2013-03-15 21:30:49

by Alexey Khoroshilov

[permalink] [raw]
Subject: [PATCH] usb: cdc-acm: fix error handling in acm_probe()

acm_probe() ignores errors in tty_port_register_device()
and leaves intfdata pointing to freed memory on alloc_fail7
error path. The patch fixes the both issues.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/usb/class/cdc-acm.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 8ac25ad..c125b61 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -977,6 +977,8 @@ static int acm_probe(struct usb_interface *intf,
int num_rx_buf;
int i;
int combined_interfaces = 0;
+ struct device *tty_dev;
+ int rv = -ENOMEM;

/* normal quirks */
quirks = (unsigned long)id->driver_info;
@@ -1339,11 +1341,24 @@ skip_countries:
usb_set_intfdata(data_interface, acm);

usb_get_intf(control_interface);
- tty_port_register_device(&acm->port, acm_tty_driver, minor,
+ tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
&control_interface->dev);
+ if (IS_ERR(tty_dev)) {
+ rv = PTR_ERR(tty_dev);
+ goto alloc_fail8;
+ }

return 0;
+alloc_fail8:
+ if (acm->country_codes) {
+ device_remove_file(&acm->control->dev,
+ &dev_attr_wCountryCodes);
+ device_remove_file(&acm->control->dev,
+ &dev_attr_iCountryCodeRelDate);
+ }
+ device_remove_file(&acm->control->dev, &dev_attr_bmCapabilities);
alloc_fail7:
+ usb_set_intfdata(intf, NULL);
for (i = 0; i < ACM_NW; i++)
usb_free_urb(acm->wb[i].urb);
alloc_fail6:
@@ -1359,7 +1374,7 @@ alloc_fail2:
acm_release_minor(acm);
kfree(acm);
alloc_fail:
- return -ENOMEM;
+ return rv;
}

static void stop_data_traffic(struct acm *acm)
--
1.7.9.5


2013-03-17 18:16:10

by Oliver Neukum

[permalink] [raw]
Subject: Re: [PATCH] usb: cdc-acm: fix error handling in acm_probe()

On Saturday 16 March 2013 01:30:32 Alexey Khoroshilov wrote:
> acm_probe() ignores errors in tty_port_register_device()
> and leaves intfdata pointing to freed memory on alloc_fail7
> error path. The patch fixes the both issues.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <[email protected]>
Acked-by: Oliver Neukum <[email protected]>