--- /dev/null
+From 44a182b9d17765514fa2b1cc911e4e65134eef93 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 3 May 2018 17:30:07 +0300
+Subject: xhci: Fix use-after-free in xhci_free_virt_device
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream.
+
+KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
+where xhci_free_virt_device() sets slot id to 0 if udev exists:
+if (dev->udev && dev->udev->slot_id)
+ dev->udev->slot_id = 0;
+
+dev->udev will be true even if udev is freed because dev->udev is
+not set to NULL.
+
+set dev->udev pointer to NULL in xhci_free_dev()
+
+The original patch went to stable so this fix needs to be applied
+there as well.
+
+Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
+Cc: <stable@vger.kernel.org>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3551,6 +3551,7 @@ static void xhci_free_dev(struct usb_hcd
+ del_timer_sync(&virt_dev->eps[i].stop_cmd_timer);
+ }
+
++ virt_dev->udev = NULL;
+ xhci_disable_slot(xhci, udev->slot_id);
+ /*
+ * Event command completion handler will free any data structures
projects / thirdparty / kernel / stable-queue.git / commitdiff
