1. 14 4月, 2011 7 次提交
  2. 24 3月, 2011 3 次提交
    • J
      USB: cdc-acm: fix potential null-pointer dereference on disconnect · 7e7797e7
      Johan Hovold 提交于
      Fix potential null-pointer exception on disconnect introduced by commit
      11ea859d (USB: additional power savings
      for cdc-acm devices that support remote wakeup).
      
      Only access acm->dev after making sure it is non-null in control urb
      completion handler.
      
      Cc: stable <stable@kernel.org>
      Signed-off-by: NJohan Hovold <jhovold@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      7e7797e7
    • J
      USB: cdc-acm: fix potential null-pointer dereference · 15e5bee3
      Johan Hovold 提交于
      Must check return value of tty_port_tty_get.
      
      Cc: stable <stable@kernel.org>
      Signed-off-by: NJohan Hovold <jhovold@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      15e5bee3
    • J
      USB: cdc-acm: fix memory corruption / panic · 23b80550
      Johan Hovold 提交于
      Prevent read urbs from being resubmitted from tasklet after port close.
      
      The receive tasklet was not disabled on port close, which could lead to
      corruption of receive lists on consecutive port open. In particular,
      read urbs could be re-submitted before port open, added to free list in
      open, and then added a second time to the free list in the completion
      handler.
      
