mirror of synced 2025-03-06 20:59:54 +01:00
linux/drivers/usb/gadget/legacy
Alan Stern 90bc2af246 USB: gadget: Fix double-free bug in raw_gadget driver
Re-reading a recently merged fix to the raw_gadget driver showed that
it inadvertently introduced a double-free bug in a failure pathway.
If raw_ioctl_init() encounters an error after the driver ID number has
been allocated, it deallocates the ID number before returning.  But
when dev_free() runs later on, it will then try to deallocate the ID
number a second time.

Closely related to this issue is another error in the recent fix: The
ID number is stored in the raw_dev structure before the code checks to
see whether the structure has already been initialized, in which case
the new ID number would overwrite the earlier value.

The solution to both bugs is to keep the new ID number in a local
variable, and store it in the raw_dev structure only after the check
for prior initialization.  No errors can occur after that point, so
the double-free will never happen.

Fixes: f2d8c26068 ("usb: gadget: Fix non-unique driver names in raw-gadget driver")
CC: Andrey Konovalov <andreyknvl@gmail.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YrMrRw5AyIZghN0v@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-06-24 13:45:21 +02:00
acm_ms.c USB: gadget: legacy: fix return error code in acm_ms_bind() 2020-12-28 15:45:50 +01:00
audio.c usb: gadget: audio: Add HS/SS bInterval params for UAC2 2022-01-31 14:26:18 +01:00
cdc2.c usb: gadget: legacy: fix error return code in cdc_bind() 2020-05-09 11:05:08 +03:00
dbgp.c USB: gadget: Rename usb_gadget_probe_driver() 2022-04-26 14:00:13 +02:00
ether.c USB: gadget: legacy: fix an error code in eth_bind() 2021-01-31 13:53:39 +01:00
g_ffs.c usb: gadget: legacy: set max_speed to super-speed 2020-01-15 10:39:21 +01:00
gmidi.c usb: gadget: legacy: gmidi: remove useless cast for driver.name 2020-02-19 11:10:24 +01:00
hid.c usb: gadget: legacy: remove using list iterator after loop body as a ptr 2022-03-15 18:19:44 +01:00
inode.c USB: gadget: Rename usb_gadget_probe_driver() 2022-04-26 14:00:13 +02:00
Kconfig media: Kconfig: cleanup VIDEO_DEV dependencies 2022-03-18 05:58:35 +01:00
Makefile usb: gadget: add raw-gadget interface 2020-03-15 11:34:48 +02:00
mass_storage.c usb: gadget: legacy: fix error return code of msg_bind() 2021-03-23 14:13:29 +01:00
multi.c USB: gadget: legacy: remove left-over __ref annotations 2021-03-23 12:57:10 +01:00
ncm.c usb: gadget: legacy: fix error return code in gncm_bind() 2020-05-09 11:05:08 +03:00
nokia.c usb: gadget: legacy: nokia: Remove unused static variable 'product_nokia' 2020-07-09 17:19:56 +02:00
printer.c usb: gadget: Add description for module parameter 2021-08-26 13:30:00 +02:00
raw_gadget.c USB: gadget: Fix double-free bug in raw_gadget driver 2022-06-24 13:45:21 +02:00
serial.c usb: gadget: eliminate anonymous module_init & module_exit 2022-03-18 12:53:18 +01:00
tcm_usb_gadget.c usb: gadget: tcm: fix spelling mistake: "Manufactor" -> "Manufacturer" 2018-07-26 13:35:29 +03:00
webcam.c usb: webcam: Invalid size of Processing Unit Descriptor 2021-03-18 09:02:27 +01:00
zero.c USB: Fix up terminology 2020-07-01 14:04:04 +02:00