| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180303222716.26640-37-alexander.levin@microsoft.com>
Date: Sat, 3 Mar 2018 22:28:17 +0000
From: Sasha Levin <Alexander.Levin@...rosoft.com>
To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
CC: Oliver Neukum <oneukum@...e.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Sasha Levin <Alexander.Levin@...rosoft.com>
Subject: [PATCH AUTOSEL for 4.9 037/219] usb: misc: lvs: fix race condition in
disconnect handling
From: Oliver Neukum <oneukum@...e.com>
[ Upstream commit c4ba329cabca7c839ab48fb58b5bcc2582951a48 ]
There is a small window during which the an URB may
remain active after disconnect has returned. If in that case
already freed memory may be accessed and executed.
The fix is to poison the URB befotre the work is flushed.
Signed-off-by: Oliver Neukum <oneukum@...e.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@...rosoft.com>
---
drivers/usb/misc/lvstest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c
index d3d124753266..bd6e06ef88ac 100644
--- a/drivers/usb/misc/lvstest.c
+++ b/drivers/usb/misc/lvstest.c
@@ -433,6 +433,7 @@ static void lvs_rh_disconnect(struct usb_interface *intf)
struct lvs_rh *lvs = usb_get_intfdata(intf);
sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group);
+ usb_poison_urb(lvs->urb); /* used in scheduled work */
flush_work(&lvs->rh_work);
usb_free_urb(lvs->urb);
}
--
2.14.1
Powered by blists - more mailing lists