From d5c024f3761dbd512329d3b7234a07dcf7580f0a Mon Sep 17 00:00:00 2001 From: =?utf8?q?Felix=20H=C3=A4dicke?= Date: Thu, 17 Nov 2016 19:26:58 +0100 Subject: [PATCH] usb: gadget: serial: fix possible Oops caused by calling kthread_stop(NULL) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Add check for NULL before calling kthread_stop(). There were cases in which gserial_console_exit() was called, but the console thread was not started. This resulted in an invalid kthread_stop(NULL) call. Without this, the following Oops may occur: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 IP: [] kthread_stop+0x16/0x110 ... CPU: 2 PID: 853 Comm: rmmod Not tainted 4.9.0-rc5 #3 Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Extreme3, BIOS P1.50 07/11/2013 task: ffff880419f6a100 task.stack: ffffc90002e8c000 RIP: 0010:[] [] kthread_stop+0x16/0x110 RSP: 0018:ffffc90002e8fdb0 EFLAGS: 00010286 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000000 RBP: ffffc90002e8fdc8 R08: 0000000000000000 R09: 0000000000000001 R10: 000000000000019d R11: 000000000000001f R12: 0000000000000000 R13: ffff88041b8d8400 R14: 0000000000000001 R15: 000055fd59f5a1e0 FS: 00007f82500be700(0000) GS:ffff88042f280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000041bee2000 CR4: 00000000001406e0 Stack: 0000000000000000 ffffffffc0b8e720 ffff88041b8d8400 ffffc90002e8fdf0 ffffffffc0b8bb52 ffff88041a106300 0000000000000001 ffff880419fc2ea8 ffffc90002e8fe08 ffffffffc0aed749 ffffffffc0aef600 ffffc90002e8fe20 Call Trace: [] gserial_free_line+0x72/0xb0 [u_serial] [] acm_free_instance+0x19/0x30 [usb_f_acm] [] usb_put_function_instance+0x20/0x30 [libcomposite] [] gs_unbind+0x3b/0x70 [g_serial] [] __composite_unbind+0x61/0xb0 [libcomposite] [] composite_unbind+0x13/0x20 [libcomposite] [] usb_gadget_remove_driver+0x3d/0x90 [udc_core] [] usb_gadget_unregister_driver+0x6e/0xc0 [udc_core] [] usb_composite_unregister+0x12/0x20 [libcomposite] [] cleanup+0x10/0xda8 [g_serial] [] SyS_delete_module+0x192/0x270 [] ? exit_to_usermode_loop+0x90/0xb0 [] entry_SYSCALL_64_fastpath+0x1e/0xad Code: 89 c6 e8 6e ff ff ff 48 89 df e8 06 bd fd ff 5b 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc 53 0f 1f 44 00 00 41 ff 44 24 18 4c 89 e7 e8 bc f1 ff ff 48 85 c0 48 89 c3 74 RIP [] kthread_stop+0x16/0x110 RSP CR2: 0000000000000018 ---[ end trace 5b3336a407e1698c ]--- Signed-off-by: Felix Hädicke Tested-by: Peter Chen Signed-off-by: Felipe Balbi --- drivers/usb/gadget/function/u_serial.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c index 62ec842874aa..000677c991b0 100644 --- a/drivers/usb/gadget/function/u_serial.c +++ b/drivers/usb/gadget/function/u_serial.c @@ -1256,7 +1256,8 @@ static void gserial_console_exit(void) struct gscons_info *info = &gscons_info; unregister_console(&gserial_cons); - kthread_stop(info->console_thread); + if (info->console_thread != NULL) + kthread_stop(info->console_thread); gs_buf_free(&info->con_buf); } -- 2.20.1