On Wed, 22 Apr 2020, Alan Stern wrote:

> The syzbot fuzzer discovered a bad race in the usbhid driver
> between usbhid_stop() and usbhid_close().  In particular,
> usbhid_stop() does:
>
>	usb_free_urb(usbhid->urbin);
>	...
>	usbhid->urbin = NULL;	/* don't mess up next start */
>
> and usbhid_close() does:
>
>	usb_kill_urb(usbhid->urbin);
>
> with no mutual exclusion.  If the two routines happen to run
> concurrently so that usb_kill_urb() is called in between the
> usb_free_urb() and the NULL assignment, it will access the
> deallocated urb structure -- a use-after-free bug.
>
> This patch adds a mutex to the usbhid private structure and uses it to
> enforce mutual exclusion of the usbhid_start(), usbhid_stop(),
> usbhid_open() and usbhid_close() callbacks.
>
> Reported-and-tested-by: syzbot+7bf5a7b0f0a1f9446f4c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> CC: <stable@xxxxxxxxxxxxxxx>
>
> ---
>
> [as1935]

Applied, thanks a lot Alan.

-- 
Jiri Kosina
SUSE Labs
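The race in Alan's description, as an added user-space model that is not part of his patch or of the usbhid driver: each callback is reduced to the steps quoted above (free, then NULL the pointer; kill the urb), and a small depth-first search enumerates every interleaving of the two, once without any lock and once with both callbacks wrapped in one mutex, which is how the commit message says the patch serializes them. The names race_without_mutex(), race_with_mutex(), the step enum and the poisoned-urb trick are this example's own; "freeing" only marks the urb so that the bad interleaving is reported rather than being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added user-space model of the usbhid_stop()/usbhid_close() race, not
 * driver code: "freeing" the urb only poisons its state, so a
 * use-after-free is detected instead of being undefined behaviour. */

enum urb_state { URB_ALIVE = 1, URB_FREED = 2 };
struct urb { enum urb_state state; };

struct model {
	struct urb urb;     /* storage that usbhid->urbin points at */
	struct urb *urbin;  /* usbhid->urbin */
	bool locked;        /* the mutex the patch adds (name assumed) */
};

/* One indivisible step of a callback, listed in program order. */
enum step { S_LOCK, S_FREE, S_NULL, S_UNLOCK, S_KILL, S_END };

/* Before the patch: no lock anywhere.  After it: both callbacks hold
 * the same mutex around their work. */
static const enum step stop_unlocked[]  = { S_FREE, S_NULL, S_END };
static const enum step close_unlocked[] = { S_KILL, S_END };
static const enum step stop_locked[]  = { S_LOCK, S_FREE, S_NULL, S_UNLOCK, S_END };
static const enum step close_locked[] = { S_LOCK, S_KILL, S_UNLOCK, S_END };

/* Copy a model, re-pointing urbin at the copy's own urb. */
static void model_copy(struct model *dst, const struct model *src)
{
	*dst = *src;
	if (dst->urbin)
		dst->urbin = &dst->urb;
}

/* Run one step.  Returns false if it would sleep in mutex_lock();
 * sets *uaf when usb_kill_urb() is handed a freed urb. */
static bool run_step(struct model *m, enum step s, bool *uaf)
{
	switch (s) {
	case S_LOCK:
		if (m->locked)
			return false;
		m->locked = true;
		break;
	case S_UNLOCK:
		m->locked = false;
		break;
	case S_FREE:                      /* usb_free_urb(usbhid->urbin); */
		m->urb.state = URB_FREED;
		break;
	case S_NULL:                      /* usbhid->urbin = NULL; */
		m->urbin = NULL;
		break;
	case S_KILL:                      /* usb_kill_urb(usbhid->urbin); */
		/* the real usb_kill_urb() returns early on NULL, so only a
		 * stale non-NULL pointer reaches the freed memory */
		if (m->urbin && m->urbin->state == URB_FREED)
			*uaf = true;
		break;
	default:
		break;
	}
	return true;
}

/* Depth-first search over every interleaving of the two callbacks.
 * Returns true if any schedule reaches usb_kill_urb() on a freed urb. */
static bool explore(const struct model *m, const enum step *stop_prog, int ps,
		    const enum step *close_prog, int pc)
{
	const enum step *prog[2] = { stop_prog, close_prog };
	int pcs[2] = { ps, pc };

	for (int t = 0; t < 2; t++) {
		struct model next;
		bool uaf = false;

		if (prog[t][pcs[t]] == S_END)
			continue;
		model_copy(&next, m);
		if (!run_step(&next, prog[t][pcs[t]], &uaf))
			continue;  /* blocked on the mutex: only the other task may run */
		if (uaf || explore(&next, stop_prog, ps + (t == 0),
				   close_prog, pc + (t == 1)))
			return true;
	}
	return false;
}

/* Does any interleaving of the given callback pair reach the UAF? */
static bool race_reachable(const enum step *stop_prog, const enum step *close_prog)
{
	struct model m = { .urb.state = URB_ALIVE, .urbin = NULL, .locked = false };

	m.urbin = &m.urb;
	return explore(&m, stop_prog, 0, close_prog, 0);
}

bool race_without_mutex(void) { return race_reachable(stop_unlocked, close_unlocked); }
bool race_with_mutex(void)    { return race_reachable(stop_locked, close_locked); }
```

race_without_mutex() finds the schedule FREE, KILL, NULL and reports the use-after-free; race_with_mutex() finds none, because once usbhid_stop() holds the mutex, usbhid_close() cannot run its kill until the pointer has been cleared, and usb_kill_urb() on a NULL pointer is a no-op. The same search would also show that moving the NULL assignment before the free, without a lock, merely trades the use-after-free for a kill on a still-live urb that the other side then frees, which is why the patch serializes the callbacks instead of reordering the two statements.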