diff options
author | Johan Hovold <jhovold@gmail.com> | 2010-02-27 10:24:49 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-03-19 10:24:03 -0400 |
commit | eb8878a881c306ff3eab6e741ab8fc94096f4e1a (patch) | |
tree | a6dee42012439d65e48bb89e274d44c95246f5e1 | |
parent | 6313620228624ff4dcb78b1dbd459d0c208df126 (diff) |
USB: serial: use port endpoint size to determine if ep is available
It is possible to have a multi-port device with a port lacking an in or
out bulk endpoint. Only checking for num_bulk_in or num_bulk_out is thus not
sufficient to determine whether a specific port has an in or out bulk
endpoint.
This fixes potential null pointer dereferences in the generic open and
write routines, as well as access to uninitialised fifo in write_room
and chars_in_buffer.
Also let write fail with ENODEV (instead of 0) on missing out endpoint
(also on zero-length writes).
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/usb/serial/generic.c | 30 |
1 files changed, 19 insertions, 11 deletions
diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c index 214bf25bc3b5..f804acb138ec 100644 --- a/drivers/usb/serial/generic.c +++ b/drivers/usb/serial/generic.c | |||
@@ -130,7 +130,7 @@ int usb_serial_generic_open(struct tty_struct *tty, struct usb_serial_port *port | |||
130 | spin_unlock_irqrestore(&port->lock, flags); | 130 | spin_unlock_irqrestore(&port->lock, flags); |
131 | 131 | ||
132 | /* if we have a bulk endpoint, start reading from it */ | 132 | /* if we have a bulk endpoint, start reading from it */ |
133 | if (serial->num_bulk_in) { | 133 | if (port->bulk_in_size) { |
134 | /* Start reading from the device */ | 134 | /* Start reading from the device */ |
135 | usb_fill_bulk_urb(port->read_urb, serial->dev, | 135 | usb_fill_bulk_urb(port->read_urb, serial->dev, |
136 | usb_rcvbulkpipe(serial->dev, | 136 | usb_rcvbulkpipe(serial->dev, |
@@ -159,10 +159,10 @@ static void generic_cleanup(struct usb_serial_port *port) | |||
159 | dbg("%s - port %d", __func__, port->number); | 159 | dbg("%s - port %d", __func__, port->number); |
160 | 160 | ||
161 | if (serial->dev) { | 161 | if (serial->dev) { |
162 | /* shutdown any bulk reads that might be going on */ | 162 | /* shutdown any bulk transfers that might be going on */ |
163 | if (serial->num_bulk_out) | 163 | if (port->bulk_out_size) |
164 | usb_kill_urb(port->write_urb); | 164 | usb_kill_urb(port->write_urb); |
165 | if (serial->num_bulk_in) | 165 | if (port->bulk_in_size) |
166 | usb_kill_urb(port->read_urb); | 166 | usb_kill_urb(port->read_urb); |
167 | } | 167 | } |
168 | } | 168 | } |
@@ -333,15 +333,15 @@ int usb_serial_generic_write(struct tty_struct *tty, | |||
333 | 333 | ||
334 | dbg("%s - port %d", __func__, port->number); | 334 | dbg("%s - port %d", __func__, port->number); |
335 | 335 | ||
336 | /* only do something if we have a bulk out endpoint */ | ||
337 | if (!port->bulk_out_size) | ||
338 | return -ENODEV; | ||
339 | |||
336 | if (count == 0) { | 340 | if (count == 0) { |
337 | dbg("%s - write request of 0 bytes", __func__); | 341 | dbg("%s - write request of 0 bytes", __func__); |
338 | return 0; | 342 | return 0; |
339 | } | 343 | } |
340 | 344 | ||
341 | /* only do something if we have a bulk out endpoint */ | ||
342 | if (!serial->num_bulk_out) | ||
343 | return 0; | ||
344 | |||
345 | if (serial->type->max_in_flight_urbs) | 345 | if (serial->type->max_in_flight_urbs) |
346 | return usb_serial_multi_urb_write(tty, port, | 346 | return usb_serial_multi_urb_write(tty, port, |
347 | buf, count); | 347 | buf, count); |
@@ -364,14 +364,19 @@ int usb_serial_generic_write_room(struct tty_struct *tty) | |||
364 | int room = 0; | 364 | int room = 0; |
365 | 365 | ||
366 | dbg("%s - port %d", __func__, port->number); | 366 | dbg("%s - port %d", __func__, port->number); |
367 | |||
368 | if (!port->bulk_out_size) | ||
369 | return 0; | ||
370 | |||
367 | spin_lock_irqsave(&port->lock, flags); | 371 | spin_lock_irqsave(&port->lock, flags); |
368 | if (serial->type->max_in_flight_urbs) { | 372 | if (serial->type->max_in_flight_urbs) { |
369 | if (port->urbs_in_flight < serial->type->max_in_flight_urbs) | 373 | if (port->urbs_in_flight < serial->type->max_in_flight_urbs) |
370 | room = port->bulk_out_size * | 374 | room = port->bulk_out_size * |
371 | (serial->type->max_in_flight_urbs - | 375 | (serial->type->max_in_flight_urbs - |
372 | port->urbs_in_flight); | 376 | port->urbs_in_flight); |
373 | } else if (serial->num_bulk_out) | 377 | } else { |
374 | room = kfifo_avail(&port->write_fifo); | 378 | room = kfifo_avail(&port->write_fifo); |
379 | } | ||
375 | spin_unlock_irqrestore(&port->lock, flags); | 380 | spin_unlock_irqrestore(&port->lock, flags); |
376 | 381 | ||
377 | dbg("%s - returns %d", __func__, room); | 382 | dbg("%s - returns %d", __func__, room); |
@@ -382,15 +387,18 @@ int usb_serial_generic_chars_in_buffer(struct tty_struct *tty) | |||
382 | { | 387 | { |
383 | struct usb_serial_port *port = tty->driver_data; | 388 | struct usb_serial_port *port = tty->driver_data; |
384 | struct usb_serial *serial = port->serial; | 389 | struct usb_serial *serial = port->serial; |
385 | int chars = 0; | ||
386 | unsigned long flags; | 390 | unsigned long flags; |
391 | int chars; | ||
387 | 392 | ||
388 | dbg("%s - port %d", __func__, port->number); | 393 | dbg("%s - port %d", __func__, port->number); |
389 | 394 | ||
395 | if (!port->bulk_out_size) | ||
396 | return 0; | ||
397 | |||
390 | spin_lock_irqsave(&port->lock, flags); | 398 | spin_lock_irqsave(&port->lock, flags); |
391 | if (serial->type->max_in_flight_urbs) | 399 | if (serial->type->max_in_flight_urbs) |
392 | chars = port->tx_bytes_flight; | 400 | chars = port->tx_bytes_flight; |
393 | else if (serial->num_bulk_out) | 401 | else |
394 | chars = kfifo_len(&port->write_fifo); | 402 | chars = kfifo_len(&port->write_fifo); |
395 | spin_unlock_irqrestore(&port->lock, flags); | 403 | spin_unlock_irqrestore(&port->lock, flags); |
396 | 404 | ||