Commit 1f2235b8 authored by Alexander Shishkin's avatar Alexander Shishkin Committed by Greg Kroah-Hartman

usb: move children deallocation after quiescing the hub

Commit ff823c79 ("usb: move children
to struct usb_port") forgot to consider the hub_disconnect sequence,
which releases ports before quiescing the hub, which will lead to a
use-after-free, since hub_quiesce() will try to disconnect ports'
children, which are already deallocated. Simple modprobe dummy_hcd &&
rmmod dummy_hcd will illustrate the problem.

This patch moves deallocation of hub's ports after hub_quiesce() call
in hub_disconnect().

Cc: Lan Tianyu <tianyu.lan@intel.com>
Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 58efc77c
...@@ -1584,9 +1584,6 @@ static void hub_disconnect(struct usb_interface *intf) ...@@ -1584,9 +1584,6 @@ static void hub_disconnect(struct usb_interface *intf)
struct usb_device *hdev = interface_to_usbdev(intf); struct usb_device *hdev = interface_to_usbdev(intf);
int i; int i;
for (i = 0; i < hdev->maxchild; i++)
usb_hub_remove_port_device(hub, i + 1);
/* Take the hub off the event list and don't let it be added again */ /* Take the hub off the event list and don't let it be added again */
spin_lock_irq(&hub_event_lock); spin_lock_irq(&hub_event_lock);
if (!list_empty(&hub->event_list)) { if (!list_empty(&hub->event_list)) {
...@@ -1601,6 +1598,9 @@ static void hub_disconnect(struct usb_interface *intf) ...@@ -1601,6 +1598,9 @@ static void hub_disconnect(struct usb_interface *intf)
hub_quiesce(hub, HUB_DISCONNECT); hub_quiesce(hub, HUB_DISCONNECT);
usb_set_intfdata (intf, NULL); usb_set_intfdata (intf, NULL);
for (i = 0; i < hdev->maxchild; i++)
usb_hub_remove_port_device(hub, i + 1);
hub->hdev->maxchild = 0; hub->hdev->maxchild = 0;
if (hub->hdev->speed == USB_SPEED_HIGH) if (hub->hdev->speed == USB_SPEED_HIGH)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment