There is a race condition involving acm_tty_hangup() and acm_tty_close() where
hangup() would attempt to access tty->driver_data without proper locking and
NULL checking after close() has potentially already set it to NULL.
One possibility to (sporadically) trigger this behavior is to perform a
suspend/resume cycle with a running WWAN data connection.
This patch addresses the issue by introducing a NULL check for
tty->driver_data in acm_tty_hangup() protected by open_mutex and exiting
gracefully when hangup() is invoked on a device that has already been closed.
Signed-off-by: Thilo-Alexander Ginkel <thilo@xxxxxxxxxx>
---
drivers/usb/class/cdc-acm.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index a8078d0..97f2e58 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -554,10 +554,18 @@ static void acm_port_down(struct acm *acm)
static void acm_tty_hangup(struct tty_struct *tty)
{
- struct acm *acm = tty->driver_data;
- tty_port_hangup(&acm->port);
+ struct acm *acm;
+
mutex_lock(&open_mutex);
+ acm = tty->driver_data;
+
+ if (!acm)
+ goto out;
+
+ tty_port_hangup(&acm->port);
acm_port_down(acm);
+
+out:
mutex_unlock(&open_mutex);
}
--
1.7.5.4
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
