Hi,
Something like the patch below is necessary to fix a new NULL pointer deref
in usb_serial_probe() that appeared after the recent kfifo changes (in short,
the kfifo changes modified the semantics of kfifo_alloc() that
usb_serial_probe() reiled on).
Thanks,
Rafael
---
drivers/usb/serial/usb-serial.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
Index: linux-2.6/drivers/usb/serial/usb-serial.c
===================================================================
--- linux-2.6.orig/drivers/usb/serial/usb-serial.c
+++ linux-2.6/drivers/usb/serial/usb-serial.c
@@ -595,8 +595,10 @@ static void port_release(struct device *
usb_free_urb(port->write_urb);
usb_free_urb(port->interrupt_in_urb);
usb_free_urb(port->interrupt_out_urb);
- if (!IS_ERR(port->write_fifo) && port->write_fifo)
+ if (port->write_fifo) {
kfifo_free(port->write_fifo);
+ kfree(port->write_fifo);
+ }
kfree(port->bulk_in_buffer);
kfree(port->bulk_out_buffer);
kfree(port->interrupt_in_buffer);
@@ -939,6 +941,12 @@ int usb_serial_probe(struct usb_interfac
dev_err(&interface->dev, "No free urbs available\n");
goto probe_error;
}
+ port->write_fifo = kzalloc(sizeof(struct kfifo), GFP_KERNEL);
+ if (!port->write_fifo) {
+ dev_err(&interface->dev,
+ "Couldn't allocate write_fifo\n");
+ goto probe_error;
+ }
if (kfifo_alloc(port->write_fifo, PAGE_SIZE, GFP_KERNEL))
goto probe_error;
buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
On Wed, 23 Dec 2009, Rafael J. Wysocki wrote:
> Hi,
>
> Something like the patch below is necessary to fix a new NULL pointer deref
> in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> the kfifo changes modified the semantics of kfifo_alloc() that
> usb_serial_probe() reiled on).
>
> Thanks,
> Rafael
>
> ---
> drivers/usb/serial/usb-serial.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> Index: linux-2.6/drivers/usb/serial/usb-serial.c
> ===================================================================
> --- linux-2.6.orig/drivers/usb/serial/usb-serial.c
> +++ linux-2.6/drivers/usb/serial/usb-serial.c
> @@ -595,8 +595,10 @@ static void port_release(struct device *
> usb_free_urb(port->write_urb);
> usb_free_urb(port->interrupt_in_urb);
> usb_free_urb(port->interrupt_out_urb);
> - if (!IS_ERR(port->write_fifo) && port->write_fifo)
> + if (port->write_fifo) {
> kfifo_free(port->write_fifo);
> + kfree(port->write_fifo);
> + }
> kfree(port->bulk_in_buffer);
> kfree(port->bulk_out_buffer);
> kfree(port->interrupt_in_buffer);
> @@ -939,6 +941,12 @@ int usb_serial_probe(struct usb_interfac
> dev_err(&interface->dev, "No free urbs available\n");
> goto probe_error;
> }
> + port->write_fifo = kzalloc(sizeof(struct kfifo), GFP_KERNEL);
> + if (!port->write_fifo) {
> + dev_err(&interface->dev,
> + "Couldn't allocate write_fifo\n");
> + goto probe_error;
> + }
> if (kfifo_alloc(port->write_fifo, PAGE_SIZE, GFP_KERNEL))
> goto probe_error;
> buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
Although this would mean further changes elsewhere, doesn't it make
more sense to embed the struct kfifo directly in the usb_serial_port
structure instead of allocating it dynamically?
Alan Stern
On Wed, Dec 23, 2009 at 02:51:31AM +0100, Rafael J. Wysocki wrote:
> Hi,
>
> Something like the patch below is necessary to fix a new NULL pointer deref
> in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> the kfifo changes modified the semantics of kfifo_alloc() that
> usb_serial_probe() reiled on).
What semantic changed? I thought that the kfifo patches came with
patches that also fixed up any changed that were needed. What went
wrong here?
Does your patch solve the oops?
thanks,
greg k-h
Am Dienstag, den 22.12.2009, 21:37 -0800 schrieb Greg KH:
> On Wed, Dec 23, 2009 at 02:51:31AM +0100, Rafael J. Wysocki wrote:
> > Hi,
> >
> > Something like the patch below is necessary to fix a new NULL pointer deref
> > in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> > the kfifo changes modified the semantics of kfifo_alloc() that
> > usb_serial_probe() reiled on).