      cdc-acm.c: Entering acm_tty_open.
      cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0
      cdc-acm.c: Entering acm_rx_tasklet
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64
      cdc-acm.c: set line: 115200 0 0 8
      cdc-acm.c: acm_control_msg: rq: 0x20 val: 0x0 len: 0x7 result: 7
      cdc-acm.c: acm_tty_close
      cdc-acm.c: acm_port_down
      cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x0 len: 0x0 result: 0
      cdc-acm.c: acm_ctrl_irq - urb shutting down with status: -2
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50
      cdc-acm.c: Entering acm_read_bulk with status -2
      cdc_acm 4-1:1.1: Aborting, acm not ready
      cdc-acm.c: Entering acm_read_bulk with status -2
      cdc_acm 4-1:1.1: Aborting, acm not ready
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da400, rcv 0xf57fbbe8, buf 0xf57fbd28
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da480, rcv 0xf57fbbd4, buf 0xf57fbd14
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da900, rcv 0xf57fbbc0, buf 0xf57fbd00
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da980, rcv 0xf57fbbac, buf 0xf57fbcec
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa00, rcv 0xf57fbb98, buf 0xf57fbcd8
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa80, rcv 0xf57fbb84, buf 0xf57fbcc4
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab00, rcv 0xf57fbb70, buf 0xf57fbcb0
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab80, rcv 0xf57fbb5c, buf 0xf57fbc9c
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac00, rcv 0xf57fbb48, buf 0xf57fbc88
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac80, rcv 0xf57fbb34, buf 0xf57fbc74
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad00, rcv 0xf57fbb20, buf 0xf57fbc60
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad80, rcv 0xf57fbb0c, buf 0xf57fbc4c
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da880, rcv 0xf57fbaf8, buf 0xf57fbc38
      cdc-acm.c: Entering acm_tty_open.
      cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0
      cdc-acm.c: Entering acm_rx_tasklet
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64
      cdc-acm.c: Entering acm_tty_write to write 3 bytes,
      cdc-acm.c: Get 3 bytes...
      cdc-acm.c: acm_write_start susp_count: 0
      cdc-acm.c: Entering acm_read_bulk with status 0
      ------------[ cut here ]------------
      WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120()
      Hardware name: Vostro 1520
      list_del corruption. next->prev should be f57fbc10, but was f57fbaf8
      Modules linked in: cdc_acm
      Pid: 3, comm: ksoftirqd/0 Not tainted 2.6.37+ #39
      Call Trace:
       [<c103c7e2>] warn_slowpath_common+0x72/0xa0
       [<c11dd8ac>] ? list_del+0x10c/0x120
       [<c11dd8ac>] ? list_del+0x10c/0x120
       [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
       [<c11dd8ac>] list_del+0x10c/0x120
       [<f8051dbf>] acm_rx_tasklet+0xef/0x3e0 [cdc_acm]
       [<c135465d>] ? net_rps_action_and_irq_enable+0x6d/0x80
       [<c1042bb6>] tasklet_action+0xe6/0x140
       [<c104342f>] __do_softirq+0xaf/0x210
       [<c1043380>] ? __do_softirq+0x0/0x210
       <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
       [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
       [<c105ac24>] ? kthread+0x74/0x80
       [<c105abb0>] ? kthread+0x0/0x80
       [<c100337a>] ? kernel_thread_helper+0x6/0x10
      ---[ end trace efd9a11434f0082e ]---
      ------------[ cut here ]------------
      WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120()
      Hardware name: Vostro 1520
      list_del corruption. next->prev should be f57fbd50, but was f57fbdb0
      Modules linked in: cdc_acm
      Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39
      Call Trace:
       [<c103c7e2>] warn_slowpath_common+0x72/0xa0
       [<c11dd8ac>] ? list_del+0x10c/0x120
       [<c11dd8ac>] ? list_del+0x10c/0x120
       [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
       [<c11dd8ac>] list_del+0x10c/0x120
       [<f8051dd6>] acm_rx_tasklet+0x106/0x3e0 [cdc_acm]
       [<c135465d>] ? net_rps_action_and_irq_enable+0x6d/0x80
       [<c1042bb6>] tasklet_action+0xe6/0x140
       [<c104342f>] __do_softirq+0xaf/0x210
       [<c1043380>] ? __do_softirq+0x0/0x210
       <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
       [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
       [<c105ac24>] ? kthread+0x74/0x80
       [<c105abb0>] ? kthread+0x0/0x80
       [<c100337a>] ? kernel_thread_helper+0x6/0x10
      ---[ end trace efd9a11434f0082f ]---
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50
      cdc-acm.c: disconnected from network
      cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c
      cdc-acm.c: Entering acm_rx_tasklet
      ------------[ cut here ]------------
      WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:48 list_del+0xd5/0x120()
      Hardware name: Vostro 1520
      list_del corruption, next is LIST_POISON1 (00100100)
      Modules linked in: cdc_acm
      Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39
      Call Trace:
       [<c103c7e2>] warn_slowpath_common+0x72/0xa0
       [<c11dd875>] ? list_del+0xd5/0x120
       [<c11dd875>] ? list_del+0xd5/0x120
       [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
       [<c11dd875>] list_del+0xd5/0x120
       [<f8051fac>] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
       [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
       [<c1042b30>] ? tasklet_action+0x60/0x140
       [<c1042bb6>] tasklet_action+0xe6/0x140
       [<c104342f>] __do_softirq+0xaf/0x210
       [<c1043380>] ? __do_softirq+0x0/0x210
       <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
       [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
       [<c105ac24>] ? kthread+0x74/0x80
       [<c105abb0>] ? kthread+0x0/0x80
       [<c100337a>] ? kernel_thread_helper+0x6/0x10
      ---[ end trace efd9a11434f00830 ]---
      BUG: unable to handle kernel paging request at 00200200
      IP: [<c11dd7bd>] list_del+0x1d/0x120
      *pde = 00000000
      Oops: 0000 [#1] PREEMPT SMP
      last sysfs file: /sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.0/tty/ttyACM0/uevent
      Modules linked in: cdc_acm
      Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39 0T816J/Vostro 1520
      EIP: 0060:[<c11dd7bd>] EFLAGS: 00010046 CPU: 0
      EIP is at list_del+0x1d/0x120
      EAX: f57fbd3c EBX: f57fb800 ECX: ffff8000 EDX: 00200200
      ESI: f57fbe90 EDI: f57fbd3c EBP: f600bf54 ESP: f600bf3c
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      Process ksoftirqd/0 (pid: 3, ti=f600a000 task=f60791c0 task.ti=f6082000)
      Stack:
       c1527e84 00000030 c1527e54 00100100 f57fb800 f57fbd3c f600bf98 f8051fac
       f8053104 f8052b94 f600bf6c c106dbab f600bf80 00000286 f60791c0 c1042b30
       f57fbda8 f57f5800 f57fbdb0 f57fbd80 f57fbe7c c1656b04 00000000 f600bfb0
      Call Trace:
       [<f8051fac>] ? acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
       [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
       [<c1042b30>] ? tasklet_action+0x60/0x140
       [<c1042bb6>] ? tasklet_action+0xe6/0x140
       [<c104342f>] ? __do_softirq+0xaf/0x210
       [<c1043380>] ? __do_softirq+0x0/0x210
       <IRQ>
       [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
       [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
       [<c105ac24>] ? kthread+0x74/0x80
       [<c105abb0>] ? kthread+0x0/0x80
       [<c100337a>] ? kernel_thread_helper+0x6/0x10
      Code: ff 48 14 e9 57 ff ff ff 90 90 90 90 90 90 55 89 e5 83 ec 18 81 38 00 01 10 00 0f 84 9c 00 00 00 8b 50 04 81 fa 00 02 20 00 74 33 <8b> 12 39 d0 75 5c 8b 10 8b 4a 04 39 c8 0f 85 b5 00 00 00 8b 48
      EIP: [<c11dd7bd>] list_del+0x1d/0x120 SS:ESP 0068:f600bf3c
      CR2: 0000000000200200
      ---[ end trace efd9a11434f00831 ]---
      Kernel panic - not syncing: Fatal exception in interrupt
      Pid: 3, comm: ksoftirqd/0 Tainted: G      D W   2.6.37+ #39
      Call Trace:
       [<c13fede1>] ? printk+0x1d/0x24
       [<c13fecce>] panic+0x66/0x15c
       [<c10067df>] oops_end+0x8f/0x90
       [<c1025476>] no_context+0xc6/0x160
       [<c10255a8>] __bad_area_nosemaphore+0x98/0x140
       [<c103cf68>] ? release_console_sem+0x1d8/0x210
       [<c1025667>] bad_area_nosemaphore+0x17/0x20
       [<c1025a49>] do_page_fault+0x279/0x420
       [<c1006a8f>] ? show_trace+0x1f/0x30
       [<c13fede1>] ? printk+0x1d/0x24
       [<c10257d0>] ? do_page_fault+0x0/0x420
       [<c140333b>] error_code+0x5f/0x64
       [<c103007b>] ? select_task_rq_fair+0x37b/0x6a0
       [<c10257d0>] ? do_page_fault+0x0/0x420
       [<c11dd7bd>] ? list_del+0x1d/0x120
       [<f8051fac>] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
       [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
       [<c1042b30>] ? tasklet_action+0x60/0x140
       [<c1042bb6>] tasklet_action+0xe6/0x140
       [<c104342f>] __do_softirq+0xaf/0x210
       [<c1043380>] ? __do_softirq+0x0/0x210
       <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
       [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
       [<c105ac24>] ? kthread+0x74/0x80
       [<c105abb0>] ? kthread+0x0/0x80
       [<c100337a>] ? kernel_thread_helper+0x6/0x10
      panic occurred, switching back to text console
      ------------[ cut here ]------------
      
      Cc: stable <stable@kernel.org>
      Signed-off-by: NJohan Hovold <jhovold@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      23b80550
  3. 18 2月, 2011 3 次提交
  4. 05 2月, 2011 1 次提交
  5. 23 10月, 2010 1 次提交
  6. 04 9月, 2010 3 次提交
  7. 11 8月, 2010 1 次提交
  8. 27 7月, 2010 1 次提交
  9. 19 7月, 2010 1 次提交
  10. 05 6月, 2010 1 次提交
    • A
      USB: cdc-acm: fix resource reclaim in error path of acm_probe · c2572b78
      Axel Lin 提交于
      This patch fixes resource reclaim in error path of acm_probe:
      
      1. In the case of "out of memory (read urbs usb_alloc_urb)\n")", there
         is no need to call acm_read_buffers_free(acm) here.  Fix it by goto
         alloc_fail6 instead of alloc_fail7.
      2. In the case of "out of memory (write urbs usb_alloc_urb)",
         usb_alloc_urb may fail in any iteration of the for loop.  Current
         implementation does not properly free allocated snd->urb.  Fix it by
         goto alloc_fail8 instead of alloc_fail7.
      3. In the case of device_create_file(&intf->dev,&dev_attr_iCountryCodeRelDate)
         fail, acm->country_codes is kfreed. As a result, device_remove_file
         for dev_attr_wCountryCodes will not be executed in acm_disconnect.
         Fix it by calling device_remove_file for dev_attr_wCountryCodes
         before goto skip_countries.
      Signed-off-by: NAxel Lin <axel.lin@gmail.com>
      Acked-by: NOliver Neukum <oneukum@suse.de>
      Cc: stable <stable@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      c2572b78
  11. 21 5月, 2010 1 次提交
  12. 01 5月, 2010 1 次提交
  13. 19 3月, 2010 1 次提交
  14. 03 3月, 2010 7 次提交
  15. 12 12月, 2009 1 次提交
    • A
      USB: Exposing second ACM channel as tty for Nokia S60 phones. · c1479a92
      Adrian Taylor 提交于
      Nokia S60 phones expose two ACM channels. The first is a modem and is picked
      up by the standard AT-command interface information in the CDC-ACM driver. The
      second is marked as having a vendor-specific protocol. Normally, we don't
      expose those as ttys. (On some other devices, they may be claimed by the
      rndis_host driver and used as a network interface).
      
