USB: Close usb_find_interface race

USB drivers that create character devices call usb_register_dev in their
probe function. This associates the usb_interface device with that minor
number and creates the character device and announces it to the world.
However, the driver's probe function is called before the new
usb_interface is added to the driver's klist_devices.

This is a problem because userspace will respond to the character device
creation announcement by opening the character device. The driver's open
function will the call usb_find_interface to find the usb_interface
associated with that minor number. usb_find_interface will walk the
driver's list of devices and find the usb_interface with the matching
minor number.

Because the announcement happens before the usb_interface is added to the
driver's klist_devices, a race condition exists. A straightforward fix
is to walk the list of devices on usb_bus_type instead since the device
is added to that list before the announcement occurs.

bus_find_device calls get_device to bump the reference count on the found
device. It is arguable that the reference count should be dropped by the
caller of usb_find_interface instead of usb_find_interface, however,
the current users of usb_find_interface do not expect this.

Signed-off-by: Russ Dill <Russ.Dill@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

1 files changed, 10 insertions, 18 deletions

diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
index b1b85abb9a2d..d1e9440799de 100644
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -130,24 +130,17 @@ struct usb_host_interface *usb_altnum_to_altsetting(
 }
 EXPORT_SYMBOL_GPL(usb_altnum_to_altsetting);
 
-struct find_interface_arg {
-        int minor;
-        struct usb_interface *interface;
-};
-
 static int __find_interface(struct device *dev, void *data)
 {
-        struct find_interface_arg *arg = data;
+        int *minor = data;
         struct usb_interface *intf;
 
         if (!is_usb_interface(dev))
                 return 0;
 
         intf = to_usb_interface(dev);
-        if (intf->minor != -1 && intf->minor == arg->minor) {
-                arg->interface = intf;
+        if (intf->minor != -1 && intf->minor == *minor)
                 return 1;
-        }
         return 0;
 }
 
@@ -156,21 +149,20 @@ static int __find_interface(struct device *dev, void *data)
  * @drv: the driver whose current configuration is considered
  * @minor: the minor number of the desired device
  *
- * This walks the driver device list and returns a pointer to the interface
+ * This walks the bus device list and returns a pointer to the interface
  * with the matching minor.  Note, this only works for devices that share the
  * USB major number.
  */
 struct usb_interface *usb_find_interface(struct usb_driver *drv, int minor)
 {
-        struct find_interface_arg argb;
-        int retval;
+        struct device *dev;
+
+        dev = bus_find_device(&usb_bus_type, NULL, &minor, __find_interface);
+
+        /* Drop reference count from bus_find_device */
+        put_device(dev);
 
-        argb.minor = minor;
-        argb.interface = NULL;
-        /* eat the error, it will be in argb.interface */
-        retval = driver_for_each_device(&drv->drvwrap.driver, NULL, &argb,
-                                        __find_interface);
-        return argb.interface;
+        return dev ? to_usb_interface(dev) : NULL;
 }
 EXPORT_SYMBOL_GPL(usb_find_interface);