>
> What semantic changed? I thought that the kfifo patches came with
> patches that also fixed up any changed that were needed. What went
> wrong here?
>
This one is a new user of the kfifo API, so it forget to port it to the
new kfifo API.
Please make the write_fifo in place. Here is my patch to fix the
regression and full ported version.
Stefani
Signed-off-by: Stefani Seibold <[email protected]>
---
drivers/usb/serial/generic.c | 12 ++++++------
drivers/usb/serial/usb-serial.c | 5 ++---
include/linux/usb/serial.h | 3 ++-
3 files changed, 10 insertions(+), 10 deletions(-)
diff -u -N -r -p old/drivers/usb/serial/generic.c new/drivers/usb/serial/generic.c
--- old/drivers/usb/serial/generic.c 2009-12-23 08:54:06.966476248 +0100
+++ new/drivers/usb/serial/generic.c 2009-12-23 09:06:25.778474708 +0100
@@ -276,7 +276,7 @@ static int usb_serial_generic_write_star
if (port->write_urb_busy)
start_io = false;
else {
- start_io = (kfifo_len(port->write_fifo) != 0);
+ start_io = (kfifo_len(&port->write_fifo) != 0);
port->write_urb_busy = start_io;
}
spin_unlock_irqrestore(&port->lock, flags);
@@ -285,7 +285,7 @@ static int usb_serial_generic_write_star
return 0;
data = port->write_urb->transfer_buffer;
- count = kfifo_out_locked(port->write_fifo, data, port->bulk_out_size, &port->lock);
+ count = kfifo_out_locked(&port->write_fifo, data, port->bulk_out_size, &port->lock);
usb_serial_debug_data(debug, &port->dev, __func__, count, data);
/* set up our urb */
@@ -345,7 +345,7 @@ int usb_serial_generic_write(struct tty_
return usb_serial_multi_urb_write(tty, port,
buf, count);
- count = kfifo_in_locked(port->write_fifo, buf, count, &port->lock);
+ count = kfifo_in_locked(&port->write_fifo, buf, count, &port->lock);
result = usb_serial_generic_write_start(port);
if (result >= 0)
@@ -370,7 +370,7 @@ int usb_serial_generic_write_room(struct
(serial->type->max_in_flight_urbs -
port->urbs_in_flight);
} else if (serial->num_bulk_out)
- room = port->write_fifo->size - kfifo_len(port->write_fifo);
+ room = kfifo_avail(&port->write_fifo);
spin_unlock_irqrestore(&port->lock, flags);
dbg("%s - returns %d", __func__, room);
@@ -391,7 +391,7 @@ int usb_serial_generic_chars_in_buffer(s
chars = port->tx_bytes_flight;
spin_unlock_irqrestore(&port->lock, flags);
} else if (serial->num_bulk_out)
- chars = kfifo_len(port->write_fifo);
+ chars = kfifo_len(&port->write_fifo);
dbg("%s - returns %d", __func__, chars);
return chars;
@@ -507,7 +507,7 @@ void usb_serial_generic_write_bulk_callb
if (status) {
dbg("%s - nonzero multi-urb write bulk status "
"received: %d", __func__, status);
- kfifo_reset(port->write_fifo);
+ kfifo_reset_out(&port->write_fifo);
} else
usb_serial_generic_write_start(port);
}
diff -u -N -r -p old/drivers/usb/serial/usb-serial.c new/drivers/usb/serial/usb-serial.c
--- old/drivers/usb/serial/usb-serial.c 2009-12-23 08:54:23.204476351 +0100
+++ new/drivers/usb/serial/usb-serial.c 2009-12-23 09:06:39.664475312 +0100
@@ -595,8 +595,7 @@ static void port_release(struct device *
usb_free_urb(port->write_urb);
usb_free_urb(port->interrupt_in_urb);
usb_free_urb(port->interrupt_out_urb);
- if (!IS_ERR(port->write_fifo) && port->write_fifo)
- kfifo_free(port->write_fifo);
+ kfifo_free(&port->write_fifo);
kfree(port->bulk_in_buffer);
kfree(port->bulk_out_buffer);
kfree(port->interrupt_in_buffer);
@@ -939,7 +938,7 @@ int usb_serial_probe(struct usb_interfac
dev_err(&interface->dev, "No free urbs available\n");
goto probe_error;
}
