USB: cdc-acm: fix use-after-free after probe failure

commit 4e49bf376c0451ad2eae2592e093659cde12be9a upstream. If tty-device registration fails the driver would fail to release the data interface. When the device is later disconnected, the disconnect callback would still be called for the data interface and would go about releasing already freed resources. Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()") Cc: stable@vger.kernel.org # 3.9 Cc: Alexey Khoroshilov <khoroshilov@ispras.ru> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20210322155318.9837-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Johan Hovold <johan@kernel.org> 2021-03-22 16:53:12 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-04-07 12:48:51 +0200
commit: 27b936e21df6d2dadefac8d0977653e4fd3df1fe (patch)
tree: 73c8c8d652a3b9bd370ae871fd439e962f139bd5
parent: 3d45948f5ebd4b3b4c1e137408c4ebea080bf209 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 50d2c8e01cdd..a1fa16a03ab9 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1561,6 +1561,11 @@ skip_countries:
 
 	return 0;
 alloc_fail6:
+	if (!acm->combined_interfaces) {
+		/* Clear driver data so that disconnect() returns early. */
+		usb_set_intfdata(data_interface, NULL);
+		usb_driver_release_interface(&acm_driver, data_interface);
+	}
 	if (acm->country_codes) {
 		device_remove_file(&acm->control->dev,
 				&dev_attr_wCountryCodes);
author	Johan Hovold <johan@kernel.org>	2021-03-22 16:53:12 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-04-07 12:48:51 +0200
commit	27b936e21df6d2dadefac8d0977653e4fd3df1fe (patch)
tree	73c8c8d652a3b9bd370ae871fd439e962f139bd5
parent	3d45948f5ebd4b3b4c1e137408c4ebea080bf209 (diff)