Patch "Input: powermate - fix use-after-free in powermate_config_complete" has been added to the 5.10-stable tree


This is a note to let you know that I've just added the patch titled

    Input: powermate - fix use-after-free in powermate_config_complete

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     input-powermate-fix-use-after-free-in-powermate_config_complete.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 5c15c60e7be615f05a45cd905093a54b11f461bc Mon Sep 17 00:00:00 2001
From: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>
Date: Fri, 13 Oct 2023 20:11:33 -0700
Subject: Input: powermate - fix use-after-free in powermate_config_complete

From: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>

commit 5c15c60e7be615f05a45cd905093a54b11f461bc upstream.

syzbot has found a use-after-free bug [1] in the powermate driver. This
happens when the device is disconnected, which leads to a memory free from
the powermate_device struct.  When an asynchronous control message
completes after the kfree and its callback is invoked, the lock does not
exist anymore and hence the bug.

Use usb_kill_urb() on pm->config to cancel any in-progress requests upon
device disconnection.

[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

Signed-off-by: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>
Reported-by: syzbot+0434ac83f907a1dbdd1e@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://lore.kernel.org/r/20230916-topic-powermate_use_after_free-v3-1-64412b81a7a2@xxxxxxxxx
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/input/misc/powermate.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
@@ -425,6 +425,7 @@ static void powermate_disconnect(struct
 		pm->requires_update = 0;
 		usb_kill_urb(pm->irq);
 		input_unregister_device(pm->input);
+		usb_kill_urb(pm->config);
 		usb_free_urb(pm->irq);
 		usb_free_urb(pm->config);
 		powermate_free_buffers(interface_to_usbdev(intf), pm);
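Review bot: ordering is the thing to check here, and it holds: the added `usb_kill_urb(pm->config)` sits before `usb_free_urb(pm->config)` and `powermate_free_buffers(...)`, so the completion handler the commit message describes cannot run after the struct has been released, and `pm->requires_update = 0` at the top of the hunk is already in place so a cancelled request is not resubmitted. For readability, consider moving the new line up next to `usb_kill_urb(pm->irq)` so both URBs are killed together before `input_unregister_device(pm->input)`, and add a one-line comment stating that the kill must precede the free; nothing in the hunk records that constraint for the next person who reorders the teardown.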


Patches currently in stable-queue which might be from javier.carrasco.cruz@xxxxxxxxx are

queue-5.10/input-powermate-fix-use-after-free-in-powermate_config_complete.patch
queue-5.10/net-usb-dm9601-fix-uninitialized-variable-use-in-dm9601_mdio_read.patch
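The race the commit message describes, as an added illustration that is not part of the patch or of the driver's own code: a constructed, single-threaded C model of the URB lifecycle in which a config request is in flight when the device is unplugged and its completion is delivered only after disconnect. The names `urb_submit`, `urb_kill`, `controller_deliver_completions`, `pm_model`, `config_complete`, `disconnect` and `run_scenario` are stand-ins chosen for this example; the real `usb_kill_urb()` sleeps until the completion handler has returned and real completions run in interrupt context, which the model compresses into synchronous calls. Memory is never actually released: a `freed` flag records the `kfree()` so that a callback touching the object afterwards is counted instead of crashing.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a USB request block. A submitted URB completes
 * asynchronously; completions are delivered explicitly so the race is visible. */
struct urb;
typedef void (*urb_complete_t)(struct urb *urb);

struct urb {
    int status;              /* 0 = success, -ENOENT = cancelled by urb_kill() */
    bool in_flight;          /* submitted and not yet completed */
    void *context;           /* driver private data (pm here) */
    urb_complete_t complete; /* completion handler */
};

/* The "host controller": at most one URB awaiting completion delivery. */
static struct urb *pending_completion;

/* usb_submit_urb() stand-in. */
static int urb_submit(struct urb *urb)
{
    if (urb->in_flight)
        return -EBUSY;
    urb->in_flight = true;
    urb->status = 0;
    pending_completion = urb;
    return 0;
}

/* The controller finishing a transfer some time later (the "interrupt"). */
static void controller_deliver_completions(void)
{
    struct urb *urb = pending_completion;

    if (!urb)
        return;
    pending_completion = NULL;
    urb->in_flight = false;
    urb->complete(urb);
}

/* usb_kill_urb() stand-in: cancel the transfer and return only after the
 * handler has run with -ENOENT, so no callback can fire later. */
static void urb_kill(struct urb *urb)
{
    if (!urb->in_flight)
        return;
    pending_completion = NULL;
    urb->in_flight = false;
    urb->status = -ENOENT;
    urb->complete(urb);
}

/* Stand-in for struct powermate_device; `freed` records kfree() instead of
 * releasing memory, so late use is counted rather than crashing. */
struct pm_model {
    bool freed;
    bool requires_update;
    struct urb *config;
};

static int late_callbacks;   /* completions that ran on a "freed" device */

/* powermate_config_complete() stand-in: in the driver this takes pm->lock. */
static void config_complete(struct urb *urb)
{
    struct pm_model *pm = urb->context;

    if (pm->freed) {         /* real driver: use-after-free on pm->lock */
        late_callbacks++;
        return;
    }
    if (urb->status == 0 && pm->requires_update)
        urb_submit(urb);     /* state changed meanwhile, send another request */
}

/* powermate_disconnect() stand-in; `kill_config` toggles the stable fix. */
static void disconnect(struct pm_model *pm, bool kill_config)
{
    pm->requires_update = false;
    if (kill_config)
        urb_kill(pm->config); /* the added usb_kill_urb(pm->config) */
    pm->freed = true;         /* usb_free_urb() + kfree(pm) */
}

/* Returns how many completions ran against the freed device (0 = safe). */
int run_scenario(bool with_fix)
{
    struct urb config = {0};
    struct pm_model pm = {0};

    config.context = &pm;
    config.complete = config_complete;
    pm.config = &config;
    late_callbacks = 0;

    urb_submit(&config);              /* config request in flight */
    disconnect(&pm, with_fix);        /* device unplugged mid-request */
    controller_deliver_completions(); /* the late completion arrives */
    return late_callbacks;
}

int main(void)
{
    printf("without fix: %d late callback(s)\n", run_scenario(false));
    printf("with fix:    %d late callback(s)\n", run_scenario(true));
    return 0;
}
```

Without the kill, the late completion finds the device already freed; with it, the handler runs once with `-ENOENT` while the struct is still valid, the controller has nothing left to deliver, and clearing `requires_update` first guarantees the cancelled request is not resubmitted from inside the handler.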


