OpenCloudOS-Kernel/drivers
Alan Stern f50b878fed USB: gadget: fix GPF in gadgetfs
A NULL-pointer dereference bug in gadgetfs was uncovered by syzkaller:

> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 2 PID: 4820 Comm: syz-executor0 Not tainted 4.12.0-rc4+ #5
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff880039542dc0 task.stack: ffff88003bdd0000
> RIP: 0010:__list_del_entry_valid+0x7e/0x170 lib/list_debug.c:51
> RSP: 0018:ffff88003bdd6e50 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000010000
> RDX: 0000000000000000 RSI: ffffffff86504948 RDI: ffffffff86504950
> RBP: ffff88003bdd6e68 R08: ffff880039542dc0 R09: ffffffff8778ce00
> R10: ffff88003bdd6e68 R11: dffffc0000000000 R12: 0000000000000000
> R13: dffffc0000000000 R14: 1ffff100077badd2 R15: ffffffff864d2e40
> FS:  0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000002014aff9 CR3: 0000000006022000 CR4: 00000000000006e0
> Call Trace:
>  __list_del_entry include/linux/list.h:116 [inline]
>  list_del include/linux/list.h:124 [inline]
>  usb_gadget_unregister_driver+0x166/0x4c0 drivers/usb/gadget/udc/core.c:1387
>  dev_release+0x80/0x160 drivers/usb/gadget/legacy/inode.c:1187
>  __fput+0x332/0x7f0 fs/file_table.c:209
>  ____fput+0x15/0x20 fs/file_table.c:245
>  task_work_run+0x19b/0x270 kernel/task_work.c:116
>  exit_task_work include/linux/task_work.h:21 [inline]
>  do_exit+0x18a3/0x2820 kernel/exit.c:878
>  do_group_exit+0x149/0x420 kernel/exit.c:982
>  get_signal+0x77f/0x1780 kernel/signal.c:2318
>  do_signal+0xd2/0x2130 arch/x86/kernel/signal.c:808
>  exit_to_usermode_loop+0x1a7/0x240 arch/x86/entry/common.c:157
>  prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
>  syscall_return_slowpath+0x3ba/0x410 arch/x86/entry/common.c:263
>  entry_SYSCALL_64_fastpath+0xbc/0xbe
> RIP: 0033:0x4461f9
> RSP: 002b:00007fdac2b1ecf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 00000000007080c8 RCX: 00000000004461f9
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080c8
> RBP: 00000000007080a8 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007fdac2b1f9c0 R15: 00007fdac2b1f700
> Code: 00 00 00 00 ad de 49 39 c4 74 6a 48 b8 00 02 00 00 00 00 ad de
> 48 89 da 48 39 c3 74 74 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80>
> 3c 02 00 0f 85 92 00 00 00 48 8b 13 48 39 f2 75 66 49 8d 7c
> RIP: __list_del_entry_valid+0x7e/0x170 lib/list_debug.c:51 RSP: ffff88003bdd6e50
> ---[ end trace 30e94b1eec4831c8 ]---
> Kernel panic - not syncing: Fatal exception

The bug was caused by dev_release() failing to turn off its
gadget_registered flag after unregistering the gadget driver.  As a
result, when a later user closed the device file before writing a
valid set of descriptors, dev_release() thought the gadget had been
registered and tried to unregister it, even though it had not been.
This led to the NULL pointer dereference.

The fix is simple: turn off the flag when the gadget is unregistered.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-06-09 16:02:20 +03:00
..
accessibility
acpi Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-27 09:06:43 -07:00
amba
android
ata ARM: SoC driver updates 2017-05-09 10:01:15 -07:00
atm
auxdisplay
base Merge branches 'pm-sleep' and 'powercap' 2017-05-22 20:32:05 +02:00
bcma
block Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2017-05-20 16:12:30 -07:00
bluetooth Bluetooth: hci_ldisc: Add protocol check to hci_uart_tx_wakeup() 2017-04-30 12:22:14 +02:00
bus
cdrom
char drivers: char: mem: Check for address space wraparound with mmap() 2017-05-18 16:53:55 +02:00
clk Sort of on the quieter side this time, which is probably due more 2017-05-10 13:38:18 -07:00
clocksource Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-12 10:43:25 -07:00
connector
cpufreq Merge branches 'intel_pstate', 'pm-cpufreq' and 'pm-cpufreq-sched' 2017-05-22 20:28:22 +02:00
cpuidle Merge branches 'pm-domains', 'pm-cpuidle', 'pm-sleep' and 'powercap' 2017-05-09 23:21:46 +02:00
crypto virtio: fixes, cleanups, performance 2017-05-10 11:33:08 -07:00
dax dax: fix false CONFIG_BLOCK dependency 2017-05-13 16:18:21 -07:00
dca
devfreq
dio
dma dmaengine updates for 4.12-rc1 2017-05-09 15:40:28 -07:00
dma-buf
edac EDAC, amd64: Fix reporting of Chip Select sizes on Fam17h 2017-05-03 16:27:36 +02:00
eisa
extcon
firewire
firmware More, and hopefully final, fixes after refactor for EFI pstore backend. 2017-05-22 19:31:07 -07:00
fmc
fpga fpga fr br: update supported version numbers 2017-04-26 11:38:56 +02:00
fsi
gpio Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
gpu Merge branch 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux into drm-fixes 2017-05-26 11:51:55 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-05-02 19:09:35 -07:00
hsi
hv char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
hwmon hwmon: (coretemp) Handle frozen hotplug state correctly 2017-05-14 07:49:32 -07:00
hwspinlock
hwtracing drivers/hwtracing/intel_th/msu.c: use set_memory.h header 2017-05-08 17:15:14 -07:00
i2c i2c: designware: Fix bogus sda_hold_time due to uninitialized vars 2017-05-22 19:22:19 -07:00
ide ide: don't call memcpy with the same source and destination 2017-05-08 17:36:39 -04:00
idle x86/intel_idle: add Gemini Lake support 2017-05-01 23:17:37 +02:00
iio Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
infiniband Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-05-12 11:44:13 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2017-05-26 16:45:13 -07:00
iommu iommu/mediatek: Include linux/dma-mapping.h 2017-05-17 14:51:54 +02:00
ipack
irqchip Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-21 11:45:26 -07:00
isdn Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
leds leds: pca955x: Correct I2C Functionality 2017-05-22 21:12:44 +02:00
lguest
lightnvm lightnvm: fix bad back free on error path 2017-05-04 07:53:04 -06:00
macintosh DeviceTree for 4.12: 2017-05-05 19:33:07 -07:00
mailbox mailbox: handle empty message in tx_tick 2017-04-27 16:20:04 +05:30
mcb
md Merge tag 'md/4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2017-05-18 12:04:41 -07:00
media Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
memory memory: omap-gpmc: Fix debug output for access width 2017-05-16 08:12:47 -07:00
memstick
message scsi: mpt: Move scsi_remove_host() out of mptscsih_remove_host() 2017-04-24 18:21:17 -04:00
mfd mfd: axp20x: Support AXP803 variant 2017-04-27 11:54:49 +01:00
misc misc: pci_endpoint_test: select CRC32 2017-05-16 23:05:40 +02:00
mmc This pull request contains fixes to make the WiFi work again for the ARM64 2017-05-26 09:05:35 -07:00
mtd This pull request contains updates for both UBI and UBIFS: 2017-05-13 10:23:12 -07:00
net net: ethernet: ax88796: don't call free_irq without request_irq first 2017-05-26 14:55:38 -04:00
nfc
ntb
nubus
nvdimm Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm 2017-05-12 15:43:10 -07:00
nvme nvme: Quirk APST on Intel 600P/P3100 devices 2017-05-26 11:53:02 +03:00
nvmem ARM: SoC driver updates 2017-05-09 10:01:15 -07:00
of MMC host: 2017-05-24 08:21:56 -07:00
oprofile
parisc
parport
pci PCI/PM: Add needs_resume flag to avoid suspend complete optimization 2017-05-23 14:18:17 -05:00
pcmcia Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
perf
phy
pinctrl Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-05-02 19:09:35 -07:00
platform char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
pnp
power power supply and reset changes for the v4.12 series (part 2) 2017-05-12 12:02:21 -07:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2017-05-14 13:30:05 +02:00
pps
ps3
ptp Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 16:15:18 -07:00
pwm
rapidio char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
ras
regulator Merge remote-tracking branch 'regulator/topic/vctrl' into regulator-next 2017-04-30 22:17:44 +09:00
remoteproc virtio: fixes, cleanups, performance 2017-05-10 11:33:08 -07:00
reset ARM: SoC driver updates 2017-05-09 10:01:15 -07:00
rpmsg virtio: fixes, cleanups, performance 2017-05-10 11:33:08 -07:00
rtc Merge branches 'pm-sleep' and 'powercap' 2017-05-22 20:32:05 +02:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2017-05-16 09:24:44 -07:00
sbus
scsi SCSI fixes on 20170524 2017-05-24 20:29:53 -07:00
sfi
sh
sn
soc ARM: SoC fixes (and a cross-arch dt-include fix) 2017-05-19 13:36:56 -07:00
spi Merge remote-tracking branches 'spi/topic/ti-qspi' and 'spi/topic/xlp' into spi-next 2017-04-26 15:58:22 +01:00
spmi
ssb
staging staging: fsl-dpaa2/eth: add ETHERNET dependency 2017-05-16 14:23:31 +02:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-05-12 11:44:13 -07:00
tc
tee Linux 4.12-rc1 2017-05-18 23:54:47 -07:00
thermal thermal: broadcom: ns-thermal: default on iProc SoCs 2017-05-23 20:09:34 -07:00
thunderbolt
tty serial: altera_uart: call iounmap() at driver remove 2017-05-25 14:36:37 +02:00
uio uio: fix incorrect memory leak cleanup 2017-05-16 23:06:41 +02:00
usb USB: gadget: fix GPF in gadgetfs 2017-06-09 16:02:20 +03:00
uwb uwb: fix device quirk on big-endian hosts 2017-05-17 11:27:41 +02:00
vfio powerpc updates for 4.12 part 1. 2017-05-05 11:36:44 -07:00
vhost mm: support __GFP_REPEAT in kvmalloc_node for >32kB 2017-05-08 17:15:12 -07:00
video fbdev changes for v4.12: 2017-05-11 11:12:26 -07:00
virt drivers/virt/fsl_hypervisor.c: use get_user_pages_unlocked() 2017-05-08 17:15:10 -07:00
virtio virtio: allow extra context per descriptor 2017-05-02 23:41:43 +03:00
vlynq
vme
w1
watchdog watchdog: bcm281xx: Fix use of uninitialized spinlock. 2017-05-19 10:42:25 +02:00
xen Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-05-09 09:12:53 -07:00
zorro
Kconfig
Makefile Merge branch 'tee/initial-merge' into fixes 2017-05-10 21:03:31 +02:00