2019-11-24 14:24:37

by Wen Yang

Subject: [PATCH] usb: roles: fix a potential use after free

Free the sw structure only after we are done using it.
This patch just moves the put_device() down a bit to avoid the
use after free.

Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting")
Signed-off-by: Wen Yang <[email protected]>
Cc: Heikki Krogerus <[email protected]>
Cc: Hans de Goede <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Chunfeng Yun <[email protected]>
Cc: Suzuki K Poulose <[email protected]>
Cc: [email protected]
Cc: [email protected]
---
drivers/usb/roles/class.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c
index 8273126..63a00ff 100644
--- a/drivers/usb/roles/class.c
+++ b/drivers/usb/roles/class.c
@@ -169,8 +169,8 @@ struct usb_role_switch *fwnode_usb_role_switch_get(struct fwnode_handle *fwnode)
void usb_role_switch_put(struct usb_role_switch *sw)
{
if (!IS_ERR_OR_NULL(sw)) {
- put_device(&sw->dev);
module_put(sw->dev.parent->driver->owner);
+ put_device(&sw->dev);
}
}
EXPORT_SYMBOL_GPL(usb_role_switch_put);
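Review bot: In usb_role_switch_put(), the new order is only correct because put_device(&sw->dev) may drop the last reference and release sw, so module_put(sw->dev.parent->driver->owner) has to read through sw first, and nothing in the function says so. A one-line comment above module_put(), noting that sw may be freed by put_device() and must not be touched afterwards, would keep a later cleanup from swapping the two calls back. The changelog could also name the access that was at risk, the read of sw->dev.parent after put_device().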
--
1.8.3.1


2019-11-25 09:37:56

by Peter Chen

Subject: Re: [PATCH] usb: roles: fix a potential use after free

On 19-11-24 22:22:36, Wen Yang wrote:
> Free the sw structure only after we are done using it.
> This patch just moves the put_device() down a bit to avoid the
> use after free.
>
> Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting")
> Signed-off-by: Wen Yang <[email protected]>
> Cc: Heikki Krogerus <[email protected]>
> Cc: Hans de Goede <[email protected]>
> Cc: Greg Kroah-Hartman <[email protected]>
> Cc: Chunfeng Yun <[email protected]>
> Cc: Suzuki K Poulose <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> ---
> drivers/usb/roles/class.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c
> index 8273126..63a00ff 100644
> --- a/drivers/usb/roles/class.c
> +++ b/drivers/usb/roles/class.c
> @@ -169,8 +169,8 @@ struct usb_role_switch *fwnode_usb_role_switch_get(struct fwnode_handle *fwnode)
> void usb_role_switch_put(struct usb_role_switch *sw)
> {
> if (!IS_ERR_OR_NULL(sw)) {
> - put_device(&sw->dev);
> module_put(sw->dev.parent->driver->owner);
> + put_device(&sw->dev);
> }
> }
> EXPORT_SYMBOL_GPL(usb_role_switch_put);
> --
> 1.8.3.1
>

Reviewed-by: Peter Chen <[email protected]>

--

Thanks,
Peter Chen

2019-11-26 16:22:41

by Heikki Krogerus

Subject: Re: [PATCH] usb: roles: fix a potential use after free

On Tue, Nov 26, 2019 at 05:49:17PM +0200, Heikki Krogerus wrote:
> On Sun, Nov 24, 2019 at 10:22:36PM +0800, Wen Yang wrote:
> > Free the sw structure only after we are done using it.
> > This patch just moves the put_device() down a bit to avoid the
> > use after free.
> >
> > Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting")
> > Signed-off-by: Wen Yang <[email protected]>
> > Cc: Heikki Krogerus <[email protected]>
> > Cc: Hans de Goede <[email protected]>
> > Cc: Greg Kroah-Hartman <[email protected]>
> > Cc: Chunfeng Yun <[email protected]>
> > Cc: Suzuki K Poulose <[email protected]>
> > Cc: [email protected]
> > Cc: [email protected]

Ups, sorry. I meant:

Reviewed-by: Heikki Krogerus <[email protected]>

thanks,

--
heikki

2019-11-26 17:54:40

by Heikki Krogerus

Subject: Re: [PATCH] usb: roles: fix a potential use after free

On Sun, Nov 24, 2019 at 10:22:36PM +0800, Wen Yang wrote:
> Free the sw structure only after we are done using it.
> This patch just moves the put_device() down a bit to avoid the
> use after free.
>
> Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting")
> Signed-off-by: Wen Yang <[email protected]>
> Cc: Heikki Krogerus <[email protected]>
> Cc: Hans de Goede <[email protected]>
> Cc: Greg Kroah-Hartman <[email protected]>
> Cc: Chunfeng Yun <[email protected]>
> Cc: Suzuki K Poulose <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> ---
> drivers/usb/roles/class.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c
> index 8273126..63a00ff 100644
> --- a/drivers/usb/roles/class.c
> +++ b/drivers/usb/roles/class.c
> @@ -169,8 +169,8 @@ struct usb_role_switch *fwnode_usb_role_switch_get(struct fwnode_handle *fwnode)
> void usb_role_switch_put(struct usb_role_switch *sw)
> {
> if (!IS_ERR_OR_NULL(sw)) {
> - put_device(&sw->dev);
> module_put(sw->dev.parent->driver->owner);
> + put_device(&sw->dev);
> }
> }
> EXPORT_SYMBOL_GPL(usb_role_switch_put);
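Review bot: The module_put() line in this hunk still dereferences sw->dev.parent and sw->dev.parent->driver with no check visible in usb_role_switch_put(). The reorder fixes the access to sw itself, but it is worth confirming that the parent stays bound to its driver for as long as a consumer holds the switch, or guarding that pointer chain before calling module_put().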
> --
> 1.8.3.1

--
heikki