lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3cbe7ad1-421a-493c-9cb2-9234e139923f@kernel.dk>
Date: Fri, 23 Feb 2024 07:43:08 -0700
From: Jens Axboe <axboe@...nel.dk>
To: Selvarasu Ganesan <quic_selvaras@...cinc.com>,
 Greg KH <gregkh@...uxfoundation.org>
Cc: brauner@...nel.org, jack@...e.cz, jlayton@...nel.org,
 keescook@...omium.org, peter@...sgaard.com, hayama@...eo.co.jp,
 dmantipov@...dex.ru, quic_linyyuan@...cinc.com, linux-usb@...r.kernel.org,
 linux-kernel@...r.kernel.org, quic_ppratap@...cinc.com,
 quic_wcheng@...cinc.com, quic_jackp@...cinc.com
Subject: Re: [PATCH] usb: gadget: f_fs: Fix NULL pointer dereference in
 ffs_epfile_async_io_complete()

On 2/23/24 4:35 AM, Selvarasu Ganesan wrote:
> Here?s what the code might look like with a new lock:
> 
> static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
>                                          struct usb_request *req)
> {
> ....
> spin_lock(&ffs->new_lock);
> if (ffs && ffs->io_completion_wq)
>     queue_work(ffs->io_completion_wq, &io_data->work);
> spin_unlock(&ffs->new_lock);
> ....
> }
> 
> 
> 
> static void ffs_data_put(struct ffs_data *ffs) {
> ...
> destroy_workqueue(ffs->io_completion_wq);
> kfree(ffs->dev_name);
> spin_lock(&ffs->new_lock);
> kfree(ffs);
> spin_unlock(&ffs->new_lock);
> ...
> }

This obviously won't work at all, and it's not the right way to fix it
at all. It needs a ref count.

-- 
Jens Axboe


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