linux-yocto/drivers
Tao Xue 5f06ee9f9a usb: gadget : fix use-after-free in composite_dev_cleanup()
commit 151c0aa896 upstream.

1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
set to NULL. Then it will return a failure to the upper-level function.
2. In func configfs_composite_bind() -> composite_dev_cleanup():
it will check whether cdev->os_desc_req is NULL. If it is not NULL, it
will attempt to use it. This will lead to a use-after-free issue.

BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
Read of size 8 at addr 0000004827837a00 by task init/1

CPU: 10 PID: 1 Comm: init Tainted: G           O      5.10.97-oh #1
 kasan_report+0x188/0x1cc
 __asan_load8+0xb4/0xbc
 composite_dev_cleanup+0xf4/0x2c0
 configfs_composite_bind+0x210/0x7ac
 udc_bind_to_driver+0xb4/0x1ec
 usb_gadget_probe_driver+0xec/0x21c
 gadget_dev_desc_UDC_store+0x264/0x27c

Fixes: 37a3a53342 ("usb: gadget: OS Feature Descriptors support")
Cc: stable <stable@kernel.org>
Signed-off-by: Tao Xue <xuetao09@huawei.com>
Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-08-15 12:14:14 +02:00
accel accel/ivpu: Fix reset_engine debugfs file logic 2025-08-15 12:14:10 +02:00
accessibility
acpi Revert "ACPI: battery: negate current when discharging" 2025-07-17 18:37:12 +02:00
amba
android
ata ata: pata_cs5536: fix build on 32-bit UML 2025-07-10 16:05:06 +02:00
atm atm: idt77252: Add missing dma_map_error() 2025-07-17 18:37:20 +02:00
auxdisplay auxdisplay: charlcd: Partially revert "Move hwidth and bwidth to struct hd44780_common" 2025-05-29 11:02:24 +02:00
base regmap: fix potential memory leak of regmap_bus 2025-08-01 09:48:40 +01:00
bcma
block ublk: use vmalloc for ublk_device's __queues 2025-08-15 12:13:32 +02:00
bluetooth Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano 2025-08-15 12:14:12 +02:00
bus bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640 2025-08-15 12:13:38 +02:00
cache
cdrom
cdx
char hwrng: mtk - handle devm_pm_runtime_enable errors 2025-08-15 12:13:55 +02:00
clk clk: imx95-blk-ctl: Fix synchronous abort 2025-08-15 12:13:56 +02:00
clocksource clocksource: mips-gic-timer: Enable counter when CPUs start 2025-05-29 11:02:41 +02:00
comedi comedi: comedi_test: Fix possible deletion of uninitialized timers 2025-08-01 09:48:44 +01:00
connector
counter counter: interrupt-cnt: Protect enable/disable OPs with mutex 2025-06-19 15:32:12 +02:00
cpufreq cpufreq: Init policy->rwsem before it may be possibly used 2025-08-15 12:13:37 +02:00
cpuidle cpuidle: psci: Fix cpuhotplug routine with PREEMPT_RT=y 2025-07-24 08:56:25 +02:00
crypto crypto: qat - fix seq_file position update in adf_ring_next() 2025-08-15 12:13:57 +02:00
cxl cxl/region: Add a dev_err() on missing target list entries 2025-07-06 11:01:32 +02:00
dax
dca
devfreq PM / devfreq: Fix a index typo in trans_stat 2025-08-15 12:13:37 +02:00
dio
dma dmaengine: nbpfaxi: Add missing check after DMA map 2025-08-15 12:13:56 +02:00
dma-buf dma-buf: fix timeout handling in dma_resv_wait_timeout v2 2025-07-10 16:05:12 +02:00
dpll dpll: Add an assertion to check freq_supported_num 2025-05-29 11:02:31 +02:00
edac EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs 2025-07-06 11:01:42 +02:00
eisa
extcon
firewire
firmware firmware: arm_scmi: Fix up turbo frequencies selection 2025-08-15 12:13:34 +02:00
fpga fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() 2025-06-19 15:32:13 +02:00
fsi
gnss
gpio gpio: mlxbf3: only get IRQ for device instance 0 2025-06-27 11:11:46 +01:00
gpu drm/i915/ddi: only call shutdown hooks for valid encoders 2025-08-15 12:14:11 +02:00
greybus
hid HID: apple: validate feature-report field count to prevent NULL pointer dereference 2025-08-15 12:14:14 +02:00
hsi
hte
hv Drivers: hv: Make the sysfs node size for the ring buffer dynamic 2025-08-01 09:48:47 +01:00
hwmon hwmon: (corsair-cpro) Validate the size of the received input buffer 2025-07-24 08:56:32 +02:00
hwspinlock
hwtracing coresight: Only check bottom two claim bits 2025-07-06 11:01:34 +02:00
i2c i2c: muxes: mule: Fix an error handling path in mule_i2c_mux_probe() 2025-08-15 12:14:02 +02:00
i3c i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() 2025-05-29 11:03:26 +02:00
idle
iio iio: hid-sensor-prox: Fix incorrect OFFSET calculation 2025-08-01 09:48:47 +01:00
infiniband RDMA/mana_ib: Fix DSCP value in modify QP 2025-08-15 12:13:54 +02:00
input Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT 2025-08-01 09:48:39 +01:00
interconnect interconnect: qcom: sc8180x: specify num_nodes 2025-08-15 12:13:38 +02:00
iommu iommu/amd: Fix geometry.aperture_end for V2 tables 2025-08-15 12:13:44 +02:00
ipack
irqchip irqchip: Build IMX_MU_MSI only on ARM 2025-08-15 12:14:07 +02:00
isdn
leds leds: multicolor: Fix intensity setting while SW blinking 2025-07-06 11:01:32 +02:00
macintosh
mailbox mailbox: Not protect module_put with spin_lock_irqsave 2025-07-06 11:01:32 +02:00
mcb
md Revert "bcache: remove heap-related macros and switch to generic min_heap" 2025-08-15 12:14:10 +02:00
media media: ti: j721e-csi2rx: fix list_del corruption 2025-08-15 12:14:14 +02:00
memory
memstick memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() 2025-07-24 08:56:26 +02:00
message
mfd mfd: exynos-lpass: Fix another error handling path in exynos_lpass_probe() 2025-07-10 16:05:02 +02:00
misc Revert "vmci: Prevent the dispatching of uninitialized payloads" 2025-08-15 12:13:36 +02:00
mmc mmc: sdhci_am654: Workaround for Errata i2312 2025-07-24 08:56:26 +02:00
most
mtd mtd: rawnand: atmel: set pmecc data setup time 2025-08-15 12:13:57 +02:00
mux
net net: usbnet: Fix the wrong netif_carrier_on() call 2025-08-15 12:14:12 +02:00
nfc
ntb
nubus
nvdimm libnvdimm/labels: Fix divide error in nd_label_data_init() 2025-05-29 11:02:09 +02:00
nvme nvmet: exit debugfs after discovery subsystem exits 2025-08-15 12:14:08 +02:00
nvmem nvmem: layouts: u-boot-env: remove crc32 endianness conversion 2025-07-24 08:56:21 +02:00
of of: unittest: Unlock on error in unittest_data_add() 2025-06-19 15:31:48 +02:00
opp
parisc
parport
pci PCI/ASPM: Fix L1SS saving 2025-08-15 12:14:12 +02:00
pcmcia
peci
perf perf/arm-ni: Set initial IRQ affinity 2025-08-15 12:14:14 +02:00
phy phy: qualcomm: phy-qcom-eusb2-repeater: Don't zero-out registers 2025-08-15 12:13:51 +02:00
pinctrl pinmux: fix race causing mux_owner NULL with active mux_usecount 2025-08-15 12:13:54 +02:00
platform platform/x86/intel/pmt: fix a crashlog NULL pointer access 2025-08-15 12:14:13 +02:00
pmdomain pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov 2025-07-24 08:56:27 +02:00
pnp
power power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set 2025-08-15 12:13:50 +02:00
powercap powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() 2025-08-15 12:13:36 +02:00
pps pps: fix poll support 2025-08-15 12:13:35 +02:00
ps3
ptp ptp: allow reading of currently dialed frequency to succeed on free-running clocks 2025-06-27 11:11:43 +01:00
pwm pwm: mediatek: Ensure to disable clocks in error path 2025-07-17 18:37:10 +02:00
rapidio drivers/rapidio/rio_cm.c: prevent possible heap overwrite 2025-06-27 11:11:36 +01:00
ras
regulator regulator: core: fix NULL dereference on unbind due to stale coupling data 2025-08-01 09:48:39 +01:00
remoteproc remoteproc: xlnx: Disable unsupported features 2025-08-15 12:13:56 +02:00
reset
rpmsg rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() 2025-06-19 15:32:06 +02:00
rtc rtc: rv3028: fix incorrect maximum clock rate handling 2025-08-15 12:14:00 +02:00
s390 s390/ap: Unmask SLCF bit in card and queue ap functions sysfs 2025-08-15 12:14:05 +02:00
sbus
scsi scsi: sd: Make sd shutdown issue START STOP UNIT appropriately 2025-08-15 12:14:03 +02:00
sh
siox
slimbus
soc soc: qcom: pmic_glink: fix OF node leak 2025-08-15 12:13:38 +02:00
soundwire soundwire: stream: restore params when prepare ports fail 2025-08-15 12:13:55 +02:00
spi spi: cs42l43: Property entry should be a null-terminated array 2025-08-15 12:14:06 +02:00
spmi
ssb
staging staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() 2025-08-15 12:13:48 +02:00
target scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() 2025-07-10 16:05:07 +02:00
tc
tee optee: ffa: fix sleep in atomic context 2025-07-10 16:05:12 +02:00
thermal thermal/drivers/mediatek/lvts: Remove unused lvts_debugfs_exit 2025-06-19 15:32:38 +02:00
thunderbolt thunderbolt: Fix bit masking in tb_dp_port_set_hops() 2025-07-24 08:56:21 +02:00
tty pch_uart: Fix dma_sync_sg_for_device() nents value 2025-07-24 08:56:21 +02:00
ufs scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume 2025-08-15 12:14:03 +02:00
uio uio_hv_generic: Align ring size to system page 2025-06-27 11:11:25 +01:00
usb usb: gadget : fix use-after-free in composite_dev_cleanup() 2025-08-15 12:14:14 +02:00
vdpa vdpa: Fix IDR memory leak in VDUSE module exit 2025-08-15 12:13:58 +02:00
vfio vfio/pci: Separate SR-IOV VF dev_set 2025-08-15 12:14:02 +02:00
vhost vhost: Reintroduce kthread API and add mode selection 2025-08-15 12:13:58 +02:00
video fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref 2025-08-15 12:13:57 +02:00
virt configfs-tsm-report: Fix NULL dereference of tsm_ops 2025-06-27 11:11:22 +01:00
virtio virtio_ring: Fix error reporting in virtqueue_resize 2025-08-01 09:48:39 +01:00
w1
watchdog watchdog: ziirave_wdt: check record length in ziirave_firm_verify() 2025-08-15 12:13:55 +02:00
xen xen/gntdev: remove struct gntdev_copy_batch from stack 2025-08-15 12:13:43 +02:00
zorro
Kconfig
Makefile