From: Greg Kroah-Hartman
Date: Sun, 16 Oct 2022 12:30:37 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.219~135
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f9c1231e4e7ca92ff02e857e3c8e3d28594467d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch
---

diff --git a/queue-4.9/fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch b/queue-4.9/fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch
new file mode 100644
index 00000000000..78b44e3a01b
--- /dev/null
+++ b/queue-4.9/fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch
@@ -0,0 +1,79 @@
+From 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim
+Date: Sun, 25 Sep 2022 06:32:43 -0700
+Subject: fbdev: smscufx: Fix use-after-free in ufx_ops_open()
+
+From: Hyunwoo Kim
+
+commit 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c upstream.
+
+A race condition may occur if the user physically removes the
+USB device while calling open() for this device node.
+
+This is a race condition between the ufx_ops_open() function and
+the ufx_usb_disconnect() function, which may eventually result in UAF.
+
+So, add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions
+to avoid race contidion of krefs.
+
+Signed-off-by: Hyunwoo Kim
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/smscufx.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/smscufx.c
++++ b/drivers/video/fbdev/smscufx.c
+@@ -140,6 +140,8 @@ static int ufx_submit_urb(struct ufx_dat
+ static int ufx_alloc_urb_list(struct ufx_data *dev, int count, size_t size);
+ static void ufx_free_urb_list(struct ufx_data *dev);
+ 
++static DEFINE_MUTEX(disconnect_mutex);
++
+ /* reads a control register */
+ static int ufx_reg_read(struct ufx_data *dev, u32 index, u32 *data)
+ {
+@@ -1073,9 +1075,13 @@ static int ufx_ops_open(struct fb_info *
+ if (user == 0 && !console)
+ return -EBUSY;
+ 
++ mutex_lock(&disconnect_mutex);
++
+ /* If the USB device is gone, we don't accept new opens */
+- if (dev->virtualized)
++ if (dev->virtualized) {
++ mutex_unlock(&disconnect_mutex);
+ return -ENODEV;
++ }
+ 
+ dev->fb_count++;
+ 
+@@ -1100,6 +1106,8 @@ static int ufx_ops_open(struct fb_info *
+ pr_debug("open /dev/fb%d user=%d fb_info=%p count=%d",
+ info->node, user, info, dev->fb_count);
+ 
++ mutex_unlock(&disconnect_mutex);
++
+ return 0;
+ }
+ 
+@@ -1761,6 +1769,8 @@ static void ufx_usb_disconnect(struct us
+ {
+ struct ufx_data *dev;
+ 
++ mutex_lock(&disconnect_mutex);
++
+ dev = usb_get_intfdata(interface);
+ 
+ pr_debug("USB disconnect starting\n");
+@@ -1781,6 +1791,8 @@ static void ufx_usb_disconnect(struct us
+ kref_put(&dev->kref, ufx_free);
+ 
+ /* consider ufx_data freed */
++
++ mutex_unlock(&disconnect_mutex);
+ }
+ 
+ static struct usb_driver ufx_driver = {
diff --git a/queue-4.9/series b/queue-4.9/series
index 0bf347a2f8e..b3d78f290a3 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -50,3 +50,4 @@ regulator-qcom_rpm-fix-circular-deferral-regression.patch
 parisc-fbdev-stifb-align-graphics-memory-size-to-4mb.patch
 um-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
 pci-sanitise-firmware-bar-assignments-behind-a-pci-pci-bridge.patch
+fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch
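Review bot: The lock taken in the ufx_ops_open() hunk at `@@ -1073,9 +1075,13 @@` is released on only two paths, the `-ENODEV` early return and the end of the function, so any return between `dev->fb_count++;` and the `pr_debug` hunk — a stretch this patch does not show — would leave `disconnect_mutex` held and block every later open and disconnect; ufx_ops_open() itself begins before the hunk. A single `unlock:` label in front of the final `mutex_unlock(&disconnect_mutex);` would keep the release in one place and turn the early-return block into `if (dev->virtualized) { ret = -ENODEV; goto unlock; }`. The new `static DEFINE_MUTEX(disconnect_mutex);` carries no comment; `/* serialises ufx_ops_open() against ufx_usb_disconnect() so dev is not freed under an in-progress open */` would record what it guards. Separately, if the code between the two ufx_usb_disconnect() hunks calls into the fbdev core while holding `disconnect_mutex`, and the core already holds its own fb_info lock when it calls `->fb_open`, the two paths would acquire those locks in opposite order — worth confirming with lockdep rather than from these hunks alone.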