Commit 00d6058a · Author: Ian Abbott · Committer: Greg Kroah-Hartman

[PATCH] USB serial visor: fix race in open/close

The anti user-DoS mechanism in the USB serial 'visor' driver can fail in
the following way:

visor_open: priv->outstanding_urbs = 0
visor_write: ++priv->outstanding_urbs
visor_close:
visor_open: priv->outstanding_urbs = 0
visor_write_bulk_callback: --priv->outstanding_urbs

So priv->outstanding_urbs ends up as (unsigned long)(-1).  Not good!

I haven't seen this happen with the visor driver as I don't have the
hardware, but I have seen it while testing a patch to implement the same
functionality in the ftdi_sio driver (patch not yet submitted).

The fix is pretty simple: don't reinitialize outstanding_urbs in
visor_open.  (Again, I haven't tested the fix in visor, but I have
tested it in ftdi_sio.)
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Parent 5650b4dd
...@@ -302,7 +302,6 @@ static int visor_open (struct usb_serial_port *port, struct file *filp) ...@@ -302,7 +302,6 @@ static int visor_open (struct usb_serial_port *port, struct file *filp)
spin_lock_irqsave(&priv->lock, flags); spin_lock_irqsave(&priv->lock, flags);
priv->bytes_in = 0; priv->bytes_in = 0;
priv->bytes_out = 0; priv->bytes_out = 0;
priv->outstanding_urbs = 0;
priv->throttled = 0; priv->throttled = 0;
spin_unlock_irqrestore(&priv->lock, flags); spin_unlock_irqrestore(&priv->lock, flags);
......
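Review bot: The removed `priv->outstanding_urbs = 0;` in visor_open leaves no comment explaining why this one field is deliberately not cleared alongside bytes_in, bytes_out and throttled, so a later cleanup could re-add the reset and bring the race back. Suggest a one-line comment inside this locked block saying that write URBs from a previous open may still be in flight and that visor_write_bulk_callback decrements the counter when they complete. With the reset gone, the counter is only ever corrected by that callback, so it is worth confirming that every increment in visor_write has a matching decrement, including when the submit fails; a leaked count would now persist across opens instead of being cleared here.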