the driver sets intfdata to NULL without lock. Data structures can be
freed and accessed.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
MODULE_PARM_DESC(debug, "debug=1 enables debugging messages");
static struct usb_driver iowarrior_driver;
MODULE_PARM_DESC(debug, "debug=1 enables debugging messages");
static struct usb_driver iowarrior_driver;
+static DEFINE_MUTEX(iowarrior_open_disc_lock);
/*--------------*/
/* data */
/*--------------*/
/* data */
+ mutex_lock(&iowarrior_open_disc_lock);
dev = usb_get_intfdata(interface);
dev = usb_get_intfdata(interface);
+ if (!dev) {
+ mutex_unlock(&iowarrior_open_disc_lock);
+ mutex_unlock(&iowarrior_open_disc_lock);
/* Only one process can open each device, no sharing. */
if (dev->opened) {
/* Only one process can open each device, no sharing. */
if (dev->opened) {
int minor;
dev = usb_get_intfdata(interface);
int minor;
dev = usb_get_intfdata(interface);
+ mutex_lock(&iowarrior_open_disc_lock);
usb_set_intfdata(interface, NULL);
minor = dev->minor;
usb_set_intfdata(interface, NULL);
minor = dev->minor;
dev->present = 0;
mutex_unlock(&dev->mutex);
dev->present = 0;
mutex_unlock(&dev->mutex);
+ mutex_unlock(&iowarrior_open_disc_lock);
if (dev->opened) {
/* There is a process that holds a filedescriptor to the device ,
if (dev->opened) {
/* There is a process that holds a filedescriptor to the device ,