From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Chris Ruehl <chris.ruehl@gtsys.com.hk>,
Johan Hovold <jhovold@gmail.com>
Subject: [ 14/86] USB: serial: fix null-pointer dereferences on disconnect
Date: Tue, 26 Feb 2013 16:07:22 -0800 [thread overview]
Message-ID: <20130226235914.374632628@linuxfoundation.org> (raw)
In-Reply-To: <20130226235912.881663118@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
commit b2ca699076573c94fee9a73cb0d8645383b602a0 upstream.
Make sure serial-driver dtr_rts is called with disc_mutex held after
checking the disconnected flag.
Due to a bug in the tty layer, dtr_rts may get called after a device has
been disconnected and the tty-device unregistered. Some drivers have had
individual checks for disconnect to make sure the disconnected interface
was not accessed, but this should really be handled in usb-serial core
(at least until the long-standing tty-bug has been fixed).
Note that the problem has been made more acute with commit 0998d0631001
("device-core: Ensure drvdata = NULL when no driver is bound") as the
port data is now also NULL when dtr_rts is called resulting in further
oopses.
Reported-by: Chris Ruehl <chris.ruehl@gtsys.com.hk>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 20 +++++++++-----------
drivers/usb/serial/mct_u232.c | 22 +++++++++-------------
drivers/usb/serial/sierra.c | 8 +-------
drivers/usb/serial/ssu100.c | 19 ++++++++-----------
drivers/usb/serial/usb-serial.c | 14 ++++++++++++--
drivers/usb/serial/usb_wwan.c | 8 +++-----
6 files changed, 42 insertions(+), 49 deletions(-)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1919,24 +1919,22 @@ static void ftdi_dtr_rts(struct usb_seri
{
struct ftdi_private *priv = usb_get_serial_port_data(port);
- mutex_lock(&port->serial->disc_mutex);
- if (!port->serial->disconnected) {
- /* Disable flow control */
- if (!on && usb_control_msg(port->serial->dev,
+ /* Disable flow control */
+ if (!on) {
+ if (usb_control_msg(port->serial->dev,
usb_sndctrlpipe(port->serial->dev, 0),
FTDI_SIO_SET_FLOW_CTRL_REQUEST,
FTDI_SIO_SET_FLOW_CTRL_REQUEST_TYPE,
0, priv->interface, NULL, 0,
WDR_TIMEOUT) < 0) {
- dev_err(&port->dev, "error from flowcontrol urb\n");
+ dev_err(&port->dev, "error from flowcontrol urb\n");
}
- /* drop RTS and DTR */
- if (on)
- set_mctrl(port, TIOCM_DTR | TIOCM_RTS);
- else
- clear_mctrl(port, TIOCM_DTR | TIOCM_RTS);
}
- mutex_unlock(&port->serial->disc_mutex);
+ /* drop RTS and DTR */
+ if (on)
+ set_mctrl(port, TIOCM_DTR | TIOCM_RTS);
+ else
+ clear_mctrl(port, TIOCM_DTR | TIOCM_RTS);
}
/*
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -514,19 +514,15 @@ static void mct_u232_dtr_rts(struct usb_
unsigned int control_state;
struct mct_u232_private *priv = usb_get_serial_port_data(port);
- mutex_lock(&port->serial->disc_mutex);
- if (!port->serial->disconnected) {
- /* drop DTR and RTS */
- spin_lock_irq(&priv->lock);
- if (on)
- priv->control_state |= TIOCM_DTR | TIOCM_RTS;
- else
- priv->control_state &= ~(TIOCM_DTR | TIOCM_RTS);
- control_state = priv->control_state;
- spin_unlock_irq(&priv->lock);
- mct_u232_set_modem_ctrl(port->serial, control_state);
