Modify

Opened 10 years ago

Closed 10 years ago

#3836 closed defect (fixed)

[PATCH] cdc-acm: don't unlock acm->mutex on error path

Reported by: anonymous Owned by: developers
Priority: highest Milestone:
Component: kernel Version:
Keywords: Cc:

Description

I am using kamikaze trunk r12064 with USB modem (ACM compatible).

After hot unplug USB modem i get kernel OOPS on next pppd start:

BUG: unable to handle kernel NULL pointer dereference at 00000300
IP: [<c0276335>] mutex_unlock+0x1/0xb
*pde = 00000000
Oops: 0002 [#1] SMP
Modules linked in: cdc_acm ehci_hcd uhci_hcd ohci_hcd ath_pci wlan_xauth wlan_wep wlan_tkip wlan_ccmp wlan_acl ath_rate_minstrel ath_hal(P) wlan_scan_sta wlan_scan_ap wlan e100 ata_piix ahci sd_mod ppp_synctty nf_nat_snmp_basic nf_nat_sip nf_conntrack_sip nf_nat_rtsp nf_conntrack_rtsp nf_nat_pptp nf_conntrack_pptp nf_nat_h323 nf_conntrack_h323 nf_nat_proto_gre nf_conntrack_proto_gre nf_nat_tftp nf_conntrack_tftp nf_nat_irc nf_conntrack_irc nf_nat_ftp nf_conntrack_ftp ipt_REDIRECT ipt_NETMAP ipt_SET ipt_set ip_set_portmap ip_set_nethash ip_set_macipmap ip_set_iptreemap ip_set_iptree ip_set_ipporthash ip_set_ipmap ip_set_iphash ip_set xt_esp ipt_ah xt_iprange ipt_TTL xt_MARK ipt_ECN xt_CLASSIFY ipt_ttl xt_time ipt_time xt_tcpmss xt_statistic xt_mark xt_mac xt_length ipt_ecn xt_DSCP xt_dscp imq ipt_IMQ xt_string xt_layer7 ipt_ipp2p ipt_LOG xt_CHAOS xt_DELUDE xt_TARPIT xt_quota xt_portscan xt_pkttype xt_physdev iptable_raw xt_NOTRACK xt_CONNMARK ipt_recent xt_helper xt_conntrack xt_connmark xt_connbytes ebt_vlan ebt_ulog ebt_stp ebt_snat ebt_redirect ebt_pkttype ebt_mark_m ebt_mark ebt_log ebt_limit ebt_ip ebt_dnat ebt_arpreply ebt_arp ebt_among ebt_802_3 ebtable_nat ebtable_filter ebtable_broute ebtables bonding arptable_filter arpt_mangle arp_tables ppp_async ppp_generic slhc crc_ccitt loop isofs ext3 jbd libata usbcore scsi_mod nls_base [last unloaded: cdc_acm]

Pid: 1630, comm: pppd Tainted: P         (2.6.25.12 #1)
EIP: 0060:[<c0276335>] EFLAGS: 00010246 CPU: 0
EIP is at mutex_unlock+0x1/0xb
EAX: 00000300 EBX: 00000000 ECX: d8a424a8 EDX: d6cd4940
ESI: ffffffea EDI: 0a600000 EBP: 00000000 ESP: d66c3eb0
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process pppd (pid: 1630, ti=d66c2000 task=d7b8c5d0 task.ti=d66c2000)
Stack: d8a4261b 00000000 d6cd4940 0a600000 c01cbc55 00000802 00000000 d781b800
       00000000 d64d1e04 00000000 d66743dc c0154c06 d6cd4940 00000000 d6cd4940
       d66743dc 00000000 c0154ae8 c0151555 d780d120 d758ce54 d66c3f30 d6cd4940
Call Trace:
 [<d8a4261b>] __mod_vermagic5+0x45fb/0x46cc [cdc_acm]
 [<c01cbc55>] tty_open+0x169/0x29d
 [<c0154c06>] chrdev_open+0x11e/0x15b
 [<c0154ae8>] chrdev_open+0x0/0x15b
 [<c0151555>] __dentry_open+0xbe/0x16b
 [<c015161e>] nameidata_to_filp+0x1c/0x2c
 [<c015165a>] do_filp_open+0x2c/0x32
 [<c0151696>] do_sys_open+0x36/0x67
 [<c015170b>] sys_open+0x1e/0x23
 [<c0103c22>] syscall_call+0x7/0xb
 [<c0270000>] vlandev_seq_show+0x104/0x15c
 =======================
Code: 89 e9 89 54 24 10 8d 54 24 04 ff 74 24 34 8b 44 24 04 e8 49 ff ff ff 83 c4 24 5b 5e 5f 5d c3 90 ff 08 79 05 e8 31 01 00 00 c3 90 <ff> 00 7f 05 e8 cf 00 00 00 c3 e9 43 49 eb ff 80 3d 80 d3 30 c0
EIP: [<c0276335>] mutex_unlock+0x1/0xb SS:ESP 0068:d66c3eb0
---[ end trace 4affbbadff4c659f ]---
Clocksource tsc unstable (delta = 717860412 ns)

As solution i applied patch:

--- linux-2.6.25.12/drivers/usb/class/cdc-acm.c.bak     2008-08-03 16:42:38.000000000 +0300
+++ linux-2.6.25.12/drivers/usb/class/cdc-acm.c 2008-08-03 16:43:14.000000000 +0300
@@ -531,8 +531,8 @@
        tasklet_schedule(&acm->urb_task);

 done:
-err_out:
        mutex_unlock(&acm->mutex);
+err_out:
        mutex_unlock(&open_mutex);
        return rv;

That was posted on http://lkml.org/lkml/2008/7/23/102 and problem gone.

So the patch seems works for me too. Please add that one to trunk.

Attachments (0)

Change History (1)

comment:1 Changed 10 years ago by florian

  • Resolution set to fixed
  • Status changed from new to closed

Applied in [12154], thanks !

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.