• Alan Stern's avatar
    USB: fix invalid memory access in hub_activate() · 7d7ded54
    Alan Stern authored
    commit e50293ef upstream.
    
    Commit 8520f380 ("USB: change hub initialization sleeps to
    delayed_work") changed the hub_activate() routine to make part of it
    run in a workqueue.  However, the commit failed to take a reference to
    the usb_hub structure or to lock the hub interface while doing so.  As
    a result, if a hub is plugged in and quickly unplugged before the work
    routine can run, the routine will try to access memory that has been
    deallocated.  Or, if the hub is unplugged while the routine is
    running, the memory may be deallocated while it is in active use.
    
    This patch fixes the problem by taking a reference to the usb_hub at
    the start of hub_activate() and releasing it at the end (when the work
    is finished), and by locking the hub interface while the work routine
    is running.  It also adds a check at the start of the routine to see
    if the hub has already been disconnected, in which nothing should be
    done.
    Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
    Reported-by: default avatarAlexandru Cornea <alexandru.cornea@intel.com>
    Tested-by: default avatarAlexandru Cornea <alexandru.cornea@intel.com>
    Fixes: 8520f380 ("USB: change hub initialization sleeps to delayed_work")
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    [ luis: backported to 3.16:
      - Added forward declaration of hub_release() which mainline had with commit
        32a69589 ("usb: hub: convert khubd into workqueue") ]
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    7d7ded54
hub.c 163 KB