- if (kfifo_alloc(port->write_fifo, PAGE_SIZE, GFP_KERNEL))
+ if (kfifo_alloc(&port->write_fifo, PAGE_SIZE, GFP_KERNEL))
goto probe_error;
buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
port->bulk_out_size = buffer_size;
diff -u -N -r -p old/include/linux/usb/serial.h new/include/linux/usb/serial.h
--- old/include/linux/usb/serial.h 2009-12-23 08:54:34.368476110 +0100
+++ new/include/linux/usb/serial.h 2009-12-23 09:06:32.870725683 +0100
@@ -16,6 +16,7 @@
#include <linux/kref.h>
#include <linux/mutex.h>
#include <linux/sysrq.h>
+#include <linux/kfifo.h>
#define SERIAL_TTY_MAJOR 188 /* Nice legal number now */
#define SERIAL_TTY_MINORS 254 /* loads of devices :) */
@@ -94,7 +95,7 @@ struct usb_serial_port {
unsigned char *bulk_out_buffer;
int bulk_out_size;
struct urb *write_urb;
- struct kfifo *write_fifo;
+ struct kfifo write_fifo;
int write_urb_busy;
__u8 bulk_out_endpointAddress;
On Wednesday 23 December 2009, Greg KH wrote:
> On Wed, Dec 23, 2009 at 02:51:31AM +0100, Rafael J. Wysocki wrote:
> > Hi,
> >
> > Something like the patch below is necessary to fix a new NULL pointer deref
> > in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> > the kfifo changes modified the semantics of kfifo_alloc() that
> > usb_serial_probe() reiled on).
>
> What semantic changed? I thought that the kfifo patches came with
> patches that also fixed up any changed that were needed. What went
> wrong here?
Previously write_fifo was allocated by kfifo_alloc() along with the structure
members. Now kfifo_alloc() expects to get a pointer to existing structure.
> Does your patch solve the oops?
Sure, that's why I posted it. :-)
Rafael
On Wednesday 23 December 2009, Alan Stern wrote:
> On Wed, 23 Dec 2009, Rafael J. Wysocki wrote:
>
> > Hi,
> >
> > Something like the patch below is necessary to fix a new NULL pointer deref
> > in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> > the kfifo changes modified the semantics of kfifo_alloc() that
> > usb_serial_probe() reiled on).
> >
> > Thanks,
> > Rafael
> >
> > ---
> > drivers/usb/serial/usb-serial.c | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > Index: linux-2.6/drivers/usb/serial/usb-serial.c
> > ===================================================================
> > --- linux-2.6.orig/drivers/usb/serial/usb-serial.c
> > +++ linux-2.6/drivers/usb/serial/usb-serial.c
> > @@ -595,8 +595,10 @@ static void port_release(struct device *
> > usb_free_urb(port->write_urb);
> > usb_free_urb(port->interrupt_in_urb);
> > usb_free_urb(port->interrupt_out_urb);
> > - if (!IS_ERR(port->write_fifo) && port->write_fifo)
> > + if (port->write_fifo) {
> > kfifo_free(port->write_fifo);
> > + kfree(port->write_fifo);
> > + }
> > kfree(port->bulk_in_buffer);
> > kfree(port->bulk_out_buffer);
> > kfree(port->interrupt_in_buffer);
> > @@ -939,6 +941,12 @@ int usb_serial_probe(struct usb_interfac
> > dev_err(&interface->dev, "No free urbs available\n");
> > goto probe_error;
> > }
> > + port->write_fifo = kzalloc(sizeof(struct kfifo), GFP_KERNEL);
> > + if (!port->write_fifo) {
> > + dev_err(&interface->dev,
> > + "Couldn't allocate write_fifo\n");
> > + goto probe_error;
> > + }
> > if (kfifo_alloc(port->write_fifo, PAGE_SIZE, GFP_KERNEL))
> > goto probe_error;
> > buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
>
> Although this would mean further changes elsewhere, doesn't it make
> more sense to embed the struct kfifo directly in the usb_serial_port
> structure instead of allocating it dynamically?
