From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johan Hovold <johan@kernel.org>
Subject: [PATCH 4.14 29/65] USB: usblcd: fix I/O after disconnect
Date: Wed, 16 Oct 2019 14:50:43 -0700 [thread overview]
Message-ID: <20191016214824.139956965@linuxfoundation.org> (raw)
In-Reply-To: <20191016214756.457746573@linuxfoundation.org>
From: Johan Hovold <johan@kernel.org>
commit eb7f5a490c5edfe8126f64bc58b9ba2edef0a425 upstream.
Make sure to stop all I/O on disconnect by adding a disconnected flag
which is used to prevent new I/O from being started and by stopping all
ongoing I/O before returning.
This also fixes a potential use-after-free on driver unbind in case the
driver data is freed before the completion handler has run.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org> # 7bbe990c989e
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20190926091228.24634-7-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/usblcd.c | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
--- a/drivers/usb/misc/usblcd.c
+++ b/drivers/usb/misc/usblcd.c
@@ -17,6 +17,7 @@
#include <linux/slab.h>
#include <linux/errno.h>
#include <linux/mutex.h>
+#include <linux/rwsem.h>
#include <linux/uaccess.h>
#include <linux/usb.h>
@@ -56,6 +57,8 @@ struct usb_lcd {
using up all RAM */
struct usb_anchor submitted; /* URBs to wait for
before suspend */
+ struct rw_semaphore io_rwsem;
+ unsigned long disconnected:1;
};
#define to_lcd_dev(d) container_of(d, struct usb_lcd, kref)
@@ -141,6 +144,13 @@ static ssize_t lcd_read(struct file *fil
dev = file->private_data;
+ down_read(&dev->io_rwsem);
+
+ if (dev->disconnected) {
+ retval = -ENODEV;
+ goto out_up_io;
+ }
+
/* do a blocking bulk read to get data from the device */
retval = usb_bulk_msg(dev->udev,
usb_rcvbulkpipe(dev->udev,
@@ -157,6 +167,9 @@ static ssize_t lcd_read(struct file *fil
retval = bytes_read;
}
+out_up_io:
+ up_read(&dev->io_rwsem);
+
return retval;
}
@@ -236,11 +249,18 @@ static ssize_t lcd_write(struct file *fi
if (r < 0)
return -EINTR;
+ down_read(&dev->io_rwsem);
+
+ if (dev->disconnected) {
+ retval = -ENODEV;
+ goto err_up_io;
+ }
+
/* create a urb, and a buffer for it, and copy the data to the urb */
urb = usb_alloc_urb(0, GFP_KERNEL);
if (!urb) {
retval = -ENOMEM;
- goto err_no_buf;
+ goto err_up_io;
}
buf = usb_alloc_coherent(dev->udev, count, GFP_KERNEL,
@@ -277,6 +297,7 @@ static ssize_t lcd_write(struct file *fi
the USB core will eventually free it entirely */
usb_free_urb(urb);
+ up_read(&dev->io_rwsem);
exit:
return count;
error_unanchor:
@@ -284,7 +305,8 @@ error_unanchor:
error:
usb_free_coherent(dev->udev, count, buf, urb->transfer_dma);
usb_free_urb(urb);
-err_no_buf:
+err_up_io:
+ up_read(&dev->io_rwsem);
up(&dev->limit_sem);
return retval;
}
@@ -324,6 +346,7 @@ static int lcd_probe(struct usb_interfac
kref_init(&dev->kref);
sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES);
+ init_rwsem(&dev->io_rwsem);
init_usb_anchor(&dev->submitted);
dev->udev = usb_get_dev(interface_to_usbdev(interface));
@@ -421,6 +444,12 @@ static void lcd_disconnect(struct usb_in
/* give back our minor */
usb_deregister_dev(interface, &lcd_class);
+ down_write(&dev->io_rwsem);
+ dev->disconnected = 1;
+ up_write(&dev->io_rwsem);
+
+ usb_kill_anchored_urbs(&dev->submitted);
+
/* decrement our usage count */
kref_put(&dev->kref, lcd_delete);
next prev parent reply other threads:[~2019-10-16 21:56 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-16 21:50 [PATCH 4.14 00/65] 4.14.150-stable review Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 01/65] panic: ensure preemption is disabled during panic() Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 02/65] f2fs: use EINVAL for superblock with invalid magic Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 03/65] USB: rio500: Remove Rio 500 kernel driver Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 04/65] USB: yurex: Dont retry on unexpected errors Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 05/65] USB: yurex: fix NULL-derefs on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 06/65] USB: usb-skeleton: fix runtime PM after driver unbind Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 07/65] USB: usb-skeleton: fix NULL-deref on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 08/65] xhci: Fix false warning message about wrong bounce buffer write length Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 09/65] xhci: Prevent device initiated U1/U2 link pm if exit latency is too long Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 10/65] xhci: Check all endpoints for LPM timeout Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 11/65] usb: xhci: wait for CNR controller not ready bit in xhci resume Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 12/65] xhci: Increase STS_SAVE timeout in xhci_suspend() Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 13/65] USB: adutux: remove redundant variable minor Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 14/65] USB: adutux: fix use-after-free on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 15/65] USB: adutux: fix NULL-derefs " Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 16/65] USB: adutux: fix use-after-free on release Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 17/65] USB: iowarrior: fix use-after-free on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 18/65] USB: iowarrior: fix use-after-free on release Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 19/65] USB: iowarrior: fix use-after-free after driver unbind Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 20/65] USB: usblp: fix runtime PM " Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 21/65] USB: chaoskey: fix use-after-free on release Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 22/65] USB: ldusb: fix NULL-derefs on driver unbind Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 23/65] serial: uartlite: fix exit path null pointer Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 24/65] USB: serial: keyspan: fix NULL-derefs on open() and write() Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 25/65] USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 26/65] USB: serial: option: add Telit FN980 compositions Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 27/65] USB: serial: option: add support for Cinterion CLS8 devices Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 28/65] USB: serial: fix runtime PM after driver unbind Greg Kroah-Hartman
2019-10-16 21:50 ` Greg Kroah-Hartman [this message]
2019-10-16 21:50 ` [PATCH 4.14 30/65] USB: microtek: fix info-leak at probe Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 31/65] USB: dummy-hcd: fix power budget for SuperSpeed mode Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 32/65] usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}() Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 33/65] usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 34/65] USB: legousbtower: fix slab info leak at probe Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 35/65] USB: legousbtower: fix deadlock on disconnect Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 36/65] USB: legousbtower: fix potential NULL-deref " Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 37/65] USB: legousbtower: fix open after failed reset request Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 38/65] USB: legousbtower: fix use-after-free on release Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 39/65] staging: vt6655: Fix memory leak in vt6655_probe Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 40/65] iio: adc: ad799x: fix probe error handling Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 41/65] iio: adc: axp288: Override TS pin bias current for some models Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 42/65] iio: light: opt3001: fix mutex unlock race Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 43/65] efivar/ssdt: Dont iterate over EFI vars if no SSDT override was specified Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 44/65] perf llvm: Dont access out-of-scope array Greg Kroah-Hartman
2019-10-16 21:50 ` [PATCH 4.14 45/65] perf inject jit: Fix JIT_CODE_MOVE filename Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 46/65] CIFS: Gracefully handle QueryInfo errors during open Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 47/65] CIFS: Force revalidate inode when dentry is stale Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 48/65] CIFS: Force reval dentry if LOOKUP_REVAL flag is set Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 49/65] kernel/sysctl.c: do not override max_threads provided by userspace Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 50/65] firmware: google: increment VPD key_len properly Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 51/65] gpiolib: dont clear FLAG_IS_OUT when emulating open-drain/open-source Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 52/65] Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 53/65] iio: hx711: add delay until DOUT is ready Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 54/65] iio: adc: hx711: fix bug in sampling of data Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 55/65] btrfs: fix incorrect updating of log root tree Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 56/65] NFS: Fix O_DIRECT accounting of number of bytes read/written Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 57/65] MIPS: Disable Loongson MMI instructions for kernel build Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 58/65] Fix the locking in dcache_readdir() and friends Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 59/65] media: stkwebcam: fix runtime PM after driver unbind Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 60/65] tracing/hwlat: Report total time spent in all NMIs during the sample Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 61/65] tracing/hwlat: Dont ignore outer-loop duration when calculating max_latency Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 62/65] ftrace: Get a reference counter for the trace_array on filter files Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 63/65] tracing: Get trace_array reference for available_tracers files Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 64/65] x86/asm: Fix MWAITX C-state hint value Greg Kroah-Hartman
2019-10-16 21:51 ` [PATCH 4.14 65/65] xfs: clear sb->s_fs_info on mount failure Greg Kroah-Hartman
2019-10-17 1:42 ` [PATCH 4.14 00/65] 4.14.150-stable review kernelci.org bot
2019-10-17 6:22 ` Naresh Kamboju
2019-10-17 14:55 ` shuah
2019-10-17 18:03 ` Guenter Roeck
2019-10-17 18:27 ` Didik Setiawan
2019-10-18 7:57 ` Jon Hunter
2019-10-18 9:59 ` Jinpu Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191016214824.139956965@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).