From patchwork Thu May 12 12:37:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 12847652 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E548AC433EF for ; Thu, 12 May 2022 12:37:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353862AbiELMh2 (ORCPT ); Thu, 12 May 2022 08:37:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51018 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349758AbiELMh1 (ORCPT ); Thu, 12 May 2022 08:37:27 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 533F26212B for ; Thu, 12 May 2022 05:37:26 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 141441F88F; Thu, 12 May 2022 12:37:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1652359045; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=P9lhJMO5oZS2g47UJKj/tR2sGhDq+1Yr7qCMhH7/RDo=; b=Igu+hegJtWvM1nyX1ODL9u8tToH5KGnYvCdUGqDeD/3olK5CdKX2a5f8jIfhLwqRBC7tZR 1su8f8UpA1yFcUyPs9vYpudA9jzJ5mgEsl+m9KElP8fRj3p9GTKmOaZnA6COIlFoLOf4SH xEzkvKhYVKPgPsi+pvHNCEfHxBjHCq4= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id DA34B13ABE; Thu, 12 May 2022 12:37:24 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id hplyMoT/fGL/GgAAMHmgww (envelope-from ); Thu, 12 May 2022 12:37:24 +0000 From: Oliver Neukum To: linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org Cc: Oliver Neukum Subject: [PATCHv2 1/4] igorplugusb: respect DMA coherency Date: Thu, 12 May 2022 14:37:20 +0200 Message-Id: <20220512123723.25815-1-oneukum@suse.com> X-Mailer: git-send-email 2.35.3 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The coherency rules mean that you cannot embed a buffer inside a descriptor. kmalloc() separately. v2: Resending series due to omitting this patch Signed-off-by: Oliver Neukum --- drivers/media/rc/igorplugusb.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index b40dbf500186..b46362da8623 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -38,7 +38,7 @@ struct igorplugusb { struct timer_list timer; - uint8_t buf_in[MAX_PACKET]; + u8 *buf_in; char phys[64]; }; @@ -177,6 +177,9 @@ static int igorplugusb_probe(struct usb_interface *intf, if (!ir->urb) goto fail; + ir->buf_in = kmalloc(MAX_PACKET, GFP_KERNEL); + if (!ir->buf_in) + goto fail; usb_fill_control_urb(ir->urb, udev, usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request, ir->buf_in, sizeof(ir->buf_in), igorplugusb_callback, ir); @@ -223,6 +226,7 @@ static int igorplugusb_probe(struct usb_interface *intf, rc_free_device(ir->rc); usb_free_urb(ir->urb); del_timer(&ir->timer); + kfree(ir->buf_in); return ret; } @@ -236,6 +240,7 @@ static void igorplugusb_disconnect(struct usb_interface *intf) usb_set_intfdata(intf, NULL); usb_kill_urb(ir->urb); usb_free_urb(ir->urb); + kfree(ir->buf_in); } static const struct usb_device_id igorplugusb_table[] = { From patchwork Thu May 12 12:37:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 12847653 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA3DDC433F5 for ; Thu, 12 May 2022 12:37:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353854AbiELMh3 (ORCPT ); Thu, 12 May 2022 08:37:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51040 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351968AbiELMh1 (ORCPT ); Thu, 12 May 2022 08:37:27 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 95A7A62135 for ; Thu, 12 May 2022 05:37:26 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 562D821C75; Thu, 12 May 2022 12:37:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1652359045; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iUDT8BZXeRxQ7GjtpFSvQqz6OKo7gELTdlRtsGg+/j0=; b=NaknaR5/hZ4pB4krTgZo8LV0YVduv9Gw8Cf9E49jv1YrS2lfjgghz1mOcN6xxvOU/5wqmF YtcFwGAyJySJUznBJ7DGxdEN93/7LcU2wSUr0VO587JaP9fN/r55yul7sAFKxszdeIoJN4 8HO0WBE67Bwvgqufx1ZHYRfqRxW1ayI= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 1E12913ABE; Thu, 12 May 2022 12:37:25 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id yGLUBYX/fGL/GgAAMHmgww (envelope-from ); Thu, 12 May 2022 12:37:25 +0000 From: Oliver Neukum To: linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org Cc: Oliver Neukum Subject: [PATCHv2 2/4] igorplugusb: prevent use after free in probe error Date: Thu, 12 May 2022 14:37:21 +0200 Message-Id: <20220512123723.25815-2-oneukum@suse.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220512123723.25815-1-oneukum@suse.com> References: <20220512123723.25815-1-oneukum@suse.