I guess it would, but I wanted to avoid making any further changes.
Rafael
On Wednesday 23 December 2009, Stefani Seibold wrote:
> Am Dienstag, den 22.12.2009, 21:37 -0800 schrieb Greg KH:
> > On Wed, Dec 23, 2009 at 02:51:31AM +0100, Rafael J. Wysocki wrote:
> > > Hi,
> > >
> > > Something like the patch below is necessary to fix a new NULL pointer deref
> > > in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> > > the kfifo changes modified the semantics of kfifo_alloc() that
> > > usb_serial_probe() reiled on).
> >
> > What semantic changed? I thought that the kfifo patches came with
> > patches that also fixed up any changed that were needed. What went
> > wrong here?
> >
>
> This one is a new user of the kfifo API, so it forget to port it to the
> new kfifo API.
>
> Please make the write_fifo in place. Here is my patch to fix the
> regression and full ported version.
>
> Stefani
>
> Signed-off-by: Stefani Seibold <[email protected]>
Tested-by: Rafael J. Wysocki <[email protected]>
> ---
> drivers/usb/serial/generic.c | 12 ++++++------
> drivers/usb/serial/usb-serial.c | 5 ++---
> include/linux/usb/serial.h | 3 ++-
> 3 files changed, 10 insertions(+), 10 deletions(-)
>
> diff -u -N -r -p old/drivers/usb/serial/generic.c new/drivers/usb/serial/generic.c
> --- old/drivers/usb/serial/generic.c 2009-12-23 08:54:06.966476248 +0100
> +++ new/drivers/usb/serial/generic.c 2009-12-23 09:06:25.778474708 +0100
> @@ -276,7 +276,7 @@ static int usb_serial_generic_write_star
> if (port->write_urb_busy)
> start_io = false;
> else {
> - start_io = (kfifo_len(port->write_fifo) != 0);
> + start_io = (kfifo_len(&port->write_fifo) != 0);
> port->write_urb_busy = start_io;
> }
> spin_unlock_irqrestore(&port->lock, flags);
> @@ -285,7 +285,7 @@ static int usb_serial_generic_write_star
> return 0;
>
> data = port->write_urb->transfer_buffer;
> - count = kfifo_out_locked(port->write_fifo, data, port->bulk_out_size, &port->lock);
> + count = kfifo_out_locked(&port->write_fifo, data, port->bulk_out_size, &port->lock);
> usb_serial_debug_data(debug, &port->dev, __func__, count, data);
>
> /* set up our urb */
> @@ -345,7 +345,7 @@ int usb_serial_generic_write(struct tty_
> return usb_serial_multi_urb_write(tty, port,
> buf, count);
>
> - count = kfifo_in_locked(port->write_fifo, buf, count, &port->lock);
> + count = kfifo_in_locked(&port->write_fifo, buf, count, &port->lock);
> result = usb_serial_generic_write_start(port);
>
> if (result >= 0)
> @@ -370,7 +370,7 @@ int usb_serial_generic_write_room(struct
> (serial->type->max_in_flight_urbs -
> port->urbs_in_flight);
> } else if (serial->num_bulk_out)
> - room = port->write_fifo->size - kfifo_len(port->write_fifo);
> + room = kfifo_avail(&port->write_fifo);
> spin_unlock_irqrestore(&port->lock, flags);
>
> dbg("%s - returns %d", __func__, room);
> @@ -391,7 +391,7 @@ int usb_serial_generic_chars_in_buffer(s
> chars = port->tx_bytes_flight;
> spin_unlock_irqrestore(&port->lock, flags);
> } else if (serial->num_bulk_out)
> - chars = kfifo_len(port->write_fifo);
> + chars = kfifo_len(&port->write_fifo);
>
> dbg("%s - returns %d", __func__, chars);
> return chars;
> @@ -507,7 +507,7 @@ void usb_serial_generic_write_bulk_callb
> if (status) {
> dbg("%s - nonzero multi-urb write bulk status "
> "received: %d", __func__, status);
> - kfifo_reset(port->write_fifo);
> + kfifo_reset_out(&port->write_fifo);
> } else
> usb_serial_generic_write_start(port);
> }
> diff -u -N -r -p old/drivers/usb/serial/usb-serial.c new/drivers/usb/serial/usb-serial.c
> --- old/drivers/usb/serial/usb-serial.c 2009-12-23 08:54:23.204476351 +0100
