From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
Jiri Kosina <jkosina@suse.cz>,
syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com
Subject: [PATCH 4.19 21/48] HID: usbhid: Fix race between usbhid_close() and usbhid_stop()
Date: Wed, 13 May 2020 11:44:47 +0200 [thread overview]
Message-ID: <20200513094356.227542582@linuxfoundation.org> (raw)
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>
From: Alan Stern <stern@rowland.harvard.edu>
commit 0ed08faded1da03eb3def61502b27f81aef2e615 upstream.
The syzbot fuzzer discovered a bad race between in the usbhid driver
between usbhid_stop() and usbhid_close(). In particular,
usbhid_stop() does:
usb_free_urb(usbhid->urbin);
...
usbhid->urbin = NULL; /* don't mess up next start */
and usbhid_close() does:
usb_kill_urb(usbhid->urbin);
with no mutual exclusion. If the two routines happen to run
concurrently so that usb_kill_urb() is called in between the
usb_free_urb() and the NULL assignment, it will access the
deallocated urb structure -- a use-after-free bug.
This patch adds a mutex to the usbhid private structure and uses it to
enforce mutual exclusion of the usbhid_start(), usbhid_stop(),
usbhid_open() and usbhid_close() callbacks.
Reported-and-tested-by: syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/usbhid/hid-core.c | 37 +++++++++++++++++++++++++++++--------
drivers/hid/usbhid/usbhid.h | 1 +
2 files changed, 30 insertions(+), 8 deletions(-)
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -685,16 +685,21 @@ static int usbhid_open(struct hid_device
struct usbhid_device *usbhid = hid->driver_data;
int res;
+ mutex_lock(&usbhid->mutex);
+
set_bit(HID_OPENED, &usbhid->iofl);
- if (hid->quirks & HID_QUIRK_ALWAYS_POLL)
- return 0;
+ if (hid->quirks & HID_QUIRK_ALWAYS_POLL) {
+ res = 0;
+ goto Done;
+ }
res = usb_autopm_get_interface(usbhid->intf);
/* the device must be awake to reliably request remote wakeup */
if (res < 0) {
clear_bit(HID_OPENED, &usbhid->iofl);
- return -EIO;
+ res = -EIO;
+ goto Done;
}
usbhid->intf->needs_remote_wakeup = 1;
@@ -728,6 +733,9 @@ static int usbhid_open(struct hid_device
msleep(50);
clear_bit(HID_RESUME_RUNNING, &usbhid->iofl);
+
+ Done:
+ mutex_unlock(&usbhid->mutex);
return res;
}
@@ -735,6 +743,8 @@ static void usbhid_close(struct hid_devi
{
struct usbhid_device *usbhid = hid->driver_data;
+ mutex_lock(&usbhid->mutex);
+
/*
* Make sure we don't restart data acquisition due to
* a resumption we no longer care about by avoiding racing
@@ -746,12 +756,13 @@ static void usbhid_close(struct hid_devi
clear_bit(HID_IN_POLLING, &usbhid->iofl);
spin_unlock_irq(&usbhid->lock);
- if (hid->quirks & HID_QUIRK_ALWAYS_POLL)
- return;
+ if (!(hid->quirks & HID_QUIRK_ALWAYS_POLL)) {
+ hid_cancel_delayed_stuff(usbhid);
+ usb_kill_urb(usbhid->urbin);
+ usbhid->intf->needs_remote_wakeup = 0;
+ }
- hid_cancel_delayed_stuff(usbhid);
- usb_kill_urb(usbhid->urbin);
- usbhid->intf->needs_remote_wakeup = 0;
+ mutex_unlock(&usbhid->mutex);
}
/*
@@ -1060,6 +1071,8 @@ static int usbhid_start(struct hid_devic
unsigned int n, insize = 0;
int ret;
+ mutex_lock(&usbhid->mutex);
+
clear_bit(HID_DISCONNECTED, &usbhid->iofl);
usbhid->bufsize = HID_MIN_BUFFER_SIZE;
@@ -1180,6 +1193,8 @@ static int usbhid_start(struct hid_devic
usbhid_set_leds(hid);
device_set_wakeup_enable(&dev->dev, 1);
}
+
+ mutex_unlock(&usbhid->mutex);
return 0;
fail:
@@ -1190,6 +1205,7 @@ fail:
usbhid->urbout = NULL;
usbhid->urbctrl = NULL;
hid_free_buffers(dev, hid);
+ mutex_unlock(&usbhid->mutex);
return ret;
}
@@ -1205,6 +1221,8 @@ static void usbhid_stop(struct hid_devic
usbhid->intf->needs_remote_wakeup = 0;
}
+ mutex_lock(&usbhid->mutex);
+
clear_bit(HID_STARTED, &usbhid->iofl);
spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */
set_bit(HID_DISCONNECTED, &usbhid->iofl);
@@ -1225,6 +1243,8 @@ static void usbhid_stop(struct hid_devic
usbhid->urbout = NULL;
hid_free_buffers(hid_to_usb_dev(hid), hid);
+
+ mutex_unlock(&usbhid->mutex);
}
static int usbhid_power(struct hid_device *hid, int lvl)
@@ -1385,6 +1405,7 @@ static int usbhid_probe(struct usb_inter
INIT_WORK(&usbhid->reset_work, hid_reset);
timer_setup(&usbhid->io_retry, hid_retry_timeout, 0);
spin_lock_init(&usbhid->lock);
+ mutex_init(&usbhid->mutex);
ret = hid_add_device(hid);
if (ret) {
--- a/drivers/hid/usbhid/usbhid.h
+++ b/drivers/hid/usbhid/usbhid.h
@@ -93,6 +93,7 @@ struct usbhid_device {
dma_addr_t outbuf_dma; /* Output buffer dma */
unsigned long last_out; /* record of last output for timeouts */
+ struct mutex mutex; /* start/stop/open/close */
spinlock_t lock; /* fifo spinlock */
unsigned long iofl; /* I/O flags (CTRL_RUNNING, OUT_RUNNING) */
struct timer_list io_retry; /* Retry timer */
