aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorJohan Hovold <jhovold@gmail.com>2013-03-19 04:21:12 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-03-21 18:59:03 -0400
commitfa1e11d5231c001c80a479160b5832933c5d35fb (patch)
tree5f10a8edfd7a4060285f60694cd8a68d20047278 /drivers
parent5018860321dc7a9e50a75d5f319bc981298fb5b7 (diff)
USB: ch341: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected flag before accessing private port data after waking up. This is is needed as the private port data (including the wait queue itself) can be gone when waking up after a disconnect. Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <jhovold@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/usb/serial/ch341.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index d255f66e708e..07d4650a32ab 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -80,7 +80,6 @@ MODULE_DEVICE_TABLE(usb, id_table);
80 80
81struct ch341_private { 81struct ch341_private {
82 spinlock_t lock; /* access lock */ 82 spinlock_t lock; /* access lock */
83 wait_queue_head_t delta_msr_wait; /* wait queue for modem status */
84 unsigned baud_rate; /* set baud rate */ 83 unsigned baud_rate; /* set baud rate */
85 u8 line_control; /* set line control value RTS/DTR */ 84 u8 line_control; /* set line control value RTS/DTR */
86 u8 line_status; /* active status of modem control inputs */ 85 u8 line_status; /* active status of modem control inputs */
@@ -252,7 +251,6 @@ static int ch341_port_probe(struct usb_serial_port *port)
252 return -ENOMEM; 251 return -ENOMEM;
253 252
254 spin_lock_init(&priv->lock); 253 spin_lock_init(&priv->lock);
255 init_waitqueue_head(&priv->delta_msr_wait);
256 priv->baud_rate = DEFAULT_BAUD_RATE; 254 priv->baud_rate = DEFAULT_BAUD_RATE;
257 priv->line_control = CH341_BIT_RTS | CH341_BIT_DTR; 255 priv->line_control = CH341_BIT_RTS | CH341_BIT_DTR;
258 256
@@ -298,7 +296,7 @@ static void ch341_dtr_rts(struct usb_serial_port *port, int on)
298 priv->line_control &= ~(CH341_BIT_RTS | CH341_BIT_DTR); 296 priv->line_control &= ~(CH341_BIT_RTS | CH341_BIT_DTR);
299 spin_unlock_irqrestore(&priv->lock, flags); 297 spin_unlock_irqrestore(&priv->lock, flags);
300 ch341_set_handshake(port->serial->dev, priv->line_control); 298 ch341_set_handshake(port->serial->dev, priv->line_control);
301 wake_up_interruptible(&priv->delta_msr_wait); 299 wake_up_interruptible(&port->delta_msr_wait);
302} 300}
303 301
304static void ch341_close(struct usb_serial_port *port) 302static void ch341_close(struct usb_serial_port *port)
@@ -491,7 +489,7 @@ static void ch341_read_int_callback(struct urb *urb)
491 tty_kref_put(tty); 489 tty_kref_put(tty);
492 } 490 }
493 491
494 wake_up_interruptible(&priv->delta_msr_wait); 492 wake_up_interruptible(&port->delta_msr_wait);
495 } 493 }
496 494
497exit: 495exit:
@@ -517,11 +515,14 @@ static int wait_modem_info(struct usb_serial_port *port, unsigned int arg)
517 spin_unlock_irqrestore(&priv->lock, flags); 515 spin_unlock_irqrestore(&priv->lock, flags);
518 516
519 while (!multi_change) { 517 while (!multi_change) {
520 interruptible_sleep_on(&priv->delta_msr_wait); 518 interruptible_sleep_on(&port->delta_msr_wait);
521 /* see if a signal did it */ 519 /* see if a signal did it */
522 if (signal_pending(current)) 520 if (signal_pending(current))
523 return -ERESTARTSYS; 521 return -ERESTARTSYS;
524 522
523 if (port->serial->disconnected)
524 return -EIO;
525
525 spin_lock_irqsave(&priv->lock, flags); 526 spin_lock_irqsave(&priv->lock, flags);
526 status = priv->line_status; 527 status = priv->line_status;
527 multi_change = priv->multi_status_change; 528 multi_change = priv->multi_status_change;