linux/drivers/usb/serial
Wolfgang Frisch 1ee0a224bc USB: io_ti: Fix NULL dereference in chase_port()
The tty is NULL when the port is hanging up.
chase_port() needs to check for this.

This patch is intended for stable series.
The behavior was observed and tested in Linux 3.2 and 3.7.1.

Johan Hovold submitted a more elaborate patch for the mainline kernel.

[   56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
[   56.278811] usb 1-1: USB disconnect, device number 3
[   56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
[   56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
[   56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
[   56.282085] Oops: 0002 [#1] SMP
[   56.282744] Modules linked in:
[   56.283512] CPU 1
[   56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
[   56.283512] RIP: 0010:[<ffffffff8144e62a>]  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.283512] RSP: 0018:ffff88001fa99ab0  EFLAGS: 00010046
[   56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
[   56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
[   56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
[   56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
[   56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
[   56.283512] FS:  0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
[   56.283512] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
[   56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
[   56.283512] Stack:
[   56.283512]  0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
[   56.283512]  ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
[   56.283512]  ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
[   56.283512] Call Trace:
[   56.283512]  [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
[   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[   56.283512]  [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
[   56.283512]  [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
[   56.283512]  [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
[   56.283512]  [<ffffffff81300171>] ? edge_close+0x64/0x129
[   56.283512]  [<ffffffff810612f7>] ? __wake_up+0x35/0x46
[   56.283512]  [<ffffffff8106135b>] ? should_resched+0x5/0x23
[   56.283512]  [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
[   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[   56.283512]  [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
[   56.283512]  [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
[   56.283512]  [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
[   56.283512]  [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
[   56.283512]  [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
[   56.283512]  [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
[   56.283512]  [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
[   56.283512]  [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
[   56.283512]  [<ffffffff8128b7a3>] ? device_del+0x119/0x167
[   56.283512]  [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
[   56.283512]  [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
[   56.283512]  [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
[   56.283512]  [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
[   56.283512]  [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
[   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[   56.283512]  [<ffffffff810570b4>] ? kthread+0x81/0x89
[   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[   56.283512]  [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
[   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[   56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
<f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
[   56.283512] RIP  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.283512]  RSP <ffff88001fa99ab0>
[   56.283512] CR2: 00000000000001c8
[   56.283512] ---[ end trace 49714df27e1679ce ]---

Signed-off-by: Wolfgang Frisch <wfpub@roembden.net>
Cc: Johan Hovold <jhovold@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-17 17:34:39 -08:00
aircable.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
ark3116.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
belkin_sa.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
belkin_sa.h
bus.c usb-core: remove CONFIG_HOTPLUG ifdefs 2012-11-21 13:27:16 -08:00
ch341.c USB: ch341: fix port-data memory leak 2012-10-25 09:36:57 -07:00
console.c USB merge for 3.7-rc1 2012-10-01 13:23:01 -07:00
cp210x.c USB: cp210x: add Virtenio Preon32 device id 2012-11-26 14:57:20 -08:00
cyberjack.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
cypress_m8.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
cypress_m8.h
digi_acceleport.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
empeg.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
ezusb_convert.pl
f81232.c USB: f81232: fix port-data memory leak 2012-10-17 13:47:58 -07:00
ftdi_sio_ids.h usb: ftdi_sio: Crucible Technologies COMET Caller ID - pid added 2013-01-13 13:44:23 -08:00
ftdi_sio.c usb: ftdi_sio: Crucible Technologies COMET Caller ID - pid added 2013-01-13 13:44:23 -08:00
ftdi_sio.h
funsoft.c USB: serial: funsoft.c: remove debug module parameter 2012-09-14 12:31:27 -07:00
garmin_gps.c USB: fix port probing and removal in garmin_gps 2012-10-16 10:25:55 -07:00
generic.c USB: serial: export usb_serial_generic_chars_in_buffer 2012-10-30 13:19:30 -07:00
hp4x.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
io_16654.h
io_edgeport.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
io_edgeport.h
io_ionsp.h
io_tables.h USB: io_edgeport: fix port-data memory leak 2012-10-17 13:47:58 -07:00
io_ti.c USB: io_ti: Fix NULL dereference in chase_port() 2013-01-17 17:34:39 -08:00
io_ti.h
io_usbvend.h
ipaq.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
ipw.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
ir-usb.c USB merge for 3.7-rc1 2012-10-01 13:23:01 -07:00
iuu_phoenix.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
iuu_phoenix.h
Kconfig USB: ezusb: move ezusb.c from drivers/usb/serial to drivers/usb/misc 2012-09-26 14:20:28 -07:00
keyspan_pda.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
keyspan_usa26msg.h
keyspan_usa28msg.h
keyspan_usa49msg.h
keyspan_usa67msg.h
keyspan_usa90msg.h
keyspan.c Merge 3.7-rc6 into usb-next. 2012-11-16 18:46:21 -08:00
keyspan.h USB: keyspan: fix NULL-pointer dereferences and memory leaks 2012-10-25 09:37:13 -07:00
kl5kusb105.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
kl5kusb105.h
kobil_sct.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
kobil_sct.h
Makefile USB: ezusb: move ezusb.c from drivers/usb/serial to drivers/usb/misc 2012-09-26 14:20:28 -07:00
Makefile-keyspan_pda_fw
mct_u232.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
mct_u232.h
metro-usb.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
mos7720.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
mos7840.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
moto_modem.c
navman.c USB: Serial: navman.c: remove debug module parameter 2012-09-18 10:16:01 +01:00
omninet.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
opticon.c USB: opticon: switch to generic read implementation 2012-11-21 13:33:56 -08:00
option.c USB: option: add TP-LINK HSUPA Modem MA180 2013-01-17 17:34:39 -08:00
oti6858.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
oti6858.h
pl2303.c USB: pl2303: fix port-data memory leak 2012-10-16 10:25:54 -07:00
pl2303.h
qcaux.c USB: qcaux: add Pantech vendor class match 2012-09-21 09:42:02 -07:00
qcserial.c USB: qcserial: fix interface-data memory leak in error path 2012-10-25 09:39:38 -07:00
quatech2.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
safe_serial.c USB: serial: safe-serial: fix up printk() usage 2012-09-18 17:07:24 +01:00
siemens_mpi.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
sierra.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
spcp8x5.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
ssu100.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
symbolserial.c USB: Serial: symbolserial.c: remove debug module parameter 2012-09-18 10:16:20 +01:00
ti_usb_3410_5052.c USB: ti_usb_3410_5052: fix port-data memory leak 2012-10-17 13:47:59 -07:00
ti_usb_3410_5052.h
usb_debug.c
usb_wwan.c Merge 3.7-rc6 into usb-next. 2012-11-16 18:46:21 -08:00
usb-serial.c TTY: call tty_port_destroy in the rest of drivers 2012-11-15 17:20:58 -08:00
usb-wwan.h USB: usb-wwan: fix multiple memory leaks in error paths 2012-10-25 09:37:13 -07:00
visor.c USB: Serial: visor.c: remove debug module parameter 2012-09-18 10:16:28 +01:00
visor.h
vivopay-serial.c USB: serial: remove driver version information 2012-10-31 12:48:06 -07:00
whiteheat.c USB: whiteheat: fix port-data memory leak 2012-10-25 09:36:57 -07:00
whiteheat.h
zio.c
zte_ev.c