next prev parent reply other threads:[~2020-05-13 9:47 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-13 9:44 [PATCH 4.19 00/48] 4.19.123-rc1 review Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 01/48] USB: serial: qcserial: Add DW5816e support Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 02/48] tracing/kprobes: Fix a double initialization typo Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 03/48] vt: fix unicode console freeing with a common interface Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 04/48] dp83640: reverse arguments to list_add_tail Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 05/48] fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 06/48] net: macsec: preserve ingress frame ordering Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 07/48] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 08/48] net_sched: sch_skbprio: add message validation to skbprio_change() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 09/48] net: usb: qmi_wwan: add support for DW5816e Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 10/48] sch_choke: avoid potential panic in choke_reset() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 11/48] sch_sfq: validate silly quantum values Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 12/48] tipc: fix partial topology connection closure Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 13/48] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 14/48] net/mlx5: Fix forced completion access non initialized command entry Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 15/48] net/mlx5: Fix command entry leak in Internal Error State Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 16/48] bnxt_en: Improve AER slot reset Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 17/48] bnxt_en: Fix VF anti-spoof filter setup Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 18/48] net: stricter validation of untrusted gso packets Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 19/48] HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 20/48] sctp: Fix bundling of SHUTDOWN with COOKIE-ACK Greg Kroah-Hartman
2020-05-13 9:44 ` Greg Kroah-Hartman [this message]
2020-05-13 9:44 ` [PATCH 4.19 22/48] USB: uas: add quirk for LaCie 2Big Quadra Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 23/48] USB: serial: garmin_gps: add sanity checking for data length Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 24/48] tracing: Add a vmalloc_sync_mappings() for safe measure Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 25/48] KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 26/48] KVM: arm64: Fix 32bit PC wrap-around Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 27/48] arm64: hugetlb: avoid potential NULL dereference Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 28/48] mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 29/48] staging: gasket: Check the return value of gasket_get_bar_index() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 30/48] coredump: fix crash when umh is disabled Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 31/48] KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 32/48] KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()s asm blob Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 33/48] batman-adv: fix batadv_nc_random_weight_tq Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 34/48] batman-adv: Fix refcnt leak in batadv_show_throughput_override Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 35/48] batman-adv: Fix refcnt leak in batadv_store_throughput_override Greg Kroah-Hartman
2020-05-13 21:03 ` Pavel Machek
2020-05-13 9:45 ` [PATCH 4.19 36/48] batman-adv: Fix refcnt leak in batadv_v_ogm_process Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 37/48] x86/entry/64: Fix unwind hints in register clearing code Greg Kroah-Hartman
2020-05-13 21:48 ` Pavel Machek
2020-05-14 19:27 ` Josh Poimboeuf
2020-05-13 9:45 ` [PATCH 4.19 38/48] x86/entry/64: Fix unwind hints in kernel exit path Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 39/48] x86/entry/64: Fix unwind hints in rewind_stack_do_exit() Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 40/48] x86/unwind/orc: Dont skip the first frame for inactive tasks Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization Greg Kroah-Hartman
2020-05-13 21:52 ` Pavel Machek
2020-05-14 19:44 ` Josh Poimboeuf
2020-05-14 20:13 ` Pavel Machek
2020-05-14 20:28 ` Josh Poimboeuf
2020-05-13 9:45 ` [PATCH 4.19 42/48] x86/unwind/orc: Fix error path for bad ORC entry type Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 43/48] x86/unwind/orc: Fix premature unwind stoppage due to IRET frames Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 44/48] netfilter: nat: never update the UDP checksum when its 0 Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 45/48] netfilter: nf_osf: avoid passing pointer to local var Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 46/48] objtool: Fix stack offset tracking for indirect CFAs Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 47/48] scripts/decodecode: fix trapping instruction formatting Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 48/48] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() Greg Kroah-Hartman
2020-05-13 13:45 ` [PATCH 4.19 00/48] 4.19.123-rc1 review Jon Hunter
2020-05-13 17:03 ` Guenter Roeck
2020-05-13 18:14 ` Naresh Kamboju
2020-05-13 19:29 ` Chris Paterson
2020-05-13 23:02 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200513094356.227542582@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox