USB: serial: fix null-pointer dereferences on disconnect

Make sure serial-driver dtr_rts is called with disc_mutex held after
checking the disconnected flag.

Due to a bug in the tty layer, dtr_rts may get called after a device has
been disconnected and the tty-device unregistered. Some drivers have had
individual checks for disconnect to make sure the disconnected interface
was not accessed, but this should really be handled in usb-serial core
(at least until the long-standing tty-bug has been fixed).

Note that the problem has been made more acute with commit 0998d0631001
("device-core: Ensure drvdata = NULL when no driver is bound") as the
port data is now also NULL when dtr_rts is called resulting in further
oopses.

Reported-by: Chris Ruehl <chris.ruehl@gtsys.com.hk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 1 insertions, 7 deletions

diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c
index af06f2f5f38b..d4426c038c32 100644
--- a/drivers/usb/serial/sierra.c
+++ b/drivers/usb/serial/sierra.c
@@ -861,19 +861,13 @@ static int sierra_open(struct tty_struct *tty, struct usb_serial_port *port)
 
 static void sierra_dtr_rts(struct usb_serial_port *port, int on)
 {
-        struct usb_serial *serial = port->serial;
         struct sierra_port_private *portdata;
 
         portdata = usb_get_serial_port_data(port);
         portdata->rts_state = on;
         portdata->dtr_state = on;
 
-        if (serial->dev) {
-                mutex_lock(&serial->disc_mutex);
-                if (!serial->disconnected)
-                        sierra_send_setup(port);
-                mutex_unlock(&serial->disc_mutex);
-        }
+        sierra_send_setup(port);
 }
 
 static int sierra_startup(struct usb_serial *serial)