tjh.dev
USB: fix race leading to a write after kfree in usbfs
this fixes a race between async_completed() and proc_reapurbnonblock().
CPU A CPU B
spin_lock(&ps->lock);
list_move_tail(&as->asynclist, &ps->async_completed);
spin_unlock(&ps->lock);
if (!(as = async_getcompleted(ps)))
return -EAGAIN;
return processcompl(as, (void __user * __user *)arg);
processcompl() calls free_async() which calls kfree(as)
as->status = urb->status;
if (as->signr) {
sinfo.si_signo = as->signr;
sinfo.si_errno = as->status;
sinfo.si_code = SI_ASYNCIO;
sinfo.si_addr = as->userurb;
kill_pid_info_as_uid(as->signr, &sinfo, as->pid, as->uid,
as->euid, as->secid);
}
snoop(&urb->dev->dev, "urb complete\n");
snoop_urb(urb, as->userurb);
write after kfree
Signed-off-by: Oliver Neukum <oliver@neukum.org>
authored by Oliver Neukum and committed by Greg Kroah-Hartman 516a1a07 7bae0a07