Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1090215pxb; Fri, 26 Feb 2021 02:12:12 -0800 (PST) X-Google-Smtp-Source: ABdhPJzOfkciz+fpKf9Q58ypWVICec28W2l4N/gsJyaaLBlBT/EH09XtQWjQuy2qyxlig0QIIJho X-Received: by 2002:a17:906:4f02:: with SMTP id t2mr2463789eju.121.1614334331973; Fri, 26 Feb 2021 02:12:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614334331; cv=none; d=google.com; s=arc-20160816; b=DsBJOKY9ppPISxTcR0uLNoux7vqg3sg8qlyLL6QiIhW6JDxLLw1c1+xuL8bAlyToCj Hr9FuHBi3qmapk8yem+Et9u3bNwBooW/vDJ+rMxER4SGGv/qKReoY+ROFiZSx7x1sQRg kL+4TEwntQw/RknI8Ux+9DiwrVFp4qpKwmgFJ+Poen7c6u/hjJbSRh4xNRBE++F/qz2Q ekRJCFShzRV3kaVlZ+at8oBEWDoWzYJ1DJgp3H3PWHByC+9dTX2fHzJ3TJ82pEoY1CTX WOfOZzwY1Gn0aN3g6oPBaRSsrqX364MuIcIb6eGWt0VE5XRRLbrQbYF8Uf2fbhWE9esJ gy5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=X/l45CatAyHoD6Y/0zTN+iY6AA27UjAuqN/bGG1uvJE=; b=DTUjCOO6o6hC3PXkPleKBGI+CiMyzw/X+O5hwxkdh/NYgprpwSz0yZmMxwsHn5+fgZ cCbd7VJqPgH7Pq8yvdBNvRW7bRt2ra1vUyZ/sgqMSoJzHtsLkvr7MssVDk0y25aa698Z LUvuz0k7ErB52xVXmaapJtqDkgCpZEtvlggnrkgvrE+t7tZussVWYXhvxeNALSSkcbgn A39y2efr+eY0jQAZ5O7WIjWaBDC2rLHCDOHPlUqeGiBjUMhW6zsQYXlH+Y1vhoQjiN0b B5hq6bUMNopi2BKsHJgRqPiQpdNMbilKedOib222lTT7k1L2gdA5fh54HRQT3Y9kknzT IALA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=p2dVoMxm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v25si4979838ejw.423.2021.02.26.02.11.49; Fri, 26 Feb 2021 02:12:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=p2dVoMxm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231142AbhBZKLR (ORCPT + 99 others); Fri, 26 Feb 2021 05:11:17 -0500 Received: from mail.kernel.org ([198.145.29.99]:36458 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230466AbhBZKJL (ORCPT ); Fri, 26 Feb 2021 05:09:11 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 999A964EED; Fri, 26 Feb 2021 10:08:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1614334110; bh=+vSapguqVi3xqBZItpVDSazJWi5j4QeV+Jglua/0Ul8=; h=From:To:Cc:Subject:Date:From; b=p2dVoMxmr0REiGruLYydcIFsMId1dYK2ZpW0uA5jRZYlAuqwPSUYWFNPdcLDRptlE OFzF2WzQ4IY1FY1uGQqoWgCTwppg3EVA/Mf0VaE7+UE5detHV1MORv+SUZ1CDQHXeS rFeC/9J5bIea84mdhvn4CU44cw1xYJGg8p7om4JJ1kZq0Gwg3H37UfveRyRe9xJMbO xvVH5jZ/iLk89HfNjIa66Zy9OrwSm7R/o66FcBj3JdBQmvsha9e/Brn96QvTAw8zbl res01ueFB+AslXJ4JAhcSj5Pfr5ye4LyS5pvsD2QRmye/6lIRlGwZuGzqxocyJrtb0 dgBUdozDBGWRQ== Received: from johan by xi.lan with local (Exim 4.93.0.4) (envelope-from ) id 1lFa3G-0004wz-S7; Fri, 26 Feb 2021 11:08:50 +0100 From: Johan Hovold To: linux-usb@vger.kernel.org Cc: Mauro Carvalho Chehab , linux-kernel@vger.kernel.org, Johan Hovold , Manivannan Sadhasivam Subject: [PATCH] USB: serial: xr: fix NULL-deref on disconnect Date: Fri, 26 Feb 2021 11:08:26 +0100 Message-Id: <20210226100826.18987-1-johan@kernel.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Claiming the sibling control interface is a bit more involved and specifically requires adding support to USB-serial core for managing either interface being unbound first, something which could otherwise lead to a NULL-pointer dereference. Similarly, additional infrastructure is also needed to handle suspend properly. Since the driver currently isn't actually using the control interface, we can defer this for now by simply not claiming the control interface. Fixes: c2d405aa86b4 ("USB: serial: add MaxLinear/Exar USB to Serial driver") Reported-by: Mauro Carvalho Chehab Cc: Manivannan Sadhasivam Signed-off-by: Johan Hovold --- drivers/usb/serial/xr_serial.c | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/drivers/usb/serial/xr_serial.c b/drivers/usb/serial/xr_serial.c index 483d07dee19d..0ca04906da4b 100644 --- a/drivers/usb/serial/xr_serial.c +++ b/drivers/usb/serial/xr_serial.c @@ -545,37 +545,13 @@ static void xr_close(struct usb_serial_port *port) static int xr_probe(struct usb_serial *serial, const struct usb_device_id *id) { - struct usb_driver *driver = serial->type->usb_driver; - struct usb_interface *control_interface; - int ret; - /* Don't bind to control interface */ if (serial->interface->cur_altsetting->desc.bInterfaceNumber == 0) return -ENODEV; - /* But claim the control interface during data interface probe */ - control_interface = usb_ifnum_to_if(serial->dev, 0); - if (!control_interface) - return -ENODEV; - - ret = usb_driver_claim_interface(driver, control_interface, NULL); - if (ret) { - dev_err(&serial->interface->dev, "Failed to claim control interface\n"); - return ret; - } - return 0; } -static void xr_disconnect(struct usb_serial *serial) -{ - struct usb_driver *driver = serial->type->usb_driver; - struct usb_interface *control_interface; - - control_interface = usb_ifnum_to_if(serial->dev, 0); - usb_driver_release_interface(driver, control_interface); -} - static const struct usb_device_id id_table[] = { { USB_DEVICE(0x04e2, 0x1410) }, /* XR21V141X */ { } @@ -590,7 +566,6 @@ static struct usb_serial_driver xr_device = { .id_table = id_table, .num_ports = 1, .probe = xr_probe, - .disconnect = xr_disconnect, .open = xr_open, .close = xr_close, .break_ctl = xr_break_ctl, -- 2.26.2