From: izumi <izumi2005@soft.fujitsu.com>
To: linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org
Subject: [PATCH][BUG] Fix possible NULL pointer access in 8250 serial driver
Date: Tue, 17 Apr 2007 11:15:46 +0900 [thread overview]
Message-ID: <46242DD2.7030207@soft.fujitsu.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 2914 bytes --]
Hi,
I encountered the following kernel panic. The cause of this problem was
NULL pointer access in check_modem_status() in 8250.c. I confirmed
this problem is fixed by the attached patch, but I don't know this
is the correct fix.
sadc[4378]: NaT consumption 2216203124768 [1]
Modules linked in: binfmt_misc dm_mirror dm_mod thermal processor fan
container button sg e100 eepro100 mii ehci_hcd ohci_hcd
Pid: 4378, CPU 0, comm: sadc
psr : 00001210085a2010 ifs : 8000000000000289 ip : [<a000000100482071>]
Not tainted
ip is at check_modem_status+0xf1/0x360
unat: 0000000000000000 pfs : 0000000000000289 rsc : 0000000000000003
rnat: 800000000000cc18 bsps: 0000000000000000 pr : 0000000000aa6a99
ldrs: 0000000000000000 ccv : 0000000000000000 fpsr: 0009804c8a70033f
csd : 0000000000000000 ssd : 0000000000000000
b0 : a000000100481fb0 b6 : a0000001004822e0 b7 : a000000100477f20
f6 : 1003e2222222222222222 f7 : 0ffdba200000000000000
f8 : 100018000000000000000 f9 : 10002a000000000000000
f10 : 0fffdccccccccc8c00000 f11 : 1003e0000000000000000
r1 : a000000100b9af40 r2 : 0000000000000008 r3 : a000000100ad4e21
r8 : 00000000000000bb r9 : 0000000000000001 r10 : 0000000000000000
r11 : a000000100ad4d58 r12 : e0000000037b7df0 r13 : e0000000037b0000
r14 : 0000000000000001 r15 : 0000000000000018 r16 : a000000100ad4d6c
r17 : 0000000000000000 r18 : 0000000000000000 r19 : 0000000000000000
r20 : a00000010099bc88 r21 : 00000000000000bb r22 : 00000000000000bb
r23 : c003fffffc0ff3fe r24 : c003fffffc000000 r25 : 00000000000ff3fe
r26 : a0000001009b7ad0 r27 : 0000000000000001 r28 : a0000001009b7ad8
r29 : 0000000000000000 r30 : a0000001009b7ad0 r31 : a0000001009b7ad0
Call Trace:
[<a000000100013940>] show_stack+0x40/0xa0
sp=e0000000037b7810 bsp=e0000000037b1118
[<a0000001000145a0>] show_regs+0x840/0x880
sp=e0000000037b79e0 bsp=e0000000037b10c0
[<a0000001000368e0>] die+0x1c0/0x2c0
sp=e0000000037b79e0 bsp=e0000000037b1078
[<a000000100036a30>] die_if_kernel+0x50/0x80
sp=e0000000037b7a00 bsp=e0000000037b1048
[<a000000100037c40>] ia64_fault+0x11e0/0x1300
sp=e0000000037b7a00 bsp=e0000000037b0fe8
[<a00000010000bdc0>] ia64_leave_kernel+0x0/0x280
sp=e0000000037b7c20 bsp=e0000000037b0fe8
[<a000000100482070>] check_modem_status+0xf0/0x360
sp=e0000000037b7df0 bsp=e0000000037b0fa0
[<a000000100482300>] serial8250_get_mctrl+0x20/0xa0
sp=e0000000037b7df0 bsp=e0000000037b0f80
[<a000000100478170>] uart_read_proc+0x250/0x860
sp=e0000000037b7df0 bsp=e0000000037b0ee0
[<a0000001001c16d0>] proc_file_read+0x1d0/0x4c0
sp=e0000000037b7e10 bsp=e0000000037b0e80
[<a0000001001394b0>] vfs_read+0x1b0/0x300
sp=e0000000037b7e20 bsp=e0000000037b0e30
[<a000000100139cd0>] sys_read+0x70/0xe0
sp=e0000000037b7e20 bsp=e0000000037b0db0
[<a00000010000bc20>] ia64_ret_from_syscall+0x0/0x20
sp=e0000000037b7e30 bsp=e0000000037b0db0
[<a000000000010620>] __kernel_syscall_via_break+0x0/0x20
sp=e0000000037b8000 bsp=e0000000037b0db0
Thanks,
Taku Izumi
[-- Attachment #2: serial8250.patch --]
[-- Type: text/plain, Size: 1138 bytes --]
Fix the possible NULL pointer access in check_modem_status() in
8250.c. The check_modem_status() would access 'info' member of
uart_port structure, but it is not initialized before uart_open() is
called. The check_modem_status() can be called through
/proc/tty/driver/serial before uart_open() is called.
Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Taku Izumi <izumi2005@soft.fujitsu.com>
---
drivers/serial/8250.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)
Index: linux-2.6.21-rc5/drivers/serial/8250.c
===================================================================
--- linux-2.6.21-rc5.orig/drivers/serial/8250.c 2007-03-26 09:14:37.000000000 +0900
+++ linux-2.6.21-rc5/drivers/serial/8250.c 2007-04-13 12:06:52.000000000 +0900
@@ -1310,7 +1310,8 @@
{
unsigned int status = serial_in(up, UART_MSR);
- if (status & UART_MSR_ANY_DELTA && up->ier & UART_IER_MSI) {
+ if (status & UART_MSR_ANY_DELTA && up->ier & UART_IER_MSI &&
+ up->port.info != NULL) {
if (status & UART_MSR_TERI)
up->port.icount.rng++;
if (status & UART_MSR_DDSR)
next reply other threads:[~2007-04-17 2:17 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-17 2:15 izumi [this message]
2007-04-17 5:52 ` [PATCH][BUG] Fix possible NULL pointer access in 8250 serial driver Andrew Morton
2007-04-18 8:21 ` Kenji Kaneshige
2007-04-18 16:16 ` Andrew Morton
2007-04-18 19:18 ` Russell King
2007-04-19 2:28 ` izumi
2007-04-19 5:08 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46242DD2.7030207@soft.fujitsu.com \
--to=izumi2005@soft.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.