mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-02 01:29:02 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/drivers/usb/cdns3
History
Chen Yufeng 87c5ff5615 usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget 
In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget
structure (pdev->gadget) was freed before its endpoints.
The endpoints are linked via the ep_list in the gadget structure.
Freeing the gadget first leaves dangling pointers in the endpoint list.
When the endpoints are subsequently freed, this results in a use-after-free.

Fix:
By separating the usb_del_gadget_udc() operation into distinct "del" and
"put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the
final release of the gadget structure with usb_put_gadget().

A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure
 only after freeing endpoints").

Signed-off-by: Chen Yufeng <chenyufeng@iie.ac.cn>
Link: https://lore.kernel.org/r/20250905094842.1232-1-chenyufeng@iie.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-09-06 15:24:05 +02:00
..
cdns3-debug.h usb: cdns3: change trace event cdns3_ring() operation 2023-03-09 15:35:03 +01:00
cdns3-ep0.c usb: cdns3: Fixed incorrect gadget state 2021-07-29 14:13:02 +08:00
cdns3-gadget.c usb: cdns3: Fix deadlock when using NCM gadget 2025-04-11 16:20:59 +02:00
cdns3-gadget.h usb: cdns3: fix iso transfer error when mult is not zero 2024-01-04 16:01:44 +01:00
cdns3-imx.c usb: Switch back to struct platform_driver::remove() 2024-10-04 15:13:03 +02:00
cdns3-pci-wrap.c usb: cdns3: Synchronise PCI IDs via common data base 2024-11-13 07:16:31 +01:00
cdns3-plat.c usb: cdns3: Remove the invalid comment 2025-04-11 16:08:33 +02:00
cdns3-starfive.c usb: Switch back to struct platform_driver::remove() 2024-10-04 15:13:03 +02:00
cdns3-ti.c usb: cdns3-ti: run HW init at resume() if HW was reset 2025-03-14 09:18:02 +01:00
cdns3-trace.c
cdns3-trace.h cdns3: Remove unused tracepoints 2025-09-06 15:23:39 +02:00
cdnsp-debug.h usb: cdnsp: Fix issue with CV Bad Descriptor test 2025-06-24 15:42:39 +01:00
cdnsp-ep0.c usb: cdnsp: Fix issue with CV Bad Descriptor test 2025-06-24 15:42:39 +01:00
cdnsp-gadget.c usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget 2025-09-06 15:24:05 +02:00
cdnsp-gadget.h usb: cdnsp: Fix issue with CV Bad Descriptor test 2025-06-24 15:42:39 +01:00
cdnsp-mem.c usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() 2021-12-03 13:57:45 +01:00
cdnsp-pci.c usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call 2025-09-06 15:23:59 +02:00
cdnsp-ring.c usb: cdnsp: Fix issue with CV Bad Descriptor test 2025-06-24 15:42:39 +01:00
cdnsp-trace.c
cdnsp-trace.h cdnsp: Remove unused tracepoints 2025-09-06 15:23:39 +02:00
core.c usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() 2025-03-14 09:18:02 +01:00
core.h usb: cdnsp: Fix issue with resuming from L1 2025-05-01 17:36:12 +02:00
drd.c usb: cdns3: Add quirk flag to enable suspend residency 2024-06-04 15:41:10 +02:00
drd.h usb: cdns3: Add quirk flag to enable suspend residency 2024-06-04 15:41:10 +02:00
gadget-export.h
host-export.h
host.c usb: host: cdns3: forward lost power information to xhci 2025-03-14 09:18:03 +01:00
Kconfig usb: cdns3: Add StarFive JH7110 USB driver 2023-05-29 15:52:11 +01:00
Makefile usb: cdns3: Add StarFive JH7110 USB driver 2023-05-29 15:52:11 +01:00