summaryrefslogtreecommitdiff
path: root/drivers/usb/serial/usb-serial.c
diff options
context:
space:
mode:
authorLuiz Fernando Capitulino <lcapitulino@mandriva.com.br>2005-11-29 00:16:07 +0300
committerGreg Kroah-Hartman <gregkh@suse.de>2006-01-05 00:48:35 +0300
commit8a4613f01f5bb850cab34e3db572d97251d997b3 (patch)
tree3ce08f8c75cf8696f7902dd33298a95016ed4e14 /drivers/usb/serial/usb-serial.c
parent487f9c6710e7dff338e59820f6cfaeaaa87cb532 (diff)
downloadlinux-8a4613f01f5bb850cab34e3db572d97251d997b3.tar.xz
[PATCH] USB: usbserial: race-condition fix.
There is a race-condition in usb-serial driver that can be triggered if a processes does 'port->tty->driver_data = NULL' in serial_close() while other processes is in kernel-space about to call serial_ioctl() on the same port. This happens because a process can open the device while there is another one closing it. The patch below fixes that by adding a semaphore to ensure that no process will open the device while another process is closing it. Note that we can't use spinlocks here, since serial_open() and serial_close() can sleep. Signed-off-by: Luiz Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb/serial/usb-serial.c')
-rw-r--r--drivers/usb/serial/usb-serial.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 5bc023c73893..8bc8337c99c4 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -30,6 +30,7 @@
#include <linux/list.h>
#include <linux/smp_lock.h>
#include <asm/uaccess.h>
+#include <asm/semaphore.h>
#include <linux/usb.h>
#include "usb-serial.h"
#include "pl2303.h"
@@ -190,6 +191,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
port = serial->port[portNumber];
if (!port)
return -ENODEV;
+
+ if (down_interruptible(&port->sem))
+ return -ERESTARTSYS;
++port->open_count;
@@ -215,6 +219,7 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
goto bailout_module_put;
}
+ up(&port->sem);
return 0;
bailout_module_put:
@@ -222,6 +227,7 @@ bailout_module_put:
bailout_kref_put:
kref_put(&serial->kref, destroy_serial);
port->open_count = 0;
+ up(&port->sem);
return retval;
}
@@ -234,8 +240,10 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
dbg("%s - port %d", __FUNCTION__, port->number);
+ down(&port->sem);
+
if (port->open_count == 0)
- return;
+ goto out;
--port->open_count;
if (port->open_count == 0) {
@@ -253,6 +261,9 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
}
kref_put(&port->serial->kref, destroy_serial);
+
+out:
+ up(&port->sem);
}
static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
@@ -774,6 +785,7 @@ int usb_serial_probe(struct usb_interface *interface,
port->number = i + serial->minor;
port->serial = serial;
spin_lock_init(&port->lock);
+ sema_init(&port->sem, 1);
INIT_WORK(&port->work, usb_serial_port_softint, port);
serial->port[i] = port;
}