tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

usb: hcd: Fix use after free in usb_hcd_pci_remove()

On the removal stage we put a reference to the controller structure and
if it's not used anymore it gets freed, but later we try to dereference
a pointer to a member of that structure.

Copy necessary field to a temporary variable to avoid use after free.

Fixes: 306c54d0edb6 ("usb: hcd: Try MSI interrupts on PCI devices")
Reported-by: John Garry <john.garry@huawei.com>
Link: https://lore.kernel.org/linux-usb/30a8c4ca-64c2-863b-cfcd-0970599c0ba3@huawei.com/
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20200814182218.71957-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Andy Shevchenko and committed by
Greg Kroah-Hartman 7b2816dd bed97b30

+4 -1
+4 -1
drivers/usb/core/hcd-pci.c
··· 315 315 void usb_hcd_pci_remove(struct pci_dev *dev) 316 316 { 317 317 struct usb_hcd *hcd; 318 + int hcd_driver_flags; 318 319 319 320 hcd = pci_get_drvdata(dev); 320 321 if (!hcd) 321 322 return; 323 + 324 + hcd_driver_flags = hcd->driver->flags; 322 325 323 326 if (pci_dev_run_wake(dev)) 324 327 pm_runtime_get_noresume(&dev->dev); ··· 350 347 up_read(&companions_rwsem); 351 348 } 352 349 usb_put_hcd(hcd); 353 - if ((hcd->driver->flags & HCD_MASK) < HCD_USB3) 350 + if ((hcd_driver_flags & HCD_MASK) < HCD_USB3) 354 351 pci_free_irq_vectors(dev); 355 352 pci_disable_device(dev); 356 353 }