From 4a3e818181e1baf970e9232ca8b747e233176b87 Mon Sep 17 00:00:00 2001 From: Denis Joseph Barrow Date: Tue, 25 Nov 2008 00:27:50 -0800 Subject: [PATCH] hso: Fix crashes on close. Moved serial_open_count in hso_serial_open to prevent crashes owing to the serial structure being made NULL when hso_serial_close is called even though hso_serial_open returned -ENODEV, Alan Cox pointed out this happens, also put in sanity check in hso_serial_close to check for a valid serial structure which should prevent the most reproducable crash in the driver when the hso device is disconnected while in use. Signed-off-by: Denis Joseph Barrow Signed-off-by: David S. Miller --- drivers/net/usb/hso.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index cee1d2a280b..d5857321979 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c @@ -1235,6 +1235,11 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp) } mutex_lock(&serial->parent->mutex); + /* check for port already opened, if not set the termios */ + /* The serial->open count needs to be here as hso_serial_close + * will be called even if hso_serial_open returns -ENODEV. + */ + serial->open_count++; result = usb_autopm_get_interface(serial->parent->interface); if (result < 0) goto err_out; @@ -1246,8 +1251,6 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp) tty->driver_data = serial; serial->tty = tty; - /* check for port already opened, if not set the termios */ - serial->open_count++; if (serial->open_count == 1) { tty->low_latency = 1; serial->rx_state = RX_IDLE; @@ -1285,6 +1288,10 @@ static void hso_serial_close(struct tty_struct *tty, struct file *filp) u8 usb_gone; D1("Closing serial port"); + if (serial == NULL || serial->magic != HSO_SERIAL_MAGIC) { + D1("invalid serial structure bailing out.\n"); + return; + } mutex_lock(&serial->parent->mutex); usb_gone = serial->parent->usb_gone;