Hi:
When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
the Linux kernel, I found a use-after-free vulnerability in cdev_del.
I found that Syzkaller had reported this bug a long time ago, but the
problem still exists.
Now I have collected the KASAN report and a reproduction program, I
hope this information can help you locate and solve the problem.
Here is the detailed information:
commit: 5e46d1b78a03d52306f21f77a4e4a144b6d31486
version: Linux 5.12-rc5
git tree: upstream
kernel config and reproducing program can be found in the attachment.
KASAN report:
==================================================================
BUG: KASAN: use-after-free in cdev_del+0x8b/0x90 -origin/fs/char_dev.c:596
Read of size 4 at addr ffff888011e20864 by task executor/8066
CPU: 1 PID: 8066 Comm: executor Not tainted 5.12.0-rc5+ #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
__dump_stack -origin/lib/dump_stack.c:79 [inline]
dump_stack+0xfa/0x151 -origin/lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x82/0x32c
-origin/mm/kasan/report.c:232
__kasan_report -origin/mm/kasan/report.c:399 [inline]
kasan_report.cold+0x7c/0xd8 -origin/mm/kasan/report.c:416
cdev_del+0x8b/0x90 -origin/fs/char_dev.c:596
tty_unregister_device -origin/drivers/tty/tty_io.c:3343 [inline]
tty_unregister_device+0x112/0x1b0 -origin/drivers/tty/tty_io.c:3338
gsmld_detach_gsm -origin/drivers/tty/n_gsm.c:2409 [inline]
gsmld_close+0xb3/0x1f0 -origin/drivers/tty/n_gsm.c:2478
tty_ldisc_close.isra.0+0x110/0x190 -origin/drivers/tty/tty_ldisc.c:488
tty_ldisc_kill+0x94/0x150 -origin/drivers/tty/tty_ldisc.c:636
tty_ldisc_hangup+0x2d0/0x630 -origin/drivers/tty/tty_ldisc.c:756
__tty_hangup.part.0+0x2f0/0x700 -origin/drivers/tty/tty_io.c:639
__tty_hangup -origin/drivers/tty/tty_io.c:595 [inline]
tty_vhangup -origin/drivers/tty/tty_io.c:712 [inline]
tty_ioctl+0x992/0x14f0 -origin/drivers/tty/tty_io.c:2742
vfs_ioctl -origin/fs/ioctl.c:48 [inline]
__do_sys_ioctl -origin/fs/ioctl.c:753 [inline]
__se_sys_ioctl -origin/fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x193/0x200 -origin/fs/ioctl.c:739
do_syscall_64+0x2d/0x70 -origin/arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x47338d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff4d8de3c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000059c128 RCX: 000000000047338d
RDX: 0000000000000000 RSI: 0000000000005437 RDI: 0000000000000003
RBP: 00000000004e8e5d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c128
R13: 00007fff86f0a5ef R14: 00007fff86f0a790 R15: 00007ff4d8de3dc0
Besides, the 'refcount bug in cdev_del' bug still exists too.
Here is the detailed information:
commit: 5e46d1b78a03d52306f21f77a4e4a144b6d31486
version: Linux 5.12-rc5
git tree: upstream
kernel config (KASAN not enabled) and reproducing program can be found
in the attachment.
