USB: fix use-after-free bug in usb_hcd_unlink_urb()

The usb_hcd_unlink_urb() routine in hcd.c contains two possible use-after-free errors. The dev_dbg() statement at the end of the routine dereferences urb and urb->dev even though both structures may have been deallocated. This patch fixes the problem by storing urb->dev in a local variable (avoiding the dereference of urb) and moving the dev_dbg() up before the usb_put_dev() call. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Joe Lawrence <joe.lawrence@stratus.com> Tested-by: Joe Lawrence <joe.lawrence@stratus.com> CC: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
author: Alan Stern <stern@rowland.harvard.edu> 2015-01-30 12:58:26 -0500
committer: Greg Kroah-Hartman <greg@kroah.com> 2015-01-31 12:05:06 -0500
commit: c99197902da284b4b723451c1471c45b18537cde (patch)
tree: ff9d749b80d391ccc7b2dcd769c475facdeb9897 /drivers/usb/core
parent: cefa9a31a5f0856b81d53030815485fcb1fe8aab (diff)
1 files changed, 8 insertions, 8 deletions
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 11cee55ae397..45a915ccd71c 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -1618,6 +1618,7 @@ static int unlink1(struct usb_hcd *hcd, struct urb *urb, int status)
 int usb_hcd_unlink_urb (struct urb *urb, int status)
 {
        struct usb_hcd          *hcd;
+        struct usb_device       *udev = urb->dev;
        int                     retval = -EIDRM;
        unsigned long           flags;
@@ -1629,20 +1630,19 @@ int usb_hcd_unlink_urb (struct urb *urb, int status)
        spin_lock_irqsave(&hcd_urb_unlink_lock, flags);
        if (atomic_read(&urb->use_count) > 0) {
                retval = 0;
-                usb_get_dev(urb->dev);
+                usb_get_dev(udev);
        }
        spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags);
        if (retval == 0) {
                hcd = bus_to_hcd(urb->dev->bus);
                retval = unlink1(hcd, urb, status);
-                usb_put_dev(urb->dev);
+                if (retval == 0)
+                        retval = -EINPROGRESS;
+                else if (retval != -EIDRM && retval != -EBUSY)
+                        dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n",
+                                        urb, retval);
+                usb_put_dev(udev);
        }
-        if (retval == 0)
-                retval = -EINPROGRESS;
-        else if (retval != -EIDRM && retval != -EBUSY)
-                dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n",
-                                urb, retval);
        return retval;
 }
author	Alan Stern <stern@rowland.harvard.edu>	2015-01-30 12:58:26 -0500
committer	Greg Kroah-Hartman <greg@kroah.com>	2015-01-31 12:05:06 -0500
commit	c99197902da284b4b723451c1471c45b18537cde (patch)
tree	ff9d749b80d391ccc7b2dcd769c475facdeb9897 /drivers/usb/core
parent	cefa9a31a5f0856b81d53030815485fcb1fe8aab (diff)