github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-15 01:43:11 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
ce4cfa2318
linux/drivers/hid
History
Hans de Goede dac501397b HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect 
hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)
races when it races with itself.

hidpp_connect_event() primarily runs from a workqueue but it also runs
on probe() and if a "device-connected" packet is received by the hw
when the thread running hidpp_connect_event() from probe() is waiting on
the hw, then a second thread running hidpp_connect_event() will be
started from the workqueue.

This opens the following races (note the below code is simplified):

1. Retrieving + printing the protocol (harmless race):

	if (!hidpp->protocol_major) {
		hidpp_root_get_protocol_version()
		hidpp->protocol_major = response.rap.params[0];
	}

We can actually see this race hit in the dmesg in the abrt output
attached to rhbz#2227968:

[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.
[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.

Testing with extra logging added has shown that after this the 2 threads
take turn grabbing the hw access mutex (send_mutex) so they ping-pong
through all the other TOCTOU cases managing to hit all of them:

2. Updating the name to the HIDPP name (harmless race):

	if (hidpp->name == hdev->name) {
		...
		hidpp->name = new_name;
	}

3. Initializing the power_supply class for the battery (problematic!):

hidpp_initialize_battery()
{
        if (hidpp->battery.ps)
                return 0;

	probe_battery(); /* Blocks, threads take turns executing this */

	hidpp->battery.desc.properties =
		devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

	hidpp->battery.ps =
		devm_power_supply_register(&hidpp->hid_dev->dev,
					   &hidpp->battery.desc, cfg);
}

4. Creating delayed input_device (potentially problematic):

	if (hidpp->delayed_input)
		return;

	hidpp->delayed_input = hidpp_allocate_input(hdev);

The really big problem here is 3. Hitting the race leads to the following
sequence:

	hidpp->battery.desc.properties =
		devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

	hidpp->battery.ps =
		devm_power_supply_register(&hidpp->hid_dev->dev,
					   &hidpp->battery.desc, cfg);

	...

	hidpp->battery.desc.properties =
		devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);

	hidpp->battery.ps =
		devm_power_supply_register(&hidpp->hid_dev->dev,
					   &hidpp->battery.desc, cfg);

So now we have registered 2 power supplies for the same battery,
which looks a bit weird from userspace's pov but this is not even
the really big problem.

Notice how:

1. This is all devm-maganaged
2. The hidpp->battery.desc struct is shared between the 2 power supplies
3. hidpp->battery.desc.properties points to the result from the second
   devm_kmemdup()

This causes a use after free scenario on USB disconnect of the receiver:
1. The last registered power supply class device gets unregistered
2. The memory from the last devm_kmemdup() call gets freed,
   hidpp->battery.desc.properties now points to freed memory
3. The first registered power supply class device gets unregistered,
   this involves sending a remove uevent to userspace which invokes
   power_supply_uevent() to fill the uevent data
4. power_supply_uevent() uses hidpp->battery.desc.properties which
   now points to freed memory leading to backtraces like this one:

Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08
...
Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event
Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0
...
Sep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30
Sep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0
Sep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0
Sep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0
Sep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680
Sep 22 20:01:35 eric kernel:  power_supply_unregister+0x8e/0xa0
Sep 22 20:01:35 eric kernel:  release_nodes+0x3d/0xb0
Sep 22 20:01:35 eric kernel:  devres_release_group+0xfc/0x130
Sep 22 20:01:35 eric kernel:  hid_device_remove+0x56/0xa0
Sep 22 20:01:35 eric kernel:  device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel:  bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel:  device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel:  ? __queue_work+0x1df/0x440
Sep 22 20:01:35 eric kernel:  hid_destroy_device+0x4b/0x60
Sep 22 20:01:35 eric kernel:  logi_dj_remove+0x9a/0x100 [hid_logitech_dj 5c91534a0ead2b65e04dd799a0437e3b99b21bc4]
Sep 22 20:01:35 eric kernel:  hid_device_remove+0x44/0xa0
Sep 22 20:01:35 eric kernel:  device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel:  bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel:  device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel:  ? __queue_work+0x1df/0x440
Sep 22 20:01:35 eric kernel:  hid_destroy_device+0x4b/0x60
Sep 22 20:01:35 eric kernel:  usbhid_disconnect+0x47/0x60 [usbhid 727dcc1c0b94e6b4418727a468398ac3bca492f3]
Sep 22 20:01:35 eric kernel:  usb_unbind_interface+0x90/0x270
Sep 22 20:01:35 eric kernel:  device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel:  bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel:  device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel:  ? kobject_put+0xa0/0x1d0
Sep 22 20:01:35 eric kernel:  usb_disable_device+0xcd/0x1e0
Sep 22 20:01:35 eric kernel:  usb_disconnect+0xde/0x2c0
Sep 22 20:01:35 eric kernel:  usb_disconnect+0xc3/0x2c0
Sep 22 20:01:35 eric kernel:  hub_event+0xe80/0x1c10

There have been quite a few bug reports (see Link tags) about this crash.

Fix all the TOCTOU issues, including the really bad power-supply related
system crash on USB disconnect, by making probe() use the workqueue for
running hidpp_connect_event() too, so that it can never run more then once.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227221
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227968
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227968
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2242189
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217412#c58
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20231005182638.3776-1-hdegoede@redhat.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2023-10-06 16:09:14 +02:00
..
amd-sfh-hid HID: amd_sfh: Fix for shift-out-of-bounds 2023-07-10 09:53:50 +02:00
bpf bpf: Replace deprecated -target with --target= for Clang 2023-06-29 15:46:17 +02:00
i2c-hid HID: i2c-hid: fix handling of unpopulated devices 2023-10-06 09:14:19 +02:00
intel-ish-hid HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit 2023-10-05 12:50:35 +02:00
surface-hid for-linus-2023022201 2023-02-22 11:24:42 -08:00
usbhid Merge branch 'for-6.3/hid-core' into for-linus 2023-02-22 10:27:57 +01:00
.kunitconfig HID: input: map battery system charging 2022-12-20 15:30:35 +01:00
hid-a4tech.c HID: a4tech: use A4_2WHEEL_MOUSE_HACK_B8 for A4TECH NB-95 2021-05-05 14:29:13 +02:00
hid-accutouch.c
hid-alps.c HID: hid-alps: use default remove for hid device 2022-11-21 22:17:10 +01:00
hid-apple.c HID: apple: Add "Hailuck" to the list of non-apple keyboards 2023-08-16 15:20:59 +02:00
hid-appleir.c HID: appleir: Use devm_kzalloc() instead of kzalloc() 2020-03-13 17:33:11 +01:00
hid-asus.c HID: asus: reformat the hotkey mapping block 2023-05-23 15:17:24 +02:00
hid-aureal.c
hid-axff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-belkin.c
hid-betopff.c HID: betop: check shape of output reports 2023-01-18 16:34:35 +01:00
hid-bigbenff.c hid: bigben_probe(): validate report count 2023-02-16 12:00:26 +01:00
hid-cherry.c
hid-chicony.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-cmedia.c HID: cmedia: add support for HS-100B mute button 2021-07-28 11:51:07 +02:00
hid-core.c HID: fix an error code in hid_check_device_match() 2023-06-08 17:00:09 +02:00
hid-corsair.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-cougar.c HID: cougar: Make use of the helper function devm_add_action_or_reset() 2021-10-07 13:37:25 +02:00
hid-cp2112.c HID: cp2112: Use octal permissions 2023-07-28 17:07:15 +02:00
hid-creative-sb0540.c HID: sb0540: add support for Creative SB0540 IR receivers 2019-09-03 16:52:04 +02:00
hid-cypress.c HID: cypress: Support Varmilo Keyboards' media hotkeys 2020-10-23 13:23:44 +02:00
hid-debug.c HID: Add Mapping for System Microphone Mute 2022-12-20 15:32:46 +01:00
hid-dr.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-elan.c HID: hid-elan: use default remove for hid device 2022-11-21 22:17:10 +01:00
hid-elecom.c HID: elecom: add support for TrackBall 056E:011C 2023-01-20 18:44:10 +01:00
hid-elo.c HID: elo: Revert USB reference counting 2022-02-17 14:14:41 +01:00
hid-emsff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-evision.c HID: evision: Add preliminary support for EVision keyboards 2023-02-06 18:17:56 +01:00
hid-ezkey.c
hid-ft260.c HID: ft260: fix 'cast to restricted' kernel CI bot warnings 2022-11-11 11:09:36 +01:00
hid-gaff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-gembird.c
hid-generic.c
hid-gfrm.c
hid-glorious.c HID: Add driver fixing Glorious PC Gaming Race mouse report descriptor 2020-03-18 13:36:21 +01:00
hid-google-hammer.c HID: google: add jewel USB id 2023-05-23 15:09:24 +02:00
hid-google-stadiaff.c HID: hid-google-stadiaff: add support for Stadia force feedback 2023-08-14 11:35:37 +02:00
hid-gt683r.c HID: gt683r: add missing MODULE_DEVICE_TABLE 2021-05-27 15:40:34 +02:00
hid-gyration.c
hid-holtek-kbd.c HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event 2023-09-18 17:13:01 +02:00
hid-holtek-mouse.c HID: holtek: fix mouse probing 2021-12-20 11:25:42 +01:00
hid-holtekff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-hyperv.c HID: hyperv: avoid struct memcpy overrun warning 2023-07-09 12:47:37 +02:00
