On Tue, Dec 18, 2018 at 06:00:20PM +0800, Jia-Ju Bai wrote: > The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may > be concurrently executed. > The two functions both access a possible shared variable "hep->hcpriv". > > This shared variable is freed by r8a66597_endpoint_disable() via the > call path: > r8a66597_endpoint_disable > kfree(hep->hcpriv) (line 1995 in Linux-4.19) > > This variable is read by r8a66597_urb_enqueue() via the call path: > r8a66597_urb_enqueue > spin_lock_irqsave(&r8a66597->lock); > init_pipe_info > enable_r8a66597_pipe > pipe = hep->hcpriv (line 802 in Linux-4.19) > > The read operation is protected by a spinlock, but the free operation > is not protected by this spinlock, thus a concurrency use-after-free bug > may occur. > > To fix this bug, the spin-lock and spin-unlock function calls in > r8a66597_endpoint_disable() are moved to protect the free operation. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx> > --- > drivers/usb/host/r8a66597-hcd.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c > index 984892dd72f5..1495ce14ad22 100644 > --- a/drivers/usb/host/r8a66597-hcd.c > +++ b/drivers/usb/host/r8a66597-hcd.c > @@ -1991,13 +1991,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, > return; > pipenum = pipe->info.pipenum; > > + spin_lock_irqsave(&r8a66597->lock, flags); Don't you also need the __aquires/__releases markings on this function in order to properly annotate it, like the rest of the driver has? Otherwise this seems to look good to me. thanks, greg k-h
