| Message ID | 20180514082120.10443-2-kai.heng.feng@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | Fix null pointer dereference when xHCI gets unplugged | expand |
On Mon, May 14, 2018 at 04:21:20PM +0800, Kai-Heng Feng wrote: > From: Zhengjun Xing <zhengjun.xing@linux.intel.com> > > BugLink: https://bugs.launchpad.net/bugs/1768852 > > tty_unregister_driver may be called more than 1 time in some > hotplug cases,it will cause the kernel oops. This patch checked > dbc_tty_driver to make sure it is unregistered only 1 time. > > [ 175.741404] BUG: unable to handle kernel NULL pointer dereference at 0000000000000034 > [ 175.742309] IP: tty_unregister_driver+0x9/0x70 > [ 175.743148] PGD 0 P4D 0 > [ 175.743981] Oops: 0000 [#1] SMP PTI > [ 175.753904] RIP: 0010:tty_unregister_driver+0x9/0x70 > [ 175.754817] RSP: 0018:ffffa8ff831d3bb0 EFLAGS: 00010246 > [ 175.755753] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 > [ 175.756685] RDX: ffff92089c616000 RSI: ffffe64fe1b26080 RDI: 0000000000000000 > [ 175.757608] RBP: ffff92086c988230 R08: 000000006c982701 R09: 00000001801e0016 > [ 175.758533] R10: ffffa8ff831d3b48 R11: ffff92086c982100 R12: ffff92086c98827c > [ 175.759462] R13: ffff92086c988398 R14: 0000000000000060 R15: ffff92089c5e9b40 > [ 175.760401] FS: 0000000000000000(0000) GS:ffff9208a0100000(0000) knlGS:0000000000000000 > [ 175.761334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 175.762270] CR2: 0000000000000034 CR3: 000000011800a003 CR4: 00000000003606e0 > [ 175.763225] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 175.764164] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 175.765091] Call Trace: > [ 175.766014] xhci_dbc_tty_unregister_driver+0x11/0x30 > [ 175.766960] xhci_dbc_exit+0x2a/0x40 > [ 175.767889] xhci_stop+0x57/0x1c0 > [ 175.768824] usb_remove_hcd+0x100/0x250 > [ 175.769708] usb_hcd_pci_remove+0x68/0x130 > [ 175.770574] pci_device_remove+0x3b/0xc0 > [ 175.771435] device_release_driver_internal+0x157/0x230 > [ 175.772343] pci_stop_bus_device+0x74/0xa0 > [ 175.773205] pci_stop_bus_device+0x2b/0xa0 > [ 175.774061] pci_stop_bus_device+0x2b/0xa0 > [ 175.774907] pci_stop_bus_device+0x2b/0xa0 > [ 175.775741] pci_stop_bus_device+0x2b/0xa0 > [ 175.776618] pci_stop_bus_device+0x2b/0xa0 > [ 175.777452] pci_stop_bus_device+0x2b/0xa0 > [ 175.778273] pci_stop_bus_device+0x2b/0xa0 > [ 175.779092] pci_stop_bus_device+0x2b/0xa0 > [ 175.779908] pci_stop_bus_device+0x2b/0xa0 > [ 175.780750] pci_stop_bus_device+0x2b/0xa0 > [ 175.781543] pci_stop_and_remove_bus_device+0xe/0x20 > [ 175.782338] pciehp_unconfigure_device+0xb8/0x160 > [ 175.783128] pciehp_disable_slot+0x4f/0xd0 > [ 175.783920] pciehp_power_thread+0x82/0xa0 > [ 175.784766] process_one_work+0x147/0x3c0 > [ 175.785564] worker_thread+0x4a/0x440 > [ 175.786376] kthread+0xf8/0x130 > [ 175.787174] ? rescuer_thread+0x360/0x360 > [ 175.787964] ? kthread_associate_blkcg+0x90/0x90 > [ 175.788798] ret_from_fork+0x35/0x40 > > Cc: <stable@vger.kernel.org> # 4.16 > Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") > Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com> > Tested-by: Christian Kellner <christian@kellner.me> > Reviewed-by: Christian Kellner <christian@kellner.me> > Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 7fc65d4c2ba9e5006c629669146c6876b65aa233) > Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> > --- > drivers/usb/host/xhci-dbgtty.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c > index 48811d72a94c..f64307fcaca0 100644 > --- a/drivers/usb/host/xhci-dbgtty.c > +++ b/drivers/usb/host/xhci-dbgtty.c > @@ -318,9 +318,11 @@ int xhci_dbc_tty_register_driver(struct xhci_hcd *xhci) > > void xhci_dbc_tty_unregister_driver(void) > { > - tty_unregister_driver(dbc_tty_driver); > - put_tty_driver(dbc_tty_driver); > - dbc_tty_driver = NULL; > + if (dbc_tty_driver) { > + tty_unregister_driver(dbc_tty_driver); > + put_tty_driver(dbc_tty_driver); > + dbc_tty_driver = NULL; > + } > } > > static void dbc_rx_push(unsigned long _port) > -- > 2.17.0 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Clean cherry-pick, looks to do what is claimed. Seems safe enough. Acked-by: Andy Whitcroft <apw@canonical.com>
diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index 48811d72a94c..f64307fcaca0 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -318,9 +318,11 @@ int xhci_dbc_tty_register_driver(struct xhci_hcd *xhci) void xhci_dbc_tty_unregister_driver(void) { - tty_unregister_driver(dbc_tty_driver); - put_tty_driver(dbc_tty_driver); - dbc_tty_driver = NULL; + if (dbc_tty_driver) { + tty_unregister_driver(dbc_tty_driver); + put_tty_driver(dbc_tty_driver); + dbc_tty_driver = NULL; + } } static void dbc_rx_push(unsigned long _port)