2019-11-26 14:32:58

by Wen Yang

[permalink] [raw]
Subject: [PATCH] usb: typec: fix use after free in typec_register_port()

We can't use "port->sw" and/or "port->mux" after it has been freed.

Fixes: 23481121c81d ("usb: typec: class: Don't use port parent for getting mux handles")
Signed-off-by: Wen Yang <[email protected]>
Cc: Heikki Krogerus <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: [email protected]
Cc: [email protected]
---
drivers/usb/typec/class.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
index 7ece6ca..91d6227 100644
--- a/drivers/usb/typec/class.c
+++ b/drivers/usb/typec/class.c
@@ -1612,14 +1612,16 @@ struct typec_port *typec_register_port(struct device *parent,

port->sw = typec_switch_get(&port->dev);
if (IS_ERR(port->sw)) {
+ ret = PTR_ERR(port->sw);
put_device(&port->dev);
- return ERR_CAST(port->sw);
+ return ERR_PTR(ret);
}

port->mux = typec_mux_get(&port->dev, NULL);
if (IS_ERR(port->mux)) {
+ ret = PTR_ERR(port->mux);
put_device(&port->dev);
- return ERR_CAST(port->mux);
+ return ERR_PTR(ret);
}

ret = device_add(&port->dev);
--
1.8.3.1


2019-11-26 16:20:34

by Heikki Krogerus

[permalink] [raw]
Subject: Re: [PATCH] usb: typec: fix use after free in typec_register_port()

On Tue, Nov 26, 2019 at 10:04:52PM +0800, Wen Yang wrote:
> We can't use "port->sw" and/or "port->mux" after it has been freed.
>
> Fixes: 23481121c81d ("usb: typec: class: Don't use port parent for getting mux handles")
> Signed-off-by: Wen Yang <[email protected]>
> Cc: Heikki Krogerus <[email protected]>

Acked-by: Heikki Krogerus?<[email protected]>

> Cc: Greg Kroah-Hartman <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> ---
> drivers/usb/typec/class.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
> index 7ece6ca..91d6227 100644
> --- a/drivers/usb/typec/class.c
> +++ b/drivers/usb/typec/class.c
> @@ -1612,14 +1612,16 @@ struct typec_port *typec_register_port(struct device *parent,
>
> port->sw = typec_switch_get(&port->dev);
> if (IS_ERR(port->sw)) {
> + ret = PTR_ERR(port->sw);
> put_device(&port->dev);
> - return ERR_CAST(port->sw);
> + return ERR_PTR(ret);
> }
>
> port->mux = typec_mux_get(&port->dev, NULL);
> if (IS_ERR(port->mux)) {
> + ret = PTR_ERR(port->mux);
> put_device(&port->dev);
> - return ERR_CAST(port->mux);
> + return ERR_PTR(ret);
> }
>
> ret = device_add(&port->dev);
> --
> 1.8.3.1

thanks,

--
heikki