linux/drivers/hid
Alan Stern 0ed08faded HID: usbhid: Fix race between usbhid_close() and usbhid_stop()
The syzbot fuzzer discovered a bad race between in the usbhid driver
between usbhid_stop() and usbhid_close().  In particular,
usbhid_stop() does:

	usb_free_urb(usbhid->urbin);
	...
	usbhid->urbin = NULL; /* don't mess up next start */

and usbhid_close() does:

	usb_kill_urb(usbhid->urbin);

with no mutual exclusion.  If the two routines happen to run
concurrently so that usb_kill_urb() is called in between the
usb_free_urb() and the NULL assignment, it will access the
deallocated urb structure -- a use-after-free bug.

This patch adds a mutex to the usbhid private structure and uses it to
enforce mutual exclusion of the usbhid_start(), usbhid_stop(),
usbhid_open() and usbhid_close() callbacks.

Reported-and-tested-by: syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2020-04-29 16:24:26 +02:00
..
i2c-hid HID: i2c-hid: add Trekstor Surfbook E11B to descriptor override 2020-02-14 09:49:11 +01:00
intel-ish-hid HID: intel-ish-hid: hbm.h: Replace zero-length array with flexible-array member 2020-03-21 00:07:32 +01:00
usbhid HID: usbhid: Fix race between usbhid_close() and usbhid_stop() 2020-04-29 16:24:26 +02:00
hid-a4tech.c HID: input: fix a4tech horizontal wheel custom usage 2019-08-05 14:37:15 +02:00
hid-accutouch.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-alps.c HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead 2020-04-15 14:51:42 +02:00
hid-apple.c HID: apple: Add support for recent firmware on Magic Keyboards 2020-02-12 14:17:42 +01:00
hid-appleir.c HID: appleir: Use devm_kzalloc() instead of kzalloc() 2020-03-13 17:33:11 +01:00
hid-asus.c HID: asus: Ignore Asus vendor-page usage-code 0xff events 2019-12-13 10:26:18 +01:00
hid-aureal.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
hid-axff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-belkin.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-betopff.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-bigbenff.c HID: hid-bigbenff: fix race condition for scheduled work during removal 2020-02-18 14:43:51 +01:00
hid-cherry.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-chicony.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-cmedia.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
hid-core.c HID: core: fix off-by-one memset in hid_report_raw_event() 2020-02-12 14:18:33 +01:00
hid-corsair.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-cougar.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-cp2112.c HID: cp2112: prevent sleeping function called from invalid context 2019-08-19 14:13:00 +02:00
hid-creative-sb0540.c HID: sb0540: add support for Creative SB0540 IR receivers 2019-09-03 16:52:04 +02:00
hid-cypress.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-debug.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-dr.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-elan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-elecom.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-elo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 307 2019-06-05 17:37:04 +02:00
hid-emsff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-ezkey.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-gaff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-gembird.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-generic.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-gfrm.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-glorious.c HID: Add driver fixing Glorious PC Gaming Race mouse report descriptor 2020-03-18 13:36:21 +01:00
hid-google-hammer.c HID: google: add moonball USB id 2020-03-16 14:51:05 +01:00
hid-gt683r.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
hid-gyration.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-holtek-kbd.c HID: holtek: test for sanity of intfdata 2019-08-05 14:18:42 +02:00
hid-holtek-mouse.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-holtekff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-hyperv.c HID: hyperv: NULL check before some freeing functions is not needed. 2020-03-05 14:17:11 +00:00
hid-icade.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ids.h HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead 2020-04-15 14:51:42 +02:00
hid-input.c HID: hid-input: clear unmapped usages 2019-12-13 13:43:15 +01:00
hid-ite.c HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock 2020-02-03 15:32:44 +01:00
hid-jabra.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-kensington.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-keytouch.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-kye.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-lcpower.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-led.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00
hid-lenovo.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-lg2ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg3ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg4ff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-lg4ff.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hid-lg-g15.c HID: logitech: Add support for Logitech G11 extra keys 2020-04-14 11:15:36 +02:00
hid-lg.c HID: logitech: Fix general protection fault caused by Logitech driver 2019-08-22 09:53:08 +02:00
hid-lg.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hid-lgff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-logitech-dj.c HID: logitech-dj: add support for the static device in the Powerplay mat/receiver 2020-03-10 14:20:40 +01:00
hid-logitech-hidpp.c HID: logitech-hidpp: BatteryVoltage: only read chargeStatus if extPower is active 2020-01-28 15:51:19 +01:00
hid-macally.c HID: macally: Add support for Macally ikey keyboard 2019-04-03 17:14:13 +02:00
hid-magicmouse.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-maltron.c Support for Maltron L90 keyboard media keys 2019-01-14 20:11:01 +01:00
hid-mcp2221.c HID: mcp2221: add usb to i2c-smbus host bridge 2020-03-10 12:37:42 +01:00
