projects / firefly-linux-kernel-4.4.55.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 14a13cb)
mdm6600: Fix possible use after free
authorBenoit Goby <benoit@android.com>
Fri, 4 Mar 2011 22:01:56 +0000 (14:01 -0800)
committerBenoit Goby <benoit@android.com>
Fri, 4 Mar 2011 23:06:11 +0000 (15:06 -0800)
If a disconnect happens while the ril runs a tiocmset ioctl, the usb
interface will get freed. Then before returning, autopm_put_interface
will access the interface struct after it has been freed. Get an
interface reference to prevent it from being freed before the tty
has been released.

Change-Id: Ia009995c3fcdfa2e590b36e0c413433ea5f97b59
Signed-off-by: Benoit Goby <benoit@android.com>
drivers/usb/serial/mdm6600.c patch | blob | history

diff --git a/drivers/usb/serial/mdm6600.c b/drivers/usb/serial/mdm6600.c
index a7407beaeb6d4122cad7f18ad81b4e39816e2956..e4f9c6e48cbbc80b166eacfb95c873c47285caa7 100644 (file)
--- a/drivers/usb/serial/mdm6600.c
+++ b/drivers/usb/serial/mdm6600.c
@@ -263,6 +263,7 @@ static int mdm6600_attach(struct usb_serial *serial)
                                        "mdm6600_write.%d", modem->number);
        wake_lock_init(&modem->writelock, WAKE_LOCK_SUSPEND, modem->writelock_name);
 
+       usb_get_intf(serial->interface);
        usb_enable_autosuspend(serial->dev);
        usb_mark_last_busy(serial->dev);
 
@@ -373,6 +374,7 @@ static void mdm6600_release(struct usb_serial *serial)
        }
 
        usb_set_serial_data(serial, NULL);
+       usb_put_intf(serial->interface);
        kfree(modem);
 }
 
Unnamed repository; edit this file 'description' to name the repository.