| From 4e49bf376c0451ad2eae2592e093659cde12be9a Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Mon, 22 Mar 2021 16:53:12 +0100 |
| Subject: USB: cdc-acm: fix use-after-free after probe failure |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| commit 4e49bf376c0451ad2eae2592e093659cde12be9a upstream. |
| |
| If tty-device registration fails the driver would fail to release the |
| data interface. When the device is later disconnected, the disconnect |
| callback would still be called for the data interface and would go about |
| releasing already freed resources. |
| |
| Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()") |
| Cc: stable@vger.kernel.org # 3.9 |
| Cc: Alexey Khoroshilov <khoroshilov@ispras.ru> |
| Acked-by: Oliver Neukum <oneukum@suse.com> |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Link: https://lore.kernel.org/r/20210322155318.9837-3-johan@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/usb/class/cdc-acm.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| --- a/drivers/usb/class/cdc-acm.c |
| +++ b/drivers/usb/class/cdc-acm.c |
| @@ -1529,6 +1529,11 @@ skip_countries: |
| |
| return 0; |
| alloc_fail6: |
| + if (!acm->combined_interfaces) { |
| + /* Clear driver data so that disconnect() returns early. */ |
| + usb_set_intfdata(data_interface, NULL); |
| + usb_driver_release_interface(&acm_driver, data_interface); |
| + } |
| if (acm->country_codes) { |
| device_remove_file(&acm->control->dev, |
| &dev_attr_wCountryCodes); |