releases/2.6.20.2/usb-fix-concurrent-buffer-access-in-the-hub-driver.patch

   1 From stable-bounces@linux.kernel.org Mon Feb  5 06:57:55 2007
   2 From: Alan Stern <stern@rowland.harvard.edu>
   3 Date: Mon, 5 Feb 2007 09:56:15 -0500 (EST)
   4 Subject: USB: fix concurrent buffer access in the hub driver
   5 To: Greg KH <greg@kroah.com>
   6 Cc: stable@kernel.org, USB development list <linux-usb-devel@lists.sourceforge.net>, Adrian Bunk <bunk@stusta.de>
   7 Message-ID: <Pine.LNX.4.44L0.0702050950390.3533-100000@iolanthe.rowland.org>
   8
   9
  10 This patch (as849) fixes a bug in the USB hub driver.  A single
  11 pre-allocated buffer is used for all port status reads, but nothing
  12 guarantees exclusive use of the buffer.  A mutex is added to provide
  13 this guarantee.
  14
  15 Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
  16 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  17
  18 ---
  19  drivers/usb/core/hub.c |    6 ++++++
  20  1 file changed, 6 insertions(+)
  21
  22 --- linux-2.6.20.1.orig/drivers/usb/core/hub.c
  23 +++ linux-2.6.20.1/drivers/usb/core/hub.c
  24 @@ -44,6 +44,7 @@ struct usb_hub {
  25                 struct usb_hub_status   hub;
  26                 struct usb_port_status  port;
  27         }                       *status;        /* buffer for status reports */
  28 +       struct mutex            status_mutex;   /* for the status buffer */
  29
  30         int                     error;          /* last reported error */
  31         int                     nerrors;        /* track consecutive errors */
  32 @@ -538,6 +539,7 @@ static int hub_hub_status(struct usb_hub
  33  {
  34         int ret;
  35
  36 +       mutex_lock(&hub->status_mutex);
  37         ret = get_hub_status(hub->hdev, &hub->status->hub);
  38         if (ret < 0)
  39                 dev_err (hub->intfdev,
  40 @@ -547,6 +549,7 @@ static int hub_hub_status(struct usb_hub
  41                 *change = le16_to_cpu(hub->status->hub.wHubChange);
  42                 ret = 0;
  43         }
  44 +       mutex_unlock(&hub->status_mutex);
  45         return ret;
  46  }
  47
  48 @@ -620,6 +623,7 @@ static int hub_configure(struct usb_hub
  49                 ret = -ENOMEM;
  50                 goto fail;
  51         }
  52 +       mutex_init(&hub->status_mutex);
  53
  54         hub->descriptor = kmalloc(sizeof(*hub->descriptor), GFP_KERNEL);
  55         if (!hub->descriptor) {
  56 @@ -1418,6 +1422,7 @@ static int hub_port_status(struct usb_hu
  57  {
  58         int ret;
  59
  60 +       mutex_lock(&hub->status_mutex);
  61         ret = get_port_status(hub->hdev, port1, &hub->status->port);
  62         if (ret < 4) {
  63                 dev_err (hub->intfdev,
  64 @@ -1429,6 +1434,7 @@ static int hub_port_status(struct usb_hu
  65                 *change = le16_to_cpu(hub->status->port.wPortChange);
  66                 ret = 0;
  67         }
  68 +       mutex_unlock(&hub->status_mutex);
  69         return ret;
  70  }
  71