Skip to content

Commit

Permalink
USB: serial: mos7720: fix use-after-free on probe errors
Browse files Browse the repository at this point in the history
The interrupt URB was submitted on probe but never stopped on probe
errors. This can lead to use-after-free issues in the completion
handler when accessing the freed usb-serial struct:

Unable to handle kernel paging request at virtual address 6b6b6be7
...
[<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
[<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
[<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)

Fixes: b69578d ("USB: usbserial: mos7720: add support for parallel
port on moschip 7715")
Cc: stable <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
  • Loading branch information
jhovold committed Jan 4, 2017
1 parent b05aebc commit 91a1ff4
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion drivers/usb/serial/mos7720.c
Original file line number Diff line number Diff line change
Expand Up @@ -1962,8 +1962,10 @@ static int mos7720_startup(struct usb_serial *serial)
#ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
if (product == MOSCHIP_DEVICE_ID_7715) {
ret_val = mos7715_parport_init(serial);
if (ret_val < 0)
if (ret_val < 0) {
usb_kill_urb(serial->port[0]->interrupt_in_urb);
return ret_val;
}
}
#endif
/* LSR For Port 1 */
Expand All @@ -1975,6 +1977,8 @@ static int mos7720_startup(struct usb_serial *serial)

static void mos7720_release(struct usb_serial *serial)
{
usb_kill_urb(serial->port[0]->interrupt_in_urb);

#ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
/* close the parallel port */

Expand Down

0 comments on commit 91a1ff4

Please sign in to comment.