| author | Oleksandr Kozaruk <oleksandr.kozaruk@ti.com> | 2013-06-06 11:08:51 +0300 |
|---|---|---|
| committer | James Wylder <jwylder@motorola.com> | 2014-03-05 17:47:32 -0600 |
| commit | f70e4b39b092e288bbeee699a8f75138af14eb27 (patch) | |
| tree | 0a4614bf7c1b4368a33a6b9aadaa276b3ec226c1 /drivers/misc/ti-st/tty_hci.c | |
| parent | 294b9f935d6a315f41f8827a3fe45e0ae247c722 (diff) | |
| download | olio-linux-3.10-f70e4b39b092e288bbeee699a8f75138af14eb27.tar.xz olio-linux-3.10-f70e4b39b092e288bbeee699a8f75138af14eb27.zip | |
ti-st: tty_hci: Fix race condition in hci_tty_open.
A race condition is possible in the hci_tty driver.
The race results in a NULL pointer dereference because
struct sk_buff_head rx_list is used without prior
initialization.
The error condition can easily be reproduced with the following script
and a COM-7 wilink hardware module:
while [ 1 ]; do echo -n "fail" > /dev/nfc; sleep 2; done
[ 56.229614] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 56.238494] pgd = c0004000
[ 56.241485] [00000000] *pgd=00000000
[ 56.245513] Internal error: Oops: 805 [#1] PREEMPT SMP ARM
[ 56.251586] Modules linked in: rproc_drm(O) tf_driver(O) gps_drv wl18xx(O) wl12xx(O) wlcore(O) mac80211(O) pvrsrvkm_sgx544_112(O) cfg80211(O) compat(O) [last unloaded: wlcore_sdio]
[ 56.270141] CPU: 0 Tainted: G W O (3.4.34-01546-g66a9034 #82)
[ 56.277618] PC is at skb_queue_tail+0x2c/0x50
[ 56.282409] LR is at _raw_spin_lock_irqsave+0x10/0x14
[ 56.287994] pc : [<c04eeb04>] lr : [<c0686618>] psr: 60000193
[ 56.287994] sp : d6cbde60 ip : d6cbde50 fp : d6cbde7c
[ 56.300628] r10: d6ecf5d4 r9 : d6ecf558 r8 : 00000000
[ 56.306335] r7 : d6ecf5ac r6 : cb78347c r5 : d67c6500 r4 : cb783470
[ 56.313537] r3 : 00000000 r2 : a0000193 r1 : d67c6500 r0 : a0000193
[ 56.320648] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 56.328796] Control: 10c5387d Table: 8b6a804a DAC: 00000015
[skiped ...]
[ 57.452667] Backtrace:
[ 57.455474] [<c04eead8>] (skb_queue_tail+0x0/0x50) from [<c0300bec>] (st_receive+0x18/0x34)
[ 57.464630] r6:d5920c59 r5:00000004 r4:cb783440 r3:c0300bd4
[ 57.471191] [<c0300bd4>] (st_receive+0x0/0x34) from [<c02fe924>] (st_send_frame+0x50/0xac)
[ 57.480255] r4:d6ecf540 r3:c0300bd4
[ 57.484344] [<c02fe8d4>] (st_send_frame+0x0/0xac) from [<c02ff13c>] (st_int_recv+0x1fc/0x3a0)
[ 57.493713] r5:00000000 r4:d6ecf540
[ 57.497894] [<c02fef40>] (st_int_recv+0x0/0x3a0) from [<c02fe548>] (st_tty_receive+0x24/0x28)
[ 57.507171] [<c02fe524>] (st_tty_receive+0x0/0x28) from [<c02bbac0>] (flush_to_ldisc+0x150/0x1b4)
[ 57.516906] [<c02bb970>] (flush_to_ldisc+0x0/0x1b4) from [<c0061950>] (process_one_work+0x134/0x4ac)
[ 57.526916] [<c006181c>] (process_one_work+0x0/0x4ac) from [<c0061e54>] (worker_thread+0x18c/0x3d8)
[ 57.536865] [<c0061cc8>] (worker_thread+0x0/0x3d8) from [<c00668d0>] (kthread+0x90/0x9c)
[ 57.545684] [<c0066840>] (kthread+0x0/0x9c) from [<c004a8a8>] (do_exit+0x0/0x804)
[ 57.553894] r6:c004a8a8 r5:c0066840 r4:d6c5dec4
Change-Id: Ife34d53b4fad45d1db600d71450b06dce0328b2c
Signed-off-by: Oleksandr Kozaruk <oleksandr.kozaruk@ti.com>
Diffstat (limited to 'drivers/misc/ti-st/tty_hci.c')
| -rw-r--r-- | drivers/misc/ti-st/tty_hci.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/misc/ti-st/tty_hci.c b/drivers/misc/ti-st/tty_hci.c
index 42009bc458c..d1e618fe050 100644
--- a/drivers/misc/ti-st/tty_hci.c
+++ b/drivers/misc/ti-st/tty_hci.c
@@ -147,6 +147,9 @@ int hci_tty_open(struct inode *inod, struct file *file)
 file->private_data = hst;
+ skb_queue_head_init(&hst->rx_list);
+ init_waitqueue_head(&hst->data_q);
+
 for (i = 0; i < MAX_BT_CHNL_IDS; i++) {
 ti_st_proto[i].priv_data = hst;
 ti_st_proto[i].max_frame_size = 1026;
@@ -212,9 +215,6 @@ done:
 }
 }
- skb_queue_head_init(&hst->rx_list);
- init_waitqueue_head(&hst->data_q);
-
 return 0;
 error: |
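Review bot: The two init calls added before the `for` loop in hci_tty_open() now carry an ordering requirement that nothing in the code states: per the backtrace in the commit message, st_receive() calls skb_queue_tail() from the receive path, so rx_list and data_q must be ready before any channel is hooked up. I would add a comment above them, e.g. `/* Must precede channel registration below: st_receive() may queue to rx_list as soon as a channel is live. */`, so a later cleanup does not move them back to the end of the function. Separately, `ti_st_proto[i].priv_data = hst;` writes to what looks like a table shared across opens rather than per-file state; if so, a second open would repoint priv_data while the first is still receiving, so it is worth confirming that open is serialized or rejected while the device is in use. The function body starts and ends outside the hunk, so the registration call itself and the `error:` cleanup are not visible here.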