Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp664421pxf; Thu, 18 Mar 2021 08:55:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwQlWlD/dW1XCR4AHM4KEwt2tZnx/kxk2qcpuruCc9Ui6vcPG32St/0+VjUEqqhzBnZMHB1 X-Received: by 2002:a17:907:971a:: with SMTP id jg26mr42613413ejc.317.1616082953619; Thu, 18 Mar 2021 08:55:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616082953; cv=none; d=google.com; s=arc-20160816; b=Cf/4mInjRhJ8O+ksIu99Y3QSZcr/9cHRJ61m2e/23Tf6BZFspF05TJyf6vKqSWlAjn 9lu3V8oeT1Z2xfecYwwvxm8ESnld6VY84HH6zfZKgWwXWdfFZe/6ZSI3z//Lql6gpbQ2 l9x7e4XRqXMu54ja/fD0qIhjYyIx2ShwRgFdKlnAoMpcAcE7je3b/4Fxba2mBk9urSl9 lqwsVuTEvyruulAZFl6D5f8Qi+DQlUoNoIQvjHepQ8JXGGPd3sfvHdHw57TkxdwwlICP zai479vfM6nvOnFsTQ9vc7x9rQG6W37U53u5Uhry9K9XMWQ3qlBfVqBZqoCPZT98FqY4 VcOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Hb8lD0G4o/a0NQ3Tah1F6WE6O46zcIL3WLI17Dgk/5k=; b=W3ZwNZdKv5tsf+AjMPCLlK58vxVYDBoadj3kdL8tAmNPUqk84uhpO9ppQmUM7nXxM4 K9Cr0JJdkcpJeg8y/2Gtu/mdT9VdDs61H99VQDMhAD/dPhDSsnFuPiHplLsJowcgMaDL oLn8Jk+0aDaCabuIG2NN30+6qkL8RLM/+RRhOTY6D43F7ZPjyef/kCSaf/DIyb7QtAPU dpvoyBpzRzIX2TKq3RNlW8AlqTlkmroi9ypEIYfvPVRXBVrfM7AC+zEOT9nSrshfNxZD qhqknygphd5C2QPWluESFUdPt8IaKovAlUjvSsgQiGH+d84IRS4jzEHWiNNj85AZXMEU n2FQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=GQPYdIV1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s20si1721906edd.177.2021.03.18.08.55.31; Thu, 18 Mar 2021 08:55:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=GQPYdIV1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231950AbhCRPw2 (ORCPT + 99 others); Thu, 18 Mar 2021 11:52:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:54664 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231273AbhCRPwA (ORCPT ); Thu, 18 Mar 2021 11:52:00 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 32EC664F3B; Thu, 18 Mar 2021 15:52:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1616082720; bh=qO3rm93arLtFLEEeNwJWlSISTAbncxMUvYOkKzvd61k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GQPYdIV1eZImNBox0Vy5sSgjatrMZjWFAKn7P4c0XeG1cAH2Oz/Gio9sfOmJUzsUg J5IY3MNFolABuheKHRXB+TZupyKfhVZB2pmEHszJauk/bW6gmT0bhkSBS9n7AqWD6k PzPmioIQjm+YOH0M6+bvMxXCXODbwxYEwWqW4bUh9NiqYgLqR3Lpeqny3uIwfE/QXu YpZK3/mUVdrJrtYBWEhHE4miuS18HZE3Q09ZuQYqhwUwey1ReGLMjhNDf/ZcE/5Ezj QYD8qHdsWpr3Q1uYfbMjKoubSt1mtiIudlMqq006AikKSqwwkClH5L8ZY2hdcox9i8 4P5eY6TY13NrA== Received: from johan by xi.lan with local (Exim 4.93.0.4) (envelope-from ) id 1lMuwc-0005nS-2b; Thu, 18 Mar 2021 16:52:18 +0100 From: Johan Hovold To: Oliver Neukum , Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org, Alexey Khoroshilov Subject: [PATCH 2/7] USB: cdc-acm: fix use-after-free after probe failure Date: Thu, 18 Mar 2021 16:51:57 +0100 Message-Id: <20210318155202.22230-3-johan@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210318155202.22230-1-johan@kernel.org> References: <20210318155202.22230-1-johan@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If tty-device registration fails the driver would fail to release the data interface. When the device is later disconnected, the disconnect callback would still be called for the data interface and would go about releasing already freed resources. Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()") Cc: stable@vger.kernel.org # 3.9 Cc: Alexey Khoroshilov Signed-off-by: Johan Hovold --- drivers/usb/class/cdc-acm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index d75a78ad464d..dfc2480add91 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -1503,6 +1503,11 @@ static int acm_probe(struct usb_interface *intf, return 0; alloc_fail6: + if (!acm->combined_interfaces) { + /* Clear driver data so that disconnect() returns early. */ + usb_set_intfdata(data_interface, NULL); + usb_driver_release_interface(&acm_driver, data_interface); + } if (acm->country_codes) { device_remove_file(&acm->control->dev, &dev_attr_wCountryCodes); -- 2.26.2