linux/drivers
Aristeu Rozanski 9a6b1efa6f USB: usb_serial: clean tty reference in the last close
When a usb serial adapter is used as console, the usb serial console
driver bumps the open_count on the port struct used but doesn't attach
a real tty to it (only a fake one temporarily). If this port is opened later
using the regular character device interface, the open method won't
initialize the port, which is expected, and will receive a brand new
tty struct created by tty layer, which will be stored in port->tty.

When the last close is issued, open_count won't be 0 because of the
console usage and the port->tty will still contain the old tty value. This
is the last ttyUSB<n> close so the allocated tty will be freed by the
tty layer. The usb_serial and usb_serial_port are still in use by the
console, so port_free() won't be called (serial_close() ->
usb_serial_put() -> destroy_serial() -> port_free()), so the scheduled
work (port->work, usb_serial_port_work()) will still run. And
usb_serial_port_work() does:
(...)
        tty = port->tty;
        if (!tty)
                return;

        tty_wakeup(tty);
which causes (manually copied):

Faulting instruction address: 0x6b6b6b68
Oops: Kernel access of bad area, sig: 11 [#1]
PREEMPT PowerMac
Modules linked in: binfmt_misc ipv6 nfs lockd nfs_acl sunrpc dm_snapshot dm_mirror dm_mod hfsplus uinput ams input_polldev genrtc cpufreq_powersave i2c_powermac therm_adt746x snd_aoa_codec_tas snd_aoa_fabric_layout snd_aoa joydev snd_aoa_i2sbus snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc pmac_zilog serial_core evdev ide_cd cdrom snd appletouch soundcore snd_aoa_soundbus bcm43xx firmware_class usbhid ieee80211softmac ff_memless firewire_ohci firewire_core ieee80211 ieee80211_crypt crc_itu_t sungem sungem_phy uninorth_agp agpart ssb
NIP: 6b6b6b68 LR: c01b2108 CTR: 6b6b6b6b
REGS: c106de80 TRAP: 0400   Not tainted  (2.6.24-rc2)
MSR: 40009032 <EE,ME,IR,DR>  CR: 82004024  XER: 00000000
TASK = c106b4c0[5] 'events/0' THREAD: c106c000
GPR00: 6b6b6b6b c106df30 c106b4c0 c2d613a0 00009032 00000001 00001a00 00000001
GPR08: 00000008 00000000 00000000 c106c000 42004028 00000000 016ffbe0 0171a724
GPR16: 016ffcf4 00240e24 00240e70 016fee68 016ff9a4 c03046c4 c0327f50 c03046fc
GPR24: c106b6b9 c106b4c0 c101d610 c106c000 c02160fc c1eac1dc c2d613ac c2d613a0
NIP [6b6b6b68] 0x6b6b6b68
LR [c01b2108] tty_wakeup+0x6c/0x9c
Call Trace:
[c106df30] [c01b20e8] tty_wakeup+0x4c/0x9c (unreliable)
[c106df40] [c0216138] usb_serial_port_work+0x3c/0x78
[c106df50] [c00432e8] run_workqueue+0xc4/0x15c
[c106df90] [c0043798] worker_thread+0xa0/0x124
[c106dfd0] [c0048224] kthread+0x48/0x84
[c106dff0] [c00129bc] kernel_thread+0x44/0x60
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
Slab corruption: size-2048 start=c2d613a0, len=2048
Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
Last user: [<c01b16d8>](release_one_tty+0xbc/0xf4)
050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Prev obj: start=c2d60b88, len=2048
Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
Last user: [<c00f30ec>](show_stat+0x410/0x428)
000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b

This patch avoids this, clearing port->tty considering if the port is
used as serial console or not.

Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-02-01 14:34:50 -08:00
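
The lifetime problem described in the commit message above, as a small userspace C model (an added example, not the kernel patch or code from the commit). The struct and function names, the freed flag standing in for the tty layer's free, and the close-time rule open_count == (console ? 1 : 0) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace stand-ins for the kernel objects named in the commit message. */
struct tty  { bool freed; };   /* freed: already released by the tty layer */
struct port { int open_count; bool console; struct tty *tty; };
enum work_result { WORK_NO_TTY, WORK_WAKEUP_OK, WORK_STALE_TTY };

/* Console setup: takes a port reference but attaches no real tty. */
static void console_setup(struct port *p) { p->console = true; p->open_count++; }

/* open() on ttyUSB<n>: the tty layer supplies a new tty, kept in port->tty. */
static void chardev_open(struct port *p, struct tty *t)
{
    t->freed = false;
    p->open_count++;
    p->tty = t;
}

/* Last close() on ttyUSB<n>. With fixed set, port->tty is cleared once only
 * the console's reference (if any) remains; otherwise only at zero. */
static void chardev_close(struct port *p, bool fixed)
{
    struct tty *t = p->tty;
    int remaining = (fixed && p->console) ? 1 : 0;
    if (--p->open_count == remaining)
        p->tty = NULL;
    t->freed = true;           /* the tty layer frees the tty here */
}

/* Model of usb_serial_port_work(): what would tty_wakeup() be handed? */
static enum work_result port_work(const struct port *p)
{
    if (!p->tty)
        return WORK_NO_TTY;
    return p->tty->freed ? WORK_STALE_TTY : WORK_WAKEUP_OK;
}

/* Optional console setup, one open, one close, then the scheduled work. */
static enum work_result scenario(bool console, bool fixed)
{
    struct tty t;
    struct port p = { 0, false, NULL };
    if (console)
        console_setup(&p);
    chardev_open(&p, &t);
    chardev_close(&p, fixed);
    return port_work(&p);
}
```

With console set and fixed clear, port_work() is left holding the released tty, which is the state behind the 0x6b (slab free poison) addresses in the oops; with fixed set it sees NULL and returns early.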
..
acorn/char
acpi x86: don't disable TSC in any C states on AMD Fam10h 2008-01-30 13:32:41 +01:00
amba
ata Merge branch 'linux-2.6' 2008-01-31 11:25:51 +11:00
atm [ATM]: [he] fixing compilation when you define USE_RBPS_POOL/USE_RBPL_POOL 2008-01-28 15:00:15 -08:00
auxdisplay
base Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-2.6 2008-01-31 09:31:37 +11:00
block USB: Remove unnecessary zeroing from ub 2008-02-01 14:34:47 -08:00
bluetooth
cdrom
char unexport add_disk_randomness 2008-02-01 09:26:32 +01:00
clocksource
connector [NETNS]: Consolidate kernel netlink socket destruction. 2008-01-28 15:08:07 -08:00
cpufreq cpufreq: fix obvious condition statement error 2008-01-30 13:33:34 +01:00
cpuidle
crypto
dca
dio
dma
edac Merge branch 'linux-2.6' 2008-01-31 11:25:51 +11:00
eisa
firewire firewire: fw-sbp2: Use sbp2 device-provided mgt orb timeout for logins 2008-01-30 22:22:29 +01:00
firmware x86: left over fix for leak of early_ioremp in dmi_scan 2008-01-30 13:33:32 +01:00
hid
hwmon
i2c
ide ide-cd: fix leftover data BUG 2008-02-01 09:26:33 +01:00
ieee1394 ieee1394: ohci1394: don't schedule IT tasklets on IR events 2008-01-30 22:22:21 +01:00
infiniband [SCSI] remove use_sg_chaining 2008-01-30 13:14:02 -06:00
input [ALSA] Remove sound/driver.h 2008-01-31 17:29:48 +01:00
isdn
leds
lguest lguest: fix mis-merge against hpa's TSS renaming 2008-01-31 19:59:44 +11:00
macintosh Merge branch 'linux-2.6' 2008-01-31 11:25:51 +11:00
mca
md
media [ALSA] Remove sound/driver.h 2008-01-31 17:29:48 +01:00
message
mfd
misc
mmc
mtd
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-02-01 21:06:29 +11:00
nubus
of
oprofile
parisc [PARISC]: Fix build after ipv4_is_*() changes. 2008-01-28 14:58:20 -08:00
parport
pci Merge branch 'linux-2.6' 2008-01-31 11:25:51 +11:00
pcmcia
pnp git-x86: drivers/pnp/pnpbios/bioscalls.c build fix 2008-01-30 13:32:31 +01:00
power
ps3
rapidio Merge branch 'linux-2.6' 2008-01-31 11:25:51 +11:00
rtc
s390 [SCSI] zfcp: fix sense_buffer access bug 2008-01-30 13:03:39 -06:00
sbus
scsi [SCSI] Revert "[SCSI] aacraid: fib context lock for management ioctls" 2008-01-30 13:14:26 -06:00
serial m68knommu: use container_of in mcf.c 2008-02-01 21:00:01 +11:00
sh
sn
spi Merge branch 'linux-2.6' 2008-01-31 11:25:51 +11:00
ssb ssb: Add boardflags_hi field to the sprom data structure 2008-01-28 15:09:52 -08:00
tc
telephony
uio
usb USB: usb_serial: clean tty reference in the last close 2008-02-01 14:34:50 -08:00
video USB: sisusb: *_ioctl32_conversion functions do not exist in recent kernels 2008-02-01 14:34:48 -08:00
virtio
w1
watchdog [WATCHDOG] use SGI_HAS_INDYDOG for INDYDOG depends 2008-01-29 12:58:38 +00:00
xen
zorro
Kconfig KVM: Move arch dependent files to new directory arch/x86/kvm/ 2008-01-30 18:01:18 +02:00
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus 2008-01-31 09:35:32 +11:00