From patchwork Thu Mar 18 15:51:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 404525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 460D6C4332E for ; Thu, 18 Mar 2021 15:52:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0D2C664F18 for ; Thu, 18 Mar 2021 15:52:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231890AbhCRPwV (ORCPT ); Thu, 18 Mar 2021 11:52:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:54664 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231273AbhCRPwA (ORCPT ); Thu, 18 Mar 2021 11:52:00 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 32EC664F3B; Thu, 18 Mar 2021 15:52:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1616082720; bh=qO3rm93arLtFLEEeNwJWlSISTAbncxMUvYOkKzvd61k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GQPYdIV1eZImNBox0Vy5sSgjatrMZjWFAKn7P4c0XeG1cAH2Oz/Gio9sfOmJUzsUg J5IY3MNFolABuheKHRXB+TZupyKfhVZB2pmEHszJauk/bW6gmT0bhkSBS9n7AqWD6k PzPmioIQjm+YOH0M6+bvMxXCXODbwxYEwWqW4bUh9NiqYgLqR3Lpeqny3uIwfE/QXu YpZK3/mUVdrJrtYBWEhHE4miuS18HZE3Q09ZuQYqhwUwey1ReGLMjhNDf/ZcE/5Ezj QYD8qHdsWpr3Q1uYfbMjKoubSt1mtiIudlMqq006AikKSqwwkClH5L8ZY2hdcox9i8 4P5eY6TY13NrA== Received: from johan by xi.lan with local (Exim 4.93.0.4) (envelope-from ) id 1lMuwc-0005nS-2b; Thu, 18 Mar 2021 16:52:18 +0100 From: Johan Hovold To: Oliver Neukum , Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org, Alexey Khoroshilov Subject: [PATCH 2/7] USB: cdc-acm: fix use-after-free after probe failure Date: Thu, 18 Mar 2021 16:51:57 +0100 Message-Id: <20210318155202.22230-3-johan@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210318155202.22230-1-johan@kernel.org> References: <20210318155202.22230-1-johan@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org If tty-device registration fails the driver would fail to release the data interface. When the device is later disconnected, the disconnect callback would still be called for the data interface and would go about releasing already freed resources. Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()") Cc: stable@vger.kernel.org # 3.9 Cc: Alexey Khoroshilov Signed-off-by: Johan Hovold Acked-by: Oliver Neukum --- drivers/usb/class/cdc-acm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index d75a78ad464d..dfc2480add91 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -1503,6 +1503,11 @@ static int acm_probe(struct usb_interface *intf, return 0; alloc_fail6: + if (!acm->combined_interfaces) { + /* Clear driver data so that disconnect() returns early. */ + usb_set_intfdata(data_interface, NULL); + usb_driver_release_interface(&acm_driver, data_interface); + } if (acm->country_codes) { device_remove_file(&acm->control->dev, &dev_attr_wCountryCodes);