Re: usb/gadget: use-after-free in gadgetfs_setup

On Mon, 12 Dec 2016, Krzysztof Opasiak wrote:

> > Ah, good, that clears it up.  The problem is that stop_activity() nukes 
> > all the endpoints except for endpoint 0!
> > 
> > The patch below should fix the problem.
> > 
> > Alan Stern
> > 
> > 
> > 
> > Index: usb-4.x/drivers/usb/gadget/udc/dummy_hcd.c
> > ===================================================================
> > --- usb-4.x.orig/drivers/usb/gadget/udc/dummy_hcd.c
> > +++ usb-4.x/drivers/usb/gadget/udc/dummy_hcd.c
> > @@ -338,6 +338,7 @@ static void stop_activity(struct dummy *
> >  	/* The timer is left running so that outstanding URBs can fail */
> >  
> >  	/* nuke any pending requests first, so driver i/o is quiesced */
> > +	nuke(dum, &dum->ep[0]);
> >  	list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
> >  		nuke(dum, ep);
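Review bot: the added `nuke(dum, &dum->ep[0]);` is a bare special case with no comment saying why endpoint 0 needs separate handling. The message above gives the reason (the list walk reaches every endpoint except endpoint 0), so a one-line comment to that effect next to the call would keep a later cleanup from removing it as redundant. Walking `dum->ep[]` directly would avoid the special case altogether.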
> 
> Pretty nasty error. We had the same in vUDC. Maybe it would be a good
> idea to iterate over the ep[] array which is inside struct dummy instead
> of adding this special case for ep[0]. In addition, it's the only place
> where dummy_hcd iterates over this list instead of the ep array ;)

Yeah, that's a good idea.  Here's a revised patch; it should work just 
as well as the original.

Alan Stern



Index: usb-4.x/drivers/usb/gadget/udc/dummy_hcd.c
===================================================================
--- usb-4.x.orig/drivers/usb/gadget/udc/dummy_hcd.c
+++ usb-4.x/drivers/usb/gadget/udc/dummy_hcd.c
@@ -330,7 +330,7 @@ static void nuke(struct dummy *dum, stru
 /* caller must hold lock */
 static void stop_activity(struct dummy *dum)
 {
-	struct dummy_ep	*ep;
+	int i;
 
 	/* prevent any more requests */
 	dum->address = 0;
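Review bot: the `/* caller must hold lock */` comment above `stop_activity()` is the only statement of the locking contract, and nothing in the function enforces it. Since the patch is already editing the declarations here, consider adding a `lockdep_assert_held()` on that lock as the first statement, so a caller that gets this wrong is caught at runtime and not only by reading the comment.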
@@ -338,8 +338,8 @@ static void stop_activity(struct dummy *
 	/* The timer is left running so that outstanding URBs can fail */
 
 	/* nuke any pending requests first, so driver i/o is quiesced */
-	list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
-		nuke(dum, ep);
+	for (i = 0; i < DUMMY_ENDPOINTS; ++i)
+		nuke(dum, &dum->ep[i]);
 
 	/* driver now does any non-usb quiescing necessary */
 }
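Review bot: the bound in `for (i = 0; i < DUMMY_ENDPOINTS; ++i)` is only correct while `dum->ep[]` has exactly `DUMMY_ENDPOINTS` entries, and the declaration of that array is not visible in this hunk. `ARRAY_SIZE(dum->ep)` would tie the bound to the array itself. The existing "nuke any pending requests first" comment could also say that the array is walked on purpose because the `gadget.ep_list` walk did not reach endpoint 0, which is the whole point of the change and is otherwise recorded only in this thread.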

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
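The diagnosis in this thread, as a constructed userspace model (an added example, not kernel code and not from the patch author): it assumes `ep[0]` is kept off the endpoint list, which is what makes the list walk skip it. The struct layout, `dummy_init()` and `leftover_after()` are hypothetical names for the model.

```c
/* Constructed userspace model; names echo the thread, not kernel code. */
#include <stdio.h>

#define DUMMY_ENDPOINTS 4	/* assumed size for the model */

struct ep { struct ep *next; int pending; };	/* pending = queued requests */
struct dummy { struct ep ep[DUMMY_ENDPOINTS]; struct ep *ep_list; };

/* Assumption: ep[0] is not linked on ep_list; only ep[1..N-1] are.
 * Every endpoint starts with one queued request. */
static void dummy_init(struct dummy *dum)
{
	dum->ep_list = NULL;
	for (int i = DUMMY_ENDPOINTS - 1; i >= 0; --i) {
		dum->ep[i].pending = 1;
		dum->ep[i].next = NULL;
		if (i != 0) {
			dum->ep[i].next = dum->ep_list;
			dum->ep_list = &dum->ep[i];
		}
	}
}

static void nuke(struct ep *ep) { ep->pending = 0; }

/* Pre-fix shape: walk the list, which never reaches ep[0]. */
static void stop_activity_list(struct dummy *dum)
{
	for (struct ep *ep = dum->ep_list; ep; ep = ep->next)
		nuke(ep);
}

/* Revised-patch shape: walk the array, ep[0] included. */
static void stop_activity_array(struct dummy *dum)
{
	for (int i = 0; i < DUMMY_ENDPOINTS; ++i)
		nuke(&dum->ep[i]);
}

/* Requests still queued after teardown with the chosen walk. */
static int leftover_after(int use_array)
{
	struct dummy dum; int n = 0;
	dummy_init(&dum);
	if (use_array) stop_activity_array(&dum); else stop_activity_list(&dum);
	for (int i = 0; i < DUMMY_ENDPOINTS; ++i) n += dum.ep[i].pending;
	return n;
}

int main(void) { printf("list=%d array=%d\n", leftover_after(0), leftover_after(1)); return 0; }
```

The request left queued by the list walk is the one on endpoint 0, the case both patches in the thread address.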


