usb: core: Fix use after free for hub usb device (24956f26) · Commits · e / devices / android_kernel_sony_msm8994

drivers/usb/core/hub.c

+10 −0

Original line number	Diff line number	Diff line
		@@ -4751,6 +4751,14 @@ static void hub_events(void)

		hub = list_entry(tmp, struct usb_hub, event_list);
		kref_get(&hub->kref);

		/* make sure hdev is not freed before accessing it */
		if (hub->disconnected) {
		spin_unlock_irq(&hub_event_lock);
		goto hub_disconnected;
		} else {
		usb_get_dev(hub->hdev);
		}
		spin_unlock_irq(&hub_event_lock);

		hdev = hub->hdev;
		@@ -4968,6 +4976,8 @@ static void hub_events(void)
		usb_autopm_put_interface(intf);
		loop_disconnected:
		usb_unlock_device(hdev);
		usb_put_dev(hdev);
		hub_disconnected:
		kref_put(&hub->kref, hub_release);

		} /* end while (1) */