Commit bad3cc08 authored Dec 05, 2024 by Dan Carpenter Committed by Guo Mengqi Dec 05, 2024

USB: serial: io_edgeport: fix use after free in debug printk

stable inclusion
from stable-v5.10.230
commit e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVJ
CVE: CVE-2024-50267

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa



--------------------------------

commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream.

The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb)
is a use after free of the "urb" pointer.  Store the "dev" pointer at the
start of the function to avoid this issue.

Fixes: 984f6868 ("USB: serial: io_edgeport.c: remove dbg() usage")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guo Mengqi <guomengqi3@huawei.com>

parent fdc4bca5

drivers/usb/serial/io_edgeport.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -846,11 +846,12 @@ static void edge_bulk_out_data_callback(struct urb *urb)
		static void edge_bulk_out_cmd_callback(struct urb *urb)
		{
		struct edgeport_port *edge_port = urb->context;
		struct device *dev = &urb->dev->dev;
		int status = urb->status;

		atomic_dec(&CmdUrbs);
		dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n",
		__func__, urb, atomic_read(&CmdUrbs));
		dev_dbg(dev, "%s - FREE URB %p (outstanding %d)\n", __func__, urb,
		atomic_read(&CmdUrbs));


		/* clean up the transfer buffer */
		@@ -860,8 +861,7 @@ static void edge_bulk_out_cmd_callback(struct urb *urb)
		usb_free_urb(urb);

		if (status) {
		dev_dbg(&urb->dev->dev,
		"%s - nonzero write bulk status received: %d\n",
		dev_dbg(dev, "%s - nonzero write bulk status received: %d\n",
		__func__, status);
		return;
		}