From patchwork Wed Oct 9 15:38:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11181481 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 53E8B76 for ; Wed, 9 Oct 2019 15:38:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 360A421848 for ; Wed, 9 Oct 2019 15:38:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1570635537; bh=lvPQ8nKmX53MrGZJqKw2O2MLEPBjlugm7aWuPrs6h6Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Sw6LxmT65u1ZIFagSgJQtB4faKPmmQPE9W37Pq5gqR5/QiF/mlqSm0hv31tCS01uw HBA3wmgMqBVRSj4/TC6OGmVRBUPysQLvOW/fx8UaAESsZSMsU7BtaGELT2Xo4NXigo 5YtkCWNdMsuIM6bFlpneMFcvb+mjLJhj8SCko4Fg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731270AbfJIPi4 (ORCPT ); Wed, 9 Oct 2019 11:38:56 -0400 Received: from mail-lf1-f65.google.com ([209.85.167.65]:41591 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730256AbfJIPiz (ORCPT ); Wed, 9 Oct 2019 11:38:55 -0400 Received: by mail-lf1-f65.google.com with SMTP id r2so2004554lfn.8; Wed, 09 Oct 2019 08:38:52 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=szNiykfatwwBWyT1R8vEp0SHm+VURe3hz2h1YW3Ai0o=; b=Y4gigpI6sTHCy0X9/oX4WcCrwjpjpECH6UWgR1HEcd5gbqskbvuj1T6teRraRbqkLs Id9MD/ZMjvwufOvErqMfz8BdQZJas4dEe5gNGvh5KJoJAHFeoTLVSXSh8nzqjmUUMSHz HIEROUoYdfIVpglDa3bxZzpv3fCs+nBWA/T6vlB2bFvuqWVeAjtEFNg0g1lekJR10ji7 h08iZciLkzsADDLqTBRavQhExb3/RGOEJOJkpgNyofqhW/2ZP98kqX6rYf9Ccp7DMSKP 
vhhKlCHcvvPWae4wbmfLAFWtgMbZ21DwgEPIoernP+pQbIjvu1uFFcCFx3crnOAusC5S bKGg== X-Gm-Message-State: APjAAAVlq5c0qqTZChAMfRU9XjZSkaLqRMTA0uYziun2XeKlHMCyC8xV jkLFyLnZSf51h2fW08napiNSo89m X-Google-Smtp-Source: APXvYqwLWPUUg67a1JhQhorAQnETs8oOcbXIYEf2iIftkXz+iKY5XRY3Xh+rnvRQZWZpiCAiY/N3NA== X-Received: by 2002:ac2:5924:: with SMTP id v4mr2521416lfi.29.1570635532016; Wed, 09 Oct 2019 08:38:52 -0700 (PDT) Received: from xi.terra (c-51f1e055.07-184-6d6c6d4.bbcust.telenor.se. [85.224.241.81]) by smtp.gmail.com with ESMTPSA id m15sm596554ljg.97.2019.10.09.08.38.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 09 Oct 2019 08:38:51 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.92.2) (envelope-from ) id 1iIE3J-0002Gr-Ai; Wed, 09 Oct 2019 17:39:01 +0200 From: Johan Hovold To: Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org, Keith Packard , Juergen Stuber , Johan Hovold , stable Subject: [PATCH 1/5] USB: adutux: fix use-after-free on release Date: Wed, 9 Oct 2019 17:38:44 +0200 Message-Id: <20191009153848.8664-2-johan@kernel.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191009153848.8664-1-johan@kernel.org> References: <20191009153848.8664-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The driver was accessing its struct usb_device in its release() callback without holding a reference. This would lead to a use-after-free whenever the device was disconnected while the character device was still open. Fixes: 66d4bc30d128 ("USB: adutux: remove custom debug macro") Cc: stable # 3.12 Signed-off-by: Johan Hovold --- drivers/usb/misc/adutux.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c index f9efec719359..6f5edb9fc61e 100644 --- a/drivers/usb/misc/adutux.c +++ b/drivers/usb/misc/adutux.c 
@@ -149,6 +149,7 @@ static void adu_delete(struct adu_device *dev) kfree(dev->read_buffer_secondary); kfree(dev->interrupt_in_buffer); kfree(dev->interrupt_out_buffer); + usb_put_dev(dev->udev); kfree(dev); } 
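Review bot: the new usb_put_dev(dev->udev) sits immediately before kfree(dev), which is the correct spot since it is the last read of dev->udev; the thing to confirm is that adu_delete() is the only place dev is ever freed, because any path that still does a bare kfree(dev) (for example a probe error exit) would now leak the device reference taken in adu_probe(). A sentence in the commit message stating that the reference is released in adu_delete() for both the disconnect and the late-release case would make that explicit.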
@@ -664,7 +665,7 @@ static int adu_probe(struct usb_interface *interface, mutex_init(&dev->mtx); spin_lock_init(&dev->buflock); - dev->udev = udev; + dev->udev = usb_get_dev(udev); init_waitqueue_head(&dev->read_wait); init_waitqueue_head(&dev->write_wait); From patchwork Wed Oct 9 15:38:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11181479 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9207C76 for ; Wed, 9 Oct 2019 15:38:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7365F21920 for ; Wed, 9 Oct 2019 15:38:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1570635536; bh=u6ZPbGMwa36ig10jiJtr/3NN0oyL1sM1B7giXgw+EmQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=DVojus5r/fy0KHKkua86aUrZPmxui2CzJm5LD7AcL6V2ob+Tk5FQjtIpKOL7+7rL4 T7+56ZAAumnpzhTW+dCTf1NIQ9eeAebzlb5dYI/4umJAa9FC5U9hxv/4BP2KHguDwT brQznoTjUqCVylxV1+OH4Ux72iBVEL+q0LRhQasM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731234AbfJIPiz (ORCPT ); Wed, 9 Oct 2019 11:38:55 -0400 Received: from mail-lj1-f194.google.com ([209.85.208.194]:34771 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729865AbfJIPiz (ORCPT ); Wed, 9 Oct 2019 11:38:55 -0400 Received: by mail-lj1-f194.google.com with SMTP id j19so3018024lja.1; Wed, 09 Oct 2019 08:38:53 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Br9ch3HUxePYMcVA5+eOqOIVq/1B20gFu8Zz9x8IFTI=; b=XBhXP7R1BvdDAaYId5Jh3TWjEho52qqGxmMcjim4BhCD8kC8EEDcNaS0rXzW5O9+fd 
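Review bot: `dev->udev = usb_get_dev(udev);` means every error exit after this line in adu_probe() has to free dev through adu_delete() rather than kfree() so the reference is dropped; the hunk does not show those exits, so please confirm (or note in the commit message) that probe errors funnel through adu_delete(). No NULL check is needed on the return value, since usb_get_dev() hands back the pointer it was given.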
From: Johan Hovold
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, Keith Packard, Juergen Stuber, Johan Hovold, stable
Subject: [PATCH 2/5] USB: chaoskey: fix use-after-free on release
Date: Wed, 9 Oct 2019 17:38:45 +0200
Message-Id: <20191009153848.8664-3-johan@kernel.org>
In-Reply-To: <20191009153848.8664-1-johan@kernel.org>
References: <20191009153848.8664-1-johan@kernel.org>

The driver was accessing its struct usb_interface in its release() callback without holding a reference. This would lead to a use-after-free whenever the device was disconnected while the character device was still open.

Fixes: 66e3e591891d ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
Cc: stable # 4.1
Signed-off-by: Johan Hovold
---
drivers/usb/misc/chaoskey.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c index cf5828ce927a..34e6cd6f40d3 100644 --- a/drivers/usb/misc/chaoskey.c +++ b/drivers/usb/misc/chaoskey.c @@ -98,6 +98,7 @@ static void chaoskey_free(struct chaoskey *dev) usb_free_urb(dev->urb); kfree(dev->name); kfree(dev->buf); + usb_put_intf(dev->interface); kfree(dev); } } @@ -145,6 +146,8 @@ static int chaoskey_probe(struct usb_interface *interface, if (dev == NULL) goto out; + dev->interface = usb_get_intf(interface); + dev->buf = kmalloc(size, GFP_KERNEL); if (dev->buf == NULL) 
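Review bot: moving usb_get_intf() to directly after the `dev == NULL` check means the reference is held before dev->buf is allocated, so the `goto out` on kmalloc() failure, and every later error exit, must reach chaoskey_free() for the usb_put_intf() added in the first hunk to balance it; if the `out:` label only does kfree(dev) for a half-initialised dev, an allocation failure leaks the interface reference. Taking the reference at allocation time is still the right design, since it lets chaoskey_free() drop it unconditionally, but the commit message should say that the error paths go through chaoskey_free().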
@@ -174,8 +177,6 @@ static int chaoskey_probe(struct usb_interface *interface, goto out; } - dev->interface = interface; - dev->in_ep = in_ep; if (le16_to_cpu(udev->descriptor.idVendor) != ALEA_VENDOR_ID) From patchwork Wed Oct 9 15:38:46 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11181483 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F0ED517D4 for ; Wed, 9 Oct 2019 15:38:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D37C1218AC for ; Wed, 9 Oct 2019 15:38:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1570635538; bh=RmjKKQzrjTUogTulInh8oW3A0UYVTfa/tYIbrt7kQi4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=N7gGPjTE8NgnstzA/JvvH6uc4ZibMN4Co2tzoZnVhe05PDbf//CTFLVIf8apyGBRm oNxPP5/KaNjDIdGcuK41EqPwZysEAGmUxKC/z2avgT0OYVUDFYWhQd9cnp5W/09DPH oaO9w4ACGewkDDsTb2sZDUAj9I95sRGPWrD2P0gI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731331AbfJIPi5 (ORCPT ); Wed, 9 Oct 2019 11:38:57 -0400 Received: from mail-lj1-f193.google.com ([209.85.208.193]:40881 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728804AbfJIPi4 (ORCPT ); Wed, 9 Oct 2019 11:38:56 -0400 Received: by mail-lj1-f193.google.com with SMTP id 7so2968341ljw.7; Wed, 09 Oct 2019 08:38:54 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=IOgY95F7SAkBcHWELp/HRRu/NsS+nMHwkVpkJBv5wWE=; b=gwdfM9lgYXWZ9c0oGJkSqcAdPGSeAM765ziwd/fBKIQN3JxUCigt85/jdMON/wzR4Y 
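Review bot: this deletion is the other half of the move in the previous hunk rather than a cleanup: the assignment used to sit past the `goto out` error exits, so once usb_put_intf() lives in chaoskey_free() an error between kzalloc() and this point would have run the put without a matching get (usb_put_intf() tolerates NULL, so no crash, but whether get and put paired up would have depended on the path taken). Taking the reference at allocation and dropping it in the destructor keeps them strictly paired; a one-line comment on the `interface` member saying it holds a usb_get_intf() reference would help the next reader.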
From: Johan Hovold
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, Keith Packard, Juergen Stuber, Johan Hovold, stable
Subject: [PATCH 3/5] USB: ldusb: fix NULL-derefs on driver unbind
Date: Wed, 9 Oct 2019 17:38:46 +0200
Message-Id: <20191009153848.8664-4-johan@kernel.org>
In-Reply-To: <20191009153848.8664-1-johan@kernel.org>
References: <20191009153848.8664-1-johan@kernel.org>

The driver was using its struct usb_interface pointer as an inverted disconnected flag, but was setting it to NULL before making sure all completion handlers had run. This could lead to a NULL-pointer dereference in a number of dev_dbg, dev_warn and dev_err statements in the completion handlers which rely on said pointer.

Fix this by unconditionally stopping all I/O and preventing resubmissions by poisoning the interrupt URBs at disconnect and using a dedicated disconnected flag.

This also makes sure that all I/O has completed by the time the disconnect callback returns.

Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver")
Cc: stable # 2.6.13
Signed-off-by: Johan Hovold
---
drivers/usb/misc/ldusb.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/drivers/usb/misc/ldusb.c b/drivers/usb/misc/ldusb.c index 6581774bdfa4..f3108d85e768 100644 --- a/drivers/usb/misc/ldusb.c +++ b/drivers/usb/misc/ldusb.c @@ -153,6 +153,7 @@ MODULE_PARM_DESC(min_interrupt_out_interval, "Minimum interrupt out interval in struct ld_usb { struct mutex mutex; /* locks this structure */ struct usb_interface *intf; /* save off the usb interface pointer */ + unsigned long disconnected:1; int open_count; /* number of times this port has been opened */
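Review bot: `unsigned long disconnected:1;` is set under dev->mutex in ld_usb_disconnect() but read without the lock in ld_usb_poll(); that is acceptable for a flag that is only ever set once, but only as long as no other bitfield shares the same word, since a concurrent read-modify-write of a neighbouring bit would race with the lockless read. It is the only bitfield in struct ld_usb today, so this is fine, but a plain `bool disconnected;` would stay correct if someone later packs a second flag next to it. The comment on `intf` ("save off the usb interface pointer") could also note that the pointer is no longer cleared at disconnect.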
@@ -192,12 +193,10 @@ static void ld_usb_abort_transfers(struct ld_usb *dev) /* shutdown transfer */ if (dev->interrupt_in_running) { dev->interrupt_in_running = 0; - if (dev->intf) - usb_kill_urb(dev->interrupt_in_urb); + usb_kill_urb(dev->interrupt_in_urb); } if (dev->interrupt_out_busy) - if (dev->intf) - usb_kill_urb(dev->interrupt_out_urb); + usb_kill_urb(dev->interrupt_out_urb); } /** @@ -205,8 +204,6 @@ static void ld_usb_abort_transfers(struct ld_usb *dev) */ static void ld_usb_delete(struct ld_usb *dev) { - ld_usb_abort_transfers(dev); - /* free data structures */ usb_free_urb(dev->interrupt_in_urb); usb_free_urb(dev->interrupt_out_urb); @@ -263,7 +260,7 @@ static void ld_usb_interrupt_in_callback(struct urb *urb) resubmit: /* resubmit if we're still running */ - if (dev->interrupt_in_running && !dev->buffer_overflow && dev->intf) { + if (dev->interrupt_in_running && !dev->buffer_overflow) { retval = usb_submit_urb(dev->interrupt_in_urb, GFP_ATOMIC); if (retval) { dev_err(&dev->intf->dev, @@ -392,7 +389,7 @@ static int ld_usb_release(struct inode *inode, struct file *file) retval = -ENODEV; goto unlock_exit; } - if (dev->intf == NULL) { + if (dev->disconnected) { /* the device was unplugged before the file was released */ mutex_unlock(&dev->mutex); /* unlock here as ld_usb_delete frees dev */ @@ -423,7 +420,7 @@ static __poll_t ld_usb_poll(struct file *file, poll_table *wait) dev = file->private_data; - if (!dev->intf) + if (dev->disconnected) return EPOLLERR | EPOLLHUP; poll_wait(file, &dev->read_wait, wait); @@ -462,7 +459,7 @@ static ssize_t ld_usb_read(struct file *file, char __user *buffer, size_t count, } /* verify that the device wasn't unplugged */ - if (dev->intf == NULL) { + if (dev->disconnected) { retval = -ENODEV; printk(KERN_ERR "ldusb: No device or device unplugged %d\n", retval); goto unlock_exit; 
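Review bot: dropping ld_usb_abort_transfers() from ld_usb_delete() makes ld_usb_delete() depend on its callers having stopped I/O first. ld_usb_disconnect() now poisons both URBs before it can reach ld_usb_delete(), which covers the unopened case, and the late-release case (the `dev->disconnected` branch in ld_usb_release()) is covered by the same poisoning, since it can only run after disconnect. That reasoning is no longer visible to someone reading ld_usb_delete() on its own, so it is worth a sentence in the commit message explaining why usb_free_urb() is safe there without an explicit kill.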
@@ -542,7 +539,7 @@ static ssize_t ld_usb_write(struct file *file, const char __user *buffer, } /* verify that the device wasn't unplugged */ - if (dev->intf == NULL) { + if (dev->disconnected) { retval = -ENODEV; printk(KERN_ERR "ldusb: No device or device unplugged %d\n", retval); goto unlock_exit; @@ -764,6 +761,9 @@ static void ld_usb_disconnect(struct usb_interface *intf) /* give back our minor */ usb_deregister_dev(intf, &ld_usb_class); + usb_poison_urb(dev->interrupt_in_urb); + usb_poison_urb(dev->interrupt_out_urb); + mutex_lock(&dev->mutex); /* if the device is not opened, then we clean up right now */ 
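Review bot: the two usb_poison_urb() calls sit before mutex_lock(&dev->mutex), so a writer already holding the mutex and about to call usb_submit_urb() will see the submit fail with -EPERM instead of the device being silently gone; that is the right ordering (it also avoids sleeping in usb_poison_urb() while holding the mutex), but it opens a small window in which ld_usb_write() reports a submit failure for a device that has just been unplugged. Worth checking how ld_usb_write() reports that failure (the write hunk above only changes the unplugged check, not the submit error path) so a normal disconnect does not turn into an error-level log line.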
@@ -771,7 +771,7 @@ static void ld_usb_disconnect(struct usb_interface *intf) mutex_unlock(&dev->mutex); ld_usb_delete(dev); } else { - dev->intf = NULL; + dev->disconnected = 1; /* wake up pollers */ wake_up_interruptible_all(&dev->read_wait); wake_up_interruptible_all(&dev->write_wait); From patchwork Wed Oct 9 15:38:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11181487 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0B8AE76 for ; Wed, 9 Oct 2019 15:39:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E1606218DE for ; Wed, 9 Oct 2019 15:38:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1570635539; bh=fOyy0OWRFPgcy/Qsq7cSWefWU9m/HYBOoA4d9rG/Cv4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=zXvX6dhwBkqwWoK7TtX9CqVPHHITN4qPoejDWI2JuGmcyEMqctMhAfB57cnfbo2dF X6ezLfi53HIf2j8guAxRd1XpxaEvZWv3M3sf8J/f0sN0UVBaXMazxhfw0V5tjyAOH9 R2G0x28vL0qFze/u3mZdwHTJP+NET8iMkBUc6ZLQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731343AbfJIPi6 (ORCPT ); Wed, 9 Oct 2019 11:38:58 -0400 Received: from mail-lj1-f193.google.com ([209.85.208.193]:40882 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731168AbfJIPi5 (ORCPT ); Wed, 9 Oct 2019 11:38:57 -0400 Received: by mail-lj1-f193.google.com with SMTP id 7so2968360ljw.7; Wed, 09 Oct 2019 08:38:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=/zQJrcNnJxUcOVRPJjyZL/u2APizudcIOcg9KosTJuI=; 
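Review bot: with `dev->intf` no longer cleared, anything that dereferences dev->intf after ld_usb_disconnect() returns becomes a use-after-free of the interface rather than a NULL dereference, because ldusb holds no reference on it (contrast patch 5/5 in this series, which pairs the same flag with usb_get_intf()/usb_put_intf()). The commit message argues this cannot happen because all I/O has completed by then; please confirm the post-disconnect release path (ld_usb_release() calling ld_usb_delete()) touches only dev's own URBs and buffers and never dev->intf->dev, or take the same interface reference here.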
From: Johan Hovold
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, Keith Packard, Juergen Stuber, Johan Hovold, stable
Subject: [PATCH 4/5] USB: legousbtower: fix use-after-free on release
Date: Wed, 9 Oct 2019 17:38:47 +0200
Message-Id: <20191009153848.8664-5-johan@kernel.org>
In-Reply-To: <20191009153848.8664-1-johan@kernel.org>
References: <20191009153848.8664-1-johan@kernel.org>

The driver was accessing its struct usb_device in its release() callback without holding a reference. This would lead to a use-after-free whenever the device was disconnected while the character device was still open.

Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro")
Cc: stable # 3.12
Signed-off-by: Johan Hovold --- drivers/usb/misc/legousbtower.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c index 44d6a3381804..9d4c52a7ebe0 100644 --- a/drivers/usb/misc/legousbtower.c +++ b/drivers/usb/misc/legousbtower.c @@ -296,6 +296,7 @@ static inline void tower_delete (struct lego_usb_tower *dev) kfree (dev->read_buffer); kfree (dev->interrupt_in_buffer); kfree (dev->interrupt_out_buffer); + usb_put_dev(dev->udev); kfree (dev); } 
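Review bot: the added `usb_put_dev(dev->udev);` follows current kernel style (no space before the parenthesis) while the surrounding `kfree (dev->read_buffer)` lines keep the file's legacy spacing; that is the right call for a stable-bound fix, which should not reformat unrelated lines, but a follow-up cleanup of tower_delete() would stop the two styles from coexisting. Placing the put before `kfree (dev)` is correct, as it is the last read of dev->udev.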
@@ -810,7 +811,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device mutex_init(&dev->lock); - dev->udev = udev; + dev->udev = usb_get_dev(udev); dev->open_count = 0; dev->disconnected = 0; From patchwork Wed Oct 9 15:38:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11181485 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D83F81709 for ; Wed, 9 Oct 2019 15:38:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B9BFD218DE for ; Wed, 9 Oct 2019 15:38:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1570635539; bh=N8Ktgk7Cxvf676G67bht94toWjZacZkPLoJerkcFvIw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=zXqmuZ7RlvGX3eMz9ouDuZHB+uq+qWCfndW9Um80tAiQrzun82hDTaK6r2gqHVzX0 Kd+dHqA7MCeMpiH1km3YYVhcjsSRRmTXOaVk2TPHKqZxPE2j1ZyKMfjw4wBMhOT86k ZjhR6rOdIIU8ToT0WvwbA22Z5oQAxhyAsZltDAE8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731370AbfJIPi7 (ORCPT ); Wed, 9 Oct 2019 11:38:59 -0400 Received: from mail-lj1-f196.google.com ([209.85.208.196]:39471 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730256AbfJIPi6 (ORCPT ); Wed, 9 Oct 2019 11:38:58 -0400 Received: by mail-lj1-f196.google.com with SMTP id y3so2972650ljj.6; Wed, 09 Oct 2019 08:38:56 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=HWGhrR9zQu1kilGXu57u8nXDF16dj6cYe7KVAB6aMHE=; b=BlRdKv4v90THg+nkgbe0I7PiRPG5nFa35/cCKTTPuR8NT4eqYCEbcMHWhQ++QJzhDq 
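Review bot: unlike adutux, this driver already keeps a dedicated `dev->disconnected` flag (initialised right below the changed line), so the interface pointer is not doubling as a flag here and the only missing piece was the device reference. As with patch 1/5, every error exit after `dev->udev = usb_get_dev(udev);` must release dev through tower_delete() rather than kfree() so that the reference is dropped; the hunk does not show those exits, so please confirm.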
From: Johan Hovold
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, Keith Packard, Juergen Stuber, Johan Hovold, stable
Subject: [PATCH 5/5] USB: yurex: fix NULL-derefs on disconnect
Date: Wed, 9 Oct 2019 17:38:48 +0200
Message-Id: <20191009153848.8664-6-johan@kernel.org>
In-Reply-To: <20191009153848.8664-1-johan@kernel.org>
References: <20191009153848.8664-1-johan@kernel.org>

The driver was using its struct usb_interface pointer as an inverted disconnected flag, but was setting it to NULL without making sure all code paths that used it were done with it.

Before commit ef61eb43ada6 ("USB: yurex: Fix protection fault after device removal") this included the interrupt-in completion handler, but there are further accesses in dev_err and dev_dbg statements in yurex_write() and the driver-data destructor (sic!).

Fix this by unconditionally stopping also the control URB at disconnect and by using a dedicated disconnected flag.

Note that we need to take a reference to the struct usb_interface to avoid a use-after-free in the destructor whenever the device was disconnected while the character device was still open.

Fixes: aadd6472d904 ("USB: yurex.c: remove dbg() usage")
Fixes: 45714104b9e8 ("USB: yurex.c: remove err() usage")
Cc: stable # 3.5: ef61eb43ada6
Signed-off-by: Johan Hovold
---
drivers/usb/misc/yurex.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 8d52d4336c29..be0505b8b5d4 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -60,6 +60,7 @@ struct usb_yurex { struct kref kref; struct mutex io_mutex; + unsigned long disconnected:1; struct fasync_struct *async_queue; wait_queue_head_t waitq;
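Review bot: the new `disconnected:1` bitfield is both set (in yurex_disconnect()) and tested (in yurex_read() and yurex_write()) under io_mutex, so unlike the ldusb version of this change there is no lockless reader to reason about; a short comment on the field saying it is protected by io_mutex would record that invariant for whoever adds the next access.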
@@ -107,6 +108,7 @@ static void yurex_delete(struct kref *kref) dev->int_buffer, dev->urb->transfer_dma); usb_free_urb(dev->urb); } + usb_put_intf(dev->interface); usb_put_dev(dev->udev); kfree(dev); } @@ -205,7 +207,7 @@ static int yurex_probe(struct usb_interface *interface, const struct usb_device_ init_waitqueue_head(&dev->waitq); dev->udev = usb_get_dev(interface_to_usbdev(interface)); - dev->interface = interface; + dev->interface = usb_get_intf(interface); /* set up the endpoint information */ iface_desc = interface->cur_altsetting; @@ -316,8 +318,9 @@ static void yurex_disconnect(struct usb_interface *interface) /* prevent more I/O from starting */ usb_poison_urb(dev->urb); + usb_poison_urb(dev->cntl_urb); mutex_lock(&dev->io_mutex); - dev->interface = NULL; + dev->disconnected = 1; mutex_unlock(&dev->io_mutex); /* wakeup waiters */ @@ -405,7 +408,7 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, dev = file->private_data; mutex_lock(&dev->io_mutex); - if (!dev->interface) { /* already disconnected */ + if (dev->disconnected) { /* already disconnected */ mutex_unlock(&dev->io_mutex); return -ENODEV; } @@ -440,7 +443,7 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, goto error; mutex_lock(&dev->io_mutex); - if (!dev->interface) { /* already disconnected */ + if (dev->disconnected) { /* already disconnected */ mutex_unlock(&dev->io_mutex); retval = -ENODEV; goto error;
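Review bot: `usb_poison_urb(dev->cntl_urb)` is issued before io_mutex is taken, so a yurex_write() that has already passed the `dev->disconnected` check will have its control URB submission fail with -EPERM rather than wait; that is the intended way to stop the control transfer, but the commit message only says the control URB is "also" stopped, and it should state that this write path now fails fast after disconnect. The dev_err in yurex_write() that the commit message mentions is safe on that path only because dev->interface now stays valid until yurex_delete() drops the reference taken in probe, which is worth saying explicitly, since the two hunks are otherwise easy to read as independent fixes.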