tty: Fix a USB serial crash/scribble

The port lock is used to protect the port state. However the port structure
is freed on a hangup, then the lock taken on a close. The right fix is to
drop the port on tty->shutdown() but we can't yet do that due to sleep v
non-sleeping rules. Instead do the next best thing and fix it up when we are
not in -rc season.

Reported-by: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Tested-by: Daniel Mack <daniel@caiaq.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Alan Cox and committed by Linus Torvalds b68f2fb9 6a31d4ae

+18 -1
drivers/usb/serial/usb-serial.c
··· 340 340 341 341 dbg("%s - port %d", __func__, port->number); 342 342 343 + /* FIXME: 344 + This leaves a very narrow race. Really we should do the 345 + serial_do_free() on tty->shutdown(), but tty->shutdown can 346 + be called from IRQ context and serial_do_free can sleep. 347 + 348 + The right fix is probably to make the tty free (which is rare) 349 + and thus tty->shutdown() occur via a work queue and simplify all 350 + the drivers that use it. 351 + */ 352 + if (tty_hung_up_p(filp)) { 353 + /* serial_hangup already called serial_down at this point. 354 + Another user may have already reopened the port but 355 + serial_do_free is refcounted */ 356 + serial_do_free(port); 357 + return; 358 + } 343 359 344 360 if (tty_port_close_start(&port->port, tty, filp) == 0) 345 361 return; ··· 371 355 struct usb_serial_port *port = tty->driver_data; 372 356 serial_do_down(port); 373 357 tty_port_hangup(&port->port); 374 - serial_do_free(port); 358 + /* We must not free port yet - the USB serial layer depends on it's 359 + continued existence */ 375 360 } 376 361 377 362 static int serial_write(struct tty_struct *tty, const unsigned char *buf,
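Review bot: In the serial_close hunk, the FIXME admits "a very narrow race" but never says which two paths race or what gets touched after the free, so whoever picks this up later cannot check whether the race is still there. Please name the paths in the comment. The early `return` in the `tty_hung_up_p(filp)` branch also skips `tty_port_close_start()` and everything after it, so this path is correct only if serial_hangup has already torn the port down. The inner comment asserts that but calls the function `serial_down`, while the hangup hunk calls `serial_do_down(port)`; use the real name so the comment can be grepped. Finally, `dbg("%s - port %d", __func__, port->number)` runs before the hung-up check, which is safe only because hangup no longer frees the port. A short comment here should state that dependency.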
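Review bot: In the serial_hangup hunk, the replacement comment says the port must not be freed yet but not where the free now happens. Since `serial_do_free(port)` has moved to the hung-up branch of serial_close, the comment should point there so the two halves of the fix stay linked. The free used to run once per hangup and now runs once per close of a hung-up file. The patch relies on "serial_do_free is refcounted" to keep that balanced, but the reference it drops is not visible in these hunks, so please state in the comment which reference each hung-up close releases. Minor: "it's continued existence" should be "its".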