diff options
author | Taku Izumi <izumi2005@soft.fujitsu.com> | 2007-04-23 14:41:00 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-04-24 08:23:07 -0700 |
commit | fdc30b3d448bf86dd45f9df3e8ac0d36a3bdd9b2 (patch) | |
tree | e434f6c805916d51f288d2e4848a5e86b374edc1 | |
parent | 650a7c974f1b91de9732c0f720e792837f8abfd6 (diff) | |
download | op-kernel-dev-fdc30b3d448bf86dd45f9df3e8ac0d36a3bdd9b2.zip op-kernel-dev-fdc30b3d448bf86dd45f9df3e8ac0d36a3bdd9b2.tar.gz |
Fix possible NULL pointer access in 8250 serial driver
I encountered the following kernel panic. The cause of this problem was
NULL pointer access in check_modem_status() in 8250.c. I confirmed this
problem is fixed by the attached patch, but I don't know this is the
correct fix.
sadc[4378]: NaT consumption 2216203124768 [1]
Modules linked in: binfmt_misc dm_mirror dm_mod thermal processor fan
container button sg e100 eepro100 mii ehci_hcd ohci_hcd
Pid: 4378, CPU 0, comm: sadc
psr : 00001210085a2010 ifs : 8000000000000289 ip : [<a000000100482071>]
Not tainted
ip is at check_modem_status+0xf1/0x360
Call Trace:
[<a000000100013940>] show_stack+0x40/0xa0
[<a0000001000145a0>] show_regs+0x840/0x880
[<a0000001000368e0>] die+0x1c0/0x2c0
[<a000000100036a30>] die_if_kernel+0x50/0x80
[<a000000100037c40>] ia64_fault+0x11e0/0x1300
[<a00000010000bdc0>] ia64_leave_kernel+0x0/0x280
[<a000000100482070>] check_modem_status+0xf0/0x360
[<a000000100482300>] serial8250_get_mctrl+0x20/0xa0
[<a000000100478170>] uart_read_proc+0x250/0x860
[<a0000001001c16d0>] proc_file_read+0x1d0/0x4c0
[<a0000001001394b0>] vfs_read+0x1b0/0x300
[<a000000100139cd0>] sys_read+0x70/0xe0
[<a00000010000bc20>] ia64_ret_from_syscall+0x0/0x20
[<a000000000010620>] __kernel_syscall_via_break+0x0/0x20
Fix the possible NULL pointer access in check_modem_status() in 8250.c. The
check_modem_status() would access 'info' member of uart_port structure, but it
is not initialized before uart_open() is called. The check_modem_status() can
be called through /proc/tty/driver/serial before uart_open() is called.
Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Taku Izumi <izumi2005@soft.fujitsu.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | drivers/serial/8250.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/serial/8250.c b/drivers/serial/8250.c index c129a0e..c0c472a 100644 --- a/drivers/serial/8250.c +++ b/drivers/serial/8250.c @@ -1310,7 +1310,8 @@ static unsigned int check_modem_status(struct uart_8250_port *up) { unsigned int status = serial_in(up, UART_MSR); - if (status & UART_MSR_ANY_DELTA && up->ier & UART_IER_MSI) { + if (status & UART_MSR_ANY_DELTA && up->ier & UART_IER_MSI && + up->port.info != NULL) { if (status & UART_MSR_TERI) up->port.icount.rng++; if (status & UART_MSR_DDSR) |