Google Git
Sign in
android / kernel / msm / e187767677be6165716aae560130921bc2520db7
commite187767677be6165716aae560130921bc2520db7[log] [tgz]
authorKrzysztof Opasiak <kopasiak90@gmail.com>Thu Jan 19 18:55:28 2017 +0100
committerDavid C. Park <davidc.park@lge.com>Mon Aug 13 10:23:41 2018 -0700
treed499a3c8babc6b7fef093615180dfed207dc1a28
parentf974b038a543b7b8ba3113e264bfa126a66612c4 [diff]
UPSTREAM: usb: gadget: f_hid: fix: Prevent accessing released memory

When we unlock our spinlock to copy data to user we may get
disabled by USB host and free the whole list of completed out
requests including the one from which we are copying the data
to user memory.

To prevent from this let's remove our working element from
the list and place it back only if there is sth left when we
finish with it.

CVE-2018-9417

Change-Id: Idbf41652b00654ca53cb76c1c7c48d634c3fab40
Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner <david@lechnology.com>
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
1 file changed
tree: d499a3c8babc6b7fef093615180dfed207dc1a28
  1. android/
  2. arch/
  3. block/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. linaro/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .gitignore
  25. .mailmap
  26. AndroidKernel.mk
  27. build.config
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS