linux/drivers/usb
Alan Stern d81bb019d7 USB: Fix invalid-free bug in port_over_current_notify()
Syzbot and KASAN found the following invalid-free bug in
port_over_current_notify():

--------------------------------------------------------------------------
BUG: KASAN: double-free or invalid-free in port_over_current_notify
drivers/usb/core/hub.c:5192 [inline]
BUG: KASAN: double-free or invalid-free in port_event
drivers/usb/core/hub.c:5241 [inline]
BUG: KASAN: double-free or invalid-free in hub_event+0xd97/0x4140
drivers/usb/core/hub.c:5384

CPU: 1 PID: 32710 Comm: kworker/1:3 Not tainted 4.20.0-rc3+ #129
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x244/0x39d lib/dump_stack.c:113
  print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
  kasan_report_invalid_free+0x64/0xa0 mm/kasan/report.c:336
  __kasan_slab_free+0x13a/0x150 mm/kasan/kasan.c:501
  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
  __cache_free mm/slab.c:3498 [inline]
  kfree+0xcf/0x230 mm/slab.c:3817
  port_over_current_notify drivers/usb/core/hub.c:5192 [inline]
  port_event drivers/usb/core/hub.c:5241 [inline]
  hub_event+0xd97/0x4140 drivers/usb/core/hub.c:5384
  process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
  worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
  kthread+0x35a/0x440 kernel/kthread.c:246
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
--------------------------------------------------------------------------

The problem is caused by use of a static array to store
environment-string pointers.  When the routine is called by multiple
threads concurrently, the pointers from one thread can overwrite those
from another.

The solution is to use an ordinary automatic array instead of a static
array.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: syzbot+98881958e1410ec7e53c@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-05 10:37:29 +01:00
..
atm USB: atm: fix up some remaining DEVICE_ATTR() usage 2018-01-24 08:49:52 +01:00
c67x00
chipidea usb: chipidea: Fix otg event handler 2018-09-20 17:04:22 +08:00
class usb: cdc-acm: add entry for Hiro (Conexant) modem 2018-11-20 12:12:06 +01:00
common usb: roles: Take care of driver module reference counting 2018-09-20 13:20:24 +02:00
core USB: Fix invalid-free bug in port_over_current_notify() 2018-12-05 10:37:29 +01:00
dwc2 usb: dwc2: pci: Fix an error code in probe 2018-11-14 11:07:12 +02:00
dwc3 Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid" 2018-11-26 09:05:27 +02:00
early mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
gadget usb: gadget: u_ether: fix unsafe list iteration 2018-11-28 08:46:26 +02:00
host usb: xhci: Prevent bus suspend if a port connect change or polling state is detected 2018-11-15 09:17:40 -08:00
image
isp1760 usb: isp1760: remove redundant variable 'selector' 2018-07-13 15:41:56 +02:00
misc usb: appledisplay: Add 27" Apple Cinema Display 2018-12-05 10:37:29 +01:00
mon USB: mon: use ktime_get_real_ts64 instead of getnstimeofday64 2018-06-25 21:58:26 +08:00
mtu3 usb: mtu3: disable vbus rise/fall interrupts of ltssm 2018-10-02 10:39:02 +03:00
musb usb: musb: dsps: do not disable CPPI41 irq in driver teardown 2018-09-20 12:40:14 +02:00
phy usb: phy: ab8500: silence some uninitialized variable warnings 2018-10-18 19:44:39 +02:00
renesas_usbhs usb: renesas_usbhs: add support for R-Car E3 2018-10-02 10:48:08 +03:00
roles usb: roles: intel_xhci: Fix Unbalanced pm_runtime_enable 2018-10-09 16:13:42 +02:00
serial USB/PHY patches for 4.20-rc1 2018-10-26 08:14:13 -07:00
storage USB: usb-storage: Add new IDs to ums-realtek 2018-11-26 08:09:47 +01:00
typec usb: typec: ucsi: add support for Cypress CCGx 2018-11-09 18:49:59 +01:00
usbip Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-11-01 19:58:52 -07:00
wusbcore USB/PHY patches for 4.20-rc1 2018-10-26 08:14:13 -07:00
Kconfig usb: select USB_COMMON for usb role switch config 2018-04-22 15:23:37 +02:00
Makefile usb: roles: Add Intel xHCI USB role switch driver 2018-03-22 13:49:27 +01:00
README
usb-skeleton.c usb: usb-skeleton: use irqsave() in USB's complete callback 2018-06-28 19:36:06 +09:00

To understand all the Linux-USB framework, you'll use these resources:

    * This source code.  This is necessarily an evolving work, and
      includes kerneldoc that should help you get a current overview.
      ("make pdfdocs", and then look at "usb.pdf" for host side and
      "gadget.pdf" for peripheral side.)  Also, Documentation/usb has
      more information.

    * The USB 2.0 specification (from www.usb.org), with supplements
      such as those for USB OTG and the various device classes.
      The USB specification has a good overview chapter, and USB
      peripherals conform to the widely known "Chapter 9".

    * Chip specifications for USB controllers.  Examples include
      host controllers (on PCs, servers, and more); peripheral
      controllers (in devices with Linux firmware, like printers or
      cell phones); and hard-wired peripherals like Ethernet adapters.

    * Specifications for other protocols implemented by USB peripheral
      functions.  Some are vendor-specific; others are vendor-neutral
      but just standardized outside of the www.usb.org team.

Here is a list of what each subdirectory here is, and what is contained in
them.

core/		- This is for the core USB host code, including the
		  usbfs files and the hub class driver ("hub_wq").

host/		- This is for USB host controller drivers.  This
		  includes UHCI, OHCI, EHCI, and others that might
		  be used with more specialized "embedded" systems.

gadget/		- This is for USB peripheral controller drivers and
		  the various gadget drivers which talk to them.


Individual USB driver directories.  A new driver should be added to the
first subdirectory in the list below that it fits into.

image/		- This is for still image drivers, like scanners or
		  digital cameras.
../input/	- This is for any driver that uses the input subsystem,
		  like keyboard, mice, touchscreens, tablets, etc.
../media/	- This is for multimedia drivers, like video cameras,
		  radios, and any other drivers that talk to the v4l
		  subsystem.
../net/		- This is for network drivers.
serial/		- This is for USB to serial drivers.
storage/	- This is for USB mass-storage drivers.
class/		- This is for all USB device drivers that do not fit
		  into any of the above categories, and work for a range
		  of USB Class specified devices. 
misc/		- This is for all USB device drivers that do not fit
		  into any of the above categories.