linux

mirror of https://github.com/torvalds/linux synced 2024-09-25 14:01:32 +00:00

History

Sarah Sharp 1b41c8321e usbfs: Fix oops related to user namespace conversion. When running the Point Grey "flycap" program for their USB 3.0 camera (which was running as a USB 2.0 device for some reason), I trigger this oops whenever I try to open a video stream: Dec 15 16:48:34 puck kernel: [ 1798.715559] BUG: unable to handle kernel NULL pointer dereference at (null) Dec 15 16:48:34 puck kernel: [ 1798.719153] IP: [<ffffffff8147841e>] free_async+0x1e/0x70 Dec 15 16:48:34 puck kernel: [ 1798.720991] PGD 6f833067 PUD 6fc56067 PMD 0 Dec 15 16:48:34 puck kernel: [ 1798.722815] Oops: 0002 [#1] SMP Dec 15 16:48:34 puck kernel: [ 1798.724627] CPU 0 Dec 15 16:48:34 puck kernel: [ 1798.724636] Modules linked in: ecryptfs encrypted_keys sha1_generic trusted binfmt_misc sha256_generic aesni_intel cryptd aes_x86_64 aes_generic parport_pc dm_crypt ppdev joydev snd_hda_codec_hdmi snd_hda_codec_conexant arc4 iwlwifi snd_hda_intel snd_hda_codec snd_hwdep snd_pcm thinkpad_acpi mac80211 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer btusb uvcvideo snd_seq_device bluetooth videodev psmouse snd v4l2_compat_ioctl32 serio_raw tpm_tis cfg80211 tpm tpm_bios nvram soundcore snd_page_alloc lp parport i915 xhci_hcd ahci libahci drm_kms_helper drm sdhci_pci sdhci e1000e i2c_algo_bit video Dec 15 16:48:34 puck kernel: [ 1798.734212] Dec 15 16:48:34 puck kernel: [ 1798.736162] Pid: 2713, comm: FlyCap2 Not tainted 3.2.0-rc5+ #28 LENOVO 4286CTO/4286CTO Dec 15 16:48:34 puck kernel: [ 1798.738148] RIP: 0010:[<ffffffff8147841e>] [<ffffffff8147841e>] free_async+0x1e/0x70 Dec 15 16:48:34 puck kernel: [ 1798.740134] RSP: 0018:ffff88005715fd78 EFLAGS: 00010296 Dec 15 16:48:34 puck kernel: [ 1798.742118] RAX: 00000000fffffff4 RBX: ffff88006fe8f900 RCX: 0000000000004118 Dec 15 16:48:34 puck kernel: [ 1798.744116] RDX: 0000000001000000 RSI: 0000000000016390 RDI: 0000000000000000 Dec 15 16:48:34 puck kernel: [ 1798.746087] RBP: ffff88005715fd88 R08: 0000000000000000 R09: ffffffff8146f22e Dec 15 16:48:34 puck kernel: [ 1798.748018] R10: ffff88006e520ac0 R11: 0000000000000001 R12: ffff88005715fe28 Dec 15 16:48:34 puck kernel: [ 1798.749916] R13: ffff88005d31df00 R14: ffff88006fe8f900 R15: 00007f688c995cb8 Dec 15 16:48:34 puck kernel: [ 1798.751785] FS: 00007f68a366da40(0000) GS:ffff880100200000(0000) knlGS:0000000000000000 Dec 15 16:48:34 puck kernel: [ 1798.753659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Dec 15 16:48:34 puck kernel: [ 1798.755509] CR2: 0000000000000000 CR3: 00000000706bb000 CR4: 00000000000406f0 Dec 15 16:48:34 puck kernel: [ 1798.757334] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 Dec 15 16:48:34 puck kernel: [ 1798.759124] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Dec 15 16:48:34 puck kernel: [ 1798.760871] Process FlyCap2 (pid: 2713, threadinfo ffff88005715e000, task ffff88006c675b80) Dec 15 16:48:34 puck kernel: [ 1798.762605] Stack: Dec 15 16:48:34 puck kernel: [ 1798.764297] ffff88005715fe28 0000000000000000 ffff88005715fe08 ffffffff81479058 Dec 15 16:48:34 puck kernel: [ 1798.766020] 0000000000000000 ffffea0000004000 ffff880000004118 0000000000000000 Dec 15 16:48:34 puck kernel: [ 1798.767750] ffff880000000001 ffff88006e520ac0 fffffff46fd81180 0000000000000000 Dec 15 16:48:34 puck kernel: [ 1798.769472] Call Trace: Dec 15 16:48:34 puck kernel: [ 1798.771147] [<ffffffff81479058>] proc_do_submiturb+0x778/0xa00 Dec 15 16:48:34 puck kernel: [ 1798.772798] [<ffffffff8147a5fd>] usbdev_do_ioctl+0x24d/0x1200 Dec 15 16:48:34 puck kernel: [ 1798.774410] [<ffffffff8147b5de>] usbdev_ioctl+0xe/0x20 Dec 15 16:48:34 puck kernel: [ 1798.775975] [<ffffffff81189259>] do_vfs_ioctl+0x99/0x600 Dec 15 16:48:34 puck kernel: [ 1798.777534] [<ffffffff81189851>] sys_ioctl+0x91/0xa0 Dec 15 16:48:34 puck kernel: [ 1798.779088] [<ffffffff816247c2>] system_call_fastpath+0x16/0x1b ec 15 16:48:34 puck kernel: [ 1798.780634] Code: 51 ff ff ff e9 29 ff ff ff 0f 1f 40 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 48 89 fb 48 8b 7f 18 e8 a6 ea c0 ff 4 8 8b 7b 20 <f0> ff 0f 0f 94 c0 84 c0 74 05 e8 d3 99 c1 ff 48 8b 43 40 48 8b Dec 15 16:48:34 puck kernel: [ 1798.783970] RIP [<ffffffff8147841e>] free_async+0x1e/0x70 Dec 15 16:48:34 puck kernel: [ 1798.785630] RSP <ffff88005715fd78> Dec 15 16:48:34 puck kernel: [ 1798.787274] CR2: 0000000000000000 Dec 15 16:48:34 puck kernel: [ 1798.794728] ---[ end trace 52894d3355f88d19 ]--- markup_oops.pl says the oops is in put_cred: ffffffff81478401: 48 89 e5 mov %rsp,%rbp ffffffff81478404: 53 push %rbx ffffffff81478405: 48 83 ec 08 sub $0x8,%rsp ffffffff81478409: e8 f2 c0 1a 00 callq ffffffff81624500 <mcount> ffffffff8147840e: 48 89 fb mov %rdi,%rbx \| %ebx => ffff88006fe8f900 put_pid(as->pid); ffffffff81478411: 48 8b 7f 18 mov 0x18(%rdi),%rdi ffffffff81478415: e8 a6 ea c0 ff callq ffffffff81086ec0 <put_pid> put_cred(as->cred); ffffffff8147841a: 48 8b 7b 20 mov 0x20(%rbx),%rdi \| %edi => 0 %ebx = ffff88006fe8f900 / static inline int atomic_dec_and_test(atomic_t v) { unsigned char c; asm volatile(LOCK_PREFIX "decl %0; sete %1" ffffffff8147841e: f0 ff 0f lock decl (%rdi) \| %edi = 0 <--- faulting instruction ffffffff81478421: 0f 94 c0 sete %al static inline void put_cred(const struct cred _cred) { struct cred cred = (struct cred ) _cred; validate_creds(cred); if (atomic_dec_and_test(&(cred)->usage)) ffffffff81478424: 84 c0 test %al,%al ffffffff81478426: 74 05 je ffffffff8147842d <free_async+0x2d> __put_cred(cred); ffffffff81478428: e8 d3 99 c1 ff callq ffffffff81091e00 <__put_cred> kfree(as->urb->transfer_buffer); ffffffff8147842d: 48 8b 43 40 mov 0x40(%rbx),%rax ffffffff81478431: 48 8b 78 68 mov 0x68(%rax),%rdi ffffffff81478435: e8 a6 e1 ce ff callq ffffffff811665e0 <kfree> kfree(as->urb->setup_packet); ffffffff8147843a: 48 8b 43 40 mov 0x40(%rbx),%rax ffffffff8147843e: 48 8b b8 90 00 00 00 mov 0x90(%rax),%rdi ffffffff81478445: e8 96 e1 ce ff callq ffffffff811665e0 <kfree> usb_free_urb(as->urb); ffffffff8147844a: 48 8b 7b 40 mov 0x40(%rbx),%rdi ffffffff8147844e: e8 0d 6b ff ff callq ffffffff8146ef60 <usb_free_urb> This bug seems to have been introduced by commit `d178bc3a70` "user namespace: usb: make usb urbs user namespace aware (v2)" I'm not sure if this is right fix, but it does stop the oops. Unfortunately, the Point Grey software still refuses to work, but it's a closed source app, so I can't fix it. Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>		2011-12-22 14:07:09 -08:00
..
accessibility
acpi	pstore: pass allocated memory region back to caller	2011-11-17 12:58:07 -08:00
amba
ata	libata: fix build without BMDMA	2011-11-17 02:11:42 -05:00
atm
auxdisplay
base	PM / Driver core: leave runtime PM enabled during system shutdown	2011-12-07 22:26:56 +01:00
bcma
block	paride: fix potential information leak in pg_read()	2011-11-16 09:21:50 +01:00
bluetooth	Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless	2011-11-09 16:22:15 -05:00
cdrom
char	fix typo/thinko in get_random_bytes()	2011-11-17 11:42:54 -02:00
clk
clocksource
connector
cpufreq	[CPUFREQ] db8500: fix build error due to undeclared i variable	2011-11-11 22:28:33 -05:00
cpuidle
crypto	Merge git://github.com/herbertx/crypto	2011-11-25 21:55:07 -08:00
dca
devfreq	PM / devfreq: correct Kconfig dependency	2011-11-14 23:31:35 +01:00
dio
dma
edac	drivers/edac/mpc85xx_edac.c: fix memory controller compatible for edac	2011-11-24 01:59:38 -06:00
eisa
firewire
firmware	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound	2011-12-02 08:10:51 -08:00
gpio	gpio: fix a build failure on KS8695 GPIO	2011-12-05 15:30:33 -08:00
gpu	vmwgfx: Use kcalloc instead of kzalloc to allocate array	2011-12-07 10:44:41 +00:00
hid	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid	2011-12-02 08:25:46 -08:00
hv	NLS: improve UTF8 -> UTF16 string conversion routine	2011-11-18 10:51:01 -08:00
hwmon	hwmon: convert drivers/hwmon/* to use module_platform_driver()	2011-11-26 09:48:20 -08:00
hwspinlock	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux	2011-11-08 18:34:16 -08:00
i2c	Merge branch 'fixes' of http://ftp.arm.linux.org.uk/pub/linux/arm/kernel/git-cur/linux-2.6-arm	2011-12-01 11:53:54 -08:00
ide	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide	2011-11-18 22:04:12 -02:00
idle
ieee802154
infiniband	Merge branches 'cxgb4', 'ipoib', 'misc' and 'qib' into for-next	2011-11-29 18:01:53 -08:00
input	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input	2011-11-22 09:18:06 -08:00
iommu	intr_remapping: Fix section mismatch in ir_dev_scope_init()	2011-12-05 18:22:53 +01:00
isdn	isdn: avoid copying too long drvid	2011-11-29 18:39:37 -05:00
leds	Revert "leds: save the delay values after a successful call to blink_set()"	2011-11-15 22:41:50 -02:00
lguest
macintosh	m68k/irq: Remove obsolete IRQ_FLG_* users	2011-11-08 22:35:48 +01:00
mca
md	md: raid5 crash during degradation	2011-12-09 14:26:11 +11:00
media	Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media	2011-11-12 00:03:50 -02:00
memstick
message
mfd
misc	Merge branch 'char-misc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc	2011-11-21 20:36:05 -08:00
mmc	arm/imx: fix imx6q mmc error when mounting rootfs	2011-11-11 16:53:35 +01:00
mtd
net	Merge git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile	2011-12-09 08:08:57 -08:00
nfc
nubus
of	of/irq: Get rid of NO_IRQ usage	2011-12-07 09:06:37 -08:00
oprofile	Merge branch 'urgent' of git://amd64.org/linux/rric into perf/urgent	2011-11-15 11:03:30 +01:00
parisc
parport
pci	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci	2011-11-23 14:58:46 -08:00
pcmcia
pinctrl	pinctrl: hide subsystem from the populace	2011-11-10 09:02:12 +01:00
platform	toshiba_acpi: Fix machines that don't support HCI_SYSTEM_EVENT	2011-12-05 13:07:28 -05:00
pnp
power	x86/mrst: Battery fixes	2011-12-05 17:06:37 +01:00
pps
ps3
ptp	ptp: Fix clock_getres() implementation	2011-12-06 11:38:32 +01:00
rapidio	rapidio/tsi721: modify PCIe capability settings	2011-12-09 07:50:29 -08:00
regulator	regulator: twl: fix twl4030 support for smps regulators	2011-11-28 18:58:31 +00:00
rtc	drivers/rtc/rtc-s3c.c: fix driver clock enable/disable balance issues	2011-12-09 07:50:28 -08:00
s390	[S390] ap: Setup timer for sending messages after reset.	2011-12-01 13:32:18 +01:00
sbus
scsi	[SCSI] hpsa: Disable ASPM	2011-11-14 10:47:01 -06:00
sfi
sh	Merge branches 'sh/pm-runtime' and 'common/clkfwk' into sh-fixes-for-linus	2011-11-11 16:16:25 +09:00
sn
spi	spi/gpio: fix section mismatch warning	2011-12-07 22:17:39 +01:00
ssb
staging	Merge branch 'staging-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging	2011-12-02 13:30:25 -08:00
target	iscsi-target: Fix hex2bin warn_unused compile message	2011-12-06 06:00:59 +00:00
tc
telephony
thermal
tty	Merge branch 'tty-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty	2011-11-21 20:36:46 -08:00
uio
usb	usbfs: Fix oops related to user namespace conversion.	2011-12-22 14:07:09 -08:00
uwb	uwb: Use kcalloc instead of kzalloc to allocate array	2011-12-09 16:18:20 -08:00
vhost
video	viafb: correct sync polarity for OLPC DCON	2011-11-22 00:56:17 +00:00
virt
virtio	virtio-pci: make reset operation safer	2011-11-24 13:04:48 +10:30
vlynq
w1
watchdog	watchdog: fix initialisation printout in s3c2410_wdt	2011-11-16 22:04:17 +01:00
xen	xen-gntalloc: signedness bug in add_grefs()	2011-11-16 12:13:48 -05:00
zorro
Kconfig
Makefile