From: Johan Hovold
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, Johan Hovold, stable
Subject: [PATCH 1/3] USB: usb-skeleton: fix NULL-deref on disconnect
Date: Wed, 9 Oct 2019 19:09:42 +0200
Message-Id: <20191009170944.30057-2-johan@kernel.org>
In-Reply-To: <20191009170944.30057-1-johan@kernel.org>

The driver was using its struct usb_interface pointer as an inverted
disconnected flag and was setting it to NULL before making sure all
completion handlers had run. This could lead to NULL-pointer
dereferences in the dev_err() statements in the completion handlers
which rely on said pointer.

Fix this by using a dedicated disconnected flag.

Note that this also addresses a NULL-pointer dereference at release()
and a struct usb_interface reference leak introduced by a recent runtime
PM fix, which depends on and should have been submitted together with
this patch.

Fixes: 4212cd74ca6f ("USB: usb-skeleton.c: remove err() usage")
Fixes: 5c290a5e42c3 ("USB: usb-skeleton: fix runtime PM after driver unbind")
Cc: stable
Signed-off-by: Johan Hovold
---
 drivers/usb/usb-skeleton.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/usb-skeleton.c b/drivers/usb/usb-skeleton.c index 8001d6384c73..c2843fcfa52d 100644 --- a/drivers/usb/usb-skeleton.c +++ b/drivers/usb/usb-skeleton.c @@ -61,6 +61,7 @@ struct usb_skel { spinlock_t err_lock; /* lock for errors */ struct kref kref; struct mutex io_mutex; /* synchronize I/O with disconnect */ + unsigned long disconnected:1; wait_queue_head_t bulk_in_wait; /* to wait for an ongoing read */ }; #define to_skel_dev(d) container_of(d, struct usb_skel, kref) 
@@ -238,7 +239,7 @@ static ssize_t skel_read(struct file *file, char *buffer, size_t count, if (rv < 0) return rv; - if (!dev->interface) { /* disconnect() was called */ + if (dev->disconnected) { /* disconnect() was called */ rv = -ENODEV; goto exit; } @@ -420,7 +421,7 @@ static ssize_t skel_write(struct file *file, const char *user_buffer, /* this lock makes sure we don't submit URBs to gone devices */ mutex_lock(&dev->io_mutex); - if (!dev->interface) { /* disconnect() was called */ + if (dev->disconnected) { /* disconnect() was called */ mutex_unlock(&dev->io_mutex); retval = -ENODEV; goto error; 
@@ -571,7 +572,7 @@ static void skel_disconnect(struct usb_interface *interface) /* prevent more I/O from starting */ mutex_lock(&dev->io_mutex); - dev->interface = NULL; + dev->disconnected = 1; mutex_unlock(&dev->io_mutex); usb_kill_anchored_urbs(&dev->submitted);

From: Johan Hovold
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, Johan Hovold
Subject: [PATCH 2/3] USB: usb-skeleton: fix use-after-free after driver unbind
Date: Wed, 9 Oct 2019 19:09:43 +0200
Message-Id: <20191009170944.30057-3-johan@kernel.org>
In-Reply-To: <20191009170944.30057-1-johan@kernel.org>

The driver failed to stop its read URB on disconnect, something which
could lead to a use-after-free in the completion handler after driver
unbind in case the character device has been closed.

Fixes: e7389cc9a7ff ("USB: skel_read really sucks royally")
Signed-off-by: Johan Hovold
---
 drivers/usb/usb-skeleton.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/usb-skeleton.c b/drivers/usb/usb-skeleton.c index c2843fcfa52d..be311787403e 100644 --- a/drivers/usb/usb-skeleton.c +++ b/drivers/usb/usb-skeleton.c 
@@ -575,6 +575,7 @@ static void skel_disconnect(struct usb_interface *interface) dev->disconnected = 1; mutex_unlock(&dev->io_mutex); + usb_kill_urb(dev->bulk_in_urb); usb_kill_anchored_urbs(&dev->submitted); /* decrement our usage count */

From: Johan Hovold
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, Johan Hovold
Subject: [PATCH 3/3] USB: usb-skeleton: drop redundant in-urb check
Date: Wed, 9 Oct 2019 19:09:44 +0200
Message-Id: <20191009170944.30057-4-johan@kernel.org>
In-Reply-To: <20191009170944.30057-1-johan@kernel.org>

The driver bails out at probe if we can't find a bulk-in endpoint or if
we fail to allocate the URB, so drop the check in read().

Signed-off-by: Johan Hovold
---
 drivers/usb/usb-skeleton.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/usb/usb-skeleton.c b/drivers/usb/usb-skeleton.c index be311787403e..2dc58766273a 100644 --- a/drivers/usb/usb-skeleton.c +++ b/drivers/usb/usb-skeleton.c 
@@ -230,8 +230,7 @@ static ssize_t skel_read(struct file *file, char *buffer, size_t count, dev = file->private_data; - /* if we cannot read at all, return EOF */ - if (!dev->bulk_in_urb || !count) + if (!count) return 0; /* no concurrent readers */
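
Review bot: In [PATCH 1/3], hunk @@ -61,6 +61,7 @@ (struct usb_skel), the new `unsigned long disconnected:1;` is the only field in the visible context without a comment, and nothing records that it is written under io_mutex, as the skel_disconnect() hunk does. A trailing comment naming the lock would document the rule next to the field. A bit-field also shares its storage word with any bit-field placed beside it later, so a neighbour updated under a different lock would race with this one; a plain bool avoids that.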
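
Review bot: In [PATCH 1/3], hunk @@ -571,7 +572,7 @@ (skel_disconnect), dev->interface is no longer cleared, so any NULL test of that pointer left elsewhere in the file can never detect a disconnect again. The three deletions in the diffstat are the skel_read(), skel_write() and skel_disconnect() lines shown here; it is worth confirming that no other `!dev->interface` check remains in the paths outside these hunks. The commit message also credits this patch with fixing a NULL dereference at release() and a reference leak, yet no hunk touches that code; one sentence saying that both follow from the pointer staying valid would make the claim checkable.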
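
Review bot: In [PATCH 2/3], hunk @@ -575,6 +575,7 @@ (skel_disconnect), the added `usb_kill_urb(dev->bulk_in_urb);` has no comment saying why the read URB needs its own kill next to `usb_kill_anchored_urbs(&dev->submitted);`. Per the commit message the existing anchored kill did not stop it, so a one-line comment would keep a later cleanup from dropping the call as redundant. The call also sits after `mutex_unlock(&dev->io_mutex);`, so the fix relies on readers seeing dev->disconnected and not resubmitting the URB afterwards; the changelog should say so. Separately, this use-after-free fix carries a Fixes: tag but no stable tag, although its context line `dev->disconnected = 1;` only exists with patch 1, which is tagged for stable.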
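
Review bot: In [PATCH 3/3], hunk @@ -230,8 +230,7 @@ (skel_read), the deletion takes the comment with it, which leaves `if (!count) return 0;` unexplained and records the reason dev->bulk_in_urb may be used unchecked only in the commit message. Suggest keeping a short comment on the zero-length read, and stating near the first use of dev->bulk_in_urb that probe fails when the bulk-in endpoint or the URB is missing, so the invariant survives in the source.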