diff options
author | Ian Abbott <abbotti@mev.co.uk> | 2006-06-26 06:44:22 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-07-12 19:03:22 -0400 |
commit | 00d6058ac93048b525b86fa48b413dcb87ac2728 (patch) | |
tree | 8d5eab6af613e8832ba182e54ec9d7f634517a26 /drivers/usb | |
parent | 5650b4dd141e823c2b1bc248cb9ad3e9ac88cf19 (diff) |
[PATCH] USB serial visor: fix race in open/close
The anti user-DoS mechanism in the USB serial 'visor' driver can fail in
the following way:
visor_open: priv->outstanding_urbs = 0
visor_write: ++priv->outstanding_urbs
visor_close:
visor_open: priv->outstanding_urbs = 0
visor_write_bulk_callback: --priv->outstanding_urbs
So priv->outstanding_urbs ends up as (unsigned long)(-1). Not good!
I haven't seen this happen with the visor driver as I don't have the
hardware, but I have seen it while testing a patch to implement the same
functionality in the ftdi_sio driver (patch not yet submitted).
The fix is pretty simple: don't reinitialize outstanding_urbs in
visor_open. (Again, I haven't tested the fix in visor, but I have
tested it in ftdi_sio.)
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb')
-rw-r--r-- | drivers/usb/serial/visor.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c index cbc21465f4fb..32c3c6288985 100644 --- a/drivers/usb/serial/visor.c +++ b/drivers/usb/serial/visor.c | |||
@@ -302,7 +302,6 @@ static int visor_open (struct usb_serial_port *port, struct file *filp) | |||
302 | spin_lock_irqsave(&priv->lock, flags); | 302 | spin_lock_irqsave(&priv->lock, flags); |
303 | priv->bytes_in = 0; | 303 | priv->bytes_in = 0; |
304 | priv->bytes_out = 0; | 304 | priv->bytes_out = 0; |
305 | priv->outstanding_urbs = 0; | ||
306 | priv->throttled = 0; | 305 | priv->throttled = 0; |
307 | spin_unlock_irqrestore(&priv->lock, flags); | 306 | spin_unlock_irqrestore(&priv->lock, flags); |
308 | 307 | ||