linux/drivers
Udipto Goswami 3a49d3b677 FROMGIT: usb: f_fs: Fix use-after-free for epfile
Consider a case where ffs_func_eps_disable is called from
ffs_func_disable as part of a composition switch and at the
same time ffs_epfile_release gets called from userspace.
ffs_epfile_release will free up the read buffer and call
ffs_data_closed, which in turn destroys ffs->epfiles and
marks it as NULL. While this is happening, the driver has
already initialized the local epfile in ffs_func_eps_disable,
which is now freed, and is waiting to acquire the spinlock. Once
the spinlock is acquired, the driver proceeds with the stale value
of epfile and tries to free the already freed read buffer,
causing a use-after-free.

Following is the illustration of the race:

      CPU1                                  CPU2

   ffs_func_eps_disable
   epfiles (local copy)
                                         ffs_epfile_release
                                         ffs_data_closed
                                         if (last file closed)
                                         ffs_data_reset
                                         ffs_data_clear
                                         ffs_epfiles_destroy
   spin_lock
   dereference epfiles

Fix these races by taking the epfiles local copy and assigning it under
the spinlock, and if epfiles (local) is null then update it in ffs->epfiles,
then finally destroy it.
This extends the scope further from the race, protecting the ep-related
structures and concurrent accesses.

Fixes: a9e6f83c2d (usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable)
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Pratham Pratap <quic_ppratap@quicinc.com>
Co-developed-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Link: https://lore.kernel.org/r/1643256595-10797-1-git-send-email-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(cherry picked from commit ebe2b1add1
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-linus)

BUG: 217829161
Change-Id: Iab64af51aece85df3208afd7b6cd108b955eae45
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
2022-02-04 22:09:50 +00:00
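The ownership-transfer pattern the commit message describes (take the epfiles copy under the spinlock, clear the shared pointer there, destroy outside the lock), replayed as a user-space model in C. This is example code added for this page, not the f_fs driver's code: the struct and function names (ffs_data, epfile, eps_disable_racy, eps_disable_fixed, run_race) are hypothetical stand-ins for the driver's structures, a test-and-set flag models the spinlock, and the CPU2 interleaving is driven deterministically through a callback instead of a real second thread. The table is quarantined (marked dead) rather than freed so the stale access can be counted instead of being undefined behaviour.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space stand-ins for the f_fs structures named in the
 * commit message; not the driver's definitions. */
struct epfile {
    bool  dead;          /* set by epfiles_destroy(): slot is no longer valid */
    char *read_buffer;
};

struct ffs_data {
    atomic_flag    eps_lock;  /* test-and-set spinlock guarding epfiles */
    struct epfile *epfiles;   /* NULL once the last file has been closed */
    unsigned       eps_count;
};

static void eps_lock(struct ffs_data *f)   { while (atomic_flag_test_and_set_explicit(&f->eps_lock, memory_order_acquire)) ; }
static void eps_unlock(struct ffs_data *f) { atomic_flag_clear_explicit(&f->eps_lock, memory_order_release); }

/* Idempotent: freeing an already-freed buffer is a no-op, not a double free. */
static void read_buffer_free(struct epfile *f)
{
    free(f->read_buffer);
    f->read_buffer = NULL;
}

/* Tears down the table. The array is quarantined (marked dead, not freed) so
 * a stale access can be counted instead of being undefined behaviour. */
static void epfiles_destroy(struct epfile *t, unsigned n)
{
    for (unsigned i = 0; i < n; i++) {
        read_buffer_free(&t[i]);
        t[i].dead = true;
    }
}

/* CPU2 (ffs_epfile_release -> ffs_data_clear): take ownership of the table
 * under the lock and clear the shared pointer, then destroy outside it. */
static void ffs_data_clear(struct ffs_data *ffs)
{
    eps_lock(ffs);
    struct epfile *epfiles = ffs->epfiles;
    ffs->epfiles = NULL;
    eps_unlock(ffs);
    if (epfiles)
        epfiles_destroy(epfiles, ffs->eps_count);
}

/* Walk a table snapshot with the lock held; returns how many slots were already dead. */
static int disable_locked(const struct ffs_data *ffs, struct epfile *epfile)
{
    int uaf = 0;
    for (unsigned i = 0; epfile && i < ffs->eps_count; i++) {
        if (epfile[i].dead)
            uaf++;
        else
            read_buffer_free(&epfile[i]);
    }
    return uaf;
}

typedef void (*preempt_fn)(struct ffs_data *);

/* CPU1 before the fix: the local copy is taken before the lock; `preempt`
 * stands in for CPU2 running in the window between the copy and the lock. */
static int eps_disable_racy(struct ffs_data *ffs, preempt_fn preempt)
{
    struct epfile *epfile = ffs->epfiles;  /* stale as soon as CPU2 runs */
    if (preempt)
        preempt(ffs);
    eps_lock(ffs);
    int uaf = disable_locked(ffs, epfile);
    eps_unlock(ffs);
    return uaf;
}

/* CPU1 after the fix: the copy is taken under the lock that the release path
 * uses to clear it, so it is either still valid or NULL. */
static int eps_disable_fixed(struct ffs_data *ffs, preempt_fn preempt)
{
    if (preempt)
        preempt(ffs);
    eps_lock(ffs);
    int uaf = disable_locked(ffs, ffs->epfiles);
    eps_unlock(ffs);
    return uaf;
}

/* Replays the interleaving from the commit message against one variant. */
static int run_race(int (*disable)(struct ffs_data *, preempt_fn))
{
    struct ffs_data ffs = { .epfiles = calloc(2, sizeof(struct epfile)), .eps_count = 2 };
    atomic_flag_clear(&ffs.eps_lock);
    for (unsigned i = 0; i < ffs.eps_count; i++)
        ffs.epfiles[i].read_buffer = strdup("pending read");  /* constructed data */
    struct epfile *table = ffs.epfiles;   /* kept so the quarantine can be freed */
    int uaf = disable(&ffs, ffs_data_clear);
    free(table);
    return uaf;
}
```

run_race(eps_disable_racy) reports two stale-slot accesses, one per endpoint file, because the snapshot was taken outside the lock and CPU2 destroyed the table before CPU1 acquired it; run_race(eps_disable_fixed) reports none, because the snapshot taken under the lock is already NULL. In the real driver the dead slots are freed memory, so the same access is a use-after-free rather than a counter increment. Note also that read_buffer_free clears the pointer it frees: that is what lets the disable path and the release path each run the free without one of them double-freeing.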
accessibility
acpi This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
amba This is the 5.10.78 stable release 2021-11-06 14:22:24 +01:00
android UPSTREAM: binder: fix async_free_space accounting for empty parcels 2022-01-31 22:16:28 +00:00
ata libata: fix checking of DMA state 2021-11-18 14:03:46 +01:00
atm atm: nicstar: register the interrupt handler in the right place 2021-07-19 09:44:52 +02:00
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 14:04:24 +01:00
base This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
bcma bcma: Fix memory leak for internally-handled cores 2021-09-15 09:50:45 +02:00
block This is the 5.10.81 stable release 2021-11-21 14:29:02 +01:00
bluetooth This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
bus bus: ti-sysc: Fix timekeeping_suspended warning on resume 2021-11-18 14:04:15 +01:00
cdrom
char This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
clk Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
clocksource Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
connector
counter counter: 104-quad-8: Return error when invalid mode during ceiling_write 2021-09-15 09:50:38 +02:00
cpufreq Merge branch 'android12-5.10' into android12-5.10-lts 2021-11-19 09:15:03 +01:00
cpuidle This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
crypto This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
dax
dca
devfreq
dio
dma This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
dma-buf Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
edac EDAC/amd64: Handle three rank interleaving mode 2021-11-18 14:04:06 +01:00
eisa
extcon extcon: intel-mrfld: Sync hardware and software state on init 2021-07-19 09:45:00 +02:00
firewire
firmware This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
fpga fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() 2021-09-30 10:11:04 +02:00
fsi fsi: Add missing MODULE_DEVICE_TABLE 2021-07-20 16:05:42 +02:00
gnss
gpio This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
gpu This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
greybus
hid Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
hsi
hv hyperv/vmbus: include linux/bitops.h 2021-11-18 14:03:42 +01:00
hwmon This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
hwspinlock
hwtracing UPSTREAM: coresight: trbe: Defer the probe on offline CPUs 2022-01-24 20:33:50 +00:00
i2c This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
i3c
ide
idle
iio iio: adis: do not disabe IRQs in 'adis_init()' 2021-11-18 14:04:19 +01:00
infiniband This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
input This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
interconnect Revert "treewide: Change list_sort to use const pointers" 2021-10-04 11:07:40 +02:00
iommu Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
ipack ipack: ipoctal: fix module reference leak 2021-10-06 15:56:01 +02:00
irqchip Revert half of "ANDROID: gic-v3: Add vendor hook to GIC v3" 2022-01-21 13:11:10 +01:00
isdn mISDN: Fix return values of the probe function 2021-11-18 14:03:41 +01:00
leds leds: trigger: audio: Add an activate callback to ensure the initial brightness is set 2021-09-15 09:50:36 +02:00
lightnvm
macintosh
mailbox soc: mediatek: cmdq: add address shift in jump 2021-09-18 13:40:16 +02:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-30 10:11:00 +02:00
md This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
media This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
memory This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 14:04:07 +01:00
message
mfd mfd: dln2: Add cell for initializing DLN2 ADC 2021-11-18 14:04:30 +01:00
misc This is the 5.10.75 stable release 2021-10-20 11:53:41 +02:00
mmc This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
most most: fix control-message timeouts 2021-11-18 14:03:51 +01:00
mtd Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
mux
net This is the 5.10.81 stable release 2021-11-21 14:29:02 +01:00
nfc nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails 2021-11-18 14:04:27 +01:00
ntb NTB: perf: Fix an error code in perf_setup_inbuf() 2021-09-22 12:28:02 +02:00
nubus
nvdimm libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind 2021-09-18 13:40:36 +02:00
nvme Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
nvmem nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-20 11:45:01 +02:00
of This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
opp This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
oprofile
parisc parisc: Move pci_dev_is_behind_card_dino to where it is used 2021-09-26 14:08:59 +02:00
parport parport: remove non-zero check on count 2021-09-18 13:40:34 +02:00
pci This is the 5.10.81 stable release 2021-11-21 14:29:02 +01:00
pcmcia pcmcia: i82092: fix a null pointer dereference bug 2021-08-12 13:22:16 +02:00
perf
phy phy: qcom-snps: Correct the FSEL_MASK 2021-11-18 14:04:20 +01:00
pinctrl This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
platform This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
pnp
power This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
powercap
pps
ps3
ptp ptp_pch: Load module automatically if ID matches 2021-10-13 10:04:27 +02:00
pwm This is the 5.10.69 stable release 2021-09-30 18:36:17 +02:00
rapidio
ras
regulator This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
remoteproc Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
reset This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
rpmsg
rtc This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
s390 This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
sbus
scsi Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
sfi
sh
siox
slimbus slimbus: ngd: reset dma setup during runtime pm 2021-08-26 08:35:55 -04:00
soc This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
soundwire soundwire: debugfs: use controller id and link_id for debugfs 2021-11-18 14:04:16 +01:00
spi Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
spmi
ssb
staging Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
target Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
tc
tee UPSTREAM: tee: handle lookup of shm with reference count 0 2022-01-26 09:07:27 +00:00
thermal thermal: Fix NULL pointer dereferences in of_thermal_ functions 2021-11-21 13:46:37 +01:00
thunderbolt thunderbolt: Fix port linking by checking all adapters 2021-09-18 13:40:27 +02:00
tty Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
uio
usb FROMGIT: usb: f_fs: Fix use-after-free for epfile 2022-02-04 22:09:50 +00:00
vdpa vdpa/mlx5: Avoid destroying MR on empty iotlb 2021-08-26 08:35:42 -04:00
vfio Merge 5.10.67 into android12-5.10-lts 2021-09-30 12:21:03 +02:00
vhost vhost-vdpa: Fix the wrong input in config_cb 2021-10-20 11:45:04 +02:00
video This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
virt
virtio Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
visorbus visorbus: fix error return code in visorchipset_init() 2021-07-14 16:56:41 +02:00
vlynq
vme
w1 w1: ds2438: fixing bug that would always get page0 2021-07-20 16:05:39 +02:00
watchdog This is the 5.10.80 stable release 2021-11-19 11:50:41 +01:00
xen xen-pciback: Fix return in pm_ctrl_init() 2021-11-18 14:04:25 +01:00
zorro
Kconfig
Makefile