      But on S60 this second ACM channel is the way that third-party S60 application
      developers are expected to communicate over USB. It acts as a serial device
      at the S60 end, and so it should on Linux too.
      
      The list of devices is largely derived from:
      http://wiki.forum.nokia.com/index.php/S60_Platform_and_device_identification_codes
      http://wiki.forum.nokia.com/index.php/Nokia_USB_Product_IDs
      and includes only the S60 3rd Edition+ devices documented there.
      
      There are many devices for which the USB device ID is not documented,
      including:
          Nokia 6290
          Nokia E63
          Nokia 5630 XpressMusic
          Nokia 5730 XpressMusic
          Nokia 6710 Navigator
          Nokia 6720 classic
          Nokia 6730 Classic
          Nokia 6760 slide
          Nokia 6790 slide
          Nokia 6790 Surge
          Nokia E52
          Nokia E55
          Nokia E71x (AT&T)
          Nokia E72
          Nokia E75
          Nokia E75 US+LTA variant
          Nokia N79
          Nokia N86 8MP
          Nokia 5230 (RM-588)
          Nokia 5230 (RM-594)
          Nokia 5530 XpressMusic
          Nokia 5530 XpressMusic (china)
          Nokia 5800 XM
          Nokia N97 (RM-506)
          Nokia N97 mini
          Nokia X6
      It would be good to add those subsequently.
      Signed-off-by: NAdrian Taylor <aat@realvnc.com>
      Acked-by: NOliver Neukum <oliver@neukum.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      c1479a92
  16. 18 11月, 2009 2 次提交
    • F
      USB: cdc_acm: Fix memory leak after hangup · 051522bb
      Francesco Lavra 提交于
      Am Donnerstag, 10. September 2009 15:43:53 schrieb Dietmar Hilbrich:
      > Hello,
      >
      > i have the following problem with the cdc-acm - driver:
      >
      > I'm using the driver with an "Ericsson F3507G" on a Thinkpad T400.
      >
      > If a disable the device (with the RFKill-Switch) while it is used by a
      > programm like ppp, the driver doesn't seem to correctly clean up the tty,
      > even after the program has been closed)
      >
      > The tty is still active (e.g. there still exists an entry in
      > /sys/dev/char/166:0 if ttyACM0 was used) and if a reacticate the device,
      > this device entry will be skipped and the Device-Nodes ttyACM1, ttyACM2
      > and ttyACM3 will be used.
      >
      > This problem was introduced with the commit
      > 10077d4a (before 2.6.31-rc1) and still
      > exists in 2.6.31.
      >
      > I was able the fix this problem with the following patch:
      >
      > diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
      > index 2bfc41e..0970d2f 100644
      > --- a/drivers/usb/class/cdc-acm.c
      > +++ b/drivers/usb/class/cdc-acm.c
      > @@ -676,6 +676,7 @@ static void acm_tty_hangup(struct tty_struct *tty)
      >         struct acm *acm = tty->driver_data;
      >         tty_port_hangup(&acm->port);
      >         acm_port_down(acm, 0);
      > +       acm_tty_unregister(acm);
      >  }
      
      I have the same problem with cdc-acm (I'm using a Samsung SGH-U900): when I
      unplug it from the USB port during a PPP connection, the ppp daemon gets the
      hangup correctly (and closes the device), but the struct acm corresponding to
      the device disconnected is not freed. Hence reconnecting the device results in
      creation of /dev/ttyACM(x+1). The same happens when the system is hibernated
      during a PPP connection.
      
      This memory leak is due to the fact that when the tty is hung up,
      tty_port_close_start() returns always zero, and acm_tty_close() never reaches
      the point where acm_tty_unregister() is called.
      
      Here is a fix for this.
      Signed-off-by: NFrancesco Lavra <francescolavra@interfree.it>
      Acked-by: NOliver Neukum <oliver@neukum.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      051522bb
    • H
      USB: cdc_acm: Fix race condition when opening tty · 18a77b5d
      Henry Gebhardt 提交于
      If acm_rx_tasklet() gets called before tty_port_block_til_ready()
      returns, then bulk IN urbs may not be sent. This fixes it.
      Signed-off-by: NHenry Gebhardt <gebhardt@astro.uni-tuebingen.de>
      Acked-by: NOliver Neukum <oliver@neukum.org>
      Cc: stable <stable@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      18a77b5d
  17. 23 9月, 2009 1 次提交
  18. 20 9月, 2009 1 次提交
  19. 08 8月, 2009 1 次提交
  20. 21 7月, 2009 1 次提交
  21. 13 7月, 2009 1 次提交