lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 20 Mar 2019 05:38:38 +0000
From:   "Yang, Fei" <fei.yang@...el.com>
To:     "mgautam@...eaurora.org" <mgautam@...eaurora.org>
CC:     "balbi@...nel.org" <balbi@...nel.org>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "zhangjerry@...gle.com" <zhangjerry@...gle.com>,
        "andrzej.p@...labora.com" <andrzej.p@...labora.com>,
        "plr.vincent@...il.com" <plr.vincent@...il.com>,
        "Shen, JingX" <jingx.shen@...el.com>,
        "john.stultz@...aro.org" <john.stultz@...aro.org>,
        "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-usb-owner@...r.kernel.org" <linux-usb-owner@...r.kernel.org>
Subject: RE: [PATCH] usb: gadget: f_fs: don't free buffer prematurely

>> From: Fei Yang <fei.yang@...el.com>
>> 
>> The following kernel panic happens due to the io_data buffer gets 
>> deallocated before the async io is completed. Add a check for the case 
>> where io_data buffer should be deallocated by ffs_user_copy_worker.
> 
> [snip]
>
> Please add tag - 'Fixes: 772a7a724f6 ("usb: gadget: f_fs: Allow scatter-gather buffers")
Sent [PATCH V2]

>> ---
>>  drivers/usb/gadget/function/f_fs.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>> 
>> diff --git a/drivers/usb/gadget/function/f_fs.c
>> b/drivers/usb/gadget/function/f_fs.c
>> index 20413c2..47be961 100644
>> --- a/drivers/usb/gadget/function/f_fs.c
>> +++ b/drivers/usb/gadget/function/f_fs.c
>> @@ -1133,7 +1133,8 @@ static ssize_t ffs_epfile_io(struct file *file,
>> struct ffs_io_data *io_data)
>>  error_mutex:
>>  	mutex_unlock(&epfile->mutex);
>>  error:
>> -	ffs_free_buffer(io_data);
>> +	if (ret != -EIOCBQUEUED) /* don't free if there is iocb queued */
>> +		ffs_free_buffer(io_data);
>>  	return ret;
>>  }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