authorDenis Joseph Barrow <D.Barow@option.com>2008-11-25 11:27:50 +0300
committerDavid S. Miller <davem@davemloft.net>2008-11-25 11:27:50 +0300
commit4a3e818181e1baf970e9232ca8b747e233176b87 (patch)
tree81b61003ba0ab52b89cca0792fab63c12aeff344
parentbab04c3adbb55aeb5e8db60522f14ce0bb0d4179 (diff)
hso: Fix crashes on close.
Moved serial_open_count in hso_serial_open to prevent crashes owing to the serial structure being made NULL when hso_serial_close is called even though hso_serial_open returned -ENODEV; Alan Cox pointed out that this happens. Also put a sanity check in hso_serial_close to check for a valid serial structure, which should prevent the most reproducible crash in the driver when the hso device is disconnected while in use. Signed-off-by: Denis Joseph Barrow <D.Barow@option.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/usb/hso.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index cee1d2a280bd..d5857321979b 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -1235,6 +1235,11 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
}
mutex_lock(&serial->parent->mutex);
+ /* check for port already opened, if not set the termios */
+ /* The serial->open count needs to be here as hso_serial_close
+ * will be called even if hso_serial_open returns -ENODEV.
+ */
+ serial->open_count++;
result = usb_autopm_get_interface(serial->parent->interface);
if (result < 0)
goto err_out;
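Review bot: The early `serial->open_count++` is not undone in the visible lines when `usb_autopm_get_interface()` fails and control jumps to `err_out`; the label itself is outside the hunk, so check whether it rebalances the count. The next hunk still assigns `tty->driver_data = serial` after this point, so on that failure path driver_data is not set by this function. If hso_serial_close takes its pointer from driver_data (its declaration is not shown), it would hit the new NULL bail-out and never decrement, leaving the port counted as open. Either assign driver_data before the autopm call so close can balance the count, or undo it on failure with `if (result < 0) { serial->open_count--; goto err_out; }`, after confirming which of the two matches the tty core's close-after-failed-open behaviour. The two adjacent block comments could also be merged into one that states this invariant.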
@@ -1246,8 +1251,6 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
tty->driver_data = serial;
serial->tty = tty;
- /* check for port already opened, if not set the termios */
- serial->open_count++;
if (serial->open_count == 1) {
tty->low_latency = 1;
serial->rx_state = RX_IDLE;
@@ -1285,6 +1288,10 @@ static void hso_serial_close(struct tty_struct *tty, struct file *filp)
u8 usb_gone;
D1("Closing serial port");
+ if (serial == NULL || serial->magic != HSO_SERIAL_MAGIC) {
+ D1("invalid serial structure bailing out.\n");
+ return;
+ }
mutex_lock(&serial->parent->mutex);
usb_gone = serial->parent->usb_gone;
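Review bot: The new guard in hso_serial_close runs before `mutex_lock(&serial->parent->mutex)`, so it only shows that the pointer was non-NULL and carried the magic value at that instant. It cannot tell a live structure from one already released on disconnect, because reading `serial->magic` from freed memory is itself a use-after-free, and `serial->parent` is dereferenced immediately afterwards with no check of its own. The reliable fix is a lifetime guarantee, for example a reference taken in open and dropped in close, rather than a magic-number test. At minimum add a comment such as `/* catches a failed open only; does not protect against serial being freed on disconnect */`. The early `return` also skips any accounting later in the function, which starts and ends outside this hunk, so confirm that nothing incremented in hso_serial_open is left unbalanced.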