authorJohan Hovold <jhovold@gmail.com>2013-03-19 04:21:25 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-03-21 18:59:05 -0400
commit43a66b4c417ad15f6d2f632ce67ad195bdf999e8 (patch)
treec0211faa5c8df0612640b6e6dc39baad0ebd08d5 /drivers/usb/serial/ssu100.c
parentdbcea7615d8d7d58f6ff49d2c5568113f70effe9 (diff)
USB: ssu100: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected flag before accessing private port data after waking up. This is needed as the private port data (including the wait queue itself) can be gone when waking up after a disconnect. Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <jhovold@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/serial/ssu100.c')
-rw-r--r--drivers/usb/serial/ssu100.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/usb/serial/ssu100.c b/drivers/usb/serial/ssu100.c
index b57cf841c5b6..4b2a19757b4d 100644
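--- a/drivers/usb/serial/ssu100.c
+++ b/drivers/usb/serial/ssu100.c
@@ -61,7 +61,6 @@ struct ssu100_port_private {
 spinlock_t status_lock;
 u8 shadowLSR;
 u8 shadowMSR;
-wait_queue_head_t delta_msr_wait; /* Used for TIOCMIWAIT */
 struct async_icount icount;
 };
 
@@ -355,8 +354,9 @@ static int wait_modem_info(struct usb_serial_port *port, unsigned int arg)
 spin_unlock_irqrestore(&priv->status_lock, flags);
 
 while (1) {
-wait_event_interruptible(priv->delta_msr_wait,
-((priv->icount.rng != prev.rng) ||
+wait_event_interruptible(port->delta_msr_wait,
+(port->serial->disconnected ||
+(priv->icount.rng != prev.rng) ||
 (priv->icount.dsr != prev.dsr) ||
 (priv->icount.dcd != prev.dcd) ||
 (priv->icount.cts != prev.cts)));
@@ -364,6 +364,9 @@ static int wait_modem_info(struct usb_serial_port *port, unsigned int arg)
 if (signal_pending(current))
 return -ERESTARTSYS;
 
+if (port->serial->disconnected)
+return -EIO;
+
 spin_lock_irqsave(&priv->status_lock, flags);
 cur = priv->icount;
 spin_unlock_irqrestore(&priv->status_lock, flags);
@@ -445,7 +448,6 @@ static int ssu100_port_probe(struct usb_serial_port *port)
 return -ENOMEM;
 
 spin_lock_init(&priv->status_lock);
-init_waitqueue_head(&priv->delta_msr_wait);
 
 usb_set_serial_port_data(port, priv);
 
@@ -537,7 +539,7 @@ static void ssu100_update_msr(struct usb_serial_port *port, u8 msr)
 priv->icount.dcd++;
 if (msr & UART_MSR_TERI)
 priv->icount.rng++;
-wake_up_interruptible(&priv->delta_msr_wait);
+wake_up_interruptible(&port->delta_msr_wait);
 }
 }
 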
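Review bot: The `port->serial->disconnected` tests added to wait_modem_info() are read without any lock that excludes teardown, so they narrow the use-after-free window rather than close it. A disconnect landing between `if (port->serial->disconnected) return -EIO;` and `spin_lock_irqsave(&priv->status_lock, flags)` would still reach `priv`, assuming the private data is freed on port removal as the commit message describes. The fix also relies on things this diff does not show, namely that the core initialises `port->delta_msr_wait` and wakes it on disconnect, and on `disconnected` staying the first operand so the `priv->icount` comparisons are short-circuited. I would record that above the loop with `/* Woken by the core on disconnect; priv may be gone once serial->disconnected is set, so test it first. */`, and longer term keep the counters in the port structure so the waiter never dereferences `priv`. The function's body starts and ends outside the hunks shown.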