USB: sierra close race

From: Oliver Neukum
Date: Tue Mar 20 2007 - 08:54:05 EST


The sierra driver does not call usb_kill_urb() directly; it goes through a wrapper.
Because of this wrapper, callbacks that are already running are not killed during
close, so they resubmit their URBs and illicitly push data into the tty layer.
The whole purpose of usb_kill_urb() is subverted. The wrapper must be removed.
This is the same problem as in the option driver.

Signed-off-by: Oliver Neukum <oneukum@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
drivers/usb/serial/sierra.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)

--- a/drivers/usb/serial/sierra.c
+++ b/drivers/usb/serial/sierra.c
@@ -456,12 +456,6 @@ static int sierra_open(struct usb_serial
return (0);
}

-static inline void stop_urb(struct urb *urb)
-{
- if (urb && urb->status == -EINPROGRESS)
- usb_kill_urb(urb);
-}
-
static void sierra_close(struct usb_serial_port *port, struct file *filp)
{
int i;
@@ -479,9 +473,9 @@ static void sierra_close(struct usb_seri

/* Stop reading/writing urbs */
for (i = 0; i < N_IN_URB; i++)
- stop_urb(portdata->in_urbs[i]);
+ usb_unlink_urb(portdata->in_urbs[i]);
for (i = 0; i < N_OUT_URB; i++)
- stop_urb(portdata->out_urbs[i]);
+ usb_unlink_urb(portdata->out_urbs[i]);
}
port->tty = NULL;
}
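Review bot: The replacement calls in sierra_close are `usb_unlink_urb()`, which only requests cancellation and returns without waiting for the completion handler, so a callback can still be running, or run later, when `port->tty = NULL` executes right after the loops. The description argues for usb_kill_urb(), which waits for the handler to finish and rejects resubmission while it does; the loops should read `usb_kill_urb(portdata->in_urbs[i]);` and `usb_kill_urb(portdata->out_urbs[i]);`. The same substitution appears in the sierra_shutdown hunk, where the code after the loops goes on to free the URBs (`/* Now free them */`), so an asynchronous unlink there presumably leaves a window in which a handler touches state that is being torn down. sierra_close begins above this hunk, so the locking around these loops is not visible here.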
@@ -585,9 +579,9 @@ static void sierra_shutdown(struct usb_s
port = serial->port[i];
portdata = usb_get_serial_port_data(port);
for (j = 0; j < N_IN_URB; j++)
- stop_urb(portdata->in_urbs[j]);
+ usb_unlink_urb(portdata->in_urbs[j]);
for (j = 0; j < N_OUT_URB; j++)
- stop_urb(portdata->out_urbs[j]);
+ usb_unlink_urb(portdata->out_urbs[j]);
}

/* Now free them */

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="sierra.patch"

---
drivers/usb/serial/sierra.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/sierra.c
+++ b/drivers/usb/serial/sierra.c
@@ -577,7 +577,12 @@ static void sierra_shutdown(struct usb_s
/* Stop reading/writing urbs */
for (i = 0; i < serial->num_ports; ++i) {
port = serial->port[i];
+ if (!port)
+ continue;
portdata = usb_get_serial_port_data(port);
+ if (!portdata)
+ continue;
+
for (j = 0; j < N_IN_URB; j++)
usb_unlink_urb(portdata->in_urbs[j]);
for (j = 0; j < N_OUT_URB; j++)
@@ -587,7 +592,11 @@ static void sierra_shutdown(struct usb_s
/* Now free them */
for (i = 0; i < serial->num_ports; ++i) {
port = serial->port[i];
+ if (!port)
+ continue;
portdata = usb_get_serial_port_data(port);
+ if (!portdata)
+ continue;

for (j = 0; j < N_IN_URB; j++) {
if (portdata->in_urbs[j]) {
@@ -606,6 +615,8 @@ static void sierra_shutdown(struct usb_s
/* Now free per port private data */
for (i = 0; i < serial->num_ports; i++) {
port = serial->port[i];
+ if (!port)
+ continue;
kfree(usb_get_serial_port_data(port));
}
}
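Review bot: The final loop of sierra_shutdown frees the per-port data with `kfree(usb_get_serial_port_data(port));` but leaves the freed pointer stored on the port, so the `if (!portdata)` guards added in the earlier hunks cannot tell that the data is already gone. Clearing it right after the free, `usb_set_serial_port_data(port, NULL);`, would turn a later stale access into a NULL check that fails safely; whether any path still reaches the port data after shutdown is not visible in these hunks and should be confirmed. The new `if (!port)` checks also carry no comment saying when a slot in `serial->port[]` can be NULL, and a one-line comment stating that condition would help the next reader. The start of sierra_shutdown lies outside the hunks.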

--WIyZ46R2i8wDzkSu--