aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohan Hovold <jhovold@gmail.com>2010-02-27 10:24:49 -0500
committerGreg Kroah-Hartman <gregkh@suse.de>2010-03-19 10:24:03 -0400
commiteb8878a881c306ff3eab6e741ab8fc94096f4e1a (patch)
treea6dee42012439d65e48bb89e274d44c95246f5e1
parent6313620228624ff4dcb78b1dbd459d0c208df126 (diff)
USB: serial: use port endpoint size to determine if ep is available
It is possible to have a multi-port device with a port lacking an in or out bulk endpoint. Only checking for num_bulk_in or num_bulk_out is thus not sufficient to determine whether a specific port has an in or out bulk endpoint. This fixes potential null pointer dereferences in the generic open and write routines, as well as access to uninitialised fifo in write_room and chars_in_buffer. Also let write fail with ENODEV (instead of 0) on missing out endpoint (also on zero-length writes). Signed-off-by: Johan Hovold <jhovold@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/serial/generic.c30
1 files changed, 19 insertions, 11 deletions
diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c
index 214bf25bc3b5..f804acb138ec 100644
--- a/drivers/usb/serial/generic.c
+++ b/drivers/usb/serial/generic.c
@@ -130,7 +130,7 @@ int usb_serial_generic_open(struct tty_struct *tty, struct usb_serial_port *port
130 spin_unlock_irqrestore(&port->lock, flags); 130 spin_unlock_irqrestore(&port->lock, flags);
131 131
132 /* if we have a bulk endpoint, start reading from it */ 132 /* if we have a bulk endpoint, start reading from it */
133 if (serial->num_bulk_in) { 133 if (port->bulk_in_size) {
134 /* Start reading from the device */ 134 /* Start reading from the device */
135 usb_fill_bulk_urb(port->read_urb, serial->dev, 135 usb_fill_bulk_urb(port->read_urb, serial->dev,
136 usb_rcvbulkpipe(serial->dev, 136 usb_rcvbulkpipe(serial->dev,
@@ -159,10 +159,10 @@ static void generic_cleanup(struct usb_serial_port *port)
159 dbg("%s - port %d", __func__, port->number); 159 dbg("%s - port %d", __func__, port->number);
160 160
161 if (serial->dev) { 161 if (serial->dev) {
162 /* shutdown any bulk reads that might be going on */ 162 /* shutdown any bulk transfers that might be going on */
163 if (serial->num_bulk_out) 163 if (port->bulk_out_size)
164 usb_kill_urb(port->write_urb); 164 usb_kill_urb(port->write_urb);
165 if (serial->num_bulk_in) 165 if (port->bulk_in_size)
166 usb_kill_urb(port->read_urb); 166 usb_kill_urb(port->read_urb);
167 } 167 }
168} 168}
@@ -333,15 +333,15 @@ int usb_serial_generic_write(struct tty_struct *tty,
333 333
334 dbg("%s - port %d", __func__, port->number); 334 dbg("%s - port %d", __func__, port->number);
335 335
336 /* only do something if we have a bulk out endpoint */
337 if (!port->bulk_out_size)
338 return -ENODEV;
339
336 if (count == 0) { 340 if (count == 0) {
337 dbg("%s - write request of 0 bytes", __func__); 341 dbg("%s - write request of 0 bytes", __func__);
338 return 0; 342 return 0;
339 } 343 }
340 344
341 /* only do something if we have a bulk out endpoint */
342 if (!serial->num_bulk_out)
343 return 0;
344
345 if (serial->type->max_in_flight_urbs) 345 if (serial->type->max_in_flight_urbs)
346 return usb_serial_multi_urb_write(tty, port, 346 return usb_serial_multi_urb_write(tty, port,
347 buf, count); 347 buf, count);
@@ -364,14 +364,19 @@ int usb_serial_generic_write_room(struct tty_struct *tty)
364 int room = 0; 364 int room = 0;
365 365
366 dbg("%s - port %d", __func__, port->number); 366 dbg("%s - port %d", __func__, port->number);
367
368 if (!port->bulk_out_size)
369 return 0;
370
367 spin_lock_irqsave(&port->lock, flags); 371 spin_lock_irqsave(&port->lock, flags);
368 if (serial->type->max_in_flight_urbs) { 372 if (serial->type->max_in_flight_urbs) {
369 if (port->urbs_in_flight < serial->type->max_in_flight_urbs) 373 if (port->urbs_in_flight < serial->type->max_in_flight_urbs)
370 room = port->bulk_out_size * 374 room = port->bulk_out_size *
371 (serial->type->max_in_flight_urbs - 375 (serial->type->max_in_flight_urbs -
372 port->urbs_in_flight); 376 port->urbs_in_flight);
373 } else if (serial->num_bulk_out) 377 } else {
374 room = kfifo_avail(&port->write_fifo); 378 room = kfifo_avail(&port->write_fifo);
379 }
375 spin_unlock_irqrestore(&port->lock, flags); 380 spin_unlock_irqrestore(&port->lock, flags);
376 381
377 dbg("%s - returns %d", __func__, room); 382 dbg("%s - returns %d", __func__, room);
@@ -382,15 +387,18 @@ int usb_serial_generic_chars_in_buffer(struct tty_struct *tty)
382{ 387{
383 struct usb_serial_port *port = tty->driver_data; 388 struct usb_serial_port *port = tty->driver_data;
384 struct usb_serial *serial = port->serial; 389 struct usb_serial *serial = port->serial;
385 int chars = 0;
386 unsigned long flags; 390 unsigned long flags;
391 int chars;
387 392
388 dbg("%s - port %d", __func__, port->number); 393 dbg("%s - port %d", __func__, port->number);
389 394
395 if (!port->bulk_out_size)
396 return 0;
397
390 spin_lock_irqsave(&port->lock, flags); 398 spin_lock_irqsave(&port->lock, flags);
391 if (serial->type->max_in_flight_urbs) 399 if (serial->type->max_in_flight_urbs)
392 chars = port->tx_bytes_flight; 400 chars = port->tx_bytes_flight;
393 else if (serial->num_bulk_out) 401 else
394 chars = kfifo_len(&port->write_fifo); 402 chars = kfifo_len(&port->write_fifo);
395 spin_unlock_irqrestore(&port->lock, flags); 403 spin_unlock_irqrestore(&port->lock, flags);
396 404