linux/drivers/usb/misc
Johan Hovold edc4746f25 USB: iowarrior: fix use-after-free on disconnect
A recent fix addressing a deadlock on disconnect introduced a new bug
by moving the present flag out of the critical section protected by the
driver-data mutex. This could lead to a racing release() freeing the
driver data before disconnect() is done with it.

Due to insufficient locking a related use-after-free could be triggered
also before the above mentioned commit. Specifically, the driver needs
to hold the driver-data mutex also while checking the opened flag at
disconnect().

Fixes: c468a8aa79 ("usb: iowarrior: fix deadlock on disconnect")
Fixes: 946b960d13 ("USB: add driver for iowarrior devices.")
Cc: stable <stable@vger.kernel.org>	# 2.6.21
Reported-by: syzbot+0761012cebf7bdb38137@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191009104846.5925-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-10-10 12:45:06 +02:00
..
sisusbvga USB: sisusbvga: Remove unneeded variable 2019-06-10 18:03:09 +02:00
Kconfig USB: rio500: Remove Rio 500 kernel driver 2019-10-04 10:53:36 +02:00
Makefile USB: rio500: Remove Rio 500 kernel driver 2019-10-04 10:53:36 +02:00
adutux.c USB: adutux: fix use-after-free on release 2019-10-10 12:43:19 +02:00
appledisplay.c Merge 4.20-rc6 into usb-next 2018-12-10 10:19:08 +01:00
chaoskey.c USB: chaoskey: fix use-after-free on release 2019-10-10 12:43:19 +02:00
cypress_cy7c63.c USB: cypress_cy7c63: convert to use dev_groups 2019-08-09 07:55:44 +02:00
cytherm.c USB: cytherm: convert to use dev_groups 2019-08-09 07:55:44 +02:00
ehset.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
emi26.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
emi62.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
ezusb.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
ftdi-elan.c usb: ftdi-elan: fix possible condition with no effect (if == else) 2019-06-03 15:21:57 +02:00
idmouse.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
iowarrior.c USB: iowarrior: fix use-after-free on disconnect 2019-10-10 12:45:06 +02:00
isight_firmware.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
ldusb.c USB: ldusb: fix NULL-derefs on driver unbind 2019-10-10 12:43:18 +02:00
legousbtower.c USB: legousbtower: fix use-after-free on release 2019-10-10 12:43:18 +02:00
lvstest.c USB: lvstest: convert to use dev_groups 2019-08-09 07:55:44 +02:00
trancevibrator.c USB: trancevibrator: convert to use dev_groups 2019-08-09 07:55:45 +02:00
usb251xb.c usb: usb251xb: Reallow swap-dx-lanes to apply to the upstream port 2019-07-25 11:16:19 +02:00
usb3503.c usb: misc: usb3503: get optional clock by devm_clk_get_optional() 2019-04-19 14:24:25 +02:00
usb4604.c USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
usb_u132.h USB: misc: Remove redundant license text 2017-11-04 11:55:38 +01:00
usblcd.c USB: usblcd: use pr_err() 2019-10-04 11:11:08 +02:00
usbsevseg.c USB: usbsevseg: convert to use dev_groups 2019-08-09 07:55:45 +02:00
usbtest.c usb: misc: usbtest: add super-speed isoc support 2019-02-13 13:03:23 +02:00
uss720.c usb: misc: uss720: Fix two sleep-in-atomic-context bugs 2018-09-05 14:36:53 +02:00
yurex.c USB: yurex: Don't retry on unexpected errors 2019-10-04 11:02:59 +02:00