| From 028c49f5e02a257c94129cd815f7c8485f51d4ef Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Sun, 8 May 2016 20:08:02 +0200 |
| Subject: USB: serial: quatech2: fix use-after-free in probe error path |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| commit 028c49f5e02a257c94129cd815f7c8485f51d4ef upstream. |
| |
| The interface read URB is submitted in attach, but was only unlinked by |
| the driver at disconnect. |
| |
| In case of a late probe error (e.g. due to failed minor allocation), |
| disconnect is never called and we would end up with active URBs for an |
| unbound interface. This in turn could lead to deallocated memory being |
| dereferenced in the completion callback. |
| |
| Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/serial/quatech2.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/drivers/usb/serial/quatech2.c |
| +++ b/drivers/usb/serial/quatech2.c |
| @@ -141,6 +141,7 @@ static void qt2_release(struct usb_seria |
| |
| serial_priv = usb_get_serial_data(serial); |
| |
| + usb_kill_urb(serial_priv->read_urb); |
| usb_free_urb(serial_priv->read_urb); |
| kfree(serial_priv->read_buffer); |
| kfree(serial_priv); |
