Received: by 10.213.65.68 with SMTP id h4csp751532imn; Fri, 6 Apr 2018 08:17:33 -0700 (PDT) X-Google-Smtp-Source: AIpwx48WP7BAWr2mJkm/A6HCd40MN1CqJAhJuVhsUDGoLFfr6kexyotD4q2CjvXN1R9vAYjiWesW X-Received: by 2002:a17:902:585e:: with SMTP id f30-v6mr25845549plj.254.1523027853797; Fri, 06 Apr 2018 08:17:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523027853; cv=none; d=google.com; s=arc-20160816; b=lF7hZQbpfGULrnbC3MopVvXExUW6CIEanavKykxy6r7xjHO9A3/6wh3Q6/G6ebYqZl GTXGXBYQ29ONFwwvUTC4yPVXBVOMeYkw1VKqBLYlqxL2jJTmvFvwWUQw54KFBUlvtrdp BQu0/M2jjygd4Ok56FLSBrP0anS0A0ZDipVVbj4uUCMtXYZTWeQV7xgoeh89OBHtO4bs QfzjFFctSBBbbY8FhUJihQxibqaZ3c0rCvuVXpl6iYPUo22g/QlW4f/fBvp9nrxn0cJv uOQ1uQ2m419vomN9VKzRp3AvNEJ5gzLsXDk5r+sxMKf+/R1ZNZeYepnD7a9aJfNeYBce T7Zw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=gL3KADZIG4MRd6/hG8ljzwikeEpvNmhj9r+0ZzwFyqE=; b=TvS4ijJxxvevGhE5dGT+egDW0B8bRBUHCXlt6bBH44pluvkQbbsSs4UV5Lwc1ZA0R/ tyLyORi8ZDRcPg+DO0Jf92s+EaZSc7NuhElTvS5CKXnxylcXTz26h+UbwRpA4/GG2U+N X0Y5WLkWGG7Uvwgnng2hBt+Nd+V5nq8uw4d8z4uKR6Md9r2J5+cnN02d7cYRROjvDpRu qIjHr10wceGUcBaxmK57YHv7IXO2rHWtcVuYpDgRHuo8VdtqGcHSWGm3FWYpiMuUWfne eHH4F+XmnY+kHZRZfLFeI+gD8Sf04lF/w0vsBV52b2ygUeNUQF31MvTSw4G4Ee3ULNe4 X0Sw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f3-v6si9613938plm.433.2018.04.06.08.17.19; Fri, 06 Apr 2018 08:17:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754474AbeDFN2q (ORCPT + 99 others); Fri, 6 Apr 2018 09:28:46 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:55452 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752755AbeDFN2n (ORCPT ); Fri, 6 Apr 2018 09:28:43 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 58D22C40; Fri, 6 Apr 2018 13:28:42 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Lechner , Krzysztof Opasiak , Felipe Balbi , Jerry Zhang Subject: [PATCH 3.18 46/93] usb: gadget: f_hid: fix: Prevent accessing released memory Date: Fri, 6 Apr 2018 15:23:15 +0200 Message-Id: <20180406084226.933085007@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180406084224.918716300@linuxfoundation.org> References: <20180406084224.918716300@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Krzysztof Opasiak commit aa65d11aa008f4de58a9cee7e121666d9d68505e upstream. When we unlock our spinlock to copy data to user we may get disabled by USB host and free the whole list of completed out requests including the one from which we are copying the data to user memory. To prevent from this let's remove our working element from the list and place it back only if there is sth left when we finish with it. Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT") Cc: stable@vger.kernel.org Tested-by: David Lechner Signed-off-by: Krzysztof Opasiak Signed-off-by: Felipe Balbi Cc: Jerry Zhang Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/function/f_hid.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) --- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -197,6 +197,13 @@ static ssize_t f_hidg_read(struct file * /* pick the first one */ list = list_first_entry(&hidg->completed_out_req, struct f_hidg_req_list, list); + + /* + * Remove this from list to protect it from beign free() + * while host disables our function + */ + list_del(&list->list); + req = list->req; count = min_t(unsigned int, count, req->actual - list->pos); spin_unlock_irqrestore(&hidg->spinlock, flags); @@ -212,15 +219,20 @@ static ssize_t f_hidg_read(struct file * * call, taking into account its current read position. */ if (list->pos == req->actual) { - spin_lock_irqsave(&hidg->spinlock, flags); - list_del(&list->list); kfree(list); - spin_unlock_irqrestore(&hidg->spinlock, flags); req->length = hidg->report_length; ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL); - if (ret < 0) + if (ret < 0) { + free_ep_req(hidg->out_ep, req); return ret; + } + } else { + spin_lock_irqsave(&hidg->spinlock, flags); + list_add(&list->list, &hidg->completed_out_req); + spin_unlock_irqrestore(&hidg->spinlock, flags); + + wake_up(&hidg->read_queue); } return count; @@ -455,6 +467,7 @@ static void hidg_disable(struct usb_func { struct f_hidg *hidg = func_to_hidg(f); struct f_hidg_req_list *list, *next; + unsigned long flags; usb_ep_disable(hidg->in_ep); hidg->in_ep->driver_data = NULL; @@ -462,10 +475,13 @@ static void hidg_disable(struct usb_func usb_ep_disable(hidg->out_ep); hidg->out_ep->driver_data = NULL; + spin_lock_irqsave(&hidg->spinlock, flags); list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) { + free_ep_req(hidg->out_ep, list->req); list_del(&list->list); kfree(list); } + spin_unlock_irqrestore(&hidg->spinlock, flags); } static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)