From patchwork Mon Oct 7 15:09:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alan Stern X-Patchwork-Id: 11177715 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9BAA5112B for ; Mon, 7 Oct 2019 15:09:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7A6EA21E6F for ; Mon, 7 Oct 2019 15:09:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729260AbfJGPJF (ORCPT ); Mon, 7 Oct 2019 11:09:05 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:60246 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1728837AbfJGPJF (ORCPT ); Mon, 7 Oct 2019 11:09:05 -0400 Received: (qmail 4331 invoked by uid 2102); 7 Oct 2019 11:09:04 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 Oct 2019 11:09:04 -0400 Date: Mon, 7 Oct 2019 11:09:04 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: Mauro Carvalho Chehab , Hans Verkuil cc: linux-media@vger.kernel.org, USB list , Subject: [PATCH 1/2 RESEND] media: usbvision: Fix invalid accesses after device disconnect Message-ID: MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The syzbot fuzzer found two invalid-access bugs in the usbvision driver. These bugs occur when userspace keeps the device file open after the device has been disconnected and usbvision_disconnect() has set usbvision->dev to NULL: When the device file is closed, usbvision_radio_close() tries to issue a usb_set_interface() call, passing the NULL pointer as its first argument. If userspace performs a querycap ioctl call, vidioc_querycap() calls usb_make_path() with the same NULL pointer. This patch fixes the problems by making the appropriate tests beforehand. Note that vidioc_querycap() is protected by usbvision->v4l2_lock, acquired in a higher layer of the V4L2 subsystem. Reported-and-tested-by: syzbot+7fa38a608b1075dfd634@syzkaller.appspotmail.com Signed-off-by: Alan Stern CC: --- [as1919] drivers/media/usb/usbvision/usbvision-video.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c =================================================================== --- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c +++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c @@ -453,6 +453,9 @@ static int vidioc_querycap(struct file * { struct usb_usbvision *usbvision = video_drvdata(file); + if (!usbvision->dev) + return -ENODEV; + strscpy(vc->driver, "USBVision", sizeof(vc->driver)); strscpy(vc->card, usbvision_device_data[usbvision->dev_model].model_string, @@ -1111,7 +1114,8 @@ static int usbvision_radio_close(struct mutex_lock(&usbvision->v4l2_lock); /* Set packet size to 0 */ usbvision->iface_alt = 0; - usb_set_interface(usbvision->dev, usbvision->iface, + if (usbvision->dev) + usb_set_interface(usbvision->dev, usbvision->iface, usbvision->iface_alt); usbvision_audio_off(usbvision);