From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Wolfgang Frisch <wfpub@roembden.net>,
Johan Hovold <jhovold@gmail.com>
Subject: [ 26/33] USB: io_ti: Fix NULL dereference in chase_port()
Date: Wed, 5 Jun 2013 13:53:04 -0700 [thread overview]
Message-ID: <20130605204708.469990919@linuxfoundation.org> (raw)
In-Reply-To: <20130605204702.359510786@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfgang Frisch <wfpub@roembden.net>
commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream.
The tty is NULL when the port is hanging up.
chase_port() needs to check for this.
This patch is intended for stable series.
The behavior was observed and tested in Linux 3.2 and 3.7.1.
Johan Hovold submitted a more elaborate patch for the mainline kernel.
[ 56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
[ 56.278811] usb 1-1: USB disconnect, device number 3
[ 56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
[ 56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
[ 56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[ 56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
[ 56.282085] Oops: 0002 [#1] SMP
[ 56.282744] Modules linked in:
[ 56.283512] CPU 1
[ 56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
[ 56.283512] RIP: 0010:[<ffffffff8144e62a>] [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[ 56.283512] RSP: 0018:ffff88001fa99ab0 EFLAGS: 00010046
[ 56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
[ 56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
[ 56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
[ 56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
[ 56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
[ 56.283512] FS: 0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
[ 56.283512] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
[ 56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
[ 56.283512] Stack:
[ 56.283512] 0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
[ 56.283512] ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
[ 56.283512] ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
[ 56.283512] Call Trace:
[ 56.283512] [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
[ 56.283512] [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[ 56.283512] [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
[ 56.283512] [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
[ 56.283512] [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
[ 56.283512] [<ffffffff81300171>] ? edge_close+0x64/0x129
[ 56.283512] [<ffffffff810612f7>] ? __wake_up+0x35/0x46
[ 56.283512] [<ffffffff8106135b>] ? should_resched+0x5/0x23
[ 56.283512] [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
[ 56.283512] [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[ 56.283512] [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
[ 56.283512] [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
[ 56.283512] [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
[ 56.283512] [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
[ 56.283512] [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
[ 56.283512] [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
[ 56.283512] [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
[ 56.283512] [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
[ 56.283512] [<ffffffff8128b7a3>] ? device_del+0x119/0x167
[ 56.283512] [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
[ 56.283512] [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
[ 56.283512] [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
[ 56.283512] [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
[ 56.283512] [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
[ 56.283512] [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[ 56.283512] [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[ 56.283512] [<ffffffff810570b4>] ? kthread+0x81/0x89
[ 56.283512] [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[ 56.283512] [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
[ 56.283512] [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[ 56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
<f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
