Patch "USB: mos7840: fix race in register handling" has been added to the 3.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    USB: mos7840: fix race in register handling

to the 3.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-mos7840-fix-race-in-register-handling.patch
and it can be found in the queue-3.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 6380025aff7900370d4488ee4bfd95ac6c6491d5 Mon Sep 17 00:00:00 2001
From: Johan Hovold <jhovold@xxxxxxxxx>
Date: Fri, 26 Jul 2013 11:55:17 +0200
Subject: USB: mos7840: fix race in register handling

From: Johan Hovold <jhovold@xxxxxxxxx>

commit d8a083cc746664916d9d36ed9e4d08a29525f245 upstream.

Fix race in mos7840_get_reg which unconditionally manipulated the
control urb (which may already be in use) by adding a control-urb busy
flag.

Signed-off-by: Johan Hovold <jhovold@xxxxxxxxx>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Cc: Yang Yingliang <yangyingliang@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/usb/serial/mos7840.c |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -185,6 +185,10 @@
 #define URB_TRANSFER_BUFFER_SIZE        32	/* URB Size  */
 
 
+enum mos7840_flag {
+	MOS7840_FLAG_CTRL_BUSY,
+};
+
 static const struct usb_device_id moschip_port_id_table[] = {
 	{USB_DEVICE(USB_VENDOR_ID_MOSCHIP, MOSCHIP_DEVICE_ID_7840)},
 	{USB_DEVICE(USB_VENDOR_ID_MOSCHIP, MOSCHIP_DEVICE_ID_7820)},
@@ -258,6 +262,8 @@ struct moschip_port {
 	struct urb *write_urb_pool[NUM_URBS];
 	char busy[NUM_URBS];
 	bool read_urb_busy;
+
+	unsigned long flags;
 };
 
 
@@ -519,11 +525,11 @@ static void mos7840_control_callback(str
 		/* this urb is terminated, clean up */
 		dbg("%s - urb shutting down with status: %d", __func__,
 		    status);
-		return;
+		goto out;
 	default:
 		dbg("%s - nonzero urb status received: %d", __func__,
 		    status);
-		return;
+		goto out;
 	}
 
 	dbg("%s urb buffer size is %d", __func__, urb->actual_length);
@@ -536,6 +542,8 @@ static void mos7840_control_callback(str
 		mos7840_handle_new_msr(mos7840_port, regval);
 	else if (mos7840_port->MsrLsr == 1)
 		mos7840_handle_new_lsr(mos7840_port, regval);
+out:
+	clear_bit_unlock(MOS7840_FLAG_CTRL_BUSY, &mos7840_port->flags);
 }
 
 static int mos7840_get_reg(struct moschip_port *mcs, __u16 Wval, __u16 reg,
@@ -546,6 +554,9 @@ static int mos7840_get_reg(struct moschi
 	unsigned char *buffer = mcs->ctrl_buf;
 	int ret;
 
+	if (test_and_set_bit_lock(MOS7840_FLAG_CTRL_BUSY, &mcs->flags))
+		return -EBUSY;
+
 	dr->bRequestType = MCS_RD_RTYPE;
 	dr->bRequest = MCS_RDREQ;
 	dr->wValue = cpu_to_le16(Wval);	/* 0 */
@@ -557,6 +568,9 @@ static int mos7840_get_reg(struct moschi
 			     mos7840_control_callback, mcs);
 	mcs->control_urb->transfer_buffer_length = 2;
 	ret = usb_submit_urb(mcs->control_urb, GFP_ATOMIC);
+	if (ret)
+		clear_bit_unlock(MOS7840_FLAG_CTRL_BUSY, &mcs->flags);
+
 	return ret;
 }
 


Patches currently in stable-queue which might be from jhovold@xxxxxxxxx are

queue-3.4/usb-mos7840-fix-memory-leak-in-open.patch
queue-3.4/usb-oti6858-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-io_ti-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-pl2303-fix-device-initialisation-at-open.patch
queue-3.4/usb-ch341-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-io_edgeport-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-ftdi_sio-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-ark3116-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-pl2303-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-cypress_m8-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-ssu100-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-keyspan-fix-null-deref-at-disconnect-and-release.patch
queue-3.4/usb-mct_u232-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-spcp8x5-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-adutux-fix-big-endian-device-type-reporting.patch
queue-3.4/usb-ti_usb_3410_5052-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-spcp8x5-fix-device-initialisation-at-open.patch
queue-3.4/usb-mos7840-fix-race-in-register-handling.patch
queue-3.4/usb-ftdi_sio-fixed-handling-of-unsupported-csize-setting.patch
queue-3.4/usb-mos7840-fix-broken-tiocmiwait.patch
queue-3.4/usb-serial-fix-hang-when-opening-port.patch
queue-3.4/usb-mos7840-fix-use-after-free-in-tiocmiwait.patch
queue-3.4/usb-ti_usb_3410_5052-fix-big-endian-firmware-handling.patch
queue-3.4/usb-serial-add-modem-status-change-wait-queue.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]