From: Greg KH <greg@kroah.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: USB list <linux-usb@vger.kernel.org>,
andreyknvl@google.com, bhelgaas@google.com, kirr@nexedi.com,
linux@roeck-us.net, lkundrak@v3.sk, logang@deltatee.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] USB: core: Fix races in character device registration and deregistraion
Date: Mon, 12 Aug 2019 22:52:08 +0200 [thread overview]
Message-ID: <20190812205208.GA12789@kroah.com> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.org>
On Mon, Aug 12, 2019 at 04:11:07PM -0400, Alan Stern wrote:
> The syzbot fuzzer has found two (!) races in the USB character device
> registration and deregistration routines. This patch fixes the races.
>
> The first race results from the fact that usb_deregister_dev() sets
> usb_minors[intf->minor] to NULL before calling device_destroy() on the
> class device. This leaves a window during which another thread can
> allocate the same minor number but will encounter a duplicate name
> error when it tries to register its own class device. A typical error
> message in the system log would look like:
>
> sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'
>
> The patch fixes this race by destroying the class device first.
>
> The second race is in usb_register_dev(). When that routine runs, it
> first allocates a minor number, then drops minor_rwsem, and then
> creates the class device. If the device creation fails, the minor
> number is deallocated and the whole routine returns an error. But
> during the time while minor_rwsem was dropped, there is a window in
> which the minor number is allocated and so another thread can
> successfully open the device file. Typically this results in
> use-after-free errors or invalid accesses when the other thread closes
> its open file reference, because the kernel then tries to release
> resources that were already deallocated when usb_register_dev()
> failed. The patch fixes this race by keeping minor_rwsem locked
> throughout the entire routine.
>
> Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> CC: <stable@vger.kernel.org>
>
> ---
>
> [as1907]
Thanks for this, now queued up.
greg k-h
prev parent reply other threads:[~2019-08-12 20:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-09 13:18 KASAN: use-after-free Read in ld_usb_release syzbot
2019-08-09 16:51 ` Alan Stern
2019-08-09 17:33 ` Andrey Konovalov
2019-08-09 17:53 ` syzbot
2019-08-12 12:07 ` Andrey Konovalov
2019-08-12 14:21 ` Alan Stern
2019-08-12 14:31 ` Greg KH
2019-08-12 15:31 ` Greg KH
2019-08-12 20:11 ` [PATCH] USB: core: Fix races in character device registration and deregistraion Alan Stern
2019-08-12 20:52 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190812205208.GA12789@kroah.com \
--to=greg@kroah.com \
--cc=andreyknvl@google.com \
--cc=bhelgaas@google.com \
--cc=kirr@nexedi.com \
--cc=linux-usb@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=lkundrak@v3.sk \
--cc=logang@deltatee.com \
--cc=stern@rowland.harvard.edu \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.