author | Stefan Agner <stefan.agner@toradex.com> | 2014-02-04 14:47:41 +0100 |
---|---|---|
committer | Stefan Agner <stefan.agner@toradex.com> | 2014-02-04 15:10:39 +0100 |
commit | c31f1057056c95e005af348cf36c41271987465d (patch) | |
tree | 53efc3272a2039496dba49d4511c0673709b63b8 | |
parent | c52df3630a69f07dbe6fec453924c0f08d98561b (diff) |
serial: mvf: fix NULL pointer dereference in rx_work
When a process is closed while work is pending, the receiving tty
might be closed when the work is actually scheduled. This leads
to a kernel NULL pointer dereference. Check if tty is still there
before submitting new data.
Unable to handle kernel NULL pointer dereference at virtual address 000000bc
pgd = c0004000
[000000bc] *pgd=00000000
Internal error: Oops: 17 [#1] PREEMPT
Modules linked in:
CPU: 0 Not tainted (3.0.15-00021-gc52df36 #198)
PC is at tty_flip_buffer_push+0x28/0x84
LR is at rx_work+0x20/0x2c
pc : [<c025a380>] lr : [<c026ba9c>] psr: 200f0093
sp : ca015f78 ip : 00000001 fp : 00000000
r10: 00000000 r9 : c026ba7c r8 : 00000000
r7 : cfff0a00 r6 : c067d2ec r5 : cfebc31c r4 : 00000000
r3 : ca014000 r2 : 200f0013 r1 : 00000001 r0 : 00000000
Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
Control: 10c53c7d Table: 8a19c059 DAC: 00000015
Process kworker/0:0 (pid: 558, stack limit = 0xca0142e8)
Stack: (0xca015f78 to 0xca016000)
5f60: cfebc31c c026ba9c
5f80: cf83ce80 c005dff4 cfff0a05 cf83ce80 ca014000 c067d2ec c06d804c cf83ce90
5fa0: 00000009 c067d2ec 00000000 c005e35c ca197f3c cf83ce80 c005e188 00000013
5fc0: 00000000 00000000 00000000 c0062d08 00000000 00000000 cf83ce80 00000000
5fe0: ca015fe0 ca015fe0 ca197f3c c0062c8c c00350e8 c00350e8 00000000 00000000
[<c025a380>] (tty_flip_buffer_push+0x28/0x84) from [<c026ba9c>] (rx_work+0x20/0x2c)
[<c026ba9c>] (rx_work+0x20/0x2c) from [<c005dff4>] (process_one_work+0x1f4/0x35c)
[<c005dff4>] (process_one_work+0x1f4/0x35c) from [<c005e35c>] (worker_thread+0x1d4/0x314)
[<c005e35c>] (worker_thread+0x1d4/0x314) from [<c0062d08>] (kthread+0x7c/0x88)
[<c0062d08>] (kthread+0x7c/0x88) from [<c00350e8>] (kernel_thread_exit+0x0/0x8)
Code: e3c3303f e5931004 e2811001 e5831004 (e59030bc)
---[ end trace d9cc3df0e23f6c96 ]---
-rw-r--r-- | drivers/tty/serial/mvf.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/tty/serial/mvf.c b/drivers/tty/serial/mvf.c index 814a7daa56f0..36713c6c3983 100644 --- a/drivers/tty/serial/mvf.c +++ b/drivers/tty/serial/mvf.c @@ -373,7 +373,8 @@ static void rx_work(struct work_struct *w) struct imx_port *sport = container_of(w, struct imx_port, tsk_rx); struct tty_struct *tty = sport->port.state->port.tty; - if (sport->rx_bytes) { + /* check if tty is valid, since the process might be gone... */ + if (sport->rx_bytes && tty) { tty_flip_buffer_push(tty); sport->rx_bytes = 0; } |
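Review bot: The new `if (sport->rx_bytes && tty)` test in rx_work() narrows the race but does not close it. `tty` is still a plain pointer read once from `sport->port.state->port.tty` at the top of the function, with no reference held, so the tty can go away between the NULL check and `tty_flip_buffer_push(tty)`. Consider taking a reference for the duration of the push with `tty_port_tty_get(&sport->port.state->port)` and dropping it with `tty_kref_put()`, or making sure the port's shutdown path cancels `tsk_rx` (for example with `cancel_work_sync()`) before the tty is released. Note also that when `tty` is NULL the `sport->rx_bytes = 0;` reset is now skipped, so a stale byte count survives until the next run of the work; if that is intended, the comment should say so, otherwise clear the counter outside the tty check.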