From d1d818cf4cfd82466398848d695fc262636f6494 Mon Sep 17 00:00:00 2001
From: Benoit Goby
Date: Fri, 4 Mar 2011 14:01:56 -0800
Subject: [PATCH] mdm6600: Fix possible use after free

If a disconnect happens while the ril runs a tiocmset ioctl, the usb interface will get freed. Then before returning, autopm_put_interface will access the interface struct after it has been freed. Get an interface reference to prevent it from being freed before the tty has been released.

Change-Id: Ia009995c3fcdfa2e590b36e0c413433ea5f97b59
Signed-off-by: Benoit Goby
---
 drivers/usb/serial/mdm6600.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/serial/mdm6600.c b/drivers/usb/serial/mdm6600.c
index a7407beaeb6d..e4f9c6e48cbb 100644
--- a/drivers/usb/serial/mdm6600.c
+++ b/drivers/usb/serial/mdm6600.c
@@ -263,6 +263,7 @@ static int mdm6600_attach(struct usb_serial *serial)
 "mdm6600_write.%d", modem->number);
 wake_lock_init(&modem->writelock, WAKE_LOCK_SUSPEND, modem->writelock_name);
+ usb_get_intf(serial->interface);
 usb_enable_autosuspend(serial->dev);
 usb_mark_last_busy(serial->dev);
@@ -373,6 +374,7 @@ static void mdm6600_release(struct usb_serial *serial)
 }
 usb_set_serial_data(serial, NULL);
+ usb_put_intf(serial->interface);
 kfree(modem);
 }
-- 
2.34.1
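Review bot: The reference taken by `usb_get_intf(serial->interface)` in mdm6600_attach is dropped only in mdm6600_release (second hunk), so any error return later in attach would leak the interface reference unless release is guaranteed to run after a failed attach. The rest of mdm6600_attach lies outside this hunk, so this needs checking against the full function; if a failure path exists after this line, it should call `usb_put_intf(serial->interface);` before returning. The call is also worth a comment stating why the driver pins the interface, e.g. `/* hold the interface until mdm6600_release(); autopm_put_interface() may run after disconnect */`.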
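Review bot: The `usb_put_intf(serial->interface)` added in mdm6600_release carries no comment tying it to the `usb_get_intf()` in mdm6600_attach, and the fix depends on that pairing and on where the call sits in the function. Because this may be the last reference, nothing placed after it in release may touch `serial->interface`; the visible `kfree(modem)` does not, but the start of mdm6600_release is outside the hunk. I would add `/* pairs with usb_get_intf() in mdm6600_attach(); keep after the last use of serial->interface */` above the call. The commit message's guarantee also assumes release runs only after the tty has been closed, which is presumably enforced by the usb-serial core and is not visible here.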