USB: cdc-acm: fix use-after-free after probe failure

commit 4e49bf376c0451ad2eae2592e093659cde12be9a upstream. If tty-device registration fails the driver would fail to release the data interface. When the device is later disconnected, the disconnect callback would still be called for the data interface and would go about releasing already freed resources. Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()") Cc: stable@vger.kernel.org # 3.9 Cc: Alexey Khoroshilov <khoroshilov@ispras.ru> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20210322155318.9837-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Johan Hovold <johan@kernel.org> 2021-03-22 16:53:12 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-04-07 12:47:04 +0200
commit: a110a1d03ac71d10ff18b0e3983efec607093187 (patch)
tree: f1168db56c34de0ead7e06c4f1ec39415e665306
parent: 88fc6e1ae2ff99d595ca07a3a572cd6f8caac90d (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 9e39056ce171..b2f67d7ace6d 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1572,6 +1572,11 @@ skip_countries:
 
 	return 0;
 alloc_fail8:
+	if (!acm->combined_interfaces) {
+		/* Clear driver data so that disconnect() returns early. */
+		usb_set_intfdata(data_interface, NULL);
+		usb_driver_release_interface(&acm_driver, data_interface);
+	}
 	if (acm->country_codes) {
 		device_remove_file(&acm->control->dev,
 				&dev_attr_wCountryCodes);
author	Johan Hovold <johan@kernel.org>	2021-03-22 16:53:12 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-04-07 12:47:04 +0200
commit	a110a1d03ac71d10ff18b0e3983efec607093187 (patch)
tree	f1168db56c34de0ead7e06c4f1ec39415e665306
parent	88fc6e1ae2ff99d595ca07a3a572cd6f8caac90d (diff)