Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3623732pxb; Mon, 24 Jan 2022 13:46:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJz3rkDJD/Iq9WwzMPW7/oyhRBMHHwUZf11FyHzTgmtsp4f5+uw6YGf8Cq79foyk6DXn+IkB X-Received: by 2002:a17:903:11cf:b0:149:a17a:361b with SMTP id q15-20020a17090311cf00b00149a17a361bmr16441327plh.146.1643060785318; Mon, 24 Jan 2022 13:46:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643060785; cv=none; d=google.com; s=arc-20160816; b=DWRSt3N6nZ5I3NimCzFGiLpo7sAOFRHI54tzlXK0ftRVAqpk5u243TXnHAl/AlNXGh CeQDYlRIk20FaJcBn374nWwcio/uibBuazZBKASZR90ekgI66/i86sEsEopBeMulTzRM iuSDsDrxBOpROBU3LP9m2YNQQjhgWGxPEbeiD/E/7gRr3GYm0VlpI103sZCLALmXaEuA RxBL2QGKcNoMLhVf0EWYiNVRNTVcE3krl3uY+vs1+DAHtTrw+Qg6pIS6uKzhjAm5g06X 0MywGl48Yp6ZSO7KcUXvpqhCv+FIS8my5AGbrcNOQ1xXkPm3CyRkOwwr9Dc17dxU803i +Q2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=whq+iGokHKkrO26U5vu56djalwqD4OKKbjVuO4FH4yY=; b=R1oKIjg0k9cmIUgLgWh5GG+zk7T7Yl0Xl1OXvfzI2XKM0TqzKJ0OcqEIEV4/CsEPgl V56qjYQa77u34QLVMtETWfz2clsJ6XPc70VkrjQPN6p9xIA9XtdIVxv423yq/BhJRjMN YsnYm2M/Mwy43ESXND3Zy0+8ubKeEKly2OrtnvXVOz1dK0FJB6+h26f9d/XRZ3d/OZl0 dsPBXjdWfvwuCOvRnlzwvZvQVVf8kafcBxrmjFRzEunl7PJ68wjSY78Ywy0Vezp6JPLo P+Zbg2XeNf56tkRdMRhlTv0OcCZrmzof2St6p4/rvcmRXc4rBwY9YCC7WA8PPTroOZ7H L6pw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=mFR9xQD1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l1si14681006pgb.230.2022.01.24.13.46.13; Mon, 24 Jan 2022 13:46:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=mFR9xQD1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1451529AbiAXVXG (ORCPT + 99 others); Mon, 24 Jan 2022 16:23:06 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:50058 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351823AbiAXUxH (ORCPT ); Mon, 24 Jan 2022 15:53:07 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id CA121B80CCF; Mon, 24 Jan 2022 20:53:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F262FC340E7; Mon, 24 Jan 2022 20:53:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643057584; bh=vSGR6VHbNUyq1gjucRiTGoZ958d6JifO3hYpyr6RMI8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mFR9xQD1Cb7VPZO9LQcPAjVzqTkY1WAO83f6WwrZLA5hUv6rZ3dny6fLz5G1WPxk4 IEhNNuN/QCMQKrmk/qm2YI2IjkhDbJmr0bHt1GnGGCykQKKaoJNPNyRExjLLXWwbt8 aaLwlqe/aqUF/pPRsmB1dab1GDAzI82hDs7jbyLw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Jiri Kosina Subject: [PATCH 5.16 0004/1039] HID: uhid: Fix worker destroying device without any protection Date: Mon, 24 Jan 2022 19:29:53 +0100 Message-Id: <20220124184125.288410926@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220124184125.121143506@linuxfoundation.org> References: <20220124184125.121143506@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jann Horn commit 4ea5763fb79ed89b3bdad455ebf3f33416a81624 upstream. uhid has to run hid_add_device() from workqueue context while allowing parallel use of the userspace API (which is protected with ->devlock). But hid_add_device() can fail. Currently, that is handled by immediately destroying the associated HID device, without using ->devlock - but if there are concurrent requests from userspace, that's wrong and leads to NULL dereferences and/or memory corruption (via use-after-free). Fix it by leaving the HID device as-is in the worker. We can clean it up later, either in the UHID_DESTROY command handler or in the ->release() handler. Cc: stable@vger.kernel.org Fixes: 67f8ecc550b5 ("HID: uhid: fix timeout when probe races with IO") Signed-off-by: Jann Horn Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman --- drivers/hid/uhid.c | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) --- a/drivers/hid/uhid.c +++ b/drivers/hid/uhid.c @@ -28,11 +28,22 @@ struct uhid_device { struct mutex devlock; + + /* This flag tracks whether the HID device is usable for commands from + * userspace. The flag is already set before hid_add_device(), which + * runs in workqueue context, to allow hid_add_device() to communicate + * with userspace. + * However, if hid_add_device() fails, the flag is cleared without + * holding devlock. + * We guarantee that if @running changes from true to false while you're + * holding @devlock, it's still fine to access @hid. + */ bool running; __u8 *rd_data; uint rd_size; + /* When this is NULL, userspace may use UHID_CREATE/UHID_CREATE2. */ struct hid_device *hid; struct uhid_event input_buf; @@ -63,9 +74,18 @@ static void uhid_device_add_worker(struc if (ret) { hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret); - hid_destroy_device(uhid->hid); - uhid->hid = NULL; + /* We used to call hid_destroy_device() here, but that's really + * messy to get right because we have to coordinate with + * concurrent writes from userspace that might be in the middle + * of using uhid->hid. + * Just leave uhid->hid as-is for now, and clean it up when + * userspace tries to close or reinitialize the uhid instance. + * + * However, we do have to clear the ->running flag and do a + * wakeup to make sure userspace knows that the device is gone. + */ uhid->running = false; + wake_up_interruptible(&uhid->report_wait); } } @@ -474,7 +494,7 @@ static int uhid_dev_create2(struct uhid_ void *rd_data; int ret; - if (uhid->running) + if (uhid->hid) return -EALREADY; rd_size = ev->u.create2.rd_size; @@ -556,7 +576,7 @@ static int uhid_dev_create(struct uhid_d static int uhid_dev_destroy(struct uhid_device *uhid) { - if (!uhid->running) + if (!uhid->hid) return -EINVAL; uhid->running = false; @@ -565,6 +585,7 @@ static int uhid_dev_destroy(struct uhid_ cancel_work_sync(&uhid->worker); hid_destroy_device(uhid->hid); + uhid->hid = NULL; kfree(uhid->rd_data); return 0;