From patchwork Thu May 12 12:38:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 12847656 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82ACAC433EF for ; Thu, 12 May 2022 12:38:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353866AbiELMiy (ORCPT ); Thu, 12 May 2022 08:38:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57376 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353773AbiELMix (ORCPT ); Thu, 12 May 2022 08:38:53 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8EA1962216 for ; Thu, 12 May 2022 05:38:52 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 4DF0421C75; Thu, 12 May 2022 12:38:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1652359131; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=g3jRLtMPE5wzF0FQyvN6VBs6PGUWKc5lOX3xVch6neU=; b=FtBtXuXYNC+3Oq3d8+Bu7TPaa20wO1PIXaS5LN9lhY7OIhutg9mLWub5Bhdnmkr8Wgw5hz Zcm1iPNScocH9khSc50T6KQcAQ0JPaInFUUT2FqbghxXw5xa6jXb5ZHHrmRaTY8iCokz8I ANKeb7jvtdlugh7d6NfYRs6aebIDLWk= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 1A6FE13ABE; Thu, 12 May 2022 12:38:51 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id rCXGBNv/fGKqGwAAMHmgww (envelope-from ); Thu, 12 May 2022 12:38:51 +0000 From: Oliver Neukum To: linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org Cc: Oliver Neukum Subject: [PATCH 1/4] igorplugusb: respect DMA coherency Date: Thu, 12 May 2022 14:38:46 +0200 Message-Id: <20220512123849.25903-1-oneukum@suse.com> X-Mailer: git-send-email 2.35.3 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The coherency rules mean that you cannot embed a buffer inside a descriptor. kmalloc() separately. Signed-off-by: Oliver Neukum --- drivers/media/rc/igorplugusb.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index b40dbf500186..b46362da8623 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -38,7 +38,7 @@ struct igorplugusb { struct timer_list timer; - uint8_t buf_in[MAX_PACKET]; + u8 *buf_in; char phys[64]; }; @@ -177,6 +177,9 @@ static int igorplugusb_probe(struct usb_interface *intf, if (!ir->urb) goto fail; + ir->buf_in = kmalloc(MAX_PACKET, GFP_KERNEL); + if (!ir->buf_in) + goto fail; usb_fill_control_urb(ir->urb, udev, usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request, ir->buf_in, sizeof(ir->buf_in), igorplugusb_callback, ir); @@ -223,6 +226,7 @@ static int igorplugusb_probe(struct usb_interface *intf, rc_free_device(ir->rc); usb_free_urb(ir->urb); del_timer(&ir->timer); + kfree(ir->buf_in); return ret; } @@ -236,6 +240,7 @@ static void igorplugusb_disconnect(struct usb_interface *intf) usb_set_intfdata(intf, NULL); usb_kill_urb(ir->urb); usb_free_urb(ir->urb); + kfree(ir->buf_in); } static const struct usb_device_id igorplugusb_table[] = { From patchwork Thu May 12 12:38:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 12847657 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C569C433EF for ; Thu, 12 May 2022 12:39:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353860AbiELMi7 (ORCPT ); Thu, 12 May 2022 08:38:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57798 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353880AbiELMi6 (ORCPT ); Thu, 12 May 2022 08:38:58 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7E76062A28 for ; Thu, 12 May 2022 05:38:57 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 37AAE1F88F; Thu, 12 May 2022 12:38:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1652359136; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BNJI+u1QPL4iKmQOgR9HOOU515MZvyu/0IWN9/HT5Jw=; b=jUinTGPpFsu/yVLzzy9W9OhjpktyEdc+7keJqcLJ8n6lIJ9EvXdvFumUBh/nbSGFT4jZ1D I1cUGkcJ3jutz/kToUClHD96gyG15RtDaNdx1NsSGZCFDTnf68Zkk1KzYN7s3BrFM6rzW7 ehYoAud5Y0wo7RDH7LXa3d7+svK2vEw= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id F1FBD13ABE; Thu, 12 May 2022 12:38:55 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id UIppOd//fGKqGwAAMHmgww (envelope-from ); Thu, 12 May 2022 12:38:55 +0000 From: Oliver Neukum To: linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org Cc: Oliver Neukum Subject: [PATCH 2/4] igorplugusb: prevent use after free in probe error Date: Thu, 12 May 2022 14:38:47 +0200 Message-Id: <20220512123849.25903-2-oneukum@suse.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220512123849.25903-1-oneukum@suse.com> References: <20220512123849.25903-1-oneukum@suse.