* [PATCH 1/7] USB: cdc-acm: fix double free on probe failure
[not found] <20210318155202.22230-1-johan@kernel.org>
@ 2021-03-18 15:51 ` Johan Hovold
2021-03-22 9:38 ` Oliver Neukum
2021-03-18 15:51 ` [PATCH 2/7] USB: cdc-acm: fix use-after-free after " Johan Hovold
1 sibling, 1 reply; 4+ messages in thread
From: Johan Hovold @ 2021-03-18 15:51 UTC (permalink / raw)
To: Oliver Neukum, Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, Johan Hovold, stable, Jaejoong Kim
If tty-device registration fails the driver copy of any Country
Selection functional descriptor would end up being freed twice; first
explicitly in the error path and then again in the tty-port destructor.
Drop the first erroneous free that was left when fixing a tty-port
resource leak.
Fixes: cae2bc768d17 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail")
Cc: stable@vger.kernel.org # 4.19
Cc: Jaejoong Kim <climbbb.kim@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/usb/class/cdc-acm.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 39ddb5585ded..d75a78ad464d 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1508,7 +1508,6 @@ static int acm_probe(struct usb_interface *intf,
&dev_attr_wCountryCodes);
device_remove_file(&acm->control->dev,
&dev_attr_iCountryCodeRelDate);
- kfree(acm->country_codes);
}
device_remove_file(&acm->control->dev, &dev_attr_bmCapabilities);
alloc_fail5:
--
2.26.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/7] USB: cdc-acm: fix use-after-free after probe failure
[not found] <20210318155202.22230-1-johan@kernel.org>
2021-03-18 15:51 ` [PATCH 1/7] USB: cdc-acm: fix double free on probe failure Johan Hovold
@ 2021-03-18 15:51 ` Johan Hovold
2021-03-22 9:39 ` Oliver Neukum
1 sibling, 1 reply; 4+ messages in thread
From: Johan Hovold @ 2021-03-18 15:51 UTC (permalink / raw)
To: Oliver Neukum, Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, Johan Hovold, stable, Alexey Khoroshilov
If tty-device registration fails the driver would fail to release the
data interface. When the device is later disconnected, the disconnect
callback would still be called for the data interface and would go about
releasing already freed resources.
Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()")
Cc: stable@vger.kernel.org # 3.9
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/usb/class/cdc-acm.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index d75a78ad464d..dfc2480add91 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1503,6 +1503,11 @@ static int acm_probe(struct usb_interface *intf,
return 0;
alloc_fail6:
+ if (!acm->combined_interfaces) {
+ /* Clear driver data so that disconnect() returns early. */
+ usb_set_intfdata(data_interface, NULL);
+ usb_driver_release_interface(&acm_driver, data_interface);
+ }
if (acm->country_codes) {
device_remove_file(&acm->control->dev,
&dev_attr_wCountryCodes);
--
2.26.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/7] USB: cdc-acm: fix double free on probe failure
2021-03-18 15:51 ` [PATCH 1/7] USB: cdc-acm: fix double free on probe failure Johan Hovold
@ 2021-03-22 9:38 ` Oliver Neukum
0 siblings, 0 replies; 4+ messages in thread
From: Oliver Neukum @ 2021-03-22 9:38 UTC (permalink / raw)
To: Johan Hovold, Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, stable, Jaejoong Kim
Am Donnerstag, den 18.03.2021, 16:51 +0100 schrieb Johan Hovold:
> If tty-device registration fails the driver copy of any Country
> Selection functional descriptor would end up being freed twice; first
> explicitly in the error path and then again in the tty-port destructor.
>
> Drop the first erroneous free that was left when fixing a tty-port
> resource leak.
>
> Fixes: cae2bc768d17 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail")
> Cc: stable@vger.kernel.org # 4.19
> Cc: Jaejoong Kim <climbbb.kim@gmail.com>
> Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/7] USB: cdc-acm: fix use-after-free after probe failure
2021-03-18 15:51 ` [PATCH 2/7] USB: cdc-acm: fix use-after-free after " Johan Hovold
@ 2021-03-22 9:39 ` Oliver Neukum
0 siblings, 0 replies; 4+ messages in thread
From: Oliver Neukum @ 2021-03-22 9:39 UTC (permalink / raw)
To: Johan Hovold, Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, stable, Alexey Khoroshilov
Am Donnerstag, den 18.03.2021, 16:51 +0100 schrieb Johan Hovold:
> If tty-device registration fails the driver would fail to release the
> data interface. When the device is later disconnected, the disconnect
> callback would still be called for the data interface and would go about
> releasing already freed resources.
>
> Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()")
> Cc: stable@vger.kernel.org # 3.9
> Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
> Signed-off-by: Johan Hovold <johan@kernel.org>]
Acked-by: Oliver Neukum <oneukum@suse.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-22 9:40 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20210318155202.22230-1-johan@kernel.org>
2021-03-18 15:51 ` [PATCH 1/7] USB: cdc-acm: fix double free on probe failure Johan Hovold
2021-03-22 9:38 ` Oliver Neukum
2021-03-18 15:51 ` [PATCH 2/7] USB: cdc-acm: fix use-after-free after " Johan Hovold
2021-03-22 9:39 ` Oliver Neukum
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).