- }
- mutex_unlock(&port->serial->disc_mutex);
+ spin_lock_irq(&priv->lock);
+ if (on)
+ priv->control_state |= TIOCM_DTR | TIOCM_RTS;
+ else
+ priv->control_state &= ~(TIOCM_DTR | TIOCM_RTS);
+ control_state = priv->control_state;
+ spin_unlock_irq(&priv->lock);
+
+ mct_u232_set_modem_ctrl(port->serial, control_state);
}
static void mct_u232_close(struct usb_serial_port *port)
--- a/drivers/usb/serial/sierra.c
+++ b/drivers/usb/serial/sierra.c
@@ -890,19 +890,13 @@ static int sierra_open(struct tty_struct
static void sierra_dtr_rts(struct usb_serial_port *port, int on)
{
- struct usb_serial *serial = port->serial;
struct sierra_port_private *portdata;
portdata = usb_get_serial_port_data(port);
portdata->rts_state = on;
portdata->dtr_state = on;
- if (serial->dev) {
- mutex_lock(&serial->disc_mutex);
- if (!serial->disconnected)
- sierra_send_setup(port);
- mutex_unlock(&serial->disc_mutex);
- }
+ sierra_send_setup(port);
}
static int sierra_startup(struct usb_serial *serial)
--- a/drivers/usb/serial/ssu100.c
+++ b/drivers/usb/serial/ssu100.c
@@ -532,19 +532,16 @@ static void ssu100_dtr_rts(struct usb_se
dbg("%s\n", __func__);
- mutex_lock(&port->serial->disc_mutex);
- if (!port->serial->disconnected) {
- /* Disable flow control */
- if (!on &&
- ssu100_setregister(dev, 0, UART_MCR, 0) < 0)
+ /* Disable flow control */
+ if (!on) {
+ if (ssu100_setregister(dev, 0, UART_MCR, 0) < 0)
dev_err(&port->dev, "error from flowcontrol urb\n");
- /* drop RTS and DTR */
- if (on)
- set_mctrl(dev, TIOCM_DTR | TIOCM_RTS);
- else
- clear_mctrl(dev, TIOCM_DTR | TIOCM_RTS);
}
- mutex_unlock(&port->serial->disc_mutex);
+ /* drop RTS and DTR */
+ if (on)
+ set_mctrl(dev, TIOCM_DTR | TIOCM_RTS);
+ else
+ clear_mctrl(dev, TIOCM_DTR | TIOCM_RTS);
}
static void ssu100_update_msr(struct usb_serial_port *port, u8 msr)
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -699,10 +699,20 @@ static int serial_carrier_raised(struct
static void serial_dtr_rts(struct tty_port *port, int on)
{
struct usb_serial_port *p = container_of(port, struct usb_serial_port, port);
- struct usb_serial_driver *drv = p->serial->type;
+ struct usb_serial *serial = p->serial;
+ struct usb_serial_driver *drv = serial->type;
- if (drv->dtr_rts)
+ if (!drv->dtr_rts)
+ return;
+ /*
+ * Work-around bug in the tty-layer which can result in dtr_rts
+ * being called after a disconnect (and tty_unregister_device
+ * has returned). Remove once bug has been squashed.
+ */
+ mutex_lock(&serial->disc_mutex);
+ if (!serial->disconnected)
drv->dtr_rts(p, on);
+ mutex_unlock(&serial->disc_mutex);
}
static const struct tty_port_operations serial_port_ops = {
--- a/drivers/usb/serial/usb_wwan.c
+++ b/drivers/usb/serial/usb_wwan.c
@@ -41,7 +41,6 @@ static bool debug;
void usb_wwan_dtr_rts(struct usb_serial_port *port, int on)
{
- struct usb_serial *serial = port->serial;
struct usb_wwan_port_private *portdata;
struct usb_wwan_intf_private *intfdata;
@@ -54,12 +53,11 @@ void usb_wwan_dtr_rts(struct usb_serial_
return;
portdata = usb_get_serial_port_data(port);
- mutex_lock(&serial->disc_mutex);
+ /* FIXME: locking */
portdata->rts_state = on;
portdata->dtr_state = on;
