iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

USB: usb-skeleton: fix NULL-deref on disconnect

Browse Source 
The driver was using its struct usb_interface pointer as an inverted
disconnected flag and was setting it to NULL before making sure all
completion handlers had run. This could lead to NULL-pointer
dereferences in the dev_err() statements in the completion handlers
which relies on said pointer.

Fix this by using a dedicated disconnected flag.

Note that this is also addresses a NULL-pointer dereference at release()
and a struct usb_interface reference leak introduced by a recent runtime
PM fix, which depends on and should have been submitted together with
this patch.

Fixes: 4212cd74ca ("USB: usb-skeleton.c: remove err() usage")
Fixes: 5c290a5e42 ("USB: usb-skeleton: fix runtime PM after driver unbind")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009170944.30057-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Johan Hovold
2019-10-09 19:09:42 +02:00
committed by Greg Kroah-Hartman
parent 623170ff59
commit bed5ef2309
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
drivers/usb/usb-skeleton.c
View File

@ -61,6 +61,7 @@ struct usb_skel {
spinlock_t err_lock; /* lock for errors */ spinlock_t err_lock; /* lock for errors */
struct kref kref; struct kref kref;
struct mutex io_mutex; /* synchronize I/O with disconnect */ struct mutex io_mutex; /* synchronize I/O with disconnect */
unsigned long disconnected:1;
wait_queue_head_t bulk_in_wait; /* to wait for an ongoing read */ wait_queue_head_t bulk_in_wait; /* to wait for an ongoing read */
}; };
#define to_skel_dev(d) container_of(d, struct usb_skel, kref) #define to_skel_dev(d) container_of(d, struct usb_skel, kref)
@ -238,7 +239,7 @@ static ssize_t skel_read(struct file *file, char *buffer, size_t count,
if (rv < 0) if (rv < 0)
return rv; return rv;
if (!dev->interface) { /* disconnect() was called */ if (dev->disconnected) { /* disconnect() was called */
rv = -ENODEV; rv = -ENODEV;
goto exit; goto exit;
} }
@ -420,7 +421,7 @@ static ssize_t skel_write(struct file *file, const char *user_buffer,
/* this lock makes sure we don't submit URBs to gone devices */ /* this lock makes sure we don't submit URBs to gone devices */
mutex_lock(&dev->io_mutex); mutex_lock(&dev->io_mutex);
if (!dev->interface) { /* disconnect() was called */ if (dev->disconnected) { /* disconnect() was called */
mutex_unlock(&dev->io_mutex); mutex_unlock(&dev->io_mutex);
retval = -ENODEV; retval = -ENODEV;
goto error; goto error;
@ -571,7 +572,7 @@ static void skel_disconnect(struct usb_interface *interface)
/* prevent more I/O from starting */ /* prevent more I/O from starting */
mutex_lock(&dev->io_mutex); mutex_lock(&dev->io_mutex);
dev->interface = NULL; dev->disconnected = 1;
mutex_unlock(&dev->io_mutex); mutex_unlock(&dev->io_mutex);
usb_kill_anchored_urbs(&dev->submitted); usb_kill_anchored_urbs(&dev->submitted);