USB: cdc-acm: fix minor-number release

If the driver runs out of minor numbers it would release minor 0 and
allow another device to claim the minor while still in use.

Fortunately, registering the tty class device of the second device would
fail (with a stack dump) due to the sysfs name collision so no memory is
leaked.

Fixes: cae2bc768d17 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail")
Cc: stable@vger.kernel.org      # 4.19
Cc: Jaejoong Kim <climbbb.kim@gmail.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20210907082318.7757-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 8bbd8e2..4e2f155 100644 (file)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -726,7 +726,8 @@ static void acm_port_destruct(struct tty_port *port)
 {
        struct acm *acm = container_of(port, struct acm, port);
 
-       acm_release_minor(acm);
+       if (acm->minor != ACM_MINOR_INVALID)
+               acm_release_minor(acm);
        usb_put_intf(acm->control);
        kfree(acm->country_codes);
        kfree(acm);
@@ -1323,8 +1324,10 @@ made_compressed_probe:
        usb_get_intf(acm->control); /* undone in destruct() */
 
        minor = acm_alloc_minor(acm);
-       if (minor < 0)
+       if (minor < 0) {
+               acm->minor = ACM_MINOR_INVALID;
                goto err_put_port;
+       }
 
        acm->minor = minor;
        acm->dev = usb_dev;

diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
index 8aef5eb..3aa7f0a 100644 (file)
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -22,6 +22,8 @@
 #define ACM_TTY_MAJOR          166
 #define ACM_TTY_MINORS         256
 
+#define ACM_MINOR_INVALID      ACM_TTY_MINORS
+
 /*
  * Requests.
  */