| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Mar 2021 08:16:55 +0100 From: Greg KH <gregkh@...uxfoundation.org> To: Lv Yunlong <lyl2019@...l.ustc.edu.cn> Cc: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] usb: Add data checks in usbtmc_disconnect On Mon, Mar 22, 2021 at 08:47:17PM -0700, Lv Yunlong wrote: > In usbtmc_disconnect, data is got from intf with the > initial reference. There is no refcount inc operation > before usbmc_free_int(data). In usbmc_free_int(data), > the data may be freed. > > But later in usbtmc_disconnect, there is another put > function of data. I think it is better to add necessary > checks to avoid the data being put twice. It could cause > errors in race. > > Signed-off-by: Lv Yunlong <lyl2019@...l.ustc.edu.cn> > --- > drivers/usb/class/usbtmc.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c > index 74d5a9c5238a..e0438cb46386 100644 > --- a/drivers/usb/class/usbtmc.c > +++ b/drivers/usb/class/usbtmc.c > @@ -2494,7 +2494,9 @@ static void usbtmc_disconnect(struct usb_interface *intf) > } > mutex_unlock(&data->io_mutex); > usbtmc_free_int(data); > - kref_put(&data->kref, usbtmc_delete); > + > + if (data->iin_ep_present && data->iin_urb) > + kref_put(&data->kref, usbtmc_delete); What protects the data from changing right after the check and right before the kref_put() call? krefs need a lock somewhere to protect from races like this, please fix that logic instead. thanks, greg k-h
Powered by blists - more mailing lists