summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIan Abbott <abbotti@mev.co.uk>2006-06-26 14:44:22 +0400
committerGreg Kroah-Hartman <gregkh@suse.de>2006-07-13 03:03:22 +0400
commit00d6058ac93048b525b86fa48b413dcb87ac2728 (patch)
tree8d5eab6af613e8832ba182e54ec9d7f634517a26
parent5650b4dd141e823c2b1bc248cb9ad3e9ac88cf19 (diff)
downloadlinux-00d6058ac93048b525b86fa48b413dcb87ac2728.tar.xz
[PATCH] USB serial visor: fix race in open/close
The anti user-DoS mechanism in the USB serial 'visor' driver can fail in the following way: visor_open: priv->outstanding_urbs = 0 visor_write: ++priv->outstanding_urbs visor_close: visor_open: priv->outstanding_urbs = 0 visor_write_bulk_callback: --priv->outstanding_urbs So priv->outstanding_urbs ends up as (unsigned long)(-1). Not good! I haven't seen this happen with the visor driver as I don't have the hardware, but I have seen it while testing a patch to implement the same functionality in the ftdi_sio driver (patch not yet submitted). The fix is pretty simple: don't reinitialize outstanding_urbs in visor_open. (Again, I haven't tested the fix in visor, but I have tested it in ftdi_sio.) Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/serial/visor.c1
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
index cbc21465f4fb..32c3c6288985 100644
--- a/drivers/usb/serial/visor.c
+++ b/drivers/usb/serial/visor.c
@@ -302,7 +302,6 @@ static int visor_open (struct usb_serial_port *port, struct file *filp)
spin_lock_irqsave(&priv->lock, flags);
priv->bytes_in = 0;
priv->bytes_out = 0;
- priv->outstanding_urbs = 0;
priv->throttled = 0;
spin_unlock_irqrestore(&priv->lock, flags);