linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Christian Lamparter <chunkeey@gmail.com>,
	Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH 4.4 25/40] carl9170: fix misuse of device driver API
Date: Thu, 18 Jul 2019 12:02:21 +0900	[thread overview]
Message-ID: <20190718030048.988349013@linuxfoundation.org> (raw)
In-Reply-To: <20190718030039.676518610@linuxfoundation.org>

From: Christian Lamparter <chunkeey@gmail.com>

commit feb09b2933275a70917a869989ea2823e7356be8 upstream.

This patch follows Alan Stern's recent patch:
"p54: Fix race between disconnect and firmware loading"

that overhauled carl9170's buggy firmware loading and driver
unbinding procedures.

Since the carl9170 code was adapted from p54, it uses the
same functions and is likely to have the same problems; it's
just that syzbot hasn't reproduced them (yet).

A summary of the changes (copied from the p54 patch):
 * Call usb_driver_release_interface() rather than
   device_release_driver().

 * Lock udev (the interface's parent) before unbinding the
   driver instead of locking udev->parent.

 * During the firmware loading process, take a reference
   to the USB interface instead of the USB device.

 * Don't take an unnecessary reference to the device during
   probe (and then don't drop it during disconnect).

and

 * Make sure to prevent use-after-free bugs by explicitly
   setting the driver context to NULL after signaling the
   completion.

Cc: <stable@vger.kernel.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/carl9170/usb.c |   39 +++++++++++++-------------------
 1 file changed, 17 insertions(+), 22 deletions(-)

--- a/drivers/net/wireless/ath/carl9170/usb.c
+++ b/drivers/net/wireless/ath/carl9170/usb.c
@@ -128,6 +128,8 @@ static struct usb_device_id carl9170_usb
 };
 MODULE_DEVICE_TABLE(usb, carl9170_usb_ids);
 
+static struct usb_driver carl9170_driver;
+
 static void carl9170_usb_submit_data_urb(struct ar9170 *ar)
 {
 	struct urb *urb;
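Review bot: a one-line comment on the new `static struct usb_driver carl9170_driver;` would help the next reader, since the reason for it is only visible much further down: carl9170_usb_firmware_failed() now passes &carl9170_driver to usb_driver_release_interface() before the full definition of the driver struct appears. As a tentative definition this is valid C, but it must keep the same storage class (static) as the real definition later in the file, otherwise the compiler will reject the mismatch.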
@@ -968,32 +970,28 @@ err_out:
 
 static void carl9170_usb_firmware_failed(struct ar9170 *ar)
 {
-	struct device *parent = ar->udev->dev.parent;
-	struct usb_device *udev;
-
-	/*
-	 * Store a copy of the usb_device pointer locally.
-	 * This is because device_release_driver initiates
-	 * carl9170_usb_disconnect, which in turn frees our
-	 * driver context (ar).
+	/* Store a copies of the usb_interface and usb_device pointer locally.
+	 * This is because release_driver initiates carl9170_usb_disconnect,
+	 * which in turn frees our driver context (ar).
 	 */
-	udev = ar->udev;
+	struct usb_interface *intf = ar->intf;
+	struct usb_device *udev = ar->udev;
 
 	complete(&ar->fw_load_wait);
+	/* at this point 'ar' could be already freed. Don't use it anymore */
+	ar = NULL;
 
 	/* unbind anything failed */
-	if (parent)
-		device_lock(parent);
-
-	device_release_driver(&udev->dev);
-	if (parent)
-		device_unlock(parent);
+	usb_lock_device(udev);
+	usb_driver_release_interface(&carl9170_driver, intf);
+	usb_unlock_device(udev);
 
-	usb_put_dev(udev);
+	usb_put_intf(intf);
 }
 
 static void carl9170_usb_firmware_finish(struct ar9170 *ar)
 {
+	struct usb_interface *intf = ar->intf;
 	int err;
 
 	err = carl9170_parse_firmware(ar);
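Review bot: the rewritten comment in carl9170_usb_firmware_failed() has a grammar slip and names a function that is not the one being called: "Store a copies of the usb_interface and usb_device pointer locally" should read "Store copies of the usb_interface and usb_device pointers locally", and "release_driver initiates carl9170_usb_disconnect" should name usb_driver_release_interface(), which is the call that actually triggers the disconnect path here. The `ar = NULL;` right after complete() is the use-after-free guard described in the commit message; since the waiter in disconnect may free the context as soon as the completion fires, the locals `intf` and `udev` must stay as the only things used after that point, which the hunk respects.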
@@ -1011,7 +1009,7 @@ static void carl9170_usb_firmware_finish
 		goto err_unrx;
 
 	complete(&ar->fw_load_wait);
-	usb_put_dev(ar->udev);
+	usb_put_intf(intf);
 	return;
 
 err_unrx:
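Review bot: carl9170_usb_firmware_finish() has the same hazard as carl9170_usb_firmware_failed() after complete(&ar->fw_load_wait), but no comment says so; a line like the "at this point 'ar' could be already freed" comment from the other function would make it clear why the put uses the cached `intf` instead of ar->intf. The immediate `return;` means nothing else touches `ar`, so the cached interface pointer is all this path needs.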
@@ -1054,7 +1052,6 @@ static int carl9170_usb_probe(struct usb
 		return PTR_ERR(ar);
 
 	udev = interface_to_usbdev(intf);
-	usb_get_dev(udev);
 	ar->udev = udev;
 	ar->intf = intf;
 	ar->features = id->driver_info;
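Review bot: removing usb_get_dev(udev) turns ar->udev into a borrowed pointer that is only valid while the interface is bound, so this hunk is correct only together with the matching removal of usb_put_dev(udev) in carl9170_usb_disconnect() further down; they must land in the same patch, which they do here. The later request_firmware_nowait() call still passes &ar->udev->dev as the device, which stays safe because the usb_get_intf() reference taken before that call keeps the interface (and therefore its parent device) alive until the firmware callback drops it.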
@@ -1096,15 +1093,14 @@ static int carl9170_usb_probe(struct usb
 	atomic_set(&ar->rx_anch_urbs, 0);
 	atomic_set(&ar->rx_pool_urbs, 0);
 
-	usb_get_dev(ar->udev);
+	usb_get_intf(intf);
 
 	carl9170_set_state(ar, CARL9170_STOPPED);
 
 	err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
 		&ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
 	if (err) {
-		usb_put_dev(udev);
-		usb_put_dev(udev);
+		usb_put_intf(intf);
 		carl9170_free(ar);
 	}
 	return err;
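Review bot: a short comment above `usb_get_intf(intf);` stating where the reference is dropped (usb_put_intf() in carl9170_usb_firmware_failed() / carl9170_usb_firmware_finish(), or in this error path if request_firmware_nowait() fails) would help, because the release is not visible in probe. The reference accounting in the error path is now balanced: one usb_put_intf() for the one usb_get_intf() above, replacing the two usb_put_dev() calls that used to undo the two usb_get_dev() calls removed by this patch. Ordering is fine as well, since usb_put_intf() is called before carl9170_free(ar) and does not touch `ar`.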
@@ -1133,7 +1129,6 @@ static void carl9170_usb_disconnect(stru
 
 	carl9170_release_firmware(ar);
 	carl9170_free(ar);
-	usb_put_dev(udev);
 }
 
 #ifdef CONFIG_PM
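Review bot: check whether the local `udev` in carl9170_usb_disconnect() (declared above this hunk, outside the visible context) was used only by the removed usb_put_dev(udev); if so it is now an unused variable and will trigger a -Wunused-variable warning, and the declaration and its assignment should be dropped in the same patch.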


