From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
alan@lxorguk.ukuu.org.uk, Wolfgang Frisch <wfpub@roembden.net>,
Johan Hovold <jhovold@gmail.com>
Subject: [ 23/33] USB: io_ti: Fix NULL dereference in chase_port()
Date: Fri, 18 Jan 2013 17:16:48 -0800 [thread overview]
Message-ID: <20130119010354.155541713@linuxfoundation.org> (raw)
In-Reply-To: <20130119010345.885772698@linuxfoundation.org>
3.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfgang Frisch <wfpub@roembden.net>
commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream.
The tty is NULL when the port is hanging up.
chase_port() needs to check for this.
This patch is intended for stable series.
The behavior was observed and tested in Linux 3.2 and 3.7.1.
Johan Hovold submitted a more elaborate patch for the mainline kernel.
[ 56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
[ 56.278811] usb 1-1: USB disconnect, device number 3
[ 56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
[ 56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
[ 56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[ 56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
[ 56.282085] Oops: 0002 [#1] SMP
[ 56.282744] Modules linked in:
[ 56.283512] CPU 1
[ 56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
[ 56.283512] RIP: 0010:[<ffffffff8144e62a>] [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[ 56.283512] RSP: 0018:ffff88001fa99ab0 EFLAGS: 00010046
[ 56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
[ 56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
[ 56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
[ 56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
[ 56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
[ 56.283512] FS: 0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
[ 56.283512] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
[ 56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
[ 56.283512] Stack:
[ 56.283512] 0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
[ 56.283512] ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
[ 56.283512] ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
[ 56.283512] Call Trace:
[ 56.283512] [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
[ 56.283512] [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[ 56.283512] [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
[ 56.283512] [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
[ 56.283512] [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
[ 56.283512] [<ffffffff81300171>] ? edge_close+0x64/0x129
[ 56.283512] [<ffffffff810612f7>] ? __wake_up+0x35/0x46
[ 56.283512] [<ffffffff8106135b>] ? should_resched+0x5/0x23
[ 56.283512] [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
[ 56.283512] [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[ 56.283512] [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
[ 56.283512] [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
[ 56.283512] [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
[ 56.283512] [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
[ 56.283512] [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
[ 56.283512] [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
[ 56.283512] [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
[ 56.283512] [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
[ 56.283512] [<ffffffff8128b7a3>] ? device_del+0x119/0x167
[ 56.283512] [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
[ 56.283512] [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
[ 56.283512] [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
[ 56.283512] [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
[ 56.283512] [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
[ 56.283512] [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[ 56.283512] [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[ 56.283512] [<ffffffff810570b4>] ? kthread+0x81/0x89
[ 56.283512] [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[ 56.283512] [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
[ 56.283512] [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[ 56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
<f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
