linux/drivers
Schspa Shi d9bae32c6a usb: gadget: fix race when gadget driver register via ioctl
commit 5f0b5f4d50 upstream.

The usb_gadget_register_driver can be called multiple times by two
threads via the USB_RAW_IOCTL_RUN ioctl syscall, which will lead
to multiple registrations.

Call trace:
  driver_register+0x220/0x3a0 drivers/base/driver.c:171
  usb_gadget_register_driver_owner+0xfb/0x1e0
    drivers/usb/gadget/udc/core.c:1546
  raw_ioctl_run drivers/usb/gadget/legacy/raw_gadget.c:513 [inline]
  raw_ioctl+0x1883/0x2730 drivers/usb/gadget/legacy/raw_gadget.c:1220
  ioctl USB_RAW_IOCTL_RUN

This routine allows two processes to register the same driver instance
via an ioctl syscall, which leads to a race condition.

Please refer to the following scenarios.

           T1                                  T2
------------------------------------------------------------------
usb_gadget_register_driver_owner
  driver_register                    driver_register
    driver_find                       driver_find
    bus_add_driver                    bus_add_driver
      priv alloced                     <context switch>
      drv->p = priv;
      <schedule out>
      kobject_init_and_add // refcount = 1;
   //couldn't find an available UDC or it's busy
   <context switch>
                                       priv alloced
                                       drv->priv = priv;
                                       kobject_init_and_add
                                         ---> refcount = 1 <------
                                       // register success
                                       <context switch>
===================== another ioctl/process ======================
                                      driver_register
                                       driver_find
                                        k = kset_find_obj()
                                         ---> refcount = 2 <------
                                        <context out>
   driver_unregister
   // drv->p become T2's priv
   ---> refcount = 1 <------
   <context switch>
                                        kobject_put(k)
                                         ---> refcount = 0 <------
                                        return priv->driver;
                                        --------UAF here----------

There will be UAF in this scenario.

We can fix it by adding a new STATE_DEV_REGISTERING device state to
avoid double register.

