diff options
| author | Johan Hovold <jhovold@gmail.com> | 2013-03-19 04:21:11 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-03-21 18:59:02 -0400 |
| commit | 5018860321dc7a9e50a75d5f319bc981298fb5b7 (patch) | |
| tree | 252272fa6a60fe30638bef7184a329ff65558148 | |
| parent | e5b33dc9d16053c2ae4c2c669cf008829530364b (diff) | |
USB: ark3116: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.
This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/usb/serial/ark3116.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/usb/serial/ark3116.c b/drivers/usb/serial/ark3116.c index cbd904b8fba5..4775f8209e55 100644 --- a/drivers/usb/serial/ark3116.c +++ b/drivers/usb/serial/ark3116.c | |||
| @@ -62,7 +62,6 @@ static int is_irda(struct usb_serial *serial) | |||
| 62 | } | 62 | } |
| 63 | 63 | ||
| 64 | struct ark3116_private { | 64 | struct ark3116_private { |
| 65 | wait_queue_head_t delta_msr_wait; | ||
| 66 | struct async_icount icount; | 65 | struct async_icount icount; |
| 67 | int irda; /* 1 for irda device */ | 66 | int irda; /* 1 for irda device */ |
| 68 | 67 | ||
| @@ -146,7 +145,6 @@ static int ark3116_port_probe(struct usb_serial_port *port) | |||
| 146 | if (!priv) | 145 | if (!priv) |
| 147 | return -ENOMEM; | 146 | return -ENOMEM; |
| 148 | 147 | ||
| 149 | init_waitqueue_head(&priv->delta_msr_wait); | ||
| 150 | mutex_init(&priv->hw_lock); | 148 | mutex_init(&priv->hw_lock); |
| 151 | spin_lock_init(&priv->status_lock); | 149 | spin_lock_init(&priv->status_lock); |
| 152 | 150 | ||
| @@ -456,10 +454,14 @@ static int ark3116_ioctl(struct tty_struct *tty, | |||
| 456 | case TIOCMIWAIT: | 454 | case TIOCMIWAIT: |
| 457 | for (;;) { | 455 | for (;;) { |
| 458 | struct async_icount prev = priv->icount; | 456 | struct async_icount prev = priv->icount; |
| 459 | interruptible_sleep_on(&priv->delta_msr_wait); | 457 | interruptible_sleep_on(&port->delta_msr_wait); |
| 460 | /* see if a signal did it */ | 458 | /* see if a signal did it */ |
| 461 | if (signal_pending(current)) | 459 | if (signal_pending(current)) |
| 462 | return -ERESTARTSYS; | 460 | return -ERESTARTSYS; |
| 461 | |||
| 462 | if (port->serial->disconnected) | ||
| 463 | return -EIO; | ||
| 464 | |||
| 463 | if ((prev.rng == priv->icount.rng) && | 465 | if ((prev.rng == priv->icount.rng) && |
| 464 | (prev.dsr == priv->icount.dsr) && | 466 | (prev.dsr == priv->icount.dsr) && |
| 465 | (prev.dcd == priv->icount.dcd) && | 467 | (prev.dcd == priv->icount.dcd) && |
| @@ -580,7 +582,7 @@ static void ark3116_update_msr(struct usb_serial_port *port, __u8 msr) | |||
| 580 | priv->icount.dcd++; | 582 | priv->icount.dcd++; |
| 581 | if (msr & UART_MSR_TERI) | 583 | if (msr & UART_MSR_TERI) |
| 582 | priv->icount.rng++; | 584 | priv->icount.rng++; |
| 583 | wake_up_interruptible(&priv->delta_msr_wait); | 585 | wake_up_interruptible(&port->delta_msr_wait); |
| 584 | } | 586 | } |
| 585 | } | 587 | } |
| 586 | 588 | ||