[PATCH] USB: usbserial: race-condition fix.
There is a race-condition in usb-serial driver that can be triggered if a process does 'port->tty->driver_data = NULL' in serial_close() while another process is in kernel-space about to call serial_ioctl() on the same port. This happens because a process can open the device while there is another one closing it. The patch below fixes that by adding a semaphore to ensure that no process will open the device while another process is closing it. Note that we can't use spinlocks here, since serial_open() and serial_close() can sleep. Signed-off-by: Luiz Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent
487f9c6710
commit
8a4613f01f
|
@ -30,6 +30,7 @@
|
||||||
#include <linux/list.h>
|
#include <linux/list.h>
|
||||||
#include <linux/smp_lock.h>
|
#include <linux/smp_lock.h>
|
||||||
#include <asm/uaccess.h>
|
#include <asm/uaccess.h>
|
||||||
|
#include <asm/semaphore.h>
|
||||||
#include <linux/usb.h>
|
#include <linux/usb.h>
|
||||||
#include "usb-serial.h"
|
#include "usb-serial.h"
|
||||||
#include "pl2303.h"
|
#include "pl2303.h"
|
||||||
|
@ -190,6 +191,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
|
||||||
port = serial->port[portNumber];
|
port = serial->port[portNumber];
|
||||||
if (!port)
|
if (!port)
|
||||||
return -ENODEV;
|
return -ENODEV;
|
||||||
|
|
||||||
|
if (down_interruptible(&port->sem))
|
||||||
|
return -ERESTARTSYS;
|
||||||
|
|
||||||
++port->open_count;
|
++port->open_count;
|
||||||
|
|
||||||
|
@ -215,6 +219,7 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
|
||||||
goto bailout_module_put;
|
goto bailout_module_put;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
up(&port->sem);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
bailout_module_put:
|
bailout_module_put:
|
||||||
|
@ -222,6 +227,7 @@ bailout_module_put:
|
||||||
bailout_kref_put:
|
bailout_kref_put:
|
||||||
kref_put(&serial->kref, destroy_serial);
|
kref_put(&serial->kref, destroy_serial);
|
||||||
port->open_count = 0;
|
port->open_count = 0;
|
||||||
|
up(&port->sem);
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -234,8 +240,10 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
|
||||||
|
|
||||||
dbg("%s - port %d", __FUNCTION__, port->number);
|
dbg("%s - port %d", __FUNCTION__, port->number);
|
||||||
|
|
||||||
|
down(&port->sem);
|
||||||
|
|
||||||
if (port->open_count == 0)
|
if (port->open_count == 0)
|
||||||
return;
|
goto out;
|
||||||
|
|
||||||
--port->open_count;
|
--port->open_count;
|
||||||
if (port->open_count == 0) {
|
if (port->open_count == 0) {
|
||||||
|
@ -253,6 +261,9 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
|
||||||
}
|
}
|
||||||
|
|
||||||
kref_put(&port->serial->kref, destroy_serial);
|
kref_put(&port->serial->kref, destroy_serial);
|
||||||
|
|
||||||
|
out:
|
||||||
|
up(&port->sem);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
|
static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
|
||||||
|
@ -774,6 +785,7 @@ int usb_serial_probe(struct usb_interface *interface,
|
||||||
port->number = i + serial->minor;
|
port->number = i + serial->minor;
|
||||||
port->serial = serial;
|
port->serial = serial;
|
||||||
spin_lock_init(&port->lock);
|
spin_lock_init(&port->lock);
|
||||||
|
sema_init(&port->sem, 1);
|
||||||
INIT_WORK(&port->work, usb_serial_port_softint, port);
|
INIT_WORK(&port->work, usb_serial_port_softint, port);
|
||||||
serial->port[i] = port;
|
serial->port[i] = port;
|
||||||
}
|
}
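Review bot: In serial_close() the added `up(&port->sem)` at the `out:` label runs after `kref_put(&port->serial->kref, destroy_serial)`, so if that put drops the last reference and destroy_serial() releases the port structures (not visible here, so this needs confirming), the semaphore being released lives in freed memory. The same ordering appears on the serial_open() error path, where the added `up(&port->sem)` follows `kref_put(&serial->kref, destroy_serial)` under `bailout_kref_put:`. Releasing the semaphore before dropping the reference avoids this, i.e. `up(&port->sem);` immediately before the `kref_put(...)` call, with the early `open_count == 0` exit in serial_close() doing its own `up(&port->sem); return;`. Separately, the new `return -ERESTARTSYS` in serial_open() leaves without passing through `bailout_kref_put`; if a reference on `serial` was taken earlier in the function, outside this hunk, it is not dropped on that path. Both function bodies start and end outside the hunks shown.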
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
|
|
||||||
#include <linux/config.h>
|
#include <linux/config.h>
|
||||||
#include <linux/kref.h>
|
#include <linux/kref.h>
|
||||||
|
#include <asm/semaphore.h>
|
||||||
|
|
||||||
#define SERIAL_TTY_MAJOR 188 /* Nice legal number now */
|
#define SERIAL_TTY_MAJOR 188 /* Nice legal number now */
|
||||||
#define SERIAL_TTY_MINORS 255 /* loads of devices :) */
|
#define SERIAL_TTY_MINORS 255 /* loads of devices :) */
|
||||||
|
@ -30,6 +31,8 @@
|
||||||
* @serial: pointer back to the struct usb_serial owner of this port.
|
* @serial: pointer back to the struct usb_serial owner of this port.
|
||||||
* @tty: pointer to the corresponding tty for this port.
|
* @tty: pointer to the corresponding tty for this port.
|
||||||
* @lock: spinlock to grab when updating portions of this structure.
|
* @lock: spinlock to grab when updating portions of this structure.
|
||||||
|
* @sem: semaphore used to synchronize serial_open() and serial_close()
|
||||||
|
* access for this port.
|
||||||
* @number: the number of the port (the minor number).
|
* @number: the number of the port (the minor number).
|
||||||
* @interrupt_in_buffer: pointer to the interrupt in buffer for this port.
|
* @interrupt_in_buffer: pointer to the interrupt in buffer for this port.
|
||||||
* @interrupt_in_urb: pointer to the interrupt in struct urb for this port.
|
* @interrupt_in_urb: pointer to the interrupt in struct urb for this port.
|
||||||
|
@ -60,6 +63,7 @@ struct usb_serial_port {
|
||||||
struct usb_serial * serial;
|
struct usb_serial * serial;
|
||||||
struct tty_struct * tty;
|
struct tty_struct * tty;
|
||||||
spinlock_t lock;
|
spinlock_t lock;
|
||||||
|
struct semaphore sem;
|
||||||
unsigned char number;
|
unsigned char number;
|
||||||
|
|
||||||
unsigned char * interrupt_in_buffer;
|
unsigned char * interrupt_in_buffer;
|
||||||
|
|