Commit c4ba329c authored Mar 14, 2017 by Oliver Neukum Committed by Greg Kroah-Hartman Mar 16, 2017

usb: misc: lvs: fix race condition in disconnect handling



There is a small window during which the an URB may
remain active after disconnect has returned. If in that case
already freed memory may be accessed and executed.

The fix is to poison the URB befotre the work is flushed.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent e4ecd155

drivers/usb/misc/lvstest.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -429,6 +429,7 @@ static void lvs_rh_disconnect(struct usb_interface *intf)
		struct lvs_rh *lvs = usb_get_intfdata(intf);

		sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group);
		usb_poison_urb(lvs->urb); /* used in scheduled work */
		flush_work(&lvs->rh_work);
		usb_free_urb(lvs->urb);
		}