Reported-by: syzbot+dc7c3ca638e773db07f6@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/000000000000e66c2805de55b15a@google.com/
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Schspa Shi <schspa@gmail.com>
Link: https://lore.kernel.org/r/20220508150247.38204-1-schspa@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-05-25 09:57:21 +02:00
accessibility speakup-dectlk: Restore pitch setting 2022-02-16 12:56:37 +01:00
acpi ACPI: processor: idle: Avoid falling back to C3 type C-states 2022-05-09 09:14:41 +02:00
amba
android
ata ata: pata_marvell: Check the 'bmdma_addr' beforing reading 2022-04-27 14:38:58 +02:00
atm atm: eni: Add check for dma_map_single 2022-03-23 09:16:41 +01:00
auxdisplay auxdisplay: lcd2s: Use proper API to free the instance of charlcd object 2022-03-08 19:12:47 +01:00
base firmware_loader: use kernel credentials when reading firmware 2022-05-18 10:26:53 +02:00
bcma
block floppy: disable FDRAWCMD by default 2022-05-01 17:22:22 +02:00
bluetooth Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt 2022-04-08 14:23:41 +02:00
bus bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create() 2022-05-09 09:14:37 +02:00
cdrom
char virtio_console: eliminate anonymous module_init & module_exit 2022-04-13 20:59:13 +02:00
clk clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource() 2022-05-09 09:14:37 +02:00
clocksource clocksource: acpi_pm: fix return value of __setup handler 2022-04-08 14:23:09 +02:00
comedi
connector
counter
cpufreq cpufreq: qcom-cpufreq-hw: Clear dcvs interrupts 2022-05-09 09:14:37 +02:00
cpuidle
crypto crypto: hisilicon/sec - not need to enable sm4 extra mode at HW V3 2022-04-08 14:23:55 +02:00
cxl cxl/regs: Fix size of CXL Capability Header Register 2022-04-08 14:23:30 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-04-08 14:23:31 +02:00
dca
devfreq
dio
dma dmaengine: imx-sdma: fix init of uart scripts 2022-04-27 14:38:58 +02:00
dma-buf dma-buf: call dma_buf_stats_setup after dmabuf is in valid list 2022-05-18 10:26:57 +02:00
edac EDAC/synopsys: Read the error count from the correct register 2022-04-27 14:38:57 +02:00
eisa
extcon
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-05-12 12:30:05 +02:00
firmware firmware: arm_scmi: Fix sorting of retrieved clock rates 2022-04-20 09:34:09 +02:00
fpga
fsi fsi: Aspeed: Fix a potential double free 2022-04-08 14:23:44 +02:00
gnss
gpio gpio: mvebu: drop pwm base assignment 2022-05-12 12:30:22 +02:00
gpu Revert "drm/amd/pm: keep the BACO feature enabled for suspend" 2022-05-18 10:26:57 +02:00
greybus greybus: svc: fix an error handling bug in gb_svc_hello() 2022-04-08 14:22:50 +02:00
hid HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports 2022-04-08 14:23:31 +02:00
hsi
hv Drivers: hv: balloon: Disable balloon and hot-add accordingly 2022-04-20 09:34:16 +02:00
hwmon hwmon: (f71882fg) Fix negative temperature 2022-05-18 10:26:51 +02:00
hwspinlock
hwtracing coresight: syscfg: Fix memleak on registration failure in cscfg_create_device 2022-04-08 14:22:50 +02:00
i2c i2c: pasemi: Wait for write xfers to finish 2022-04-20 09:34:21 +02:00
i3c i3c: master: dw: check return of dw_i3c_master_get_free_pos() 2022-03-08 19:12:37 +01:00
idle
iio iio:imu:bmi160: disable regulator in error path 2022-05-09 09:14:31 +02:00
infiniband RDMA/irdma: Fix deadlock in irdma_cleanup_cm_core() 2022-05-18 10:26:52 +02:00
input Input: omap4-keypad - fix pm_runtime_get_sync() error checking 2022-04-27 14:38:58 +02:00
interconnect interconnect: Restore sync state by ignoring ipa-virt in provider count 2022-05-18 10:26:53 +02:00
iommu iommu: arm-smmu: disable large page mappings for Nvidia arm-smmu 2022-05-18 10:26:52 +02:00
ipack
irqchip irqchip/gic, gic-v3: Prevent GSI to SGI translations 2022-04-13 20:59:28 +02:00
isdn isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() 2022-03-16 14:23:36 +01:00
leds
macintosh
mailbox mailbox: imx: fix wakeup failure from freeze mode 2022-04-08 14:24:10 +02:00
mcb
md dm integrity: fix memory corruption when tag_size is less than digest size 2022-04-20 09:34:20 +02:00
media media: rockchip/rga: do proper error checking in probe 2022-04-20 09:34:09 +02:00
memory memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode 2022-05-09 09:14:34 +02:00
memstick
message
mfd mfd: asic3: Add missing iounmap() on error asic3_mfd_probe 2022-04-08 14:23:43 +02:00
misc eeprom: at25: Use DMA safe buffers 2022-05-09 09:14:44 +02:00
mmc mmc: rtsx: add 74 Clocks in power on flow 2022-05-12 12:30:26 +02:00
most
mtd mtd: rawnand: qcom: fix memory corruption that causes panic 2022-05-09 09:14:41 +02:00
mux
net net: phy: micrel: Pass .probe for KS8737 2022-05-18 10:26:56 +02:00
nfc nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs 2022-05-12 12:30:10 +02:00
ntb ntb: intel: fix port config status offset for SPR 2022-03-08 19:12:44 +01:00
nubus
nvdimm nvdimm/region: Fix default alignment for small regions 2022-04-08 14:23:48 +02:00
nvme nvme-pci: disable namespace identifiers for Qemu controllers 2022-04-27 14:38:57 +02:00
nvmem nvmem: core: Fix a conflict between MTD and NVMEM on wp-gpios property 2022-03-02 11:48:06 +01:00
of of: net: move of_net under net/ 2022-03-08 19:12:41 +01:00
opp opp: Expose of-node's name in debugfs 2022-04-13 20:59:11 +02:00
parisc parisc: Fix CPU affinity for Lasi, WAX and Dino chips 2022-04-13 20:59:14 +02:00
parport
pci PCI: aardvark: Update comment about link going down after link-up 2022-05-12 12:30:34 +02:00
pcmcia
perf arm_pmu: Validate single/group leader events 2022-04-27 14:39:00 +02:00
phy phy: amlogic: fix error path in phy_g12a_usb3_pcie_probe() 2022-05-09 09:14:34 +02:00
pinctrl pinctrl: pistachio: fix use of irq_of_parse_and_map() 2022-05-09 09:14:36 +02:00
platform platform/surface: aggregator: Fix initialization order when compiling as builtin module 2022-05-18 10:26:48 +02:00
pnp
power power: supply: axp288-charger: Set Vhold to 4.4V 2022-04-13 20:59:05 +02:00
powercap
pps pps: clients: gpio: Propagate return value from pps_gpio_probe 2022-04-08 14:23:44 +02:00
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-04-13 20:59:01 +02:00
pwm pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() 2022-04-08 14:23:44 +02:00
rapidio
ras
regulator regulator: wm8994: Add an off-on delay for WM8994 variant 2022-04-20 09:34:16 +02:00
remoteproc remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region 2022-04-08 14:23:47 +02:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-27 14:38:55 +02:00
rpmsg rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev 2022-02-01 17:27:07 +01:00
rtc rtc: mc146818-lib: fix signedness bug in mc146818_get_time() 2022-04-13 20:59:26 +02:00
s390 s390/lcs: fix variable dereferenced before check 2022-05-18 10:26:50 +02:00
sbus
scsi scsi: sr: Do not leak information in ioctl 2022-04-27 14:38:58 +02:00
sh
siox
slimbus slimbus: qcom: Fix IRQ check in qcom_slim_probe 2022-05-18 10:26:55 +02:00
soc soc: qcom: aoss: Fix missing put_device call in qmp_get 2022-04-20 09:34:21 +02:00
soundwire ASoC: Intel: sof_sdw: fix quirks for 2022 HP Spectre x360 13" 2022-04-08 14:24:02 +02:00
spi spi: cadence-quadspi: fix write completion support 2022-05-01 17:22:27 +02:00
spmi
ssb
staging staging: wfx: fix an error handling in wfx_init_common() 2022-04-13 20:59:11 +02:00
target scsi: target: tcmu: Fix possible page UAF 2022-04-20 09:34:15 +02:00
tc
tee optee: use driver internal tee_context for some rpc 2022-03-02 11:47:51 +01:00
thermal thermal: int340x: Fix attr.show callback prototype 2022-05-09 09:14:42 +02:00
thunderbolt
tty serial: 8250_mtk: Fix register address for XON/XOFF character 2022-05-18 10:26:55 +02:00
uio
usb usb: gadget: fix race when gadget driver register via ioctl 2022-05-25 09:57:21 +02:00
vdpa vdpa: mlx5: prevent cvq work from hogging CPU 2022-04-13 20:59:15 +02:00
vfio vfio/pci: Fix vf_token mechanism when device-specific VF drivers are used 2022-04-20 09:34:13 +02:00
vhost tuntap: add sanity checks about msg_controllen in sendmsg 2022-04-13 20:59:07 +02:00
video fbdev: efifb: Fix a use-after-free due early fb_info cleanup 2022-05-18 10:26:49 +02:00
virt virt: acrn: fix a memory leak in acrn_dev_ioctl() 2022-04-08 14:23:50 +02:00
virtio virtio: acknowledge all features before access 2022-03-16 14:23:43 +01:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-04-13 20:59:11 +02:00
watchdog watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function 2022-04-08 14:24:11 +02:00
xen swiotlb: Support aligned swiotlb buffers 2022-04-08 14:24:17 +02:00
zorro
Kconfig
Makefile