• Alan Stern's avatar
    USB: core: Fix races in character device registration and deregistraion · 303911cf
    Alan Stern authored
    The syzbot fuzzer has found two (!) races in the USB character device
    registration and deregistration routines.  This patch fixes the races.
    The first race results from the fact that usb_deregister_dev() sets
    usb_minors[intf->minor] to NULL before calling device_destroy() on the
    class device.  This leaves a window during which another thread can
    allocate the same minor number but will encounter a duplicate name
    error when it tries to register its own class device.  A typical error
    message in the system log would look like:
        sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'
    The patch fixes this race by destroying the class device first.
    The second race is in usb_register_dev().  When that routine runs, it
    first allocates a minor number, then drops minor_rwsem, and then
    creates the class device.  If the device creation fails, the minor
    number is deallocated and the whole routine returns an error.  But
    during the time while minor_rwsem was dropped, there is a window in
    which the minor number is allocated and so another thread can
    successfully open the device file.  Typically this results in
    use-after-free errors or invalid accesses when the other thread closes
    its open file reference, because the kernel then tries to release
    resources that were already deallocated when usb_register_dev()
    failed.  The patch fixes this race by keeping minor_rwsem locked
    throughout the entire routine.
    Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
    Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
    CC: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.org
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
file.c 6.2 KB