HID: fix race between open() and disconnect() in usbhid

There is a window: task A task B spin_lock_irq(&usbhid->inlock); /* Sync with error handler */ usb_set_intfdata(intf, NULL); spin_unlock_irq(&usbhid->inlock); usb_kill_urb(usbhid->urbin); usb_kill_urb(usbhid->urbout); usb_kill_urb(usbhid->urbctrl); del_timer_sync(&usbhid->io_retry); cancel_work_sync(&usbhid->reset_work); if (!hid->open++) { res = usb_autopm_get_interface(usbhid->intf); if (res < 0) { hid->open--; return -EIO; } } if (hid_start_in(hid)) if (hid->claimed & HID_CLAIMED_INPUT) hidinput_disconnect(hid); in which an open() to an already disconnected device will submit an URB to an undead device. In case disconnect() was called by an ioctl, this'll oops. Fix by introducing a new flag and checking it in hid_start_in(). Signed-off-by: N Oliver Neukum <oneukum@suse.de> Signed-off-by: N Jiri Kosina <jkosina@suse.cz>

HID: fix race between open() and disconnect() in usbhid
There is a window: task A task B spin_lock_irq(&usbhid->inlock); /* Sync with error handler */ usb_set_intfdata(intf, NULL); spin_unlock_irq(&usbhid->inlock); usb_kill_urb(usbhid->urbin); usb_kill_urb(usbhid->urbout); usb_kill_urb(usbhid->urbctrl); del_timer_sync(&usbhid->io_retry); cancel_work_sync(&usbhid->reset_work); if (!hid->open++) { res = usb_autopm_get_interface(usbhid->intf); if (res < 0) { hid->open--; return -EIO; } } if (hid_start_in(hid)) if (hid->claimed & HID_CLAIMED_INPUT) hidinput_disconnect(hid); in which an open() to an already disconnected device will submit an URB to an undead device. In case disconnect() was called by an ioctl, this'll oops. Fix by introducing a new flag and checking it in hid_start_in(). Signed-off-by: N Oliver Neukum <oneukum@suse.de> Signed-off-by: N Jiri Kosina <jkosina@suse.cz>
69626f23 · Oliver Neukum · Jiri Kosina · abdff0f7 · 69626f23 · 69626f23
隐藏空白更改
内联并排

Showing with 4 addition and 1 deletion

drivers/hid/usbhid/hid-core.c drivers/hid/usbhid/hid-core.c +3 -1

include/linux/hid.h include/linux/hid.h +1 -0

未找到文件。
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -82,6 +82,7 @@ static int hid_start_in(struct hid_device *hid)
 	spin_lock_irqsave(&usbhid->inlock, flags);
 	if (hid->open > 0 && !test_bit(HID_SUSPENDED, &usbhid->iofl) &&
+			!test_bit(HID_DISCONNECTED, &usbhid->iofl) &&
 			!test_and_set_bit(HID_IN_RUNNING, &usbhid->iofl)) {
 		rc = usb_submit_urb(usbhid->urbin, GFP_ATOMIC);
 		if (rc != 0)
@@ -155,7 +156,7 @@ static void hid_io_error(struct hid_device *hid)
 	spin_lock_irqsave(&usbhid->inlock, flags);
 	/* Stop when disconnected */
-	if (usb_get_intfdata(usbhid->intf) == NULL)
+	if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
 		goto done;
 	/* If it has been a while since the last error, we'll assume
@@ -941,6 +942,7 @@ static void hid_disconnect(struct usb_interface *intf)
 	spin_lock_irq(&usbhid->inlock);	/* Sync with error handler */
 	usb_set_intfdata(intf, NULL);
+	set_bit(HID_DISCONNECTED, &usbhid->iofl);
 	spin_unlock_irq(&usbhid->inlock);
 	usb_kill_urb(usbhid->urbin);
 	usb_kill_urb(usbhid->urbout);

--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -424,6 +424,7 @@ struct hid_control_fifo {
 #define HID_RESET_PENDING	4
 #define HID_SUSPENDED		5
 #define HID_CLEAR_HALT		6
+#define HID_DISCONNECTED	7
 struct hid_input {
 	struct list_head list;