usb: gadget: function: use after free in printer_close()

Message ID	Y3dwwNlBoS13VcIR@kili (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-usb-owner@kernel.org> From: Dan Carpenter <error27@gmail.com> Date: Fri, 18 Nov 2022 14:47:12 +0300 To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Albert Briscoe <albertsbriscoe@gmail.com>, Felipe Balbi <balbi@kernel.org>, Zqiang <qiang.zhang@windriver.com>, linux-usb@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] usb: gadget: function: use after free in printer_close() Message-ID: <Y3dwwNlBoS13VcIR@kili> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk
Series	usb: gadget: function: use after free in printer_close() \| expand usb: gadget: function: use after free in printer_close()

Message ID

Y3dwwNlBoS13VcIR@kili (mailing list archive)

State

Superseded

Headers

From: Dan Carpenter <error27@gmail.com>
Date: Fri, 18 Nov 2022 14:47:12 +0300
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Albert Briscoe <albertsbriscoe@gmail.com>,
        Felipe Balbi <balbi@kernel.org>,
        Zqiang <qiang.zhang@windriver.com>, linux-usb@vger.kernel.org,
        kernel-janitors@vger.kernel.org
Subject: [PATCH] usb: gadget: function: use after free in printer_close()
Message-ID: <Y3dwwNlBoS13VcIR@kili>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk

Series

usb: gadget: function: use after free in printer_close() | expand

Commit Message

Dan Carpenter Nov. 18, 2022, 11:47 a.m. UTC

The printer_dev_free() function frees "dev" but then it is dereferenced
by the debug code on the next line.  The debug printk only prints the
function name so it's probably okay to just delete it.

Fixes: e8d5f92b8d30 ("usb: gadget: function: printer: fix use-after-free in __lock_acquire")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/usb/gadget/function/f_printer.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Andrzej Pietrasiewicz Nov. 21, 2022, 12:37 p.m. UTC | #1

Hi Dan,

W dniu 18.11.2022 o 12:47, Dan Carpenter pisze:
> The printer_dev_free() function frees "dev" but then it is dereferenced
> by the debug code on the next line.  The debug printk only prints the
> function name so it's probably okay to just delete it.
> 
> Fixes: e8d5f92b8d30 ("usb: gadget: function: printer: fix use-after-free in __lock_acquire")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>   drivers/usb/gadget/function/f_printer.c | 1 -
>   1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
> index a881c69b1f2b..7354bfe1e682 100644
> --- a/drivers/usb/gadget/function/f_printer.c
> +++ b/drivers/usb/gadget/function/f_printer.c
> @@ -382,7 +382,6 @@ printer_close(struct inode *inode, struct file *fd)
>   	spin_unlock_irqrestore(&dev->lock, flags);
>   
>   	kref_put(&dev->kref, printer_dev_free);
> -	DBG(dev, "printer_close\n");

I think that if you delete the DBG() here, it should also be deleted in
printer_open(). Alternatively this patch should reverse the order of
calls to kref_put() and DBG().

Regards,

Andrzej

>   
>   	return 0;
>   }

diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
index a881c69b1f2b..7354bfe1e682 100644
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -382,7 +382,6 @@  printer_close(struct inode *inode, struct file *fd)
 	spin_unlock_irqrestore(&dev->lock, flags);
 
 	kref_put(&dev->kref, printer_dev_free);
-	DBG(dev, "printer_close\n");
 
 	return 0;
 }

usb: gadget: function: use after free in printer_close()

Commit Message

Comments

Patch