Hi,

"J" and I discovered some races in usb-serial; this series fixes some of them. "J" has made additional patches that fix some more races. I haven't tested this due to lack of hardware. I consider this material for 2.4.21. I've split this up in three incremental pieces to make review easier.

The bugs fixed:

1) serial_table must be locked

CPU A                                   CPU B
serial = serial_table[index]
                                        kref_put(serial)
                                        destroy_serial(serial->kref)
kref_get(serial) -> access to freed memory

A spin_lock is used to make the lookup and the kref_get() atomic.

2) there's a race with module unload

CPU A                                   CPU B
type = search_serial_device(interface)
                                        usb_serial_deregister()
                                        module unload
try_module_get(type->driver.owner) -> access to freed memory

The traditional solution of taking BKL is used.

3) there's a race between open() and probe()

CPU A                                   CPU B
get_free_serial()
                                        open()
                                        here we open an unattached device
retval = type->attach (serial);

get_free_serial() is moved to later in probe()

4) disconnect() cannot cope with unbinding through sysfs

CPU A                                   CPU B
usb_submit_urb()
                                        echo "...." >/.../unbind
                                        disconnect()
                                        probe()
IO completes

Call usb_kill_urb() in disconnect()

5) The correct error code if a write cannot be completed because a device has been disconnected is -ENODEV. Obvious fix.

Regards
Oliver
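
The locking pattern described in item 1, as an added example that is not part of the original message or of the kernel patches: a userspace C model in which the table lookup and the reference grab happen under one lock, and the final put unpublishes the entry under that same lock before freeing. The C11 atomic_flag spinlock stands in for the kernel spin_lock, the plain `refs` counter stands in for the kref, and all names other than serial_table are hypothetical.

```c
#include <stdatomic.h>
#include <stdlib.h>

#define MINORS 4                              /* hypothetical table size */
struct serial { int refs; int minor; };       /* stand-in for struct usb_serial + kref */
static struct serial *serial_table[MINORS];
static atomic_flag table_lock = ATOMIC_FLAG_INIT;

static void lock_table(void)
{
    while (atomic_flag_test_and_set_explicit(&table_lock, memory_order_acquire)) { }
}
static void unlock_table(void)
{
    atomic_flag_clear_explicit(&table_lock, memory_order_release);
}

/* Publish a new entry; the table owns the initial reference. Assumes the slot is free. */
struct serial *serial_register(int minor)
{
    struct serial *s;
    if (minor < 0 || minor >= MINORS || !(s = calloc(1, sizeof(*s))))
        return NULL;
    s->refs = 1;
    s->minor = minor;
    lock_table();
    serial_table[minor] = s;
    unlock_table();
    return s;
}

/* Lookup and get are one critical section, so a concurrent final put
 * cannot free the object between reading the slot and taking the reference. */
struct serial *serial_get_by_index(int minor)
{
    struct serial *s;
    if (minor < 0 || minor >= MINORS)
        return NULL;
    lock_table();
    s = serial_table[minor];
    if (s)
        s->refs++;
    unlock_table();
    return s;
}

/* Drop a reference; the last put clears the slot before the free. Returns 1 if destroyed. */
int serial_put(struct serial *s)
{
    lock_table();
    int last = (--s->refs == 0);
    if (last)
        serial_table[s->minor] = NULL;
    unlock_table();
    if (last)
        free(s);
    return last;
}

int main(void)
{
    struct serial *s = serial_register(1);
    if (!s) return 1;
    serial_put(serial_get_by_index(1));       /* a transient user of the entry */
    return serial_put(s) == 1 ? 0 : 1;        /* the last put destroys it */
}
```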