When the call to usb_new_device() in usb_hub_port_connect_change()
fails and the corresponding USB device is freed with usb_free_device(), we
need to make sure that the pointer to it stored in dev->children[port]
is removed as well, lest we risk a use-after-free.

This issue was observed when working with a device for which
usb_set_address() would fail and trying to do "usb" right afterwards.

Signed-off-by: Andrey Smirnov <[email protected]>
---
 drivers/usb/core/hub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index f44aea55a..70f633ed8 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -233,6 +233,7 @@ static void usb_hub_port_connect_change(struct usb_device 
*dev, int port)
                dev_dbg(&dev->dev, "hub: disabling port %d\n", port + 1);
                usb_clear_port_feature(dev, port + 1, USB_PORT_FEAT_ENABLE);
                usb_free_device(usb);
+               dev->children[port] = NULL;
                return;
        }
 
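Review bot: The new `dev->children[port] = NULL;` is placed after `usb_free_device(usb);`, which leaves a short window in which the hub still holds a dangling pointer; that is harmless in a single-threaded bootloader, but clearing the slot before the free (next to the `dev_dbg(...)` / `usb_clear_port_feature(...)` lines) would make the invariant "no freed device is ever reachable from children[]" obvious at a glance. A one-line comment tying the assignment to the use-after-free described in the commit message would also help the next reader, and it is worth checking whether any other early return in this function frees `usb` after it has been stored in `dev->children[port]` and needs the same treatment.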
-- 
2.17.1


_______________________________________________
barebox mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/barebox