Re: [PATCH 2/5] USB: ftdi_sio: fix use after free in TIOCMIWAIT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Mar 15, 2013 at 12:04:34PM -0700, Greg KH wrote:
> On Fri, Mar 15, 2013 at 06:16:07PM +0100, Johan Hovold wrote:
> > On Wed, Feb 27, 2013 at 01:52:27PM +0100, Johan Hovold wrote:
> > > Make sure to check the serial disconnected flag before accessing port
> > > private data after waking up.
> > > 
> > > This fixes a use after free in the ftdi_sio introduced by commit
> > > 876ae50d94b ("USB: ftdi_sio: fix race condition in TIOCMIWAIT, and abort
> > > of TIOCMIWAIT when the device is removed").
> > > 
> > > When switching to tty ports, some lifetime assumptions where changed.
> > > Specifically, close can now be called before the final tty reference is
> > > dropped as part of hangup at device disconnect. Even with the ftdi
> > > private-data refcounting this means that the port private data can be
> > > freed while a process is sleeping on modem-status changes and thus
> > > cannot be relied on to detect disconnects when woken up.
> > 
> > Greg, those changed life-times introduced a second use after free here
> > as well: the wait queue itself. This affects all usb-serial drivers with
> > private wait queues.
> > 
> > My third series with the TIOCMIWAIT-rework fixes this problem, but
> > I'll submit something that can more easily be backported to stable
> > first.
> > 
> > Can you hold back this patch and the two follow up series (or if you
> > prefer all three of my USB-series) and I'll respin and resubmit them
> > shortly?
> 
> Ok, I'm totally confused :)

Yeah, sorry about that. :)

> Care to resend me what you want to have applied to 3.9-final as one
> series, and then, anything you want to have for 3.10, as a separate
> series?  The second one can be "on top" of the first one, if you need it
> to be.

Will do.

> For now, consider all patches you have sent to me previously, that I
> have not applied, as dropped from my todo queues.

Great, but only the USB-ones, right?

Thanks,
Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux