From: Valentin Vidic
To: Greg Kroah-Hartman
Cc: Oliver Neukum, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Valentin Vidic, syzbot+0761012cebf7bdb38137@syzkaller.appspotmail.com
Subject: [PATCH] usb: iowarrior: fix access to freed data structure
Date: Wed, 9 Oct 2019 00:23:07 +0200
Message-Id: <20191008222307.18587-1-vvidic@valentin-vidic.from.hr>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

struct iowarrior gets freed prematurely in iowarrior_release while it is still being referenced from usb_interface, so let only iowarrior_disconnect call iowarrior_delete.

Fixes: KMSAN: uninit-value in iowarrior_disconnect
Reported-by: syzbot+0761012cebf7bdb38137@syzkaller.appspotmail.com
Signed-off-by: Valentin Vidic
---
 drivers/usb/misc/iowarrior.c | 35 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 20 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index f5bed9f29e56..0492ea76c4bf 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -638,7 +638,6 @@ static int iowarrior_open(struct inode *inode, struct file *file) static int iowarrior_release(struct inode *inode, struct file *file) { struct iowarrior *dev; - int retval = 0; dev = file->private_data; if (!dev) 
@@ -650,27 +649,23 @@ static int iowarrior_release(struct inode *inode, struct file *file) mutex_lock(&dev->mutex); if (dev->opened <= 0) { - retval = -ENODEV; /* close called more than once */ mutex_unlock(&dev->mutex); - } else { - dev->opened = 0; /* we're closing now */ - retval = 0; - if (dev->present) { - /* - The device is still connected so we only shutdown - pending read-/write-ops. - */ - usb_kill_urb(dev->int_in_urb); - wake_up_interruptible(&dev->read_wait); - wake_up_interruptible(&dev->write_wait); - mutex_unlock(&dev->mutex); - } else { - /* The device was unplugged, cleanup resources */ - mutex_unlock(&dev->mutex); - iowarrior_delete(dev); - } + return -ENODEV; /* close called more than once */ } - return retval; + + dev->opened = 0; /* we're closing now */ + if (dev->present) { + /* + * The device is still connected so we only shutdown + * pending read/write ops. + */ + usb_kill_urb(dev->int_in_urb); + wake_up_interruptible(&dev->read_wait); + wake_up_interruptible(&dev->write_wait); + } + + mutex_unlock(&dev->mutex); + return 0; } static __poll_t iowarrior_poll(struct file *file, poll_table * wait) -- 2.20.1
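
Review bot: With the else branch removed from iowarrior_release() in the second hunk, nothing in this patch frees struct iowarrior when the device is unplugged while the file is still open, which is the !dev->present case that used to call iowarrior_delete(dev). The commit message relies on iowarrior_disconnect doing the free, but no hunk touches iowarrior_disconnect, so the visible change cannot show that it is safe: if disconnect still skips iowarrior_delete for an opened device, the structure now leaks, and if it frees unconditionally, a later close dereferences freed memory at mutex_lock(&dev->mutex). Please include the disconnect side in the same patch, or tie the lifetime to a reference count so that whichever of release and disconnect runs last does the free. Separately, the Fixes: trailer carries a syzbot report title rather than a commit; the usual form is the abbreviated hash and subject of the commit that introduced the bug.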