| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Apr 2011 14:14:26 -0700 (PDT) From: Andi Kleen <andi@...stfloor.org> To: willy@...ux.intel.com, sarah.a.sharp@...ux.intel.com, ak@...ux.intel.com, stable@...nel.org, linux-kernel@...r.kernel.org, stable@...nel.org, tim.bird@...sony.com Subject: [PATCH] [103/106] From: USB: Fix unplug of device with active streams 2.6.35-longterm review patch. If anyone has any objections, please let me know. ------------------ Date: Tue, 28 Sep 2010 00:57:32 -0400 Subject: USB: Fix unplug of device with active streams upstream commit: b214f191d95ba4b5a35aebd69cd129cf7e3b1884 If I unplug a device while the UAS driver is loaded, I get an oops in usb_free_streams(). This is because usb_unbind_interface() calls usb_disable_interface() which calls usb_disable_endpoint() which sets ep_out and ep_in to NULL. Then the UAS driver calls usb_pipe_endpoint() which returns a NULL pointer and passes an array of NULL pointers to usb_free_streams(). I think the correct fix for this is to check for the NULL pointer in usb_free_streams() rather than making the driver check for this situation. My original patch for this checked for dev->state == USB_STATE_NOTATTACHED, but the call to usb_disable_interface() is conditional, so not all drivers would want this check. Note from Sarah Sharp: This patch does avoid a potential dereference, but the real fix (which will be implemented later) is to set the .soft_unbind flag in the usb_driver structure for the UAS driver, and all drivers that allocate streams. The driver should free any streams when it is unbound from the interface. This avoids leaking stream rings in the xHCI driver when usb_disable_interface() is called. This should be queued for stable trees back to 2.6.35. Signed-off-by: Matthew Wilcox <willy@...ux.intel.com> Signed-off-by: Sarah Sharp <sarah.a.sharp@...ux.intel.com> Signed-off-by: Andi Kleen <ak@...ux.intel.com> Cc: stable@...nel.org --- drivers/usb/core/hcd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Index: linux-2.6.35.y/drivers/usb/core/hcd.c =================================================================== --- linux-2.6.35.y.orig/drivers/usb/core/hcd.c +++ linux-2.6.35.y/drivers/usb/core/hcd.c @@ -1874,7 +1874,7 @@ void usb_free_streams(struct usb_interfa /* Streams only apply to bulk endpoints. */ for (i = 0; i < num_eps; i++) - if (!usb_endpoint_xfer_bulk(&eps[i]->desc)) + if (!eps[i] || !usb_endpoint_xfer_bulk(&eps[i]->desc)) return; hcd->driver->free_streams(hcd, dev, eps, num_eps, mem_flags); -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists