| From 33dc29e1e6bc2d9eab5c99eb8598fe7b6bb855ec Mon Sep 17 00:00:00 2001 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Tue, 15 Oct 2019 19:55:22 +0200 |
| Subject: [PATCH] USB: usblp: fix use-after-free on disconnect |
| |
| commit 7a759197974894213621aa65f0571b51904733d6 upstream. |
| |
| A recent commit addressing a runtime PM use-count regression, introduced |
| a use-after-free by not making sure we held a reference to the struct |
| usb_interface for the lifetime of the driver data. |
| |
| Fixes: 9a31535859bf ("USB: usblp: fix runtime PM after driver unbind") |
| Cc: stable <stable@vger.kernel.org> |
| Reported-by: syzbot+cd24df4d075c319ebfc5@syzkaller.appspotmail.com |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Link: https://lore.kernel.org/r/20191015175522.18490-1-johan@kernel.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c |
| index 502e9bf1746f..4a80103675d5 100644 |
| --- a/drivers/usb/class/usblp.c |
| +++ b/drivers/usb/class/usblp.c |
| @@ -445,6 +445,7 @@ static void usblp_cleanup(struct usblp *usblp) |
| kfree(usblp->readbuf); |
| kfree(usblp->device_id_string); |
| kfree(usblp->statusbuf); |
| + usb_put_intf(usblp->intf); |
| kfree(usblp); |
| } |
| |
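Review bot: The set of frees in usblp_cleanup() is now repeated on the error path of usblp_probe() (the hunk at -1196), so the `usb_put_intf(usblp->intf);` that balances the new reference has to be kept in sync in two places. Dropping it from either one leaks the interface reference, and an extra put would release the interface early. A small static helper that frees the three buffers, drops the interface reference and then frees usblp, called from both sites, would keep the pairing in one place. The put must also stay ahead of `kfree(usblp)` because it reads `usblp->intf`, which a comment such as `/* drop the reference taken in usblp_probe(); must precede kfree(usblp) */` would record. usblp_cleanup() begins outside this hunk, so anything it does before the frees is not visible here.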
| @@ -1107,7 +1108,7 @@ static int usblp_probe(struct usb_interface *intf, |
| init_waitqueue_head(&usblp->wwait); |
| init_usb_anchor(&usblp->urbs); |
| usblp->ifnum = intf->cur_altsetting->desc.bInterfaceNumber; |
| - usblp->intf = intf; |
| + usblp->intf = usb_get_intf(intf); |
| |
| /* Malloc device ID string buffer to the largest expected length, |
| * since we can re-query it on an ioctl and a dynamic string |
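Review bot: The line `usblp->intf = usb_get_intf(intf);` now takes a reference, but nothing at the call site says where it is released or why it is needed. Per the commit message the interface has to stay valid for the lifetime of the driver data, so a comment above the line such as `/* hold the interface for the lifetime of usblp; released in usblp_cleanup() and on the probe error path */` would make the ownership explicit. The label leading to the error-path put is outside the visible hunks, so it is worth confirming that every jump to it happens after this assignment, or that usblp is zero-allocated so the put sees NULL. usblp_probe() starts and ends outside this hunk.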
| @@ -1196,6 +1197,7 @@ static int usblp_probe(struct usb_interface *intf, |
| kfree(usblp->readbuf); |
| kfree(usblp->statusbuf); |
| kfree(usblp->device_id_string); |
| + usb_put_intf(usblp->intf); |
| kfree(usblp); |
| abort_ret: |
| return retval; |
| -- |
| 2.7.4 |
| |