7fafcfdf63
It looks like there is a possibility of a double-free vulnerability on an error path of the f_midi_set_alt function in the f_midi driver. If the path is feasible then free_ep_req gets called twice: req->complete = f_midi_complete; err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC); => ... usb_gadget_giveback_request => f_midi_complete (CALLBACK) (inside f_midi_complete, for various cases of status) free_ep_req(ep, req); // first kfree if (err) { ERROR(midi, "%s: couldn't enqueue request: %d\n", midi->out_ep->name, err); free_ep_req(midi->out_ep, req); // second kfree return err; } The double-free possibility was introduced with commit ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests"). Found by MOXCAFE tool. Signed-off-by: Tuba Yavuz <tuba@ece.ufl.edu> Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests") Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
// SPDX-License-Identifier: GPL-2.0
/*
* u_f.h
*
* Utility definitions for USB functions
*
* Copyright (c) 2013 Samsung Electronics Co., Ltd.
* http://www.samsung.com
*
* Author: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
*/
#ifndef __U_F_H__
#define __U_F_H__
#include <linux/usb/gadget.h>
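/* Variable Length Array Macros **********************************************/
/*
 * These macros lay out several variable-length arrays ("items") back to back
 * inside one contiguous buffer. vla_group() starts a group with a running end
 * offset of zero; each vla_item()/vla_item_with_sz() records the item's byte
 * offset (rounded up to the element type's alignment) and advances the running
 * end; vla_group_size() yields the bytes laid out so far, i.e. the size the
 * group's buffer needs; vla_ptr() turns a buffer base pointer plus an item's
 * recorded offset into that item's address.
 *
 * vla_group(), vla_item() and vla_item_with_sz() all expand to definitions of
 * size_t variables, so they must appear where declarations are allowed, in the
 * order the items are to be laid out.
 */

/* vla_group - begin a group; defines the running end offset groupname__next. */
#define vla_group(groupname) size_t groupname##__next = 0
/* vla_group_size - bytes laid out so far (end offset of the last item). */
#define vla_group_size(groupname) groupname##__next

/*
 * vla_item - lay out @n elements of @type as item @name and define
 * groupname_name__offset holding the item's byte offset within the group.
 * @n is evaluated exactly once. The (n) * sizeof(type) product is plain size_t
 * arithmetic with no overflow check, so @n must be validated by the caller
 * beforehand whenever it derives from external input (descriptors, user data).
 */
#define vla_item(groupname, type, name, n) \
size_t groupname##_##name##__offset = ({ \
	size_t align_mask = __alignof__(type) - 1; \
	size_t offset = (groupname##__next + align_mask) & ~align_mask;\
	size_t size = (n) * sizeof(type); \
	groupname##__next = offset + size; \
	offset; \
})

/*
 * vla_item_with_sz - like vla_item(), but additionally defines
 * groupname_name__sz holding the item's size in bytes, for callers that need
 * it later (e.g. to bound a copy into the item). Same overflow caveat as
 * vla_item(): the size product is unchecked.
 */
#define vla_item_with_sz(groupname, type, name, n) \
size_t groupname##_##name##__sz = (n) * sizeof(type); \
size_t groupname##_##name##__offset = ({ \
	size_t align_mask = __alignof__(type) - 1; \
	size_t offset = (groupname##__next + align_mask) & ~align_mask;\
	size_t size = groupname##_##name##__sz; \
	groupname##__next = offset + size; \
	offset; \
})

/*
 * vla_ptr - address of item @name within the group buffer starting at @ptr,
 * i.e. @ptr advanced by the item's recorded byte offset. No bounds check is
 * done here; @ptr is presumably a buffer of at least vla_group_size() bytes.
 * @ptr is parenthesised so that an expression argument (e.g. base + 1) is
 * cast as a whole instead of the cast binding to its first operand only.
 */
#define vla_ptr(ptr, groupname, name) \
((void *) ((char *)(ptr) + groupname##_##name##__offset))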
struct usb_ep;
struct usb_request;
/**
* alloc_ep_req - returns a usb_request allocated by the gadget driver and
* allocates the request's buffer.
*
* @ep: the endpoint to allocate a usb_request
* @len: suggested size of the usb_request's buffer
*
* In case @ep direction is OUT, the @len will be aligned to ep's
* wMaxPacketSize. In order to avoid memory leaks or drops, *always* use
* the usb_request's length (req->length) to refer to the allocated buffer size.
* Requests allocated via alloc_ep_req() *must* be freed by free_ep_req().
*/
struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len);
/*
 * free_ep_req - release a usb_request obtained from alloc_ep_req()
 * @ep: the endpoint the request was allocated for
 * @req: the request to release; ->buf is the buffer alloc_ep_req() set up
 *
 * Frees the request's buffer, clears ->buf and then releases the request
 * object through usb_ep_free_request(). A NULL ->buf on entry is reported
 * with WARN_ON(): it is the signature of a buffer that was already freed
 * (a repeated call on the same request) or of a request not set up by
 * alloc_ep_req(). The pointer is cleared here precisely so that a repeated
 * call is detected instead of silently freeing the same memory twice; note
 * that this only helps while the caller still legitimately holds @req, since
 * the request object itself is gone once usb_ep_free_request() returns, and
 * @req must not be dereferenced after this function.
 */
static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
{
	void *buf = req->buf;

	/* Flag a missing buffer before anything is released. */
	WARN_ON(!buf);
	/* Poison the pointer so the freed buffer cannot be reached via req. */
	req->buf = NULL;
	kfree(buf);
	usb_ep_free_request(ep, req);
}
#endif /* __U_F_H__ */