diff options
author | Greg Kroah-Hartman <gregkh@suse.de> | 2006-05-12 11:42:23 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-05-12 11:42:23 -0700 |
commit | cee3516e1b9b6ffa824e66b287b6a0dc18f96f87 (patch) | |
tree | 8a11bc1a82ef9b560c8a63725487cbdfe93587e6 /usb | |
parent | c359a9586e92f7994da83357ac5067a1d48cc7d2 (diff) | |
download | patches-cee3516e1b9b6ffa824e66b287b6a0dc18f96f87.tar.gz |
added 2 usbserial bugfixes
Diffstat (limited to 'usb')
-rw-r--r-- | usb/usb-console-fix-disconnection-issues.patch | 20 | ||||
-rw-r--r-- | usb/usb-console-prevent-enodev-on-node.patch | 2 | ||||
-rw-r--r-- | usb/usb-serial-ark3116.patch | 20 | ||||
-rw-r--r-- | usb/usb-serial-dynamic-id.patch | 6 | ||||
-rw-r--r-- | usb/usbserial-fixes-leak-in-serial_open-error-path.patch | 63 | ||||
-rw-r--r-- | usb/usbserial-fixes-use-after-free-in-serial_open.patch | 38 |
6 files changed, 130 insertions, 19 deletions
diff --git a/usb/usb-console-fix-disconnection-issues.patch b/usb/usb-console-fix-disconnection-issues.patch index 55fc79b559eb0..68af8f90f6a37 100644 --- a/usb/usb-console-fix-disconnection-issues.patch +++ b/usb/usb-console-fix-disconnection-issues.patch @@ -71,16 +71,16 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> /***************************************************************************** * Driver tty interface functions *****************************************************************************/ -@@ -225,7 +230,7 @@ static int serial_open (struct tty_struc - bailout_module_put: - module_put(serial->type->driver.owner); +@@ -232,7 +237,7 @@ bailout_mutex_unlock: + port->open_count = 0; + mutex_unlock(&port->mutex); bailout_kref_put: - kref_put(&serial->kref, destroy_serial); + usb_serial_put(serial); - port->open_count = 0; - mutex_unlock(&port->mutex); return retval; -@@ -263,7 +268,7 @@ static void serial_close(struct tty_stru + } + +@@ -268,7 +273,7 @@ static void serial_close(struct tty_stru } mutex_unlock(&port->mutex); @@ -89,7 +89,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> } static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count) -@@ -271,7 +276,7 @@ static int serial_write (struct tty_stru +@@ -276,7 +281,7 @@ static int serial_write (struct tty_stru struct usb_serial_port *port = tty->driver_data; int retval = -EINVAL; @@ -98,7 +98,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> goto exit; dbg("%s - port %d, %d byte(s)", __FUNCTION__, port->number, count); -@@ -468,7 +473,7 @@ static int serial_read_proc (char *page, +@@ -473,7 +478,7 @@ static int serial_read_proc (char *page, begin += length; length = 0; } @@ -107,7 +107,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> } *eof = 1; done: -@@ -980,6 +985,7 @@ void usb_serial_disconnect(struct usb_in +@@ -985,6 +990,7 @@ void usb_serial_disconnect(struct usb_in struct device *dev = &interface->dev; struct usb_serial_port *port; @@ -115,7 +115,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> dbg ("%s", __FUNCTION__); usb_set_intfdata (interface, NULL); -@@ -991,7 +997,7 @@ void usb_serial_disconnect(struct usb_in +@@ -996,7 +1002,7 @@ void usb_serial_disconnect(struct usb_in } /* let the last holder of this object * cause it to be cleaned up */ diff --git a/usb/usb-console-prevent-enodev-on-node.patch b/usb/usb-console-prevent-enodev-on-node.patch index e48b8b2ff832f..54c2ab4ec0170 100644 --- a/usb/usb-console-prevent-enodev-on-node.patch +++ b/usb/usb-console-prevent-enodev-on-node.patch @@ -20,7 +20,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c +++ gregkh-2.6/drivers/usb/serial/usb-serial.c -@@ -197,12 +197,12 @@ static int serial_open (struct tty_struc +@@ -201,12 +201,12 @@ static int serial_open (struct tty_struc ++port->open_count; diff --git a/usb/usb-serial-ark3116.patch b/usb/usb-serial-ark3116.patch index 50aa5c8c9b236..556ebcfb1f474 100644 --- a/usb/usb-serial-ark3116.patch +++ b/usb/usb-serial-ark3116.patch @@ -1,9 +1,21 @@ +From foo@baz Tue Apr 9 12:12:43 2002 +Date: Fri, 12 May 2006 11:05:29 -0700 +To: Greg KH <greg@kroah.com> +From: Greg Kroah-Hartman <gregkh@suse.de> +Subject: USB: add ark3116 usb to serial driver + +Based on Simon's original driver, with some minor code cleanups and +tidying by me. + +Cc: Simon Schulz <simon@auctionant.