USB: serial: Fix use after free in debug printk

Message ID	7d0481da-5852-4566-9adb-3a8bb74cb159@stanley.mountain (mailing list archive)
State	New
Headers	show Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C6EC91482E8 for <linux-usb@vger.kernel.org>; Thu, 31 Oct 2024 06:59:15 +0000 (UTC) Date: Thu, 31 Oct 2024 09:59:10 +0300 From: Dan Carpenter <dan.carpenter@linaro.org> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Johan Hovold <johan@kernel.org>, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] USB: serial: Fix use after free in debug printk Message-ID: <7d0481da-5852-4566-9adb-3a8bb74cb159@stanley.mountain> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
Series	USB: serial: Fix use after free in debug printk \| expand USB: serial: Fix use after free in debug printk

Message ID

7d0481da-5852-4566-9adb-3a8bb74cb159@stanley.mountain (mailing list archive)

State

New

Headers

Date: Thu, 31 Oct 2024 09:59:10 +0300
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Johan Hovold <johan@kernel.org>, linux-usb@vger.kernel.org,
	linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] USB: serial: Fix use after free in debug printk
Message-ID: <7d0481da-5852-4566-9adb-3a8bb74cb159@stanley.mountain>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Series

USB: serial: Fix use after free in debug printk | expand

Commit Message

Dan Carpenter Oct. 31, 2024, 6:59 a.m. UTC

The dev_dbg() call dereferences "urb" but it was already freed on the
previous line.  Move the debug output earlier in the function.

Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/usb/serial/io_edgeport.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

Comments

Johan Hovold Oct. 31, 2024, 9:07 a.m. UTC | #1

On Thu, Oct 31, 2024 at 09:59:10AM +0300, Dan Carpenter wrote:
> The dev_dbg() call dereferences "urb" but it was already freed on the
> previous line.  Move the debug output earlier in the function.

Thanks for catching this, but please use a temporary variable for the
struct device pointer instead of changing the flow.

Also make sure to include the driver name in the patch summary prefix
(i.e. "USB: serial: io_edgeport: ..."):

> Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage")
> Cc: stable@vger.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Johan

Dan Carpenter Oct. 31, 2024, 9:35 a.m. UTC | #2

On Thu, Oct 31, 2024 at 10:07:42AM +0100, Johan Hovold wrote:
> On Thu, Oct 31, 2024 at 09:59:10AM +0300, Dan Carpenter wrote:
> > The dev_dbg() call dereferences "urb" but it was already freed on the
> > previous line.  Move the debug output earlier in the function.
> 
> Thanks for catching this, but please use a temporary variable for the
> struct device pointer instead of changing the flow.
> 

Why?  The output is the same either way and this way is cleaner code.

> Also make sure to include the driver name in the patch summary prefix
> (i.e. "USB: serial: io_edgeport: ..."):

Sure.

regards,
dan carpenter

Dan Carpenter Oct. 31, 2024, 9:39 a.m. UTC | #3

On Thu, Oct 31, 2024 at 12:35:31PM +0300, Dan Carpenter wrote:
> On Thu, Oct 31, 2024 at 10:07:42AM +0100, Johan Hovold wrote:
> > On Thu, Oct 31, 2024 at 09:59:10AM +0300, Dan Carpenter wrote:
> > > The dev_dbg() call dereferences "urb" but it was already freed on the
> > > previous line.  Move the debug output earlier in the function.
> > 
> > Thanks for catching this, but please use a temporary variable for the
> > struct device pointer instead of changing the flow.
> > 
> 
> Why?  The output is the same either way and this way is cleaner code.
> 

Nah, you're right.  A temporary variable is nicer.  It avoids having two if
statements.

regards,
dan carpenter

Johan Hovold Oct. 31, 2024, 1:21 p.m. UTC | #4

On Thu, Oct 31, 2024 at 12:39:10PM +0300, Dan Carpenter wrote:
> On Thu, Oct 31, 2024 at 12:35:31PM +0300, Dan Carpenter wrote:
> > On Thu, Oct 31, 2024 at 10:07:42AM +0100, Johan Hovold wrote:
> > > On Thu, Oct 31, 2024 at 09:59:10AM +0300, Dan Carpenter wrote:
> > > > The dev_dbg() call dereferences "urb" but it was already freed on the
> > > > previous line.  Move the debug output earlier in the function.
> > > 
> > > Thanks for catching this, but please use a temporary variable for the
> > > struct device pointer instead of changing the flow.
> > 
> > Why?  The output is the same either way and this way is cleaner code.
> 
> Nah, you're right.  A temporary variable is nicer.  It avoids having two if
> statements.

Yeah, and the debug printk belongs with the return.

v2 now applied, thanks.

Johan

diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index c7d6b5e3f898..b8f1bd41fb24 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -775,7 +775,10 @@  static void edge_bulk_out_cmd_callback(struct urb *urb)
 	atomic_dec(&CmdUrbs);
 	dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n",
 		__func__, urb, atomic_read(&CmdUrbs));
-
+	if (status)
+		dev_dbg(&urb->dev->dev,
+			"%s - nonzero write bulk status received: %d\n",
+			__func__, status);
 
 	/* clean up the transfer buffer */
 	kfree(urb->transfer_buffer);
@@ -783,12 +786,8 @@  static void edge_bulk_out_cmd_callback(struct urb *urb)
 	/* Free the command urb */
 	usb_free_urb(urb);
 
-	if (status) {
-		dev_dbg(&urb->dev->dev,
-			"%s - nonzero write bulk status received: %d\n",
-			__func__, status);
+	if (status)
 		return;
-	}
 
 	/* tell the tty driver that something has changed */
 	if (edge_port->open)

USB: serial: Fix use after free in debug printk

Commit Message

Comments

Patch