From mboxrd@z Thu Jan 1 00:00:00 1970 From: Greg KH Date: Fri, 22 Apr 2022 14:59:54 +0200 Subject: [PATCH] aspeed-vhub: epn: fix an incorrect member check on list iterator In-Reply-To: <20220327062431.5847-1-xiam0nd.tong@gmail.com> References: <20220327062431.5847-1-xiam0nd.tong@gmail.com> Message-ID: List-Id: To: linux-aspeed@lists.ozlabs.org MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Sun, Mar 27, 2022 at 02:24:31PM +0800, Xiaomeng Tong wrote: > The bug is here: > if (&req->req == u_req) { > > The list iterator 'req' will point to a bogus position containing > HEAD if the list is empty or no element is found. This case must > be checked before any use of the iterator, otherwise it may bypass > the 'if (&req->req == u_req) {' check in theory, if '*u_req' obj is > just allocated in the same addr with '&req->req'. > > To fix this bug, just mova all thing inside the loop and return 0, > otherwise return error. > > Cc: stable at vger.kernel.org > Fixes: 7ecca2a4080cb ("usb/gadget: Add driver for Aspeed SoC virtual hub") > Signed-off-by: Xiaomeng Tong > --- > drivers/usb/gadget/udc/aspeed-vhub/epn.c | 23 ++++++++++------------- > 1 file changed, 10 insertions(+), 13 deletions(-) Does not apply anymore :( From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DFA15C433FE for ; Fri, 22 Apr 2022 13:00:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1445117AbiDVNC7 (ORCPT ); Fri, 22 Apr 2022 09:02:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39762 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1447763AbiDVNCy (ORCPT ); Fri, 22 Apr 2022 09:02:54 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3D5BB60E4; Fri, 22 Apr 2022 06:00:00 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E5D14B82D2D; Fri, 22 Apr 2022 12:59:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 038CFC385A8; Fri, 22 Apr 2022 12:59:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1650632397; bh=EuI02HnZPhPPNa3QKg88JZRW0CEqpWBj8AMo5mHer+U=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=JecLKEygMG9ILc1dRzuK3b4RNTdFfnvWcZF9hCg/xrhiaMRzPmi4nkX9j9cttsj+E Q+DPYQlCUr90BGFxlMdtbFcEpV5ooPCAfjY2FUR2uGa9CDuPrgk1BzJu7WO7zv3E0i ac2V+8AmGIU96/YneETnRD7wZbHagqEmeSD3vPOU= Date: Fri, 22 Apr 2022 14:59:54 +0200 From: Greg KH To: Xiaomeng Tong Cc: balbi@kernel.org, joel@jms.id.au, andrew@aj.id.au, rentao.bupt@gmail.com, caihuoqing@baidu.com, benh@kernel.crashing.org, linux-usb@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH] aspeed-vhub: epn: fix an incorrect member check on list iterator Message-ID: References: <20220327062431.5847-1-xiam0nd.tong@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220327062431.5847-1-xiam0nd.tong@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org On Sun, Mar 27, 2022 at 02:24:31PM +0800, Xiaomeng Tong wrote: > The bug is here: > if (&req->req == u_req) { > > The list iterator 'req' will point to a bogus position containing > HEAD if the list is empty or no element is found. This case must > be checked before any use of the iterator, otherwise it may bypass > the 'if (&req->req == u_req) {' check in theory, if '*u_req' obj is > just allocated in the same addr with '&req->req'. > > To fix this bug, just mova all thing inside the loop and return 0, > otherwise return error. > > Cc: stable@vger.kernel.org > Fixes: 7ecca2a4080cb ("usb/gadget: Add driver for Aspeed SoC virtual hub") > Signed-off-by: Xiaomeng Tong > --- > drivers/usb/gadget/udc/aspeed-vhub/epn.c | 23 ++++++++++------------- > 1 file changed, 10 insertions(+), 13 deletions(-) Does not apply anymore :( From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id E964EC433F5 for ; Fri, 22 Apr 2022 13:01:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=KT8wLfVnimT5z4DiR6ahccoZe9arYpnw4OtKiRNpOi4=; b=2YOuexRS+faSF8 7yiP+rMyTqYpXn3uIffaRFAl7s5lQ3y8nmvGCVQkGgnzMaCbGQwGJu/uF34PKT9AA3W6UATe9HiFX j6W8e8B8H2f2FSdty5FOa1wtREoMOloaH5ECHXpSKLYBD0W7ieqYMZfnVrCRBW0uCm+4QSgJFcljT nEVMd2yHZIztTU6HtaMCSLZCxndJV4VTK/x8ssx6Pbe8l4RoTmh+9xgPMcSoyLrnF+C06c1rxd8JJ 4PsajNQDANq6HDbj9OYqfROjSzt030KgFFUpMeYcDqk2QI7J4j6igRKMycMWJBO9IQlq0AAl6/qh6 AtwEmNawxbL0cEze6dqw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhstK-000VvU-9I; Fri, 22 Apr 2022 13:00:06 +0000 Received: from ams.source.kernel.org ([145.40.68.75]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nhstG-000Vsv-O3 for linux-arm-kernel@lists.infradead.org; Fri, 22 Apr 2022 13:00:04 +0000 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D5482B82D1F; Fri, 22 Apr 2022 12:59:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 038CFC385A8; Fri, 22 Apr 2022 12:59:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1650632397; bh=EuI02HnZPhPPNa3QKg88JZRW0CEqpWBj8AMo5mHer+U=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=JecLKEygMG9ILc1dRzuK3b4RNTdFfnvWcZF9hCg/xrhiaMRzPmi4nkX9j9cttsj+E Q+DPYQlCUr90BGFxlMdtbFcEpV5ooPCAfjY2FUR2uGa9CDuPrgk1BzJu7WO7zv3E0i ac2V+8AmGIU96/YneETnRD7wZbHagqEmeSD3vPOU= Date: Fri, 22 Apr 2022 14:59:54 +0200 From: Greg KH To: Xiaomeng Tong Cc: balbi@kernel.org, joel@jms.id.au, andrew@aj.id.au, rentao.bupt@gmail.com, caihuoqing@baidu.com, benh@kernel.crashing.org, linux-usb@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH] aspeed-vhub: epn: fix an incorrect member check on list iterator Message-ID: References: <20220327062431.5847-1-xiam0nd.tong@gmail.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20220327062431.5847-1-xiam0nd.tong@gmail.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220422_060002_971588_D49A80F0 X-CRM114-Status: GOOD ( 15.54 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Sun, Mar 27, 2022 at 02:24:31PM +0800, Xiaomeng Tong wrote: > The bug is here: > if (&req->req == u_req) { > > The list iterator 'req' will point to a bogus position containing > HEAD if the list is empty or no element is found. This case must > be checked before any use of the iterator, otherwise it may bypass > the 'if (&req->req == u_req) {' check in theory, if '*u_req' obj is > just allocated in the same addr with '&req->req'. > > To fix this bug, just mova all thing inside the loop and return 0, > otherwise return error. > > Cc: stable@vger.kernel.org > Fixes: 7ecca2a4080cb ("usb/gadget: Add driver for Aspeed SoC virtual hub") > Signed-off-by: Xiaomeng Tong > --- > drivers/usb/gadget/udc/aspeed-vhub/epn.c | 23 ++++++++++------------- > 1 file changed, 10 insertions(+), 13 deletions(-) Does not apply anymore :( _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel