From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Marcin Slusarz <marcin.slusarz@gmail.com>,
David Woodhouse <dwmw2@infradead.org>
Subject: [patch 14/85] USB: emi26: fix oops on load
Date: Thu, 15 Jan 2009 13:59:22 -0800
Message-ID: <20090115215922.GO17227@kroah.com>
In-Reply-To: <20090115215812.GA17227@kroah.com>
[-- Attachment #1: usb-emi26-fix-oops-on-load.patch --]
[-- Type: text/plain, Size: 3918 bytes --]
2.6.27-stable review patch. If anyone has any objections, please let us know.
------------------
From: Marcin Slusarz <marcin.slusarz@gmail.com>
commit 327d74f6b65ddc8a042c43c11fdd4be0bb354668 upstream.
Fix oops introduced by commit ae93a55bf948753de0bb8e43fa9c027f786abb05
(emi26: use request_firmware()):
usb 1-1: new full speed USB device using uhci_hcd and address 2
usb 1-1: configuration #1 chosen from 1 choice
emi26 - firmware loader 1-1:1.0: emi26_probe start
usb 1-1: firmware: requesting emi26/loader.fw
usb 1-1: firmware: requesting emi26/bitstream.fw
usb 1-1: firmware: requesting emi26/firmware.fw
usb 1-1: emi26_set_reset - 1
usb 1-1: emi26_set_reset - 0
BUG: unable to handle kernel NULL pointer dereference at 00000000
IP: [<f80dc487>] emi26_probe+0x2f7/0x620 [emi26]
*pde = 00000000
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1d.0/usb1/1-1/firmware/1-1/loading
Modules linked in: emi26(+) ipv6 cpufreq_ondemand coretemp arc4 ecb iwl3945 irtty_sir sir_dev nsc_ircc ehci_hcd uhci_hcd mac80211 irda usbcore snd_hda_intel thinkpad_acpi rfkill hwmon led_class e1000e snd_pcm cfg80211 snd_timer crc_ccitt snd snd_page_alloc aes_generic
Pid: 5082, comm: modprobe Not tainted (2.6.28 #2) 17023QG
EIP: 0060:[<f80dc487>] EFLAGS: 00010206 CPU: 0
EIP is at emi26_probe+0x2f7/0x620 [emi26]
EAX: 0000015c EBX: 00000000 ECX: c1ffd9c0 EDX: 00000000
ESI: 0000015c EDI: f6bb215c EBP: f6bb0400 ESP: f00ebcfc
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process modprobe (pid: 5082, ti=f00ea000 task=f5c7c700 task.ti=f00ea000)
Stack:
0000015c 000000a5 f6a67cb8 f80dc7e0 c01c6262 fbef2986 f6bb2000 00008fe0
0000015c f715f748 f715f740 f715f738 f715f748 f6a67c00 f80dd040 f80dcfc0
f6bb0400 fbacb290 f6a67c94 fbae0160 c01c70bf 00000000 f6a67c1c 00000000
Call Trace:
[<c01c6262>] sysfs_add_one+0x12/0x50
[<fbacb290>] usb_probe_interface+0xa0/0x140 [usbcore]
[<c01c70bf>] sysfs_create_link+0xf/0x20
[<c02dead2>] driver_probe_device+0x82/0x180
[<fbac9eeb>] usb_match_id+0x3b/0x50 [usbcore]
[<c02dec4e>] __driver_attach+0x7e/0x80
[<c02de27a>] bus_for_each_dev+0x3a/0x60
[<c02de956>] driver_attach+0x16/0x20
[<c02debd0>] __driver_attach+0x0/0x80
[<c02de7b1>] bus_add_driver+0x1a1/0x220
[<c02dee4d>] driver_register+0x4d/0x120
[<c024e622>] idr_get_empty_slot+0xf2/0x290
[<fbacab71>] usb_register_driver+0x81/0x100 [usbcore]
[<f806c000>] emi26_init+0x0/0x14 [emi26]
[<c0101126>] do_one_initcall+0x36/0x1b0
[<c01c5e70>] sysfs_ilookup_test+0x0/0x10
[<c0197a61>] ifind+0x31/0x90
[<c01c6229>] __sysfs_add_one+0x59/0x80
[<c01c64e4>] sysfs_addrm_finish+0x14/0x1c0
[<c0175ca3>] __vunmap+0xa3/0xd0
[<c014b854>] load_module+0x1544/0x1640
[<c014b9d7>] sys_init_module+0x87/0x1b0
[<c0187f41>] sys_read+0x41/0x70
[<c01032a5>] sysenter_do_call+0x12/0x21
[<c03d0000>] wait_for_common+0x40/0x110
Code: 66 c1 e8 08 66 09 d0 75 a5 31 d2 89 e8 e8 72 fc ff ff 85 c0 0f 88 9a 02 00 00 b8 fa 00 00 00 e8 30 46 05 c8 8b 74 24 28 8b 5e 04 <8b> 03 89 44 24 1c 0f c8 89 44 24 1c 0f b7 4b 04 c7 44 24 20 00
EIP: [<f80dc487>] emi26_probe+0x2f7/0x620 [emi26] SS:ESP 0068:f00ebcfc
---[ end trace 2eefa13825431230 ]---
After the last "package" of firmware data is sent to the device, we dereference
a NULL pointer (on access to rec->addr). Fix it.
Reported-by: David Flatz <david@upcs.at>
Tested-by: David Flatz <david@upcs.at>
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/misc/emi26.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/emi26.c
+++ b/drivers/usb/misc/emi26.c
@@ -157,7 +157,7 @@ static int emi26_load_firmware (struct u
err("%s - error loading firmware: error = %d", __func__, err);
goto wraperr;
}
- } while (i > 0);
+ } while (rec);
/* Assert reset (stop the CPU in the EMI) */
err = emi26_set_reset(dev,1);
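Review bot: the new `} while (rec);` test is still evaluated only after the loop body, so the first pass through the body uses rec (the commit message names the rec->addr access) before anything has checked it. If the firmware image ever yields no first record, the same NULL dereference remains on entry. A pre-test `while (rec) { ... }` loop, or an explicit NULL check before the `do`, would close that case. It is also worth confirming in the full function whether `i` still has a use now that it no longer controls termination, and whether the other firmware loops in this function follow the same `i > 0` pattern.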