linux_dsm_epyc7002/drivers
Alan Stern 303911cfc5 USB: core: Fix races in character device registration and deregistration
The syzbot fuzzer has found two (!) races in the USB character device
registration and deregistration routines.  This patch fixes the races.

The first race results from the fact that usb_deregister_dev() sets
usb_minors[intf->minor] to NULL before calling device_destroy() on the
class device.  This leaves a window during which another thread can
allocate the same minor number but will encounter a duplicate name
error when it tries to register its own class device.  A typical error
message in the system log would look like:

    sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'

The patch fixes this race by destroying the class device first.

The second race is in usb_register_dev().  When that routine runs, it
first allocates a minor number, then drops minor_rwsem, and then
creates the class device.  If the device creation fails, the minor
number is deallocated and the whole routine returns an error.  But
during the time while minor_rwsem was dropped, there is a window in
which the minor number is allocated and so another thread can
successfully open the device file.  Typically this results in
use-after-free errors or invalid accesses when the other thread closes
its open file reference, because the kernel then tries to release
resources that were already deallocated when usb_register_dev()
failed.  The patch fixes this race by keeping minor_rwsem locked
throughout the entire routine.

Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-12 22:47:24 +02:00
..
accessibility
acpi drivers/acpi/scan.c: document why we don't need the device_hotplug_lock 2019-08-03 07:02:01 -07:00
amba Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
android binder: prevent transactions to context manager from its own process. 2019-07-24 11:02:28 +02:00
ata libata: add SG safety checks in SFF pio transfers 2019-08-07 12:23:57 -06:00
atm atm: iphase: Fix Spectre v1 vulnerability 2019-08-02 17:30:36 -07:00
auxdisplay It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
base Driver core fixes for 5.3-rc4 2019-08-10 12:20:02 -07:00
bcma
block loop: set PF_MEMALLOC_NOIO for the worker thread 2019-08-08 10:12:21 -06:00
bluetooth Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
bus ARM: SoC-related driver updates 2019-07-19 17:13:56 -07:00
cdrom
char tpm: tpm_ibm_vtpm: Fix unallocated banks 2019-08-05 00:55:00 +03:00
clk clk: renesas: cpg-mssr: Fix reset control race condition 2019-07-22 15:04:54 -07:00
clocksource RISC-V: Remove per cpu clocksource 2019-08-06 14:37:58 -07:00
connector connector: remove redundant input callback from cn_dev 2019-07-21 13:31:14 -07:00
counter Staging / IIO driver update for 5.3-rc1 2019-07-11 15:36:02 -07:00
cpufreq cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() 2019-07-23 09:49:10 +02:00
cpuidle Merge branch 'pm-cpufreq' 2019-07-18 09:49:30 +02:00
crypto Wimplicit-fallthrough patches for 5.3-rc4 2019-08-10 10:10:33 -07:00
dax Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
dca
devfreq
dio
dma dmaengine updates for v5.3-rc1 2019-07-17 09:55:43 -07:00
dma-buf Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
edac
eisa
extcon
firewire firewire: mark expected switch fall-throughs 2019-07-25 20:09:37 -05:00
firmware Merge branch 'for-linus-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/ibft 2019-07-26 09:43:43 -07:00
fpga fpga-manager: altera-ps-spi: Fix build error 2019-07-24 11:29:41 +02:00
fsi
gnss
gpio gpiolib: Preserve desc->flags when setting state 2019-07-29 00:57:39 +02:00
gpu Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-08-10 15:44:09 -07:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2019-08-06 11:47:23 -07:00
hsi
hv proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
hwmon hwmon: (lm75) Fixup tmp75b clr_mask 2019-08-07 14:50:49 -07:00
hwspinlock hwspinlock: add the 'in_atomic' API 2019-06-29 21:08:14 -07:00
hwtracing coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute 2019-08-01 20:51:34 +02:00
i2c i2c: s3c2410: Mark expected switch fall-through 2019-08-01 22:24:16 +02:00
i3c * Drop support for 10-bit I2C addresses 2019-07-09 09:04:31 -07:00
ide It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
idle
iio First set of IIO fixes in the 5.3 cycle. 2019-07-28 11:07:26 +02:00
infiniband RDMA/hns: Fix error return code in hns_roce_v1_rsv_lp_qp() 2019-08-01 12:53:53 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2019-08-09 15:31:19 -07:00
interconnect
iommu virtio, vhost: bugfixes 2019-07-29 11:34:12 -07:00