hid-icade.c
hid-ids.h HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng 2023-10-05 12:50:35 +02:00
hid-input-test.c HID: input: map battery system charging 2022-12-20 15:30:35 +01:00
hid-input.c HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng 2023-10-05 12:50:35 +02:00
hid-ite.c HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10 2022-11-14 23:55:12 +01:00
hid-jabra.c
hid-kensington.c
hid-keytouch.c
hid-kye.c HID: kye: Fix rdesc for kye tablets 2023-04-13 16:16:04 +02:00
hid-lcpower.c
hid-led.c HID: hid-led: fix maximum brightness for Dream Cheeky 2022-04-21 10:28:49 +02:00
hid-lenovo.c HID: lenovo: Make array tp10ubkbd_led static const 2022-10-18 14:43:59 +02:00
hid-letsketch.c HID: letsketch: Use hid_is_usb() 2023-01-17 13:44:01 +01:00
hid-lg-g15.c HID: lg-g15: explicitly include linux/leds.h 2023-04-13 17:08:45 +02:00
hid-lg.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-lg.h
hid-lg2ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg3ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg4ff.c HID: hid-lg4ff: Add check for empty lbuf 2022-11-14 23:56:52 +01:00
hid-lg4ff.h
hid-lgff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-logitech-dj.c HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode() 2023-08-22 17:35:05 +02:00
hid-logitech-hidpp.c HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect 2023-10-06 16:09:14 +02:00
hid-macally.c HID: macally: Constify macally_id_table 2020-08-17 11:38:49 +02:00
hid-magicmouse.c HID: magicmouse: Do not set BTN_MOUSE on double report 2022-10-14 10:47:50 +01:00
hid-maltron.c
hid-mcp2221.c HID: mcp2221: fix get and get_direction for gpio 2023-04-13 16:41:37 +02:00
hid-megaworld.c HID: Add support for Mega World controller force feedback 2022-05-06 08:29:26 +02:00
hid-mf.c HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter 2020-11-25 14:30:33 +01:00
hid-microsoft.c HID: microsoft: Add rumble support to latest xbox controllers 2023-06-08 16:09:51 +02:00
hid-monterey.c
hid-multitouch.c HID: multitouch: Add required quirk for Synaptics 0xcd7e device 2023-10-05 12:50:34 +02:00
hid-nintendo.c HID: nintendo: reinitialize USB Pro Controller after resuming from suspend 2023-10-05 12:50:34 +02:00
hid-nti.c
hid-ntrig.c
hid-nvidia-shield.c HID: nvidia-shield: Fix some missing function calls() in the probe error handling path 2023-10-05 12:50:34 +02:00
hid-ortek.c
hid-penmount.c
hid-petalynx.c
hid-picolcd_backlight.c
hid-picolcd_cir.c media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00
hid-picolcd_core.c HID: hid-picolcd_core: Remove unused variable 'ret' 2021-04-07 18:46:20 +02:00
hid-picolcd_debugfs.c
hid-picolcd_fb.c hid/picolcd: Remove flag FBINFO_FLAG_DEFAULT from fbdev driver 2023-07-24 16:50:39 +02:00
hid-picolcd_lcd.c
hid-picolcd_leds.c
hid-picolcd.h
hid-pl.c
hid-plantronics.c HID: plantronics: Additional PIDs for double volume key presses quirk 2022-12-20 15:35:21 +01:00
hid-playstation.c Merge branch 'for-6.3/sony' into for-linus 2023-02-22 10:40:03 +01:00
hid-primax.c
hid-prodikeys.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-pxrc.c HID: Add driver for PhoenixRC Flight Controller 2022-09-20 11:36:21 +01:00
hid-quirks.c HID: add quirk for 03f0:464a HP Elite Presenter Mouse 2023-06-09 17:54:26 +02:00
hid-razer.c HID: Add driver for Razer Blackwidow keyboards 2022-02-16 17:12:14 +01:00
hid-redragon.c
hid-retrode.c
hid-rmi.c HID: i2c: let RMI devices decide what constitutes wakeup event 2022-11-21 18:56:20 +01:00
hid-roccat-arvo.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-arvo.h
hid-roccat-common.c
hid-roccat-common.h
hid-roccat-isku.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-isku.h
hid-roccat-kone.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-kone.h HID: roccat: Use struct_group() to zero kone_mouse_event 2021-09-25 08:20:48 -07:00
hid-roccat-koneplus.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-koneplus.h
hid-roccat-konepure.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-kovaplus.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-kovaplus.h
hid-roccat-lua.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-roccat-lua.h
hid-roccat-pyra.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-pyra.h
hid-roccat-ryos.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-savu.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-roccat-savu.h
hid-roccat.c HID: roccat: make all 'class' structures const 2023-08-14 11:23:35 +02:00
hid-saitek.c HID: saitek: add madcatz variant of MMO7 mouse device ID 2022-10-18 14:42:45 +02:00
hid-samsung.c HID: check for valid USB device for many HID drivers 2021-12-02 15:36:18 +01:00
hid-semitek.c HID: semitek: new driver for GK6X series keyboards 2021-05-05 14:21:08 +02:00
hid-sensor-custom.c HID: hid-sensor-custom: Fix buffer overrun in device name 2023-03-24 14:09:29 +01:00
hid-sensor-hub.c HID: sensor-hub: Allow multi-function sensor devices 2023-08-14 11:12:56 +02:00
hid-sigmamicro.c HID: add SiGma Micro driver 2022-02-02 15:12:22 +01:00
hid-sjoy.c
hid-sony.c HID: sony: remove duplicate NULL check before calling usb_free_urb() 2023-10-05 12:50:35 +02:00
hid-speedlink.c
hid-steam.c Merge branch 'for-6.3/steam' into for-linus 2023-02-22 10:41:06 +01:00
hid-steelseries.c HID: steelseries: Fix signedness bug in steelseries_headset_arctis_1_fetch_battery() 2023-09-18 16:44:24 +02:00
hid-sunplus.c
hid-thrustmaster.c HID: thrustmaster: Add sparco wheel and fix array length 2022-08-25 11:38:55 +02:00
hid-tivo.c
hid-tmff.c HID: thrustmaster use swap() to make code cleaner 2021-12-14 10:50:23 +01:00
hid-topre.c HID: topre: Add support for 87 keys Realforce R2 2023-03-10 18:59:51 +01:00
hid-topseed.c
hid-twinhan.c
hid-u2fzero.c hwrng: u2fzero - account for high quality RNG 2022-11-25 17:39:19 +08:00
hid-uclogic-core-test.c HID: uclogic: Handle wireless device reconnection 2023-01-18 09:44:57 +01:00
hid-uclogic-core.c HID: uclogic: Correct devm device reference for hidinput input_dev name 2023-08-24 15:57:57 +02:00
hid-uclogic-params-test.c HID: uclogic: Handle wireless device reconnection 2023-01-18 09:44:57 +01:00
hid-uclogic-params.c Merge branch 'for-6.3/uclogic' into for-linus 2023-02-22 10:41:39 +01:00
hid-uclogic-params.h HID: uclogic: Handle wireless device reconnection 2023-01-18 09:44:57 +01:00
hid-uclogic-rdesc-test.c HID: uclogic: Use KUNIT_EXPECT_MEMEQ 2023-01-18 09:47:04 +01:00
hid-uclogic-rdesc.c HID: uclogic: Refactor UGEEv2 probe magic data 2023-01-18 09:44:57 +01:00
hid-uclogic-rdesc.h HID: uclogic: Refactor UGEEv2 probe magic data 2023-01-18 09:44:57 +01:00
hid-udraw-ps3.c HID: udraw-ps3: Replace HTTP links with HTTPS ones 2020-07-20 12:24:41 +02:00
hid-viewsonic.c HID: uclogic: Switch to Digitizer usage for styluses 2022-05-11 14:19:27 +02:00
hid-vivaldi-common.c HID: vivaldi: convert to use dev_groups 2022-08-25 11:37:21 +02:00
hid-vivaldi-common.h HID: vivaldi: convert to use dev_groups 2022-08-25 11:37:21 +02:00
hid-vivaldi.c HID: vivaldi: convert to use dev_groups 2022-08-25 11:37:21 +02:00
hid-vrc2.c HID: Add driver for VRC-2 Car Controller 2022-09-20 11:35:00 +01:00
hid-waltop.c
hid-wiimote-core.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
hid-wiimote-debug.c HID: hid-wiimote-debug.c: Drop error checking for debugfs_create_file 2023-08-14 11:14:42 +02:00
hid-wiimote-modules.c HID: wiimote: Add support for the DJ Hero turntable 2022-11-04 09:57:16 +01:00
hid-wiimote.h HID: wiimote: Add support for the DJ Hero turntable 2022-11-04 09:57:16 +01:00
hid-xiaomi.c HID: Add support for side buttons of Xiaomi Mi Dual Mode Wireless Mouse Silent 2021-09-22 11:53:07 +02:00
hid-xinmo.c
hid-zpff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-zydacron.c
hidraw.c HID: hidraw: make hidraw_class structure const 2023-08-14 11:23:35 +02:00
Kconfig HID: nvidia-shield: Select POWER_SUPPLY Kconfig option 2023-10-04 20:48:20 +02:00
Makefile HID: hid-google-stadiaff: add support for Stadia force feedback 2023-08-14 11:35:37 +02:00
uhid.c HID: uhid: Over-ride the default maximum data buffer value with our own 2023-02-23 11:52:05 +01:00
wacom_sys.c HID: wacom: struct name cleanup 2023-08-14 11:43:57 +02:00
wacom_wac.c HID: wacom: struct name cleanup 2023-08-14 11:43:57 +02:00
wacom_wac.h HID: wacom: struct name cleanup 2023-08-14 11:43:57 +02:00
wacom.h HID: wacom: remove the battery when the EKR is off 2023-08-14 11:43:57 +02:00