From: Greg Kroah-Hartman Date: Tue, 10 Jan 2012 18:25:23 +0000 (-0800) Subject: 3.2-stable patches X-Git-Tag: v3.2.1~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=06554f1949e435530f26092b0ff4fd234aeae503;p=thirdparty%2Fkernel%2Fstable-queue.git 3.2-stable patches added patches: usb-cdc-acm-fix-acm_tty_hangup-vs.-acm_tty_close-race.patch --- diff --git a/queue-3.2/series b/queue-3.2/series index 358401b996d..565c760f42b 100644 --- a/queue-3.2/series +++ b/queue-3.2/series @@ -45,3 +45,4 @@ usb-ch9-fix-up-maxstreams-helper.patch igmp-avoid-zero-delay-when-receiving-odd-mixture-of-igmp-queries.patch asix-fix-infinite-loop-in-rx_fixup.patch bonding-fix-error-handling-if-slave-is-busy-v2.patch +usb-cdc-acm-fix-acm_tty_hangup-vs.-acm_tty_close-race.patch diff --git a/queue-3.2/usb-cdc-acm-fix-acm_tty_hangup-vs.-acm_tty_close-race.patch b/queue-3.2/usb-cdc-acm-fix-acm_tty_hangup-vs.-acm_tty_close-race.patch new file mode 100644 index 00000000000..563892f9897 --- /dev/null +++ b/queue-3.2/usb-cdc-acm-fix-acm_tty_hangup-vs.-acm_tty_close-race.patch 
@@ -0,0 +1,63 @@ +From thilo@ginkel.com Tue Jan 10 10:21:14 2012 +From: Thilo-Alexander Ginkel +Date: Sat, 17 Dec 2011 10:55:10 +0100 +Subject: usb: cdc-acm: Fix acm_tty_hangup() vs. acm_tty_close() race +To: oliver@neukum.name, gregkh@suse.de +Cc: jhovold@gmail.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Thilo-Alexander Ginkel +Message-ID: <1324115710-14756-1-git-send-email-thilo@ginkel.com> + +From: Thilo-Alexander Ginkel + +[Not upstream as it was fixed differently for 3.3 with a much more +"intrusive" rework of the driver - gregkh] + +There is a race condition involving acm_tty_hangup() and acm_tty_close() +where hangup() would attempt to access tty->driver_data without proper +locking and NULL checking after close() has potentially already set it +to NULL. One possibility to (sporadically) trigger this behavior is to +perform a suspend/resume cycle with a running WWAN data connection. + +This patch addresses the issue by introducing a NULL check for +tty->driver_data in acm_tty_hangup() protected by open_mutex and exiting +gracefully when hangup() is invoked on a device that has already been +closed. 
+ +Signed-off-by: Thilo-Alexander Ginkel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 12 ++++++++++-- + 1 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index a8078d0..97f2e58 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -554,10 +554,18 @@ static void acm_port_down(struct acm *acm) + + static void acm_tty_hangup(struct tty_struct *tty) + { +- struct acm *acm = tty->driver_data; +- tty_port_hangup(&acm->port); ++ struct acm *acm; ++ + mutex_lock(&open_mutex); ++ acm = tty->driver_data; ++ ++ if (!acm) ++ goto out; ++ ++ tty_port_hangup(&acm->port); + acm_port_down(acm); ++ ++out: + mutex_unlock(&open_mutex); + } + +-- +1.7.5.4 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-usb" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +
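Review bot: In the acm_tty_hangup() hunk, the new `if (!acm) goto out;` check closes the race only if every path that clears tty->driver_data does so while holding open_mutex, and only if the acm structure cannot be freed while driver_data still points at it. The close() side is not visible in this hunk, so a one-line comment above `acm = tty->driver_data;` naming the function that sets it to NULL under open_mutex would make the lock pairing checkable. The hunk also moves `tty_port_hangup(&acm->port);` inside the open_mutex section, where it previously ran before mutex_lock(); please confirm that nothing reached from that call takes open_mutex, since that would self-deadlock. Separately, the "[Not upstream ...]" note in the patch header would be easier to audit if it cited the 3.3 commit that reworked the driver.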