From patchwork Sun Oct 25 17:45:47 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 290221 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F15DC55178 for ; Sun, 25 Oct 2020 17:48:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4657D21D41 for ; Sun, 25 Oct 2020 17:48:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603648085; bh=LPrg6dLW7sGXa35L0giBDfda+ByF0261ZFvh0hJ1k2g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=xLFy0oOJt0B2Iuou9MZw1B3jqzVmNaEiOEoeBq8J9fBypTo5UXfxCDwzdGri8N/mw xMvVEcb1LnkaGPnj6xk7zNVgiMdrPZYQPkBqw/HUjGrcld3FDO/xomHXkDPWdA2DBE Xk4yHxCCuOU/z0/DJ6T8CP4U/AKzz0+UQrFSZXs0= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1417722AbgJYRqj (ORCPT ); Sun, 25 Oct 2020 13:46:39 -0400 Received: from mail-lj1-f194.google.com ([209.85.208.194]:38412 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1417705AbgJYRqi (ORCPT ); Sun, 25 Oct 2020 13:46:38 -0400 Received: by mail-lj1-f194.google.com with SMTP id m20so7303258ljj.5; Sun, 25 Oct 2020 10:46:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ryLZzM6AeLljw7FhT9jJjorgcKimBmMyaAgnsuFGOJ8=; b=sw5KEo9n0mtrgSpZuX/PubMGgcYb3gohfDN5lssABBRCO+RvKNN64gML3g10fjGosE a36zHJouFKw+7bkVI+EcGta0Yt0mvlvYX3pyspeR/Yv5y6FFjGmXOKztJ+2UlEqhH5Z7 WAYKRlH2mx7wawrPgo+e++z2usFodGWwmhVgRE/PK20yj6KqNSQyiAh7dsFvZlimqctO tRDAoAhhdbUuk5IcAanZluJQnQfc1p20am79AcnHbvrlFl7R+8kb/rOTB+92Pzf7bl/E 73H6GQr/58lHDF71G/DKI3zCKNvtWTz12+K9CrjWorFxdL04h7NN09U1CpM/lR9xy6+O 9bdg== X-Gm-Message-State: AOAM532BJ4aMpf+sR+TGy66kdxwf5MmedfpzHxy25sGHjfK5YdU9CKCb 0+CzPGf1cfeTzEwUTMreoGbHIMQQWMTfxA== X-Google-Smtp-Source: ABdhPJzp9+8tU7hNK8dUch6AG4rzoM8aZWmKlQbR7EyEo7boJbW7ZHtMArRSx2nMe9x4IKw+v/7V6A== X-Received: by 2002:a2e:8096:: with SMTP id i22mr3937528ljg.176.1603647995906; Sun, 25 Oct 2020 10:46:35 -0700 (PDT) Received: from xi.terra (c-beaee455.07-184-6d6c6d4.bbcust.telenor.se. [85.228.174.190]) by smtp.gmail.com with ESMTPSA id d7sm875735ljg.140.2020.10.25.10.46.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 25 Oct 2020 10:46:34 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.93.0.4) (envelope-from ) id 1kWk6I-0007HA-G8; Sun, 25 Oct 2020 18:46:38 +0100 From: Johan Hovold To: linux-usb@vger.kernel.org Cc: "Ahmed S . Darwish" , Sebastian Andrzej Siewior , Thomas Gleixner , linux-kernel@vger.kernel.org, Johan Hovold , stable Subject: [PATCH 01/14] USB: serial: keyspan_pda: fix dropped unthrottle interrupts Date: Sun, 25 Oct 2020 18:45:47 +0100 Message-Id: <20201025174600.27896-2-johan@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201025174600.27896-1-johan@kernel.org> References: <20201025174600.27896-1-johan@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org Commit c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity checks") broke write-unthrottle handling by dropping well-formed unthrottle-interrupt packets which are precisely two bytes long. This could lead to blocked writers not being woken up when buffer space again becomes available. Instead, stop unconditionally printing the third byte which is (presumably) only valid on modem-line changes. Fixes: c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity checks") Cc: stable # 4.11 Signed-off-by: Johan Hovold --- drivers/usb/serial/keyspan_pda.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c index c1333919716b..2d5ad579475a 100644 --- a/drivers/usb/serial/keyspan_pda.c +++ b/drivers/usb/serial/keyspan_pda.c @@ -172,11 +172,11 @@ static void keyspan_pda_rx_interrupt(struct urb *urb) break; case 1: /* status interrupt */ - if (len < 3) { + if (len < 2) { dev_warn(&port->dev, "short interrupt message received\n"); break; } - dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]); + dev_dbg(&port->dev, "rx int, d1=%d\n", data[1]); switch (data[1]) { case 1: /* modemline change */ break; From patchwork Sun Oct 25 17:45:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 290222 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA09AC55178 for ; Sun, 25 Oct 2020 17:47:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7042321D41 for ; Sun, 25 Oct 2020 17:47:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603648074; bh=noUNEYlylHnzHTY2CrwJfTMODh4hhkeYQ9BH/0VZmYs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=LE+NUIAZo6dvtq7la3XQ2LJUl6VbmhABX0+7xy9Bc5MsBWu06tFzQa7IA+GfNXmHk qnng8P0iVWC01n8/CG1KH99p9uJNK68IFIk8tDjy8vSgg5K4vYkxQB7QVwM5oQamB3 2p9GlxCT/HJ5P0OKdxi+g/MIbZq6KeW8bNIY+0T8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1417852AbgJYRrw (ORCPT ); Sun, 25 Oct 2020 13:47:52 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:44306 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1417714AbgJYRqk (ORCPT ); Sun, 25 Oct 2020 13:46:40 -0400 Received: by mail-lf1-f67.google.com with SMTP id b1so8902342lfp.11; Sun, 25 Oct 2020 10:46:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=mLH2jEE7RKRcoLwhkzgaqRtvr7bnr4NSOoTQehYo+/Y=; b=Xjxtzz1LK6LO3HD8pQsXTS/iV5qEUHxTR5bytGUfmHoF8eBnUMAiH7orhn63C+NJ8F gWi9oxbpP2XcugGYtZngexfeeUWYCSr1EjUUlSmZrQoeqvopAH8DjbXMrHP6LI/8V1lL OZELH7DMyJLcaiw403lRxTDPPBWl1krq0enjnw4Fy5ghApqxIcjPA6qIZJ90Tm8ubipA bHlSr0AfVZdihzhVZJOVYPKXKN3GyYhFJVFKi2/1lkWoeETiyPXa2Gqw5ceSN3jyVqG6 BAnS/GFPkWUUgNEDEf4zCDVWfnAjDSEQNZbaUMNbjsqnd8Pe7fWcJeFKce/T3MMv+p5N 0DgQ== X-Gm-Message-State: AOAM5312DOIdYYyBQbyDeaEuN8M4n47LabFdFiRGlwfCSKONv4YDPgJd iKZjhzHAHUy7RLF/MTdMbl25HdCoSjPswQ== X-Google-Smtp-Source: ABdhPJwIu5JxZA5EikW7OmQwczCYOMug3Pz2X03kVWfXjycmiVx42exfzXnPBhNcDMbR5/FXYpDbzg== X-Received: by 2002:ac2:5a03:: with SMTP id q3mr4135228lfn.527.1603647997449; Sun, 25 Oct 2020 10:46:37 -0700 (PDT) Received: from xi.terra (c-beaee455.07-184-6d6c6d4.bbcust.telenor.se. [85.228.174.190]) by smtp.gmail.com with ESMTPSA id l6sm799335lfk.267.2020.10.25.10.46.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 25 Oct 2020 10:46:34 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.93.0.4) (envelope-from ) id 1kWk6I-0007HP-P6; Sun, 25 Oct 2020 18:46:38 +0100 From: Johan Hovold To: linux-usb@vger.kernel.org Cc: "Ahmed S . Darwish" , Sebastian Andrzej Siewior , Thomas Gleixner , linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org Subject: [PATCH 04/14] USB: serial: keyspan_pda: fix write-wakeup use-after-free Date: Sun, 25 Oct 2020 18:45:50 +0100 Message-Id: <20201025174600.27896-5-johan@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201025174600.27896-1-johan@kernel.org> References: <20201025174600.27896-1-johan@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The driver's deferred write wakeup was never flushed on disconnect, something which could lead to the driver port data being freed while the wakeup work is still scheduled. Fix this by using the usb-serial write wakeup which gets cancelled properly on disconnect. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold --- drivers/usb/serial/keyspan_pda.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c index d6ebde779e85..d91180ab5f3b 100644 --- a/drivers/usb/serial/keyspan_pda.c +++ b/drivers/usb/serial/keyspan_pda.c @@ -43,8 +43,7 @@ struct keyspan_pda_private { int tx_room; int tx_throttled; - struct work_struct wakeup_work; - struct work_struct unthrottle_work; + struct work_struct unthrottle_work; struct usb_serial *serial; struct usb_serial_port *port; }; @@ -97,15 +96,6 @@ static const struct usb_device_id id_table_fake_xircom[] = { }; #endif -static void keyspan_pda_wakeup_write(struct work_struct *work) -{ - struct keyspan_pda_private *priv = - container_of(work, struct keyspan_pda_private, wakeup_work); - struct usb_serial_port *port = priv->port; - - tty_port_tty_wakeup(&port->port); -} - static void keyspan_pda_request_unthrottle(struct work_struct *work) { struct keyspan_pda_private *priv = @@ -183,7 +173,7 @@ static void keyspan_pda_rx_interrupt(struct urb *urb) case 2: /* tx unthrottle interrupt */ priv->tx_throttled = 0; /* queue up a wakeup at scheduler time */ - schedule_work(&priv->wakeup_work); + usb_serial_port_softint(port); break; default: break; @@ -563,7 +553,7 @@ static void