From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alan Stern, syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
Subject: [PATCH 4.14 094/137] USB: fix error handling in usb_driver_claim_interface()
Date: Tue, 2 Oct 2018 06:24:55 -0700
Message-Id: <20181002132505.090398626@linuxfoundation.org>
In-Reply-To: <20181002132458.446916963@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern

commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.

The syzbot fuzzing project found a use-after-free bug in the USB core. The bug was caused by usbfs not unbinding from an interface when the USB device file was closed, which led another process to attempt the unbind later on, after the private data structure had been deallocated.

The reason usbfs did not unbind the interface at the appropriate time was because it thought the interface had never been claimed in the first place. This was caused by the fact that usb_driver_claim_interface() does not clean up properly when device_bind_driver() returns an error. Although the error code gets passed back to the caller, the iface->dev.driver pointer remains set and iface->condition remains equal to USB_INTERFACE_BOUND.

This patch adds proper error handling to usb_driver_claim_interface().

Signed-off-by: Alan Stern
Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
CC:
Signed-off-by: Greg Kroah-Hartman

--- drivers/usb/core/driver.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -565,6 +565,21 @@ int usb_driver_claim_interface(struct us if (!lpm_disable_error) usb_unlocked_enable_lpm(udev); + if (retval) { + dev->driver = NULL; + usb_set_intfdata(iface, NULL); + iface->needs_remote_wakeup = 0; + iface->condition = USB_INTERFACE_UNBOUND; + + /* + * Unbound interfaces are always runtime-PM-disabled + * and runtime-PM-suspended + */ + if (driver->supports_autosuspend) + pm_runtime_disable(dev); + pm_runtime_set_suspended(dev); + } + return retval; } EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
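
Review bot: the new "if (retval)" block carries no comment saying which earlier assignments it undoes, and the commit message names only iface->dev.driver and iface->condition while the block also clears the interface data and needs_remote_wakeup. A short comment at the top of the block, stating that it reverses the claim made earlier in the function when device_bind_driver() fails, would help keep the two in step when the setup code changes. The "if (driver->supports_autosuspend) pm_runtime_disable(dev);" line has to pair with an equally conditional enable earlier in the function, which lies outside the visible context, so it is worth confirming that the runtime-PM disable depth stays balanced on this path. The reset also runs after usb_unlocked_enable_lpm(udev), so during that call the interface still reads as bound; if nothing depends on that, a note saying so would do, otherwise the block could move above the LPM re-enable.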
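
The failure mode the commit message describes, as an added userspace model that is not part of the original message and is not kernel code. The struct, the function names and the -12 error value are hypothetical stand-ins, and only the driver pointer, interface data and condition fields are modelled.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified userspace model; every name here is a hypothetical stand-in. */
enum cond { UNBOUND, BOUND };
struct iface { const void *driver; void *intfdata; enum cond condition; };
typedef int (*claim_fn)(struct iface *, const void *, void *, int);

/* Stand-in for device_bind_driver(): returns a constructed error on demand. */
static int bind_driver(int fail) { return fail ? -12 : 0; }

/* Claim as described before the patch: state is set, no cleanup on failure. */
static int claim_unfixed(struct iface *i, const void *drv, void *priv, int fail)
{
    i->driver = drv;
    i->intfdata = priv;
    i->condition = BOUND;
    return bind_driver(fail);
}

/* Claim with an error path that resets the fields, as the patch does. */
static int claim_fixed(struct iface *i, const void *drv, void *priv, int fail)
{
    int retval = claim_unfixed(i, drv, priv, fail);
    if (retval) {
        i->driver = NULL;
        i->intfdata = NULL;
        i->condition = UNBOUND;
    }
    return retval;
}

/* Caller modelled on the commit message: it records a claim only when the
 * call succeeds, releases only recorded claims on close, then frees its
 * private data. Returns 1 if the interface would still be marked bound and
 * pointing at that private data once it is freed, 0 otherwise. */
static int stale_after_close(claim_fn claim, int fail)
{
    static const int drv = 0;
    struct iface i = { NULL, NULL, UNBOUND };
    void *priv = malloc(16);
    int claimed = (claim(&i, &drv, priv, fail) == 0);

    if (claimed) {                 /* close(): release what we think we hold */
        i.driver = NULL;
        i.intfdata = NULL;
        i.condition = UNBOUND;
    }
    int stale = (i.condition == BOUND && i.intfdata == priv);
    free(priv);                    /* private data goes away either way */
    return stale;
}

int main(void)
{
    return !(stale_after_close(claim_unfixed, 1) == 1 &&
             stale_after_close(claim_fixed, 1) == 0);
}
```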