[PATCH] USB: usbserial: race-condition fix.
There is a race-condition in usb-serial driver that can be triggered if a processes does 'port->tty->driver_data = NULL' in serial_close() while other processes is in kernel-space about to call serial_ioctl() on the same port. This happens because a process can open the device while there is another one closing it. The patch below fixes that by adding a semaphore to ensure that no process will open the device while another process is closing it. Note that we can't use spinlocks here, since serial_open() and serial_close() can sleep. Signed-off-by: Luiz Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Luiz Fernando Capitulino
کامیت شده توسط
Greg Kroah-Hartman
Greg Kroah-Hartman
والد
487f9c6710
کامیت
8a4613f01f
@@ -30,6 +30,7 @@
|
||||
#include <linux/list.h>
|
||||
#include <linux/smp_lock.h>
|
||||
#include <asm/uaccess.h>
|
||||
#include <asm/semaphore.h>
|
||||
#include <linux/usb.h>
|
||||
#include "usb-serial.h"
|
||||
#include "pl2303.h"
|
||||
@@ -190,6 +191,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
|
||||
port = serial->port[portNumber];
|
||||
if (!port)
|
||||
return -ENODEV;
|
||||
|
||||
if (down_interruptible(&port->sem))
|
||||
return -ERESTARTSYS;
|
||||
|
||||
++port->open_count;
|
||||
|
||||
@@ -215,6 +219,7 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
|
||||
goto bailout_module_put;
|
||||
}
|
||||
|
||||
up(&port->sem);
|
||||
return 0;
|
||||
|
||||
bailout_module_put:
|
||||
@@ -222,6 +227,7 @@ bailout_module_put:
|
||||
bailout_kref_put:
|
||||
kref_put(&serial->kref, destroy_serial);
|
||||
port->open_count = 0;
|
||||
up(&port->sem);
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -234,8 +240,10 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
|
||||
|
||||
dbg("%s - port %d", __FUNCTION__, port->number);
|
||||
|
||||
down(&port->sem);
|
||||
|
||||
if (port->open_count == 0)
|
||||
return;
|
||||
goto out;
|
||||
|
||||
--port->open_count;
|
||||
if (port->open_count == 0) {
|
||||
@@ -253,6 +261,9 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
|
||||
}
|
||||
|
||||
kref_put(&port->serial->kref, destroy_serial);
|
||||
|
||||
out:
|
||||
up(&port->sem);
|
||||
}
|
||||
|
||||
static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
|
||||
@@ -774,6 +785,7 @@ int usb_serial_probe(struct usb_interface *interface,
|
||||
port->number = i + serial->minor;
|
||||
port->serial = serial;
|
||||
spin_lock_init(&port->lock);
|
||||
sema_init(&port->sem, 1);
|
||||
INIT_WORK(&port->work, usb_serial_port_softint, port);
|
||||
serial->port[i] = port;
|
||||
}
|
||||
|
||||
مرجع در شماره جدید
Block a user