lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20191028114228.3679219-5-john@metanate.com>
Date:   Mon, 28 Oct 2019 11:42:26 +0000
From:   John Keeping <john@...anate.com>
To:     linux-usb@...r.kernel.org
Cc:     Felipe Balbi <balbi@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org, John Keeping <john@...anate.com>
Subject: [PATCH v2 4/6] USB: gadget: f_hid: decouple cdev from f_hidg lifetime

The character device needs to live until the last file descriptor has
been closed (and until after ->release() is called in that case).
Change the lifetime of our character devices to match the module, so as
to avoid a use-after-free when closing a file descriptor after the
gadget function has been deleted.

Signed-off-by: John Keeping <john@...anate.com>
---
v2:
- Updated for changes in patch 1

 drivers/usb/gadget/function/f_hid.c | 42 +++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 6cf3b5b14ded..eda4f24d2790 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -24,6 +24,7 @@
 
 static int major, minors;
 static struct class *hidg_class;
+static struct cdev *hidg_cdev;
 static DEFINE_IDR(hidg_idr);
 static DEFINE_MUTEX(hidg_idr_lock); /* protects access to hidg_idr */
 
@@ -58,7 +59,6 @@ struct f_hidg {
 	struct usb_request		*req;
 
 	int				minor;
-	struct cdev			cdev;
 	struct usb_function		func;
 
 	struct usb_ep			*in_ep;
@@ -827,11 +827,7 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
 	INIT_LIST_HEAD(&hidg->completed_out_req);
 
 	/* create char device */
-	cdev_init(&hidg->cdev, &f_hidg_fops);
 	dev = MKDEV(major, hidg->minor);
-	status = cdev_add(&hidg->cdev, dev, 1);
-	if (status)
-		goto fail_free_descs;
 
 	mutex_lock(&hidg_idr_lock);
 	idr_replace(&hidg_idr, hidg, hidg->minor);
@@ -841,13 +837,14 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
 			       "%s%d", "hidg", hidg->minor);
 	if (IS_ERR(device)) {
 		status = PTR_ERR(device);
-		goto del;
+		goto fail_idr_remove;
 	}
 
 	return 0;
-del:
-	cdev_del(&hidg->cdev);
-fail_free_descs:
+fail_idr_remove:
+	mutex_lock(&hidg_idr_lock);
+	idr_replace(&hidg_idr, NULL, hidg->minor);
+	mutex_unlock(&hidg_idr_lock);
 	usb_free_all_descriptors(f);
 fail:
 	ERROR(f->config->cdev, "hidg_bind FAILED\n");
@@ -1071,7 +1068,10 @@ static void hidg_unbind(struct usb_configuration *c, struct usb_function *f)
 	struct f_hidg *hidg = func_to_hidg(f);
 
 	device_destroy(hidg_class, MKDEV(major, hidg->minor));
-	cdev_del(&hidg->cdev);
+
+	mutex_lock(&hidg_idr_lock);
+	idr_replace(&hidg_idr, NULL, hidg->minor);
+	mutex_unlock(&hidg_idr_lock);
 
 	usb_free_all_descriptors(f);
 }
@@ -1129,6 +1129,7 @@ MODULE_AUTHOR("Fabien Chouteau");
 
 static int ghid_setup(void)
 {
+	struct cdev *cdev = NULL;
 	int status;
 	dev_t dev;
 
@@ -1149,12 +1150,30 @@ static int ghid_setup(void)
 	major = MAJOR(dev);
 	minors = HIDG_MINORS;
 
+	status = -ENOMEM;
+	cdev = cdev_alloc();
+	if (!cdev)
+		goto fail_unregister;
+
+	cdev->owner = THIS_MODULE;
+	cdev->ops = &f_hidg_fops;
+	kobject_set_name(&cdev->kobj, "hidg");
+
+	status = cdev_add(cdev, dev, HIDG_MINORS);
+	if (status)
+		goto fail_put;
+
 	status = usb_function_register(&hidusb_func);
 	if (status)
-		goto fail_unregister;
+		goto fail_cdev_del;
 
+	hidg_cdev = cdev;
 	return 0;
 
+fail_cdev_del:
+	cdev_del(cdev);
+fail_put:
+	kobject_put(&cdev->kobj);
 fail_unregister:
 	unregister_chrdev_region(dev, HIDG_MINORS);
 	class_destroy(hidg_class);
@@ -1165,6 +1184,7 @@ static int ghid_setup(void)
 static void ghid_cleanup(void)
 {
 	usb_function_unregister(&hidusb_func);
+	cdev_del(hidg_cdev);
 
 	if (major) {
 		unregister_chrdev_region(MKDEV(major, 0), minors);
-- 
2.23.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