dfc6d0b8ec2468a1c9c6f30633461e6a01ef7118
[glsdk/meta-ti-glsdk.git] / recipes-kernel / linux / linux-ti33x-psp-3.2 / 3.2.1 / 0029-usbfs-Fix-oops-related-to-user-namespace-conversion.patch
1 From 6b544616a14b48a670d0c7ce10a5f8de1246cc96 Mon Sep 17 00:00:00 2001
2 From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
3 Date: Fri, 16 Dec 2011 11:26:30 -0800
4 Subject: [PATCH 29/49] usbfs: Fix oops related to user namespace conversion.
6 commit 1b41c8321e495337e877ca02d0b9680bc4112eff upstream.
8 When running the Point Grey "flycap" program for their USB 3.0 camera
9 (which was running as a USB 2.0 device for some reason), I trigger this
10 oops whenever I try to open a video stream:
12 Dec 15 16:48:34 puck kernel: [ 1798.715559] BUG: unable to handle kernel NULL pointer dereference at (null)
13 Dec 15 16:48:34 puck kernel: [ 1798.719153] IP: [<ffffffff8147841e>] free_async+0x1e/0x70
14 Dec 15 16:48:34 puck kernel: [ 1798.720991] PGD 6f833067 PUD 6fc56067 PMD 0
15 Dec 15 16:48:34 puck kernel: [ 1798.722815] Oops: 0002 [#1] SMP
16 Dec 15 16:48:34 puck kernel: [ 1798.724627] CPU 0
17 Dec 15 16:48:34 puck kernel: [ 1798.724636] Modules linked in: ecryptfs encrypted_keys sha1_generic trusted binfmt_misc sha256_generic aesni_intel cryptd aes_x86_64 aes_generic parport_pc dm_crypt ppdev joydev snd_hda_codec_hdmi snd_hda_codec_conexant arc4 iwlwifi snd_hda_intel snd_hda_codec snd_hwdep snd_pcm thinkpad_acpi mac80211 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer btusb uvcvideo snd_seq_device bluetooth videodev psmouse snd v4l2_compat_ioctl32 serio_raw tpm_tis cfg80211 tpm tpm_bios nvram soundcore snd_page_alloc lp parport i915 xhci_hcd ahci libahci drm_kms_helper drm sdhci_pci sdhci e1000e i2c_algo_bit video
18 Dec 15 16:48:34 puck kernel: [ 1798.734212]
19 Dec 15 16:48:34 puck kernel: [ 1798.736162] Pid: 2713, comm: FlyCap2 Not tainted 3.2.0-rc5+ #28 LENOVO 4286CTO/4286CTO
20 Dec 15 16:48:34 puck kernel: [ 1798.738148] RIP: 0010:[<ffffffff8147841e>] [<ffffffff8147841e>] free_async+0x1e/0x70
21 Dec 15 16:48:34 puck kernel: [ 1798.740134] RSP: 0018:ffff88005715fd78 EFLAGS: 00010296
22 Dec 15 16:48:34 puck kernel: [ 1798.742118] RAX: 00000000fffffff4 RBX: ffff88006fe8f900 RCX: 0000000000004118
23 Dec 15 16:48:34 puck kernel: [ 1798.744116] RDX: 0000000001000000 RSI: 0000000000016390 RDI: 0000000000000000
24 Dec 15 16:48:34 puck kernel: [ 1798.746087] RBP: ffff88005715fd88 R08: 0000000000000000 R09: ffffffff8146f22e
25 Dec 15 16:48:34 puck kernel: [ 1798.748018] R10: ffff88006e520ac0 R11: 0000000000000001 R12: ffff88005715fe28
26 Dec 15 16:48:34 puck kernel: [ 1798.749916] R13: ffff88005d31df00 R14: ffff88006fe8f900 R15: 00007f688c995cb8
27 Dec 15 16:48:34 puck kernel: [ 1798.751785] FS: 00007f68a366da40(0000) GS:ffff880100200000(0000) knlGS:0000000000000000
28 Dec 15 16:48:34 puck kernel: [ 1798.753659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
29 Dec 15 16:48:34 puck kernel: [ 1798.755509] CR2: 0000000000000000 CR3: 00000000706bb000 CR4: 00000000000406f0
30 Dec 15 16:48:34 puck kernel: [ 1798.757334] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
31 Dec 15 16:48:34 puck kernel: [ 1798.759124] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
32 Dec 15 16:48:34 puck kernel: [ 1798.760871] Process FlyCap2 (pid: 2713, threadinfo ffff88005715e000, task ffff88006c675b80)
33 Dec 15 16:48:34 puck kernel: [ 1798.762605] Stack:
34 Dec 15 16:48:34 puck kernel: [ 1798.764297] ffff88005715fe28 0000000000000000 ffff88005715fe08 ffffffff81479058
35 Dec 15 16:48:34 puck kernel: [ 1798.766020] 0000000000000000 ffffea0000004000 ffff880000004118 0000000000000000
36 Dec 15 16:48:34 puck kernel: [ 1798.767750] ffff880000000001 ffff88006e520ac0 fffffff46fd81180 0000000000000000
37 Dec 15 16:48:34 puck kernel: [ 1798.769472] Call Trace:
38 Dec 15 16:48:34 puck kernel: [ 1798.771147] [<ffffffff81479058>] proc_do_submiturb+0x778/0xa00
39 Dec 15 16:48:34 puck kernel: [ 1798.772798] [<ffffffff8147a5fd>] usbdev_do_ioctl+0x24d/0x1200
40 Dec 15 16:48:34 puck kernel: [ 1798.774410] [<ffffffff8147b5de>] usbdev_ioctl+0xe/0x20
41 Dec 15 16:48:34 puck kernel: [ 1798.775975] [<ffffffff81189259>] do_vfs_ioctl+0x99/0x600
42 Dec 15 16:48:34 puck kernel: [ 1798.777534] [<ffffffff81189851>] sys_ioctl+0x91/0xa0
43 Dec 15 16:48:34 puck kernel: [ 1798.779088] [<ffffffff816247c2>] system_call_fastpath+0x16/0x1b
44 ec 15 16:48:34 puck kernel: [ 1798.780634] Code: 51 ff ff ff e9 29 ff ff ff 0f 1f 40 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 48 89 fb 48 8b 7f 18 e8 a6 ea c0 ff 4
45 8 8b 7b 20 <f0> ff 0f 0f 94 c0 84 c0 74 05 e8 d3 99 c1 ff 48 8b 43 40 48 8b
46 Dec 15 16:48:34 puck kernel: [ 1798.783970] RIP [<ffffffff8147841e>] free_async+0x1e/0x70
47 Dec 15 16:48:34 puck kernel: [ 1798.785630] RSP <ffff88005715fd78>
48 Dec 15 16:48:34 puck kernel: [ 1798.787274] CR2: 0000000000000000
49 Dec 15 16:48:34 puck kernel: [ 1798.794728] ---[ end trace 52894d3355f88d19 ]---
51 markup_oops.pl says the oops is in put_cred:
53 ffffffff81478401: 48 89 e5 mov %rsp,%rbp
54 ffffffff81478404: 53 push %rbx
55 ffffffff81478405: 48 83 ec 08 sub $0x8,%rsp
56 ffffffff81478409: e8 f2 c0 1a 00 callq ffffffff81624500 <mcount>
57 ffffffff8147840e: 48 89 fb mov %rdi,%rbx | %ebx => ffff88006fe8f900
58 put_pid(as->pid);
59 ffffffff81478411: 48 8b 7f 18 mov 0x18(%rdi),%rdi
60 ffffffff81478415: e8 a6 ea c0 ff callq ffffffff81086ec0 <put_pid>
61 put_cred(as->cred);
62 ffffffff8147841a: 48 8b 7b 20 mov 0x20(%rbx),%rdi | %edi => 0 %ebx = ffff88006fe8f900
63 */
64 static inline int atomic_dec_and_test(atomic_t *v)
65 {
66 unsigned char c;
68 asm volatile(LOCK_PREFIX "decl %0; sete %1"
69 *ffffffff8147841e: f0 ff 0f lock decl (%rdi) | %edi = 0 <--- faulting instruction
70 ffffffff81478421: 0f 94 c0 sete %al
71 static inline void put_cred(const struct cred *_cred)
72 {
73 struct cred *cred = (struct cred *) _cred;
75 validate_creds(cred);
76 if (atomic_dec_and_test(&(cred)->usage))
77 ffffffff81478424: 84 c0 test %al,%al
78 ffffffff81478426: 74 05 je ffffffff8147842d <free_async+0x2d>
79 __put_cred(cred);
80 ffffffff81478428: e8 d3 99 c1 ff callq ffffffff81091e00 <__put_cred>
81 kfree(as->urb->transfer_buffer);
82 ffffffff8147842d: 48 8b 43 40 mov 0x40(%rbx),%rax
83 ffffffff81478431: 48 8b 78 68 mov 0x68(%rax),%rdi
84 ffffffff81478435: e8 a6 e1 ce ff callq ffffffff811665e0 <kfree>
85 kfree(as->urb->setup_packet);
86 ffffffff8147843a: 48 8b 43 40 mov 0x40(%rbx),%rax
87 ffffffff8147843e: 48 8b b8 90 00 00 00 mov 0x90(%rax),%rdi
88 ffffffff81478445: e8 96 e1 ce ff callq ffffffff811665e0 <kfree>
89 usb_free_urb(as->urb);
90 ffffffff8147844a: 48 8b 7b 40 mov 0x40(%rbx),%rdi
91 ffffffff8147844e: e8 0d 6b ff ff callq ffffffff8146ef60 <usb_free_urb>
93 This bug seems to have been introduced by commit
94 d178bc3a708f39cbfefc3fab37032d3f2511b4ec "user namespace: usb: make usb
95 urbs user namespace aware (v2)"
97 I'm not sure if this is right fix, but it does stop the oops.
99 Unfortunately, the Point Grey software still refuses to work, but it's a
100 closed source app, so I can't fix it.
102 Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
103 Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
104 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
105 ---
106 drivers/usb/core/devio.c | 3 ++-
107 1 files changed, 2 insertions(+), 1 deletions(-)
109 diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
110 index e3beaf2..7abf060 100644
111 --- a/drivers/usb/core/devio.c
112 +++ b/drivers/usb/core/devio.c
113 @@ -249,7 +249,8 @@ static struct async *alloc_async(unsigned int numisoframes)
114 static void free_async(struct async *as)
115 {
116 put_pid(as->pid);
117 - put_cred(as->cred);
118 + if (as->cred)
119 + put_cred(as->cred);
120 kfree(as->urb->transfer_buffer);
121 kfree(as->urb->setup_packet);
122 usb_free_urb(as->urb);
123 --
124 1.7.7.4