www.infradead.org Git - users/jedix/linux-maple.git/commit
USB: fix invalid memory access in hub_activate()
author Alan Stern <stern@rowland.harvard.edu>
Wed, 16 Dec 2015 18:32:38 +0000 (13:32 -0500)
committer Chuck Anderson <chuck.anderson@oracle.com>
Thu, 5 May 2016 20:55:15 +0000 (13:55 -0700)
commit 7c1b0f8ef1ab499a5cc67c2e86dc3234dba7fe05
tree ad025669b931d89a8d6ecee6ece82562f57be25b
parent 0f52206299285275d2f4c3a659fd1e2ee0194870
USB: fix invalid memory access in hub_activate()

Commit 8520f38099cc ("USB: change hub initialization sleeps to
delayed_work") changed the hub_activate() routine to make part of it
run in a workqueue.  However, the commit failed to take a reference to
the usb_hub structure or to lock the hub interface while doing so.  As
a result, if a hub is plugged in and quickly unplugged before the work
routine can run, the routine will try to access memory that has been
deallocated.  Or, if the hub is unplugged while the routine is
running, the memory may be deallocated while it is in active use.

This patch fixes the problem by taking a reference to the usb_hub at
the start of hub_activate() and releasing it at the end (when the work
is finished), and by locking the hub interface while the work routine
is running.  It also adds a check at the start of the routine to see
if the hub has already been disconnected, in which case nothing should
be done.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea)

Orabug: 22876651
CVE: CVE-2015-8816

Signed-off-by: Manjunath Govindashetty <manjunath.govindashetty@oracle.com>
drivers/usb/core/hub.c
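
The lifetime rule the commit message describes, as a single-threaded user-space C model added here (not the kernel code and not part of the commit): activation takes its own reference before the work is queued, and the deferred work checks for disconnect before touching the hub. The struct, function names and counters are hypothetical, and the interface locking is left out because nothing runs concurrently in the model.

```c
#include <stdlib.h>

struct hub {           /* hypothetical stand-in for struct usb_hub */
    int refs;          /* models the reference count on the hub */
    int disconnected;  /* set when the hub is unplugged */
};
struct outcome { int freed_before_work, did_init, freed_at_end; };
static int hubs_freed; /* counts frees so the hub's lifetime is observable */

static void hub_put(struct hub *h) {
    if (--h->refs == 0) {
        free(h);
        hubs_freed++;
    }
}

/* First half of activation: pin the hub before the work is queued. */
static void activate_start(struct hub *h) {
    h->refs++;         /* the queued work now owns this reference */
}

/* Unplug: mark the hub gone and drop the driver binding's reference. */
static void disconnect(struct hub *h) {
    h->disconnected = 1;
    hub_put(h);
}

/* Deferred half: skip a disconnected hub, then drop the work's reference. */
static int activate_work(struct hub *h) {
    int did_init = !h->disconnected;  /* real code would set up ports here */
    hub_put(h);
    return did_init;
}

/* Plug a hub in; unplug it either before or after the queued work runs. */
static struct outcome run_scenario(int unplug_first) {
    struct outcome o = {0, 0, 0};
    int base = hubs_freed;
    struct hub *h = calloc(1, sizeof(*h));
    if (!h) return o;
    h->refs = 1;                      /* reference owned by the binding */
    activate_start(h);
    if (unplug_first) disconnect(h);
    o.freed_before_work = hubs_freed - base;  /* 0: memory still valid */
    o.did_init = activate_work(h);
    if (!unplug_first) disconnect(h);
    o.freed_at_end = hubs_freed - base;
    return o;
}
```

Without the `activate_start()` reference, the unplug-first path would free the hub before `activate_work()` reads it, which is the invalid access the commit message describes.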