aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuiz Fernando Capitulino <lcapitulino@mandriva.com.br>2005-11-28 16:16:07 -0500
committerGreg Kroah-Hartman <gregkh@suse.de>2006-01-04 16:48:35 -0500
commit8a4613f01f5bb850cab34e3db572d97251d997b3 (patch)
tree3ce08f8c75cf8696f7902dd33298a95016ed4e14
parent487f9c6710e7dff338e59820f6cfaeaaa87cb532 (diff)
[PATCH] USB: usbserial: race-condition fix.
There is a race-condition in usb-serial driver that can be triggered if a processes does 'port->tty->driver_data = NULL' in serial_close() while other processes is in kernel-space about to call serial_ioctl() on the same port. This happens because a process can open the device while there is another one closing it. The patch below fixes that by adding a semaphore to ensure that no process will open the device while another process is closing it. Note that we can't use spinlocks here, since serial_open() and serial_close() can sleep. Signed-off-by: Luiz Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/serial/usb-serial.c14
-rw-r--r--drivers/usb/serial/usb-serial.h4
2 files changed, 17 insertions, 1 deletions
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 5bc023c73893..8bc8337c99c4 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -30,6 +30,7 @@
30#include <linux/list.h> 30#include <linux/list.h>
31#include <linux/smp_lock.h> 31#include <linux/smp_lock.h>
32#include <asm/uaccess.h> 32#include <asm/uaccess.h>
33#include <asm/semaphore.h>
33#include <linux/usb.h> 34#include <linux/usb.h>
34#include "usb-serial.h" 35#include "usb-serial.h"
35#include "pl2303.h" 36#include "pl2303.h"
@@ -190,6 +191,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
190 port = serial->port[portNumber]; 191 port = serial->port[portNumber];
191 if (!port) 192 if (!port)
192 return -ENODEV; 193 return -ENODEV;
194
195 if (down_interruptible(&port->sem))
196 return -ERESTARTSYS;
193 197
194 ++port->open_count; 198 ++port->open_count;
195 199
@@ -215,6 +219,7 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
215 goto bailout_module_put; 219 goto bailout_module_put;
216 } 220 }
217 221
222 up(&port->sem);
218 return 0; 223 return 0;
219 224
220bailout_module_put: 225bailout_module_put:
@@ -222,6 +227,7 @@ bailout_module_put:
222bailout_kref_put: 227bailout_kref_put:
223 kref_put(&serial->kref, destroy_serial); 228 kref_put(&serial->kref, destroy_serial);
224 port->open_count = 0; 229 port->open_count = 0;
230 up(&port->sem);
225 return retval; 231 return retval;
226} 232}
227 233
@@ -234,8 +240,10 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
234 240
235 dbg("%s - port %d", __FUNCTION__, port->number); 241 dbg("%s - port %d", __FUNCTION__, port->number);
236 242
243 down(&port->sem);
244
237 if (port->open_count == 0) 245 if (port->open_count == 0)
238 return; 246 goto out;
239 247
240 --port->open_count; 248 --port->open_count;
241 if (port->open_count == 0) { 249 if (port->open_count == 0) {
@@ -253,6 +261,9 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
253 } 261 }
254 262
255 kref_put(&port->serial->kref, destroy_serial); 263 kref_put(&port->serial->kref, destroy_serial);
264
265out:
266 up(&port->sem);
256} 267}
257 268
258static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count) 269static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
@@ -774,6 +785,7 @@ int usb_serial_probe(struct usb_interface *interface,
774 port->number = i + serial->minor; 785 port->number = i + serial->minor;
775 port->serial = serial; 786 port->serial = serial;
776 spin_lock_init(&port->lock); 787 spin_lock_init(&port->lock);
788 sema_init(&port->sem, 1);
777 INIT_WORK(&port->work, usb_serial_port_softint, port); 789 INIT_WORK(&port->work, usb_serial_port_softint, port);
778 serial->port[i] = port; 790 serial->port[i] = port;
779 } 791 }
diff --git a/drivers/usb/serial/usb-serial.h b/drivers/usb/serial/usb-serial.h
index 238a5a871ed6..d7d27c3385b3 100644
--- a/drivers/usb/serial/usb-serial.h
+++ b/drivers/usb/serial/usb-serial.h
@@ -16,6 +16,7 @@
16 16
17#include <linux/config.h> 17#include <linux/config.h>
18#include <linux/kref.h> 18#include <linux/kref.h>
19#include <asm/semaphore.h>
19 20
20#define SERIAL_TTY_MAJOR 188 /* Nice legal number now */ 21#define SERIAL_TTY_MAJOR 188 /* Nice legal number now */
21#define SERIAL_TTY_MINORS 255 /* loads of devices :) */ 22#define SERIAL_TTY_MINORS 255 /* loads of devices :) */
@@ -30,6 +31,8 @@
30 * @serial: pointer back to the struct usb_serial owner of this port. 31 * @serial: pointer back to the struct usb_serial owner of this port.
31 * @tty: pointer to the corresponding tty for this port. 32 * @tty: pointer to the corresponding tty for this port.
32 * @lock: spinlock to grab when updating portions of this structure. 33 * @lock: spinlock to grab when updating portions of this structure.
34 * @sem: semaphore used to synchronize serial_open() and serial_close()
35 * access for this port.
33 * @number: the number of the port (the minor number). 36 * @number: the number of the port (the minor number).
34 * @interrupt_in_buffer: pointer to the interrupt in buffer for this port. 37 * @interrupt_in_buffer: pointer to the interrupt in buffer for this port.
35 * @interrupt_in_urb: pointer to the interrupt in struct urb for this port. 38 * @interrupt_in_urb: pointer to the interrupt in struct urb for this port.
@@ -60,6 +63,7 @@ struct usb_serial_port {
60 struct usb_serial * serial; 63 struct usb_serial * serial;
61 struct tty_struct * tty; 64 struct tty_struct * tty;
62 spinlock_t lock; 65 spinlock_t lock;
66 struct semaphore sem;
63 unsigned char number; 67 unsigned char number;
64 68
65 unsigned char * interrupt_in_buffer; 69 unsigned char * interrupt_in_buffer;