cdb2deed99
[ Upstream commit 422dc0a4d12d0b80dd3aab3fe5943f665ba8f041 ] chaoskey_open() takes the lock only to increase the counter of openings. That means that the mutual exclusion with chaoskey_disconnect() cannot prevent an increase of the counter and chaoskey_open() returning a success. If that race is hit, chaoskey_disconnect() will happily free all resources associated with the device after it has dropped the lock, as it has read the counter as zero. To prevent this race chaoskey_open() has to check the presence of the device under the lock. However, the current per device lock cannot be used, because it is a part of the data structure to be freed. Hence an additional global mutex is needed. The issue is as old as the driver. Signed-off-by: Oliver Neukum <oneukum@suse.com> Reported-by: syzbot+422188bce66e76020e55@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=422188bce66e76020e55 Fixes: 66e3e591891da ("usb: Add driver for Altus Metrum ChaosKey device (v2)") Rule: add Link: https://lore.kernel.org/stable/20241002132201.552578-1-oneukum%40suse.com Link: https://lore.kernel.org/r/20241002132201.552578-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|---|---|---|
| .. | ||
| sisusbvga | ||
| adutux.c | ||
| apple-mfi-fastcharge.c | ||
| appledisplay.c | ||
| chaoskey.c | ||
| cypress_cy7c63.c | ||
| cytherm.c | ||
| ehset.c | ||
| emi26.c | ||
| emi62.c | ||
| ezusb.c | ||
| ftdi-elan.c | ||
| idmouse.c | ||
| iowarrior.c | ||
| isight_firmware.c | ||
| Kconfig | ||
| ldusb.c | ||
| legousbtower.c | ||
| lvstest.c | ||
| Makefile | ||
| trancevibrator.c | ||
| usb251xb.c | ||
| usb3503.c | ||
| usb4604.c | ||
| usb_u132.h | ||
| usblcd.c | ||
| usbsevseg.c | ||
| usbtest.c | ||
| uss720.c | ||
| yurex.c | ||