linux/drivers/usb/core
Alan Stern e50293ef97 USB: fix invalid memory access in hub_activate()
Commit 8520f38099 ("USB: change hub initialization sleeps to
delayed_work") changed the hub_activate() routine to make part of it
run in a workqueue.  However, the commit failed to take a reference to
the usb_hub structure or to lock the hub interface while doing so.  As
a result, if a hub is plugged in and quickly unplugged before the work
routine can run, the routine will try to access memory that has been
deallocated.  Or, if the hub is unplugged while the routine is
running, the memory may be deallocated while it is in active use.

This patch fixes the problem by taking a reference to the usb_hub at
the start of hub_activate() and releasing it at the end (when the work
is finished), and by locking the hub interface while the work routine
is running.  It also adds a check at the start of the routine to see
if the hub has already been disconnected, in which nothing should be
done.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f38099 ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-12-18 09:30:34 -08:00
..
buffer.c Usb: core: buffer: fixed the checkpatch warning 2015-05-10 15:44:10 +02:00
config.c usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message 2015-12-01 14:45:52 -08:00
devices.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
devio.c usb: devio: fix spacing 2015-08-08 15:17:17 -07:00
driver.c usb: core: driver: Use kmalloc_array 2015-10-04 10:47:19 +01:00
endpoint.c usb: endpoint: convert spaces to tabs 2015-08-14 16:50:36 -07:00
file.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
generic.c staging: usbip: convert usbip-host driver to usb_device_driver 2014-02-07 10:54:30 -08:00
hcd-pci.c USB / PM: Drop CONFIG_PM_RUNTIME from the USB core 2014-12-04 00:51:54 +01:00
hcd.c usb: hcd: use USB_DT_* 2015-10-16 23:40:06 -07:00
hub.c USB: fix invalid memory access in hub_activate() 2015-12-18 09:30:34 -08:00
hub.h usb: hub: convert khubd into workqueue 2014-09-23 22:33:19 -07:00
Kconfig usb: kconfig: fix warning of select USB_OTG 2015-11-19 16:31:42 -08:00
Makefile USB: core: remove CONFIG_USB_DEBUG usage 2013-12-21 16:01:00 -08:00
message.c usb: message: remove redundant declaration 2015-10-04 10:45:11 +01:00
notify.c
otg_whitelist.h usb: otg_whitelist: remove whitespace 2015-08-14 16:50:36 -07:00
port.c usb: Quiet down false peer failure messages 2015-12-04 08:19:55 -08:00
quirks.c USB: add quirk for devices with broken LPM 2015-12-11 15:40:51 -08:00
sysfs.c usb: interface authorization: SysFS part of USB interface authorization 2015-09-22 12:08:40 -07:00
urb.c USB: core: Codestyle fix in urb.c 2015-10-26 04:04:48 +09:00
usb-acpi.c usb: find internal hub tier mismatch via acpi 2014-05-27 16:38:52 -07:00
usb.c usb: interface authorization: Use a flag for the default device authorization 2015-09-22 12:08:40 -07:00
usb.h usb: interface authorization: Introduces the USB interface authorization 2015-09-22 12:08:40 -07:00