From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
torvalds@linux-foundation.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
izumi2005@soft.fujitsu.com, rmk@arm.linux.org.uk,
kaneshige.kenji@jp.fujitsu.com
Subject: [patch 25/33] Fix possible NULL pointer access in 8250 serial driver
Date: Thu, 26 Apr 2007 09:56:55 -0700 [thread overview]
Message-ID: <20070426165655.GZ1898@kroah.com> (raw)
In-Reply-To: <20070426165445.GA1898@kroah.com>
[-- Attachment #1: fix-possible-null-pointer-access-in-8250-serial-driver.patch --]
[-- Type: text/plain, Size: 4121 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Taku Izumi <izumi2005@soft.fujitsu.com>
I encountered the following kernel panic. The cause of this problem was
NULL pointer access in check_modem_status() in 8250.c. I confirmed this
problem is fixed by the attached patch, but I don't know this is the
correct fix.
sadc[4378]: NaT consumption 2216203124768 [1]
Modules linked in: binfmt_misc dm_mirror dm_mod thermal processor fan
container button sg e100 eepro100 mii ehci_hcd ohci_hcd
Pid: 4378, CPU 0, comm: sadc
psr : 00001210085a2010 ifs : 8000000000000289 ip : [<a000000100482071>]
Not tainted
ip is at check_modem_status+0xf1/0x360
unat: 0000000000000000 pfs : 0000000000000289 rsc : 0000000000000003
rnat: 800000000000cc18 bsps: 0000000000000000 pr : 0000000000aa6a99
ldrs: 0000000000000000 ccv : 0000000000000000 fpsr: 0009804c8a70033f
csd : 0000000000000000 ssd : 0000000000000000
b0 : a000000100481fb0 b6 : a0000001004822e0 b7 : a000000100477f20
f6 : 1003e2222222222222222 f7 : 0ffdba200000000000000
f8 : 100018000000000000000 f9 : 10002a000000000000000
f10 : 0fffdccccccccc8c00000 f11 : 1003e0000000000000000
r1 : a000000100b9af40 r2 : 0000000000000008 r3 : a000000100ad4e21
r8 : 00000000000000bb r9 : 0000000000000001 r10 : 0000000000000000
r11 : a000000100ad4d58 r12 : e0000000037b7df0 r13 : e0000000037b0000
r14 : 0000000000000001 r15 : 0000000000000018 r16 : a000000100ad4d6c
r17 : 0000000000000000 r18 : 0000000000000000 r19 : 0000000000000000
r20 : a00000010099bc88 r21 : 00000000000000bb r22 : 00000000000000bb
r23 : c003fffffc0ff3fe r24 : c003fffffc000000 r25 : 00000000000ff3fe
r26 : a0000001009b7ad0 r27 : 0000000000000001 r28 : a0000001009b7ad8
r29 : 0000000000000000 r30 : a0000001009b7ad0 r31 : a0000001009b7ad0
Call Trace:
[<a000000100013940>] show_stack+0x40/0xa0
sp=e0000000037b7810 bsp=e0000000037b1118
[<a0000001000145a0>] show_regs+0x840/0x880
sp=e0000000037b79e0 bsp=e0000000037b10c0
[<a0000001000368e0>] die+0x1c0/0x2c0
sp=e0000000037b79e0 bsp=e0000000037b1078
[<a000000100036a30>] die_if_kernel+0x50/0x80
sp=e0000000037b7a00 bsp=e0000000037b1048
[<a000000100037c40>] ia64_fault+0x11e0/0x1300
sp=e0000000037b7a00 bsp=e0000000037b0fe8
[<a00000010000bdc0>] ia64_leave_kernel+0x0/0x280
sp=e0000000037b7c20 bsp=e0000000037b0fe8
[<a000000100482070>] check_modem_status+0xf0/0x360
sp=e0000000037b7df0 bsp=e0000000037b0fa0
[<a000000100482300>] serial8250_get_mctrl+0x20/0xa0
sp=e0000000037b7df0 bsp=e0000000037b0f80
[<a000000100478170>] uart_read_proc+0x250/0x860
sp=e0000000037b7df0 bsp=e0000000037b0ee0
[<a0000001001c16d0>] proc_file_read+0x1d0/0x4c0
sp=e0000000037b7e10 bsp=e0000000037b0e80
[<a0000001001394b0>] vfs_read+0x1b0/0x300
sp=e0000000037b7e20 bsp=e0000000037b0e30
[<a000000100139cd0>] sys_read+0x70/0xe0
sp=e0000000037b7e20 bsp=e0000000037b0db0
[<a00000010000bc20>] ia64_ret_from_syscall+0x0/0x20
sp=e0000000037b7e30 bsp=e0000000037b0db0
[<a000000000010620>] __kernel_syscall_via_break+0x0/0x20
sp=e0000000037b8000 bsp=e0000000037b0db0
Fix the possible NULL pointer access in check_modem_status() in 8250.c. The
check_modem_status() would access 'info' member of uart_port structure, but it
is not initialized before uart_open() is called. The check_modem_status() can
be called through /proc/tty/driver/serial before uart_open() is called.
Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Taku Izumi <izumi2005@soft.fujitsu.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/serial/8250.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/serial/8250.c
+++ b/drivers/serial/8250.c
@@ -1289,7 +1289,8 @@ static unsigned int check_modem_status(s
{
unsigned int status = serial_in(up, UART_MSR);
- if (status & UART_MSR_ANY_DELTA && up->ier & UART_IER_MSI) {
+ if (status & UART_MSR_ANY_DELTA && up->ier & UART_IER_MSI &&
+ up->port.info != NULL) {
if (status & UART_MSR_TERI)
up->port.icount.rng++;
if (status & UART_MSR_DDSR)
--
next prev parent reply other threads:[~2007-04-26 17:07 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20070426165111.393445007@mini.kroah.org>
2007-04-26 16:54 ` [patch 00/33] 2.6.20-stable review Greg KH
2007-04-26 16:48 ` David Lang
2007-04-26 17:30 ` Greg KH
2007-04-26 17:45 ` [stable] " Chris Wright
2007-04-26 16:54 ` [patch 01/33] knfsd: Use a spinlock to protect sk_info_authunix Greg KH
2007-04-26 16:54 ` Greg KH
2007-04-26 16:55 ` [patch 02/33] IB/mthca: Fix data corruption after FMR unmap on Sinai Greg KH
2007-04-26 16:55 ` [patch 03/33] HID: zeroing of bytes in output fields is bogus Greg KH
2007-04-26 16:55 ` [patch 04/33] KVM: MMU: Fix guest writes to nonpae pde Greg KH
2007-04-26 16:55 ` Greg KH
2007-04-26 16:55 ` [patch 05/33] KVM: MMU: Fix host memory corruption on i386 with >= 4GB ram Greg KH
2007-04-26 16:55 ` Greg KH
2007-04-26 16:55 ` [patch 06/33] holepunch: fix shmem_truncate_range punching too far Greg KH
2007-04-26 16:55 ` [patch 07/33] holepunch: fix shmem_truncate_range punch locking Greg KH
2007-04-26 16:55 ` [patch 08/33] holepunch: fix disconnected pages after second truncate Greg KH
2007-04-26 16:55 ` [patch 09/33] holepunch: fix mmap_sem i_mutex deadlock Greg KH
2007-04-26 16:55 ` [patch 10/33] Fix sparc64 SBUS IOMMU allocator Greg KH
2007-04-26 16:55 ` [patch 11/33] Fix qlogicpti DMA unmapping Greg KH
2007-04-26 16:55 ` [patch 12/33] Fix compat sys_ipc() on sparc64 Greg KH
2007-04-26 16:55 ` [patch 13/33] Fix bogus inline directive in sparc64 PCI code Greg KH
2007-04-26 16:55 ` [patch 14/33] Fix errors in tcp_memcalculations Greg KH
2007-04-26 16:56 ` [patch 15/33] Fix netpoll UDP input path Greg KH
2007-04-26 16:56 ` [patch 16/33] Fix IRDA oopser Greg KH
2007-04-26 16:56 ` [patch 17/33] cache_k8_northbridges() overflows beyond allocation Greg KH
2007-04-26 16:56 ` [patch 18/33] exec.c: fix coredump to pipe problem and obscure "security hole" Greg KH
2007-04-26 16:56 ` [patch 19/33] NFS: Fix an Oops in nfs_setattr() Greg KH
2007-04-26 16:56 ` [patch 20/33] x86: Dont probe for DDC on VBE1.2 Greg KH
2007-04-26 16:56 ` [patch 21/33] vt: fix potential race in VT_WAITACTIVE handler Greg KH
2007-04-26 16:56 ` [patch 22/33] 3w-xxxx: fix oops caused by incorrect REQUEST_SENSE handling Greg KH
2007-04-26 16:56 ` [patch 23/33] fix bogon in /dev/mem mmaping on nommu Greg KH
2007-04-26 16:56 ` [patch 24/33] fix OOM killing processes wrongly thought MPOL_BIND Greg KH
2007-04-26 16:56 ` Greg KH [this message]
2007-04-26 16:56 ` [patch 26/33] page migration: fix NR_FILE_PAGES accounting Greg KH
2007-04-26 16:57 ` [patch 27/33] Taskstats fix the structure members alignment issue Greg KH
2007-04-26 16:57 ` [patch 28/33] reiserfs: fix xattr root locking/refcount bug Greg KH
2007-04-26 16:57 ` [patch 29/33] hwmon/w83627ehf: Fix the fan5 clock divider write Greg KH
2007-04-26 16:57 ` [patch 30/33] ALSA: intel8x0 - Fix speaker output after S2RAM Greg KH
2007-04-26 16:57 ` [patch 31/33] AGPGART: intel_agp: fix G965 GTT size detect Greg KH
2007-04-26 16:57 ` [patch 32/33] cfq-iosched: fix alias + front merge bug Greg KH
2007-04-26 16:57 ` [patch 33/33] Revert "adjust legacy IDE resource setting (v2)" Greg KH
2007-04-26 17:01 ` [patch 00/33] 2.6.20-stable review Greg KH
2007-04-26 20:29 ` Chuck Ebbert
2007-04-27 10:15 ` Wu, Bryan
2007-04-27 11:05 ` Jesper Juhl
2007-04-27 13:47 ` Chuck Ebbert
2007-04-27 15:13 ` Greg KH
2007-04-28 4:21 ` Bryan WU
2007-04-28 5:48 ` Greg KH
2007-04-28 6:46 ` Bryan WU
2007-04-28 7:01 ` Greg KH
2007-04-28 16:24 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070426165655.GZ1898@kroah.com \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=izumi2005@soft.fujitsu.com \
--cc=jmforbes@linuxtx.org \
--cc=kaneshige.kenji@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=rmk@arm.linux.org.uk \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.