On Mon, Aug 12, 2019 at 04:11:07PM -0400, Alan Stern wrote:
> The syzbot fuzzer has found two (!) races in the USB character device
> registration and deregistration routines. This patch fixes the races.
>
> The first race results from the fact that usb_deregister_dev() sets
> usb_minors[intf->minor] to NULL before calling device_destroy() on the
> class device. This leaves a window during which another thread can
> allocate the same minor number but will encounter a duplicate name
> error when it tries to register its own class device. A typical error
> message in the system log would look like:
>
> sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'
>
> The patch fixes this race by destroying the class device first.
>
> The second race is in usb_register_dev(). When that routine runs, it
> first allocates a minor number, then drops minor_rwsem, and then
> creates the class device. If the device creation fails, the minor
> number is deallocated and the whole routine returns an error. But
> during the time while minor_rwsem was dropped, there is a window in
> which the minor number is allocated and so another thread can
> successfully open the device file. Typically this results in
> use-after-free errors or invalid accesses when the other thread closes
> its open file reference, because the kernel then tries to release
> resources that were already deallocated when usb_register_dev()
> failed. The patch fixes this race by keeping minor_rwsem locked
> throughout the entire routine.
>
> Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> CC: <stable@xxxxxxxxxxxxxxx>
>
> ---
>
> [as1907]

Thanks for this, now queued up.

greg k-h
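The two interleavings that the quoted description explains can be made concrete in a small single-threaded model. The following is an added illustration, not the kernel's code or the patch itself: `minors[]`, `rwsem_held`, `class_live[]`, the `register_*`/`deregister_*` functions and the "window hook" are hypothetical stand-ins for usb_minors[], minor_rwsem, the sysfs class device and the second thread. The hook runs exactly where the real routine leaves a window, so the before/after ordering can be compared deterministically: the racy register lets the other thread obtain a pointer to a minor that is then released (the dangling reference behind the use-after-free), and the racy deregister lets the other thread reuse the minor while its class device name still exists (the duplicate-filename error).

```c
/* Single-threaded model of the two races; a second thread's action is
 * injected at the window. Hypothetical names, not the kernel's. */
#include <stdio.h>
#include <string.h>

#define MAX_MINORS 4
struct usb_iface { int minor; };

static struct usb_iface *minors[MAX_MINORS]; /* stands in for usb_minors[] */
static int rwsem_held;                       /* stands in for minor_rwsem */
static int class_live[MAX_MINORS];           /* does sysfs name "ldusbN" exist? */

typedef void (*hook_fn)(void);
static hook_fn window_hook;          /* the second thread, run once at the window */
static struct usb_iface *other_ref;  /* pointer the second thread's open() returned */
static int other_rc;                 /* result of the second thread's register */
static int other_blocked;            /* second thread found the semaphore held */

static hook_fn take_hook(void) { hook_fn h = window_hook; window_hook = NULL; return h; }

static int alloc_minor(struct usb_iface *intf)
{
    for (int m = 0; m < MAX_MINORS; m++)
        if (!minors[m]) { minors[m] = intf; intf->minor = m; return m; }
    return -28; /* -ENOSPC */
}

static int device_create(int minor, int inject_failure)
{
    if (inject_failure) return -12;    /* e.g. -ENOMEM */
    if (class_live[minor]) return -17; /* -EEXIST: cannot create duplicate filename */
    class_live[minor] = 1;
    return 0;
}
static void device_destroy(int minor) { class_live[minor] = 0; }

/* open(): takes the semaphore, then looks the minor up. */
static struct usb_iface *usb_open(int minor)
{
    if (rwsem_held) { other_blocked = 1; return NULL; } /* would sleep here */
    return minors[minor];
}

/* BEFORE the patch: semaphore dropped between allocation and device creation. */
static int register_racy(struct usb_iface *intf, int create_fails)
{
    rwsem_held = 1;
    int m = alloc_minor(intf);
    rwsem_held = 0;
    if (m < 0) return m;
    hook_fn h = take_hook(); if (h) h();        /* other thread can open() now */
    int rc = device_create(m, create_fails);
    if (rc) { rwsem_held = 1; minors[m] = NULL; rwsem_held = 0; }
    return rc;
}

/* AFTER the patch: semaphore held until the device exists or the minor is released. */
static int register_fixed(struct usb_iface *intf, int create_fails)
{
    rwsem_held = 1;
    int m = alloc_minor(intf);
    if (m < 0) { rwsem_held = 0; return m; }
    hook_fn h = take_hook(); if (h) h();        /* same attempt, but it blocks */
    int rc = device_create(m, create_fails);
    if (rc) minors[m] = NULL;
    rwsem_held = 0;
    if (other_blocked && h) { other_blocked = 0; h(); } /* blocked thread resumes */
    return rc;
}

/* BEFORE: table slot cleared while the class device still exists. */
static void deregister_racy(struct usb_iface *intf)
{
    rwsem_held = 1; minors[intf->minor] = NULL; rwsem_held = 0;
    hook_fn h = take_hook(); if (h) h();        /* other thread can register now */
    device_destroy(intf->minor);
}

/* AFTER: destroy the class device first, then release the minor. */
static void deregister_fixed(struct usb_iface *intf)
{
    device_destroy(intf->minor);
    hook_fn h = take_hook(); if (h) h();
    rwsem_held = 1; minors[intf->minor] = NULL; rwsem_held = 0;
}

static struct usb_iface newcomer;
static void other_opens_minor0(void) { other_ref = usb_open(0); }
static void other_registers(void) { other_rc = register_fixed(&newcomer, 0); }

static void reset(void)
{
    memset(minors, 0, sizeof minors); memset(class_live, 0, sizeof class_live);
    rwsem_held = 0; window_hook = NULL; other_ref = NULL; other_rc = 0; other_blocked = 0;
}

/* Second race: 1 if the other thread ended up holding a pointer to a released minor. */
static int scenario_register(int (*reg)(struct usb_iface *, int))
{
    struct usb_iface intf; reset();
    window_hook = other_opens_minor0;
    reg(&intf, 1);                              /* device creation fails */
    return other_ref && minors[other_ref->minor] != other_ref;
}

/* First race: the other thread's register result while ldusb0 is being torn down. */
static int scenario_deregister(void (*dereg)(struct usb_iface *))
{
    struct usb_iface intf; reset();
    register_fixed(&intf, 0);                   /* ldusb0 exists */
    window_hook = other_registers;
    dereg(&intf);
    return other_rc;
}

int main(void)
{
    printf("register  racy/fixed dangling ref: %d / %d\n",
           scenario_register(register_racy), scenario_register(register_fixed));
    printf("deregister racy/fixed other rc:    %d / %d\n",
           scenario_deregister(deregister_racy), scenario_deregister(deregister_fixed));
    return 0;
}
```

Running it prints `1 / 0` for the register scenario and `-17 / 0` for the deregister scenario: with the lock held for the whole of registration the other thread's open() only runs after the minor has been released and finds nothing, and with the class device destroyed before the table slot is cleared the newcomer is handed a minor whose name is no longer in use.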