From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Greg Kroah-Hartman", "Alan Stern", syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 255/328] USB: fix error handling in usb_driver_claim_interface()

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern

commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.

The syzbot fuzzing project found a use-after-free bug in the USB core.
The bug was caused by usbfs not unbinding from an interface when the
USB device file was closed, which led another process to attempt the
unbind later on, after the private data structure had been deallocated.

The reason usbfs did not unbind the interface at the appropriate time
was because it thought the interface had never been claimed in the
first place.  This was caused by the fact that
usb_driver_claim_interface() does not clean up properly when
device_bind_driver() returns an error.  Although the error code gets
passed back to the caller, the iface->dev.driver pointer remains set
and iface->condition remains equal to USB_INTERFACE_BOUND.

This patch adds proper error handling to usb_driver_claim_interface().

Signed-off-by: Alan Stern
Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
 drivers/usb/core/driver.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -556,6 +556,21 @@ int usb_driver_claim_interface(struct us if (device_is_registered(dev)) retval = device_bind_driver(dev); + if (retval) { + dev->driver = NULL; + usb_set_intfdata(iface, NULL); + iface->needs_remote_wakeup = 0; + iface->condition = USB_INTERFACE_UNBOUND; + + /* + * Unbound interfaces are always runtime-PM-disabled + * and runtime-PM-suspended + */ + if (driver->supports_autosuspend) + pm_runtime_disable(dev); + pm_runtime_set_suspended(dev); + } + return retval; } EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
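Review bot: with this error block a non-zero return from usb_driver_claim_interface() now leaves the interface fully unclaimed (`dev->driver`, the intfdata, `iface->condition` and the runtime-PM state are all reverted), and that contract should be spelled out in the function's kerneldoc so callers know not to pair a failed claim with usb_driver_release_interface(); the commit message shows usbfs went wrong precisely because it could not tell whether the claim had happened. Two smaller points on the same block: it clears `iface->needs_remote_wakeup`, which nothing in the visible claim path sets, so a one-line comment saying the block mirrors the unbind teardown would help the next reader; and the conditional `pm_runtime_disable(dev)` must stay in step with the matching conditional `pm_runtime_enable` earlier in the function, which this hunk does not show, so a comment tying the two together is worth adding.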
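The failure sequence the commit message describes (bind error reported, claimed state left behind, claimant frees its private data, a later unbind still sees the interface as bound) is easier to see in a small user-space model. The following is an added example written for this page; it is not kernel code, and every name in it (`usb_interface_model`, `claim_interface_buggy`, `claim_interface_fixed`, `device_bind_driver_model`, `run_scenario`) is a hypothetical stand-in for the kernel structures and functions. "Freeing" the private data is modeled with a flag so the example stays free of real undefined behaviour while still reporting whether the stale pointer was followed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model of the fields usb_driver_claim_interface()
 * touches on a struct usb_interface; this is an added example, not kernel code. */
enum condition { UNBOUND, BOUND };

struct usb_driver_model { const char *name; int supports_autosuspend; };

struct usb_interface_model {
    struct usb_driver_model *driver;   /* models iface->dev.driver */
    void *intfdata;                    /* models usb_set_intfdata()/usb_get_intfdata() */
    enum condition condition;          /* models iface->condition */
    int pm_runtime_enabled;            /* models pm_runtime_enable()/pm_runtime_disable() */
    int bind_should_fail;              /* test knob: make the bind step fail */
};

/* Private data a usbfs-like claimant attaches to the interface. Freeing is
 * recorded in a flag instead of calling free(), so a stale access is detectable. */
struct claimant_priv { int freed; };

/* Stand-in for device_bind_driver(): fails on demand. */
static int device_bind_driver_model(struct usb_interface_model *iface)
{
    return iface->bind_should_fail ? -EIO : 0;
}

/* The state both claim variants set before attempting the bind. */
static void set_claimed_state(struct usb_driver_model *drv,
                              struct usb_interface_model *iface, void *priv)
{
    iface->driver = drv;
    iface->intfdata = priv;
    iface->condition = BOUND;
    if (drv->supports_autosuspend)
        iface->pm_runtime_enabled = 1;
}

/* Pre-patch behaviour: the error is returned, but the claimed state stays behind. */
int claim_interface_buggy(struct usb_driver_model *drv,
                          struct usb_interface_model *iface, void *priv)
{
    if (iface->driver)
        return -EBUSY;
    set_claimed_state(drv, iface, priv);
    return device_bind_driver_model(iface);
}

/* Post-patch behaviour: on error, undo everything set_claimed_state() did. */
int claim_interface_fixed(struct usb_driver_model *drv,
                          struct usb_interface_model *iface, void *priv)
{
    int retval;

    if (iface->driver)
        return -EBUSY;
    set_claimed_state(drv, iface, priv);
    retval = device_bind_driver_model(iface);
    if (retval) {
        iface->driver = NULL;
        iface->intfdata = NULL;
        iface->condition = UNBOUND;
        if (drv->supports_autosuspend)
            iface->pm_runtime_enabled = 0;
    }
    return retval;
}

/* Returns 1 if a failed claim leaves every field back in the unclaimed state. */
int failed_claim_leaves_interface_unclaimed(int use_fixed_claim)
{
    struct usb_driver_model drv = { "usbfs", 1 };
    struct usb_interface_model iface = { 0 };
    struct claimant_priv priv = { 0 };

    iface.bind_should_fail = 1;
    (void)(use_fixed_claim ? claim_interface_fixed(&drv, &iface, &priv)
                           : claim_interface_buggy(&drv, &iface, &priv));
    return iface.driver == NULL && iface.intfdata == NULL &&
           iface.condition == UNBOUND && !iface.pm_runtime_enabled;
}

/* The scenario from the commit message. Returns 1 if the late unbind follows a
 * pointer to private data the claimant already freed, 0 otherwise. */
int run_scenario(int use_fixed_claim)
{
    struct usb_driver_model usbfs = { "usbfs", 1 };
    struct usb_interface_model iface = { 0 };
    struct claimant_priv priv = { 0 };
    int rc;

    iface.bind_should_fail = 1;
    rc = use_fixed_claim ? claim_interface_fixed(&usbfs, &iface, &priv)
                         : claim_interface_buggy(&usbfs, &iface, &priv);

    /* The claimant sees the error, concludes no claim ever happened, and frees
     * its private data without releasing the interface. */
    if (rc)
        priv.freed = 1;

    /* Later, another path finds the interface still marked bound and uses the
     * private data it points to. */
    if (iface.condition == BOUND && iface.intfdata) {
        struct claimant_priv *p = iface.intfdata;
        return p->freed;
    }
    return 0;
}

int main(void)
{
    printf("buggy claim: stale private data used after free = %d\n", run_scenario(0));
    printf("fixed claim: stale private data used after free = %d\n", run_scenario(1));
    return 0;
}
```

The point of the model is the ordering in `claim_interface_fixed`: state is set before the bind attempt, so the only correct error path is one that reverts every field the success path touched, including the conditional runtime-PM enable.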