aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2009-10-09 12:43:12 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2009-10-09 16:52:05 -0400
commita4720c650b68a5fe7faed2edeb0ad12645f7ae63 (patch)
tree829c32036a25279bb9aa1fc6077af5fa52f8f29e
parentba6b702f85a61561d329c4c11d3ed95604924f9a (diff)
USB: serial: don't call release without attach
This patch (as1295) fixes a recently-added bug in the USB serial core. If certain kinds of errors occur during probing, the core may call a serial driver's release method without previously calling the attach method. This causes some drivers (io_ti in particular) to perform an invalid memory access. The patch adds a new flag to keep track of whether or not attach has been called. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Tested-by: Jean-Denis Girard <jd.girard@sysnux.pf> CC: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/serial/usb-serial.c6
-rw-r--r--include/linux/usb/serial.h1
2 files changed, 6 insertions, 1 deletions
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index aa6b2ae951ae..2d0f75d63ff0 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -156,7 +156,8 @@ static void destroy_serial(struct kref *kref)
156 if (serial->minor != SERIAL_TTY_NO_MINOR) 156 if (serial->minor != SERIAL_TTY_NO_MINOR)
157 return_serial(serial); 157 return_serial(serial);
158 158
159 serial->type->release(serial); 159 if (serial->attached)
160 serial->type->release(serial);
160 161
161 /* Now that nothing is using the ports, they can be freed */ 162 /* Now that nothing is using the ports, they can be freed */
162 for (i = 0; i < serial->num_port_pointers; ++i) { 163 for (i = 0; i < serial->num_port_pointers; ++i) {
@@ -1059,12 +1060,15 @@ int usb_serial_probe(struct usb_interface *interface,
1059 module_put(type->driver.owner); 1060 module_put(type->driver.owner);
1060 if (retval < 0) 1061 if (retval < 0)
1061 goto probe_error; 1062 goto probe_error;
1063 serial->attached = 1;
1062 if (retval > 0) { 1064 if (retval > 0) {
1063 /* quietly accept this device, but don't bind to a 1065 /* quietly accept this device, but don't bind to a
1064 serial port as it's about to disappear */ 1066 serial port as it's about to disappear */
1065 serial->num_ports = 0; 1067 serial->num_ports = 0;
1066 goto exit; 1068 goto exit;
1067 } 1069 }
1070 } else {
1071 serial->attached = 1;
1068 } 1072 }
1069 1073
1070 if (get_free_serial(serial, num_ports, &minor) == NULL) { 1074 if (get_free_serial(serial, num_ports, &minor) == NULL) {
diff --git a/include/linux/usb/serial.h b/include/linux/usb/serial.h
index c17eb64d7213..ce911ebf91e8 100644
--- a/include/linux/usb/serial.h
+++ b/include/linux/usb/serial.h
@@ -150,6 +150,7 @@ struct usb_serial {
150 struct usb_interface *interface; 150 struct usb_interface *interface;
151 unsigned char disconnected:1; 151 unsigned char disconnected:1;
152 unsigned char suspending:1; 152 unsigned char suspending:1;
153 unsigned char attached:1;
153 unsigned char minor; 154 unsigned char minor;
154 unsigned char num_ports; 155 unsigned char num_ports;
155 unsigned char num_port_pointers; 156 unsigned char num_port_pointers;