From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com,
Anirudh Rayabharam <mail@anirudhrb.com>,
Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 4.9 56/57] HID: usbhid: free raw_report buffers in usbhid_stop
Date: Mon, 4 Oct 2021 14:52:40 +0200 [thread overview]
Message-ID: <20211004125030.720628285@linuxfoundation.org> (raw)
In-Reply-To: <20211004125028.940212411@linuxfoundation.org>
From: Anirudh Rayabharam <mail@anirudhrb.com>
commit f7744fa16b96da57187dc8e5634152d3b63d72de upstream.
Free the unsent raw_report buffers when the device is removed.
Fixes a memory leak reported by syzbot at:
https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47
Reported-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
Tested-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/usbhid/hid-core.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -500,7 +500,7 @@ static void hid_ctrl(struct urb *urb)
if (unplug) {
usbhid->ctrltail = usbhid->ctrlhead;
- } else {
+ } else if (usbhid->ctrlhead != usbhid->ctrltail) {
usbhid->ctrltail = (usbhid->ctrltail + 1) & (HID_CONTROL_FIFO_SIZE - 1);
if (usbhid->ctrlhead != usbhid->ctrltail &&
@@ -1185,9 +1185,20 @@ static void usbhid_stop(struct hid_devic
usbhid->intf->needs_remote_wakeup = 0;
clear_bit(HID_STARTED, &usbhid->iofl);
+
spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */
set_bit(HID_DISCONNECTED, &usbhid->iofl);
+ while (usbhid->ctrltail != usbhid->ctrlhead) {
+ if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_OUT) {
+ kfree(usbhid->ctrl[usbhid->ctrltail].raw_report);
+ usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
+ }
+
+ usbhid->ctrltail = (usbhid->ctrltail + 1) &
+ (HID_CONTROL_FIFO_SIZE - 1);
+ }
spin_unlock_irq(&usbhid->lock);
+
usb_kill_urb(usbhid->urbin);
usb_kill_urb(usbhid->urbout);
usb_kill_urb(usbhid->urbctrl);
next prev parent reply other threads:[~2021-10-04 13:00 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-04 12:51 [PATCH 4.9 00/57] 4.9.285-rc1 review Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 01/57] ocfs2: drop acl cache for directories too Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 02/57] usb: gadget: r8a66597: fix a loop in set_feature() Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 03/57] usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 04/57] cifs: fix incorrect check for null pointer in header_assemble Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 05/57] xen/x86: fix PV trap handling on secondary processors Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 06/57] usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 07/57] USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 08/57] staging: greybus: uart: fix tty use after free Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 09/57] USB: serial: mos7840: remove duplicated 0xac24 device ID Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 10/57] USB: serial: option: add Telit LN920 compositions Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 11/57] USB: serial: option: remove duplicate USB device ID Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 12/57] USB: serial: option: add device id for Foxconn T99W265 Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 13/57] mcb: fix error handling in mcb_alloc_bus() Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 14/57] serial: mvebu-uart: fix drivers tx_empty callback Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.9 15/57] net: hso: fix muxed tty registration Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 16/57] net/mlx4_en: Dont allow aRFS for encapsulated packets Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 17/57] scsi: iscsi: Adjust iface sysfs attr detection Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 18/57] blktrace: Fix uaf in blk_trace access after removing by sysfs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 19/57] net: stmmac: allow CSR clock of 300MHz Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 20/57] m68k: Double cast io functions to unsigned long Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 21/57] compiler.h: Introduce absolute_pointer macro Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 22/57] net: i825xx: Use absolute_pointer for memcpy from fixed memory location Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 23/57] sparc: avoid stringop-overread errors Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 24/57] qnx4: " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 25/57] parisc: Use absolute_pointer() to define PAGE0 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 26/57] arm64: Mark __stack_chk_guard as __ro_after_init Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 27/57] alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 28/57] net: 6pack: Fix tx timeout and slot time Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 29/57] spi: Fix tegra20 build with CONFIG_PM=n Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 30/57] arm64: dts: marvell: armada-37xx: Extend PCIe MEM space Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 31/57] qnx4: work around gcc false positive warning bug Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 32/57] tty: Fix out-of-bound vmalloc access in imageblit Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 33/57] cpufreq: schedutil: Use kobject release() method to free sugov_tunables Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 34/57] cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 35/57] mac80211: fix use-after-free in CCMP/GCMP RX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 36/57] ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 37/57] mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 38/57] hwmon: (tmp421) fix rounding for negative values Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 39/57] e100: fix length calculation in e100_get_regs_len Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 40/57] e100: fix buffer overrun in e100_get_regs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 41/57] ipack: ipoctal: fix stack information leak Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 42/57] ipack: ipoctal: fix tty registration race Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 43/57] ipack: ipoctal: fix tty-registration error handling Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 44/57] ipack: ipoctal: fix missing allocation-failure check Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 45/57] ipack: ipoctal: fix module reference leak Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 46/57] ext4: fix potential infinite loop in ext4_dx_readdir() Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 47/57] net: udp: annotate data race around udp_sk(sk)->corkflag Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 48/57] EDAC/synopsys: Fix wrong value type assignment for edac_mode Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 49/57] ARM: 9077/1: PLT: Move struct plt_entries definition to header Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 50/57] ARM: 9078/1: Add warn suppress parameter to arm_gen_branch_link() Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 51/57] ARM: 9079/1: ftrace: Add MODULE_PLTS support Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 52/57] ARM: 9098/1: ftrace: MODULE_PLT: Fix build problem without DYNAMIC_FTRACE Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 53/57] arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 54/57] HID: betop: fix slab-out-of-bounds Write in betop_probe Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.9 55/57] netfilter: ipset: Fix oversized kvmalloc() calls Greg Kroah-Hartman
2021-10-04 12:52 ` Greg Kroah-Hartman [this message]
2021-10-04 12:52 ` [PATCH 4.9 57/57] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-04 20:35 ` Florian Fainelli
2021-10-05 6:54 ` Greg Kroah-Hartman
2021-10-04 19:50 ` [PATCH 4.9 00/57] 4.9.285-rc1 review Shuah Khan
2021-10-05 2:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211004125030.720628285@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=mail@anirudhrb.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox