USB: serial: fix potential use-after-free after failed probe
authorJohan Hovold <johan@kernel.org>
Wed, 18 Feb 2015 03:34:50 +0000 (10:34 +0700)
committerBen Hutchings <ben@decadent.org.uk>
Sat, 9 May 2015 22:16:21 +0000 (23:16 +0100)
commit 07fdfc5e9f1c966be8722e8fa927e5ea140df5ce upstream.

Fix return value in probe error path, which could end up returning
success (0) on errors. This could in turn lead to use-after-free or
double free (e.g. in port_remove) when the port device is removed.

Fixes: c706ebdfc895 ("USB: usb-serial: call port_probe and port_remove
at the right times")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <greg@kroah.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
drivers/usb/serial/bus.c

index 7f547dc..020b515 100644 (file)
@@ -73,7 +73,7 @@ static int usb_serial_device_probe(struct device *dev)
        retval = device_create_file(dev, &dev_attr_port_number);
        if (retval) {
                if (driver->port_remove)
-                       retval = driver->port_remove(port);
+                       driver->port_remove(port);
                goto exit;
        }