aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohan Hovold <jhovold@gmail.com>2013-03-19 04:21:23 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-03-21 18:59:05 -0400
commit69f87f40d2b98e8b4ab82a121fd2bd584690b887 (patch)
tree51f4e310d5db5cd0bc727a2554f7c90bcba22c6c
parent40509ca982c00c4b70fc00be887509feca0bff15 (diff)
USB: quatech2: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected flag before accessing private port data after waking up. This is is needed as the private port data (including the wait queue itself) can be gone when waking up after a disconnect. Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <jhovold@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat
-rw-r--r--drivers/usb/serial/quatech2.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c
index d643a4d4d770..75f125ddb0c9 100644
--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -128,7 +128,6 @@ struct qt2_port_private {
128 u8 shadowLSR; 128 u8 shadowLSR;
129 u8 shadowMSR; 129 u8 shadowMSR;
130 130
131 wait_queue_head_t delta_msr_wait; /* Used for TIOCMIWAIT */
132 struct async_icount icount; 131 struct async_icount icount;
133 132
134 struct usb_serial_port *port; 133 struct usb_serial_port *port;
@@ -506,8 +505,9 @@ static int wait_modem_info(struct usb_serial_port *port, unsigned int arg)
506 spin_unlock_irqrestore(&priv->lock, flags); 505 spin_unlock_irqrestore(&priv->lock, flags);
507 506
508 while (1) { 507 while (1) {
509 wait_event_interruptible(priv->delta_msr_wait, 508 wait_event_interruptible(port->delta_msr_wait,
510 ((priv->icount.rng != prev.rng) || 509 (port->serial->disconnected ||
510 (priv->icount.rng != prev.rng) ||
511 (priv->icount.dsr != prev.dsr) || 511 (priv->icount.dsr != prev.dsr) ||
512 (priv->icount.dcd != prev.dcd) || 512 (priv->icount.dcd != prev.dcd) ||
513 (priv->icount.cts != prev.cts))); 513 (priv->icount.cts != prev.cts)));
@@ -515,6 +515,9 @@ static int wait_modem_info(struct usb_serial_port *port, unsigned int arg)
515 if (signal_pending(current)) 515 if (signal_pending(current))
516 return -ERESTARTSYS; 516 return -ERESTARTSYS;
517 517
518 if (port->serial->disconnected)
519 return -EIO;
520
518 spin_lock_irqsave(&priv->lock, flags); 521 spin_lock_irqsave(&priv->lock, flags);
519 cur = priv->icount; 522 cur = priv->icount;
520 spin_unlock_irqrestore(&priv->lock, flags); 523 spin_unlock_irqrestore(&priv->lock, flags);
@@ -827,7 +830,6 @@ static int qt2_port_probe(struct usb_serial_port *port)
827 830
828 spin_lock_init(&port_priv->lock); 831 spin_lock_init(&port_priv->lock);
829 spin_lock_init(&port_priv->urb_lock); 832 spin_lock_init(&port_priv->urb_lock);
830 init_waitqueue_head(&port_priv->delta_msr_wait);
831 port_priv->port = port; 833 port_priv->port = port;
832 834
833 port_priv->write_urb = usb_alloc_urb(0, GFP_KERNEL); 835 port_priv->write_urb = usb_alloc_urb(0, GFP_KERNEL);
@@ -970,7 +972,7 @@ static void qt2_update_msr(struct usb_serial_port *port, unsigned char *ch)
970 if (newMSR & UART_MSR_TERI) 972 if (newMSR & UART_MSR_TERI)
971 port_priv->icount.rng++; 973 port_priv->icount.rng++;
972 974
973 wake_up_interruptible(&port_priv->delta_msr_wait); 975 wake_up_interruptible(&port->delta_msr_wait);
974 } 976 }
975} 977}
976 978
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-13 10:30:24 -0400