openkylin
/
platform_kernel-5.15
mirror of https://gitee.com/openkylin/platform_kernel-5.15.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
platform_kernel-5.15/drivers
History
Johan Hovold 33b69bf80a Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close 
Do not close protocol driver until device has been unregistered.

This fixes a race between tty_close and hci_dev_open which can result in
a NULL-pointer dereference.

The line discipline closes the protocol driver while we may still have
hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
dereference when lock is acquired and hci_init_req called.

Bug is 100% reproducible using hciattach and a disconnected serial port:

0. # hciattach -n ttyO1 any noflow

1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
   eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close detaches protocol driver and cancels init req
5. hci_dev_open (1) releases req lock
6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
   when request is prepared in hci_uart_send_frame

[  137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028
[  137.209838] pgd = c0004000
[  137.212677] [00000028] *pgd=00000000
[  137.216430] Internal error: Oops: 17 [#1]
[  137.220642] Modules linked in:
[  137.223846] CPU: 0    Tainted: G        W     (3.3.0-rc6-dirty #406)
[  137.230529] PC is at __lock_acquire+0x5c/0x1ab0
[  137.235290] LR is at lock_acquire+0x9c/0x128
[  137.239776] pc : [<c0071490>]    lr : [<c00733f8>]    psr: 20000093
[  137.239776] sp : cf869dd8  ip : c0529554  fp : c051c730
[  137.251800] r10: 00000000  r9 : cf8673c0  r8 : 00000080
[  137.257293] r7 : 00000028  r6 : 00000002  r5 : 00000000  r4 : c053fd70
[  137.264129] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000001
[  137.270965] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[  137.278717] Control: 10c5387d  Table: 8f0f4019  DAC: 00000015
[  137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8)
[  137.291229] Stack: (0xcf869dd8 to 0xcf86a000)
[  137.295776] 9dc0:                                                       c0529554 00000000
[  137.304351] 9de0: cf8673c0 cf868000 d03ea1ef cf868000 000001ef 00000470 00000000 00000002
[  137.312927] 9e00: cf8673c0 00000001 c051c730 c00716ec 0000000c 00000440 c0529554 00000001
[  137.321533] 9e20: c051c730 cf868000 d03ea1f3 00000000 c053b978 00000000 00000028 cf868000
[  137.330078] 9e40: 00000000 00000000 00000002 00000000 00000000 c00733f8 00000002 00000080
[  137.338684] 9e60: 00000000 c02a1d50 00000000 00000001 60000013 c0969a1c 60000093 c053b96c
[  137.347259] 9e80: 00000002 00000018 20000013 c02a1d50 cf0ac000 00000000 00000002 cf868000
[  137.355834] 9ea0: 00000089 c0374130 00000002 00000000 c02a1d50 cf0ac000 0000000c cf0fc540
[  137.364410] 9ec0: 00000018 c02a1d50 cf0fc540 00000000 cf0fc540 c0282238 c028220c cf178d80
[  137.372985] 9ee0: 127525d8 c02821cc 9a1fa451 c032727c 9a1fa451 127525d8 cf0fc540 cf0ac4ec
[  137.381561] 9f00: cf0ac000 cf0fc540 cf0ac584 c03285f4 c0328580 cf0ac4ec cf85c740 c05510cc
[  137.390136] 9f20: ce825400 c004c914 00000002 00000000 c004c884 ce8254f5 cf869f48 00000000
[  137.398712] 9f40: c0328580 ce825415 c0a7f914 c061af64 00000000 c048cf3c cf8673c0 cf85c740
[  137.407287] 9f60: c05510cc c051a66c c05510ec c05510c4 cf85c750 cf868000 00000089 c004d6ac
[  137.415863] 9f80: 00000000 c0073d14 00000001 cf853ed8 cf85c740 c004d558 00000013 00000000
[  137.424438] 9fa0: 00000000 00000000 00000000 c00516b0 00000000 00000000 cf85c740 00000000
[  137.433013] 9fc0: 00000001 dead4ead ffffffff ffffffff c0551674 00000000 00000000 c0450aa4
[  137.441589] 9fe0: cf869fe0 cf869fe0 cf853ed8 c005162c c0013b30 c0013b30 00ffff00 00ffff00
[  137.450164] [<c0071490>] (__lock_acquire+0x5c/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
[  137.459503] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58)
[  137.469360] [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58) from [<c02a1d50>] (skb_queue_tail+0x18/0x48)
[  137.479339] [<c02a1d50>] (skb_queue_tail+0x18/0x48) from [<c0282238>] (h4_enqueue+0x2c/0x34)
[  137.488189] [<c0282238>] (h4_enqueue+0x2c/0x34) from [<c02821cc>] (hci_uart_send_frame+0x34/0x68)
[  137.497497] [<c02821cc>] (hci_uart_send_frame+0x34/0x68) from [<c032727c>] (hci_send_frame+0x50/0x88)
[  137.507171] [<c032727c>] (hci_send_frame+0x50/0x88) from [<c03285f4>] (hci_cmd_work+0x74/0xd4)
[  137.516204] [<c03285f4>] (hci_cmd_work+0x74/0xd4) from [<c004c914>] (process_one_work+0x1a0/0x4ec)
[  137.525604] [<c004c914>] (process_one_work+0x1a0/0x4ec) from [<c004d6ac>] (worker_thread+0x154/0x344)
[  137.535278] [<c004d6ac>] (worker_thread+0x154/0x344) from [<c00516b0>] (kthread+0x84/0x90)
[  137.543975] [<c00516b0>] (kthread+0x84/0x90) from [<c0013b30>] (kernel_thread_exit+0x0/0x8)
[  137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000)
[  137.559234] ---[ end trace 1b75b31a2719ed1e ]---

