From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Hans de Goede <hdegoede@redhat.com>,
Benjamin Tissoires <bentiss@kernel.org>
Subject: [PATCH 4.14 03/66] HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
Date: Mon, 23 Oct 2023 12:55:53 +0200 [thread overview]
Message-ID: <20231023104810.906730627@linuxfoundation.org> (raw)
In-Reply-To: <20231023104810.781270702@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit dac501397b9d81e4782232c39f94f4307b137452 upstream.
hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)
races when it races with itself.
hidpp_connect_event() primarily runs from a workqueue but it also runs
on probe() and if a "device-connected" packet is received by the hw
when the thread running hidpp_connect_event() from probe() is waiting on
the hw, then a second thread running hidpp_connect_event() will be
started from the workqueue.
This opens the following races (note the below code is simplified):
1. Retrieving + printing the protocol (harmless race):
if (!hidpp->protocol_major) {
hidpp_root_get_protocol_version()
hidpp->protocol_major = response.rap.params[0];
}
We can actually see this race hit in the dmesg in the abrt output
attached to rhbz#2227968:
[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.
[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.
Testing with extra logging added has shown that after this the 2 threads
take turn grabbing the hw access mutex (send_mutex) so they ping-pong
through all the other TOCTOU cases managing to hit all of them:
2. Updating the name to the HIDPP name (harmless race):
if (hidpp->name == hdev->name) {
...
hidpp->name = new_name;
}
3. Initializing the power_supply class for the battery (problematic!):
hidpp_initialize_battery()
{
if (hidpp->battery.ps)
return 0;
probe_battery(); /* Blocks, threads take turns executing this */
hidpp->battery.desc.properties =
devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);
hidpp->battery.ps =
devm_power_supply_register(&hidpp->hid_dev->dev,
&hidpp->battery.desc, cfg);
}
4. Creating delayed input_device (potentially problematic):
if (hidpp->delayed_input)
return;
hidpp->delayed_input = hidpp_allocate_input(hdev);
The really big problem here is 3. Hitting the race leads to the following
sequence:
hidpp->battery.desc.properties =
devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);
hidpp->battery.ps =
devm_power_supply_register(&hidpp->hid_dev->dev,
&hidpp->battery.desc, cfg);
...
hidpp->battery.desc.properties =
devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);
hidpp->battery.ps =
devm_power_supply_register(&hidpp->hid_dev->dev,
&hidpp->battery.desc, cfg);
So now we have registered 2 power supplies for the same battery,
which looks a bit weird from userspace's pov but this is not even
the really big problem.
Notice how:
1. This is all devm-maganaged
2. The hidpp->battery.desc struct is shared between the 2 power supplies
3. hidpp->battery.desc.properties points to the result from the second
devm_kmemdup()
This causes a use after free scenario on USB disconnect of the receiver:
1. The last registered power supply class device gets unregistered
2. The memory from the last devm_kmemdup() call gets freed,
hidpp->battery.desc.properties now points to freed memory
3. The first registered power supply class device gets unregistered,
this involves sending a remove uevent to userspace which invokes
power_supply_uevent() to fill the uevent data
4. power_supply_uevent() uses hidpp->battery.desc.properties which
now points to freed memory leading to backtraces like this one:
Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08
...
Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event
Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0
...
Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30
Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0
Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0
Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0
Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680
Sep 22 20:01:35 eric kernel: power_supply_unregister+0x8e/0xa0
Sep 22 20:01:35 eric kernel: release_nodes+0x3d/0xb0
Sep 22 20:01:35 eric kernel: devres_release_group+0xfc/0x130
Sep 22 20:01:35 eric kernel: hid_device_remove+0x56/0xa0
Sep 22 20:01:35 eric kernel: device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel: bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel: device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel: ? __queue_work+0x1df/0x440
Sep 22 20:01:35 eric kernel: hid_destroy_device+0x4b/0x60
Sep 22 20:01:35 eric kernel: logi_dj_remove+0x9a/0x100 [hid_logitech_dj 5c91534a0ead2b65e04dd799a0437e3b99b21bc4]
Sep 22 20:01:35 eric kernel: hid_device_remove+0x44/0xa0
Sep 22 20:01:35 eric kernel: device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel: bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel: device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel: ? __queue_work+0x1df/0x440
Sep 22 20:01:35 eric kernel: hid_destroy_device+0x4b/0x60
Sep 22 20:01:35 eric kernel: usbhid_disconnect+0x47/0x60 [usbhid 727dcc1c0b94e6b4418727a468398ac3bca492f3]
Sep 22 20:01:35 eric kernel: usb_unbind_interface+0x90/0x270
Sep 22 20:01:35 eric kernel: device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel: bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel: device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel: ? kobject_put+0xa0/0x1d0
Sep 22 20:01:35 eric kernel: usb_disable_device+0xcd/0x1e0
Sep 22 20:01:35 eric kernel: usb_disconnect+0xde/0x2c0
Sep 22 20:01:35 eric kernel: usb_disconnect+0xc3/0x2c0
Sep 22 20:01:35 eric kernel: hub_event+0xe80/0x1c10
There have been quite a few bug reports (see Link tags) about this crash.
