[PATCH v2 2/2] USB: serial: opticon: stop all I/O on close() - Linux-stable-mirror

14 Jan 2020

Make sure to stop any submitted write URBs on close(). This specifically
avoids a NULL-pointer dereference or use-after-free in case of a late
completion event after driver unbind.
Fixes: 648d4e16567e ("USB: serial: opticon: add write support")
Cc: stable stable@vger.kernel.org	# 2.6.30: xxx: USB: serial: opticon: add chars_in_buffer() implementation
Signed-off-by: Johan Hovold johan@kernel.org
---
v2
 - add missing address-of operator that was never commit before
   generating the patch
drivers/usb/serial/opticon.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c
index f7bccf14a71f..0af76800bd78 100644
--- a/drivers/usb/serial/opticon.c
+++ b/drivers/usb/serial/opticon.c
@@ -42,6 +42,8 @@ struct opticon_private {
    bool cts;
    int outstanding_urbs;
    int outstanding_bytes;
+
+	struct usb_anchor anchor;
 };
@@ -150,6 +152,15 @@ static int opticon_open(struct tty_struct *tty, struct usb_serial_port *port)
    return res;
 }
+static void opticon_close(struct usb_serial_port *port)
+{
+	struct opticon_private *priv = usb_get_serial_port_data(port);
+
+	usb_kill_anchored_urbs(&priv->anchor);
+
+	usb_serial_generic_close(port);
+}
+
 static void opticon_write_control_callback(struct urb *urb)
 {
    struct usb_serial_port *port = urb->context;
@@ -226,10 +237,13 @@ static int opticon_write(struct tty_struct *tty, struct usb_serial_port *port,
    	(unsigned char *)dr, buffer, count,
    	opticon_write_control_callback, port);
+	usb_anchor_urb(urb, &priv->anchor);
+
    /* send it down the pipe */
    ret = usb_submit_urb(urb, GFP_ATOMIC);
    if (ret) {
    	dev_err(&port->dev, "failed to submit write urb: %d\n", ret);
+		usb_unanchor_urb(urb);
    	goto error;
    }
@@ -364,6 +378,7 @@ static int opticon_port_probe(struct usb_serial_port *port)
    	return -ENOMEM;
spin_lock_init(&priv->lock);
+	init_usb_anchor(&priv->anchor);
usb_set_serial_port_data(port, priv);
@@ -391,6 +406,7 @@ static struct usb_serial_driver opticon_device = {
    .port_probe =		opticon_port_probe,
    .port_remove =		opticon_port_remove,
    .open =			opticon_open,
+	.close =		opticon_close,
    .write =		opticon_write,
    .write_room = 		opticon_write_room,
    .chars_in_buffer =	opticon_chars_in_buffer,
-- 
2.24.1


    