* usbip: usbip_host: fix bad unlock balance during stub_probe()
@ 2018-05-15 23:57 Shuah Khan
From: Shuah Khan @ 2018-05-15 23:57 UTC (permalink / raw)
To: valentina.manea.m, shuah, gregkh; +Cc: linux-usb, linux-kernel
stub_probe() calls put_busid_priv() in an error path when device isn't
found in the busid_table. Fix it by making put_busid_priv() safe to be
called with null struct bus_id_priv pointer.

This problem happens when "usbip bind" is run without loading usbip_host
driver and then running modprobe. The first failed bind attempt unbinds
the device from the original driver and when usbip_host is modprobed,
stub_probe() runs and doesn't find the device in its busid table and calls
put_busid_priv() with null bus_id_priv pointer.

usbip-host 3-10.2: 3-10.2 is not in match_busid table... skip!
[ 367.359679] =====================================
[ 367.359681] WARNING: bad unlock balance detected!
[ 367.359683] 4.17.0-rc4+ #5 Not tainted
[ 367.359685] -------------------------------------
[ 367.359688] modprobe/2768 is trying to release lock (
[ 367.359689]
==================================================================
[ 367.359696] BUG: KASAN: null-ptr-deref in
print_unlock_imbalance_bug+0x99/0x110
[ 367.359699] Read of size 8 at addr 0000000000000058 by task
modprobe/2768
[ 367.359705] CPU: 4 PID: 2768 Comm: modprobe Not tainted 4.17.0-rc4+ #5
Fixes: 22076557b07c ("usbip: usbip_host: fix NULL-ptr deref and
use-after-free errors") in usb-linus
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
---
drivers/usb/usbip/stub_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c
index 41c7b9de2a92..bf8a5feb0ee9 100644
--- a/drivers/usb/usbip/stub_main.c
+++ b/drivers/usb/usbip/stub_main.c
@@ -82,7 +82,8 @@ struct bus_id_priv *get_busid_priv(const char *busid)
void put_busid_priv(struct bus_id_priv *bid)
{
- spin_unlock(&bid->busid_lock);
+ if (bid)
+ spin_unlock(&bid->busid_lock);
}
static int add_match_busid(char *busid)
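Review bot: the new `if (bid)` guard in put_busid_priv() makes NULL a valid argument, but nothing at the function says so; add a short comment above put_busid_priv() stating that NULL is accepted and is a no-op, so the contract is visible to callers pairing it with get_busid_priv(). It would also be worth checking whether the stub_probe() error path named in the commit message should skip the call when the lookup found nothing, so that lock and unlock stay visibly paired at the call site instead of relying on the guard.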
* usbip: usbip_host: fix bad unlock balance during stub_probe()
@ 2018-05-16 5:49 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2018-05-16 5:49 UTC (permalink / raw)
To: Shuah Khan (Samsung OSG); +Cc: valentina.manea.m, linux-usb, linux-kernel
On Tue, May 15, 2018 at 05:57:23PM -0600, Shuah Khan (Samsung OSG) wrote:
> stub_probe() calls put_busid_priv() in an error path when device isn't
> found in the busid_table. Fix it by making put_busid_priv() safe to be
> called with null struct bus_id_priv pointer.
>
> This problem happens when "usbip bind" is run without loading usbip_host
> driver and then running modprobe. The first failed bind attempt unbinds
> the device from the original driver and when usbip_host is modprobed,
> stub_probe() runs and doesn't find the device in its busid table and calls
> put_busid_priv() with null bus_id_priv pointer.
>
> usbip-host 3-10.2: 3-10.2 is not in match_busid table... skip!
>
> [ 367.359679] =====================================
> [ 367.359681] WARNING: bad unlock balance detected!
> [ 367.359683] 4.17.0-rc4+ #5 Not tainted
> [ 367.359685] -------------------------------------
> [ 367.359688] modprobe/2768 is trying to release lock (
> [ 367.359689]
> ==================================================================
> [ 367.359696] BUG: KASAN: null-ptr-deref in
> print_unlock_imbalance_bug+0x99/0x110
> [ 367.359699] Read of size 8 at addr 0000000000000058 by task
> modprobe/2768
Minor nit, no need to line-wrap this.
> [ 367.359705] CPU: 4 PID: 2768 Comm: modprobe Not tainted 4.17.0-rc4+ #5
>
> Fixes: 22076557b07c ("usbip: usbip_host: fix NULL-ptr deref and
> use-after-free errors") in usb-linus
Nor this, and the extra blank line isn't needed here either. I'll fix
it up by hand when I queue this up later today, thanks.
greg k-h
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* usbip: usbip_host: fix bad unlock balance during stub_probe()
@ 2018-05-16 14:03 Shuah Khan
From: Shuah Khan @ 2018-05-16 14:03 UTC (permalink / raw)
To: Greg KH; +Cc: valentina.manea.m, linux-usb, linux-kernel, Shuah Khan
On 05/15/2018 11:49 PM, Greg KH wrote:
> On Tue, May 15, 2018 at 05:57:23PM -0600, Shuah Khan (Samsung OSG) wrote:
>> stub_probe() calls put_busid_priv() in an error path when device isn't
>> found in the busid_table. Fix it by making put_busid_priv() safe to be
>> called with null struct bus_id_priv pointer.
>>
>> This problem happens when "usbip bind" is run without loading usbip_host
>> driver and then running modprobe. The first failed bind attempt unbinds
>> the device from the original driver and when usbip_host is modprobed,
>> stub_probe() runs and doesn't find the device in its busid table and calls
>> put_busid_priv() with null bus_id_priv pointer.
>>
>> usbip-host 3-10.2: 3-10.2 is not in match_busid table... skip!
>>
>> [ 367.359679] =====================================
>> [ 367.359681] WARNING: bad unlock balance detected!
>> [ 367.359683] 4.17.0-rc4+ #5 Not tainted
>> [ 367.359685] -------------------------------------
>> [ 367.359688] modprobe/2768 is trying to release lock (
>> [ 367.359689]
>> ==================================================================
>> [ 367.359696] BUG: KASAN: null-ptr-deref in
>> print_unlock_imbalance_bug+0x99/0x110
>> [ 367.359699] Read of size 8 at addr 0000000000000058 by task
>> modprobe/2768
>
> Minor nit, no need to line-wrap this.
>
>> [ 367.359705] CPU: 4 PID: 2768 Comm: modprobe Not tainted 4.17.0-rc4+ #5
>>
>> Fixes: 22076557b07c ("usbip: usbip_host: fix NULL-ptr deref and
>> use-after-free errors") in usb-linus
>
> Nor this, and the extra blank line isn't needed here either. I'll fix
> it up by hand when I queue this up later today, thanks.
>
Thanks. I will keep that in mind the next time.
thanks,
-- Shuah