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The timer uses the URB. Free it only after the timer has been stopped. Signed-off-by: Oliver Neukum --- drivers/media/rc/igorplugusb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index b46362da8623..1afba95409ff 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -223,9 +223,9 @@ static int igorplugusb_probe(struct usb_interface *intf, return 0; fail: - rc_free_device(ir->rc); - usb_free_urb(ir->urb); del_timer(&ir->timer); + usb_free_urb(ir->urb); + rc_free_device(ir->rc); kfree(ir->buf_in); return ret; From patchwork Thu May 12 12:38:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 12847658 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9FD9FC433EF for ; Thu, 12 May 2022 12:39:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353883AbiELMjC (ORCPT ); Thu, 12 May 2022 08:39:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57940 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353880AbiELMjB (ORCPT ); Thu, 12 May 2022 08:39:01 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E96F62136 for ; Thu, 12 May 2022 05:38:59 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 50D0A1F893; Thu, 12 May 2022 12:38:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1652359138; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Cl1chpKtxWdZhiKHeu+ldZiumzQWQfZbSHf2WvQ8XlY=; b=JfIL9pf5+mixGbtoMcQcc4807zNcBXL8y1IGf3nm9FZOWo9Kn3LkzT+0fEstP5Nb4L3TkO p8Zu1bKyOxmyUFDdLjsfp4F5g2BwCqQJePApAeBeE6GZ7ygY7zdCjaLnKCUGQez5L58zw0 atoEcUKo/zwBLHAsfREa9E3DdwC73C4= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 20A1913ABE; Thu, 12 May 2022 12:38:58 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id CE4wBuL/fGKqGwAAMHmgww (envelope-from ); Thu, 12 May 2022 12:38:58 +0000 From: Oliver Neukum To: linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org Cc: Oliver Neukum Subject: [PATCH 3/4] igorplugusb: break cyclical race on disconnect Date: Thu, 12 May 2022 14:38:48 +0200 Message-Id: <20220512123849.25903-3-oneukum@suse.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220512123849.25903-1-oneukum@suse.com> References: <20220512123849.25903-1-oneukum@suse.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The driver uses a timer, that may submit the URB and the URB may start the timer. No simple order of killing can break te cycle. Poison the URB before killing the timer. Signed-off-by: Oliver Neukum --- drivers/media/rc/igorplugusb.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index 1afba95409ff..b2245849f7aa 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -126,7 +126,7 @@ static void igorplugusb_cmd(struct igorplugusb *ir, int cmd) ir->request.bRequest = cmd; ir->urb->transfer_flags = 0; ret = usb_submit_urb(ir->urb, GFP_ATOMIC); - if (ret) + if (ret && ret != -EPERM) dev_err(ir->dev, "submit urb failed: %d", ret); } @@ -223,7 +223,9 @@ static int igorplugusb_probe(struct usb_interface *intf, return 0; fail: + usb_poison_urb(ir->urb); del_timer(&ir->timer); + usb_unpoison_urb(ir->urb); usb_free_urb(ir->urb); rc_free_device(ir->rc); kfree(ir->buf_in); @@ -236,9 +238,10 @@ static void igorplugusb_disconnect(struct usb_interface *intf) struct igorplugusb *ir = usb_get_intfdata(intf); rc_unregister_device(ir->rc); + usb_poison_urb(ir->urb); del_timer_sync(&ir->timer); usb_set_intfdata(intf, NULL); - usb_kill_urb(ir->urb); + usb_unpoison_urb(ir->urb); usb_free_urb(ir->urb); kfree(ir->buf_in); } From patchwork Thu May 12 12:38:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 12847659 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE9E9C4332F for ; Thu, 12 May 2022 12:39:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353889AbiELMjD (ORCPT ); Thu, 12 May 2022 08:39:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58096 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353882AbiELMjC (ORCPT ); Thu, 12 May 2022 08:39:02 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 39BF36223C for ; Thu, 12 May 2022 05:39:01 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id EBD6F21C75; Thu, 12 May 2022 12:38:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1652359139; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=dOSpqB3pLDS6sMKSpThZSIaP5oLpMXTeavYUI6S8mW8=; b=a9BJ0GATjnzEwX8oGp5sKok1cQ3CopM/9X7YOxvFPclhAjKFUUBzq8C5jr4Nq1wLmR2Lma JFKHVKN6f11LkodoFOggr26IHMG82AfoEQn84CPA0McYANU/TiOMFngIwFCZ6Hw0No7H76 sYEiWn5LKL769i5C0Fh8A2rqx7wUiuo= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id AF0EF13ABE; Thu, 12 May 2022 12:38:59 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id QFv6KOP/fGKqGwAAMHmgww (envelope-from ); Thu, 12 May 2022 12:38:59 +0000 From: Oliver Neukum To: linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org Cc: Oliver Neukum Subject: [PATCH 4/4] igorplugusb: remove superfluous usb_unlink_urb() Date: Thu, 12 May 2022 14:38:49 +0200 Message-Id: <20220512123849.25903-4-oneukum@suse.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220512123849.25903-1-oneukum@suse.com> References: <20220512123849.25903-1-oneukum@suse.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org Calling that on yourself while the completion handler is running is a NOP. Remove it. Signed-off-by: Oliver Neukum --- drivers/media/rc/igorplugusb.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index b2245849f7aa..12ee5dd0a61a 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -110,7 +110,6 @@ static void igorplugusb_callback(struct urb *urb) case -ECONNRESET: case -ENOENT: case -ESHUTDOWN: - usb_unlink_urb(urb); return; default: dev_warn(ir->dev, "Error: urb status = %d\n", urb->status);