Report:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8923 at lib/refcount.c:28
refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 8923 Comm: executor Not tainted 5.12.0-rc5+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
Code: 4f ff ff ff e8 32 fa b5 fe 48 c7 c7 3d f8 f6 86 e8 d6 ab c6 fe
c6 05 7c 34 67 04 01 48 c7 c7 68 f8 6d 86 31 c0 e8 81 2e 9d fe <0f> 0b
e9 22 ff ff ff e8 05 fa b5 fe 48 c7 c7 3e f8 f6 86 e8 a9 ab
RSP: 0018:ffffc90001633c60 EFLAGS: 00010246
RAX: 15d08b2e34b77800 RBX: 0000000000000003 RCX: ffff88804c056c80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff813767aa R09: 0001ffffffffffff
R10: 0001ffffffffffff R11: ffff88804c056c80 R12: ffff888040b7d000
R13: ffff88804c206938 R14: ffff88804c206900 R15: ffff888041b18488
FS: 00000000022c9940(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9f9b122008 CR3: 0000000044b4b000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
__refcount_sub_and_test -origin/./include/linux/refcount.h:283 [inline]
__refcount_dec_and_test -origin/./include/linux/refcount.h:315 [inline]
refcount_dec_and_test -origin/./include/linux/refcount.h:333 [inline]
kref_put -origin/./include/linux/kref.h:64 [inline]
kobject_put+0x17b/0x180 -origin/lib/kobject.c:753
cdev_del+0x4b/0x50 -origin/fs/char_dev.c:597
tty_unregister_device+0x99/0xd0 -origin/drivers/tty/tty_io.c:3343
gsmld_detach_gsm -origin/drivers/tty/n_gsm.c:2409 [inline]
gsmld_close+0x6c/0x140 -origin/drivers/tty/n_gsm.c:2478
tty_ldisc_close -origin/drivers/tty/tty_ldisc.c:488 [inline]
tty_ldisc_kill -origin/drivers/tty/tty_ldisc.c:636 [inline]
tty_ldisc_release+0x1b6/0x400 -origin/drivers/tty/tty_ldisc.c:809
tty_release_struct+0x19/0xb0 -origin/drivers/tty/tty_io.c:1714
tty_release+0x9ad/0xa00 -origin/drivers/tty/tty_io.c:1885
__fput+0x260/0x4e0 -origin/fs/file_table.c:280
____fput+0x11/0x20 -origin/fs/file_table.c:313
task_work_run+0x8e/0x110 -origin/kernel/task_work.c:140
tracehook_notify_resume -origin/./include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop -origin/kernel/entry/common.c:174 [inline]
exit_to_user_mode_prepare+0x16b/0x1a0 -origin/kernel/entry/common.c:208
__syscall_exit_to_user_mode_work -origin/kernel/entry/common.c:290 [inline]
syscall_exit_to_user_mode+0x20/0x40 -origin/kernel/entry/common.c:301
do_syscall_64+0x45/0x80 -origin/arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x419f1b
Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c
24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fffd6e9a4f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000419f1b
RDX: 0000001b31520000 RSI: 00000000089df867 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 00000000005a0108
R10: 00007fffd6e9a620 R11: 0000000000000293 R12: 00000000005280c0
R13: 00000000005a01a0 R14: 00000000005a01a8 R15: 0000000000003cc6
Hao Sun <[email protected]> 于2021年4月4日周日 下午4:45写道:
>
> Hi:
>
> When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> the Linux kernel, I found a use-after-free vulnerability in cdev_del.
> I found that Syzkaller had reported this bug a long time ago, but the
> problem still exists.
> Now I have collected the KASAN report and a reproduction program, I
> hope this information can help you locate and solve the problem.
>
> Here is the detailed information:
> commit: 5e46d1b78a03d52306f21f77a4e4a144b6d31486
> version: Linux 5.12-rc5
> git tree: upstream
> kernel config and reproducing program can be found in the attachment.
> KASAN report:
> ==================================================================
> BUG: KASAN: use-after-free in cdev_del+0x8b/0x90 -origin/fs/char_dev.c:596
> Read of size 4 at addr ffff888011e20864 by task executor/8066
> CPU: 1 PID: 8066 Comm: executor Not tainted 5.12.0-rc5+ #7
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> __dump_stack -origin/lib/dump_stack.c:79 [inline]
> dump_stack+0xfa/0x151 -origin/lib/dump_stack.c:120
> print_address_description.constprop.0.cold+0x82/0x32c
> -origin/mm/kasan/report.c:232
> __kasan_report -origin/mm/kasan/report.c:399 [inline]
> kasan_report.cold+0x7c/0xd8 -origin/mm/kasan/report.c:416
> cdev_del+0x8b/0x90 -origin/fs/char_dev.c:596
> tty_unregister_device -origin/drivers/tty/tty_io.c:3343 [inline]
> tty_unregister_device+0x112/0x1b0 -origin/drivers/tty/tty_io.c:3338
> gsmld_detach_gsm -origin/drivers/tty/n_gsm.c:2409 [inline]
> gsmld_close+0xb3/0x1f0 -origin/drivers/tty/n_gsm.c:2478
> tty_ldisc_close.isra.0+0x110/0x190 -origin/drivers/tty/tty_ldisc.c:488
> tty_ldisc_kill+0x94/0x150 -origin/drivers/tty/tty_ldisc.c:636
> tty_ldisc_hangup+0x2d0/0x630 -origin/drivers/tty/tty_ldisc.c:756
> __tty_hangup.part.0+0x2f0/0x700 -origin/drivers/tty/tty_io.c:639
> __tty_hangup -origin/drivers/tty/tty_io.c:595 [inline]
> tty_vhangup -origin/drivers/tty/tty_io.c:712 [inline]
> tty_ioctl+0x992/0x14f0 -origin/drivers/tty/tty_io.c:2742
> vfs_ioctl -origin/fs/ioctl.c:48 [inline]
> __do_sys_ioctl -origin/fs/ioctl.c:753 [inline]
> __se_sys_ioctl -origin/fs/ioctl.c:739 [inline]
> __x64_sys_ioctl+0x193/0x200 -origin/fs/ioctl.c:739
> do_syscall_64+0x2d/0x70 -origin/arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x47338d
> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ff4d8de3c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 000000000059c128 RCX: 000000000047338d
> RDX: 0000000000000000 RSI: 0000000000005437 RDI: 0000000000000003
> RBP: 00000000004e8e5d R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c128
> R13: 00007fff86f0a5ef R14: 00007fff86f0a790 R15: 00007ff4d8de3dc0
On Sun, Apr 04, 2021 at 08:39:34PM +0800, Hillf Danton wrote:
> On Sun, 4 Apr 2021 17:05:17 Hao Sun wrote:
> > Besides, the 'refcount bug in cdev_del' bug still exists too.
>
> Thanks for your report, Hao.
> >
> > Here is the detailed information:
> > commit: 5e46d1b78a03d52306f21f77a4e4a144b6d31486
> > version: Linux 5.12-rc5
> > git tree: upstream
> > kernel config (KASAN not enabled) and reproducing program can be found
> > in the attachment.
> > Report:
> > ------------[ cut here ]------------
> > refcount_t: underflow; use-after-free.
> > WARNING: CPU: 1 PID: 8923 at lib/refcount.c:28
> > refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
> > Modules linked in:
> > CPU: 1 PID: 8923 Comm: executor Not tainted 5.12.0-rc5+ #8
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> > 1.13.0-1ubuntu1.1 04/01/2014
> > RIP: 0010:refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
> > Code: 4f ff ff ff e8 32 fa b5 fe 48 c7 c7 3d f8 f6 86 e8 d6 ab c6 fe
> > c6 05 7c 34 67 04 01 48 c7 c7 68 f8 6d 86 31 c0 e8 81 2e 9d fe <0f> 0b
> > e9 22 ff ff ff e8 05 fa b5 fe 48 c7 c7 3e f8 f6 86 e8 a9 ab
> > RSP: 0018:ffffc90001633c60 EFLAGS: 00010246
> > RAX: 15d08b2e34b77800 RBX: 0000000000000003 RCX: ffff88804c056c80
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> > RBP: 0000000000000003 R08: ffffffff813767aa R09: 0001ffffffffffff
> > R10: 0001ffffffffffff R11: ffff88804c056c80 R12: ffff888040b7d000
> > R13: ffff88804c206938 R14: ffff88804c206900 R15: ffff888041b18488
> > FS: 00000000022c9940(0000) GS:ffff88807ec00000(0000) knlGS:000000000000000=
> > 0
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f9f9b122008 CR3: 0000000044b4b000 CR4: 0000000000750ee0
> > PKRU: 55555554
> > Call Trace:
> > __refcount_sub_and_test -origin/./include/linux/refcount.h:283 [inline]
> > __refcount_dec_and_test -origin/./include/linux/refcount.h:315 [inline]
> > refcount_dec_and_test -origin/./include/linux/refcount.h:333 [inline]
> > kref_put -origin/./include/linux/kref.h:64 [inline]
> > kobject_put+0x17b/0x180 -origin/lib/kobject.c:753
> > cdev_del+0x4b/0x50 -origin/fs/char_dev.c:597
> > tty_unregister_device+0x99/0xd0 -origin/drivers/tty/tty_io.c:3343
> > gsmld_detach_gsm -origin/drivers/tty/n_gsm.c:2409 [inline]
> > gsmld_close+0x6c/0x140 -origin/drivers/tty/n_gsm.c:2478
> > tty_ldisc_close -origin/drivers/tty/tty_ldisc.c:488 [inline]
> > tty_ldisc_kill -origin/drivers/tty/tty_ldisc.c:636 [inline]
> > tty_ldisc_release+0x1b6/0x400 -origin/drivers/tty/tty_ldisc.c:809
> > tty_release_struct+0x19/0xb0 -origin/drivers/tty/tty_io.c:1714
> > tty_release+0x9ad/0xa00 -origin/drivers/tty/tty_io.c:1885
> > __fput+0x260/0x4e0 -origin/fs/file_table.c:280
> > ____fput+0x11/0x20 -origin/fs/file_table.c:313
> > task_work_run+0x8e/0x110 -origin/kernel/task_work.c:140
> > tracehook_notify_resume -origin/./include/linux/tracehook.h:189 [inline]
> > exit_to_user_mode_loop -origin/kernel/entry/common.c:174 [inline]
> > exit_to_user_mode_prepare+0x16b/0x1a0 -origin/kernel/entry/common.c:208
> > __syscall_exit_to_user_mode_work -origin/kernel/entry/common.c:290 [inline]
> > syscall_exit_to_user_mode+0x20/0x40 -origin/kernel/entry/common.c:301
> > do_syscall_64+0x45/0x80 -origin/arch/x86/entry/common.c:56
> > entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> No error check on registering tty device - add it.