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + --- drivers/usb/serial/Kconfig | 10 drivers/usb/serial/Makefile | 1 - drivers/usb/serial/ark3116.c | 467 +++++++++++++++++++++++++++++++++++++++++++ + drivers/usb/serial/ark3116.c | 465 +++++++++++++++++++++++++++++++++++++++++++ drivers/usb/serial/generic.c | 1 - 4 files changed, 479 insertions(+) + 4 files changed, 477 insertions(+) --- gregkh-2.6.orig/drivers/usb/serial/Kconfig +++ gregkh-2.6/drivers/usb/serial/Kconfig @@ -36,7 +48,7 @@ obj-$(CONFIG_USB_SERIAL_CYBERJACK) += cyberjack.o --- /dev/null +++ gregkh-2.6/drivers/usb/serial/ark3116.c -@@ -0,0 +1,467 @@ +@@ -0,0 +1,465 @@ +/* + * ark3116 + * - implements a driver for the arkmicro ark3116 chipset (vendor=0x6547, @@ -361,8 +373,6 @@ + return; +} + -+/* strange, if this is used something goes wrong and the port is unusable */ -+/* maybe timing problem ?! */ +static int ark3116_open(struct usb_serial_port *port, struct file *filp) +{ + struct termios tmp_termios; diff --git a/usb/usb-serial-dynamic-id.patch b/usb/usb-serial-dynamic-id.patch index 37a9a2ef35e99..698ba043ec4c5 100644 --- a/usb/usb-serial-dynamic-id.patch +++ b/usb/usb-serial-dynamic-id.patch @@ -201,7 +201,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> .name = "usbserial", .probe = usb_serial_probe, .disconnect = usb_serial_disconnect, -@@ -582,6 +582,39 @@ static struct usb_serial * create_serial +@@ -587,6 +587,39 @@ static struct usb_serial * create_serial return serial; } @@ -241,7 +241,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> static struct usb_serial_driver *search_serial_device(struct usb_interface *iface) { struct list_head *p; -@@ -591,11 +624,9 @@ static struct usb_serial_driver *search_ +@@ -596,11 +629,9 @@ static struct usb_serial_driver *search_ /* Check if the usb id matches a known device */ list_for_each(p, &usb_serial_driver_list) { t = list_entry(p, struct usb_serial_driver, driver_list); @@ -255,7 +255,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> } return NULL; -@@ -647,7 +678,7 @@ int usb_serial_probe(struct usb_interfac +@@ -652,7 +683,7 @@ int usb_serial_probe(struct usb_interfac return -EIO; } diff --git a/usb/usbserial-fixes-leak-in-serial_open-error-path.patch b/usb/usbserial-fixes-leak-in-serial_open-error-path.patch new file mode 100644 index 0000000000000..0265181218e32 --- /dev/null +++ b/usb/usbserial-fixes-leak-in-serial_open-error-path.patch @@ -0,0 +1,63 @@ +From lcapitulino@mandriva.com.br Thu May 11 18:31:41 2006 +Date: Thu, 11 May 2006 22:34:24 -0300 +From: Luiz Fernando Capitulino <lcapitulino@mandriva.com.br> +To: gregkh@suse.de +Subject: usbserial: Fixes leak in serial_open() error path. +Message-ID: <20060511223424.7e7df2fc@home.brethil> + + +If serial_open() fails at the port assignment or mutex_lock_interruptible() +is interrupted, the 'serial' object will never be freed. + +We should call kref_put() when those errors happens. + +Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/usb-serial.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c ++++ gregkh-2.6/drivers/usb/serial/usb-serial.c +@@ -189,11 +189,15 @@ static int serial_open (struct tty_struc + + portNumber = tty->index - serial->minor; + port = serial->port[portNumber]; +- if (!port) +- return -ENODEV; ++ if (!port) { ++ retval = -ENODEV; ++ goto bailout_kref_put; ++ } + +- if (mutex_lock_interruptible(&port->mutex)) +- return -ERESTARTSYS; ++ if (mutex_lock_interruptible(&port->mutex)) { ++ retval = -ERESTARTSYS; ++ goto bailout_kref_put; ++ } + + ++port->open_count; + +@@ -209,7 +213,7 @@ static int serial_open (struct tty_struc + * safe because we are called with BKL held */ + if (!try_module_get(serial->type->driver.owner)) { + retval = -ENODEV; +- goto bailout_kref_put; ++ goto bailout_mutex_unlock; + } + + /* only call the device specific open if this +@@ -224,9 +228,10 @@ static int serial_open (struct tty_struc + + bailout_module_put: + module_put(serial->type->driver.owner); +-bailout_kref_put: ++bailout_mutex_unlock: + port->open_count = 0; + mutex_unlock(&port->mutex); ++bailout_kref_put: + kref_put(&serial->kref, destroy_serial); + return retval; + } diff --git a/usb/usbserial-fixes-use-after-free-in-serial_open.patch b/usb/usbserial-fixes-use-after-free-in-serial_open.patch new file mode 100644 index 0000000000000..f38489d11cd46 --- /dev/null +++ b/usb/usbserial-fixes-use-after-free-in-serial_open.patch @@ -0,0 +1,38 @@ +From lcapitulino@mandriva.com.br Thu May 11 18:31:36 2006 +Date: Thu, 11 May 2006 22:34:17 -0300 +From: Luiz Fernando Capitulino <lcapitulino@mandriva.com.br> +To: gregkh@suse.de +Subject: usbserial: Fixes use-after-free in serial_open(). +Message-ID: <20060511223417.7433e19b@home.brethil> + + +If the device is disconnected while serial_open() is executing and +either try_module_get() or the device specific open function fails, the +kref_put() call in the 'bailout_kref_put' label will free the memory +pointed out by 'port'. + +The subsequent dereferences in the 'bailout_kref_put' label will be +invalid. + +The fix is just to assure kref_put() is called after any 'port' usage. + +Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/usb-serial.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c ++++ gregkh-2.6/drivers/usb/serial/usb-serial.c +@@ -225,9 +225,9 @@ static int serial_open (struct tty_struc + bailout_module_put: + module_put(serial->type->driver.owner); + bailout_kref_put: +- kref_put(&serial->kref, destroy_serial); + port->open_count = 0; + mutex_unlock(&port->mutex); ++ kref_put(&serial->kref, destroy_serial); + return retval; + } + |