> +++ new/drivers/usb/serial/usb-serial.c 2009-12-23 09:06:39.664475312 +0100
> @@ -595,8 +595,7 @@ static void port_release(struct device *
> usb_free_urb(port->write_urb);
> usb_free_urb(port->interrupt_in_urb);
> usb_free_urb(port->interrupt_out_urb);
> - if (!IS_ERR(port->write_fifo) && port->write_fifo)
> - kfifo_free(port->write_fifo);
> + kfifo_free(&port->write_fifo);
> kfree(port->bulk_in_buffer);
> kfree(port->bulk_out_buffer);
> kfree(port->interrupt_in_buffer);
> @@ -939,7 +938,7 @@ int usb_serial_probe(struct usb_interfac
> dev_err(&interface->dev, "No free urbs available\n");
> goto probe_error;
> }
> - if (kfifo_alloc(port->write_fifo, PAGE_SIZE, GFP_KERNEL))
> + if (kfifo_alloc(&port->write_fifo, PAGE_SIZE, GFP_KERNEL))
> goto probe_error;
> buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
> port->bulk_out_size = buffer_size;
> diff -u -N -r -p old/include/linux/usb/serial.h new/include/linux/usb/serial.h
> --- old/include/linux/usb/serial.h 2009-12-23 08:54:34.368476110 +0100
> +++ new/include/linux/usb/serial.h 2009-12-23 09:06:32.870725683 +0100
> @@ -16,6 +16,7 @@
> #include <linux/kref.h>
> #include <linux/mutex.h>
> #include <linux/sysrq.h>
> +#include <linux/kfifo.h>
>
> #define SERIAL_TTY_MAJOR 188 /* Nice legal number now */
> #define SERIAL_TTY_MINORS 254 /* loads of devices :) */
> @@ -94,7 +95,7 @@ struct usb_serial_port {
> unsigned char *bulk_out_buffer;
> int bulk_out_size;
> struct urb *write_urb;
> - struct kfifo *write_fifo;
> + struct kfifo write_fifo;
> int write_urb_busy;
> __u8 bulk_out_endpointAddress;
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
>
On Wed, Dec 23, 2009 at 09:10:48AM +0100, Stefani Seibold wrote:
> Am Dienstag, den 22.12.2009, 21:37 -0800 schrieb Greg KH:
> > On Wed, Dec 23, 2009 at 02:51:31AM +0100, Rafael J. Wysocki wrote:
> > > Hi,
> > >
> > > Something like the patch below is necessary to fix a new NULL pointer deref
> > > in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> > > the kfifo changes modified the semantics of kfifo_alloc() that
> > > usb_serial_probe() reiled on).
> >
> > What semantic changed? I thought that the kfifo patches came with
> > patches that also fixed up any changed that were needed. What went
> > wrong here?
> >
>
> This one is a new user of the kfifo API, so it forget to port it to the
> new kfifo API.
>
> Please make the write_fifo in place. Here is my patch to fix the
> regression and full ported version.
Thanks, I'll queue this up and send it to Linus later today.
greg k-h
On Wed, Dec 23, 2009 at 09:17:31AM -0800, Greg KH wrote:
> On Wed, Dec 23, 2009 at 09:10:48AM +0100, Stefani Seibold wrote:
> > Am Dienstag, den 22.12.2009, 21:37 -0800 schrieb Greg KH:
> > > On Wed, Dec 23, 2009 at 02:51:31AM +0100, Rafael J. Wysocki wrote:
> > > > Hi,
> > > >
> > > > Something like the patch below is necessary to fix a new NULL pointer deref
> > > > in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> > > > the kfifo changes modified the semantics of kfifo_alloc() that
> > > > usb_serial_probe() reiled on).
> > >
> > > What semantic changed? I thought that the kfifo patches came with
> > > patches that also fixed up any changed that were needed. What went
> > > wrong here?
> > >
> >
> > This one is a new user of the kfifo API, so it forget to port it to the
> > new kfifo API.
> >
> > Please make the write_fifo in place. Here is my patch to fix the
> > regression and full ported version.
>
> Thanks, I'll queue this up and send it to Linus later today.
Heh, nevermind, Linus took it already :)
thanks,
greg k-h