| author | Jia-Ju Bai <baijiaju1990@gmail.com> | 2018-12-18 20:04:25 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-01-13 10:05:29 +0100 |
| commit | a5d6edaafdcfa43f6c7aaa66d1bd1faba9a04cb4 (patch) | |
| tree | d4e5d56dfca4af2346ea7a10ed6f42b0e6032ad6 /scripts/objdiff | |
| parent | bef5854270bad17164af00861b9ecb3dede5cf88 (diff) | |
usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
commit c85400f886e3d41e69966470879f635a2b50084c upstream.
The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
be concurrently executed.
The two functions both access a possible shared variable "hep->hcpriv".
This shared variable is freed by r8a66597_endpoint_disable() via the
call path:
```
r8a66597_endpoint_disable
  kfree(hep->hcpriv) (line 1995 in Linux-4.19)
```
This variable is read by r8a66597_urb_enqueue() via the call path:
```
r8a66597_urb_enqueue
  spin_lock_irqsave(&r8a66597->lock)
  init_pipe_info
    enable_r8a66597_pipe
      pipe = hep->hcpriv (line 802 in Linux-4.19)
```
The read operation is protected by a spinlock, but the free operation
is not protected by this spinlock, thus a concurrency use-after-free bug
may occur.
To fix this bug, the spin-lock and spin-unlock function calls in
r8a66597_endpoint_disable() are moved to protect the free operation.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'scripts/objdiff')
0 files changed, 0 insertions, 0 deletions
