2008-07-23 12:59:36

by Andrei Popa

Subject: kernel oops


Hello,

I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify"
and the kernel oopsed:

BUG: unable to handle kernel NULL pointer dereference at 00000458
IP: [<c0444b52>] mutex_unlock+0x0/0xb
*pde = 00000000
Oops: 0002 [#1] PREEMPT SMP

Pid: 19043, comm: gnokii Not tainted (2.6.26-ineo7 #2)
EIP: 0060:[<c0444b52>] EFLAGS: 00010246 CPU: 0
EIP is at mutex_unlock+0x0/0xb
EAX: 00000458 EBX: 00000000 ECX: df90a000 EDX: dc722100
ESI: df90a000 EDI: 00000458 EBP: 00000100 ESP: dc736e54
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process gnokii (pid: 19043, ti=dc736000 task=dfb3c6c0 task.ti=dc736000)
Stack: c03830ae 00000000 dc736e84 00000000 ffffffea ffffffed c0383062 dc722100
00000100 c023cbfd 0902e0ff 0a600000 df90a000 00000000 df857544 dc713240
00000000 c023ca9e c016951c dc722100 00000000 dc722100 dc713240 00000000
Call Trace:
[<c03830ae>] acm_tty_open+0x4c/0x214
[<c0383062>] acm_tty_open+0x0/0x214
[<c023cbfd>] tty_open+0x15f/0x2a6
[<c023ca9e>] tty_open+0x0/0x2a6
[<c016951c>] chrdev_open+0x98/0x149
[<c0169484>] chrdev_open+0x0/0x149
[<c0165dde>] __dentry_open+0xfd/0x222
[<c0165f96>] nameidata_to_filp+0x2e/0x53
[<c016f80b>] do_filp_open+0x1bb/0x64f
[<c016610e>] get_unused_fd_flags+0xb3/0xe3
[<c016d383>] do_getname+0x4b/0x82
[<c0166239>] do_sys_open+0x50/0xdd
[<c01662f2>] sys_open+0x2c/0x3c
[<c0102eb1>] sysenter_past_esp+0x6a/0x91
[<c0440000>] init_chipset_sis5513+0x1b2/0x1c5
=======================
Code: 44 24 38 ec 2a 13 c0 e8 06 ff ff ff 8b 5c 24 48 8b 74 24 4c 8b 7c
24 50 8b 6c 24 54 83 c4 58 c3 f0 ff 08 79 05 e8 9e 00 00 00 c3 <f0> ff
00 7f 05 e8 01 00 00 00 c3 83 ec 08 89 74 24 04 8d 70 04
EIP: [<c0444b52>] mutex_unlock+0x0/0xb SS:ESP 0068:dc736e54
---[ end trace 2723488af998d371 ]---


2008-07-23 13:24:24

by Alexey Dobriyan

Subject: [PATCH] cdc-acm: don't unlock acm->mutex on error path

On Wed, Jul 23, 2008 at 03:52:36PM +0300, Andrei Popa wrote:
> I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify"
> and the kernel oopsed:
>
> BUG: unable to handle kernel NULL pointer dereference at 00000458
> IP: [<c0444b52>] mutex_unlock+0x0/0xb
> [<c03830ae>] acm_tty_open+0x4c/0x214

Try this:

[PATCH] cdc-acm: don't unlock acm->mutex on error path

Signed-off-by: Alexey Dobriyan <[email protected]>
---

drivers/usb/class/cdc-acm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -595,8 +595,8 @@ static int acm_tty_open(struct tty_struct *tty, struct file *filp)
tasklet_schedule(&acm->urb_task);

done:
-err_out:
mutex_unlock(&acm->mutex);
+err_out:
mutex_unlock(&open_mutex);
return rv;
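Review bot: moving err_out: below mutex_unlock(&acm->mutex) means every goto err_out in acm_tty_open now skips that release, so the change is only correct if no jump to err_out happens after acm->mutex has been taken; that is not visible in the hunk and is worth confirming before merging, since the failure mode would then be a leaked acm->mutex instead of the NULL dereference. The changelog would also benefit from stating the trigger: err_out is reached with acm == NULL (or acm->dev absent) while acm->mutex was never locked, which is the oops at mutex_unlock+0x0 called from acm_tty_open in the report.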

2008-07-23 13:36:24

by Andrei Popa

Subject: Re: [PATCH] cdc-acm: don't unlock acm->mutex on error path


It's ok now, thanks.

On Wed, 2008-07-23 at 17:23 +0400, Alexey Dobriyan wrote:
> On Wed, Jul 23, 2008 at 03:52:36PM +0300, Andrei Popa wrote:
> > I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify"
> > and the kernel oopsed:
> >
> > BUG: unable to handle kernel NULL pointer dereference at 00000458
> > IP: [<c0444b52>] mutex_unlock+0x0/0xb
> > [<c03830ae>] acm_tty_open+0x4c/0x214
>
> Try this:
>
> [PATCH] cdc-acm: don't unlock acm->mutex on error path
>
> Signed-off-by: Alexey Dobriyan <[email protected]>
> ---
>
> drivers/usb/class/cdc-acm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -595,8 +595,8 @@ static int acm_tty_open(struct tty_struct *tty, struct file *filp)
> tasklet_schedule(&acm->urb_task);
>
> done:
> -err_out:
> mutex_unlock(&acm->mutex);
> +err_out:
> mutex_unlock(&open_mutex);
> return rv;
>
>

2008-07-23 15:12:01

by Vegard Nossum

Subject: Re: kernel oops

Hi,

On Wed, Jul 23, 2008 at 2:52 PM, Andrei Popa <[email protected]> wrote:
>
> Hello,
>
> I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify"
> and the kernel oopsed:
>
> BUG: unable to handle kernel NULL pointer dereference at 00000458
> IP: [<c0444b52>] mutex_unlock+0x0/0xb
> *pde = 00000000
> Oops: 0002 [#1] PREEMPT SMP
>
> Pid: 19043, comm: gnokii Not tainted (2.6.26-ineo7 #2)
> EIP: 0060:[<c0444b52>] EFLAGS: 00010246 CPU: 0
> EIP is at mutex_unlock+0x0/0xb
...
> [<c03830ae>] acm_tty_open+0x4c/0x214

This shouldn't be too hard; the code is trying to unlock the mutex
&acm->mutex even when "acm" is NULL. It seems that the label "err_out"
is otherwise unused, so it makes sense to move this one step further
down, so that it doesn't try to unlock the non-existent mutex.

If the problem is reproducible, you could try the patch below!


Vegard

PS: I actually think the code has some other problems too. Shouldn't
&acm->mutex be locked before we even inspect acm->dev?


Reported-by: Andrei Popa <[email protected]>
Signed-off-by: Vegard Nossum <[email protected]>

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 63c3404..74d03a7 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -525,8 +525,8 @@ static int acm_tty_open(struct tty_struct *tty, struct file *filp)
tasklet_schedule(&acm->urb_task);

done:
-err_out:
mutex_unlock(&acm->mutex);
+err_out:
mutex_unlock(&open_mutex);
return rv;
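Review bot: the commit message carries only the Reported-by and Signed-off-by tags; the reasoning given in the mail body (err_out is reached with acm == NULL and acm->mutex never taken, so the unlock must move out of the error path) belongs above the tags so it survives in the git history. The hunk is the same change as the earlier patch in this thread at a different offset (line 525 here versus 595 there, base index 63c3404), so the maintainer should take one of the two, not both. The PS about acm->dev being inspected before acm->mutex is held is a separate locking question and deserves its own patch rather than a footnote.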
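A user-space model of the exit ladder discussed in this thread, added here as an illustration (it is not cdc-acm.c and not either poster's code): `struct acm`, the `mock_*` mutex and `bad_unlocks` are stand-ins constructed for the example, and the return value of acm_tty_open is left out. It shows why the error path faults with acm == NULL before the label move and is clean after it, and also catches the quieter case where acm exists but its device does not, so acm->mutex was never taken.

```c
/* Added example, not cdc-acm.c: a user-space model of acm_tty_open()'s exit ladder
 * with an instrumented mutex. struct acm and the return value are simplified. */
#include <stddef.h>
struct mock_mutex { int held; };
struct acm { int dev_present; struct mock_mutex mutex; };
static struct mock_mutex open_mutex;   /* driver-wide lock, as in cdc-acm.c */
static int faults;                     /* unlocks through NULL or of an unheld lock */

static void mock_lock(struct mock_mutex *m) { m->held++; }

/* NULL is the reported oops; releasing a lock nobody holds is its quieter sibling. */
static void mock_unlock(struct mock_mutex *m)
{
	if (m == NULL || m->held == 0) { faults++; return; }
	m->held--;
}

/* Before the patch: err_out: sits above the acm->mutex release, so the "no such
 * device" path unlocks a mutex it never took, or that does not exist at all. */
static void open_before(struct acm *acm)
{
	mock_lock(&open_mutex);
	if (!acm || !acm->dev_present) goto err_out;
	mock_lock(&acm->mutex);
	/* ... URB setup, then fall through to done: ... */
err_out:
	mock_unlock(acm ? &acm->mutex : NULL);      /* &acm->mutex with acm == NULL */
	mock_unlock(&open_mutex);
}

/* After the patch: only the path that actually took acm->mutex releases it. */
static void open_after(struct acm *acm)
{
	mock_lock(&open_mutex);
	if (!acm || !acm->dev_present) goto err_out;
	mock_lock(&acm->mutex);
	mock_unlock(&acm->mutex);                   /* done: */
err_out:
	mock_unlock(&open_mutex);
}

/* One open() on a constructed state; returns bad unlocks plus locks still held. */
static int bad_unlocks(void (*open)(struct acm *), int have_acm, int dev_present)
{
	struct acm dev = { dev_present, { 0 } };    /* have_acm == 0: no device bound */
	faults = 0; open_mutex.held = 0;
	open(have_acm ? &dev : NULL);
	return faults + (open_mutex.held != 0) + (have_acm && dev.mutex.held != 0);
}
```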

2008-08-18 16:33:52

by Vegard Nossum

Subject: Re: kernel oops

On Wed, Jul 23, 2008 at 7:11 PM, Vegard Nossum <[email protected]> wrote:
> On Wed, Jul 23, 2008 at 2:52 PM, Andrei Popa <[email protected]> wrote:
>>
>> I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify"
>> and the kernel oopsed:
>>
>> BUG: unable to handle kernel NULL pointer dereference at 00000458
>> IP: [<c0444b52>] mutex_unlock+0x0/0xb
>> *pde = 00000000
>> Oops: 0002 [#1] PREEMPT SMP
>>
>> Pid: 19043, comm: gnokii Not tainted (2.6.26-ineo7 #2)
>> EIP: 0060:[<c0444b52>] EFLAGS: 00010246 CPU: 0
>> EIP is at mutex_unlock+0x0/0xb
> ...
>> [<c03830ae>] acm_tty_open+0x4c/0x214
>
> This shouldn't be too hard; the code is trying to unlock the mutex
> &acm->mutex even when "acm" is NULL. It seems that the label "err_out"
> is otherwise unused, so it makes sense to move this one step further
> down, so that it doesn't try to unlock the non-existent mutex.
>
> If the problem is reproducible, you could try the patch below!
>
>
> Vegard
>
> PS: I actually think the code has some other problems too. Shouldn't
> &acm->mutex be locked before we even inspect acm->dev?
>
>
> Reported-by: Andrei Popa <[email protected]>
> Signed-off-by: Vegard Nossum <[email protected]>
>
> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 63c3404..74d03a7 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -525,8 +525,8 @@ static int acm_tty_open(struct tty_struct *tty, struct file *filp)
> tasklet_schedule(&acm->urb_task);
>
> done:
> -err_out:
> mutex_unlock(&acm->mutex);
> +err_out:
> mutex_unlock(&open_mutex);
> return rv;
>
>

Hi,

Latest -git seems to have the same problem, and this was about three
weeks ago, so.. Ping?


Vegard

--
"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
-- E. W. Dijkstra, EWD1036

2008-08-18 16:42:53

by Greg KH

Subject: Re: kernel oops

On Mon, Aug 18, 2008 at 06:33:42PM +0200, Vegard Nossum wrote:
> On Wed, Jul 23, 2008 at 7:11 PM, Vegard Nossum <[email protected]> wrote:
> > On Wed, Jul 23, 2008 at 2:52 PM, Andrei Popa <[email protected]> wrote:
> >>
> >> I installed gnokii-0.6.22-r2 and gave the command "gnokii --identify"
> >> and the kernel oopsed:
> >>
> >> BUG: unable to handle kernel NULL pointer dereference at 00000458
> >> IP: [<c0444b52>] mutex_unlock+0x0/0xb
> >> *pde = 00000000
> >> Oops: 0002 [#1] PREEMPT SMP
> >>
> >> Pid: 19043, comm: gnokii Not tainted (2.6.26-ineo7 #2)
> >> EIP: 0060:[<c0444b52>] EFLAGS: 00010246 CPU: 0
> >> EIP is at mutex_unlock+0x0/0xb
> > ...
> >> [<c03830ae>] acm_tty_open+0x4c/0x214
> >
> > This shouldn't be too hard; the code is trying to unlock the mutex
> > &acm->mutex even when "acm" is NULL. It seems that the label "err_out"
> > is otherwise unused, so it makes sense to move this one step further
> > down, so that it doesn't try to unlock the non-existent mutex.
> >
> > If the problem is reproducible, you could try the patch below!
> >
> >
> > Vegard
> >
> > PS: I actually think the code has some other problems too. Shouldn't
> > &acm->mutex be locked before we even inspect acm->dev?
> >
> >
> > Reported-by: Andrei Popa <[email protected]>
> > Signed-off-by: Vegard Nossum <[email protected]>
> >
> > diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> > index 63c3404..74d03a7 100644
> > --- a/drivers/usb/class/cdc-acm.c
> > +++ b/drivers/usb/class/cdc-acm.c
> > @@ -525,8 +525,8 @@ static int acm_tty_open(struct tty_struct *tty, struct file *filp)
> > tasklet_schedule(&acm->urb_task);
> >
> > done:
> > -err_out:
> > mutex_unlock(&acm->mutex);
> > +err_out:
> > mutex_unlock(&open_mutex);
> > return rv;
> >
> >
>
> Hi,
>
> Latest -git seems to have the same problem, and this was about three
> weeks ago, so.. Ping?

Hm, I thought I took a patch to fix this a few weeks ago.

Oliver, have I missed anything recently?

thanks,

greg k-h