hid-mf.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
hid-microsoft.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-monterey.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-multitouch.c HID: multitouch: add eGalaxTouch P80H84 support 2020-04-14 11:14:11 +02:00
hid-nti.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ntrig.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-ortek.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-penmount.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-petalynx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-picolcd_backlight.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_cir.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_core.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-picolcd_debugfs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_fb.c Merge branch 'for-5.7/appleir' into for-linus 2020-04-01 12:26:12 +02:00
hid-picolcd_lcd.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd_leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-picolcd.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 265 2019-06-05 17:30:28 +02:00
hid-pl.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-plantronics.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-primax.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
hid-prodikeys.c HID: prodikeys: make array keys static const, makes object smaller 2019-10-01 16:21:04 +02:00
hid-quirks.c Merge branch 'for-5.7/core' into for-linus 2020-04-01 12:27:16 +02:00
hid-redragon.c HID: redragon: fix num lock and caps lock LEDs 2018-06-25 15:23:40 +02:00
hid-retrode.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-rmi.c HID: rmi: Simplify an error handling path in 'rmi_hid_read_block()' 2020-03-23 00:08:51 +01:00
hid-roccat-arvo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-arvo.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-common.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-common.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-isku.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-isku.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kone.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kone.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-koneplus.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-koneplus.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-konepure.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kovaplus.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-kovaplus.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-lua.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-lua.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-pyra.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-pyra.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-ryos.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-savu.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat-savu.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-roccat.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-saitek.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-samsung.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-sensor-custom.c HID: hid-sensor-custom: Use scnprintf() for avoiding potential buffer overflow 2020-03-11 11:58:58 +01:00
hid-sensor-hub.c HID: do not call hid_set_drvdata(hdev, NULL) in drivers 2019-08-22 17:11:58 +02:00
hid-sjoy.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hid-sony.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-speedlink.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-steam.c HID: steam: Fix input device disappearing 2020-01-09 10:57:41 +01:00
hid-steelseries.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-sunplus.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-tivo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-tmff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-topseed.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-twinhan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 178 2019-05-30 11:29:19 -07:00
hid-u2fzero.c HID: u2fzero: fail probe if not using USB transport 2019-04-17 16:39:43 +02:00
hid-uclogic-core.c Merge branch 'for-5.3/uclogic' into for-linus 2019-07-10 01:40:23 +02:00
hid-uclogic-params.c Merge branch 'for-5.3/uclogic' into for-linus 2019-07-10 01:40:23 +02:00
hid-uclogic-params.h HID: uclogic: Support Gray-coded rotary encoders 2019-02-21 12:00:54 +01:00
hid-uclogic-rdesc.c HID: uclogic: Add support for Ugee G5 2019-02-21 12:00:54 +01:00
hid-uclogic-rdesc.h HID: uclogic: Add support for Ugee G5 2019-02-21 12:00:54 +01:00
hid-udraw-ps3.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
hid-viewsonic.c HID: viewsonic: Support PD1011 signature pad 2019-02-21 12:00:53 +01:00
hid-waltop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote-core.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote-debug.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote-modules.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-wiimote.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-xinmo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hid-zpff.c HID: Fix assumption that devices have inputs 2019-10-03 15:36:40 -04:00
hid-zydacron.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
hidraw.c Merge branch 'for-5.6/hidraw' into for-linus 2020-01-27 15:49:30 +01:00
Kconfig Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2020-04-01 15:18:42 -07:00
Makefile Merge branch 'for-5.7/mcp2221' into for-linus 2020-04-01 13:36:46 +02:00
uhid.c HID: hidraw, uhid: Always report EPOLLOUT 2020-01-10 15:34:28 +01:00
wacom_sys.c HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices 2020-04-03 12:10:22 +02:00
wacom_wac.c Revert "HID: wacom: generic: read the number of expected touches on a per collection basis" 2020-04-16 21:38:47 +02:00
wacom_wac.h Merge branches 'for-5.2/fixes', 'for-5.3/doc', 'for-5.3/ish', 'for-5.3/logitech' and 'for-5.3/wacom' into for-linus 2019-07-10 01:39:57 +02:00
wacom.h HID: wacom: generic: Treat serial number and related fields as unsigned 2019-11-06 21:37:29 +01:00