[ 56.283512] RIP [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[ 56.283512] RSP <ffff88001fa99ab0>
[ 56.283512] CR2: 00000000000001c8
[ 56.283512] ---[ end trace 49714df27e1679ce ]---
Signed-off-by: Wolfgang Frisch <wfpub@roembden.net>
Cc: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/io_ti.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -558,6 +558,9 @@ static void chase_port(struct edgeport_p
wait_queue_t wait;
unsigned long flags;
+ if (!tty)
+ return;
+
if (!timeout)
timeout = (HZ * EDGE_CLOSING_WAIT)/100;
next prev parent reply other threads:[~2013-06-05 20:55 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-05 20:52 [ 00/33] 3.0.81-stable review Greg Kroah-Hartman
2013-06-05 20:52 ` [ 01/33] avr32: fix relocation check for signed 18-bit offset Greg Kroah-Hartman
2013-06-05 20:52 ` [ 02/33] ARM: plat-orion: Fix num_resources and id for ge10 and ge11 Greg Kroah-Hartman
2013-06-05 20:52 ` [ 03/33] staging: vt6656: use free_netdev instead of kfree Greg Kroah-Hartman
2013-06-05 20:52 ` [ 04/33] usb: option: Add Telewell TW-LTE 4G Greg Kroah-Hartman
2013-06-05 20:52 ` [ 05/33] USB: option: add device IDs for Dell 5804 (Novatel E371) WWAN card Greg Kroah-Hartman
2013-06-05 20:52 ` [ 06/33] USB: ftdi_sio: Add support for Newport CONEX motor drivers Greg Kroah-Hartman
2013-06-05 20:52 ` [ 07/33] USB: cxacru: potential underflow in cxacru_cm_get_array() Greg Kroah-Hartman
2013-06-05 20:52 ` [ 08/33] TTY: Fix tty miss restart after we turn off flow-control Greg Kroah-Hartman
2013-06-05 20:52 ` [ 09/33] USB: Blacklisted Cinterions PLxx WWAN Interface Greg Kroah-Hartman
2013-06-05 20:52 ` [ 10/33] USB: reset resume quirk needed by a hub Greg Kroah-Hartman
2013-06-05 20:52 ` [ 11/33] USB: UHCI: fix for suspend of virtual HP controller Greg Kroah-Hartman
2013-06-05 20:52 ` [ 12/33] cifs: only set ops for inodes in I_NEW state Greg Kroah-Hartman
2013-06-05 20:52 ` [ 13/33] fat: fix possible overflow for fat_clusters Greg Kroah-Hartman
2013-06-05 20:52 ` [ 14/33] ocfs2: goto out_unlock if ocfs2_get_clusters_nocache() failed in ocfs2_fiemap() Greg Kroah-Hartman
2013-06-05 20:52 ` [ 15/33] Kirkwood: Enable PCIe port 1 on QNAP TS-11x/TS-21x Greg Kroah-Hartman
2013-06-05 20:52 ` [ 16/33] mm compaction: fix of improper cache flush in migration code Greg Kroah-Hartman
2013-06-05 20:52 ` [ 17/33] klist: del waiter from klist_remove_waiters before wakeup waitting process Greg Kroah-Hartman
2013-06-05 20:52 ` [ 18/33] wait: fix false timeouts when using wait_event_timeout() Greg Kroah-Hartman
2013-06-05 20:52 ` [ 19/33] nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary Greg Kroah-Hartman
2013-06-05 20:52 ` [ 20/33] mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Greg Kroah-Hartman
2013-06-05 20:52 ` [ 21/33] drivers/block/brd.c: fix brd_lookup_page() race Greg Kroah-Hartman
2013-06-05 20:53 ` [ 22/33] mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer Greg Kroah-Hartman
2013-06-05 20:53 ` [ 23/33] um: Serve io_remap_pfn_range() Greg Kroah-Hartman
2013-06-05 20:53 ` [ 24/33] drm/radeon: fix card_posted check for newer asics Greg Kroah-Hartman
2013-06-05 20:53 ` [ 25/33] cifs: fix potential buffer overrun when composing a new options string Greg Kroah-Hartman
2013-06-05 20:53 ` Greg Kroah-Hartman [this message]
2013-06-05 20:53 ` [ 27/33] libata: make ata_exec_internal_sg honor DMADIR Greg Kroah-Hartman
2013-06-05 20:53 ` [ 28/33] xen/events: Handle VIRQ_TIMER before any other hardirq in event loop Greg Kroah-Hartman
2013-06-05 20:53 ` [ 29/33] jfs: fix a couple races Greg Kroah-Hartman
2013-06-05 20:53 ` [ 30/33] ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range() Greg Kroah-Hartman
2013-06-05 20:53 ` [ 31/33] ALSA: usb-audio: avoid integer overflow in create_fixed_stream_quirk() Greg Kroah-Hartman
2013-06-05 20:53 ` [ 32/33] mac80211: close AP_VLAN interfaces before unregistering all Greg Kroah-Hartman
2013-06-05 20:53 ` [ 33/33] thinkpad-acpi: recognize latest V-Series using DMI_BIOS_VENDOR Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130605204708.469990919@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jhovold@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=wfpub@roembden.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.