releases/3.4.96/usb-sierra-fix-use-after-free-at-suspend-resume.patch

   1 From 8452727de70f6ad850cd6d0aaa18b5d9050aa63b Mon Sep 17 00:00:00 2001
   2 From: Johan Hovold <jhovold@gmail.com>
   3 Date: Mon, 26 May 2014 19:22:51 +0200
   4 Subject: USB: sierra: fix use after free at suspend/resume
   5
   6 From: Johan Hovold <jhovold@gmail.com>
   7
   8 commit 8452727de70f6ad850cd6d0aaa18b5d9050aa63b upstream.
   9
  10 Fix use after free or NULL-pointer dereference during suspend and
  11 resume.
  12
  13 The port data may never have been allocated (port probe failed)
  14 or may already have been released by port_remove (e.g. driver is
  15 unloaded) when suspend and resume are called.
  16
  17 Fixes: e6929a9020ac ("USB: support for autosuspend in sierra while
  18 online")
  19
  20 Signed-off-by: Johan Hovold <jhovold@gmail.com>
  21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22
  23 ---
  24  drivers/usb/serial/sierra.c |    6 ++++++
  25  1 file changed, 6 insertions(+)
  26
  27 --- a/drivers/usb/serial/sierra.c
  28 +++ b/drivers/usb/serial/sierra.c
  29 @@ -999,6 +999,7 @@ static void sierra_release(struct usb_se
  30                 portdata = usb_get_serial_port_data(port);
  31                 if (!portdata)
  32                         continue;
  33 +               usb_set_serial_port_data(port, NULL);
  34                 kfree(portdata);
  35         }
  36         kfree(serial->private);
  37 @@ -1015,6 +1016,8 @@ static void stop_read_write_urbs(struct
  38         for (i = 0; i < serial->num_ports; ++i) {
  39                 port = serial->port[i];
  40                 portdata = usb_get_serial_port_data(port);
  41 +               if (!portdata)
  42 +                       continue;
  43                 sierra_stop_rx_urbs(port);
  44                 usb_kill_anchored_urbs(&portdata->active);
  45         }
  46 @@ -1057,6 +1060,9 @@ static int sierra_resume(struct usb_seri
  47                 port = serial->port[i];
  48                 portdata = usb_get_serial_port_data(port);
  49
  50 +               if (!portdata)
  51 +                       continue;
  52 +
  53                 while ((urb = usb_get_from_anchor(&portdata->delayed))) {
  54                         usb_anchor_urb(urb, &portdata->active);
  55                         intfdata->in_flight++;