From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alan Stern, syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
Subject: [PATCH 4.4 050/113] USB: fix error handling in usb_driver_claim_interface()
Date: Mon, 8 Oct 2018 20:30:51 +0200
Message-Id: <20181008175533.475911626@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20181008175530.864641368@linuxfoundation.org>
References: <20181008175530.864641368@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern

commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.

The syzbot fuzzing project found a use-after-free bug in the USB
core. The bug was caused by usbfs not unbinding from an interface
when the USB device file was closed, which led another process to
attempt the unbind later on, after the private data structure had been
deallocated.

The reason usbfs did not unbind the interface at the appropriate time
was because it thought the interface had never been claimed in the
first place. This was caused by the fact that
usb_driver_claim_interface() does not clean up properly when
device_bind_driver() returns an error. Although the error code gets
passed back to the caller, the iface->dev.driver pointer remains set
and iface->condition remains equal to USB_INTERFACE_BOUND.

This patch adds proper error handling to usb_driver_claim_interface().

Signed-off-by: Alan Stern
Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
CC:
Signed-off-by: Greg Kroah-Hartman

---
 drivers/usb/core/driver.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c
@@ -562,6 +562,21 @@ int usb_driver_claim_interface(struct us if (!lpm_disable_error) usb_unlocked_enable_lpm(udev); + if (retval) { + dev->driver = NULL; + usb_set_intfdata(iface, NULL); + iface->needs_remote_wakeup = 0; + iface->condition = USB_INTERFACE_UNBOUND; + + /* + * Unbound interfaces are always runtime-PM-disabled + * and runtime-PM-suspended + */ + if (driver->supports_autosuspend) + pm_runtime_disable(dev); + pm_runtime_set_suspended(dev); + } + return retval; } EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
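
Review bot: the rollback in the new "if (retval)" block is an open-coded mirror of setup that happens earlier in usb_driver_claim_interface(), outside the visible context, so nothing in the hunk ties the two together. In particular, pm_runtime_disable(dev) is guarded by driver->supports_autosuspend and is only balanced if the earlier enable used the same condition; a short comment naming which earlier assignment each line undoes (or a helper shared with the normal unbind path) would make it harder for a later change to the claim path to bring back the stale "iface->condition == USB_INTERFACE_BOUND" state that the commit message identifies as the cause of the use-after-free. The commit message also speaks of iface->dev.driver, while the hunk clears dev->driver; that is the same field only if dev is &iface->dev, which the context lines do not show, so it is worth confirming against the top of the function before this is queued for 4.4.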