diff options
| author | Johan Hovold <jhovold@gmail.com> | 2013-03-19 04:21:18 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-03-21 18:59:04 -0400 |
| commit | cf1d24443677a0758cfa88ca40f24858b89261c0 (patch) | |
| tree | 03cb96d63c95169454ecc5e5ae12be8aaf97b52d | |
| parent | 7b2459690584f239650a365f3411ba2ec1c6d1e0 (diff) | |
USB: mct_u232: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.
This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/usb/serial/mct_u232.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c index a64d420f687b..06d5a60be2c4 100644 --- a/drivers/usb/serial/mct_u232.c +++ b/drivers/usb/serial/mct_u232.c | |||
| @@ -114,8 +114,6 @@ struct mct_u232_private { | |||
| 114 | unsigned char last_msr; /* Modem Status Register */ | 114 | unsigned char last_msr; /* Modem Status Register */ |
| 115 | unsigned int rx_flags; /* Throttling flags */ | 115 | unsigned int rx_flags; /* Throttling flags */ |
| 116 | struct async_icount icount; | 116 | struct async_icount icount; |
| 117 | wait_queue_head_t msr_wait; /* for handling sleeping while waiting | ||
| 118 | for msr change to happen */ | ||
| 119 | }; | 117 | }; |
| 120 | 118 | ||
| 121 | #define THROTTLED 0x01 | 119 | #define THROTTLED 0x01 |
| @@ -409,7 +407,6 @@ static int mct_u232_port_probe(struct usb_serial_port *port) | |||
| 409 | return -ENOMEM; | 407 | return -ENOMEM; |
| 410 | 408 | ||
| 411 | spin_lock_init(&priv->lock); | 409 | spin_lock_init(&priv->lock); |
| 412 | init_waitqueue_head(&priv->msr_wait); | ||
| 413 | 410 | ||
| 414 | usb_set_serial_port_data(port, priv); | 411 | usb_set_serial_port_data(port, priv); |
| 415 | 412 | ||
| @@ -601,7 +598,7 @@ static void mct_u232_read_int_callback(struct urb *urb) | |||
| 601 | tty_kref_put(tty); | 598 | tty_kref_put(tty); |
| 602 | } | 599 | } |
| 603 | #endif | 600 | #endif |
| 604 | wake_up_interruptible(&priv->msr_wait); | 601 | wake_up_interruptible(&port->delta_msr_wait); |
| 605 | spin_unlock_irqrestore(&priv->lock, flags); | 602 | spin_unlock_irqrestore(&priv->lock, flags); |
| 606 | exit: | 603 | exit: |
| 607 | retval = usb_submit_urb(urb, GFP_ATOMIC); | 604 | retval = usb_submit_urb(urb, GFP_ATOMIC); |
| @@ -810,13 +807,17 @@ static int mct_u232_ioctl(struct tty_struct *tty, | |||
| 810 | cprev = mct_u232_port->icount; | 807 | cprev = mct_u232_port->icount; |
| 811 | spin_unlock_irqrestore(&mct_u232_port->lock, flags); | 808 | spin_unlock_irqrestore(&mct_u232_port->lock, flags); |
| 812 | for ( ; ; ) { | 809 | for ( ; ; ) { |
| 813 | prepare_to_wait(&mct_u232_port->msr_wait, | 810 | prepare_to_wait(&port->delta_msr_wait, |
| 814 | &wait, TASK_INTERRUPTIBLE); | 811 | &wait, TASK_INTERRUPTIBLE); |
| 815 | schedule(); | 812 | schedule(); |
| 816 | finish_wait(&mct_u232_port->msr_wait, &wait); | 813 | finish_wait(&port->delta_msr_wait, &wait); |
| 817 | /* see if a signal did it */ | 814 | /* see if a signal did it */ |
| 818 | if (signal_pending(current)) | 815 | if (signal_pending(current)) |
| 819 | return -ERESTARTSYS; | 816 | return -ERESTARTSYS; |
| 817 | |||
| 818 | if (port->serial->disconnected) | ||
| 819 | return -EIO; | ||
| 820 | |||
| 820 | spin_lock_irqsave(&mct_u232_port->lock, flags); | 821 | spin_lock_irqsave(&mct_u232_port->lock, flags); |
| 821 | cnow = mct_u232_port->icount; | 822 | cnow = mct_u232_port->icount; |
| 822 | spin_unlock_irqrestore(&mct_u232_port->lock, flags); | 823 | spin_unlock_irqrestore(&mct_u232_port->lock, flags); |