@@ -42,6 +42,8 @@ struct opticon_private {
bool cts;
int outstanding_urbs;
int outstanding_bytes;
+
+ struct usb_anchor anchor;
};
@@ -150,6 +152,15 @@ static int opticon_open(struct tty_struct *tty, struct usb_serial_port *port)
return res;
}
+static void opticon_close(struct usb_serial_port *port)
+{
+ struct opticon_private *priv = usb_get_serial_port_data(port);
+
+ usb_kill_anchored_urbs(&priv->anchor);
+
+ usb_serial_generic_close(port);
+}
+
static void opticon_write_control_callback(struct urb *urb)
{
struct usb_serial_port *port = urb->context;
@@ -226,10 +237,13 @@ static int opticon_write(struct tty_struct *tty, struct usb_serial_port *port,
(unsigned char *)dr, buffer, count,
opticon_write_control_callback, port);
+ usb_anchor_urb(urb, priv->anchor);
+
/* send it down the pipe */
ret = usb_submit_urb(urb, GFP_ATOMIC);
if (ret) {
dev_err(&port->dev, "failed to submit write urb: %d\n", ret);
+ usb_unanchor_urb(urb);
goto error;
}
@@ -364,6 +378,7 @@ static int opticon_port_probe(struct usb_serial_port *port)
return -ENOMEM;
spin_lock_init(&priv->lock);
+ init_usb_anchor(&priv->anchor);
usb_set_serial_port_data(port, priv);
@@ -391,6 +406,7 @@ static struct usb_serial_driver opticon_device = {
.port_probe = opticon_port_probe,
.port_remove = opticon_port_remove,
.open = opticon_open,
+ .close = opticon_close,
.write = opticon_write,
.write_room = opticon_write_room,
.chars_in_buffer = opticon_chars_in_buffer,
Make sure to stop any submitted write URBs on close(). This specifically avoids a NULL-pointer dereference or use-after-free in case of a late completion event after driver unbind. Fixes: 648d4e16567e ("USB: serial: opticon: add write support") Cc: stable <stable@vger.kernel.org> # 2.6.30: xxx: USB: serial: opticon: add chars_in_buffer() implementation Signed-off-by: Johan Hovold <johan@kernel.org> --- drivers/usb/serial/opticon.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)