- if (serial->dev)
- intfdata->send_setup(port);
- mutex_unlock(&serial->disc_mutex);
+
+ intfdata->send_setup(port);
}
EXPORT_SYMBOL(usb_wwan_dtr_rts);
next prev parent reply other threads:[~2013-02-27 0:08 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-27 0:07 [ 00/86] 3.4.34-stable review Greg Kroah-Hartman
2013-02-27 0:07 ` [ 01/86] x86-32, mm: Rip out x86_32 NUMA remapping code Greg Kroah-Hartman
2013-02-27 0:07 ` [ 02/86] x86-32, mm: Remove reference to resume_map_numa_kva() Greg Kroah-Hartman
2013-02-27 0:07 ` [ 03/86] x86-32, mm: Remove reference to alloc_remap() Greg Kroah-Hartman
2013-02-27 0:07 ` [ 04/86] mm: fix pageblock bitmap allocation Greg Kroah-Hartman
2013-02-27 0:07 ` [ 05/86] timeconst.pl: Eliminate Perl warning Greg Kroah-Hartman
2013-02-27 0:07 ` [ 06/86] genirq: Avoid deadlock in spurious handling Greg Kroah-Hartman
2013-02-27 0:07 ` [ 07/86] posix-cpu-timers: Fix nanosleep task_struct leak Greg Kroah-Hartman
2013-02-27 0:07 ` [ 08/86] hrtimer: Prevent hrtimer_enqueue_reprogram race Greg Kroah-Hartman
2013-02-27 0:07 ` [ 09/86] x86: Hyper-V: register clocksource only if its advertised Greg Kroah-Hartman
2013-02-27 0:07 ` [ 10/86] ALSA: ali5451: remove irq enabling in pointer callback Greg Kroah-Hartman
2013-02-27 0:07 ` [ 11/86] ALSA: rme32.c irq enabling after spin_lock_irq Greg Kroah-Hartman
2013-02-27 0:07 ` [ 12/86] tty: Prevent deadlock in n_gsm driver Greg Kroah-Hartman
2013-02-27 0:07 ` [ 13/86] tty: set_termios/set_termiox should not return -EINTR Greg Kroah-Hartman
2013-02-27 0:07 ` Greg Kroah-Hartman [this message]
2013-02-27 0:07 ` [ 15/86] b43: Increase number of RX DMA slots Greg Kroah-Hartman
2013-02-27 0:07 ` [ 16/86] rtlwifi: rtl8192cu: Add new USB ID Greg Kroah-Hartman
2013-02-27 0:07 ` [ 17/86] rtlwifi: usb: allocate URB control message setup_packet and data buffer separately Greg Kroah-Hartman
2013-02-27 0:07 ` [ 18/86] xen: Send spinlock IPI to all waiters Greg Kroah-Hartman
2013-02-27 0:07 ` [ 19/86] xen: close evtchn port if binding to irq fails Greg Kroah-Hartman
2013-02-27 0:07 ` [ 20/86] Driver core: treat unregistered bus_types as having no devices Greg Kroah-Hartman
2013-02-27 0:07 ` [ 21/86] mm: mmu_notifier: have mmu_notifiers use a global SRCU so they may safely schedule Greg Kroah-Hartman
2013-02-27 0:07 ` [ 22/86] mm: mmu_notifier: make the mmu_notifier srcu static Greg Kroah-Hartman
2013-02-27 0:07 ` [ 23/86] mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts Greg Kroah-Hartman
2013-02-27 0:07 ` [ 24/86] KVM: s390: Handle hosts not supporting s390-virtio Greg Kroah-Hartman
2013-02-27 0:07 ` [ 25/86] s390/kvm: Fix store status for ACRS/FPRS Greg Kroah-Hartman
2013-02-27 0:07 ` [ 26/86] futex: Revert "futex: Mark get_robust_list as deprecated" Greg Kroah-Hartman
2013-02-27 0:07 ` [ 27/86] inotify: remove broken mask checks causing unmount to be EINVAL Greg Kroah-Hartman
2013-02-27 0:07 ` [ 28/86] fs/block_dev.c: page cache wrongly left invalidated after revalidate_disk() Greg Kroah-Hartman
2013-02-27 0:07 ` [ 29/86] ocfs2: unlock super lock if lockres refresh failed Greg Kroah-Hartman
