From: Oliver Neukum <oneukum@xxxxxxxx>
commit b41c1fa155ba56d125885b0191aabaf3c508d0a3 upstream.
TIOCGSERIAL is an ioctl. Thus it must be atomic. It returns
two values. Racing with set_serial it can return an inconsistent
result. The mutex must be taken.
In terms of logic the bug is as old as the driver. In terms of
code it goes back to the conversion to the get_serial and
set_serial methods.
Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
Cc: stable <stable@xxxxxxxxxx>
Fixes: 99f75a1fcd865 ("cdc-acm: switch to ->[sg]et_serial()")
Link: https://lore.kernel.org/r/20240912141916.1044393-1-oneukum@xxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/class/cdc-acm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -962,10 +962,12 @@ static int get_serial_info(struct tty_st
struct acm *acm = tty->driver_data;
ss->line = acm->minor;
+ mutex_lock(&acm->port.mutex);
ss->close_delay = jiffies_to_msecs(acm->port.close_delay) / 10;
ss->closing_wait = acm->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
ASYNC_CLOSING_WAIT_NONE :
jiffies_to_msecs(acm->port.closing_wait) / 10;
+ mutex_unlock(&acm->port.mutex);
return 0;
}
Patches currently in stable-queue which might be from oneukum@xxxxxxxx are
queue-6.11/usbnet-fix-cyclical-race-on-disconnect-with-work-queue.patch
queue-6.11/usb-appledisplay-close-race-between-probe-and-completion-handler.patch
queue-6.11/usb-class-cdc-acm-fix-race-between-get_serial-and-set_serial.patch
queue-6.11/usb-misc-cypress_cy7c63-check-for-short-transfer.patch
queue-6.11/usb-misc-yurex-fix-race-between-read-and-write.patch
