From: Benoit Goby Date: Fri, 4 Mar 2011 22:01:56 +0000 (-0800) Subject: mdm6600: Fix possible use after free X-Git-Tag: firefly_0821_release~9834^2~60 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=d1d818cf4cfd82466398848d695fc262636f6494;p=firefly-linux-kernel-4.4.55.git mdm6600: Fix possible use after free If a disconnect happens while the ril runs a tiocmset ioctl, the usb interface will get freed. Then before returning, autopm_put_interface will access the interface struct after it has been freed. Get an interface reference to prevent it from being freed before the tty has been released. Change-Id: Ia009995c3fcdfa2e590b36e0c413433ea5f97b59 Signed-off-by: Benoit Goby
---
diff --git a/drivers/usb/serial/mdm6600.c b/drivers/usb/serial/mdm6600.c
index a7407beaeb6d..e4f9c6e48cbb 100644
--- a/drivers/usb/serial/mdm6600.c
+++ b/drivers/usb/serial/mdm6600.c
@@ -263,6 +263,7 @@ static int mdm6600_attach(struct usb_serial *serial)
 "mdm6600_write.%d", modem->number);
 wake_lock_init(&modem->writelock, WAKE_LOCK_SUSPEND, modem->writelock_name);
+ usb_get_intf(serial->interface);
 usb_enable_autosuspend(serial->dev);
 usb_mark_last_busy(serial->dev);
@@ -373,6 +374,7 @@ static void mdm6600_release(struct usb_serial *serial)
 }
 usb_set_serial_data(serial, NULL);
+ usb_put_intf(serial->interface);
 kfree(modem);
 }
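Review bot: The reference taken by `usb_get_intf(serial->interface)` in mdm6600_attach is dropped only in mdm6600_release, so any failure return from attach after this line would need its own `usb_put_intf(serial->interface)` or the interface is pinned forever. The rest of attach lies outside the hunk, so I cannot confirm that no such exit exists. The mirror case applies to the second hunk: the put in mdm6600_release is unconditional, and if release can ever run for a serial whose attach returned before reaching the get, the count drops one too far and the early free this commit is meant to prevent comes back. I would also add a comment at the get, for example `/* held until release(): a tiocmset in flight may still touch the interface after disconnect */`, so the pairing is not later removed as redundant.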