From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johan Hovold <johan@kernel.org>
Subject: [PATCH 3.14 15/20] USB: serial: quatech2: fix use-after-free in probe error path
Date: Mon, 30 May 2016 13:49:46 -0700 [thread overview]
Message-ID: <20160530204934.962352258@linuxfoundation.org> (raw)
In-Reply-To: <20160530204934.262210466@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 028c49f5e02a257c94129cd815f7c8485f51d4ef upstream.
The interface read URB is submitted in attach, but was only unlinked by
the driver at disconnect.
In case of a late probe error (e.g. due to failed minor allocation),
disconnect is never called and we would end up with active URBs for an
unbound interface. This in turn could lead to deallocated memory being
dereferenced in the completion callback.
Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/quatech2.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -141,6 +141,7 @@ static void qt2_release(struct usb_seria
serial_priv = usb_get_serial_data(serial);
+ usb_kill_urb(serial_priv->read_urb);
usb_free_urb(serial_priv->read_urb);
kfree(serial_priv->read_buffer);
kfree(serial_priv);
next prev parent reply other threads:[~2016-05-30 20:50 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-30 20:49 [PATCH 3.14 00/20] 3.14.71-stable review Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 01/20] Btrfs: dont use src fd for printk Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 02/20] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 03/20] remove directory incorrectly tries to set delete on close on non-empty directories Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 04/20] fs/cifs: correctly to anonymous authentication via NTLMSSP Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 05/20] ring-buffer: Use long for nr_pages to avoid overflow failures Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 06/20] ring-buffer: Prevent overflow of size in ring_buffer_resize() Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 07/20] crypto: caam - fix caam_jr_alloc() ret code Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 08/20] mfd: omap-usb-tll: Fix scheduling while atomic BUG Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 09/20] mmc: mmc: Fix partition switch timeout for some eMMCs Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 10/20] ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 11/20] mmc: longer timeout for long read time quirk Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 12/20] Bluetooth: vhci: purge unhandled skbs Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 13/20] USB: serial: mxuport: fix use-after-free in probe error path Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 14/20] USB: serial: keyspan: " Greg Kroah-Hartman
2016-05-30 20:49 ` Greg Kroah-Hartman [this message]
2016-05-30 20:49 ` [PATCH 3.14 16/20] USB: serial: io_edgeport: fix memory leaks in attach " Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 17/20] USB: serial: io_edgeport: fix memory leaks in probe " Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 18/20] USB: serial: option: add support for Cinterion PH8 and AHxx Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 19/20] tty: vt, return error when con_startup fails Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 20/20] serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios() Greg Kroah-Hartman
2016-06-01 5:23 ` [PATCH 3.14 00/20] 3.14.71-stable review Guenter Roeck
2016-06-01 14:19 ` Shuah Khan
2016-06-01 16:16 ` Greg Kroah-Hartman
[not found] ` <574e993f.92981c0a.59c4b.ffff8936@mx.google.com>
2016-06-01 16:17 ` Greg Kroah-Hartman
2016-06-01 17:38 ` Kevin Hilman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160530204934.962352258@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).