linux/drivers
Anirudh Rayabharam 4a5d797a9f usb: gadget: dummy_hcd: fix gpf in gadget_setup
Fix a general protection fault reported by syzbot due to a race between
gadget_setup() and gadget_unbind() in raw_gadget.

The gadget core is supposed to guarantee that there won't be any more
callbacks to the gadget driver once the driver's unbind routine is
called. That guarantee is enforced in usb_gadget_remove_driver as
follows:

        usb_gadget_disconnect(udc->gadget);
        if (udc->gadget->irq)
                synchronize_irq(udc->gadget->irq);
        udc->driver->unbind(udc->gadget);
        usb_gadget_udc_stop(udc);

usb_gadget_disconnect turns off the pullup resistor, telling the host
that the gadget is no longer connected and preventing the transmission
of any more USB packets. Any packets that have already been received
are sure to be processed by the UDC driver's interrupt handler by the time
synchronize_irq returns.

But this doesn't work with dummy_hcd, because dummy_hcd doesn't use
interrupts; it uses a timer instead. It does have code to emulate the
effect of synchronize_irq, but that code doesn't get invoked at the
right time -- it currently runs in usb_gadget_udc_stop, after the unbind
callback instead of before. Indeed, there's no way for
usb_gadget_remove_driver to invoke this code before the unbind callback.

To fix this, move the synchronize_irq() emulation code to dummy_pullup
so that it runs before unbind. Also, add a comment explaining why it is
necessary to have it there.

