Received: by 10.213.65.68 with SMTP id h4csp1775365imn;
        Mon, 19 Mar 2018 12:57:28 -0700 (PDT)
X-Google-Smtp-Source: AG47ELssBPSL4PqMZFCk++CnQUQjRmKR9PgyLSkOGViD70mT4kdlEGL8RiKo7fmxSdbmJu6GQXdp
X-Received: by 10.99.120.198 with SMTP id t189mr10320248pgc.0.1521489448498;
        Mon, 19 Mar 2018 12:57:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521489448; cv=none;
        d=google.com; s=arc-20160816;
        b=uePQSPFNgbkTh07K1FN34C0r0v4ETwD7DuoTK2y3cMDTGxjqJr8nO8FaA2YHUw8XbM
         3aLZtBPM/8nPwOEizpEO1RInjSnzWkkG60bVQqcHsoi3cyMIMInkNAvll6CvKynJieQt
         p9QBz230x2ik0NmhFaURZyoJ3jNxpk6spXTZWI+WcUrfXrJiX44ntHc9soB37XSd6Yzj
         EoPV1Em0Z132u/PB9CtloBAFOWtigASQnVt7Vf/IcqJVTSVxr7YMnw54CRrlsHzeSjbo
         QPBJGg1tc0q1n+cThwVAAl80NI3F+YfHo123jqiyl0NXhT+3pHTIG7Up04iypCDAV8Wv
         shKQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=bVYeul09x2/KTk9nBRa6BhjUwVQgthjmgDPHM5zubAk=;
        b=fO7Ys7eklje10PjH1evcPDyQV/J4Gdvd8vNjLVsLyA3U4VxgF4Tdl3siL+6+9icrzx
         wGkubralItzwjCuGqUyRhpLmNsvF+MRaLsXsJcSM+7WFVj/IwzU5GwMlMLoSAcNrPoJx
         H+IRwsbKApPrYkeat+h9YzwFgGoH9aDXqmxi2X6x/gXHT0eY2PGOr/Lsnb5DjiGr5YFg
         393YI0S+c2BPVlwmL8MtnToLKtOlOko1GKDtJD5ZBfUooEJ0of3VBGI/bJ18Jqbfh5cx
         Q04Yi4/7izMI6L28NN+dpAbxmLklQiQdp6CSWbvIoFLlSpf6lCDpMFLiNrU1kMwlc07D
         T5SQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 34-v6si590578plp.252.2018.03.19.12.57.14;
        Mon, 19 Mar 2018 12:57:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S969432AbeCSTz2 (ORCPT <rfc822;carmate383@gmail.com> + 99 others);
        Mon, 19 Mar 2018 15:55:28 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:47098 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S969382AbeCSSTW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Mar 2018 14:19:22 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 2E12C1110;
        Mon, 19 Mar 2018 18:19:22 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Oliver Neukum <oneukum@suse.com>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.9 035/241] usb: misc: lvs: fix race condition in disconnect handling
Date:   Mon, 19 Mar 2018 19:05:00 +0100
Message-Id: <20180319180752.635543182@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180319180751.172155436@linuxfoundation.org>
References: <20180319180751.172155436@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>


[ Upstream commit c4ba329cabca7c839ab48fb58b5bcc2582951a48 ]

There is a small window during which the an URB may
remain active after disconnect has returned. If in that case
already freed memory may be accessed and executed.

The fix is to poison the URB befotre the work is flushed.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/misc/lvstest.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/misc/lvstest.c
+++ b/drivers/usb/misc/lvstest.c
@@ -433,6 +433,7 @@ static void lvs_rh_disconnect(struct usb
 	struct lvs_rh *lvs = usb_get_intfdata(intf);
 
 	sysfs_remove_group(&intf->dev.kobj, &lvs_attr_group);
+	usb_poison_urb(lvs->urb); /* used in scheduled work */
 	flush_work(&lvs->rh_work);
 	usb_free_urb(lvs->urb);
 }