thunderbolt: Keep the domain reference while processing hotplug

We process hotplug events in a workqueue that may run after the domain
has been removed by tb_domain_remove(). For example if user unloads the
driver while at the same time plugging  a device router we may have
scheduled tb_handle_hotplug() to run. Avoid possible UAF in this case by
taking the domain reference before scheduling the hotplug handler in
tb_queue_hotplug().

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>

diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c
index c69c323e6952a36d98bb82f8d1c47f77fd25718e..34b7d18cce560cbdba2f2e8fa638fab0a7b188ba 100644 (file)
--- a/drivers/thunderbolt/tb.c
+++ b/drivers/thunderbolt/tb.c
@@ -98,7 +98,7 @@ static void tb_queue_hotplug(struct tb *tb, u64 route, u8 port, bool unplug)
        if (!ev)
                return;
 
-       ev->tb = tb;
+       ev->tb = tb_domain_get(tb);
        ev->route = route;
        ev->port = port;
        ev->unplug = unplug;
@@ -2527,6 +2527,9 @@ out:
        pm_runtime_mark_last_busy(&tb->dev);
        pm_runtime_put_autosuspend(&tb->dev);
 
+       /* Undo the refcount increased in tb_queue_hotplug() */
+       tb_domain_put(tb);
+
        kfree(ev);
 }