Hi,

Avoid crashing when read/write/ioctl is called after disconnecting the
device. Keep scn until the device is closed and check scn->present in
read/write/ioctl. 

The patch is on top of the devfs name patch I have just sent.

Bye,
  Henning
  
diff -u -r linux-2.5.63-minor/drivers/usb/image/scanner.c 
linux-2.5.63-nocrash/drivers/usb/image/scanner.c
--- linux-2.5.63-minor/drivers/usb/image/scanner.c      2003-02-25 15:32:02.000000000 
+0100
+++ linux-2.5.63-nocrash/drivers/usb/image/scanner.c    2003-02-25 15:55:22.000000000 
+0100
@@ -350,6 +350,9 @@
  *    - Added vendor/product ids for Artec, Avision, Brother, Medion, Primax,
  *      Prolink, Fujitsu, Plustek, and SYSCAN scanners.
  *    - Fixed generation of devfs names if dynamic minors are disabled.
+ *    - Avoid crashing when read/write/ioctl is called after disconnecting the
+ *      device. Keep scn until the device is closed and check scn->present in
+ *      read/write/ioctl.
  *
  * TODO
  *    - Performance
@@ -519,7 +522,12 @@
        file->private_data = NULL;
 
        up(&scn_mutex);
-       up(&(scn->sem));
+       if (scn->present) {
+               up(&(scn->sem));
+       } else {
+               up(&(scn->sem));
+               kfree (scn);
+       }
 
        return 0;
 }
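Review bot: Both arms of the new `if (scn->present)` call `up(&(scn->sem))`, so the branch only decides whether to free. That is easier to see if the flag is sampled while the semaphore is held and the unlock is written once: `int gone = !scn->present;`, `up(&(scn->sem));`, `if (gone) kfree(scn);`. A comment such as `/* disconnect left scn for us to free because the device was still open */` would also document the ownership handoff, since a mistake here becomes a leak or a double free. The function begins outside the hunk, so whether isopen is cleared before this point cannot be checked from here.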
@@ -546,6 +554,12 @@
 
        down(&(scn->sem));
 
+       if (!scn->present) {
+               /* Disconnected */
+               up(&(scn->sem));
+               return -EINVAL;
+       }
+
        if (!scn->bulk_out_ep) {
                /* This scanner does not have a bulk-out endpoint */
                up(&(scn->sem));
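Review bot: The new disconnected check returns `-EINVAL`, which tells user space that its arguments were wrong rather than that the scanner is gone. `-ENODEV` is the usual errno for a removed device, so the line would read `return -ENODEV;`. The same applies to the identical checks added in the hunks at -639 and -747. The enclosing function starts and ends outside the hunk.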
@@ -639,6 +653,12 @@
 
        down(&(scn->sem));
 
+       if (!scn->present) {
+               /* Disconnected */
+               up(&(scn->sem));
+               return -EINVAL;
+       }
+
        scn_minor = scn->scn_minor;
 
        ibuf = scn->ibuf;
@@ -747,6 +767,12 @@
        scn_minor = USB_SCN_MINOR(inode);
        down(&(scn->sem));
 
+       if (!scn->present) {
+               /* Disconnected */
+               up(&(scn->sem));
+               return -EINVAL;
+       }
+
        dev = scn->scn_dev;
 
        switch (cmd)
@@ -1107,8 +1133,13 @@
                devfs_unregister(scn->devfs);
                usb_deregister_dev(1, scn->scn_minor);
                usb_free_urb(scn->scn_irq);
-               up (&(scn->sem));
-               kfree (scn);
+               if (scn->isopen) {
+                       scn->present = 0;
+                       up (&(scn->sem));
+               } else {
+                       up (&(scn->sem));
+                       kfree (scn);
+               }
                up (&scn_mutex);
        }
 }
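Review bot: In the new `scn->isopen` branch scn survives disconnect, but `usb_free_urb(scn->scn_irq)` just above has already run, so the kept struct holds a stale pointer. It also keeps `scn->scn_dev`, which the ioctl hunk reads. The `present` checks cover the three entry points patched here, but any other path that reaches scn before close would touch freed memory. Clearing the fields turns such a mistake into a NULL dereference: `scn->scn_irq = NULL;` next to `scn->present = 0;`, and likewise `scn->scn_dev = NULL;` if nothing in close still needs it. The start of the disconnect function is outside the hunk, so other resources released there were not reviewed.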