> And roll back in case of error.
>
> --- x/drivers/tty/n_gsm.c
> +++ y/drivers/tty/n_gsm.c
> @@ -2384,8 +2384,19 @@ static int gsmld_attach_gsm(struct tty_s
> /* Don't register device 0 - this is the control channel and not
> a usable tty interface */
> base = mux_num_to_base(gsm); /* Base for this MUX */
> - for (i = 1; i < NUM_DLCI; i++)
> - tty_register_device(gsm_tty_driver, base + i, NULL);
> + for (i = 1; i < NUM_DLCI; i++) {
> + struct device *dev;
> +
> + dev = tty_register_device(gsm_tty_driver,
> + base + i, NULL);
> + if (IS_ERR(dev)) {
> + for (i--; i >= 1; i--)
> + tty_unregister_device(gsm_tty_driver,
> + base + i);
> + ret = PTR_ERR(dev);
> + return ret;
> + }
> + }
> }
> return ret;
> }
Are you testing these patches somehow? Can you do that and then submit
them correctly?
thanks,
greg k-h
> Happy to do it once Hao will echo confirming it works for him.
It looks like the patch solved the problem, nice!
Here's what I did. First, I compiled the kernel (5e46d1b7) with the
attached configuration, then I ran the reproducing program
(repro.cprog) and the same vulnerability was triggered, which means
the reproduction was successful. Then I added the patch from the email
to the gsmld_attach_gsm function and compiled it again with the same
configuration, this time after running the reproducing program, the
vulnerability was not triggered.
However, my operations are only carried out in x86_64 qemu virtual
machines, not sure whether the results will be the same under other
architectures, which need to be discussed further.
Reported-and-tested-by: SunHao-0/healer at dev (github.com)
Hillf Danton <[email protected]> 于2021年4月5日周一 下午7:02写道:
>
> On Mon, 5 Apr 2021 12:19:10 Greg KH wrote:
> >On Sun, Apr 04, 2021 at 08:39:34PM +0800, Hillf Danton wrote:
> >> On Sun, 4 Apr 2021 17:05:17 Hao Sun wrote:
> >> > Besides, the 'refcount bug in cdev_del' bug still exists too.
> >>
> >> Thanks for your report, Hao.
> >> >
> >> > Here is the detailed information:
> >> > commit: 5e46d1b78a03d52306f21f77a4e4a144b6d31486
> >> > version: Linux 5.12-rc5
> >> > git tree: upstream
> >> > kernel config (KASAN not enabled) and reproducing program can be found
> >> > in the attachment.
> >> > Report:
> >> > ------------[ cut here ]------------
> >> > refcount_t: underflow; use-after-free.