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The timer uses the URB. Free it only after the timer has been stopped. v2: Resending series due to omitting first patch Signed-off-by: Oliver Neukum --- drivers/media/rc/igorplugusb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index b46362da8623..1afba95409ff 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -223,9 +223,9 @@ static int igorplugusb_probe(struct usb_interface *intf, return 0; fail: - rc_free_device(ir->rc); - usb_free_urb(ir->urb); del_timer(&ir->timer); + usb_free_urb(ir->urb); + rc_free_device(ir->rc); kfree(ir->buf_in); return ret; From patchwork Thu May 12 12:37:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 12847655 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4760AC433F5 for ; Thu, 12 May 2022 12:37:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353863AbiELMhb (ORCPT ); Thu, 12 May 2022 08:37:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51072 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353756AbiELMh1 (ORCPT ); Thu, 12 May 2022 08:37:27 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D178662136 for ; Thu, 12 May 2022 05:37:26 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 8F4D521C82; Thu, 12 May 2022 12:37:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1652359045; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=L7b9NWV1Di5pSPdF/xuUrWQE6D56vC/QzYoNJmH9wT4=; b=vWoKwF800Vx/k/7F5layi9MYYFCtRK+d5yIeHn1qsX9EaRpEICK6Ugv08vaMFu/fITPvqD jW6NIEQPQuUHxxbusi+HNOTKAhfe1uoFvXoDw9mXWShVj3gNRPgJzqw5xBA9nPNJzg3xCZ sOX+rxkPqWQoKsWDzBXjovftVPrp4hw= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 5F05713ABE; Thu, 12 May 2022 12:37:25 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id QCSQFYX/fGL/GgAAMHmgww (envelope-from ); Thu, 12 May 2022 12:37:25 +0000 From: Oliver Neukum To: linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org Cc: Oliver Neukum Subject: [PATCHv2 3/4] igorplugusb: break cyclical race on disconnect Date: Thu, 12 May 2022 14:37:22 +0200 Message-Id: <20220512123723.25815-3-oneukum@suse.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220512123723.25815-1-oneukum@suse.com> References: <20220512123723.25815-1-oneukum@suse.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The driver uses a timer, that may submit the URB and the URB may start the timer. No simple order of killing can break te cycle. Poison the URB before killing the timer. v2: Resending series due to omitting first patch Signed-off-by: Oliver Neukum --- drivers/media/rc/igorplugusb.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index 1afba95409ff..b2245849f7aa 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -126,7 +126,7 @@ static void igorplugusb_cmd(struct igorplugusb *ir, int cmd) ir->request.bRequest = cmd; ir->urb->transfer_flags = 0; ret = usb_submit_urb(ir->urb, GFP_ATOMIC); - if (ret) + if (ret && ret != -EPERM) dev_err(ir->dev, "submit urb failed: %d", ret); } @@ -223,7 +223,9 @@ static int igorplugusb_probe(struct usb_interface *intf, return 0; fail: + usb_poison_urb(ir->urb); del_timer(&ir->timer); + usb_unpoison_urb(ir->urb); usb_free_urb(ir->urb); rc_free_device(ir->rc); kfree(ir->buf_in); @@ -236,9 +238,10 @@ static void igorplugusb_disconnect(struct usb_interface *intf) struct igorplugusb *ir = usb_get_intfdata(intf); rc_unregister_device(ir->rc); + usb_poison_urb(ir->urb); del_timer_sync(&ir->timer); usb_set_intfdata(intf, NULL); - usb_kill_urb(ir->urb); + usb_unpoison_urb(ir->urb); usb_free_urb(ir->urb); kfree(ir->buf_in); } From patchwork Thu May 12 12:37:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 12847654 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E9911C4332F for ; Thu, 12 May 2022 12:37:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353860AbiELMha (ORCPT ); Thu, 12 May 2022 08:37:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51110 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353856AbiELMh2 (ORCPT ); Thu, 12 May 2022 08:37:28 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1CDFE62216 for ; Thu, 12 May 2022 05:37:27 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id D04601F893; Thu, 12 May 2022 12:37:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1652359045; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fwf89B8V5+V3KZCamsMNefpJQ19baCYyZNDhaBPr9+g=; b=sssfD7f4+XfpHC4Pd0k6fKRVS7fdDcWfzfMuL3+rTK2f4gyZNijAp9Ae2qq3yPkWBiN9xn kELVlr/nTu1e4S/hsOQxGQ4Q+UXRYoxebTQnPug7NZ3WqeWDxOmGlTyRfhehpbGnF0Vsxe 18pH7OWsbP9o6F1lUheDScxXU8GXnho= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 97AF313ABE; Thu, 12 May 2022 12:37:25 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id +MJiI4X/fGL/GgAAMHmgww (envelope-from ); Thu, 12 May 2022 12:37:25 +0000 From: Oliver Neukum To: linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org Cc: Oliver Neukum Subject: [PATCHv2 4/4] igorplugusb: remove superfluous usb_unlink_urb() Date: Thu, 12 May 2022 14:37:23 +0200 Message-Id: <20220512123723.25815-4-oneukum@suse.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220512123723.25815-1-oneukum@suse.com> References: <20220512123723.25815-1-oneukum@suse.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org Calling that on yourself while the completion handler is running is a NOP. Remove it. v2: Resinding series due to omitting first patch Signed-off-by: Oliver Neukum --- drivers/media/rc/igorplugusb.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index b2245849f7aa..12ee5dd0a61a 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -110,7 +110,6 @@ static void igorplugusb_callback(struct urb *urb) case -ECONNRESET: case -ENOENT: case -ESHUTDOWN: - usb_unlink_urb(urb); return; default: dev_warn(ir->dev, "Error: urb status = %d\n", urb->status);