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
 		2012-03-28 12:02:29 -03:00
..
accessibility vt:tackle kbd_table 2012-03-08 10:50:35 -08:00
acpi
amba
ata ata: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:16 +08:00
atm eni: fix driver remove function and driver probe error path. 2012-03-16 23:13:20 -07:00
auxdisplay
base Core device tree changes for Linux v3.4 2012-03-21 10:30:03 -07:00
bcma bcma: silence PMU warning for BCM4331 2012-03-07 13:56:37 -05:00
block Merge branch 'kmap_atomic' of git://github.com/congwang/linux 2012-03-21 09:40:26 -07:00
bluetooth Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close 2012-03-28 12:02:29 -03:00
cdrom
char Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-03-21 13:25:04 -07:00
clk
clocksource Power management updates for 3.4 2012-03-21 10:15:51 -07:00
connector
cpufreq
cpuidle Merge branch 'perf/urgent' into perf/core 2012-03-05 09:20:08 +01:00
crypto Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2012-03-21 13:20:43 -07:00
dca
devfreq PM / devfreq: add relation of recommended frequency. 2012-03-17 21:51:34 +01:00
dio
dma Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-03-20 21:12:50 -07:00
edac edac: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:17 +08:00
eisa
firewire
firmware
gpio irq_domain/powerpc: Replace custom xlate functions with library functions 2012-02-16 06:11:24 -07:00
gpu Merge branch 'kmap_atomic' of git://github.com/congwang/linux 2012-03-21 09:40:26 -07:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2012-03-20 21:11:42 -07:00
hv Tools: hv: Support enumeration from all the pools 2012-03-16 13:36:04 -07:00
hwmon hwmon changes for v3.4 2012-03-21 10:37:25 -07:00
hwspinlock
i2c i2c-algo-bit: Fix spurious SCL timeouts under heavy load 2012-03-15 18:11:05 +01:00
ide ide: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:17 +08:00
idle intel_idle: Revert change of auto_demotion_disable_flags for Nehalem 2012-02-15 22:27:15 -08:00
ieee802154
infiniband InfiniBand/RDMA changes for the 3.4 merge window. Nothing big really 2012-03-21 10:33:42 -07:00
input driver core merge for 3.4-rc1 2012-03-20 11:16:20 -07:00
iommu Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-03-20 21:12:50 -07:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-03-20 21:04:47 -07:00
leds
lguest
macintosh Core device tree changes for Linux v3.4 2012-03-21 10:30:03 -07:00
mca
md Merge branch 'kmap_atomic' of git://github.com/congwang/linux 2012-03-21 09:40:26 -07:00
media Merge branch 'kmap_atomic' of git://github.com/congwang/linux 2012-03-21 09:40:26 -07:00
memstick memstick: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:19 +08:00
message
mfd regulator: Updates for 3.4 2012-03-21 10:34:56 -07:00
misc tty and serial merge for 3.4-rc1 2012-03-20 11:24:39 -07:00
mmc Power management updates for 3.4 2012-03-21 10:15:51 -07:00
mtd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-03-20 21:12:50 -07:00
net rtlwifi: rtl8192ce: rtl8192cu: rtl8192de: Fix low-gain setting when scanning 2012-03-26 15:07:30 -04:00
nfc NFC: Remove the rf mode parameter from the DEP link up routine 2012-03-06 15:16:23 -05:00
nubus
of Core device tree changes for Linux v3.4 2012-03-21 10:30:03 -07:00
oprofile
parisc [PARISC] include <linux/prefetch.h> in drivers/parisc/iommu-helpers.h 2012-02-27 09:44:15 -06:00
parport
pci Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-03-20 21:04:47 -07:00
pcmcia Merge 3.3-rc6 into driver-core-next 2012-03-09 12:35:53 -08:00
pinctrl
platform Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-03-20 21:12:50 -07:00
pnp
power Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-03-20 21:12:50 -07:00
pps pps: class_create() returns an ERR_PTR, not NULL 2012-03-05 15:49:43 -08:00
ps3
ptp phc: Update author's email address. 2012-03-17 01:41:43 -07:00
rapidio rapidio/tsi721: fix bug in register offset definitions 2012-03-15 17:03:03 -07:00
regulator regulator: Updates for 3.4 2012-03-21 10:34:56 -07:00
rtc Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-20 10:32:09 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-03-20 21:04:47 -07:00
sbus
scsi cnic: Fix parity error code conflict 2012-03-21 21:57:36 -04:00
sfi
sh
sn
spi SPI changes for v3.4. 2012-03-21 10:32:00 -07:00
ssb Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-03-20 21:04:47 -07:00
staging Merge branch 'kmap_atomic' of git://github.com/congwang/linux 2012-03-21 09:40:26 -07:00
target Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-03-21 13:25:04 -07:00
tc
thermal
tty Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-03-20 21:12:50 -07:00
uio
usb USB merge for 3.4-rc1 2012-03-20 11:26:30 -07:00
uwb
vhost vhost: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:21 +08:00
video drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode 2012-03-15 17:03:04 -07:00
virt
virtio virtio: balloon: leak / fill balloon across S4 2012-03-01 09:28:41 +10:30
vlynq
w1 DS2781 Maxim Stand-Alone Fuel Gauge battery and w1 slave drivers 2012-03-08 11:15:33 -08:00
watchdog watchdog: fix GETTIMEOUT ioctl in booke_wdt 2012-02-29 09:46:13 +01:00
xen Merge branch 'pm-sleep' 2012-03-04 23:11:14 +01:00
zorro
Kconfig
Makefile