| Message ID | 20191124142236.25671-1-wenyang@linux.alibaba.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 1848a543191ae32e558bb0a5974ae7c38ebd86fc |
| Headers | show |
| Series | usb: roles: fix a potential use after free | expand |
On 19-11-24 22:22:36, Wen Yang wrote: > Free the sw structure only after we are done using it. > This patch just moves the put_device() down a bit to avoid the > use after free. > > Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting") > Signed-off-by: Wen Yang <wenyang@linux.alibaba.com> > Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com> > Cc: Hans de Goede <hdegoede@redhat.com> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Cc: Chunfeng Yun <chunfeng.yun@mediatek.com> > Cc: Suzuki K Poulose <suzuki.poulose@arm.com> > Cc: linux-usb@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > --- > drivers/usb/roles/class.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c > index 8273126..63a00ff 100644 > --- a/drivers/usb/roles/class.c > +++ b/drivers/usb/roles/class.c > @@ -169,8 +169,8 @@ struct usb_role_switch *fwnode_usb_role_switch_get(struct fwnode_handle *fwnode) > void usb_role_switch_put(struct usb_role_switch *sw) > { > if (!IS_ERR_OR_NULL(sw)) { > - put_device(&sw->dev); > module_put(sw->dev.parent->driver->owner); > + put_device(&sw->dev); > } > } > EXPORT_SYMBOL_GPL(usb_role_switch_put); > -- > 1.8.3.1 > Reviewed-by: Peter Chen <peter.chen@nxp.com>
On Sun, Nov 24, 2019 at 10:22:36PM +0800, Wen Yang wrote: > Free the sw structure only after we are done using it. > This patch just moves the put_device() down a bit to avoid the > use after free. > > Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting") > Signed-off-by: Wen Yang <wenyang@linux.alibaba.com> > Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com> > Cc: Hans de Goede <hdegoede@redhat.com> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Cc: Chunfeng Yun <chunfeng.yun@mediatek.com> > Cc: Suzuki K Poulose <suzuki.poulose@arm.com> > Cc: linux-usb@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > --- > drivers/usb/roles/class.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c > index 8273126..63a00ff 100644 > --- a/drivers/usb/roles/class.c > +++ b/drivers/usb/roles/class.c > @@ -169,8 +169,8 @@ struct usb_role_switch *fwnode_usb_role_switch_get(struct fwnode_handle *fwnode) > void usb_role_switch_put(struct usb_role_switch *sw) > { > if (!IS_ERR_OR_NULL(sw)) { > - put_device(&sw->dev); > module_put(sw->dev.parent->driver->owner); > + put_device(&sw->dev); > } > } > EXPORT_SYMBOL_GPL(usb_role_switch_put); > -- > 1.8.3.1
On Tue, Nov 26, 2019 at 05:49:17PM +0200, Heikki Krogerus wrote: > On Sun, Nov 24, 2019 at 10:22:36PM +0800, Wen Yang wrote: > > Free the sw structure only after we are done using it. > > This patch just moves the put_device() down a bit to avoid the > > use after free. > > > > Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting") > > Signed-off-by: Wen Yang <wenyang@linux.alibaba.com> > > Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com> > > Cc: Hans de Goede <hdegoede@redhat.com> > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > Cc: Chunfeng Yun <chunfeng.yun@mediatek.com> > > Cc: Suzuki K Poulose <suzuki.poulose@arm.com> > > Cc: linux-usb@vger.kernel.org > > Cc: linux-kernel@vger.kernel.org Ups, sorry. I meant: Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> thanks,
diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c index 8273126..63a00ff 100644 --- a/drivers/usb/roles/class.c +++ b/drivers/usb/roles/class.c @@ -169,8 +169,8 @@ struct usb_role_switch *fwnode_usb_role_switch_get(struct fwnode_handle *fwnode) void usb_role_switch_put(struct usb_role_switch *sw) { if (!IS_ERR_OR_NULL(sw)) { - put_device(&sw->dev); module_put(sw->dev.parent->driver->owner); + put_device(&sw->dev); } } EXPORT_SYMBOL_GPL(usb_role_switch_put);
Free the sw structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting") Signed-off-by: Wen Yang <wenyang@linux.alibaba.com> Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com> Cc: Hans de Goede <hdegoede@redhat.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Chunfeng Yun <chunfeng.yun@mediatek.com> Cc: Suzuki K Poulose <suzuki.poulose@arm.com> Cc: linux-usb@vger.kernel.org Cc: linux-kernel@vger.kernel.org --- drivers/usb/roles/class.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)