• Shuah Khan (Samsung OSG)'s avatar
    usbip: usbip_host: fix NULL-ptr deref and use-after-free errors · f2a6d5f1
    Shuah Khan (Samsung OSG) authored
    commit 22076557 upstream.
    
    usbip_host updates device status without holding lock from stub probe,
    disconnect and rebind code paths. When multiple requests to import a
    device are received, these unprotected code paths step all over each
    other and drive fails with NULL-ptr deref and use-after-free errors.
    
    The driver uses a table lock to protect the busid array for adding and
    deleting busids to the table. However, the probe, disconnect and rebind
    paths get the busid table entry and update the status without holding
    the busid table lock. Add a new finer grain lock to protect the busid
    entry. This new lock will be held to search and update the busid entry
    fields from get_busid_idx(), add_match_busid() and del_match_busid().
    
    match_busid_show() does the same to access the busid entry fields.
    
    get_busid_priv() changed to return the pointer to the busid entry holding
    the busid lock. stub_probe(), stub_disconnect() and stub_device_rebind()
    call put_busid_priv() to release the busid lock before returning. This
    changes fixes the unprotected code paths eliminating the race conditions
    in updating the busid entries.
    
    Reported-by: Jakub Jirasek
    Signed-off-by: default avatarShuah Khan (Samsung OSG) <shuah@kernel.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    f2a6d5f1
stub_main.c 9.25 KB