIZED:  04 24 02 00
>   ** UNRECOGNIZED:  05 24 02 00 01

Fascinating!  A nice example of why we should never trust descriptors,
even for real, presumably non-malicious, devices.  The last descriptor
there is invalid, and should probably have been "05 24 06 00 01".
I.e. a CDC Union pointing to intf #0 as master and #1 as slave.

Anyway, we won't consider that a union descriptor. And oops we go when
we unconditionally dereference info->u.

But like you, I cannot find the commit supposed to fix this.  There is
no such commit in net, net-next, usb or usb-next AFAICS.  And I can't
find any other relevant commit after the one introducing this bug
either.  Did you forget to submit it maybe, Oliver?

BTW, it would be great if any reference to commit ids included the
title, like 'commit 823bd3433424 ("cdc-ether: switch to common CDC
parser")'. That makes it easier to spot any cut'n'paste error or such.


Bjørn
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Trouble posting from gmail, was Re: rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference

2016-01-02 Thread Peter Lawrence
I'm sorry for breaking in, but this is a test to see if I can reach
the mailing list at all. All my direct emails have been triggering
error messages instead of getting through, even though as far as I
know I have followed the instructions to stop them being misunderstood
as list commands.  PML.

On 03/01/2016, Vasily Galkin  wrote:
>> On Sat, 2016-01-02 at 06:11 +0300, Vasily Galkin wrote:
>>
>>> I reverted 823bd3433424aa959499e6fd8f2da842430a8d42 and recompiled
>>> cdc_ether module for debian's 4.4rc6.
>>> Device began working normally as usual, no Oopses or problems.
>>>
>>> Attaching lsusb output for this kernel.
>>>
>>> Note that this device uses usb mode switching: initially it appears as
>>> 1076:8001 storage with drivers, and then is switched to actual networking
>>> device 1076:8002.
>>> I'm attaching lsusb -v output for both modes.
>>
>> Your analysis seems entirely correct, but that doesn't
>> explain how info->u can be NULL, as commit
>> f78b52d522f9adfae32af8d7313b51f3af2fcf30
>> introduces a check for that.
>> Does your kernel tree have that commit?
>>
>> Regards
>> Oliver
>
> I'm sorry - I'm not a git expert so maybe I misunderstood the meaning of the sha
> reference you gave,
> but I failed to find this commit in master branch. What branch/repo do you
> mean?
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f78b52d522f9adfae32af8d7313b51f3af2fcf30
> says "bad commit reference"
>
> and
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/blob/?id=f78b52d522f9adfae32af8d7313b51f3af2fcf30
> says "Internal server error".


Re: rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference

2015-12-31 Thread Oliver Neukum
On Thu, 2015-12-31 at 07:22 +0300, Vasily Galkin wrote:
> After switching from 4.3 to 4.4rc-s plugging device ID 1076:8002 
> GCT Semiconductor, Inc. LU150 LTE Modem [Yota LU150] causes kernel Oops.
> 
> The Oops is always reproducible when this device is plugged or system is 
> booted with it.
> Oops reproduced with debian's 4.4.rc6 and vanilla 4.4rcs 
> (http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.4-rc1+cod1-wily/, tried 
> without nvidia blob)
> After the oops system is semioperable - for example lsusb and rebooting hang.
> 
> With debian's 4.3.0 and vanilla 4.3.3 
> (http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.3.3-wily/) all works nearly 
> fine - device never causes Oops but rarely silently doesn't work showing that 
> cdc_ether driver is in use instead of typical rndis_host.
> 
> Here are the most interesting parts of Oops, full in attached dmesg

Please try reverting 823bd3433424aa959499e6fd8f2da842430a8d42
and provide lsusb -v of your device.

Regards
Oliver





rndis/cdc_ether usb device causing Oops in 4.4rc1+ with NULL dereference

2015-12-30 Thread Vasily Galkin
After switching from 4.3 to 4.4rc-s plugging device ID 1076:8002 
GCT Semiconductor, Inc. LU150 LTE Modem [Yota LU150] causes kernel Oops.

The Oops is always reproducible when this device is plugged or system is booted 
with it.
Oops reproduced with debian's 4.4.rc6 and vanilla 4.4rcs 
(http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.4-rc1+cod1-wily/, tried 
without nvidia blob)
After the oops system is semioperable - for example lsusb and rebooting hang.

With debian's 4.3.0 and vanilla 4.3.3 
(http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.3.3-wily/) all works nearly 
fine - device never causes Oops but rarely silently doesn't work showing that 
cdc_ether driver is in use instead of typical rndis_host.

Here are the most interesting parts of Oops, full in attached dmesg

[ 7.321232] BUG: unable to handle kernel NULL pointer dereference at 
0003
[ 7.321340] IP: [] usbnet_generic_cdc_bind+0x156/0x6e0 
[cdc_ether]
[ 7.323831] CPU: 2 PID: 374 Comm: systemd-udevd Tainted: P O 4.4.0-rc6-amd64 #1 
Debian 4.4~rc6-1~exp1
[ 7.324050] RIP: 0010:[] [] 
usbnet_generic_cdc_bind+0x156/0x6e0 [cdc_ether]
[ 7.324157] RSP: 0018:8802362939f8 EFLAGS: 00010286
[ 7.324210] RAX:  RBX: 880232cf5840 RCX: 0003
[ 7.325282] Call Trace:
[ 7.325336] [] ? pcpu_alloc_area+0x220/0x3e0
[ 7.325395] [] ? generic_rndis_bind+0x60/0x510 [rndis_host]
[ 7.325469] [] ? usbnet_probe+0x31c/0x8d0 [usbnet]
[ 7.325527] [] ? __pm_runtime_set_status+0x185/0x230
[ 7.325597] [] ? usb_probe_interface+0x1b3/0x300 [usbcore]
[ 7.325655] [] ? driver_probe_device+0x212/0x480
[ 7.325711] [] ? __driver_attach+0x7b/0x80
[ 7.325766] [] ? driver_probe_device+0x480/0x480
[ 7.325822] [] ? bus_for_each_dev+0x67/0xb0
[ 7.325877] [] ? bus_add_driver+0x1df/0x270
[ 7.325932] [] ? driver_register+0x57/0xc0
[ 7.325997] [] ? usb_register_driver+0x7d/0x130 [usbcore]
[ 7.326053] [] ? 0xa0dd7000
[ 7.326108] [] ? do_one_initcall+0xb2/0x200
[ 7.326164] [] ? do_init_module+0x5b/0x1dc
[ 7.326220] [] ? load_module+0x2173/0x2780
[ 7.326275] [] ? __symbol_put+0x60/0x60
[ 7.326330] [] ? kernel_read+0x4b/0x70
[ 7.326386] [] ? SyS_finit_module+0xae/0xe0
[ 7.326442] [] ? system_call_fast_compare_end+0xc/0x67

Since lsusb is not working on problematic kernels with plugged device, attaching 
lsusb -v output from 4.3 kernel and lsusb -v output from 4.4 kernel with 
unplugged device.

Also attaching dmesg of good boot with 4.3 and disassembly with debug symbols 
of cdc_ether module corresponding to Oops trace.

According to disassembly symbols kernel oopses while trying to read address 0x3 
while executing drivers/net/usb/cdc_ether.c lines 167-168:
info->control = usb_ifnum_to_if(dev->udev,
                                info->u->bMasterInterface0);
with info->u (in %rax) somehow appearing to be NULL (and bMasterInterface0 is offset 
3).

This code was changed last time in b0f85fa11aefc4f3e03306b4cd47f113bd57dcba and 
merged into mainline with b0f85fa11aefc4f3e03306b4cd47f113bd57dcba at 2015-11-04
Attachments in archive:
44rndis_oops/4.3.0-debian.dmesg
44rndis_oops/4.3.0-debian.lsusb-v
44rndis_oops/4.4rc1-vanilla-without-device.lsusb-t
44rndis_oops/4.3.0-debian.lsusb-t
44rndis_oops/4.4rc6-debian.dmesg
44rndis_oops/4.4rc6-debian.cdc_ether.objdump
44rndis_oops/4.4rc1-vanilla-without-device.lsusb-v


44rndis_oops.tar.gz
Description: GNU Zip compressed data
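As an added illustration (not code from the thread or from the kernel tree) of the descriptor walk Bjørn describes and the offset-3 fault Vasily traced: a minimal parser run over the three UNRECOGNIZED byte strings quoted in the lsusb output, a bind-time check of the same shape as Oliver's patch, and the repaired union descriptor Bjørn proposes. Constant names and the struct layout mirror include/uapi/linux/usb/cdc.h; the function names and the return-code convention are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Constants and layout follow include/uapi/linux/usb/cdc.h. */
#define USB_DT_CS_INTERFACE 0x24
#define USB_CDC_UNION_TYPE  0x06

struct __attribute__((packed)) usb_cdc_union_desc {
	uint8_t bLength, bDescriptorType, bDescriptorSubType;
	uint8_t bMasterInterface0, bSlaveInterface0; /* offsets 3 and 4 */
};

/* Walk the class-specific descriptors and return the first well-formed
 * union descriptor, or NULL. Stops at the first bad bLength so a short or
 * oversized entry cannot push the cursor past the buffer. A subtype 0x02
 * entry of length 5 is still not a union, so the LU150 bytes yield NULL. */
static const struct usb_cdc_union_desc *cdc_find_union(const uint8_t *buf,
						       size_t len)
{
	while (len >= 3 && buf[0] >= 3 && buf[0] <= len) {
		uint8_t dlen = buf[0];
		if (buf[1] == USB_DT_CS_INTERFACE && buf[2] == USB_CDC_UNION_TYPE &&
		    dlen >= sizeof(struct usb_cdc_union_desc))
			return (const struct usb_cdc_union_desc *)buf;
		buf += dlen;
		len -= dlen;
	}
	return NULL;
}

/* The bind-time check the patch adds: never dereference a missing union.
 * Returns the master interface number, -1 for "RNDIS, carry on without a
 * union", or -2 (bad descriptor) for any other function that lacks one. */
static int cdc_master_interface(const struct usb_cdc_union_desc *u, int rndis)
{
	if (!u)
		return rndis ? -1 : -2;
	return u->bMasterInterface0;
}

/* Constructed from the "UNRECOGNIZED" lines of the lsusb -v quoted above. */
static const uint8_t lu150_extra[] = {
	0x05, 0x24, 0x01, 0x00, 0x01, /* call management */
	0x04, 0x24, 0x02, 0x00,       /* ACM, bmCapabilities 0 */
	0x05, 0x24, 0x02, 0x00, 0x01, /* subtype 02 again; a union would be 06 */
};
/* Same bytes with the last entry repaired as Bjørn suggests: 05 24 06 00 01. */
static const uint8_t lu150_fixed[] = { 0x05, 0x24, 0x01, 0x00, 0x01,
	0x04, 0x24, 0x02, 0x00, 0x05, 0x24, 0x06, 0x00, 0x01 };
```

offsetof(struct usb_cdc_union_desc, bMasterInterface0) is 3, which is why a NULL union pointer shows up as a read of address 0x3 in the oops.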