Re: [PATCH] usb: gadget: function: use after free in printer_close()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Dan,

I'm fine with either symmetrically removing the DBG() from "printer_open()"
or with this version of the patch.

It seems to me that this version better fits "fixing UAF", though.
Whether the driver is too verbose is another matter, and if it is,
it deserves its own patch because DBG() invocations are sprinkled
here and there.

W dniu 21.11.2022 o 15:44, Dan Carpenter pisze:
The printer_dev_free() function frees "dev" but then it is dereferenced
by the debug code on the next line.  Flip the order to avoid the use after
free.

Fixes: e8d5f92b8d30 ("usb: gadget: function: printer: fix use-after-free in __lock_acquire")
Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>

Acked-by: Andrzej Pietrasiewicz <andrzej.p@xxxxxxxxxxxxx>


---
v2: In the v1, I just deleted the printk but Andrzej thought it was
worth preserving.

  drivers/usb/gadget/function/f_printer.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
index a881c69b1f2b..01e842e1ba2f 100644
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -381,8 +381,8 @@ printer_close(struct inode *inode, struct file *fd)
  	dev->printer_status &= ~PRINTER_SELECTED;
  	spin_unlock_irqrestore(&dev->lock, flags);
- kref_put(&dev->kref, printer_dev_free);
  	DBG(dev, "printer_close\n");
+	kref_put(&dev->kref, printer_dev_free);
return 0;
  }




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux