Frank Li 70e8038813 usb: cdns3: fix memory double free when handle zero packet
commit 5fd9e45f1ebcd57181358af28506e8a661a260b3 upstream.

829  if (request->complete) {
830          spin_unlock(&priv_dev->lock);
831          usb_gadget_giveback_request(&priv_ep->endpoint,
832                                    request);
833          spin_lock(&priv_dev->lock);
834  }
835
836  if (request->buf == priv_dev->zlp_buf)
837      cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);

The driver appends an additional zero packet request when queuing a packet
whose length mod max packet size is 0. When the transfer completes, execution
runs to line 831 and usb_gadget_giveback_request() will free this request. The
condition at line 836 is true, so cdns3_gadget_ep_free_request() frees this
request again.

Log:

[ 1920.140696][  T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
[ 1920.140696][  T150]
[ 1920.151837][  T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):
[ 1920.159082][  T150]  cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
[ 1920.164988][  T150]  cdns3_transfer_completed+0x438/0x5f8 [cdns3]

Add a check at line 829 to skip calling usb_gadget_giveback_request() if it is
an additional zero length packet request. There is no need to call
usb_gadget_giveback_request() because it is allocated in this driver.

Cc: stable@vger.kernel.org
Fixes: 7733f6c32e ("usb: cdns3: Add Cadence USB3 DRD Driver")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Roger Quadros <rogerq@kernel.org>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20240202154217.661867-2-Frank.Li@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-03-01 13:35:02 +01:00
Documentation docs: Instruct LaTeX to cope with deeper nesting 2024-03-01 13:34:58 +01:00
LICENSES LICENSES: Add the copyleft-next-0.3.1 license 2022-11-08 15:44:01 +01:00
arch ARM: ep93xx: Add terminator to gpiod_lookup_table 2024-03-01 13:35:01 +01:00
block block: Fix WARNING in _copy_from_iter 2024-03-01 13:34:49 +01:00
certs certs: Reference revocation list for all keyrings 2023-08-17 20:12:41 +00:00
crypto crypto: algif_hash - Remove bogus SGL free on zero-length error path 2024-02-23 09:25:11 +01:00
drivers usb: cdns3: fix memory double free when handle zero packet 2024-03-01 13:35:02 +01:00
fs erofs: fix refcount on the metabuf used for inode lookup 2024-03-01 13:35:01 +01:00
include mm/swap: fix race when skipping swapcache 2024-03-01 13:35:00 +01:00
init update workarounds for gcc "asm goto" issue 2024-02-23 09:24:47 +01:00
io_uring io_uring/net: fix multishot accept overflow handling 2024-02-23 09:25:10 +01:00
ipc Add x86 shadow stack support 2023-08-31 12:20:12 -07:00
kernel sched/rt: Disallow writing invalid values to sched_rt_period_us 2024-03-01 13:34:47 +01:00
lib lib/Kconfig.debug: TEST_IOV_ITER depends on MMU 2024-03-01 13:34:59 +01:00
mm mm/damon/reclaim: fix quota stauts loss due to online tunings 2024-03-01 13:35:00 +01:00
net l2tp: pass correct message length to ip6_append_data 2024-03-01 13:35:01 +01:00
rust rust: upgrade to Rust 1.73.0 2024-02-16 19:10:43 +01:00
samples work around gcc bugs with 'asm goto' with outputs 2024-02-23 09:24:47 +01:00
scripts modpost: Add '.ltext' and '.ltext.*' to TEXT_SECTIONS 2024-02-23 09:25:03 +01:00
security lsm: fix the logic in security_inode_getsecctx() 2024-02-23 09:25:02 +01:00
sound ALSA: usb-audio: Ignore clock selector errors for single connection 2024-03-01 13:34:52 +01:00
tools selftests/mm: uffd-unit-test check if huge page size is 0 2024-03-01 13:35:00 +01:00
usr initramfs: Encode dependency on KBUILD_BUILD_TIMESTAMP 2023-06-06 17:54:49 +09:00
virt ARM: 2023-09-07 13:52:20 -07:00
.clang-format iommu: Add for_each_group_device() 2023-05-23 08:15:51 +02:00
.cocciconfig
.get_maintainer.ignore get_maintainer: add Alan to .get_maintainer.ignore 2022-08-20 15:17:44 -07:00
.gitattributes .gitattributes: set diff driver for Rust source code files 2023-05-31 17:48:25 +02:00
.gitignore kbuild: rpm-pkg: rename binkernel.spec to kernel.spec 2023-07-25 00:59:33 +09:00
.mailmap 20 hotfixes. 12 are cc:stable and the remainder address post-6.5 issues 2023-10-24 09:52:16 -10:00
.rustfmt.toml rust: add `.rustfmt.toml` 2022-09-28 09:02:20 +02:00
COPYING COPYING: state that all contributions really are covered by this file 2020-02-10 13:32:20 -08:00
CREDITS USB: Remove Wireless USB and UWB documentation 2023-08-09 14:17:32 +02:00
Kbuild Kbuild updates for v6.1 2022-10-10 12:00:45 -07:00
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS MAINTAINERS: add Catherine as xfs maintainer for 6.6.y 2024-02-16 19:10:43 +01:00
Makefile Linux 6.6.18 2024-02-23 09:25:28 +01:00
README Drop all 00-INDEX files from Documentation/ 2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.