Re: [PATCH] usb: roles: fix a potential use after free
From: Heikki Krogerus
Date: Tue Nov 26 2019 - 10:49:18 EST
On Sun, Nov 24, 2019 at 10:22:36PM +0800, Wen Yang wrote:
> Free the sw structure only after we are done using it.
> This patch just moves the put_device() down a bit to avoid the
> use after free.
>
> Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting")
> Signed-off-by: Wen Yang <wenyang@xxxxxxxxxxxxxxxxx>
> Cc: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
> Cc: Hans de Goede <hdegoede@xxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: Chunfeng Yun <chunfeng.yun@xxxxxxxxxxxx>
> Cc: Suzuki K Poulose <suzuki.poulose@xxxxxxx>
> Cc: linux-usb@xxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx
> ---
> drivers/usb/roles/class.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c
> index 8273126..63a00ff 100644
> --- a/drivers/usb/roles/class.c
> +++ b/drivers/usb/roles/class.c
> @@ -169,8 +169,8 @@ struct usb_role_switch *fwnode_usb_role_switch_get(struct fwnode_handle *fwnode)
> void usb_role_switch_put(struct usb_role_switch *sw)
> {
> if (!IS_ERR_OR_NULL(sw)) {
> - put_device(&sw->dev);
> module_put(sw->dev.parent->driver->owner);
> + put_device(&sw->dev);
> }
> }
> EXPORT_SYMBOL_GPL(usb_role_switch_put);
> --
> 1.8.3.1
--
heikki