On Mon, Feb 20, 2017 at 03:38:42PM +0100, Oliver Neukum wrote:
> There is a small window during which an URB may
> remain active after disconnect has returned. In that case
> already freed memory may be accessed and executed.
>
> The fix is to poison the URB before the work is flushed.
>
> Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
> ---
> drivers/usb/misc/lvstest.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c
> index 7717651..e5d2500 100644
> --- a/drivers/usb/misc/lvstest.c
> +++ b/drivers/usb/misc/lvstest.c
> @@ -429,6 +429,8 @@ static void lvs_rh_disconnect(struct usb_interface *intf)
> struct lvs_rh *lvs = usb_get_intfdata(intf);
>
> sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group);
> + usb_poison_urb(lvs->urb); /* used in scheduled work */
> + (lvs->urb);

Is that second line really needed?
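
Review bot: the second added line in lvs_rh_disconnect(), `+ (lvs->urb);`, is a bare parenthesised expression with no function name in front of it, so as posted it evaluates lvs->urb and discards the result. Either drop it, or, if a call on the URB was intended there, resend with the function name restored and say in the commit message what that call is for. The commit message also relies on the poison happening before the work is flushed, but the flush is not visible in this hunk's context; it would help to name the flush call in the message or extend the context so the ordering that closes the use-after-free window can be checked from the patch itself.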