提交 7fafcfdf 编写于 作者: Y Yavuz, Tuba 提交者: Greg Kroah-Hartman

USB: gadget: f_midi: fixing a possible double-free in f_midi

It looks like there is a possibility of a double-free vulnerability on an
error path of the f_midi_set_alt function in the f_midi driver. If the
path is feasible then free_ep_req gets called twice:

         req->complete = f_midi_complete;
         err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
            => ...
             usb_gadget_giveback_request
               =>
                 f_midi_complete (CALLBACK)
                   (inside f_midi_complete, for various cases of status)
                   free_ep_req(ep, req); // first kfree
         if (err) {
                 ERROR(midi, "%s: couldn't enqueue request: %d\n",
                             midi->out_ep->name, err);
                 free_ep_req(midi->out_ep, req); // second kfree
                 return err;
         }

The double-free possibility was introduced with commit ad0d1a05
("usb: gadget: f_midi: fix leak on failed to enqueue out requests").

Found by MOXCAFE tool.
Signed-off-by: NTuba Yavuz <tuba@ece.ufl.edu>
Fixes: ad0d1a05 ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
Acked-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
上级 4d8d5a39
......@@ -404,7 +404,8 @@ static int f_midi_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
if (err) {
ERROR(midi, "%s: couldn't enqueue request: %d\n",
midi->out_ep->name, err);
free_ep_req(midi->out_ep, req);
if (req->buf != NULL)
free_ep_req(midi->out_ep, req);
return err;
}
}
......
......@@ -61,7 +61,9 @@ struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len);
/* Frees a usb_request previously allocated by alloc_ep_req() */
static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
{
WARN_ON(req->buf == NULL);
kfree(req->buf);
req->buf = NULL;
usb_ep_free_request(ep, req);
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册