| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Apr 2022 13:47:35 +0200
From: Oliver Neukum <oneukum@...e.com>
To: Hangyu Hua <hbh25y@...il.com>, gregkh@...uxfoundation.org,
mudongliangabcd@...il.com
CC: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: misc: fix improper handling of refcount in
uss720_probe()
On 06.04.22 09:33, Hangyu Hua wrote:
> usb_put_dev shouldn't be called when uss720_probe succeeds because of
> priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
> before destroy_priv in uss720_disconnect because usb_put_dev is in
> destroy_priv.
Hi,
I am sorry, but that's a clear NACK.
> @@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
> usb_set_intfdata(intf, NULL);
> if (pp) {
> priv = pp->private_data;
> - priv->usbdev = NULL;
> priv->pp = NULL;
> dev_dbg(&intf->dev, "parport_remove_port\n");
> parport_remove_port(pp);
> parport_put_port(pp);
> kill_all_async_requests_priv(priv);
> kref_put(&priv->ref_count, destroy_priv);
> + priv->usbdev = NULL;
That is a clear use after free The patch is no good in this state..
HTH
Oliver
Powered by blists - more mailing lists