diff options
| author | Shuah Khan (Samsung OSG) <shuah@kernel.org> | 2018-05-14 22:49:58 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-05-15 03:52:02 -0400 |
| commit | 22076557b07c12086eeb16b8ce2b0b735f7a27e7 (patch) | |
| tree | c568062087d8f520520d13239f603fbdf2b45ce3 /drivers/usb/usbip/stub_dev.c | |
| parent | 7510df3f29d44685bab7b1918b61a8ccd57126a9 (diff) | |
usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
usbip_host updates device status without holding lock from stub probe,
disconnect and rebind code paths. When multiple requests to import a
device are received, these unprotected code paths step all over each
other and drive fails with NULL-ptr deref and use-after-free errors.
The driver uses a table lock to protect the busid array for adding and
deleting busids to the table. However, the probe, disconnect and rebind
paths get the busid table entry and update the status without holding
the busid table lock. Add a new finer grain lock to protect the busid
entry. This new lock will be held to search and update the busid entry
fields from get_busid_idx(), add_match_busid() and del_match_busid().
match_busid_show() does the same to access the busid entry fields.
get_busid_priv() changed to return the pointer to the busid entry holding
the busid lock. stub_probe(), stub_disconnect() and stub_device_rebind()
call put_busid_priv() to release the busid lock before returning. This
changes fixes the unprotected code paths eliminating the race conditions
in updating the busid entries.
Reported-by: Jakub Jirasek
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/usbip/stub_dev.c')
| -rw-r--r-- | drivers/usb/usbip/stub_dev.c | 33 |
1 files changed, 23 insertions, 10 deletions
diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c index 9d0425113c4b..c0d6ff1baa72 100644 --- a/drivers/usb/usbip/stub_dev.c +++ b/drivers/usb/usbip/stub_dev.c | |||
| @@ -300,7 +300,7 @@ static int stub_probe(struct usb_device *udev) | |||
| 300 | struct stub_device *sdev = NULL; | 300 | struct stub_device *sdev = NULL; |
| 301 | const char *udev_busid = dev_name(&udev->dev); | 301 | const char *udev_busid = dev_name(&udev->dev); |
| 302 | struct bus_id_priv *busid_priv; | 302 | struct bus_id_priv *busid_priv; |
| 303 | int rc; | 303 | int rc = 0; |
| 304 | 304 | ||
| 305 | dev_dbg(&udev->dev, "Enter probe\n"); | 305 | dev_dbg(&udev->dev, "Enter probe\n"); |
| 306 | 306 | ||
| @@ -317,13 +317,15 @@ static int stub_probe(struct usb_device *udev) | |||
| 317 | * other matched drivers by the driver core. | 317 | * other matched drivers by the driver core. |
| 318 | * See driver_probe_device() in driver/base/dd.c | 318 | * See driver_probe_device() in driver/base/dd.c |
| 319 | */ | 319 | */ |
| 320 | return -ENODEV; | 320 | rc = -ENODEV; |
| 321 | goto call_put_busid_priv; | ||
| 321 | } | 322 | } |
| 322 | 323 | ||
| 323 | if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) { | 324 | if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) { |
| 324 | dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n", | 325 | dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n", |
| 325 | udev_busid); | 326 | udev_busid); |
| 326 | return -ENODEV; | 327 | rc = -ENODEV; |
| 328 | goto call_put_busid_priv; | ||
| 327 | } | 329 | } |
| 328 | 330 | ||
| 329 | if (!strcmp(udev->bus->bus_name, "vhci_hcd")) { | 331 | if (!strcmp(udev->bus->bus_name, "vhci_hcd")) { |
| @@ -331,13 +333,16 @@ static int stub_probe(struct usb_device *udev) | |||