> >> > WARNING: CPU: 1 PID: 8923 at lib/refcount.c:28
> >> > refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
> >> > Modules linked in:
> >> > CPU: 1 PID: 8923 Comm: executor Not tainted 5.12.0-rc5+ #8
> >> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> >> > 1.13.0-1ubuntu1.1 04/01/2014
> >> > RIP: 0010:refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
> >> > Code: 4f ff ff ff e8 32 fa b5 fe 48 c7 c7 3d f8 f6 86 e8 d6 ab c6 fe
> >> > c6 05 7c 34 67 04 01 48 c7 c7 68 f8 6d 86 31 c0 e8 81 2e 9d fe <0f> 0b
> >> > e9 22 ff ff ff e8 05 fa b5 fe 48 c7 c7 3e f8 f6 86 e8 a9 ab
> >> > RSP: 0018:ffffc90001633c60 EFLAGS: 00010246
> >> > RAX: 15d08b2e34b77800 RBX: 0000000000000003 RCX: ffff88804c056c80
> >> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> >> > RBP: 0000000000000003 R08: ffffffff813767aa R09: 0001ffffffffffff
> >> > R10: 0001ffffffffffff R11: ffff88804c056c80 R12: ffff888040b7d000
> >> > R13: ffff88804c206938 R14: ffff88804c206900 R15: ffff888041b18488
> >> > FS: 00000000022c9940(0000) GS:ffff88807ec00000(0000) knlGS:000000000000000=
> >> > 0
> >> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> > CR2: 00007f9f9b122008 CR3: 0000000044b4b000 CR4: 0000000000750ee0
> >> > PKRU: 55555554
> >> > Call Trace:
> >> > __refcount_sub_and_test -origin/./include/linux/refcount.h:283 [inline]
> >> > __refcount_dec_and_test -origin/./include/linux/refcount.h:315 [inline]
> >> > refcount_dec_and_test -origin/./include/linux/refcount.h:333 [inline]
> >> > kref_put -origin/./include/linux/kref.h:64 [inline]
> >> > kobject_put+0x17b/0x180 -origin/lib/kobject.c:753
> >> > cdev_del+0x4b/0x50 -origin/fs/char_dev.c:597
> >> > tty_unregister_device+0x99/0xd0 -origin/drivers/tty/tty_io.c:3343
> >> > gsmld_detach_gsm -origin/drivers/tty/n_gsm.c:2409 [inline]
> >> > gsmld_close+0x6c/0x140 -origin/drivers/tty/n_gsm.c:2478
> >> > tty_ldisc_close -origin/drivers/tty/tty_ldisc.c:488 [inline]
> >> > tty_ldisc_kill -origin/drivers/tty/tty_ldisc.c:636 [inline]
> >> > tty_ldisc_release+0x1b6/0x400 -origin/drivers/tty/tty_ldisc.c:809
> >> > tty_release_struct+0x19/0xb0 -origin/drivers/tty/tty_io.c:1714
> >> > tty_release+0x9ad/0xa00 -origin/drivers/tty/tty_io.c:1885
> >> > __fput+0x260/0x4e0 -origin/fs/file_table.c:280
> >> > ____fput+0x11/0x20 -origin/fs/file_table.c:313
> >> > task_work_run+0x8e/0x110 -origin/kernel/task_work.c:140
> >> > tracehook_notify_resume -origin/./include/linux/tracehook.h:189 [inline]
> >> > exit_to_user_mode_loop -origin/kernel/entry/common.c:174 [inline]
> >> > exit_to_user_mode_prepare+0x16b/0x1a0 -origin/kernel/entry/common.c:208
> >> > __syscall_exit_to_user_mode_work -origin/kernel/entry/common.c:290 [inline]
> >> > syscall_exit_to_user_mode+0x20/0x40 -origin/kernel/entry/common.c:301
> >> > do_syscall_64+0x45/0x80 -origin/arch/x86/entry/common.c:56
> >> > entry_SYSCALL_64_after_hwframe+0x44/0xae
> >>
> >> No error check on registering tty device - add it.
> >> And roll back in case of error.
> >>
> >> --- x/drivers/tty/n_gsm.c
> >> +++ y/drivers/tty/n_gsm.c
> >> @@ -2384,8 +2384,19 @@ static int gsmld_attach_gsm(struct tty_s
> >> /* Don't register device 0 - this is the control channel and not
> >> a usable tty interface */
> >> base = mux_num_to_base(gsm); /* Base for this MUX */
> >> - for (i = 1; i < NUM_DLCI; i++)
> >> - tty_register_device(gsm_tty_driver, base + i, NULL);
> >> + for (i = 1; i < NUM_DLCI; i++) {
> >> + struct device *dev;
> >> +
> >> + dev = tty_register_device(gsm_tty_driver,
> >> + base + i, NULL);
> >> + if (IS_ERR(dev)) {
> >> + for (i--; i >= 1; i--)
> >> + tty_unregister_device(gsm_tty_driver,
> >> + base + i);
> >> + ret = PTR_ERR(dev);
> >> + return ret;
> >> + }
> >> + }
> >> }
> >> return ret;
> >> }
> >
> >Are you testing these patches somehow?
>
> No Sir because I am now having no access to the gsm hardware.
>
> >Can you do that and then submit them correctly?
>
> Happy to do it once Hao will echo confirming it works for him.
>
> Hillf