Linux kernel source tree
Tom Rix 70a6e4e9d6 USB: c67x00: fix use after free in c67x00_giveback_urb
commit 211f083473 upstream.

clang static analysis flags this error

c67x00-sched.c:489:55: warning: Use of memory after it is freed [unix.Malloc]
        usb_hcd_giveback_urb(c67x00_hcd_to_hcd(c67x00), urb, urbp->status);
                                                             ^~~~~~~~~~~~

Problem happens in this block of code

	c67x00_release_urb(c67x00, urb);
	usb_hcd_unlink_urb_from_ep(c67x00_hcd_to_hcd(c67x00), urb);
	spin_unlock(&c67x00->lock);
	usb_hcd_giveback_urb(c67x00_hcd_to_hcd(c67x00), urb, urbp->status);

The call to c67x00_release_urb has this freeing of urbp

	urbp = urb->hcpriv;
	urb->hcpriv = NULL;
	list_del(&urbp->hep_node);
	kfree(urbp);

And so urbp is freed before usb_hcd_giveback_urb uses it as its 3rd
parameter.

Since all that is required is the status, pass the status directly as is
done in c67x00_urb_dequeue

Fixes: e9b29ffc51 ("USB: add Cypress c67x00 OTG controller HCD driver")
Signed-off-by: Tom Rix <trix@redhat.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200708131243.24336-1-trix@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-22 09:32:08 +02:00
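
The ordering problem in the commit message above, as an added userspace model (not code from the kernel tree or from the commit): a "freed" object is poisoned with 0x6b, the byte SLUB poisoning uses, so the stale read is visible without touching real freed memory. The model_* helpers, the static slot and the status value -71 are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed userspace model; names follow the commit message, not kernel definitions. */
struct urb_priv { int status; };
struct urb { struct urb_priv *hcpriv; };

#define POISON_FREE 0x6b      /* byte SLUB poisoning writes into freed objects */
static struct urb_priv slot;  /* static one-object "slab": stale reads stay defined */

static void model_kfree(struct urb_priv *p) { memset(p, POISON_FREE, sizeof(*p)); }

/* Same shape as the c67x00_release_urb excerpt: detach urbp, then free it. */
static void model_release_urb(struct urb *urb)
{
    struct urb_priv *urbp = urb->hcpriv;
    urb->hcpriv = NULL;
    model_kfree(urbp);
}

/* Stand-in for usb_hcd_giveback_urb(): reports the status it was handed. */
static int model_giveback(struct urb *urb, int status) { (void)urb; return status; }

/* Flagged ordering: urbp->status is read only after the release. */
static int giveback_flagged(struct urb *urb, struct urb_priv *urbp)
{
    model_release_urb(urb);
    return model_giveback(urb, urbp->status);
}

/* Fixed ordering: the caller-supplied status is passed by value. */
static int giveback_fixed(struct urb *urb, int status)
{
    model_release_urb(urb);
    return model_giveback(urb, status);
}

/* Complete one URB whose private status is `status`; return what giveback saw. */
int complete_urb(int status, int use_fixed)
{
    struct urb urb = { .hcpriv = &slot };
    slot.status = status;
    return use_fixed ? giveback_fixed(&urb, status) : giveback_flagged(&urb, &slot);
}

int main(void)
{
    printf("flagged: 0x%x\nfixed: %d\n", (unsigned)complete_urb(-71, 0), complete_urb(-71, 1));
}
```

In a real kernel the flagged read is only detected at run time when the object is actually poisoned or instrumented (for example with KASAN or slab debugging); otherwise it silently returns whatever now occupies that memory.
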
arch copy_xstate_to_kernel: Fix typo which caused GDB regression 2020-07-22 09:32:06 +02:00
block block: release bip in a right way in error path 2020-07-16 08:17:23 +02:00
certs export.h: remove VMLINUX_SYMBOL() and VMLINUX_SYMBOL_STR() 2018-08-22 23:21:44 +09:00
crypto crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock() 2020-07-09 09:37:10 +02:00
Documentation doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode 2020-07-22 09:32:04 +02:00
drivers USB: c67x00: fix use after free in c67x00_giveback_urb 2020-07-22 09:32:08 +02:00
firmware Fix built-in early-load Intel microcode alignment 2020-01-23 08:21:29 +01:00
fs gfs2: read-only mounts should grab the sd_freeze_gl glock 2020-07-22 09:32:01 +02:00
include vlan: consolidate VLAN parsing code and limit max parsing depth 2020-07-22 09:32:00 +02:00
init x86: Fix early boot crash on gcc-10, third try 2020-05-20 08:18:49 +02:00
ipc ipc/util.c: sysvipc_find_ipc() incorrectly updates position index 2020-05-20 08:18:40 +02:00
kernel cgroup: fix cgroup_sk_alloc() for sk_clone_lock() 2020-07-22 09:32:00 +02:00
lib lib/zlib: remove outdated and incorrect pre-increment optimization 2020-06-25 15:33:02 +02:00
LICENSES LICENSES: Remove CC-BY-SA-4.0 license text 2018-10-18 11:28:50 +02:00
mm mm/slub: fix stack overruns with SLUB_STATS 2020-07-09 09:37:09 +02:00
net sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:00 +02:00
samples samples: bpf: Fix build error 2020-06-03 08:19:31 +02:00
scripts kbuild: improve cc-option to clean up all temporary files 2020-06-30 23:17:15 -04:00
security apparmor: ensure that dfa state tables have entries 2020-07-22 09:32:06 +02:00
sound ALSA: hda/realtek - Enable Speaker for ASUS UX533 and UX534 2020-07-22 09:32:08 +02:00
tools perf stat: Zero all the 'ena' and 'run' array slot stats for interval mode 2020-07-22 09:32:06 +02:00
usr initramfs: restore default compression behavior 2020-04-13 10:44:59 +02:00
virt KVM: arm64: Synchronize sysreg state on injecting an AArch32 exception 2020-06-22 09:05:09 +02:00
.clang-format clang-format: Set IndentWrappedFunctionNames false 2018-08-01 18:38:51 +02:00
.cocciconfig
.get_maintainer.ignore
.gitattributes .gitattributes: set git diff driver for C source code files 2016-10-07 18:46:30 -07:00
.gitignore Kbuild updates for v4.17 (2nd) 2018-04-15 17:21:30 -07:00
.mailmap libnvdimm-for-4.19_misc 2018-08-25 18:13:10 -07:00
COPYING COPYING: use the new text with points to the license files 2018-03-23 12:41:45 -06:00
CREDITS 9p: remove Ron Minnich from MAINTAINERS 2018-08-17 16:20:26 -07:00
Kbuild Kbuild updates for v4.15 2017-11-17 17:45:29 -08:00
Kconfig kconfig: move the "Executable file formats" menu to fs/Kconfig.binfmt 2018-08-02 08:06:55 +09:00
MAINTAINERS MAINTAINERS: Update drm/i915 bug filing URL 2020-02-28 16:38:49 +01:00
Makefile Linux 4.19.133 2020-07-16 08:17:28 +02:00
README Docs: Added a pointer to the formatted docs to README 2018-03-21 09:02:53 -06:00

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.