usb: wusbcore: fix unbalanced get/put cluster_id [Linux 4.9.187]

This Linux kernel change "usb: wusbcore: fix unbalanced get/put cluster_id" is included in the Linux 4.9.187 release. It was authored by Phong Tran <tranmanphong [at] gmail.com> on Wed Jul 24 09:06:01 2019 +0700. The commit in the Linux stable tree is 5395597 (patch), backported from upstream commit f90bf1e. The same upstream change may have been applied to other maintained Linux releases; all Linux releases containing changes from upstream f90bf1e can be found there.

usb: wusbcore: fix unbalanced get/put cluster_id

commit f90bf1ece48a736097ea224430578fe586a9544c upstream.

syzbot reported that
https://syzkaller.appspot.com/bug?extid=fd2bd7df88c606eea4ef

There is no consistency in the parameter passed to the cluster_id_get/put calls.
In case getting the id ends in failure, wusbhc->cluster_id
will not be updated and so cannot be used for wusb_cluster_id_put().

Tested report
https://groups.google.com/d/msg/syzkaller-bugs/0znZopp3-9k/oxOrhLkLEgAJ

Reproducing under gdb gave the details:

139     addr = wusb_cluster_id_get();
(gdb) n
140     if (addr == 0)
(gdb) print addr
$1 = 254 '\376'
(gdb) n
142     result = __hwahc_set_cluster_id(hwahc, addr);
(gdb) print result
$2 = -71
(gdb) break wusb_cluster_id_put
Breakpoint 3 at 0xffffffff836e3f20: file drivers/usb/wusbcore/wusbhc.c, line 384.
(gdb) s
Thread 2 hit Breakpoint 3, wusb_cluster_id_put (id=0 '\000') at drivers/usb/wusbcore/wusbhc.c:384
384     id = 0xff - id;
(gdb) n
385     BUG_ON(id >= CLUSTER_IDS);
(gdb) print id
$3 = 255 '\377'

Reported-by: syzbot+fd2bd7df88c606eea4ef@syzkaller.appspotmail.com
Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190724020601.15257-1-tranmanphong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
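As an added example (not the commit's or the kernel's code), a small C model of the allocator behaviour the gdb trace shows: an id is encoded as 0xff minus its table slot, 0 means "none available", and the put recomputes the slot and checks it against CLUSTER_IDS. The model's CLUSTER_IDS value, the reserved slot 0 and the struct name are assumptions; the put returns -1 where the kernel would hit BUG_ON, so the old and fixed error paths can be compared.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: CLUSTER_IDS is an assumed size, the page does not give it. */
#define CLUSTER_IDS 32
static bool cluster_id_table[CLUSTER_IDS];

struct wusbhc_model { uint8_t cluster_id; };   /* hypothetical stand-in for wusbhc */

static void cluster_table_reset(void)
{
    memset(cluster_id_table, 0, sizeof cluster_id_table);
}

static bool slot_in_use(int slot) { return cluster_id_table[slot]; }

/* Encodes an id as 0xff - slot (the trace shows 254 for slot 1); 0 means failure. */
static uint8_t cluster_id_get(void)
{
    for (int slot = 1; slot < CLUSTER_IDS; slot++) {   /* slot 0 kept reserved here */
        if (!cluster_id_table[slot]) {
            cluster_id_table[slot] = true;
            return (uint8_t)(0xff - slot);
        }
    }
    return 0;
}

/* Mirrors wusbhc.c:384-385 from the trace, reporting the BUG_ON condition as -1. */
static int cluster_id_put(uint8_t id)
{
    id = (uint8_t)(0xff - id);
    if (id >= CLUSTER_IDS)
        return -1;                 /* 0xff - 0 = 255: where BUG_ON fired */
    cluster_id_table[id] = false;
    return 0;
}

/* Error path of a start routine whose "set cluster id" step fails.
 * use_field=true is the old code (put wusbhc->cluster_id, never assigned),
 * use_field=false is the fixed code (put the addr just obtained). */
static int start_with_failing_set(bool use_field)
{
    struct wusbhc_model hc = { .cluster_id = 0 };
    uint8_t addr = cluster_id_get();
    if (addr == 0)
        return -1;
    /* __hwahc_set_cluster_id() fails here (-71 in the trace), so hc.cluster_id stays 0. */
    return cluster_id_put(use_field ? hc.cluster_id : addr);
}
```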

There are 2 lines of Linux source code added/deleted in this change. The code changes to the Linux kernel are as follows.

 drivers/usb/host/hwa-hc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
index 97750f1..c14e4a6 100644
--- a/drivers/usb/host/hwa-hc.c
+++ b/drivers/usb/host/hwa-hc.c
@@ -173,7 +173,7 @@ static int hwahc_op_start(struct usb_hcd *usb_hcd)
    return result;

 error_set_cluster_id:
-   wusb_cluster_id_put(wusbhc->cluster_id);
+   wusb_cluster_id_put(addr);
 error_cluster_id_get:
    goto out;
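Review bot: the put at error_set_cluster_id must release the id that wusb_cluster_id_get() actually returned, which is the local addr, so replacing wusbhc->cluster_id with addr is the right fix: the gdb trace shows __hwahc_set_cluster_id() failing with -71 before the field is ever assigned, so the old call passed 0, computed 0xff - 0 = 255 and tripped BUG_ON(id >= CLUSTER_IDS) while leaking the real id (254). A one-line comment at the label saying that wusbhc->cluster_id is only valid once the set has succeeded would stop a future cleanup from reverting this to the field.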
