From patchwork Wed Oct 4 14:36:13 2023
X-Patchwork-Submitter: Javier Carrasco
X-Patchwork-Id: 148365
From: Javier Carrasco
Date: Wed, 04 Oct 2023 16:36:13 +0200
Subject: [PATCH v3] Input: powermate - fix use-after-free in powermate_config_complete
Message-Id: <20230916-topic-powermate_use_after_free-v3-1-64412b81a7a2@gmail.com>
To: Dmitry Torokhov
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Javier Carrasco, syzbot+0434ac83f907a1dbdd1e@syzkaller.appspotmail.com
X-Mailer: b4 0.12.0
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct.
When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug.

Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection.

[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

Signed-off-by: Javier Carrasco
Reported-by: syzbot+0434ac83f907a1dbdd1e@syzkaller.appspotmail.com
---
Changes in v3:
- Let usb_kill_urb on pm->irq where it is i.e. before unregistering the device.
- Link to v2: https://lore.kernel.org/r/20230916-topic-powermate_use_after_free-v2-1-505f49019f2f@gmail.com

Changes in v2:
- Use usb_kill_urb() on pm->config upon device disconnection.
- Link to v1: https://lore.kernel.org/r/20230916-topic-powermate_use_after_free-v1-1-2ffa46652869@gmail.com
---
 drivers/input/misc/powermate.c | 1 +
 1 file changed, 1 insertion(+)
---
base-commit: cefc06e4de1477dbdc3cb2a91d4b1873b7797a5c
change-id: 20230916-topic-powermate_use_after_free-c703c7969c91

Best regards,

diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c index c1c733a9cb89..db2ba89adaef 100644 --- a/drivers/input/misc/powermate.c +++ b/drivers/input/misc/powermate.c @@ -425,6 +425,7 @@ static void powermate_disconnect(struct usb_interface *intf) pm->requires_update = 0; usb_kill_urb(pm->irq); input_unregister_device(pm->input); + usb_kill_urb(pm->config); usb_free_urb(pm->irq); usb_free_urb(pm->config); powermate_free_buffers(interface_to_usbdev(intf), pm);
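Review bot: the placement of the new `usb_kill_urb(pm->config);` after `input_unregister_device(pm->input);` rather than beside the existing `usb_kill_urb(pm->irq);` is the key ordering decision in this hunk, and neither the diff nor the commit message says why it must sit there; add a one-line comment at the call (or a sentence in the commit message) recording that the config URB is cancelled only once nothing can submit it again, i.e. after `pm->requires_update = 0;` and after the input device is gone, so the order is not undone by a later reshuffle of powermate_disconnect(). With that, the fix itself is sound: killing `pm->config` before `usb_free_urb(pm->config);` and `powermate_free_buffers(...)` ensures the completion callback has finished before the memory it locks is released, which is exactly the race described in the commit message.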