From: Oliver Neukum Date: Tue, 14 Mar 2017 11:05:07 +0000 (+0100) Subject: usb: misc: lvs: fix race condition in disconnect handling X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c4ba329cabca7c839ab48fb58b5bcc2582951a48;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git usb: misc: lvs: fix race condition in disconnect handling There is a small window during which the an URB may remain active after disconnect has returned. If in that case already freed memory may be accessed and executed. The fix is to poison the URB befotre the work is flushed. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c index c7c210421217..b7fc978724de 100644 --- a/drivers/usb/misc/lvstest.c +++ b/drivers/usb/misc/lvstest.c @@ -429,6 +429,7 @@ static void lvs_rh_disconnect(struct usb_interface *intf) struct lvs_rh *lvs = usb_get_intfdata(intf); sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group); + usb_poison_urb(lvs->urb); /* used in scheduled work */ flush_work(&lvs->rh_work); usb_free_urb(lvs->urb); }