[ 56.283512] RIP [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[ 56.283512] RSP <ffff88001fa99ab0>
[ 56.283512] CR2: 00000000000001c8
[ 56.283512] ---[ end trace 49714df27e1679ce ]---
Signed-off-by: Wolfgang Frisch <wfpub@roembden.net>
Cc: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/io_ti.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -534,6 +534,9 @@ static void chase_port(struct edgeport_p
wait_queue_t wait;
unsigned long flags;
+ if (!tty)
+ return;
+
if (!timeout)
timeout = (HZ * EDGE_CLOSING_WAIT)/100;
next prev parent reply other threads:[~2013-01-19 1:31 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-19 1:16 [ 00/33] 3.7.4-stable review Greg Kroah-Hartman
2013-01-19 1:16 ` [ 01/33] ALSA: hda/hdmi - Work around "alsactl restore" errors Greg Kroah-Hartman
2013-01-19 1:16 ` [ 02/33] sh: Fix FDPIC binary loader Greg Kroah-Hartman
2013-01-19 1:16 ` [ 03/33] firmware: make sure the fw file size is not 0 Greg Kroah-Hartman
2013-01-19 1:16 ` [ 04/33] arm64: mm: only wrprotect clean ptes if they are present Greg Kroah-Hartman
2013-01-19 1:16 ` [ 05/33] target: use correct sense code for LUN communication failure Greg Kroah-Hartman
2013-01-19 1:16 ` [ 06/33] tcm_fc: Do not indicate retry capability to initiators Greg Kroah-Hartman
2013-01-19 1:16 ` [ 07/33] tcm_fc: Do not report target role when target is not defined Greg Kroah-Hartman
2013-01-19 1:16 ` [ 08/33] target: Fix missing CMD_T_ACTIVE bit regression for pending WRITEs Greg Kroah-Hartman
2013-01-19 1:16 ` [ 09/33] target: Fix use-after-free in LUN RESET handling Greg Kroah-Hartman
2013-01-19 1:16 ` [ 10/33] target: Release se_cmd when LUN lookup fails for TMR Greg Kroah-Hartman
2013-01-19 1:16 ` [ 11/33] s390/time: fix sched_clock() overflow Greg Kroah-Hartman
2013-01-19 1:16 ` [ 12/33] x86/Sandy Bridge: reserve pages when integrated graphics is present Greg Kroah-Hartman
2013-01-19 1:16 ` [ 13/33] ALSA: usb - fix race in creation of M-Audio Fast track pro driver Greg Kroah-Hartman
2013-01-19 1:16 ` [ 14/33] ext4: init pagevec in ext4_da_block_invalidatepages Greg Kroah-Hartman
2013-01-19 1:16 ` [ 15/33] usb: chipidea: Allow disabling streaming not only in udc mode Greg Kroah-Hartman
2013-01-19 1:16 ` [ 16/33] drm/radeon: fix NULL pointer dereference in UMS mode Greg Kroah-Hartman
2013-01-19 1:16 ` [ 17/33] drm/radeon: fix a bogus kfree Greg Kroah-Hartman
2013-01-19 1:16 ` [ 18/33] target: Add link_magic for fabric allow_link destination target_items Greg Kroah-Hartman
2013-01-19 1:16 ` [ 19/33] intel-iommu: Prevent devices with RMRRs from being placed into SI Domain Greg Kroah-Hartman
2013-01-19 1:16 ` [ 20/33] igb: release already assigned MSI-X interrupts if setup fails Greg Kroah-Hartman
2013-01-19 1:16 ` [ 21/33] xen/grant-table: correctly initialize grant table version 1 Greg Kroah-Hartman
2013-01-19 1:16 ` [ 22/33] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests Greg Kroah-Hartman
2013-01-19 1:16 ` Greg Kroah-Hartman [this message]
2013-01-19 1:16 ` [ 24/33] USB: option: add TP-LINK HSUPA Modem MA180 Greg Kroah-Hartman
2013-01-19 1:16 ` [ 25/33] USB: option: blacklist network interface on ONDA MT8205 4G LTE Greg Kroah-Hartman
2013-01-19 1:16 ` [ 26/33] serial:ifx6x60:Delete SPI timer when shut down port Greg Kroah-Hartman
2013-01-19 1:16 ` [ 27/33] tty: serial: vt8500: fix return value check in vt8500_serial_probe() Greg Kroah-Hartman
2013-01-19 1:16 ` [ 28/33] tty: 8250_dw: Fix inverted arguments to serial_out in IRQ handler Greg Kroah-Hartman
2013-01-19 1:16 ` [ 29/33] 8250/16?50: Add support for Broadcom TruManage redirected serial port Greg Kroah-Hartman
2013-01-19 1:16 ` [ 30/33] staging: wlan-ng: Fix clamping of returned SSID length Greg Kroah-Hartman
2013-01-19 1:16 ` [ 31/33] staging: vt6656: Fix inconsistent structure packing Greg Kroah-Hartman
2013-01-19 1:16 ` [ 32/33] mxs: uart: fix setting RTS from software Greg Kroah-Hartman
2013-01-19 1:16 ` [ 33/33] pty: return EINVAL for TIOCGPTN for BSD ptys Greg Kroah-Hartman
2013-01-19 18:51 ` [ 00/33] 3.7.4-stable review Shuah Khan
2013-01-20 9:22 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130119010354.155541713@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jhovold@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=wfpub@roembden.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.