xhci: fix possible null pointer deref during xhci urb enqueue - kernel

diff options

author	Mathias Nyman <[email protected]>	2023-12-01 15:06:47 +0000
committer	Greg Kroah-Hartman <[email protected]>	2023-12-04 06:50:40 +0000
commit	e2e2aacf042f52854c92775b7800ba668e0bdfe4 (patch)
tree	21989b2474be1b90e2bdd0f5730d13540c587ea4 /drivers/usb/cdns3/cdnsp-debug.h
parent	xhci: Reconfigure endpoint 0 max packet size only during endpoint reset (diff)
download	kernel-e2e2aacf042f52854c92775b7800ba668e0bdfe4.tar.gz kernel-e2e2aacf042f52854c92775b7800ba668e0bdfe4.zip

xhci: fix possible null pointer deref during xhci urb enqueue

There is a short gap between urb being submitted and actually added to the endpoint queue (linked). If the device is disconnected during this time then usb core is not yet aware of the pending urb, and device may be freed just before xhci_urq_enqueue() continues, dereferencing the freed device. Freeing the device is protected by the xhci spinlock, so make sure we take and keep the lock while checking that device exists, dereference it, and add the urb to the queue. Remove the unnecessary URB check, usb core checks it before calling xhci_urb_enqueue() Suggested-by: Kuen-Han Tsai <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>

Diffstat (limited to 'drivers/usb/cdns3/cdnsp-debug.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: