added 2 usbserial bugfixes

6 files changed, 130 insertions, 19 deletions

diff --git a/usb/usb-console-fix-disconnection-issues.patch b/usb/usb-console-fix-disconnection-issues.patch
index 55fc79b559eb07..68af8f90f6a37b 100644
--- a/usb/usb-console-fix-disconnection-issues.patch
+++ b/usb/usb-console-fix-disconnection-issues.patch
@@ -71,16 +71,16 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  /*****************************************************************************
   * Driver tty interface functions
   *****************************************************************************/
-@@ -225,7 +230,7 @@ static int serial_open (struct tty_struc
- bailout_module_put:
- 	module_put(serial->type->driver.owner);
+@@ -232,7 +237,7 @@ bailout_mutex_unlock:
+ 	port->open_count = 0;
+ 	mutex_unlock(&port->mutex);
  bailout_kref_put:
 -	kref_put(&serial->kref, destroy_serial);
 +	usb_serial_put(serial);
- 	port->open_count = 0;
- 	mutex_unlock(&port->mutex);
  	return retval;
-@@ -263,7 +268,7 @@ static void serial_close(struct tty_stru
+ }
+ 
+@@ -268,7 +273,7 @@ static void serial_close(struct tty_stru
  	}
  
  	mutex_unlock(&port->mutex);
@@ -89,7 +89,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  }
  
  static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
-@@ -271,7 +276,7 @@ static int serial_write (struct tty_stru
+@@ -276,7 +281,7 @@ static int serial_write (struct tty_stru
  	struct usb_serial_port *port = tty->driver_data;
  	int retval = -EINVAL;
  
@@ -98,7 +98,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  		goto exit;
  
  	dbg("%s - port %d, %d byte(s)", __FUNCTION__, port->number, count);
-@@ -468,7 +473,7 @@ static int serial_read_proc (char *page,
+@@ -473,7 +478,7 @@ static int serial_read_proc (char *page,
  			begin += length;
  			length = 0;
  		}
@@ -107,7 +107,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  	}
  	*eof = 1;
  done:
-@@ -980,6 +985,7 @@ void usb_serial_disconnect(struct usb_in
+@@ -985,6 +990,7 @@ void usb_serial_disconnect(struct usb_in
  	struct device *dev = &interface->dev;
  	struct usb_serial_port *port;
  
@@ -115,7 +115,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  	dbg ("%s", __FUNCTION__);
  
  	usb_set_intfdata (interface, NULL);
-@@ -991,7 +997,7 @@ void usb_serial_disconnect(struct usb_in
+@@ -996,7 +1002,7 @@ void usb_serial_disconnect(struct usb_in
  		}
  		/* let the last holder of this object 
  		 * cause it to be cleaned up */
diff --git a/usb/usb-console-prevent-enodev-on-node.patch b/usb/usb-console-prevent-enodev-on-node.patch
index e48b8b2ff832fd..54c2ab4ec0170c 100644
--- a/usb/usb-console-prevent-enodev-on-node.patch
+++ b/usb/usb-console-prevent-enodev-on-node.patch
@@ -20,7 +20,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
 
 --- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c
 +++ gregkh-2.6/drivers/usb/serial/usb-serial.c
-@@ -197,12 +197,12 @@ static int serial_open (struct tty_struc
+@@ -201,12 +201,12 @@ static int serial_open (struct tty_struc
  	 
  	++port->open_count;
  
diff --git a/usb/usb-serial-ark3116.patch b/usb/usb-serial-ark3116.patch
index 50aa5c8c9b2362..556ebcfb1f4744 100644
--- a/usb/usb-serial-ark3116.patch
+++ b/usb/usb-serial-ark3116.patch
@@ -1,9 +1,21 @@
+From foo@baz Tue Apr  9 12:12:43 2002
+Date: Fri, 12 May 2006 11:05:29 -0700
+To: Greg KH <greg@kroah.com>
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Subject: USB: add ark3116 usb to serial driver
+
+Based on Simon's original driver, with some minor code cleanups and
+tidying by me.
+
+Cc: Simon Schulz <simon@auctionant.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
 ---
  drivers/usb/serial/Kconfig   |   10 
  drivers/usb/serial/Makefile  |    1 
- drivers/usb/serial/ark3116.c |  467 +++++++++++++++++++++++++++++++++++++++++++
+ drivers/usb/serial/ark3116.c |  465 +++++++++++++++++++++++++++++++++++++++++++
  drivers/usb/serial/generic.c |    1 
- 4 files changed, 479 insertions(+)
+ 4 files changed, 477 insertions(+)
 
 --- gregkh-2.6.orig/drivers/usb/serial/Kconfig
 +++ gregkh-2.6/drivers/usb/serial/Kconfig
@@ -36,7 +48,7 @@
  obj-$(CONFIG_USB_SERIAL_CYBERJACK)		+= cyberjack.o
 --- /dev/null
 +++ gregkh-2.6/drivers/usb/serial/ark3116.c
-@@ -0,0 +1,467 @@
+@@ -0,0 +1,465 @@
 +/*
 + * ark3116
 + * - implements a driver for the arkmicro ark3116 chipset (vendor=0x6547,
@@ -361,8 +373,6 @@
 +	return;
 +}
 +
-+/* strange, if this is used something goes wrong and the port is unusable */
-+/* maybe timing problem ?! */
 +static int ark3116_open(struct usb_serial_port *port, struct file *filp)
 +{
 +	struct termios tmp_termios;
diff --git a/usb/usb-serial-dynamic-id.patch b/usb/usb-serial-dynamic-id.patch
index 37a9a2ef35e994..698ba043ec4c58 100644
--- a/usb/usb-serial-dynamic-id.patch
+++ b/usb/usb-serial-dynamic-id.patch
@@ -201,7 +201,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  	.name =		"usbserial",
  	.probe =	usb_serial_probe,
  	.disconnect =	usb_serial_disconnect,
-@@ -582,6 +582,39 @@ static struct usb_serial * create_serial
+@@ -587,6 +587,39 @@ static struct usb_serial * create_serial
  	return serial;
  }
  
@@ -241,7 +241,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  static struct usb_serial_driver *search_serial_device(struct usb_interface *iface)
  {
  	struct list_head *p;
-@@ -591,11 +624,9 @@ static struct usb_serial_driver *search_
+@@ -596,11 +629,9 @@ static struct usb_serial_driver *search_
  	/* Check if the usb id matches a known device */
  	list_for_each(p, &usb_serial_driver_list) {
  		t = list_entry(p, struct usb_serial_driver, driver_list);
@@ -255,7 +255,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  	}
  
  	return NULL;
-@@ -647,7 +678,7 @@ int usb_serial_probe(struct usb_interfac
+@@ -652,7 +683,7 @@ int usb_serial_probe(struct usb_interfac
  			return -EIO;
  		}
  
diff --git a/usb/usbserial-fixes-leak-in-serial_open-error-path.patch b/usb/usbserial-fixes-leak-in-serial_open-error-path.patch
new file mode 100644
index 00000000000000..0265181218e32c
--- /dev/null
+++ b/usb/usbserial-fixes-leak-in-serial_open-error-path.patch
@@ -0,0 +1,63 @@
+From lcapitulino@mandriva.com.br Thu May 11 18:31:41 2006
+Date: Thu, 11 May 2006 22:34:24 -0300
+From: Luiz Fernando Capitulino <lcapitulino@mandriva.com.br>
+To: gregkh@suse.de
+Subject: usbserial: Fixes leak in serial_open() error path.
+Message-ID: <20060511223424.7e7df2fc@home.brethil>
+
+
+If serial_open() fails at the port assignment or mutex_lock_interruptible()
+is interrupted, the 'serial' object will never be freed.
+
+We should call kref_put() when those errors happens.
+
+Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/usb-serial.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c
++++ gregkh-2.6/drivers/usb/serial/usb-serial.c
+@@ -189,11 +189,15 @@ static int serial_open (struct tty_struc
+ 
+ 	portNumber = tty->index - serial->minor;
+ 	port = serial->port[portNumber];
+-	if (!port)
+-		return -ENODEV;
++	if (!port) {
++		retval = -ENODEV;
++		goto bailout_kref_put;
++	}
+ 
+-	if (mutex_lock_interruptible(&port->mutex))
+-		return -ERESTARTSYS;
++	if (mutex_lock_interruptible(&port->mutex)) {
++		retval = -ERESTARTSYS;
++		goto bailout_kref_put;
++	}
+ 	 
+ 	++port->open_count;
+ 
+@@ -209,7 +213,7 @@ static int serial_open (struct tty_struc
+ 		 * safe because we are called with BKL held */
+ 		if (!try_module_get(serial->type->driver.owner)) {
+ 			retval = -ENODEV;
+-			goto bailout_kref_put;
++			goto bailout_mutex_unlock;
+ 		}
+ 
+ 		/* only call the device specific open if this 
+@@ -224,9 +228,10 @@ static int serial_open (struct tty_struc
+ 
+ bailout_module_put:
+ 	module_put(serial->type->driver.owner);
+-bailout_kref_put:
++bailout_mutex_unlock:
+ 	port->open_count = 0;
+ 	mutex_unlock(&port->mutex);
++bailout_kref_put:
+ 	kref_put(&serial->kref, destroy_serial);
+ 	return retval;
+ }
diff --git a/usb/usbserial-fixes-use-after-free-in-serial_open.patch b/usb/usbserial-fixes-use-after-free-in-serial_open.patch
new file mode 100644
index 00000000000000..f38489d11cd462
--- /dev/null
+++ b/usb/usbserial-fixes-use-after-free-in-serial_open.patch
@@ -0,0 +1,38 @@
+From lcapitulino@mandriva.com.br Thu May 11 18:31:36 2006
+Date: Thu, 11 May 2006 22:34:17 -0300
+From: Luiz Fernando Capitulino <lcapitulino@mandriva.com.br>
+To: gregkh@suse.de
+Subject: usbserial: Fixes use-after-free in serial_open().
+Message-ID: <20060511223417.7433e19b@home.brethil>
+
+
+If the device is disconnected while serial_open() is executing and
+either try_module_get() or the device specific open function fails, the
+kref_put() call in the 'bailout_kref_put' label will free the memory
+pointed out by 'port'.
+
+The subsequent dereferences in the 'bailout_kref_put' label will be
+invalid.
+
+The fix is just to assure kref_put() is called after any 'port' usage.
+
+Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/usb-serial.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c
++++ gregkh-2.6/drivers/usb/serial/usb-serial.c
+@@ -225,9 +225,9 @@ static int serial_open (struct tty_struc
+ bailout_module_put:
+ 	module_put(serial->type->driver.owner);
+ bailout_kref_put:
+-	kref_put(&serial->kref, destroy_serial);
+ 	port->open_count = 0;
+ 	mutex_unlock(&port->mutex);
++	kref_put(&serial->kref, destroy_serial);
+ 	return retval;
+ }
+