From: Alan Stern Date: Fri, 9 Oct 2009 16:43:12 +0000 (-0400) Subject: USB: serial: don't call release without attach X-Git-Tag: v2.6.31.5~34 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=dd02f3999f68aadaf7b3e61586fda3f5caac3ead;p=karo-tx-linux.git USB: serial: don't call release without attach commit a4720c650b68a5fe7faed2edeb0ad12645f7ae63 upstream. This patch (as1295) fixes a recently-added bug in the USB serial core. If certain kinds of errors occur during probing, the core may call a serial driver's release method without previously calling the attach method. This causes some drivers (io_ti in particular) to perform an invalid memory access. The patch adds a new flag to keep track of whether or not attach has been called. Signed-off-by: Alan Stern Tested-by: Jean-Denis Girard Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index a0702db4e9a7..3292e0391e28 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -155,7 +155,8 @@ static void destroy_serial(struct kref *kref)
 if (serial->minor != SERIAL_TTY_NO_MINOR)
 return_serial(serial);
- serial->type->release(serial);
+ if (serial->attached)
+ serial->type->release(serial);
 /* Now that nothing is using the ports, they can be freed */
 for (i = 0; i < serial->num_port_pointers; ++i) {
@@ -1060,12 +1061,15 @@ int usb_serial_probe(struct usb_interface *interface,
 module_put(type->driver.owner);
 if (retval < 0)
 goto probe_error;
+ serial->attached = 1;
 if (retval > 0) {
 /* quietly accept this device, but don't bind to a serial port as it's about to disappear */
 serial->num_ports = 0;
 goto exit;
 }
+ } else {
+ serial->attached = 1;
 }
 if (get_free_serial(serial, num_ports, &minor) == NULL) {
diff --git a/include/linux/usb/serial.h b/include/linux/usb/serial.h
index 73f121ef4de0..20b12f3207ae 100644
--- a/include/linux/usb/serial.h
+++ b/include/linux/usb/serial.h
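Review bot: The new `if (serial->attached)` guard in destroy_serial() carries no comment saying why release() may be skipped, and the reason cannot be read off this function alone. A line such as `/* release() undoes attach(); skip it when probing failed before attach completed */` above the guard would stop a later cleanup from dropping the check and bringing back the invalid memory access the commit message describes for io_ti. destroy_serial() starts and ends outside the hunk.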
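Review bot: Because `serial->attached = 1;` sits after `if (retval < 0) goto probe_error;` in usb_serial_probe(), a driver whose attach() fails partway no longer has release() called, so whatever attach() allocated before failing must be freed by attach() itself. That contract is not stated in the hunk; it is presumably what drivers already do, but it is worth confirming for the in-tree drivers and recording next to the `goto probe_error`, for example `/* a failing attach() must clean up after itself: release() is not called */`. The `else` branch also sets the flag when the driver has no attach method, so the flag means "attach stage passed" rather than "attach was called". usb_serial_probe() continues outside the hunk.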
@@ -148,6 +148,7 @@ struct usb_serial {
 struct usb_interface *interface;
 unsigned char disconnected:1;
 unsigned char suspending:1;
+ unsigned char attached:1;
 unsigned char minor;
 unsigned char num_ports;
 unsigned char num_port_pointers;
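Review bot: The new `attached` bit in struct usb_serial is added without a description, and its meaning is slightly wider than its name: per the usb-serial.c hunks it is also set when the driver has no attach method. If the struct has a kernel-doc block above it (not visible in this hunk), add an entry such as `@attached: attach stage completed (or no attach method); release() is called only when set`. The struct definition starts and ends outside the hunk.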