Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a4720c65 authored by Alan Stern's avatar Alan Stern Committed by Greg Kroah-Hartman
Browse files

USB: serial: don't call release without attach 



This patch (as1295) fixes a recently-added bug in the USB serial core.
If certain kinds of errors occur during probing, the core may call a
serial driver's release method without previously calling the attach
method.  This causes some drivers (io_ti in particular) to perform an
invalid memory access.

The patch adds a new flag to keep track of whether or not attach has
been called.

Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Tested-by: default avatarJean-Denis Girard <jd.girard@sysnux.pf>
CC: stable <stable@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent ba6b702f

drivers/usb/serial/usb-serial.c

+5 −1
Original line number Diff line number Diff line
@@ -156,6 +156,7 @@ static void destroy_serial(struct kref *kref) 
	if (serial->minor != SERIAL_TTY_NO_MINOR)

		return_serial(serial);



	if (serial->attached)

		serial->type->release(serial);



	/* Now that nothing is using the ports, they can be freed */
@@ -1059,12 +1060,15 @@ int usb_serial_probe(struct usb_interface *interface, 
		module_put(type->driver.owner);

		if (retval < 0)

			goto probe_error;

		serial->attached = 1;

		if (retval > 0) {

			/* quietly accept this device, but don't bind to a

			   serial port as it's about to disappear */

			serial->num_ports = 0;

			goto exit;

		}

	} else {

		serial->attached = 1;

	}



	if (get_free_serial(serial, num_ports, &minor) == NULL) {

include/linux/usb/serial.h

+1 −0
Original line number Diff line number Diff line
@@ -150,6 +150,7 @@ struct usb_serial { 
	struct usb_interface		*interface;

	unsigned char			disconnected:1;

	unsigned char			suspending:1;

	unsigned char			attached:1;

	unsigned char			minor;

	unsigned char			num_ports;

	unsigned char			num_port_pointers;