| From 35be1a71d70775e7bd7e45fa6d2897342ff4c9d2 Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Sun, 8 May 2016 20:07:58 +0200 |
| Subject: USB: serial: keyspan: fix use-after-free in probe error path |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| commit 35be1a71d70775e7bd7e45fa6d2897342ff4c9d2 upstream. |
| |
| The interface instat and indat URBs were submitted in attach, but never |
| unlinked in release before deallocating the corresponding transfer |
| buffers. |
| |
| In the case of a late probe error (e.g. due to failed minor allocation), |
| disconnect would not have been called before release, causing the |
| buffers to be freed while the URBs are still in use. We'd also end up |
| with active URBs for an unbound interface. |
| |
| Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect, |
| release") |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/serial/keyspan.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/drivers/usb/serial/keyspan.c |
| +++ b/drivers/usb/serial/keyspan.c |
| @@ -2376,6 +2376,10 @@ static void keyspan_release(struct usb_s |
| |
| s_priv = usb_get_serial_data(serial); |
| |
| + /* Make sure to unlink the URBs submitted in attach. */ |
| + usb_kill_urb(s_priv->instat_urb); |
| + usb_kill_urb(s_priv->indat_urb); |
| + |
| usb_free_urb(s_priv->instat_urb); |
| usb_free_urb(s_priv->indat_urb); |
| usb_free_urb(s_priv->glocont_urb); |
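Review bot: In keyspan_release(), the added usb_kill_urb() calls cover only instat_urb and indat_urb, while the context line directly below frees glocont_urb with no matching kill. The commit message says instat and indat are the URBs submitted in attach, so glocont_urb is presumably idle on the late probe error path, but the new comment does not say so. Consider extending it to something like "Only instat and indat are submitted in attach", or add usb_kill_urb(s_priv->glocont_urb) if that URB can still be in flight when release runs without a prior disconnect. It would also help to state in the comment that the kills sit in release, rather than only in disconnect, because release can run without disconnect after a failed probe, as the commit message describes.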