| 331 | "%s is attached on vhci_hcd... skip!\n", | 333 | "%s is attached on vhci_hcd... skip!\n", |
| 332 | udev_busid); | 334 | udev_busid); |
| 333 | 335 | ||
| 334 | return -ENODEV; | 336 | rc = -ENODEV; |
| 337 | goto call_put_busid_priv; | ||
| 335 | } | 338 | } |
| 336 | 339 | ||
| 337 | /* ok, this is my device */ | 340 | /* ok, this is my device */ |
| 338 | sdev = stub_device_alloc(udev); | 341 | sdev = stub_device_alloc(udev); |
| 339 | if (!sdev) | 342 | if (!sdev) { |
| 340 | return -ENOMEM; | 343 | rc = -ENOMEM; |
| 344 | goto call_put_busid_priv; | ||
| 345 | } | ||
| 341 | 346 | ||
| 342 | dev_info(&udev->dev, | 347 | dev_info(&udev->dev, |
| 343 | "usbip-host: register new device (bus %u dev %u)\n", | 348 | "usbip-host: register new device (bus %u dev %u)\n", |
| @@ -369,7 +374,9 @@ static int stub_probe(struct usb_device *udev) | |||
| 369 | } | 374 | } |
| 370 | busid_priv->status = STUB_BUSID_ALLOC; | 375 | busid_priv->status = STUB_BUSID_ALLOC; |
| 371 | 376 | ||
| 372 | return 0; | 377 | rc = 0; |
| 378 | goto call_put_busid_priv; | ||
| 379 | |||
| 373 | err_files: | 380 | err_files: |
| 374 | usb_hub_release_port(udev->parent, udev->portnum, | 381 | usb_hub_release_port(udev->parent, udev->portnum, |
| 375 | (struct usb_dev_state *) udev); | 382 | (struct usb_dev_state *) udev); |
| @@ -379,6 +386,9 @@ err_port: | |||
| 379 | 386 | ||
| 380 | busid_priv->sdev = NULL; | 387 | busid_priv->sdev = NULL; |
| 381 | stub_device_free(sdev); | 388 | stub_device_free(sdev); |
| 389 | |||
| 390 | call_put_busid_priv: | ||
| 391 | put_busid_priv(busid_priv); | ||
| 382 | return rc; | 392 | return rc; |
| 383 | } | 393 | } |
| 384 | 394 | ||
| @@ -417,7 +427,7 @@ static void stub_disconnect(struct usb_device *udev) | |||
| 417 | /* get stub_device */ | 427 | /* get stub_device */ |
| 418 | if (!sdev) { | 428 | if (!sdev) { |
| 419 | dev_err(&udev->dev, "could not get device"); | 429 | dev_err(&udev->dev, "could not get device"); |
| 420 | return; | 430 | goto call_put_busid_priv; |
| 421 | } | 431 | } |
| 422 | 432 | ||
| 423 | dev_set_drvdata(&udev->dev, NULL); | 433 | dev_set_drvdata(&udev->dev, NULL); |
| @@ -432,12 +442,12 @@ static void stub_disconnect(struct usb_device *udev) | |||
| 432 | (struct usb_dev_state *) udev); | 442 | (struct usb_dev_state *) udev); |
| 433 | if (rc) { | 443 | if (rc) { |
| 434 | dev_dbg(&udev->dev, "unable to release port\n"); | 444 | dev_dbg(&udev->dev, "unable to release port\n"); |
| 435 | return; | 445 | goto call_put_busid_priv; |
| 436 | } | 446 | } |
| 437 | 447 | ||
| 438 | /* If usb reset is called from event handler */ | 448 | /* If usb reset is called from event handler */ |
| 439 | if (usbip_in_eh(current)) | 449 | if (usbip_in_eh(current)) |
| 440 | return; | 450 | goto call_put_busid_priv; |
| 441 | 451 | ||
| 442 | /* shutdown the current connection */ | 452 | /* shutdown the current connection */ |
| 443 | shutdown_busid(busid_priv); | 453 | shutdown_busid(busid_priv); |
| @@ -450,6 +460,9 @@ static void stub_disconnect(struct usb_device *udev) | |||
| 450 | 460 | ||
| 451 | if (busid_priv->status == STUB_BUSID_ALLOC) | 461 | if (busid_priv->status == STUB_BUSID_ALLOC) |
| 452 | busid_priv->status = STUB_BUSID_ADDED; | 462 | busid_priv->status = STUB_BUSID_ADDED; |
| 463 | |||
| 464 | call_put_busid_priv: | ||
| 465 | put_busid_priv(busid_priv); | ||
| 453 | } | 466 | } |
| 454 | 467 | ||
| 455 | #ifdef CONFIG_PM | 468 | #ifdef CONFIG_PM |