| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Feb 2016 15:52:29 +0100
From: John Ogness <john.ogness@...utronix.de>
To: linux-kernel@...r.kernel.org
Subject: [PATCH] usb: musb: gadget: fix possible NULL pointer dereference
txstate() assumes that if the request buffer is mapped, a DMA channel
is allocated. There is a case here where the DMA channel is released
and then shortly thereafter (in general PIO code) the request buffer
is unmapped. However, in this case unmap_dma_buffer() silently fails
because the DMA channel is already gone. Thus, the next time txstate()
is called, there is a NULL pointer exception because the buffer is
mapped but no DMA channel is allocated.
This patch adds an extra call unmap_dma_buffer() before releasing the
channel.
Signed-off-by: John Ogness <john.ogness@...utronix.de>
---
patch against next-20160226
drivers/usb/musb/musb_gadget.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
index 87bd578..c518d3c 100644
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -393,6 +393,7 @@ static void txstate(struct musb *musb, struct musb_request *req)
request->dma + request->actual,
request_size);
if (!use_dma) {
+ unmap_dma_buffer(req, musb);
c->channel_release(musb_ep->dma);
musb_ep->dma = NULL;
csr &= ~MUSB_TXCSR_DMAENAB;
--
1.7.10.4
Powered by blists - more mailing lists