diff options
| author | Johan Hovold <jhovold@gmail.com> | 2013-03-19 04:21:26 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-03-21 18:59:05 -0400 |
| commit | fc98ab873aa3dbe783ce56a2ffdbbe7c7609521a (patch) | |
| tree | 8a59e188a28a92b02d424589fc039e80aa2b2890 | |
| parent | 43a66b4c417ad15f6d2f632ce67ad195bdf999e8 (diff) | |
USB: ti_usb_3410_5052: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.
This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/usb/serial/ti_usb_3410_5052.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c index 39cb9b807c3c..73deb029fc05 100644 --- a/drivers/usb/serial/ti_usb_3410_5052.c +++ b/drivers/usb/serial/ti_usb_3410_5052.c | |||
| @@ -74,7 +74,6 @@ struct ti_port { | |||
| 74 | int tp_flags; | 74 | int tp_flags; |
| 75 | int tp_closing_wait;/* in .01 secs */ | 75 | int tp_closing_wait;/* in .01 secs */ |
| 76 | struct async_icount tp_icount; | 76 | struct async_icount tp_icount; |
| 77 | wait_queue_head_t tp_msr_wait; /* wait for msr change */ | ||
| 78 | wait_queue_head_t tp_write_wait; | 77 | wait_queue_head_t tp_write_wait; |
| 79 | struct ti_device *tp_tdev; | 78 | struct ti_device *tp_tdev; |
| 80 | struct usb_serial_port *tp_port; | 79 | struct usb_serial_port *tp_port; |
| @@ -432,7 +431,6 @@ static int ti_port_probe(struct usb_serial_port *port) | |||
| 432 | else | 431 | else |
| 433 | tport->tp_uart_base_addr = TI_UART2_BASE_ADDR; | 432 | tport->tp_uart_base_addr = TI_UART2_BASE_ADDR; |
| 434 | tport->tp_closing_wait = closing_wait; | 433 | tport->tp_closing_wait = closing_wait; |
| 435 | init_waitqueue_head(&tport->tp_msr_wait); | ||
| 436 | init_waitqueue_head(&tport->tp_write_wait); | 434 | init_waitqueue_head(&tport->tp_write_wait); |
| 437 | if (kfifo_alloc(&tport->write_fifo, TI_WRITE_BUF_SIZE, GFP_KERNEL)) { | 435 | if (kfifo_alloc(&tport->write_fifo, TI_WRITE_BUF_SIZE, GFP_KERNEL)) { |
| 438 | kfree(tport); | 436 | kfree(tport); |
| @@ -784,9 +782,13 @@ static int ti_ioctl(struct tty_struct *tty, | |||
| 784 | dev_dbg(&port->dev, "%s - TIOCMIWAIT\n", __func__); | 782 | dev_dbg(&port->dev, "%s - TIOCMIWAIT\n", __func__); |
| 785 | cprev = tport->tp_icount; | 783 | cprev = tport->tp_icount; |
| 786 | while (1) { | 784 | while (1) { |
| 787 | interruptible_sleep_on(&tport->tp_msr_wait); | 785 | interruptible_sleep_on(&port->delta_msr_wait); |
| 788 | if (signal_pending(current)) | 786 | if (signal_pending(current)) |
| 789 | return -ERESTARTSYS; | 787 | return -ERESTARTSYS; |
| 788 | |||
| 789 | if (port->serial->disconnected) | ||
| 790 | return -EIO; | ||
| 791 | |||
| 790 | cnow = tport->tp_icount; | 792 | cnow = tport->tp_icount; |
| 791 | if (cnow.rng == cprev.rng && cnow.dsr == cprev.dsr && | 793 | if (cnow.rng == cprev.rng && cnow.dsr == cprev.dsr && |
| 792 | cnow.dcd == cprev.dcd && cnow.cts == cprev.cts) | 794 | cnow.dcd == cprev.dcd && cnow.cts == cprev.cts) |
| @@ -1392,7 +1394,7 @@ static void ti_handle_new_msr(struct ti_port *tport, __u8 msr) | |||
| 1392 | icount->dcd++; | 1394 | icount->dcd++; |
| 1393 | if (msr & TI_MSR_DELTA_RI) | 1395 | if (msr & TI_MSR_DELTA_RI) |
| 1394 | icount->rng++; | 1396 | icount->rng++; |
| 1395 | wake_up_interruptible(&tport->tp_msr_wait); | 1397 | wake_up_interruptible(&tport->tp_port->delta_msr_wait); |
| 1396 | spin_unlock_irqrestore(&tport->tp_lock, flags); | 1398 | spin_unlock_irqrestore(&tport->tp_lock, flags); |
| 1397 | } | 1399 | } |
| 1398 | 1400 | ||