linux/drivers
Sriharsha Allenki a385ebdaa4 usb: gadget: f_fs: Fix use after free issue as part of queue failure
commit f63ec55ff9 upstream.

In AIO case, the request is freed up if ep_queue fails.
However, io_data->req still has the reference to this freed
request. In the case of this failure if there is aio_cancel
call on this io_data it will lead to an invalid dequeue
operation and a potential use after free issue.
Fix this by setting the io_data->req to NULL when the request
is freed as part of queue failure.

Fixes: 2e4c7553cd ("usb: gadget: f_fs: add aio support")
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
CC: stable <stable@vger.kernel.org>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Link: https://lore.kernel.org/r/20200326115620.12571-1-sallenki@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-17 10:50:06 +02:00
accessibility
acpi ACPI: EC: Do not clear boot_ec_is_ecdt in acpi_ec_add() 2020-04-17 10:50:01 +02:00
amba
android binderfs: use refcount for binder control devices too 2020-03-25 08:25:50 +01:00
ata libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() 2020-04-17 10:50:03 +02:00
atm fore200e: Fix incorrect checks of NULL pointer dereference 2020-02-24 08:36:36 +01:00
auxdisplay
base firmware: fix a double abort case with fw_load_sysfs_fallback 2020-04-17 10:50:05 +02:00
bcma
block null_blk: fix spurious IO errors after failed past-wp access 2020-04-17 10:50:00 +02:00
bluetooth Bluetooth: btusb: Disable runtime suspend on Realtek devices 2020-02-11 04:35:09 -08:00
bus bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads 2020-04-17 10:49:56 +02:00
cdrom cdrom: respect device capabilities during opening action 2020-01-04 19:18:25 +01:00
char hwrng: imx-rngc - fix an error path 2020-04-13 10:48:08 +02:00
clk clk: ti: am43xx: Fix clock parent for RTC clock 2020-04-02 15:11:02 +02:00
clocksource clocksource/drivers/hyper-v: Untangle stimers and timesync from clocksources 2020-04-01 11:02:12 +02:00
connector
counter
cpufreq cpufreq: imx6q: fix error handling 2020-04-17 10:50:03 +02:00
cpuidle cpuidle: teo: Avoid using "early hits" incorrectly 2020-02-05 21:22:52 +00:00
crypto crypto: chtls - Fixed memory leak 2020-02-24 08:36:40 +01:00
dax
dca
devfreq Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" 2020-03-05 16:43:43 +01:00
dio
dma dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() 2020-03-12 13:00:30 +01:00
dma-buf dma-buf: free dmabuf->name in dma_buf_release() 2020-03-12 13:00:30 +01:00
edac EDAC/synopsys: Do not print an error with back-to-back snprintf() calls 2020-03-12 13:00:31 +01:00
eisa
extcon extcon: axp288: Add wakeup support 2020-04-08 09:08:43 +02:00
firewire net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:20:06 +01:00
firmware efi/x86: Ignore the memory attributes table on i386 2020-04-17 10:50:03 +02:00
fpga
fsi fsi: core: Fix small accesses and unaligned offsets via sysfs 2019-12-31 16:45:09 +01:00
gnss
gpio gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model 2020-04-02 15:11:01 +02:00
gpu drm/scheduler: fix rare NULL ptr race 2020-04-17 10:49:59 +02:00
greybus
hid HID: add ALWAYS_POLL quirk to lenovo pixart mouse 2020-03-21 08:11:59 +01:00
hsi
hv hv_balloon: Balloon up according to request page number 2020-02-11 04:35:21 -08:00
hwmon hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() 2020-03-12 13:00:30 +01:00
hwspinlock
hwtracing stm class: sys-t: Fix the use of time_after() 2020-03-25 08:25:56 +01:00
i2c i2c: pca-platform: Use platform_irq_get_optional 2020-04-17 10:49:59 +02:00
i3c
ide ide: serverworks: potential overflow in svwks_set_pio_mode() 2020-02-24 08:36:53 +01:00
idle
iio iio: light: vcnl4000: update sampling periods for vcnl4040 2020-03-25 08:25:54 +01:00
infiniband RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow 2020-04-13 10:48:14 +02:00
input Input: tm2-touchkey - add support for Coreriver TC360 variant 2020-04-17 10:49:57 +02:00
interconnect interconnect: qcom: qcs404: Walk the list safely on node removal 2019-12-17 19:55:39 +01:00
iommu iommu/vt-d: Allow devices with RMRRs to use identity domain 2020-04-13 10:48:18 +02:00
ipack
irqchip irqchip/gic-v4: Provide irq_retrigger to avoid circular locking dependency 2020-04-17 10:50:04 +02:00
isdn
leds leds: pca963x: Fix open-drain initialization 2020-02-24 08:36:24 +01:00
lightnvm
macintosh macintosh: windfarm: fix MODINFO regression 2020-03-18 07:17:53 +01:00
mailbox mailbox: imx: Fix Tx doorbell shutdown path 2020-01-04 19:18:30 +01:00
mcb
md md: check arrays is suspended in mddev_detach before call quiesce operations 2020-04-17 10:50:04 +02:00
