usb: misc: lvs: fix race condition in disconnect handling

[ Upstream commit c4ba329cabca7c839ab48fb58b5bcc2582951a48 ] There is a small window during which the an URB may remain active after disconnect has returned. If in that case already freed memory may be accessed and executed. The fix is to poison the URB befotre the work is flushed. Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Oliver Neukum <oneukum@suse.com> 2017-03-14 12:05:07 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-03-22 09:17:40 +0100
commit: e6e868c7504502cda721c0a814d3eac2594760f0 (patch)
tree: 32b359d958d9f40c0de51f7c2533f99034e89c15 /drivers/usb/misc
parent: 84b63638ca812f02f9fc79ee358146f9f8d310ab (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c
index d3d124753266..bd6e06ef88ac 100644
--- a/drivers/usb/misc/lvstest.c
+++ b/drivers/usb/misc/lvstest.c
@@ -433,6 +433,7 @@ static void lvs_rh_disconnect(struct usb_interface *intf)
 	struct lvs_rh *lvs = usb_get_intfdata(intf);
 
 	sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group);
+	usb_poison_urb(lvs->urb); /* used in scheduled work */
 	flush_work(&lvs->rh_work);
 	usb_free_urb(lvs->urb);
 }
author	Oliver Neukum <oneukum@suse.com>	2017-03-14 12:05:07 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-03-22 09:17:40 +0100
commit	e6e868c7504502cda721c0a814d3eac2594760f0 (patch)
tree	32b359d958d9f40c0de51f7c2533f99034e89c15 /drivers/usb/misc
parent	84b63638ca812f02f9fc79ee358146f9f8d310ab (diff)