Home Explore Help
Sign In
PUBLIC_REPOS
/
ti-processor-sdk-linux
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

serial: core: Prevent unsafe uart port access, part 3

For tty operations which may expect uart port to have been removed
but still have other necessary work to accomplish, check for NULL
uart port; specifically uart_close(), uart_hangup() and sub-functions
(uart_shutdown() and uart_port_shutdown()).

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Hurley 9 years ago
parent
9ed19428a5
commit
af224ca2df
1 changed files with 20 additions and 10 deletions
Split View Show Diff Stats
  1. 20 10
      drivers/tty/serial/serial_core.c

+ 20 - 10
drivers/tty/serial/serial_core.c
View File 

@@ -257,6 +257,8 @@ static int uart_startup(struct tty_struct *tty, struct uart_state *state,
 
  * This routine will shutdown a serial port; interrupts are disabled, and
 
  * DTR is dropped if the hangup on close termio flag is on.  Calls to
 
  * uart_shutdown are serialised by the per-port semaphore.
 
+ *
 
+ * uport == NULL if uart_port has already been removed
 
  */
 
 static void uart_shutdown(struct tty_struct *tty, struct uart_state *state)
 
 {
 
@@ -275,7 +277,7 @@ static void uart_shutdown(struct tty_struct *tty, struct uart_state *state)
 
 		/*
 
 		 * Turn off DTR and RTS early.
 
 		 */
 
-		if (uart_console(uport) && tty)
 
+		if (uport && uart_console(uport) && tty)
 
 			uport->cons->cflag = tty->termios.c_cflag;
 
 
 		if (!tty || C_HUPCL(tty))
 
@@ -1460,7 +1462,6 @@ out:
 
  * Calls to uart_close() are serialised via the tty_lock in
 
  *   drivers/tty/tty_io.c:tty_release()
 
  *   drivers/tty/tty_io.c:do_tty_hangup()
 
- * This runs from a workqueue and can sleep for a _short_ time only.
 
  */
 
 static void uart_close(struct tty_struct *tty, struct file *filp)
 
 {
 
@@ -1479,18 +1480,21 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
 
 		return;
 
 	}
 
 
-	uport = state->uart_port;
 
 	port = &state->port;
 
 	pr_debug("uart_close(%d) called\n", tty->index);
 
 
-	if (!port->count || tty_port_close_start(port, tty, filp) == 0)
 
+	if (tty_port_close_start(port, tty, filp) == 0)
 
 		return;
 
 
+	mutex_lock(&port->mutex);
 
+	uport = uart_port_check(state);
 
+
 
 	/*
 
 	 * At this point, we stop accepting input.  To do this, we
 
 	 * disable the receive line status interrupts.
 
 	 */
 
-	if (tty_port_initialized(port)) {
 
+	if (tty_port_initialized(port) &&
 
+	    !WARN(!uport, "detached port still initialized!\n")) {
 
 		spin_lock_irq(&uport->lock);
 
 		uport->ops->stop_rx(uport);
 
 		spin_unlock_irq(&uport->lock);
 
@@ -1502,7 +1506,6 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
 
 		uart_wait_until_sent(tty, uport->timeout);
 
 	}
 
 
-	mutex_lock(&port->mutex);
 
 	uart_shutdown(tty, state);
 
 	tty_port_tty_set(port, NULL);
 
 
@@ -1513,7 +1516,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
 
 		if (port->close_delay)
 
 			msleep_interruptible(jiffies_to_msecs(port->close_delay));
 
 		spin_lock_irq(&port->lock);
 
-	} else if (!uart_console(uport)) {
 
+	} else if (uport && !uart_console(uport)) {
 
 		spin_unlock_irq(&port->lock);
 
 		uart_change_pm(state, UART_PM_STATE_OFF);
 
 		spin_lock_irq(&port->lock);
 
@@ -1600,11 +1603,15 @@ static void uart_hangup(struct tty_struct *tty)
 
 {
 
 	struct uart_state *state = tty->driver_data;
 
 	struct tty_port *port = &state->port;
 
+	struct uart_port *uport;
 
 	unsigned long flags;
 
 
 	pr_debug("uart_hangup(%d)\n", tty->index);
 
 
 	mutex_lock(&port->mutex);
 
+	uport = uart_port_check(state);
 
+	WARN(!uport, "hangup of detached port!\n");
 
+
 
 	if (tty_port_active(port)) {
 
 		uart_flush_buffer(tty);
 
 		uart_shutdown(tty, state);
 
@@ -1613,7 +1620,7 @@ static void uart_hangup(struct tty_struct *tty)
 
 		spin_unlock_irqrestore(&port->lock, flags);
 
 		tty_port_set_active(port, 0);
 
 		tty_port_tty_set(port, NULL);
 
-		if (!uart_console(state->uart_port))
 
+		if (uport && !uart_console(uport))
 
 			uart_change_pm(state, UART_PM_STATE_OFF);
 
 		wake_up_interruptible(&port->open_wait);
 
 		wake_up_interruptible(&port->delta_msr_wait);
 
@@ -1621,6 +1628,7 @@ static void uart_hangup(struct tty_struct *tty)
 
 	mutex_unlock(&port->mutex);
 
 }
 
 
+/* uport == NULL if uart_port has already been removed */
 
 static void uart_port_shutdown(struct tty_port *port)
 
 {
 
 	struct uart_state *state = container_of(port, struct uart_state, port);
 
@@ -1638,12 +1646,14 @@ static void uart_port_shutdown(struct tty_port *port)
 
 	/*
 
 	 * Free the IRQ and disable the port.
 
 	 */
 
-	uport->ops->shutdown(uport);
 
+	if (uport)
 
+		uport->ops->shutdown(uport);
 
 
 	/*
 
 	 * Ensure that the IRQ handler isn't running on another CPU.
 
 	 */
 
-	synchronize_irq(uport->irq);
 
+	if (uport)
 
+		synchronize_irq(uport->irq);
 
 }
 
 
 static int uart_carrier_raised(struct tty_port *port)