aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/usb/misc/lvstest.c
diff options
context:
space:
mode:
authorOliver Neukum <oneukum@suse.com>2017-03-14 07:05:07 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2017-03-16 05:01:02 -0400
commitc4ba329cabca7c839ab48fb58b5bcc2582951a48 (patch)
treeb04794ac64f6884a77d2fab730266f95cb085963 /drivers/usb/misc/lvstest.c
parente4ecd155d2a62246fc7722aeaa5819262904f40b (diff)
usb: misc: lvs: fix race condition in disconnect handling
There is a small window during which the an URB may remain active after disconnect has returned. If in that case already freed memory may be accessed and executed. The fix is to poison the URB befotre the work is flushed. Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/misc/lvstest.c')
-rw-r--r--drivers/usb/misc/lvstest.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c
index c7c210421217..b7fc978724de 100644
--- a/drivers/usb/misc/lvstest.c
+++ b/drivers/usb/misc/lvstest.c
@@ -429,6 +429,7 @@ static void lvs_rh_disconnect(struct usb_interface *intf)
429 struct lvs_rh *lvs = usb_get_intfdata(intf); 429 struct lvs_rh *lvs = usb_get_intfdata(intf);
430 430
431 sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group); 431 sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group);
432 usb_poison_urb(lvs->urb); /* used in scheduled work */
432 flush_work(&lvs->rh_work); 433 flush_work(&lvs->rh_work);
433 usb_free_urb(lvs->urb); 434 usb_free_urb(lvs->urb);
434} 435}
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-12 13:23:05 -0400