usb_audio_probe null ptr deref

Bug #1920648 reported by Liz Fong-Jones
This bug affects 2 people

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux-oem-5.10 (Ubuntu) | Fix Released | Undecided | Unassigned | |

Bug Description

Bug introduced between 5.10.0-1016-oem and 5.10.0-1017-oem when attempting to initialize the Blue Yeti.

```
[ 14.369344] BUG: kernel NULL pointer dereference, address: 0000000000000012
[ 14.369347] #PF: supervisor read access in kernel mode
[ 14.369348] #PF: error_code(0x0000) - not-present page
[ 14.369348] PGD 0 P4D 0
[ 14.369350] Oops: 0000 [#1] SMP NOPTI
[ 14.369352] CPU: 2 PID: 762 Comm: systemd-udevd Not tainted 5.10.0-1017-oem #18-Ubuntu
[ 14.369353] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./B550 Phantom Gaming-ITX/ax, BIOS P2.00 02/25/2021
[ 14.369361] RIP: 0010:usb_audio_probe+0x2e3/0x5c0 [snd_usb_audio]
[ 14.369362] Code: 48 83 7d b8 00 48 8b 7d c8 74 17 48 8b 45 b8 80 78 14 00 74 0d 48 8b 75 b0 e8 59 81 01 00 48 8b 7d c8 48 8b 45 b8 48 8b 75 b0 <0f> b7 40 12 66 89 87 9c 00 00 00 48 63 07 48 89 3c c5 60 da 24 c1
[ 14.369363] RSP: 0018:ffffb976810afa40 EFLAGS: 00010246
[ 14.369364] RAX: 0000000000000000 RBX: ffffffffc124dc60 RCX: ffff973f85278748
[ 14.369365] RDX: ffff973f85279348 RSI: ffff973f952d7c00 RDI: ffff973f8dab78b8
[ 14.369365] RBP: ffffb976810afaa0 R08: 0000000000000048 R09: 0000000000000025
[ 14.369366] R10: 0000000000000006 R11: ffffffffffffffff R12: 0000000000000000
[ 14.369367] R13: ffffffffc124dc60 R14: 0000000000000002 R15: ffffffffc124dd60
[ 14.369368] FS: 00007f4d6fc9e880(0000) GS:ffff97469ea80000(0000) knlGS:0000000000000000
[ 14.369369] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 14.369369] CR2: 0000000000000012 CR3: 000000010ed84000 CR4: 0000000000750ee0
[ 14.369370] PKRU: 55555554
[ 14.369370] Call Trace:
[ 14.369375] usb_probe_interface+0xed/0x290
[ 14.369378] really_probe+0xfb/0x420
[ 14.369379] driver_probe_device+0xe9/0x160
[ 14.369380] device_driver_attach+0x5d/0x70
[ 14.369381] __driver_attach+0x8f/0x150
[ 14.369382] ? device_driver_attach+0x70/0x70
[ 14.369383] bus_for_each_dev+0x7e/0xc0
[ 14.369384] driver_attach+0x1e/0x20
[ 14.369385] bus_add_driver+0x152/0x1f0
[ 14.369386] driver_register+0x74/0xd0
[ 14.369388] usb_register_driver+0x89/0x130
[ 14.369389] ? 0xffffffffc0fb1000
[ 14.369393] usb_audio_driver_init+0x23/0x1000 [snd_usb_audio]
[ 14.369396] do_one_initcall+0x48/0x1d0
[ 14.369398] ? _cond_resched+0x19/0x30
[ 14.369400] ? kmem_cache_alloc_trace+0x37a/0x430
[ 14.369402] ? do_init_module+0x28/0x250
[ 14.369403] do_init_module+0x62/0x250
[ 14.369405] load_module+0x10b8/0x1280
[ 14.369407] ? security_kernel_post_read_file+0x5c/0x70
[ 14.369408] ? security_kernel_post_read_file+0x5c/0x70
[ 14.369409] __do_sys_finit_module+0xc2/0x120
[ 14.369410] ? __do_sys_finit_module+0xc2/0x120
[ 14.369412] __x64_sys_finit_module+0x1a/0x20
[ 14.369414] do_syscall_64+0x38/0x90
[ 14.369415] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 14.369416] RIP: 0033:0x7f4d7022089d
[ 14.369417] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
[ 14.369418] RSP: 002b:00007fff8704bf98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 14.369419] RAX: ffffffffffffffda RBX: 000055b61445ab30 RCX: 00007f4d7022089d
[ 14.369420] RDX: 0000000000000000 RSI: 000055b61445a8d0 RDI: 0000000000000018
[ 14.369420] RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000000
[ 14.369421] R10: 0000000000000018 R11: 0000000000000246 R12: 000055b61445a8d0
[ 14.369422] R13: 0000000000000000 R14: 000055b6142121a0 R15: 000055b61445ab30
[ 14.369423] Modules linked in: nls_iso8859_1 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg soundwire_intel soundwire_generic_allocation soundwire_cadence snd_hda_codec snd_usb_audio(+) snd_hda_core iwlmvm soundwire_bus snd_soc_core snd_usbmidi_lib snd_hwdep mac80211 uvcvideo snd_seq_midi snd_compress gspca_vc032x edac_mce_amd snd_seq_midi_event gspca_main videobuf2_vmalloc videobuf2_memops kvm_amd videobuf2_v4l2 snd_rawmidi ac97_bus libarc4 snd_pcm_dmaengine videobuf2_common snd_pcm kvm videodev snd_seq efi_pstore wmi_bmof apple_mfi_fastcharge mc k10temp rapl snd_seq_device btusb iwlwifi input_leds snd_timer btrtl btbcm btintel joydev ccp snd bluetooth cfg80211 soundcore ecdh_generic ecc mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 dm_crypt hid_apple hid_generic usbhid hid amdgpu iommu_v2 gpu_sched i2c_algo_bit ttm drm_kms_helper crct10dif_pclmul crc32_pclmul ghash_clmulni_intel syscopyarea
[ 14.369448] aesni_intel sysfillrect sysimgblt fb_sys_fops cec crypto_simd rc_core cryptd glue_helper drm nvme i2c_piix4 igc ahci nvme_core xhci_pci libahci xhci_pci_renesas wmi gpio_amdpt gpio_generic
[ 14.369456] CR2: 0000000000000012
[ 14.369458] ---[ end trace a51037772f1dee55 ]---
[ 14.505127] RIP: 0010:usb_audio_probe+0x2e3/0x5c0 [snd_usb_audio]
[ 14.505128] Code: 48 83 7d b8 00 48 8b 7d c8 74 17 48 8b 45 b8 80 78 14 00 74 0d 48 8b 75 b0 e8 59 81 01 00 48 8b 7d c8 48 8b 45 b8 48 8b 75 b0 <0f> b7 40 12 66 89 87 9c 00 00 00 48 63 07 48 89 3c c5 60 da 24 c1
[ 14.505129] RSP: 0018:ffffb976810afa40 EFLAGS: 00010246
[ 14.505130] RAX: 0000000000000000 RBX: ffffffffc124dc60 RCX: ffff973f85278748
[ 14.505130] RDX: ffff973f85279348 RSI: ffff973f952d7c00 RDI: ffff973f8dab78b8
[ 14.505131] RBP: ffffb976810afaa0 R08: 0000000000000048 R09: 0000000000000025
[ 14.505132] R10: 0000000000000006 R11: ffffffffffffffff R12: 0000000000000000
[ 14.505132] R13: ffffffffc124dc60 R14: 0000000000000002 R15: ffffffffc124dd60
[ 14.505133] FS: 00007f4d6fc9e880(0000) GS:ffff97469ea80000(0000) knlGS:0000000000000000
[ 14.505134] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 14.505134] CR2: 0000000000000012 CR3: 000000010ed84000 CR4: 0000000000750ee0
[ 14.505135] PKRU: 55555554

```

Enumerating USB with lsusb also fails, in addition to the device failing to initialize with pulseaudio etc.

This happens not just with one mic/one motherboard, but with two distinct microphone pieces of hardware and two distinct motherboards.
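A triage sketch for the oops above, added here as an example (not part of the original report or any kernel tooling): it reads the faulting instruction from the `Code:` line and checks it against `RAX` and `CR2`. The sample lines are copied from the log with the `Code:` line shortened; the function name `triage` and the single-instruction decoder are assumptions of this example.

```python
import re

# Constructed sample: lines taken from the oops in this report, with the
# Code: line trimmed to the bytes around the faulting instruction.
OOPS = """\
[ 14.369344] BUG: kernel NULL pointer dereference, address: 0000000000000012
[ 14.369361] RIP: 0010:usb_audio_probe+0x2e3/0x5c0 [snd_usb_audio]
[ 14.369362] Code: 48 8b 7d c8 48 8b 45 b8 48 8b 75 b0 <0f> b7 40 12 66 89 87 9c 00 00 00
[ 14.369364] RAX: 0000000000000000 RBX: ffffffffc124dc60 RCX: ffff973f85278748
[ 14.369370] CR2: 0000000000000012 CR3: 000000010ed84000 CR4: 0000000000750ee0
"""

# x86-64 ModRM r/m encoding -> register name as printed in the oops
REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]

def triage(log):
    """Hypothetical helper: relate the faulting instruction to the fault address."""
    regs = {}
    for name, val in re.findall(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})", log):
        regs.setdefault(name, int(val, 16))  # keep the first (kernel-mode) dump
    rip = re.search(r"RIP: 0010:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(\w+)\]", log)
    code = re.search(r"Code: ([0-9a-f <>]+)", log).group(1)
    # The byte in <..> is the first byte of the instruction that faulted.
    insn = bytes.fromhex("".join(code.split("<", 1)[1].replace(">", "").split()))
    result = {"function": rip.group(1), "module": rip.group(2),
              "base": None, "offset": None, "null_struct_deref": False}
    # Decode only one form: movzx r32, word [base+disp8] (0f b7 /r, mod=01, no SIB).
    modrm = insn[2]
    if insn[:2] == b"\x0f\xb7" and modrm >> 6 == 1 and modrm & 7 != 4:
        base = REGS64[modrm & 7]
        disp = insn[3] - 256 if insn[3] > 127 else insn[3]  # disp8 is signed
        result.update(base=base, offset=disp)
        # NULL base register plus a small displacement equal to CR2 means a
        # field was read through a NULL structure pointer.
        result["null_struct_deref"] = (
            regs.get(base) == 0 and regs.get("CR2") == disp)
    return result

if __name__ == "__main__":
    print(triage(OOPS))
```

Here the marked bytes `0f b7 40 12` decode to a 16-bit load from `RAX+0x12` with `RAX` zero, so the fault address `0x12` is a field offset read through a NULL structure pointer in `usb_audio_probe`.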

Liz Fong-Jones (lizthegrey) wrote :

lsusb identifies the device under -1016- as:
Bus 003 Device 009: ID b58e:9e84 Blue Microphones Yeti Stereo Microphone

Liz Fong-Jones (lizthegrey) wrote :

This appears to be the bug: https://<email address hidden>/

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux-oem-5.10 (Ubuntu):
status: New → Confirmed
Chris K. Jester-Young (cky) wrote :

I rebuilt the snd-usb-audio module with the linked patch and it does indeed fix the problem for me. The patch addresses bugs that make all USB audio devices totally unusable, and is a definite regression in 5.10.0-1017.18:

1. For devices with no quirks, you get a null pointer dereference when you connect it.
2. For devices with quirks, you get a use-after-free when you disconnect it.

Liz Fong-Jones (lizthegrey) wrote :

Still affected on 5.10.0-1019

5.10.0-1016 is the last known good version for this.

Liz Fong-Jones (lizthegrey) wrote :

Fixed by 5.10.0-1020.

In the changelog:

```
- ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe
```

Changed in linux-oem-5.10 (Ubuntu):
status: Confirmed → Fix Committed
Liz Fong-Jones (lizthegrey) wrote :

Also booted with USB mic connected and confirmed the new kernel was working.

Changed in linux-oem-5.10 (Ubuntu):
status: Fix Committed → Fix Released