diff options
author | Bjørn Mork <bjorn@mork.no> | 2012-05-09 13:53:23 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-05-11 15:19:22 -0700 |
commit | 6286d85e8efdb59252d1ceb99a56fa6b0b11526c (patch) | |
tree | 37b91b39c74370899aedd708921f6774850cd52a /drivers/usb/class/cdc-wdm.c | |
parent | 6b0b79d38806481c1c8fffa7c5842f3c83679a42 (diff) | |
download | op-kernel-dev-6286d85e8efdb59252d1ceb99a56fa6b0b11526c.zip op-kernel-dev-6286d85e8efdb59252d1ceb99a56fa6b0b11526c.tar.gz |
USB: cdc-wdm: remove from device list on disconnect
Prevents dereferencing an invalid struct usb_interface
pointer.
Always delete entry from device list whether or not the
rest of the device state cleanup is postponed. The device
list uses desc->intf as key, and wdm_open will dereference
this key while searching for a matching device. A device
should not appear in the list unless probe() has succeeded
and disconnect() has not finished.
Cc: Oliver Neukum <oliver@neukum.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/class/cdc-wdm.c')
-rw-r--r-- | drivers/usb/class/cdc-wdm.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index 90bc916..631bb95 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -309,9 +309,6 @@ static void free_urbs(struct wdm_device *desc) static void cleanup(struct wdm_device *desc) { - spin_lock(&wdm_device_list_lock); - list_del(&desc->device_list); - spin_unlock(&wdm_device_list_lock); kfree(desc->sbuf); kfree(desc->inbuf); kfree(desc->orq); @@ -782,6 +779,9 @@ static int wdm_create(struct usb_interface *intf, struct usb_endpoint_descriptor out: return rv; err: + spin_lock(&wdm_device_list_lock); + list_del(&desc->device_list); + spin_unlock(&wdm_device_list_lock); cleanup(desc); return rv; } @@ -907,6 +907,12 @@ static void wdm_disconnect(struct usb_interface *intf) cancel_work_sync(&desc->rxwork); mutex_unlock(&desc->wlock); mutex_unlock(&desc->rlock); + + /* the desc->intf pointer used as list key is now invalid */ + spin_lock(&wdm_device_list_lock); + list_del(&desc->device_list); + spin_unlock(&wdm_device_list_lock); + if (!desc->count) cleanup(desc); else |