提交 aa65d11a 编写于 作者: K Krzysztof Opasiak 提交者: Felipe Balbi

usb: gadget: f_hid: fix: Prevent accessing released memory

When we unlock our spinlock to copy data to user we may get
disabled by USB host and free the whole list of completed out
requests including the one from which we are copying the data
to user memory.

To prevent from this let's remove our working element from
the list and place it back only if there is sth left when we
finish with it.

Fixes: 99c51500 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: NDavid Lechner <david@lechnology.com>
Signed-off-by: NKrzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
上级 20d2ca95
...@@ -277,6 +277,13 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer, ...@@ -277,6 +277,13 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
/* pick the first one */ /* pick the first one */
list = list_first_entry(&hidg->completed_out_req, list = list_first_entry(&hidg->completed_out_req,
struct f_hidg_req_list, list); struct f_hidg_req_list, list);
/*
* Remove this from list to protect it from beign free()
* while host disables our function
*/
list_del(&list->list);
req = list->req; req = list->req;
count = min_t(unsigned int, count, req->actual - list->pos); count = min_t(unsigned int, count, req->actual - list->pos);
spin_unlock_irqrestore(&hidg->spinlock, flags); spin_unlock_irqrestore(&hidg->spinlock, flags);
...@@ -292,16 +299,21 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer, ...@@ -292,16 +299,21 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
* call, taking into account its current read position. * call, taking into account its current read position.
*/ */
if (list->pos == req->actual) { if (list->pos == req->actual) {
spin_lock_irqsave(&hidg->spinlock, flags);
list_del(&list->list);
kfree(list); kfree(list);
spin_unlock_irqrestore(&hidg->spinlock, flags);
req->length = hidg->report_length; req->length = hidg->report_length;
ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL); ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL);
if (ret < 0) if (ret < 0) {
free_ep_req(hidg->out_ep, req);
return ret; return ret;
} }
} else {
spin_lock_irqsave(&hidg->spinlock, flags);
list_add(&list->list, &hidg->completed_out_req);
spin_unlock_irqrestore(&hidg->spinlock, flags);
wake_up(&hidg->read_queue);
}
return count; return count;
} }
...@@ -560,14 +572,18 @@ static void hidg_disable(struct usb_function *f) ...@@ -560,14 +572,18 @@ static void hidg_disable(struct usb_function *f)
{ {
struct f_hidg *hidg = func_to_hidg(f); struct f_hidg *hidg = func_to_hidg(f);
struct f_hidg_req_list *list, *next; struct f_hidg_req_list *list, *next;
unsigned long flags;
usb_ep_disable(hidg->in_ep); usb_ep_disable(hidg->in_ep);
usb_ep_disable(hidg->out_ep); usb_ep_disable(hidg->out_ep);
spin_lock_irqsave(&hidg->spinlock, flags);
list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) { list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
free_ep_req(hidg->out_ep, list->req);
list_del(&list->list); list_del(&list->list);
kfree(list); kfree(list);
} }
spin_unlock_irqrestore(&hidg->spinlock, flags);
} }
static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册