From 51b6bd8d956443112d21cfabfc22f55e17b01456 Mon Sep 17 00:00:00 2001
From: Luke <luke.wilde@live.co.uk>
Date: Sat, 14 Aug 2021 22:09:41 +0100
Subject: [PATCH] Kernel/USB: Remove UAF in device removal

I was using a raw pointer instead of a RefPtr to keep the device alive
during removal.
---
 Kernel/Bus/USB/USBHub.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Kernel/Bus/USB/USBHub.cpp b/Kernel/Bus/USB/USBHub.cpp
index ffe1d8ff58..ef6cc67b71 100644
--- a/Kernel/Bus/USB/USBHub.cpp
+++ b/Kernel/Bus/USB/USBHub.cpp
@@ -297,7 +297,7 @@ void Hub::check_for_port_updates()
             } else {
                 dbgln("USB Hub: Device detached on port {}!", port_number);
 
-                Device* device_to_remove = nullptr;
+                RefPtr<Device> device_to_remove = nullptr;
                 for (auto& child : m_children) {
                     if (port_number == child.port()) {
                         device_to_remove = &child;
@@ -310,7 +310,7 @@ void Hub::check_for_port_updates()
                     SysFSUSBBusDirectory::the().unplug(*device_to_remove);
 
                     if (device_to_remove->device_descriptor().device_class == USB_CLASS_HUB) {
-                        auto* hub_child = static_cast<Hub*>(device_to_remove);
+                        auto* hub_child = static_cast<Hub*>(device_to_remove.ptr());
                         hub_child->remove_children_from_sysfs();
                     }
                 } else {