1 From 1ee0a224bc9aad1de496c795f96bc6ba2c394811 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Frisch <wfpub@roembden.net>
3 Date: Thu, 17 Jan 2013 01:07:02 +0100
4 Subject: USB: io_ti: Fix NULL dereference in chase_port()
5
6 From: Wolfgang Frisch <wfpub@roembden.net>
7
8 commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream.
9
10 The tty is NULL when the port is hanging up.
11 chase_port() needs to check for this.
12
13 This patch is intended for stable series.
14 The behavior was observed and tested in Linux 3.2 and 3.7.1.
15
16 Johan Hovold submitted a more elaborate patch for the mainline kernel.
17
18 [ 56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
19 [ 56.278811] usb 1-1: USB disconnect, device number 3
20 [ 56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
21 [ 56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
22 [ 56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
23 [ 56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
24 [ 56.282085] Oops: 0002 [#1] SMP
25 [ 56.282744] Modules linked in:
26 [ 56.283512] CPU 1
27 [ 56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
28 [ 56.283512] RIP: 0010:[<ffffffff8144e62a>] [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
29 [ 56.283512] RSP: 0018:ffff88001fa99ab0 EFLAGS: 00010046
30 [ 56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
31 [ 56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
32 [ 56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
33 [ 56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
34 [ 56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
35 [ 56.283512] FS: 0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
36 [ 56.283512] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
37 [ 56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
38 [ 56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
39 [ 56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
40 [ 56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
41 [ 56.283512] Stack:
42 [ 56.283512] 0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
43 [ 56.283512] ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
44 [ 56.283512] ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
45 [ 56.283512] Call Trace:
46 [ 56.283512] [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
47 [ 56.283512] [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
48 [ 56.283512] [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
49 [ 56.283512] [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
50 [ 56.283512] [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
51 [ 56.283512] [<ffffffff81300171>] ? edge_close+0x64/0x129
52 [ 56.283512] [<ffffffff810612f7>] ? __wake_up+0x35/0x46
53 [ 56.283512] [<ffffffff8106135b>] ? should_resched+0x5/0x23
54 [ 56.283512] [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
55 [ 56.283512] [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
56 [ 56.283512] [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
57 [ 56.283512] [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
58 [ 56.283512] [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
59 [ 56.283512] [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
60 [ 56.283512] [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
61 [ 56.283512] [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
62 [ 56.283512] [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
63 [ 56.283512] [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
64 [ 56.283512] [<ffffffff8128b7a3>] ? device_del+0x119/0x167
65 [ 56.283512] [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
66 [ 56.283512] [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
67 [ 56.283512] [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
68 [ 56.283512] [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
69 [ 56.283512] [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
70 [ 56.283512] [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
71 [ 56.283512] [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
72 [ 56.283512] [<ffffffff810570b4>] ? kthread+0x81/0x89
73 [ 56.283512] [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
74 [ 56.283512] [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
75 [ 56.283512] [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
76 [ 56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
77 <f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
78 [ 56.283512] RIP [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
79 [ 56.283512] RSP <ffff88001fa99ab0>
80 [ 56.283512] CR2: 00000000000001c8
81 [ 56.283512] ---[ end trace 49714df27e1679ce ]---
82
83 Signed-off-by: Wolfgang Frisch <wfpub@roembden.net>
84 Cc: Johan Hovold <jhovold@gmail.com>
85 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
86
87 ---
88 drivers/usb/serial/io_ti.c | 3 +++
89 1 file changed, 3 insertions(+)
90
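--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -534,6 +534,9 @@ static void chase_port(struct edgeport_p
 wait_queue_t wait;
 unsigned long flags;
 
+ if (!tty)
+ return;
+
 if (!timeout)
 timeout = (HZ * EDGE_CLOSING_WAIT)/100;
 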
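Review bot: The added `if (!tty) return;` at the top of chase_port() returns silently, so on the hangup/disconnect path everything after it is skipped, not only the wait that faulted in the trace (`add_wait_queue` → `_raw_spin_lock_irqsave` at offset 0x1c8 from a NULL base). The rest of the function body lies outside this hunk, so it cannot be confirmed from here whether any later step that does not need the tty (a buffer flush or a device drain, if present) should still run. The description itself points to a more elaborate mainline patch. The guard should at least carry a comment tying it to the failure it prevents, e.g. `/* tty is NULL while the port is hanging up (USB disconnect); nothing to wait on */`, so a later refactor does not drop it. Because the oops is reachable from a device unplug in the khubd context, it is also worth checking that other users of the same tty pointer on the edge_close() path are guarded in the same way.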