Reported-by: syzbot+eb4674092e6cc8d9e0bd@syzkaller.appspotmail.com
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Link: https://lore.kernel.org/r/20210419033713.3021-1-mail@anirudhrb.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-04-22 10:48:09 +02:00
..
accessibility Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
acpi ACPI: processor: Fix build when CONFIG_ACPI_PROCESSOR=m 2021-04-07 19:02:43 +02:00
amba
android
ata
atm module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
auxdisplay auxdisplay: Remove in_interrupt() usage. 2021-03-16 16:32:40 +01:00
base driver core: Fix locking bug in deferred_probe_timeout_work_func() 2021-04-05 09:14:18 +02:00
bcma
block block-5.12-2021-04-02 2021-04-02 16:13:13 -07:00
bluetooth Bluetooth: btusb: Revert Fix the autosuspend enable and disable 2021-04-09 09:08:02 -07:00
bus treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
cdrom
char parisc: parisc-agp requires SBA IOMMU driver 2021-04-06 11:46:39 +02:00
clk clk: fixed: fix double free in resource managed fixed-factor clock 2021-04-07 16:01:25 -07:00
clocksource A small set of clockevent fixes which fell through the cracks 2021-02-22 14:11:36 -08:00
connector
counter counter: stm32-timer-cnt: fix ceiling miss-alignment with reload register 2021-03-06 16:48:09 +00:00
cpufreq cpufreq: Fix scaling_{available,boost}_frequencies_show() comments 2021-03-26 17:43:48 +01:00
cpuidle
crypto vio: make remove callback return void 2021-03-02 22:41:23 +11:00
cxl cxl/mem: Fix potential memory leak 2021-02-22 14:44:39 -08:00
dax Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2021-02-27 08:07:12 -08:00
dca
devfreq Merge branches 'pm-devfreq' and 'pm-tools' 2021-02-15 17:02:04 +01:00
dio
dma dmaengine updates for v5.12-rc1 2021-02-23 15:05:10 -08:00
dma-buf dma-fence: allow signaling drivers to set fence timestamp 2021-02-24 21:05:28 +05:30
edac Merge branch 'edac-misc' into edac-updates-for-v5.12 2021-02-15 10:06:58 +01:00
eisa
extcon extcon: Fix error handling in extcon_dev_register 2021-03-15 11:09:38 +09:00
firewire firewire: nosy: Fix a use-after-free bug in nosy_ioctl() 2021-04-04 14:05:45 -07:00
firmware treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
fpga
fsi
gnss
gpio treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
gpu - Fix invalid access to ACPI _DSM objects (Takashi) 2021-04-10 05:18:35 +10:00
greybus
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2021-02-23 14:52:22 -08:00
hsi
hv mm/memory_hotplug: MEMHP_MERGE_RESOURCE -> MHP_MERGE_RESOURCE 2021-02-26 09:41:00 -08:00
hwmon Devicetree updates for v5.12: 2021-02-22 10:05:12 -08:00
hwspinlock
hwtracing ARM updates for 5.12-rc1: 2021-02-22 14:27:07 -08:00
i2c i2c: exynos5: correct top kerneldoc 2021-04-06 22:32:33 +02:00
i3c I3C for 5.12 2021-02-22 09:52:55 -08:00
ide ide-5.11-2021-02-28 2021-02-28 15:48:25 -08:00
idle
iio First set of IIO and counter fixes for the 5.12 cycle 2021-03-15 16:34:39 +01:00
infiniband RDMA/addr: Be strict with gid size 2021-04-08 16:14:56 -03:00
input module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
interconnect interconnect: Fix kerneldoc warning 2021-03-18 23:46:21 +02:00
iommu iommu/tegra-smmu: Make tegra_smmu_probe_device() to handle all IOMMU phandles 2021-03-18 11:31:12 +01:00
ipack
irqchip irqchip/ingenic: Add support for the JZ4760 2021-03-09 08:45:17 +00:00
isdn isdn: capi: fix mismatched prototypes 2021-03-22 16:51:11 -07:00
leds treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
lightnvm lightnvm: pblk: Replace guid_copy() with export_guid()/import_guid() 2021-02-14 21:27:24 -07:00
macintosh
mailbox treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
mcb
md dm ioctl: fix out of bounds array access when no devices 2021-03-26 14:51:50 -04:00
media module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
memory Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
memstick
message
mfd mfd: intel_quark_i2c_gpio: Revert "Constify static struct resources" 2021-03-23 09:14:12 +00:00
misc mei: allow map and unmap of client dma buffer only for disconnected client 2021-03-23 15:15:15 +01:00
mmc mmc: cqhci: Fix random crash when remove mmc module/card 2021-03-09 10:00:52 +01:00
most
mtd module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
mux
net thunderbolt: Changes for v5.13 merge window 2021-04-13 12:17:14 +02:00
nfc Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
ntb NTB: Add support for EPF PCI Non-Transparent Bridge 2021-02-23 14:12:53 -06:00
nubus
nvdimm libnvdimm + device-dax for 5.12 2021-02-24 09:35:54 -08:00
nvme nvmet-tcp: fix kmap leak when data digest in use 2021-03-18 05:39:18 +01:00
nvmem
of Devicetree fixes for v5.12, take 2: 2021-04-09 13:01:48 -07:00
opp opp: Don't drop extra references to OPPs accidentally 2021-03-12 09:26:52 +05:30
parisc
parport module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
pci powerpc fixes for 5.12 #4 2021-03-21 10:57:35 -07:00
pcmcia Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux 2021-02-26 13:54:43 -08:00
perf perf/arm_dmc620_pmu: Fix error return code in dmc620_pmu_device_probe() 2021-03-12 11:30:31 +00:00
phy phy: second round of phy fixes for v5.11 2021-02-10 10:39:23 +01:00
pinctrl intel-pinctrl for v5.12-3 2021-03-30 00:46:49 +02:00
platform Merge 5.12-rc7 into usb-next 2021-04-12 08:15:27 +02:00
pnp
power
powercap powercap/drivers/dtpm: Add the experimental label to the option description 2021-03-01 17:43:29 +01:00
pps
ps3
ptp ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation 2021-03-24 12:10:03 -07:00
pwm pwm: Changes for v5.12-rc1 2021-02-25 12:23:49 -08:00
rapidio
ras RAS/CEC: Correct ce_add_elem()'s returned values 2021-04-07 11:52:26 +02:00
regulator regulator: bd9571mwv: Convert device attribute to sysfs_emit() 2021-03-15 15:42:12 +00:00
remoteproc remoteproc: pru: Fix firmware loading crashes on K3 SoCs 2021-03-17 14:15:07 -05:00
reset RISC-V Patches for the 5.12 Merge Window 2021-02-26 10:28:35 -08:00
rpmsg
rtc Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2021-02-27 08:07:12 -08:00
s390 module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
sbus module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
scsi SCSI fixes on 20210410 2021-04-10 12:29:19 -07:00
sh module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
siox
slimbus
soc ARM SoC fixes for v5.12, part 2 2021-04-07 09:26:50 -07:00
soundwire ALSA: hda: move Intel SoundWire ACPI scan to dedicated module 2021-03-02 15:33:00 +01:00
spi spi: cadence: set cqspi to the driver_data field of struct device 2021-03-11 13:32:32 +00:00
spmi spmi: spmi-pmic-arb: Fix hw_irq overflow 2021-02-12 12:26:46 +01:00
ssb
staging staging: rtl8192e: Change state information from u16 to u8 2021-03-23 13:32:40 +01:00
target scsi: target: iscsi: Fix zero tag inside a trace event 2021-04-05 23:09:37 -04:00
tc
tee module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
thermal thermal/core: Add NULL pointer check before using cooling device stats 2021-03-17 09:55:58 +01:00
thunderbolt thunderbolt: Changes for v5.13 merge window 2021-04-13 12:17:14 +02:00
tty Serial driver fix for 5.12-rc6 2021-04-03 10:00:53 -07:00
uio
usb usb: gadget: dummy_hcd: fix gpf in gadget_setup 2021-04-22 10:48:09 +02:00
vdpa vdpa/mlx5: Fix suspend/resume index restoration 2021-04-09 12:08:28 -04:00
vfio vfio/nvlink: Add missing SPAPR_TCE_IOMMU depends 2021-03-29 14:48:00 -06:00
vhost virtio: fixes, cleanups 2021-03-18 11:20:35 -07:00
video hyperv-fixes for 5.12-rc6 2021-04-03 10:42:20 -07:00
virt virt: acrn: Correct type casting of argument of copy_from_user() 2021-03-10 16:59:50 +01:00
virtio virtio: fixes, cleanups 2021-03-18 11:20:35 -07:00
visorbus
vlynq
vme
w1
watchdog treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
xen xen: branch for v5.12-rc7 2021-04-09 09:58:42 -07:00
zorro
Kconfig cxl/mem: Introduce a driver for CXL-2.0-Type-3 endpoints 2021-02-16 20:36:38 -08:00
Makefile Simple Firmware Interface (SFI) support removal for v5.12-rc1 2021-02-24 10:35:29 -08:00