On Tue, Jan 14, 2020 at 01:18:57PM +0100, Greg Kroah-Hartman wrote:
On Tue, Jan 14, 2020 at 12:01:46PM +0100, Johan Hovold wrote:
Make sure to stop any submitted write URBs on close(). This specifically avoids a NULL-pointer dereference or use-after-free in case of a late completion event after driver unbind.
Fixes: 648d4e16567e ("USB: serial: opticon: add write support") Cc: stable stable@vger.kernel.org # 2.6.30: xxx: USB: serial: opticon: add chars_in_buffer() implementation Signed-off-by: Johan Hovold johan@kernel.org
Reviewed-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Thanks for the review.
I just submitted a patch preventing individual ports from being unbound, which almost no USB-serial driver can handle generally without crashing.
And as USB core handles the case were the USB interface driver is unbound, this one doesn't fix anything critical.
So I'll apply this for -next with the following updated commit message:
USB: serial: opticon: stop all I/O on close()
Make sure to stop any submitted write URBs on close().
Note that the tty layer will wait up to 30 seconds for the buffers to drain before close() is called.
and drop the Fixes and stable tags instead.
Johan