USB: legousbtower: fix use-after-free on release
author
Johan Hovold
<johan@kernel.org>
Wed, 9 Oct 2019 15:38:47 +0000
(17:38 +0200)
committer
Greg Kroah-Hartman
<gregkh@linuxfoundation.org>
Thu, 17 Oct 2019 20:45:08 +0000
(13:45 -0700)
commit
726b55d0e22ca72c69c947af87785c830289ddbc
upstream.
The driver was accessing its struct usb_device in its release()
callback without holding a reference. This would lead to a
use-after-free whenever the device was disconnected while the character
device was still open.
Fixes:
fef526cae700
("USB: legousbtower: remove custom debug macro")
Cc: stable <stable@vger.kernel.org> # 3.12
Signed-off-by: Johan Hovold <johan@kernel.org>
Link:
https://lore.kernel.org/r/20191009153848.8664-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/misc/legousbtower.c
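diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c
index 44d6a33..9d4c52a 100644
--- a/drivers/usb/misc/legousbtower.c
+++ b/drivers/usb/misc/legousbtower.c
@@ -296,6 +296,7 @@ static inline void tower_delete (struct lego_usb_tower *dev)
  kfree (dev->read_buffer);
  kfree (dev->interrupt_in_buffer);
  kfree (dev->interrupt_out_buffer);
+ usb_put_dev(dev->udev);
  kfree (dev);
 }
@@ -810,7 +811,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
  mutex_init(&dev->lock);
- dev->udev = udev;
+ dev->udev = usb_get_dev(udev);
  dev->open_count = 0;
  dev->disconnected = 0;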
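Review bot: The reference taken by `dev->udev = usb_get_dev(udev);` in tower_probe is only balanced if every exit after that line reaches tower_delete(), where this commit places the matching `usb_put_dev(dev->udev);`. The probe error labels lie outside the visible hunk, so this should be confirmed, because a failure path that frees dev directly would leak the usb_device reference. I would document the pairing at both sites, e.g. `/* reference dropped by usb_put_dev() in tower_delete() */` on the assignment and `/* drops the reference taken in tower_probe() */` above the put. The held reference only keeps the struct valid for release(); it does not make I/O meaningful after unplug, so paths that touch dev->udev presumably still need to check `dev->disconnected` first. Both functions start and end outside the hunks shown.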