stable.vger.kernel.org archive mirror
From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Johan Hovold <jhovold@gmail.com>
Subject: [ 19/59] USB: serial: fix race between probe and open
Date: Thu, 19 Apr 2012 14:06:30 -0700	[thread overview]
Message-ID: <20120419210612.721548600@linuxfoundation.org> (raw)
In-Reply-To: <20120419210623.GA12156@kroah.com>

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jhovold@gmail.com>

commit a65a6f14dc24a90bde3f5d0073ba2364476200bf upstream.

Fix race between probe and open by making sure that the disconnected
flag is not cleared until all ports have been registered.

A call to tty_open while probe is running may get a reference to the
serial structure in serial_install before its ports have been
registered. This may lead to usb_serial_core calling driver open before
the port is fully initialised.

With ftdi_sio this results in the following NULL-pointer dereference, as
the private data has not been initialised at open:

[  199.698286] IP: [<f811a089>] ftdi_open+0x59/0xe0 [ftdi_sio]
[  199.698297] *pde = 00000000
[  199.698303] Oops: 0000 [#1] PREEMPT SMP
[  199.698313] Modules linked in: ftdi_sio usbserial
[  199.698323]
[  199.698327] Pid: 1146, comm: ftdi_open Not tainted 3.2.11 #70 Dell Inc. Vostro 1520/0T816J
[  199.698339] EIP: 0060:[<f811a089>] EFLAGS: 00010286 CPU: 0
[  199.698344] EIP is at ftdi_open+0x59/0xe0 [ftdi_sio]
[  199.698348] EAX: 0000003e EBX: f5067000 ECX: 00000000 EDX: 80000600
[  199.698352] ESI: f48d8800 EDI: 00000001 EBP: f515dd54 ESP: f515dcfc
[  199.698356]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[  199.698361] Process ftdi_open (pid: 1146, ti=f515c000 task=f481e040 task.ti=f515c000)
[  199.698364] Stack:
[  199.698368]  f811a9fe f811a9e0 f811b3ef 00000000 00000000 00001388 00000000 f4a86800
[  199.698387]  00000002 00000000 f806e68e 00000000 f532765c f481e040 00000246 22222222
[  199.698479]  22222222 22222222 22222222 f5067004 f5327600 f5327638 f515dd74 f806e6ab
[  199.698496] Call Trace:
[  199.698504]  [<f806e68e>] ? serial_activate+0x2e/0x70 [usbserial]
[  199.698511]  [<f806e6ab>] serial_activate+0x4b/0x70 [usbserial]
[  199.698521]  [<c126380c>] tty_port_open+0x7c/0xd0
[  199.698527]  [<f806e660>] ? serial_set_termios+0xa0/0xa0 [usbserial]
[  199.698534]  [<f806e76f>] serial_open+0x2f/0x70 [usbserial]
[  199.698540]  [<c125d07c>] tty_open+0x20c/0x510
[  199.698546]  [<c10e9eb7>] chrdev_open+0xe7/0x230
[  199.698553]  [<c10e48f2>] __dentry_open+0x1f2/0x390
[  199.698559]  [<c144bfec>] ? _raw_spin_unlock+0x2c/0x50
[  199.698565]  [<c10e4b76>] nameidata_to_filp+0x66/0x80
[  199.698570]  [<c10e9dd0>] ? cdev_put+0x20/0x20
[  199.698576]  [<c10f3e08>] do_last+0x198/0x730
[  199.698581]  [<c10f4440>] path_openat+0xa0/0x350
[  199.698587]  [<c10f47d5>] do_filp_open+0x35/0x80
[  199.698593]  [<c144bfec>] ? _raw_spin_unlock+0x2c/0x50
[  199.698599]  [<c10ff110>] ? alloc_fd+0xc0/0x100
[  199.698605]  [<c10f0b72>] ? getname_flags+0x72/0x120
[  199.698611]  [<c10e4450>] do_sys_open+0xf0/0x1c0
[  199.698617]  [<c11fcc08>] ? trace_hardirqs_on_thunk+0xc/0x10
[  199.698623]  [<c10e458e>] sys_open+0x2e/0x40
[  199.698628]  [<c144c990>] sysenter_do_call+0x12/0x36
[  199.698632] Code: 85 89 00 00 00 8b 16 8b 4d c0 c1 e2 08 c7 44 24 14 88 13 00 00 81 ca 00 00 00 80 c7 44 24 10 00 00 00 00 c7 44 24 0c 00 00 00 00 <0f> b7 41 78 31 c9 89 44 24 08 c7 44 24 04 00 00 00 00 c7 04 24
[  199.698884] EIP: [<f811a089>] ftdi_open+0x59/0xe0 [ftdi_sio] SS:ESP 0068:f515dcfc
[  199.698893] CR2: 0000000000000078
[  199.698925] ---[ end trace 77c43ec023940cff ]---

Reported-and-tested-by: Ken Huang <csuhgw@gmail.com>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/usb-serial.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -1059,6 +1059,12 @@ int usb_serial_probe(struct usb_interfac
 		serial->attached = 1;
 	}
 
+	/* Avoid race with tty_open and serial_install by setting the
+	 * disconnected flag and not clearing it until all ports have been
+	 * registered.
+	 */
+	serial->disconnected = 1;
+
 	if (get_free_serial(serial, num_ports, &minor) == NULL) {
 		dev_err(&interface->dev, "No more free serial devices\n");
 		goto probe_error;
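Review bot: the comment above `serial->disconnected = 1;` names tty_open and serial_install as the other side of the race but not which check there reads the flag; one clause naming the test in serial_install that refuses a disconnected serial would let a later reader verify the pairing without searching. Worth stating too that the flag is raised before get_free_serial, so a tty opened against the minor is refused from the moment the minor exists.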
@@ -1083,6 +1089,8 @@ int usb_serial_probe(struct usb_interfac
 		}
 	}
 
+	serial->disconnected = 0;
+
 	usb_serial_console_init(debug, minor);
 
 exit:
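Review bot: the clear at `serial->disconnected = 0;` is a plain store with no lock or barrier visible in the hunk, while the commit message says the open path tests the flag from serial_install; if that test runs under a lock, the clear should happen under the same lock (or the comment should say what orders it), otherwise an opener could observe disconnected == 0 before the port registration writes in the loop above are visible to it. A short note on the error paths between the two hunks would also help: a probe that fails after the flag is raised leaves it at 1, which looks intended, but saying so saves the next reader the question.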



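As an added illustration (not part of the patch or of the kernel sources), a user-space model of the race and of the gate the two hunks introduce: struct port, struct serial, probe_begin, probe_finish and serial_open are assumed stand-ins for the kernel objects, and the driver open reports a NULL private pointer as -EFAULT instead of oopsing.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

#define NUM_PORTS 2

/* Assumed stand-ins for usb_serial_port / usb_serial, not the real structs. */
struct port { void *private; };
struct serial {
    atomic_int disconnected;
    int attached;
    struct port ports[NUM_PORTS];
};

static int private_data[NUM_PORTS];   /* constructed stand-in for driver private data */

/* Driver open callback: like ftdi_open, it needs port->private.
 * A NULL pointer is reported as -EFAULT here instead of crashing. */
static int driver_open(struct port *p)
{
    if (p->private == NULL)
        return -EFAULT;
    return 0;
}

/* The open side: refuse a serial that is still marked disconnected. */
int serial_open(struct serial *s, int idx)
{
    if (atomic_load_explicit(&s->disconnected, memory_order_acquire))
        return -ENODEV;
    return driver_open(&s->ports[idx]);
}

/* Probe is split in two so a caller can interleave an open between the halves. */
void probe_begin(struct serial *s, int with_fix)
{
    memset(s, 0, sizeof *s);
    atomic_init(&s->disconnected, 0);
    s->attached = 1;
    if (with_fix)   /* first hunk: gate opens until every port is registered */
        atomic_store_explicit(&s->disconnected, 1, memory_order_release);
}

void probe_finish(struct serial *s)
{
    for (int i = 0; i < NUM_PORTS; i++)   /* port registration: private data becomes valid */
        s->ports[i].private = &private_data[i];
    /* second hunk: clear the flag only after all ports are registered */
    atomic_store_explicit(&s->disconnected, 0, memory_order_release);
}
```

Without the gate an open interleaved between the two probe halves reaches a port whose private data is still NULL; with it the open gets -ENODEV until probe_finish has run.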