From: Oliver Neukum oneukum@suse.com
mainline inclusion
from mainline-5.3
commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46
category: bugfix
bugzilla: NA
DTS: NA
CVE: CVE-2019-19528
-------------------------------------------------
We have to drop the mutex before we close() upon disconnect() as close() needs the lock. This is safe to do by dropping the mutex as intfdata is already set to NULL, so open() will fail.
Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
Cc: stable stable@vger.kernel.org
Signed-off-by: Oliver Neukum oneukum@suse.com
Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Mao Wenan maowenan@huawei.com
---
 drivers/usb/misc/iowarrior.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index 1950e87b4219..eb8c08a54a77 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -889,19 +889,20 @@ static void iowarrior_disconnect(struct usb_interface *interface) dev = usb_get_intfdata(interface); mutex_lock(&iowarrior_open_disc_lock); usb_set_intfdata(interface, NULL); + /* prevent device read, write and ioctl */ + dev->present = 0;
minor = dev->minor; + mutex_unlock(&iowarrior_open_disc_lock); + /* give back our minor - this will call close() locks need to be dropped at this point*/
- /* give back our minor */ usb_deregister_dev(interface, &iowarrior_class);
mutex_lock(&dev->mutex);
/* prevent device read, write and ioctl */ - dev->present = 0;
mutex_unlock(&dev->mutex); - mutex_unlock(&iowarrior_open_disc_lock);
if (dev->opened) { /* There is a process that holds a filedescriptor to the device ,
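Review bot: In iowarrior_disconnect(), the mutex_lock(&dev->mutex) / mutex_unlock(&dev->mutex) pair is left enclosing only the old comment "/* prevent device read, write and ioctl */", because the dev->present = 0 assignment it described has moved up under iowarrior_open_disc_lock. Either remove the stale comment and add one saying the empty lock/unlock pair is kept deliberately to wait for whoever currently holds dev->mutex, or drop the pair if that wait is not needed; as written a reader cannot tell which is intended. The write to dev->present is also no longer made under dev->mutex, and the commit message only argues safety for open() (intfdata is already NULL), so it should also say why this is safe for any path that tests dev->present while holding dev->mutex. Style: the new comment before usb_deregister_dev() runs two sentences together on one long line and lacks a space before the closing */.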
On Wed, Dec 11, 2019 at 08:31:49PM +0800, Mao Wenan wrote:
> From: Oliver Neukum oneukum@suse.com
>
> mainline inclusion
> from mainline-5.3
> commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46
> category: bugfix
> bugzilla: NA
> DTS: NA
> CVE: CVE-2019-19528
>
> We have to drop the mutex before we close() upon disconnect() as close() needs the lock. This is safe to do by dropping the mutex as intfdata is already set to NULL, so open() will fail.
>
> Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
> Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
> Cc: stable stable@vger.kernel.org
> Signed-off-by: Oliver Neukum oneukum@suse.com
> Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
> Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
> Signed-off-by: Mao Wenan maowenan@huawei.com
>
>  drivers/usb/misc/iowarrior.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
Why are you cc:ing us all on these patches???
linux-stable-mirror@lists.linaro.org