| Message ID | 20200113172213.30869-1-johan@kernel.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 5e28055f340275a8616eee88ef19186631b4d136 |
| Headers | show |
| Series | USB: serial: opticon: fix control-message timeouts | expand |
On Mon, Jan 13, 2020 at 06:22:13PM +0100, Johan Hovold wrote: > The driver was issuing synchronous uninterruptible control requests > without using a timeout. This could lead to the driver hanging > on open() or tiocmset() due to a malfunctioning (or malicious) device > until the device is physically disconnected. > > The USB upper limit of five seconds per request should be more than > enough. > > Fixes: 309a057932ab ("USB: opticon: add rts and cts support") > Cc: stable <stable@vger.kernel.org> # 2.6.39 > Cc: Martin Jansen <martin.jansen@opticon.com> > Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
On Mon, Jan 13, 2020 at 07:25:46PM +0100, Greg Kroah-Hartman wrote: > On Mon, Jan 13, 2020 at 06:22:13PM +0100, Johan Hovold wrote: > > The driver was issuing synchronous uninterruptible control requests > > without using a timeout. This could lead to the driver hanging > > on open() or tiocmset() due to a malfunctioning (or malicious) device > > until the device is physically disconnected. > > > > The USB upper limit of five seconds per request should be more than > > enough. > > > > Fixes: 309a057932ab ("USB: opticon: add rts and cts support") > > Cc: stable <stable@vger.kernel.org> # 2.6.39 > > Cc: Martin Jansen <martin.jansen@opticon.com> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Thanks for reviewing these. This one; now applied. Johan
diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c index cb7aac9cd9e7..ed2b4e6dca38 100644 --- a/drivers/usb/serial/opticon.c +++ b/drivers/usb/serial/opticon.c @@ -113,7 +113,7 @@ static int send_control_msg(struct usb_serial_port *port, u8 requesttype, retval = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), requesttype, USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, - 0, 0, buffer, 1, 0); + 0, 0, buffer, 1, USB_CTRL_SET_TIMEOUT); kfree(buffer); if (retval < 0)
The driver was issuing synchronous uninterruptible control requests without using a timeout. This could lead to the driver hanging on open() or tiocmset() due to a malfunctioning (or malicious) device until the device is physically disconnected. The USB upper limit of five seconds per request should be more than enough. Fixes: 309a057932ab ("USB: opticon: add rts and cts support") Cc: stable <stable@vger.kernel.org> # 2.6.39 Cc: Martin Jansen <martin.jansen@opticon.com> Signed-off-by: Johan Hovold <johan@kernel.org> --- This was reported to me off-list to be an issue with some opticon devices. Let's address the obvious bug while waiting for a bug report to be sent to the list. Johan drivers/usb/serial/opticon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)