blob: 9d76b4b6e014bbcf0c898407b7f3ca524a238e8e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From ian.abbott@mev.co.uk Mon Jun 26 03:44:29 2006
Message-ID: <449FBA86.5070800@mev.co.uk>
Date: Mon, 26 Jun 2006 11:44:22 +0100
From: Ian Abbott <abbotti@mev.co.uk>
Cc: Greg KH <greg@kroah.com>
Subject: USB serial visor: fix race in open/close
From: Ian Abbott <abbotti@mev.co.uk>
The anti user-DoS mechanism in the USB serial 'visor' driver can fail in
the following way:
visor_open: priv->outstanding_urbs = 0
visor_write: ++priv->outstanding_urbs
visor_close:
visor_open: priv->outstanding_urbs = 0
visor_write_bulk_callback: --priv->outstanding_urbs
So priv->outstanding_urbs ends up as (unsigned long)(-1). Not good!
I haven't seen this happen with the visor driver as I don't have the
hardware, but I have seen it while testing a patch to implement the same
functionality in the ftdi_sio driver (patch not yet submitted).
The fix is pretty simple: don't reinitialize outstanding_urbs in
visor_open. (Again, I haven't tested the fix in visor, but I have
tested it in ftdi_sio.)
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/serial/visor.c | 1 -
1 file changed, 1 deletion(-)
--- gregkh-2.6.orig/drivers/usb/serial/visor.c
+++ gregkh-2.6/drivers/usb/serial/visor.c
@@ -302,7 +302,6 @@ static int visor_open (struct usb_serial
spin_lock_irqsave(&priv->lock, flags);
priv->bytes_in = 0;
priv->bytes_out = 0;
- priv->outstanding_urbs = 0;
priv->throttled = 0;
spin_unlock_irqrestore(&priv->lock, flags);
|