ipack TTY / Serial driver updates for 5.3-rc1 2019-07-11 15:38:21 -07:00
irqchip irqchip fixes for 5.3 2019-08-01 20:21:00 +02:00
isdn isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack 2019-07-31 08:54:06 -07:00
leds LED updates for 5.3-rc1 2019-07-09 08:59:39 -07:00
lightnvm
macintosh drivers/macintosh/smu.c: Mark expected switch fall-through 2019-07-31 21:44:45 +10:00
mailbox - stm32: race fix by adding a spinlock 2019-07-14 16:36:51 -07:00
mcb
md for-linus-20190809 2019-08-09 09:28:18 -07:00
media media: vivid: fix missing cec adapter name 2019-07-30 11:47:51 -04:00
memory Kbuild updates for v5.3 (2nd) 2019-07-20 09:34:55 -07:00
memstick MMC core: 2019-07-11 18:11:21 -07:00
message SCSI misc on 20190709 2019-07-11 15:14:01 -07:00
mfd mfd: omap-usb-host: Mark expected switch fall-throughs 2019-08-09 19:46:52 -05:00
misc Char/misc fixes for 5.3-rc4 2019-08-10 12:24:20 -07:00
mmc mmc: cavium: Add the missing dma unmap when the dma has finished. 2019-08-06 18:59:14 +02:00
mtd NAND: 2019-08-04 16:37:08 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-08-06 17:11:59 -07:00
nfc NFC: nfcmrvl: fix gpio-handling regression 2019-08-05 10:25:48 -07:00
ntb NTB/msi: remove incorrect MODULE defines 2019-08-05 15:42:27 -04:00
nubus
nvdimm libnvdimm fixes v5.3-rc2 2019-07-27 08:25:51 -07:00
nvme Revert "nvme-pci: don't create a read hctx mapping without read queues" 2019-07-23 17:47:02 +02:00
nvmem nvmem: Use the same permissions for eeprom as for nvmem 2019-07-30 18:22:20 +02:00
of virtio, vhost: fixes, features, performance 2019-07-17 11:26:09 -07:00
opp pci-v5.3-changes 2019-07-15 20:44:49 -07:00
oprofile vfs: Convert oprofilefs to use the new mount API 2019-07-04 22:01:59 -04:00
parisc
parport It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
pci Revert "PCI: Add missing link delays required by the PCIe spec" 2019-08-07 13:06:42 +02:00
pcmcia pcmcia: db1xxx_ss: Mark expected switch fall-throughs 2019-08-09 19:53:04 -05:00
perf drivers/perf: arm_pmu: Fix failure path in PM notifier 2019-07-29 11:43:48 +01:00
phy phy: for 5.3 2019-07-01 15:04:59 +02:00
pinctrl pinctrl: aspeed: Make aspeed_pinmux_ips static 2019-07-29 23:35:31 +02:00
platform platform/x86: pcengines-apuv2: use KEY_RESTART for front button 2019-07-29 18:24:59 +03:00
pnp docs: driver-api: add a series of orphaned documents 2019-07-15 11:03:02 -03:00
power power supply and reset changes for the v5.3 series 2019-07-15 21:06:15 -07:00
powercap powercap: Invoke powercap_init() and rapl_init() earlier 2019-07-22 11:23:00 +02:00
pps drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl 2019-07-16 19:23:24 -07:00
ps3
ptp
pwm pwm: Fallback to the static lookup-list when acpi_pwm_get fails 2019-08-08 13:17:38 +02:00
rapidio Merge branch 'akpm' (patches from Andrew) 2019-07-17 08:58:04 -07:00
ras
regulator regulator: of: Add of_node_put() before return in function 2019-08-01 14:07:46 +01:00
remoteproc remoteproc updates for v5.3 2019-07-17 11:44:41 -07:00
reset ARM: SoC-related driver updates 2019-07-19 17:13:56 -07:00
rpmsg
rtc RTC for 5.3 2019-07-17 10:03:50 -07:00
s390 Wimplicit-fallthrough patches for 5.3-rc4 2019-08-10 10:10:33 -07:00
sbus
scsi Wimplicit-fallthrough patches for 5.3-rc4 2019-08-10 10:10:33 -07:00
sfi
sh
siox
slimbus
sn
soc Merge branch 'pdf_fixes_v1' of https://git.linuxtv.org/mchehab/experimental into mauro 2019-07-22 13:51:20 -06:00
soundwire soundwire updates for v5.3-rc1 2019-07-05 08:15:08 +02:00
spi spi: Fixes for v5.3 2019-08-05 11:49:02 -07:00
spmi
ssb
staging staging: android: ion: Bail out upon SIGKILL when allocating memory. 2019-07-25 13:11:51 +02:00
target scsi: target: cxgbit: add support for IEEE_8021QAZ_APP_SEL_STREAM selector 2019-07-22 17:04:20 -04:00
tc
tee
thermal int340X/processor_thermal_device: Fix proc_thermal_rapl_remove() 2019-07-23 09:36:07 +02:00
thunderbolt Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
tty kgdboc: disable the console lock when in kgdb 2019-07-30 17:39:39 +02:00
uio
usb USB: core: Fix races in character device registration and deregistration 2019-08-12 22:47:24 +02:00
uwb
vfio VFIO updates for v5.3-rc1 2019-07-17 11:23:13 -07:00
vhost vhost: disable metadata prefetch optimization 2019-07-26 07:49:29 -04:00
video video: fbdev: omapfb_main: Mark expected switch fall-throughs 2019-08-09 19:51:52 -05:00
virt
virtio Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
visorbus
vlynq
vme
w1 docs: driver-api: add a series of orphaned documents 2019-07-15 11:03:02 -03:00
watchdog watchdog: riowd: Mark expected switch fall-through 2019-08-09 19:51:01 -05:00
xen xen: fixes for 5.3-rc3 2019-08-02 15:26:48 -07:00
zorro
Kconfig
Makefile