* [PATCH] usb: gadget: pch_udc: fix use after free
@ 2019-11-06  8:38 Pan Bian
  2019-11-06  8:54 ` Andy Shevchenko
  0 siblings, 1 reply; 3+ messages in thread
From: Pan Bian @ 2019-11-06  8:38 UTC (permalink / raw)
  To: Felipe Balbi, Greg Kroah-Hartman, Colin Ian King,
	Andy Shevchenko, Bjorn Helgaas, Chuhong Yuan
  Cc: linux-usb, linux-kernel, Pan Bian

The next field of the DMA descriptor is written after releasing the
descriptor, which may result in a use-after-free issue. Set the value of
the field before it is released to fix the bug.

Signed-off-by: Pan Bian <bianpan2016@163.com>
---
 drivers/usb/gadget/udc/pch_udc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
index 265dab2bbfac..c5b8ec908aab 100644
--- a/drivers/usb/gadget/udc/pch_udc.c
+++ b/drivers/usb/gadget/udc/pch_udc.c
@@ -1518,8 +1518,8 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev,
 		/* do not free first desc., will be done by free for request */
 		td = phys_to_virt(addr);
 		addr2 = (dma_addr_t)td->next;
-		dma_pool_free(dev->data_requests, td, addr);
 		td->next = 0x00;
+		dma_pool_free(dev->data_requests, td, addr);
 		addr = addr2;
 	}
 	req->chain_len = 1;
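Review bot: The `td->next = 0x00;` store that this hunk moves ahead of `dma_pool_free(dev->data_requests, td, addr);` has no reader in the lines shown: the link has already been copied into `addr2`, and `td` is handed back to the pool on the very next line. Reordering does remove the write to freed memory, but dropping the assignment altogether would achieve the same with one line less and no dead store. If something does rely on the cleared link (for example the controller still walking the chain), a comment saying so belongs next to the assignment.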
-- 
2.7.4



* Re: [PATCH] usb: gadget: pch_udc: fix use after free
  2019-11-06  8:38 [PATCH] usb: gadget: pch_udc: fix use after free Pan Bian
@ 2019-11-06  8:54 ` Andy Shevchenko
  2019-11-06 20:35   ` Gustavo A. R. Silva
  0 siblings, 1 reply; 3+ messages in thread
From: Andy Shevchenko @ 2019-11-06  8:54 UTC (permalink / raw)
  To: Pan Bian, Gustavo A. R. Silva
  Cc: Felipe Balbi, Greg Kroah-Hartman, Colin Ian King,
	Andy Shevchenko, Bjorn Helgaas, Chuhong Yuan, USB,
	Linux Kernel Mailing List

On Wed, Nov 6, 2019 at 10:41 AM Pan Bian <bianpan2016@163.com> wrote:
>
> The next field of the DMA descriptor is written after releasing the
> descriptor, which may result in a use-after-free issue. Set the value of
> the field before it is released to fix the bug.
>

Have you had a chance to read the discussion [1]?
I've Cc'ed Gustavo to hear from him about the destiny of the change.

[1]: http://lkml.iu.edu/hypermail/linux/kernel/1702.1/00843.html

> Signed-off-by: Pan Bian <bianpan2016@163.com>
> ---
>  drivers/usb/gadget/udc/pch_udc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
> index 265dab2bbfac..c5b8ec908aab 100644
> --- a/drivers/usb/gadget/udc/pch_udc.c
> +++ b/drivers/usb/gadget/udc/pch_udc.c
> @@ -1518,8 +1518,8 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev,
>                 /* do not free first desc., will be done by free for request */
>                 td = phys_to_virt(addr);
>                 addr2 = (dma_addr_t)td->next;
> -               dma_pool_free(dev->data_requests, td, addr);
>                 td->next = 0x00;
> +               dma_pool_free(dev->data_requests, td, addr);
>                 addr = addr2;
>         }
>         req->chain_len = 1;
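Review bot: Not introduced by this patch, but the context line `td = phys_to_virt(addr);` treats `addr`, the same value passed to `dma_pool_free()` as the DMA handle, as a physical address, which only holds when DMA and physical addresses coincide (no IOMMU or bus offset). While this loop is being touched, consider walking the chain through CPU pointers kept alongside the handles instead of converting each `td->next` back with `phys_to_virt()`.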
> --
> 2.7.4
>


-- 
With Best Regards,
Andy Shevchenko


* Re: [PATCH] usb: gadget: pch_udc: fix use after free
  2019-11-06  8:54 ` Andy Shevchenko
@ 2019-11-06 20:35   ` Gustavo A. R. Silva
  0 siblings, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2019-11-06 20:35 UTC (permalink / raw)
  To: Andy Shevchenko, Pan Bian
  Cc: Felipe Balbi, Greg Kroah-Hartman, Colin Ian King,
	Andy Shevchenko, Bjorn Helgaas, Chuhong Yuan, USB,
	Linux Kernel Mailing List



On 11/6/19 02:54, Andy Shevchenko wrote:
> On Wed, Nov 6, 2019 at 10:41 AM Pan Bian <bianpan2016@163.com> wrote:
>>
>> The next field of the DMA descriptor is written after releasing the
>> descriptor, which may result in a use-after-free issue. Set the value of
>> the field before it is released to fix the bug.
>>
> 
> Have you had a chance to read the discussion [1]?
> I've Cc'ed Gustavo to hear from him about the destiny of the change.
> 

Wow, thanks for reminding me about this thread, Andy.
I had totally forgotten about this for more than two years... :|

Here is the final version:

https://lore.kernel.org/lkml/20191106202821.GA20347@embeddedor/

Thanks
--
Gustavo

