| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Apr 2022 09:55:23 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: Oliver Neukum <oneukum@...e.com>, gregkh@...uxfoundation.org,
mudongliangabcd@...il.com
Cc: linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: misc: fix improper handling of refcount in
uss720_probe()
Oh, i sorry. Thank you for your reminder. I will remake a patch carefully.
On 2022/4/6 19:47, Oliver Neukum wrote:
>
>
> On 06.04.22 09:33, Hangyu Hua wrote:
>> usb_put_dev shouldn't be called when uss720_probe succeeds because of
>> priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
>> before destroy_priv in uss720_disconnect because usb_put_dev is in
>> destroy_priv.
>
> Hi,
>
> I am sorry, but that's a clear NACK.
>> @@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
>> usb_set_intfdata(intf, NULL);
>> if (pp) {
>> priv = pp->private_data;
>> - priv->usbdev = NULL;
>> priv->pp = NULL;
>> dev_dbg(&intf->dev, "parport_remove_port\n");
>> parport_remove_port(pp);
>> parport_put_port(pp);
>> kill_all_async_requests_priv(priv);
>> kref_put(&priv->ref_count, destroy_priv);
>> + priv->usbdev = NULL;
>
> That is a clear use after free The patch is no good in this state..
>
> HTH
> Oliver
>
Powered by blists - more mailing lists