On Wed, 12 Sep 2012, Alexander Shishkin wrote:
> Commit ff823c79a5c33194c2e5594f7c4686ea3547910c ("usb: move children
> to struct usb_port") forgot to consider the hub_disconnect sequence,
> which releases ports before quiescing the hub, which will lead to a
> use-after-free, since hub_quiesce() will try to disconnect ports'
> children, which are already deallocated. Simple modprobe dummy_hcd &&
> rmmod dummy_hcd will illustrate the problem.
>
> This patch moves deallocation of hub's ports after hub_quiesce() call
> in hub_disconnect().
>
> Cc: Lan Tianyu <tianyu.lan@xxxxxxxxx>
> Signed-off-by: Alexander Shishkin <alexander.shishkin@xxxxxxxxxxxxxxx>
Good fix, thank you.
Acked-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
