diff options
| author | Havard Skinnemoen <hskinnemoen@google.com> | 2011-11-09 16:47:38 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-14 16:47:49 -0500 |
| commit | 5dc2470c602da8851907ec18942cd876c3b4ecc1 (patch) | |
| tree | a6ef0bac36a5d207ebb9cdfe3e5285bba0d53e40 /drivers/usb | |
| parent | 60c71ca972a2dd3fd9d0165b405361c8ad48349b (diff) | |
USB: cdc-acm: Fix disconnect() vs close() race
There's a race between the USB disconnect handler and the TTY close
handler which may cause the acm object to be freed while it's still
being used. This may lead to things like
http://article.gmane.org/gmane.linux.usb.general/54250
and
https://lkml.org/lkml/2011/5/29/64
This is the simplest fix I could come up with. Holding on to open_mutex
while closing the TTY device prevents acm_disconnect() from freeing the
acm object between acm->port.count drops to 0 and the TTY side of the
cleanups are finalized.
Signed-off-by: Havard Skinnemoen <hskinnemoen@google.com>
Cc: Oliver Neukum <oliver@neukum.name>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb')
| -rw-r--r-- | drivers/usb/class/cdc-acm.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index 6960715c5063..e8c564a53346 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c | |||
| @@ -539,7 +539,6 @@ static void acm_port_down(struct acm *acm) | |||
| 539 | { | 539 | { |
| 540 | int i; | 540 | int i; |
| 541 | 541 | ||
| 542 | mutex_lock(&open_mutex); | ||
| 543 | if (acm->dev) { | 542 | if (acm->dev) { |
| 544 | usb_autopm_get_interface(acm->control); | 543 | usb_autopm_get_interface(acm->control); |
| 545 | acm_set_control(acm, acm->ctrlout = 0); | 544 | acm_set_control(acm, acm->ctrlout = 0); |
| @@ -551,14 +550,15 @@ static void acm_port_down(struct acm *acm) | |||
| 551 | acm->control->needs_remote_wakeup = 0; | 550 | acm->control->needs_remote_wakeup = 0; |
| 552 | usb_autopm_put_interface(acm->control); | 551 | usb_autopm_put_interface(acm->control); |
| 553 | } | 552 | } |
| 554 | mutex_unlock(&open_mutex); | ||
| 555 | } | 553 | } |
| 556 | 554 | ||
| 557 | static void acm_tty_hangup(struct tty_struct *tty) | 555 | static void acm_tty_hangup(struct tty_struct *tty) |
| 558 | { | 556 | { |
| 559 | struct acm *acm = tty->driver_data; | 557 | struct acm *acm = tty->driver_data; |
| 560 | tty_port_hangup(&acm->port); | 558 | tty_port_hangup(&acm->port); |
| 559 | mutex_lock(&open_mutex); | ||
| 561 | acm_port_down(acm); | 560 | acm_port_down(acm); |
| 561 | mutex_unlock(&open_mutex); | ||
| 562 | } | 562 | } |
| 563 | 563 | ||
| 564 | static void acm_tty_close(struct tty_struct *tty, struct file *filp) | 564 | static void acm_tty_close(struct tty_struct *tty, struct file *filp) |
| @@ -569,8 +569,9 @@ static void acm_tty_close(struct tty_struct *tty, struct file *filp) | |||
| 569 | shutdown */ | 569 | shutdown */ |
| 570 | if (!acm) | 570 | if (!acm) |
| 571 | return; | 571 | return; |
| 572 | |||
| 573 | mutex_lock(&open_mutex); | ||
| 572 | if (tty_port_close_start(&acm->port, tty, filp) == 0) { | 574 | if (tty_port_close_start(&acm->port, tty, filp) == 0) { |
| 573 | mutex_lock(&open_mutex); | ||
| 574 | if (!acm->dev) { | 575 | if (!acm->dev) { |
| 575 | tty_port_tty_set(&acm->port, NULL); | 576 | tty_port_tty_set(&acm->port, NULL); |
| 576 | acm_tty_unregister(acm); | 577 | acm_tty_unregister(acm); |
| @@ -582,6 +583,7 @@ static void acm_tty_close(struct tty_struct *tty, struct file *filp) | |||
| 582 | acm_port_down(acm); | 583 | acm_port_down(acm); |
| 583 | tty_port_close_end(&acm->port, tty); | 584 | tty_port_close_end(&acm->port, tty); |
| 584 | tty_port_tty_set(&acm->port, NULL); | 585 | tty_port_tty_set(&acm->port, NULL); |
| 586 | mutex_unlock(&open_mutex); | ||
| 585 | } | 587 | } |
| 586 | 588 | ||
| 587 | static int acm_tty_write(struct tty_struct *tty, | 589 | static int acm_tty_write(struct tty_struct *tty, |