Module Name: src Committed By: skrll Date: Thu Jan 10 22:13:07 UTC 2019
Modified Files: src/sys/dev/usb: usbdi.c Log Message: Avoid use after free when closing interrupt pipe transfer by calling upm_close before destroying the interrupt pipe xfer. Found by kasan on wiz's machine. To generate a diff of this commit: cvs rdiff -u -r1.180 -r1.181 src/sys/dev/usb/usbdi.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/usbdi.c
diff -u src/sys/dev/usb/usbdi.c:1.180 src/sys/dev/usb/usbdi.c:1.181
--- src/sys/dev/usb/usbdi.c:1.180 Fri Nov 16 00:34:50 2018
+++ src/sys/dev/usb/usbdi.c Thu Jan 10 22:13:07 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: usbdi.c,v 1.180 2018/11/16 00:34:50 manu Exp $ */
+/* $NetBSD: usbdi.c,v 1.181 2019/01/10 22:13:07 skrll Exp $ */
 /*
 * Copyright (c) 1998, 2012, 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usbdi.c,v 1.180 2018/11/16 00:34:50 manu Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usbdi.c,v 1.181 2019/01/10 22:13:07 skrll Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -258,13 +258,14 @@ usbd_close_pipe(struct usbd_pipe *pipe)
 LIST_REMOVE(pipe, up_next);
 pipe->up_endpoint->ue_refcnt--;
+ pipe->up_methods->upm_close(pipe);
+
 if (pipe->up_intrxfer != NULL) {
 usbd_unlock_pipe(pipe);
 usbd_destroy_xfer(pipe->up_intrxfer);
 usbd_lock_pipe(pipe);
 }
- pipe->up_methods->upm_close(pipe);
 usbd_unlock_pipe(pipe);
 kmem_free(pipe, pipe->up_dev->ud_bus->ub_pipesize);
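Review bot: The ordering this fix depends on, `upm_close` running before `usbd_destroy_xfer(pipe->up_intrxfer)`, is not recorded anywhere in usbd_close_pipe, so a later cleanup could move the call back and reintroduce the use-after-free described in the log message. A short comment above the moved call would pin it, e.g. `/* Close first: upm_close may still reference up_intrxfer, so it must run before the xfer is destroyed. */`. Separately, `pipe->up_intrxfer` still points at the destroyed xfer while the pipe lock is re-taken; the pipe is freed right after, so this is probably harmless, but adding `pipe->up_intrxfer = NULL;` after the destroy would make any stale access easier to catch. The function starts above the hunk, so whether anything else can still reach the pipe during the unlocked window is not visible here.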