Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

USB: serial: don't call release without attach

This patch (as1295) fixes a recently-added bug in the USB serial core.
If certain kinds of errors occur during probing, the core may call a
serial driver's release method without previously calling the attach
method. This causes some drivers (io_ti in particular) to perform an
invalid memory access.

The patch adds a new flag to keep track of whether or not attach has
been called.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Jean-Denis Girard <jd.girard@sysnux.pf>
CC: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

authored by Alan Stern and committed by Greg Kroah-Hartman
a4720c65 ba6b702f

+6 -1
+5 -1
drivers/usb/serial/usb-serial.c
··· 156 156 if (serial->minor != SERIAL_TTY_NO_MINOR) 157 157 return_serial(serial); 158 158 159 - serial->type->release(serial); 159 + if (serial->attached) 160 + serial->type->release(serial); 160 161 161 162 /* Now that nothing is using the ports, they can be freed */ 162 163 for (i = 0; i < serial->num_port_pointers; ++i) { ··· 1060 1059 module_put(type->driver.owner); 1061 1060 if (retval < 0) 1062 1061 goto probe_error; 1062 + serial->attached = 1; 1063 1063 if (retval > 0) { 1064 1064 /* quietly accept this device, but don't bind to a 1065 1065 serial port as it's about to disappear */ 1066 1066 serial->num_ports = 0; 1067 1067 goto exit; 1068 1068 } 1069 + } else { 1070 + serial->attached = 1; 1069 1071 } 1070 1072 1071 1073 if (get_free_serial(serial, num_ports, &minor) == NULL) {
+1
include/linux/usb/serial.h
··· 150 150 struct usb_interface *interface; 151 151 unsigned char disconnected:1; 152 152 unsigned char suspending:1; 153 + unsigned char attached:1; 153 154 unsigned char minor; 154 155 unsigned char num_ports; 155 156 unsigned char num_port_pointers;
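
Review bot: the first drivers/usb/serial/usb-serial.c hunk (around line 159) adds the `if (serial->attached)` guard without a comment saying why release can be reached with attach never having run. A one-line comment above the guard, noting that probe can fail before attach and that release must then be skipped, would stop a later cleanup from removing the check as redundant. The port-freeing loop that follows still runs in both cases, so it is worth confirming that no driver relies on its release method having run before those ports are freed.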
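
Review bot: in the second drivers/usb/serial/usb-serial.c hunk (around line 1062), `serial->attached = 1;` sits after `if (retval < 0) goto probe_error;`, so a driver whose attach method fails never has release called and must undo its own partial setup before returning the error. That contract is implicit and should be stated in a comment here or wherever the attach method is documented. The flag is also set in the new `else` branch, where the attach block was not entered at all, so its real meaning is "release may be called" rather than "attach was called"; a short comment on that branch would make this clear.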
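
Review bot: the include/linux/usb/serial.h hunk adds `unsigned char attached:1;` with no description of what the flag means or who sets and reads it. Please add a comment on the field saying that it is set during probe and checked before release is called. The new bit is declared next to `disconnected:1` and `suspending:1`, so the three can share one byte and every write is a read-modify-write of that byte; it is worth confirming that the probe-time write to `attached` cannot run concurrently with writes to the other two flags.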