public inbox for stable@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Wolfgang Frisch <wfpub@roembden.net>,
	Johan Hovold <jhovold@gmail.com>
Subject: [ 33/44] USB: io_ti: Fix NULL dereference in chase_port()
Date: Wed,  5 Jun 2013 14:12:31 -0700
Message-ID: <20130605211225.293610823@linuxfoundation.org>
In-Reply-To: <20130605211221.858177087@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfgang Frisch <wfpub@roembden.net>

commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream.

The tty is NULL when the port is hanging up.
chase_port() needs to check for this.

This patch is intended for stable series.
The behavior was observed and tested in Linux 3.2 and 3.7.1.

Johan Hovold submitted a more elaborate patch for the mainline kernel.

[   56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
[   56.278811] usb 1-1: USB disconnect, device number 3
[   56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
[   56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
[   56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
[   56.282085] Oops: 0002 [#1] SMP
[   56.282744] Modules linked in:
[   56.283512] CPU 1
[   56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
[   56.283512] RIP: 0010:[<ffffffff8144e62a>]  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.283512] RSP: 0018:ffff88001fa99ab0  EFLAGS: 00010046
[   56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
[   56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
[   56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
[   56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
[   56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
[   56.283512] FS:  0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
[   56.283512] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
[   56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
[   56.283512] Stack:
[   56.283512]  0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
[   56.283512]  ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
[   56.283512]  ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
[   56.283512] Call Trace:
[   56.283512]  [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
[   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[   56.283512]  [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
[   56.283512]  [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
[   56.283512]  [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
[   56.283512]  [<ffffffff81300171>] ? edge_close+0x64/0x129
[   56.283512]  [<ffffffff810612f7>] ? __wake_up+0x35/0x46
[   56.283512]  [<ffffffff8106135b>] ? should_resched+0x5/0x23
[   56.283512]  [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
[   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[   56.283512]  [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
[   56.283512]  [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
[   56.283512]  [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
[   56.283512]  [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
[   56.283512]  [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
[   56.283512]  [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
[   56.283512]  [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
[   56.283512]  [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
[   56.283512]  [<ffffffff8128b7a3>] ? device_del+0x119/0x167
[   56.283512]  [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
[   56.283512]  [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
[   56.283512]  [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
[   56.283512]  [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
[   56.283512]  [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
[   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[   56.283512]  [<ffffffff810570b4>] ? kthread+0x81/0x89
[   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[   56.283512]  [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
[   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[   56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
<f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
[   56.283512] RIP  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.283512]  RSP <ffff88001fa99ab0>
[   56.283512] CR2: 00000000000001c8
[   56.283512] ---[ end trace 49714df27e1679ce ]---

Signed-off-by: Wolfgang Frisch <wfpub@roembden.net>
Cc: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/io_ti.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -550,6 +550,9 @@ static void chase_port(struct edgeport_p
 	wait_queue_t wait;
 	unsigned long flags;
 
+	if (!tty)
+		return;
+
 	if (!timeout)
 		timeout = (HZ * EDGE_CLOSING_WAIT)/100;
 
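Review bot: The new `if (!tty) return;` at the top of chase_port() has no comment saying when tty can legitimately be NULL, and because it sits before the timeout setup it skips the entire function, so nothing is waited for on that path. A one-line comment such as `/* tty is NULL when the port is hanging up */` would tie the check to the hangup case named in the commit message. It is also worth confirming that skipping the wait is acceptable there: the oops shows chase_port() reached from edge_close() under tty_port_shutdown() during a USB disconnect, faulting in _raw_spin_lock_irqsave at address 0x1c8.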


