[PATCH] driver: powermate: kill urb in the disconnect function

From: Dongliang Mu
Date: Sun Dec 19 2021 - 01:03:04 EST

Next message: Zev Weiss: "Re: [PATCH] hwmon: (nct6775) add support for TSI temperature registers"
Previous message: Nadav Amit: "Re: [PATCH v1 06/11] mm: support GUP-triggered unsharing via FAULT_FLAG_UNSHARE (!hugetlb)"
Next in thread: Dmitry Torokhov: "Re: [PATCH] driver: powermate: kill urb in the disconnect function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In powermate_disconnect, powermate_pulse_led will invoke
powermate_sync_state and submit one urb with pm as its context.
If powermate disconnect before the execution of complete handler,
the pm will become a dangling pointer and lead to UAF.

Fix this by calling usb_kill_urb(pm->config) in the disconnect function.
Note that, the error handling error does not need to take care of this.

Reported-by: syzbot+9780d2b05ac158d32284@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: ba0acb5ee318901 ("Input: move USB miscellaneous devices under drivers/input/misc")
Signed-off-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
---
drivers/input/misc/powermate.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
index c4e0e1886061..903993469fde 100644
--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
@@ -424,6 +424,7 @@ static void powermate_disconnect(struct usb_interface *intf)
if (pm) {
pm->requires_update = 0;
usb_kill_urb(pm->irq);
+ usb_kill_urb(pm->config);
input_unregister_device(pm->input);
usb_free_urb(pm->irq);
usb_free_urb(pm->config);
--
2.25.1

Next message: Zev Weiss: "Re: [PATCH] hwmon: (nct6775) add support for TSI temperature registers"
Previous message: Nadav Amit: "Re: [PATCH v1 06/11] mm: support GUP-triggered unsharing via FAULT_FLAG_UNSHARE (!hugetlb)"
Next in thread: Dmitry Torokhov: "Re: [PATCH] driver: powermate: kill urb in the disconnect function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]