2013-02-27 0:07 ` [ 30/86] drivers/video/backlight/adp88?0_bl.c: fix resume Greg Kroah-Hartman
2013-02-27 0:07 ` [ 31/86] tmpfs: fix use-after-free of mempolicy object Greg Kroah-Hartman
2013-02-27 0:07 ` [ 32/86] mm/fadvise.c: drain all pagevecs if POSIX_FADV_DONTNEED fails to discard all pages Greg Kroah-Hartman
2013-02-27 0:07 ` [ 33/86] drivercore: Fix ordering between deferred_probe and exiting initcalls Greg Kroah-Hartman
2013-02-27 0:07 ` [ 34/86] umount oops when remove blocklayoutdriver first Greg Kroah-Hartman
2013-02-27 0:07 ` [ 35/86] NLM: Ensure that we resend all pending blocking locks after a reclaim Greg Kroah-Hartman
2013-02-27 0:07 ` [ 36/86] p54usb: corrected USB ID for T-Com Sinus 154 data II Greg Kroah-Hartman
2013-02-27 0:07 ` [ 37/86] ALSA: usb-audio: fix Roland A-PRO support Greg Kroah-Hartman
2013-02-27 0:07 ` [ 38/86] ALSA: usb: Fix Processing Unit Descriptor parsers Greg Kroah-Hartman
2013-02-27 0:07 ` [ 39/86] ALSA: hda - Release assigned pin/cvt at error path of hdmi_pcm_open() Greg Kroah-Hartman
2013-02-27 0:07 ` [ 40/86] ALSA: hda - Workaround for silent output on Sony Vaio VGC-LN51JGB with ALC889 Greg Kroah-Hartman
2013-02-27 0:07 ` [ 41/86] ALSA: hda - hdmi: ELD shouldnt be valid after unplug Greg Kroah-Hartman
2013-02-27 0:07 ` [ 42/86] sunvdc: Fix off-by-one in generic_request() Greg Kroah-Hartman
2013-02-27 0:07 ` [ 43/86] drm/radeon/dce6: fix display powergating Greg Kroah-Hartman
2013-02-27 0:07 ` [ 44/86] drm/udl: make usage as a console safer Greg Kroah-Hartman
2013-02-27 0:07 ` [ 45/86] drm/udl: disable fb_defio by default Greg Kroah-Hartman
2013-02-27 0:07 ` [ 46/86] vgacon/vt: clear buffer attributes when we load a 512 character font (v2) Greg Kroah-Hartman
2013-02-27 0:07 ` [ 47/86] drm: dont add inferred modes for monitors that dont support them Greg Kroah-Hartman
2013-02-27 0:07 ` [ 48/86] drm: Fill depth/bits_per_pixel for C8 format Greg Kroah-Hartman
2013-02-27 0:07 ` [ 49/86] drm: Use C8 instead of RGB332 when determining the format from depth/bpp Greg Kroah-Hartman
2013-02-27 0:07 ` [ 50/86] drm/usb: bind driver to correct device Greg Kroah-Hartman
2013-02-27 0:07 ` [ 51/86] target: Fix divide by zero bug in fabric_max_sectors for unconfigured devices Greg Kroah-Hartman
2013-02-27 0:08 ` [ 52/86] intel/iommu: force writebuffer-flush quirk on Gen 4 Chipsets Greg Kroah-Hartman
2013-02-27 0:08 ` [ 53/86] drm/i915: disable shared panel fitter for pipe Greg Kroah-Hartman
2013-02-27 0:08 ` [ 54/86] drm/i915: Set i9xx sdvo clock limits according to specifications Greg Kroah-Hartman
2013-02-27 10:11 ` Patrik Jakobsson
2013-02-27 10:19 ` Chris Wilson
2013-02-27 10:23 ` Patrik Jakobsson
2013-02-27 0:08 ` [ 55/86] staging: comedi: disallow COMEDI_DEVCONFIG on non-board minors Greg Kroah-Hartman
2013-02-27 0:08 ` [ 56/86] staging: vt6656: Fix URB submitted while active warning Greg Kroah-Hartman
2013-02-27 0:08 ` [ 57/86] ASoC: wm2200: correct IN2L and IN3L digital mute Greg Kroah-Hartman
2013-02-27 0:08 ` [ 58/86] ARM: PXA3xx: program the CSMSADRCFG register Greg Kroah-Hartman
2013-02-27 0:08 ` [ 59/86] ARM: samsung: fix assembly syntax for new gas Greg Kroah-Hartman
