author | Luiz Fernando Capitulino <lcapitulino@mandriva.com.br> | 2005-11-28 19:16:07 -0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-01-04 13:48:35 -0800 |
commit | 8a4613f01f5bb850cab34e3db572d97251d997b3 (patch) | |
tree | 3ce08f8c75cf8696f7902dd33298a95016ed4e14 | |
parent | 487f9c6710e7dff338e59820f6cfaeaaa87cb532 (diff) | |
[PATCH] USB: usbserial: race-condition fix.
There is a race condition in the usb-serial driver that can be triggered if
a process does 'port->tty->driver_data = NULL' in serial_close() while
another process is in kernel-space about to call serial_ioctl() on the
same port.
This happens because a process can open the device while there is
another one closing it.
The patch below fixes that by adding a semaphore to ensure that no
process will open the device while another process is closing it.
Note that we can't use spinlocks here, since serial_open() and
serial_close() can sleep.
Signed-off-by: Luiz Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/usb/serial/usb-serial.c | 14 | ||||
-rw-r--r-- | drivers/usb/serial/usb-serial.h | 4 |
2 files changed, 17 insertions, 1 deletions
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 5bc023c..8bc8337 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -30,6 +30,7 @@
 #include <linux/list.h>
 #include <linux/smp_lock.h>
 #include <asm/uaccess.h>
+#include <asm/semaphore.h>
 #include <linux/usb.h>
 #include "usb-serial.h"
 #include "pl2303.h"
@@ -190,6 +191,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
 port = serial->port[portNumber];
 if (!port)
 return -ENODEV;
+
+ if (down_interruptible(&port->sem))
+ return -ERESTARTSYS;
 ++port->open_count;
@@ -215,6 +219,7 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
 goto bailout_module_put;
 }
+ up(&port->sem);
 return 0;
 bailout_module_put:
@@ -222,6 +227,7 @@ bailout_module_put:
 bailout_kref_put:
 kref_put(&serial->kref, destroy_serial);
 port->open_count = 0;
+ up(&port->sem);
 return retval;
 }
@@ -234,8 +240,10 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
 dbg("%s - port %d", __FUNCTION__, port->number);
+ down(&port->sem);
+
 if (port->open_count == 0)
- return;
+ goto out;
 --port->open_count;
 if (port->open_count == 0) {
@@ -253,6 +261,9 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
 }
 kref_put(&port->serial->kref, destroy_serial);
+
+out:
+ up(&port->sem);
 }
 static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
@@ -774,6 +785,7 @@ int usb_serial_probe(struct usb_interface *interface,
 port->number = i + serial->minor;
 port->serial = serial;
 spin_lock_init(&port->lock);
+ sema_init(&port->sem, 1);
 INIT_WORK(&port->work, usb_serial_port_softint, port);
 serial->port[i] = port;
 }
diff --git a/drivers/usb/serial/usb-serial.h b/drivers/usb/serial/usb-serial.h
index 238a5a8..d7d27c3 100644
--- a/drivers/usb/serial/usb-serial.h
+++ b/drivers/usb/serial/usb-serial.h
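Review bot: The new early exit in serial_open(), `return -ERESTARTSYS;` after `down_interruptible(&port->sem)`, bypasses `bailout_kref_put`, the only place visible here where a failed open calls `kref_put(&serial->kref, destroy_serial)`. If the reference on `serial` is taken by the lookup earlier in the function (outside this hunk), every interrupted wait leaks one reference and the serial structure can never be released after disconnect. Dropping it on this path, e.g. `kref_put(&serial->kref, destroy_serial); return -ERESTARTSYS;`, would keep the count balanced without touching `open_count` or the semaphore. The pre-existing `if (!port) return -ENODEV;` just above has the same shape and deserves the same check.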
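Review bot: In serial_open()'s `bailout_kref_put:` path the added `up(&port->sem)` runs after `kref_put(&serial->kref, destroy_serial)`, yet the semaphore is a member of the port itself. If that put can drop the last reference and destroy_serial releases the ports (its body is not visible here), both `port->open_count = 0` and `up()` would touch freed memory. The same ordering appears in serial_close(), where `out: up(&port->sem);` follows `kref_put(&port->serial->kref, destroy_serial)`. Releasing the semaphore before the final put, `port->open_count = 0; up(&port->sem); kref_put(&serial->kref, destroy_serial);`, avoids depending on the port outliving its own lock.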
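Review bot: In serial_close() the added `down(&port->sem)` comes after `dbg(..., port->number)` has already dereferenced `port`, and the lock is stored inside the port, so it cannot guard against `port` being NULL or stale on entry. The commit message says close stores NULL in `tty->driver_data`; if `port` is loaded from that field (the assignment is outside this hunk), an `if (!port) return;` before the first dereference is the missing check. The semaphore also only serializes open against close, so it would help to say in the `@sem` kernel-doc that serial_ioctl() and the other tty callbacks do not take it and must still tolerate a NULL `driver_data`.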
@@ -16,6 +16,7 @@
 #include <linux/config.h>
 #include <linux/kref.h>
+#include <asm/semaphore.h>
 #define SERIAL_TTY_MAJOR 188 /* Nice legal number now */
 #define SERIAL_TTY_MINORS 255 /* loads of devices :) */
@@ -30,6 +31,8 @@
 * @serial: pointer back to the struct usb_serial owner of this port.
 * @tty: pointer to the corresponding tty for this port.
 * @lock: spinlock to grab when updating portions of this structure.
+ * @sem: semaphore used to synchronize serial_open() and serial_close()
+ * access for this port.
 * @number: the number of the port (the minor number).
 * @interrupt_in_buffer: pointer to the interrupt in buffer for this port.
 * @interrupt_in_urb: pointer to the interrupt in struct urb for this port.
@@ -60,6 +63,7 @@ struct usb_serial_port {
 struct usb_serial * serial;
 struct tty_struct * tty;
 spinlock_t lock;
+ struct semaphore sem;
 unsigned char number;
 unsigned char * interrupt_in_buffer; |