Fix all the TOCTOU issues, including the really bad power-supply related
system crash on USB disconnect, by making probe() use the workqueue for
running hidpp_connect_event() too, so that it can never run more then once.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227221
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227968
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227968
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2242189
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217412#c58
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20231005182638.3776-1-hdegoede@redhat.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-logitech-hidpp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -3128,7 +3128,8 @@ static int hidpp_probe(struct hid_device
/* Allow incoming packets */
hid_device_io_start(hdev);
- hidpp_connect_event(hidpp);
+ schedule_work(&hidpp->work);
+ flush_work(&hidpp->work);
return ret;
next prev parent reply other threads:[~2023-10-23 10:59 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-23 10:55 [PATCH 4.14 00/66] 4.14.328-rc1 review Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 4.14 01/66] RDMA/cxgb4: Check skb value for failure to allocate Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 4.14 02/66] platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning Greg Kroah-Hartman
2023-10-23 10:55 ` Greg Kroah-Hartman [this message]
2023-10-23 10:55 ` [PATCH 4.14 04/66] drm: etvnaviv: fix bad backport leading to warning Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 4.14 05/66] ieee802154: ca8210: Fix a potential UAF in ca8210_probe Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 4.14 06/66] drm/vmwgfx: fix typo of sizeof argument Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 4.14 07/66] ixgbe: fix crash with empty VF macvlan list Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 4.14 08/66] nfc: nci: assert requested protocol is valid Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 4.14 09/66] workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 10/66] usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 11/66] net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 12/66] usb: musb: Get the musb_qh poniter after musb_giveback Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 13/66] usb: musb: Modify the "HWVers" register address Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 14/66] iio: pressure: bmp280: Fix NULL pointer exception Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 15/66] iio: pressure: ms5611: ms5611_prom_is_valid false negative bug Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 16/66] mcb: remove is_added flag from mcb_device struct Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 17/66] ceph: fix incorrect revoked caps assert in ceph_fill_file_size() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 18/66] Input: powermate - fix use-after-free in powermate_config_complete Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 19/66] Input: xpad - add PXN V900 support Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 20/66] cgroup: Remove duplicates in cgroup v1 tasks file Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 21/66] pinctrl: avoid unsafe code pattern in find_pinctrl() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 22/66] usb: gadget: udc-xilinx: replace memcpy with memcpy_toio Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 23/66] usb: gadget: ncm: Handle decoding of multiple NTBs in unwrap call Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 24/66] x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 25/66] usb: hub: Guard against accesses to uninitialized BOS descriptors Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 26/66] Bluetooth: hci_event: Ignore NULL link key Greg Kroah-Hartman
2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 27/66] Bluetooth: Reject connection with the device which has same BD_ADDR Greg Kroah-Hartman
2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 28/66] Bluetooth: Fix a refcnt underflow problem for hci_conn Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 29/66] Bluetooth: vhci: Fix race when opening vhci device Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 30/66] Bluetooth: hci_event: Fix coding style Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 31/66] Bluetooth: avoid memcmp() out of bounds warning Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 32/66] nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 33/66] regmap: fix NULL deref on lookup Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 34/66] KVM: x86: Mask LVTPC when handling a PMI Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 35/66] netfilter: nft_payload: fix wrong mac header matching Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 36/66] xfrm: fix a data-race in xfrm_gen_index() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 37/66] net: ipv4: fix return value check in esp_remove_trailer Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 38/66] net: ipv6: " Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 39/66] net: rfkill: gpio: prevent value glitch during probe Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 40/66] net: usb: smsc95xx: Fix an error code in smsc95xx_reset() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 41/66] i40e: prevent crash on probe if hw registers have invalid values Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 42/66] ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 43/66] btrfs: initialize start_slot in btrfs_log_prealloc_extents Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 44/66] i2c: mux: Avoid potential false error message in i2c_mux_add_adapter Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 45/66] overlayfs: set ctime when setting mtime and atime Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 46/66] gpio: timberdale: Fix potential deadlock on &tgpio->lock Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 47/66] ata: libata-eh: Fix compilation warning in ata_eh_link_report() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 48/66] tracing: relax trace_event_eval_update() execution with cond_resched() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 49/66] HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 50/66] Bluetooth: Avoid redundant authentication Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 51/66] Bluetooth: hci_core: Fix build warnings Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 52/66] wifi: mac80211: allow transmitting EAPOL frames with tainted key Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 53/66] wifi: cfg80211: avoid leaking stack data into trace Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 54/66] sky2: Make sure there is at least one frag_addr available Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 55/66] mmc: core: Capture correct oemid-bits for eMMC cards Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 56/66] Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 57/66] ACPI: irq: Fix incorrect return value in acpi_register_gsi() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 58/66] USB: serial: option: add Telit LE910C4-WWX 0x1035 composition Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 59/66] USB: serial: option: add entry for Sierra EM9191 with new firmware Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 60/66] USB: serial: option: add Fibocom to DELL custom modem FM101R-GL Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 61/66] perf: Disallow mis-matched inherited group reads Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 62/66] s390/pci: fix iommu bitmap allocation Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 63/66] gpio: vf610: set value before the direction to avoid a glitch Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 64/66] Bluetooth: hci_sock: fix slab oob read in create_monitor_event Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 65/66] Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 4.14 66/66] Bluetooth: hci_event: Fix using memcmp when comparing keys Greg Kroah-Hartman
2023-10-23 14:37 ` [PATCH 4.14 00/66] 4.14.328-rc1 review Guenter Roeck
2023-10-24 8:22 ` Greg Kroah-Hartman
2023-10-23 20:43 ` Pavel Machek
2023-10-24 8:36 ` Daniel Díaz
2023-10-25 18:57 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231023104810.906730627@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bentiss@kernel.org \
--cc=hdegoede@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.