usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() - BMC/Intel-BMC/linux.git - Intel OpenBMC Linux kernel source tree (mirror)

diff options

author	Jia-Ju Bai <baijiaju1990@gmail.com>	2018-12-18 15:04:25 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-12-19 10:13:26 +0300
commit	c85400f886e3d41e69966470879f635a2b50084c (patch)
tree	c567f6146fb5ff13a0ed311085cf6ac622f7e189 /drivers/usb/class
parent	c710d0bb76ff0795d8b6c1cda1e01e6e1e661a4a (diff)
download	linux-c85400f886e3d41e69966470879f635a2b50084c.tar.xz

usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()

The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may be concurrently executed. The two functions both access a possible shared variable "hep->hcpriv". This shared variable is freed by r8a66597_endpoint_disable() via the call path: r8a66597_endpoint_disable kfree(hep->hcpriv) (line 1995 in Linux-4.19) This variable is read by r8a66597_urb_enqueue() via the call path: r8a66597_urb_enqueue spin_lock_irqsave(&r8a66597->lock) init_pipe_info enable_r8a66597_pipe pipe = hep->hcpriv (line 802 in Linux-4.19) The read operation is protected by a spinlock, but the free operation is not protected by this spinlock, thus a concurrency use-after-free bug may occur. To fix this bug, the spin-lock and spin-unlock function calls in r8a66597_endpoint_disable() are moved to protect the free operation. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'drivers/usb/class')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: