From: Ian Abbott Date: Mon, 26 Jun 2006 10:44:22 +0000 (+0100) Subject: [PATCH] USB serial visor: fix race in open/close X-Git-Tag: v2.6.18-rc2~97^2~21 X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=00d6058ac93048b525b86fa48b413dcb87ac2728;p=linux-2.6-omap-h63xx.git [PATCH] USB serial visor: fix race in open/close The anti user-DoS mechanism in the USB serial 'visor' driver can fail in the following way: visor_open: priv->outstanding_urbs = 0 visor_write: ++priv->outstanding_urbs visor_close: visor_open: priv->outstanding_urbs = 0 visor_write_bulk_callback: --priv->outstanding_urbs So priv->outstanding_urbs ends up as (unsigned long)(-1). Not good! I haven't seen this happen with the visor driver as I don't have the hardware, but I have seen it while testing a patch to implement the same functionality in the ftdi_sio driver (patch not yet submitted). The fix is pretty simple: don't reinitialize outstanding_urbs in visor_open. (Again, I haven't tested the fix in visor, but I have tested it in ftdi_sio.) Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c index cbc21465f4f..32c3c628898 100644 --- a/drivers/usb/serial/visor.c +++ b/drivers/usb/serial/visor.c @@ -302,7 +302,6 @@ static int visor_open (struct usb_serial_port *port, struct file *filp) spin_lock_irqsave(&priv->lock, flags); priv->bytes_in = 0; priv->bytes_out = 0; - priv->outstanding_urbs = 0; priv->throttled = 0; spin_unlock_irqrestore(&priv->lock, flags);