USB: serial: don't call release without attach

This patch (as1295) fixes a recently-added bug in the USB serial core.
If certain kinds of errors occur during probing, the core may call a
serial driver's release method without previously calling the attach
method.  This causes some drivers (io_ti in particular) to perform an
invalid memory access.

The patch adds a new flag to keep track of whether or not attach has
been called.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Jean-Denis Girard <jd.girard@sysnux.pf>
CC: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Alan Stern 2009-10-09 12:43:12 -04:00 committed by Greg Kroah-Hartman
parent ba6b702f85
commit a4720c650b
2 changed files with 6 additions and 1 deletions

View File

@ -156,6 +156,7 @@ static void destroy_serial(struct kref *kref)
if (serial->minor != SERIAL_TTY_NO_MINOR)
return_serial(serial);
if (serial->attached)
serial->type->release(serial);
/* Now that nothing is using the ports, they can be freed */
@ -1059,12 +1060,15 @@ int usb_serial_probe(struct usb_interface *interface,
module_put(type->driver.owner);
if (retval < 0)
goto probe_error;
serial->attached = 1;
if (retval > 0) {
/* quietly accept this device, but don't bind to a
serial port as it's about to disappear */
serial->num_ports = 0;
goto exit;
}
} else {
serial->attached = 1;
}
if (get_free_serial(serial, num_ports, &minor) == NULL) {

View File

@ -150,6 +150,7 @@ struct usb_serial {
struct usb_interface *interface;
unsigned char disconnected:1;
unsigned char suspending:1;
unsigned char attached:1;
unsigned char minor;
unsigned char num_ports;
unsigned char num_port_pointers;