keyspan_pda_write_bulk_callback(struct urb *urb) priv = usb_get_serial_port_data(port); /* queue up a wakeup at scheduler time */ - schedule_work(&priv->wakeup_work); + usb_serial_port_softint(port); } @@ -715,7 +705,6 @@ static int keyspan_pda_port_probe(struct usb_serial_port *port) if (!priv) return -ENOMEM; - INIT_WORK(&priv->wakeup_work, keyspan_pda_wakeup_write); INIT_WORK(&priv->unthrottle_work, keyspan_pda_request_unthrottle); priv->serial = port->serial; priv->port = port; From patchwork Sun Oct 25 17:45:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 290220 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6072BC55178 for ; Sun, 25 Oct 2020 17:48:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2887521D41 for ; Sun, 25 Oct 2020 17:48:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603648091; bh=ku5vLd5Iusn82tuAbgP5kPGe9nSMcfc94jRxyrE866M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=QAlJdVRRQ+3qoTZd81H9d4mV70l4k/9w3xVE96ebF6q4BNiHXjlviZCcQ188FFScy CAlYbdHOaSByQND3zH9lOIATmMyqg55ePXIzrhQg2b4JZ8N+7Iuzj1KUUYnVEpaakk En4TsNHjlKID/CpPiYMNDzDQTq6E5jCqWmFxCnn8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1417709AbgJYRqi (ORCPT ); Sun, 25 Oct 2020 13:46:38 -0400 Received: from mail-lf1-f65.google.com ([209.85.167.65]:33302 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1417703AbgJYRqi (ORCPT ); Sun, 25 Oct 2020 13:46:38 -0400 Received: by mail-lf1-f65.google.com with SMTP id l2so8946065lfk.0; Sun, 25 Oct 2020 10:46:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=DM3vq5KoxogYKwdBtmc66x0pBZlJ1K2bRpuSSZ/7cuI=; b=PV6HokVAeS0Hrokca8ZhpR5VV5hC0VgAq/HRz3BlUej8WxlwOOXhRhfO6Yo5j+B+5J TUpmxcPnzTXHjgiIDSAC/54Mc2x4iic0w8iG9uFWDQGuDZs2D2//Rcva90ABLgLsxLij x92JYF7G+cpTzbJCSnOB7UMdQYFiWj46sY0p6DoXg2Tl0rd4oq8uNX3rVyb2Cirnepbl m6FghfL6kWo5JCeHY5aPLgmmzr9KS9mtaYDX+d7kfTLAY8rnz8sUPzWZ2kagZ8utEtPb ULHz3E2Po/adGUZaLJxxTNshHCBL0lNRddfIrEfZw3sFFLKdlWh8EGBefST5yb4zqESq OFPw== X-Gm-Message-State: AOAM533hm79TIuoRpKrECCM6TPc1FWaludBX6VHIb7OIA90cWjFDjMsl Z/Nsll1/nGzUxCayhuUBmPCbnbrrehHInw== X-Google-Smtp-Source: ABdhPJz8eCUR10EUzfpCmmU3MRqzeq9ZIzxRab2NEJvy+Ss3yLa9zCaaM/4vWVutak0oImjYQDCWrg== X-Received: by 2002:ac2:4a88:: with SMTP id l8mr3563444lfp.380.1603647995602; Sun, 25 Oct 2020 10:46:35 -0700 (PDT) Received: from xi.terra (c-beaee455.07-184-6d6c6d4.bbcust.telenor.se. [85.228.174.190]) by smtp.gmail.com with ESMTPSA id j10sm880891ljb.93.2020.10.25.10.46.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 25 Oct 2020 10:46:35 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.93.0.4) (envelope-from ) id 1kWk6I-0007HT-S1; Sun, 25 Oct 2020 18:46:38 +0100 From: Johan Hovold To: linux-usb@vger.kernel.org Cc: "Ahmed S . Darwish" , Sebastian Andrzej Siewior , Thomas Gleixner , linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org Subject: [PATCH 05/14] USB: serial: keyspan_pda: fix tx-unthrottle use-after-free Date: Sun, 25 Oct 2020 18:45:51 +0100 Message-Id: <20201025174600.27896-6-johan@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201025174600.27896-1-johan@kernel.org> References: <20201025174600.27896-1-johan@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The driver's transmit-unthrottle work was never flushed on disconnect, something which could lead to the driver port data being freed while the unthrottle work is still scheduled. Fix this by cancelling the unthrottle work when shutting down the port. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold --- drivers/usb/serial/keyspan_pda.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c index d91180ab5f3b..781b6723379f 100644 --- a/drivers/usb/serial/keyspan_pda.c +++ b/drivers/usb/serial/keyspan_pda.c @@ -647,8 +647,12 @@ static int keyspan_pda_open(struct tty_struct *tty, } static void keyspan_pda_close(struct usb_serial_port *port) { + struct keyspan_pda_private *priv = usb_get_serial_port_data(port); + usb_kill_urb(port->write_urb); usb_kill_urb(port->interrupt_in_urb); + + cancel_work_sync(&priv->unthrottle_work); }