From: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
To: Dan Carpenter <error27@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Albert Briscoe <albertsbriscoe@gmail.com>,
Zqiang <qiang.zhang@windriver.com>,
Felipe Balbi <balbi@kernel.org>,
linux-usb@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] usb: gadget: function: use after free in printer_close()
Date: Mon, 21 Nov 2022 16:32:52 +0100
Message-ID: <b7dcf498-51ea-3aaf-211f-09fa59c38768@collabora.com>
In-Reply-To: <Y3uOxcvowFq75Tzv@kili>

Hi Dan,

I'm fine with either symmetrically removing the DBG() from "printer_open()"
or with this version of the patch.

It seems to me that this version better fits "fixing UAF", though.

Whether the driver is too verbose is another matter, and if it is,
it deserves its own patch because DBG() invocations are sprinkled
here and there.

On 21.11.2022 at 15:44, Dan Carpenter wrote:
> The printer_dev_free() function frees "dev" but then it is dereferenced
> by the debug code on the next line. Flip the order to avoid the use after
> free.
>
> Fixes: e8d5f92b8d30 ("usb: gadget: function: printer: fix use-after-free in __lock_acquire")
> Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
> ---
> v2: In the v1, I just deleted the printk but Andrzej thought it was
> worth preserving.
>
> drivers/usb/gadget/function/f_printer.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
> index a881c69b1f2b..01e842e1ba2f 100644
> --- a/drivers/usb/gadget/function/f_printer.c
> +++ b/drivers/usb/gadget/function/f_printer.c
> @@ -381,8 +381,8 @@ printer_close(struct inode *inode, struct file *fd)
> dev->printer_status &= ~PRINTER_SELECTED;
> spin_unlock_irqrestore(&dev->lock, flags);
>
> - kref_put(&dev->kref, printer_dev_free);
> DBG(dev, "printer_close\n");
> + kref_put(&dev->kref, printer_dev_free);
>
> return 0;
> }
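
Review bot: The moved kref_put(&dev->kref, printer_dev_free) at the end of printer_close() is now the last statement allowed to touch dev, but nothing in the code says so, and a later change that adds a statement between it and return 0 would reintroduce the same use after free. Since the commit message states that printer_dev_free() frees "dev", consider a one-line comment directly above the call, for example `/* may drop the last reference and free dev; no dev access below */`. The reply above also mentions a DBG() in printer_open(); that function is not in this hunk, so it is worth confirming separately that it does not dereference dev after its own reference handling.
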
Thread overview: 9+ messages
2022-11-21 14:44 [PATCH] usb: gadget: function: use after free in printer_close() Dan Carpenter
2022-11-21 15:32 ` Andrzej Pietrasiewicz [this message]
2022-11-22 7:00 ` Dan Carpenter
2022-11-22 9:49 ` Andrzej Pietrasiewicz
2022-11-22 14:16 ` [PATCH] usb: gadget: function: Simplify error messaging in printer open/close Andrzej Pietrasiewicz
2022-11-22 15:54 ` Greg Kroah-Hartman
2022-11-23 11:07 ` [PATCH] usb: gadget: function: Simplify diagnostic messaging in printer Andrzej Pietrasiewicz
-- strict thread matches above, loose matches on Subject: below --
2022-11-18 11:47 [PATCH] usb: gadget: function: use after free in printer_close() Dan Carpenter
2022-11-21 12:37 ` Andrzej Pietrasiewicz