From: Larshin Sergey
To: Sean Young
CC: Larshin Sergey, Mauro Carvalho Chehab, Jarod Wilson
Subject: [PATCH] media: rc: fix races with imon_disconnect()
Date: Tue, 29 Jul 2025 13:13:32 +0300
Message-ID: <20250729101332.2435282-1-Sergey.Larshin@kaspersky.com>
X-Mailer: git-send-email 2.39.5
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot reports a KASAN issue as below:

BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465

CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 __create_pipe include/linux/usb.h:1945 [inline]
 send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
 vfs_write+0x2d7/0xdd0 fs/read_write.c:576
 ksys_write+0x127/0x250 fs/read_write.c:631
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The iMON driver improperly releases the usb_device reference in
imon_disconnect without coordinating with active users of the device.
Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected
by the users counter (ictx->users).

During probe, imon_init_intf0 or imon_init_intf1 increments the
usb_device reference count depending on the interface. However, during
disconnect, usb_put_dev is called unconditionally, regardless of actual
usage. As a result, if vfd_write or other operations are still in
progress after disconnect, this can lead to a use-after-free of the
usb_device pointer.

Thread 1                            Thread 2
vfd_write                           imon_disconnect
 ...                                 if
                                      usb_put_dev(ictx->usbdev_intf0)
                                     else
                                      usb_put_dev(ictx->usbdev_intf1)
                                     ...
 while
  send_packet
   if
    pipe = usb_sndintpipe(
     ictx->usbdev_intf0)             UAF
   else
    pipe = usb_sndctrlpipe(
     ictx->usbdev_intf0, 0)          UAF

Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by
checking ictx->disconnected in all writer paths. Add early return with
-ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if
the device is no longer present. Set and read ictx->disconnected under
ictx->lock to ensure memory synchronization. Acquire the lock in
imon_disconnect() before setting the flag to synchronize with any
ongoing operations. Ensure writers exit early and safely after
disconnect before the USB core proceeds with cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Reported-by: syzbot+f1a69784f6efe748c3bf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f1a69784f6efe748c3bf
Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver")
Cc: stable@vger.kernel.org
Signed-off-by: Larshin Sergey
---
 drivers/media/rc/imon.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..cf3e6e43c0c7 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -536,7 +536,9 @@ static int display_open(struct inode *inode, struct fil= e *file) =20 mutex_lock(&ictx->lock); =20 - if (!ictx->display_supported) { + if (ictx->disconnected) { + retval =3D -ENODEV; + } else if (!ictx->display_supported) { pr_err("display not supported by device\n"); retval =3D -ENODEV; } else if (ictx->display_isopen) { @@ -598,6 +600,9 @@ static int send_packet(struct imon_context *ictx) int retval =3D 0; struct usb_ctrlrequest *control_req =3D NULL; =20 + if (ictx->disconnected) + return -ENODEV; + /* Check if we need to use control or interrupt urb */ if (!ictx->tx_control) { pipe =3D usb_sndintpipe(ictx->usbdev_intf0, @@ -949,12 +954,14 @@ static ssize_t vfd_write(struct file *file, const cha= r __user *buf, static const unsigned char vfd_packet6[] =3D { 0x01, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF }; =20 - if (ictx->disconnected) - return -ENODEV; - if (mutex_lock_interruptible(&ictx->lock)) return -ERESTARTSYS; =20 + if (ictx->disconnected) { + retval =3D -ENODEV; + goto exit; + } + if (!ictx->dev_present_intf0) { pr_err_ratelimited("no iMON device present\n"); retval =3D -ENODEV; @@ -1029,11 +1036,13 @@ static ssize_t lcd_write(struct file *file, const c= har __user *buf, int retval =3D 0; struct imon_context *ictx =3D file->private_data; =20 - if (ictx->disconnected) - return -ENODEV; - mutex_lock(&ictx->lock); =20 + if (ictx->disconnected) { + retval =3D -ENODEV; + goto exit; + } + if (!ictx->display_supported) { pr_err_ratelimited("no iMON display present\n"); retval =3D -ENODEV; @@ -2499,7 +2508,11 @@ static void imon_disconnect(struct usb_interface *in= terface) int ifnum; =20 ictx =3D usb_get_intfdata(interface); + + mutex_lock(&ictx->lock); ictx->disconnected =3D true; + mutex_unlock(&ictx->lock); + dev =3D ictx->dev; ifnum =3D interface->cur_altsetting->desc.bInterfaceNumber; =20 --=20 2.39.5
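Review bot: in the display_open() hunk the new `if (ictx->disconnected)` branch sits after `mutex_lock(&ictx->lock)`, which matches the locking rule the commit message states, but nothing in the code records that rule. Since this same patch removes the lock-free `if (ictx->disconnected)` checks at the top of vfd_write() and lcd_write(), a one-line comment on the `disconnected` field (or beside this first locked check) saying it is read and written only under ictx->lock would stop the lockless form from being reintroduced by a later cleanup.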
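Review bot: the early `if (ictx->disconnected) return -ENODEV;` in the send_packet() hunk is only race-free when the caller already holds ictx->lock, because that is the lock imon_disconnect() now takes before writing the flag. The two callers visible in this patch, vfd_write() and lcd_write(), do lock first, but send_packet() itself carries no annotation; add `lockdep_assert_held(&ictx->lock);` next to the check (or at least a "caller must hold ictx->lock" comment), and confirm that every other send_packet() caller in imon.c holds the lock too, since any caller that does not keeps the original race regardless of this check.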
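Review bot: moving the `ictx->disconnected` test below `mutex_lock_interruptible(&ictx->lock)` is the substantive fix in the vfd_write() hunk, and the new `goto exit` relies on the existing `exit:` label releasing the lock before returning, which is outside the diff context; please double-check that path unlocks. Placing the check ahead of `!ictx->dev_present_intf0` also means a plain unplug returns -ENODEV without hitting the ratelimited "no iMON device present" message; if that is the intent, a short comment saying so would keep someone from "fixing" the order later.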
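Review bot: the lcd_write() hunk mirrors vfd_write(), but this function acquires the mutex with plain `mutex_lock(&ictx->lock)` while vfd_write() uses `mutex_lock_interruptible()` and returns -ERESTARTSYS. The asymmetry predates the patch, but now that imon_disconnect() serialises on the same mutex it would be consistent to use the interruptible variant here as well, either in this patch or as a follow-up. As in vfd_write(), the `goto exit` assumes the `exit:` label drops the lock, which the context lines do not show.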
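Review bot: the imon_disconnect() hunk takes `mutex_lock(&ictx->lock)` only to set `ictx->disconnected = true`, and the reason that matters is not stated in the code. Acquiring the lock is what makes disconnect wait for any vfd_write() or lcd_write() that is inside send_packet() with the lock held, so that the unconditional usb_put_dev() calls the commit message describes run only after that writer has finished, while any writer arriving later sees the flag under the lock and bails out. Please put a comment saying exactly that above the `mutex_lock`, otherwise a later cleanup could plausibly replace it with a WRITE_ONCE() and silently reopen the race. It would also help to state, in the commit message or a comment, whether any path other than these writers touches usbdev_intf0/usbdev_intf1 without ictx->lock (URB completion callbacks, the IR receive path), since such paths are not covered by this flag.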
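The commit message's "Thread 1 / Thread 2" diagram and the description of the fix can be replayed outside the kernel. The following is an added example, not code from the patch or from the imon driver: a single-threaded userspace model in which the USB device, ictx->lock and the scheduler are all simulated, so the pre-patch flow (flag checked outside the lock, disconnect never takes the lock) and the patched flow (flag read and written under the lock) can be compared deterministically. Assumptions: the `freed` field stands in for the allocator reclaiming the usb_device, `lock_held`/`disconnect_waiting` model a mutex that disconnect sleeps on, and the `disconnect_now` argument is a hypothetical preemption point where the USB core calls imon_disconnect() right before send_packet() dereferences usbdev_intf0.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for struct usb_device: "freed" models the object being reclaimed
 * once the last reference is dropped (the memory KASAN saw being read). */
struct usb_device {
	int refcount;
	bool freed;
};

struct imon_context {
	bool patched;		 /* false: pre-patch flow, true: flow after this patch */
	bool lock_held;		 /* cooperative model of ictx->lock */
	bool disconnect_waiting; /* imon_disconnect() is asleep on the mutex */
	bool disconnected;
	struct usb_device *usbdev_intf0;
	int uaf_reads;		 /* reads of a freed usb_device */
};

static void imon_disconnect(struct imon_context *ictx);

static void usb_put_dev(struct usb_device *dev)
{
	if (--dev->refcount == 0)
		dev->freed = true;
}

static void mutex_lock(struct imon_context *ictx)
{
	ictx->lock_held = true;
}

/* Releasing the lock hands it to a disconnect that was sleeping on it. */
static void mutex_unlock(struct imon_context *ictx)
{
	ictx->lock_held = false;
	if (ictx->disconnect_waiting) {
		ictx->disconnect_waiting = false;
		imon_disconnect(ictx);
	}
}

static void imon_disconnect(struct imon_context *ictx)
{
	if (ictx->patched) {
		if (ictx->lock_held) {		/* mutex_lock() would sleep here */
			ictx->disconnect_waiting = true;
			return;
		}
		mutex_lock(ictx);
		ictx->disconnected = true;
		mutex_unlock(ictx);
	} else {
		ictx->disconnected = true;	/* pre-patch: written without the lock */
	}
	usb_put_dev(ictx->usbdev_intf0);	/* unconditional, as in the driver */
}

/* Models the dereference usb_sndintpipe(ictx->usbdev_intf0, ...) performs. */
static int send_packet(struct imon_context *ictx)
{
	struct usb_device *dev = ictx->usbdev_intf0;

	if (ictx->patched && ictx->disconnected)
		return -ENODEV;
	if (dev->freed)
		ictx->uaf_reads++;
	return 0;
}

/* vfd_write() with imon_disconnect() arriving just before send_packet()
 * when disconnect_now is set: the hypothetical preemption point. */
static int vfd_write(struct imon_context *ictx, bool disconnect_now)
{
	int retval;

	if (!ictx->patched && ictx->disconnected)	/* old check, outside the lock */
		return -ENODEV;
	mutex_lock(ictx);
	if (ictx->patched && ictx->disconnected) {	/* new check, under the lock */
		retval = -ENODEV;
		goto out;
	}
	if (disconnect_now)
		imon_disconnect(ictx);
	retval = send_packet(ictx);
out:
	mutex_unlock(ictx);
	return retval;
}

/* One write racing with disconnect, then one write after it. Returns the
 * number of freed-device reads; *second_write gets the later write's result. */
static int replay(bool patched, int *second_write)
{
	struct usb_device dev = { .refcount = 1, .freed = false };
	struct imon_context ictx = { .patched = patched, .usbdev_intf0 = &dev };

	vfd_write(&ictx, true);
	*second_write = vfd_write(&ictx, false);
	return ictx.uaf_reads;
}

int replay_uaf_reads(bool patched) { int s; return replay(patched, &s); }
int replay_second_write(bool patched) { int s; replay(patched, &s); return s; }

int main(void)
{
	printf("pre-patch: %d freed-device read(s), later write returns %d\n",
	       replay_uaf_reads(false), replay_second_write(false));
	printf("patched:   %d freed-device read(s), later write returns %d\n",
	       replay_uaf_reads(true), replay_second_write(true));
	return 0;
}
```

In the pre-patch replay the writer passes its lockless check, disconnect drops the only reference while the writer still holds ictx->lock, and send_packet() reads the freed device once; in the patched replay disconnect finds the lock held, sleeps until the writer releases it, and only then flips the flag and drops the reference, so the in-flight write completes against a live device and the next write fails cleanly with -ENODEV. The model is single-threaded on purpose: it shows the ordering argument, not the timing, and is not a substitute for running the driver under KASAN.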