media media: i2c: ov5695: Fix power on and off sequences 2020-04-17 10:50:04 +02:00
memory memory: mtk-smi: Add PM suspend and resume ops 2020-01-17 19:48:59 +01:00
memstick
message scsi: mptfusion: Fix double fetch bug in ioctl 2020-01-23 08:22:35 +01:00
mfd mfd: max77650: Select REGMAP_IRQ in Kconfig 2020-02-14 16:34:19 -05:00
misc mei: me: add cedar fork device ids 2020-04-08 09:08:42 +02:00
mmc mmc: sdhci-tegra: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY 2020-04-01 11:01:29 +02:00
mtd mtd: sharpslpart: Fix unsigned comparison to zero 2020-02-14 16:34:18 -05:00
mux
net qlcnic: Fix bad kzalloc null test 2020-04-17 10:49:59 +02:00
nfc NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() 2020-04-01 11:01:38 +02:00
ntb
nubus
nvdimm libnvdimm/btt: fix variable 'rc' set but not used 2020-01-04 19:18:12 +01:00
nvme nvme-rdma: Avoid double freeing of async event data 2020-04-08 09:08:37 +02:00
nvmem nvmem: check for NULL reg_read and reg_write before dereferencing 2020-04-08 09:08:42 +02:00
of drivers/of/of_mdio.c:fix of_mdiobus_register() 2020-04-01 11:01:51 +02:00
opp opp: Free static OPPs on errors while adding them 2020-02-24 08:36:34 +01:00
oprofile
parisc
parport parport: load lowlevel driver if ports not found 2019-12-31 16:45:25 +01:00
pci PCI/switchtec: Fix init_completion race condition with poll_wait() 2020-04-17 10:50:02 +02:00
pcmcia
perf drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer 2020-03-25 08:25:47 +01:00
phy phy: ti: gmii-sel: do not fail in case of gmii 2020-03-25 08:25:42 +01:00
pinctrl pinctrl: core: Remove extra kref_get which blocks hogs being freed 2020-03-18 07:17:55 +01:00
platform platform/x86: intel_int0002_vgpio: Use acpi_register_wakeup_handler() 2020-04-13 10:48:09 +02:00
pnp
power power: supply: axp288_charger: Add special handling for HP Pavilion x2 10 2020-04-08 09:08:43 +02:00
powercap powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online() 2020-01-14 20:08:18 +01:00
pps
ps3
ptp ptp: free ptp device pin descriptors properly 2020-01-23 08:22:51 +01:00
pwm pwm: omap-dmtimer: put_device() after of_find_device_by_node() 2020-03-05 16:43:49 +01:00
rapidio
ras
regulator regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling 2020-03-12 13:00:29 +01:00
remoteproc remoteproc: Initialize rproc_class before use 2020-02-24 08:36:54 +01:00
reset reset: uniphier: Add SCSSI reset control for each channel 2020-02-24 08:36:41 +01:00
rpmsg rpmsg: char: release allocated memory 2020-01-14 20:08:37 +01:00
rtc rtc: max8907: add missing select REGMAP_IRQ 2020-03-25 08:25:56 +01:00
s390 s390/qeth: handle error when backing RX buffer 2020-04-01 11:01:54 +02:00
sbus
scsi scsi: sd: Fix optimal I/O size for devices that change reported values 2020-04-01 11:02:01 +02:00
sfi
sh
siox
slimbus
soc soc: fsl: dpio: register dpio irq handlers after dpio create 2020-04-17 10:49:57 +02:00
soundwire soundwire: intel: fix PDI/stream mapping for Bulk 2019-12-31 16:45:11 +01:00
spi spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion 2020-04-17 10:50:05 +02:00
spmi spmi: pmic-arb: Set lockdep class for hierarchical irq domains 2020-02-19 19:53:07 +01:00
ssb
staging media: allegro: fix type of gop_length in channel_create message 2020-04-17 10:50:02 +02:00
target scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" 2020-02-28 17:22:25 +01:00
tc
tee tee: optee: Fix compilation issue with nommu 2020-02-05 21:22:49 +00:00
thermal thermal: brcmstb_thermal: Do not use DT coefficients 2020-03-05 16:43:50 +01:00
thunderbolt thunderbolt: Prevent crash if non-active NVMem file is read 2020-02-28 17:22:13 +01:00
tty vt: vt_ioctl: fix use-after-free in vt_in_use() 2020-04-02 15:11:00 +02:00
uio uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol() 2020-02-24 08:36:27 +01:00
usb usb: gadget: f_fs: Fix use after free issue as part of queue failure 2020-04-17 10:50:06 +02:00
vfio vfio/spapr/nvlink2: Skip unpinning pages on error exit 2020-02-24 08:36:43 +01:00
vhost vhost: Check docket sk_family instead of call getname 2020-03-05 16:43:44 +01:00
video fbcon: fix null-ptr-deref in fbcon_switch 2020-04-13 10:48:14 +02:00
virt
virtio virtio_ring: Fix mem leak with vring_new_virtqueue() 2020-03-18 07:17:55 +01:00
visorbus visorbus: fix uninitialized variable access 2020-02-24 08:36:47 +01:00
vlynq
vme vme: bridges: reduce stack usage 2020-02-24 08:36:48 +01:00
w1
watchdog watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional 2020-04-08 09:08:46 +02:00
xen xenbus: req->err should be updated before req->state 2020-03-25 08:25:49 +01:00
zorro
Kconfig
Makefile