2013-02-27 0:08 ` [ 60/86] ARM: 7643/1: sched: correct update_sched_clock() Greg Kroah-Hartman
2013-02-27 0:08 ` [ 61/86] powerpc/kexec: Disable hard IRQ before kexec Greg Kroah-Hartman
2013-02-27 0:08 ` [ 62/86] [PARISC] Purge existing TLB entries in set_pte_at and ptep_set_wrprotect Greg Kroah-Hartman
2013-02-27 0:08 ` [ 63/86] pcmcia/vrc4171: Add missing spinlock init Greg Kroah-Hartman
2013-02-27 0:08 ` [ 64/86] drivers/video: fsl-diu-fb: fix pixel formats for 24 and 16 bpp Greg Kroah-Hartman
2013-02-27 0:08 ` [ 65/86] fbcon: dont lose the console font across generic->chip driver switch Greg Kroah-Hartman
2013-02-27 0:08 ` [ 66/86] fb: rework locking to fix lock ordering on takeover Greg Kroah-Hartman
2013-02-27 0:08 ` [ 67/86] fb: Yet another band-aid for fixing lockdep mess Greg Kroah-Hartman
2013-02-27 0:08 ` [ 68/86] mmc: sdhci-esdhc-imx: fix host version read Greg Kroah-Hartman
2013-02-27 0:08 ` [ 69/86] HID: wiimote: fix nunchuck button parser Greg Kroah-Hartman
2013-02-27 0:08 ` [ 70/86] bridge: set priority of STP packets Greg Kroah-Hartman
2013-02-27 0:08 ` [ 71/86] net: fix infinite loop in __skb_recv_datagram() Greg Kroah-Hartman
2013-02-27 0:08 ` [ 72/86] xen-netback: correctly return errors from netbk_count_requests() Greg Kroah-Hartman
2013-02-27 0:08 ` [ 73/86] xen-netback: cancel the credit timer when taking the vif down Greg Kroah-Hartman
2013-02-27 0:08 ` [ 74/86] net: fix a compile error when SOCK_REFCNT_DEBUG is enabled Greg Kroah-Hartman
2013-02-27 0:08 ` [ 75/86] ipv4: fix a bug in ping_err() Greg Kroah-Hartman
2013-02-27 0:08 ` [ 76/86] ipv6: use a stronger hash for tcp Greg Kroah-Hartman
2013-02-27 0:08 ` [ 77/86] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Greg Kroah-Hartman
2013-02-27 0:08 ` [ 78/86] vlan: adjust vlan_set_encap_proto() for its callers Greg Kroah-Hartman
2013-02-27 0:08 ` [ 79/86] USB: ehci-omap: Dont free gpios that we didnt request Greg Kroah-Hartman
2013-02-27 7:52 ` Roger Quadros
2013-02-27 17:20 ` Luis Henriques
2013-02-28 10:16 ` Roger Quadros
2013-02-28 10:37 ` Luis Henriques
2013-02-27 17:37 ` Greg Kroah-Hartman
2013-02-27 0:08 ` [ 80/86] dca: check against empty dca_domains list before unregister provider Greg Kroah-Hartman
2013-02-27 0:08 ` [ 81/86] USB: option: add and update Alcatel modems Greg Kroah-Hartman
2013-02-27 0:08 ` [ 82/86] USB: option: add Yota / Megafon M100-1 4g modem Greg Kroah-Hartman
2013-02-27 0:08 ` [ 83/86] USB: option: add Huawei "ACM" devices using protocol = vendor Greg Kroah-Hartman
2013-02-27 0:08 ` [ 84/86] USB: ehci-omap: Fix autoloading of module Greg Kroah-Hartman
2013-02-27 0:08 ` [ 85/86] USB: storage: properly handle the endian issues of idProduct Greg Kroah-Hartman
2013-02-27 0:08 ` [ 86/86] USB: usb-storage: unusual_devs update for Super TOP SATA bridge Greg Kroah-Hartman
2013-02-27 16:50 ` [ 00/86] 3.4.34-stable review Shuah Khan
2013-02-28 14:54 ` Satoru Takeuchi
2013-02-28 14:59 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130226235914.374632628@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chris.ruehl@gtsys.com.hk \
--cc=jhovold@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.