Commit 8c6ac185 authored by Johan Hovold's avatar Johan Hovold Committed by Khalid Elmously

USB: usb-skeleton: fix NULL-deref on disconnect

BugLink: https://bugs.launchpad.net/bugs/1848780

commit bed5ef23 upstream.

The driver was using its struct usb_interface pointer as an inverted
disconnected flag and was setting it to NULL before making sure all
completion handlers had run. This could lead to NULL-pointer
dereferences in the dev_err() statements in the completion handlers
which relies on said pointer.

Fix this by using a dedicated disconnected flag.

Note that this also addresses a NULL-pointer dereference at release()
and a struct usb_interface reference leak introduced by a recent runtime
PM fix, which depends on and should have been submitted together with
this patch.

Fixes: 4212cd74 ("USB: usb-skeleton.c: remove err() usage")
Fixes: 5c290a5e ("USB: usb-skeleton: fix runtime PM after driver unbind")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009170944.30057-2-johan@kernel.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent 5415cfea
...@@ -63,6 +63,7 @@ struct usb_skel { ...@@ -63,6 +63,7 @@ struct usb_skel {
spinlock_t err_lock; /* lock for errors */ spinlock_t err_lock; /* lock for errors */
struct kref kref; struct kref kref;
struct mutex io_mutex; /* synchronize I/O with disconnect */ struct mutex io_mutex; /* synchronize I/O with disconnect */
unsigned long disconnected:1;
wait_queue_head_t bulk_in_wait; /* to wait for an ongoing read */ wait_queue_head_t bulk_in_wait; /* to wait for an ongoing read */
}; };
#define to_skel_dev(d) container_of(d, struct usb_skel, kref) #define to_skel_dev(d) container_of(d, struct usb_skel, kref)
...@@ -239,7 +240,7 @@ static ssize_t skel_read(struct file *file, char *buffer, size_t count, ...@@ -239,7 +240,7 @@ static ssize_t skel_read(struct file *file, char *buffer, size_t count,
if (rv < 0) if (rv < 0)
return rv; return rv;
if (!dev->interface) { /* disconnect() was called */ if (dev->disconnected) { /* disconnect() was called */
rv = -ENODEV; rv = -ENODEV;
goto exit; goto exit;
} }
...@@ -420,7 +421,7 @@ static ssize_t skel_write(struct file *file, const char *user_buffer, ...@@ -420,7 +421,7 @@ static ssize_t skel_write(struct file *file, const char *user_buffer,
/* this lock makes sure we don't submit URBs to gone devices */ /* this lock makes sure we don't submit URBs to gone devices */
mutex_lock(&dev->io_mutex); mutex_lock(&dev->io_mutex);
if (!dev->interface) { /* disconnect() was called */ if (dev->disconnected) { /* disconnect() was called */
mutex_unlock(&dev->io_mutex); mutex_unlock(&dev->io_mutex);
retval = -ENODEV; retval = -ENODEV;
goto error; goto error;
...@@ -588,7 +589,7 @@ static void skel_disconnect(struct usb_interface *interface) ...@@ -588,7 +589,7 @@ static void skel_disconnect(struct usb_interface *interface)
/* prevent more I/O from starting */ /* prevent more I/O from starting */
mutex_lock(&dev->io_mutex); mutex_lock(&dev->io_mutex);
dev->interface = NULL; dev->disconnected = 1;
mutex_unlock(&dev->io_mutex); mutex_unlock(&dev->io_mutex);
usb_kill_anchored_urbs(&dev->submitted); usb_kill_anchored_urbs(&dev->submitted);
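Review bot: The new `disconnected` bitfield in struct usb_skel carries no comment, unlike `err_lock` and `io_mutex` beside it, so nothing records which lock guards it. The write in skel_disconnect() and the check in skel_write() are both made with `io_mutex` held; the check in skel_read() presumably is too, but the lock acquisition sits outside that hunk. I would declare it as `unsigned long disconnected:1; /* set in disconnect(); protected by io_mutex */`. Because it is a bitfield, any flag later placed next to it shares the same storage word and would have to be updated under the same mutex to avoid a lost update. The bodies of skel_read(), skel_write() and skel_disconnect() all continue outside the visible hunks.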