lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f90522c4-f7d6-3068-9789-8c6d893f2768@suse.com>
Date:   Wed, 6 Apr 2022 13:47:35 +0200
From:   Oliver Neukum <oneukum@...e.com>
To:     Hangyu Hua <hbh25y@...il.com>, gregkh@...uxfoundation.org,
        mudongliangabcd@...il.com
CC:     linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: misc: fix improper handling of refcount in
 uss720_probe()



On 06.04.22 09:33, Hangyu Hua wrote:
> usb_put_dev shouldn't be called when uss720_probe succeeds because of
> priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
> before destroy_priv in uss720_disconnect because usb_put_dev is in
> destroy_priv.

Hi,

I am sorry, but that's a clear NACK.
> @@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
>  	usb_set_intfdata(intf, NULL);
>  	if (pp) {
>  		priv = pp->private_data;
> -		priv->usbdev = NULL;
>  		priv->pp = NULL;
>  		dev_dbg(&intf->dev, "parport_remove_port\n");
>  		parport_remove_port(pp);
>  		parport_put_port(pp);
>  		kill_all_async_requests_priv(priv);
>  		kref_put(&priv->ref_count, destroy_priv);
> +		priv->usbdev = NULL;

That is a clear use after free The patch is no good in this state..

    HTH
        Oliver

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