usb: misc: lvs: fix race condition in disconnect handling

There is a small window during which the an URB may
remain active after disconnect has returned. If in that case
already freed memory may be accessed and executed.

The fix is to poison the URB befotre the work is flushed.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c
index c7c210421217b228574e4565b7200600d2856814..b7fc978724de64998a8c322c54b7518df599a33f 100644 (file)
--- a/drivers/usb/misc/lvstest.c
+++ b/drivers/usb/misc/lvstest.c
@@ -429,6 +429,7 @@ static void lvs_rh_disconnect(struct usb_interface *intf)
        struct lvs_rh *lvs = usb_get_intfdata(intf);
 
        sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group);
+       usb_poison_urb(lvs->urb); /* used in scheduled work */
        flush_work(&lvs->rh_work);
        usb_free_urb(lvs->urb);
 }