| d1857f82 | 17-Mar-2026 |
Adam Crosser <adam.crosser@praetorian.com> |
gpib: fix use-after-free in IO ioctl handlers
The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor pointer after board->big_gpib_mutex has been released. A concurrent IBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during this window, causing a use-after-free.
The IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly release big_gpib_mutex before calling their handler. wait_ioctl() is called with big_gpib_mutex held, but ibwait() releases it internally when wait_mask is non-zero. In all four cases, the descriptor pointer obtained from handle_to_descriptor() becomes unprotected.
Fix this by introducing a kernel-only descriptor_busy reference count in struct gpib_descriptor. Each handler atomically increments descriptor_busy under file_priv->descriptors_mutex before releasing the lock, and decrements it when done. close_dev_ioctl() checks descriptor_busy under the same lock and rejects the close with -EBUSY if the count is non-zero.
A reference count rather than a simple flag is necessary because multiple handlers can operate on the same descriptor concurrently (e.g. IBRD and IBWAIT on the same handle from different threads).
A separate counter is needed because io_in_progress can be cleared from unprivileged userspace via the IBWAIT ioctl (through general_ibstatus() with set_mask containing CMPL), which would allow an attacker to bypass a check based solely on io_in_progress. The new descriptor_busy counter is only modified by the kernel IO paths.
The lock ordering is consistent (big_gpib_mutex -> descriptors_mutex) and the handlers only hold descriptors_mutex briefly during the lookup, so there is no deadlock risk and no impact on IO throughput.
Signed-off-by: Adam Crosser <adam.crosser@praetorian.com>
Cc: stable <stable@kernel.org>
Reviewed-by: Dave Penkler <dpenkler@gmail.com>
Tested-by: Dave Penkler <dpenkler@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
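A user-space model of the fix described in the commit message above, added here as an illustration; it is not the driver's code. It keeps the names the message uses (descriptor_busy, descriptors_mutex, big_gpib_mutex, handle_to_descriptor, close_dev_ioctl, io_in_progress) but everything else is an assumption made for the model: the single-threaded struct mutex stand-in, the descriptor table, the io_ioctl and wait_ioctl_clear_cmpl functions, and the window/run_race scaffolding that replays the interleaving deterministically instead of racing real threads. It walks through the scenario the message describes: IBRD in flight, a second handler (IBWAIT) on the same handle, an IBWAIT from the attacker that clears io_in_progress, then IBCLOSEDEV. Close is refused with -EBUSY while either reference is held, even though the userspace-clearable io_in_progress bit is already clear at that point, and succeeds only once both handlers have dropped their reference.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#define MAX_DESCRIPTORS 8

/* Single-threaded stand-in for the kernel's struct mutex: enough to make release
 * points and lock order visible; a double lock (a self-deadlock) aborts. */
struct mutex { bool held; };
static void mutex_lock(struct mutex *m)   { if (m->held) abort(); m->held = true; }
static void mutex_unlock(struct mutex *m) { if (!m->held) abort(); m->held = false; }

/* Toy model, not driver code: io_in_progress is the status bit IBWAIT lets
 * userspace clear, descriptor_busy the kernel-only count the fix adds. */
struct gpib_descriptor { bool io_in_progress; unsigned int descriptor_busy; };
struct gpib_file_private {
	struct mutex descriptors_mutex;
	struct gpib_descriptor *descriptors[MAX_DESCRIPTORS];
};
static struct mutex big_gpib_mutex;	/* board->big_gpib_mutex; one board here */
typedef void (*io_window_fn)(struct gpib_file_private *, void *);

static struct gpib_descriptor *handle_to_descriptor(struct gpib_file_private *fp, int h)
{	return (h >= 0 && h < MAX_DESCRIPTORS) ? fp->descriptors[h] : NULL; }	/* under descriptors_mutex */

/* IBRD/IBWRT/IBCMD/IBWAIT after the fix: pin under descriptors_mutex (always nested
 * inside big_gpib_mutex), release big_gpib_mutex for the transfer, unpin afterwards.
 * during_io stands in for the transfer and for whatever other threads do meanwhile. */
int io_ioctl(struct gpib_file_private *fp, int h, io_window_fn during_io, void *ctx)
{
	mutex_lock(&big_gpib_mutex);
	mutex_lock(&fp->descriptors_mutex);
	struct gpib_descriptor *d = handle_to_descriptor(fp, h);
	if (d) { d->descriptor_busy++; d->io_in_progress = true; }
	mutex_unlock(&fp->descriptors_mutex);
	mutex_unlock(&big_gpib_mutex);
	if (!d) return -EINVAL;
	if (during_io) during_io(fp, ctx);	/* d cannot be freed in here */
	mutex_lock(&fp->descriptors_mutex);
	if (--d->descriptor_busy == 0) d->io_in_progress = false;
	mutex_unlock(&fp->descriptors_mutex);
	return 0;
}

/* IBWAIT with CMPL in set_mask: unprivileged userspace clears io_in_progress at will. */
int wait_ioctl_clear_cmpl(struct gpib_file_private *fp, int h)
{
	mutex_lock(&fp->descriptors_mutex);
	struct gpib_descriptor *d = handle_to_descriptor(fp, h);
	if (d) d->io_in_progress = false;
	mutex_unlock(&fp->descriptors_mutex);
	return d ? 0 : -EINVAL;
}

/* IBCLOSEDEV after the fix: -EBUSY while any handler still holds a reference. */
int close_dev_ioctl(struct gpib_file_private *fp, int h)
{
	int ret = -EINVAL;
	mutex_lock(&big_gpib_mutex);
	mutex_lock(&fp->descriptors_mutex);
	struct gpib_descriptor *d = handle_to_descriptor(fp, h);
	if (d && d->descriptor_busy) ret = -EBUSY;
	else if (d) { fp->descriptors[h] = NULL; free(d); ret = 0; }
	mutex_unlock(&fp->descriptors_mutex);
	mutex_unlock(&big_gpib_mutex);
	return ret;
}

/* The race on handle 0: IBRD in flight, IBWAIT on the same handle from a second
 * thread, then IBCLOSEDEV after the attacker has cleared io_in_progress. */
struct race_probe {
	int depth; bool io_flag_during;	/* nesting so far; io_in_progress at IBCLOSEDEV time */
	int close_two_refs, close_one_ref, close_idle, close_again;
};

static void window(struct gpib_file_private *fp, void *ctx)
{
	struct race_probe *p = ctx;
	if (p->depth++ == 0) {			/* inside IBRD: start IBWAIT as well */
		io_ioctl(fp, 0, window, p);
		p->close_one_ref = close_dev_ioctl(fp, 0);
		return;
	}
	wait_ioctl_clear_cmpl(fp, 0);		/* inside both: the attacker's moves */
	mutex_lock(&fp->descriptors_mutex);
	p->io_flag_during = fp->descriptors[0]->io_in_progress;
	mutex_unlock(&fp->descriptors_mutex);
	p->close_two_refs = close_dev_ioctl(fp, 0);
}

struct race_probe run_race(void)
{
	struct gpib_file_private fp = { { false }, { calloc(1, sizeof(struct gpib_descriptor)) } };
	struct race_probe p = { 0 };
	io_ioctl(&fp, 0, window, &p);		/* IBRD on the freshly opened handle 0 */
	p.close_idle = close_dev_ioctl(&fp, 0);
	p.close_again = close_dev_ioctl(&fp, 0);
	return p;
}
```

The nested callbacks are the model's way of freezing the interleaving at the exact point where the real handlers have dropped big_gpib_mutex; a thread-based version would have to synchronise on that point explicitly. The single-threaded mutex stand-in aborts on a recursive lock, so if a handler forgot to release big_gpib_mutex before the transfer window, the close attempt inside the window would abort instead of silently proceeding, which is the same property the commit message relies on when it says the handlers hold descriptors_mutex only briefly and in one fixed order.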
| 5cefb52c | 10-Mar-2026 |
Johan Hovold <johan@kernel.org> |
gpib: lpvo_usb: fix memory leak on disconnect
The driver iterates over the registered USB interfaces during GPIB attach and takes a reference to their USB devices until a match is found. These references are never released which leads to a memory leak when devices are disconnected.
Fix the leak by dropping the unnecessary references.
Fixes: fce79512a96a ("staging: gpib: Add LPVO DIY USB GPIB driver")
Cc: stable <stable@kernel.org> # 6.13
Cc: Dave Penkler <dpenkler@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260310105127.17538-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 3df1fd31 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: tnt4882: Unify *allocate_private usage
Use the return value of tnt4882_allocate_private in calling code as early return value in case of error.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-28-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 9effb865 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: tnt4882: Unify *allocate_private return value
Return -ENOMEM instead of -1 in tnt4882_allocate_private in case of memory allocation failure.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-27-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| a16ad9b6 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: tnt4882: Replace kmalloc/memset to kzalloc in *allocate_private
Replace the kmalloc/memset pair with kzalloc in tnt4882_allocate_private.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-26-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| c2a9f77c | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: pc2: Unify *allocate_private usage
Use the return value of allocate_private in calling code as early return value in case of error.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-25-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 68de22e9 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: pc2: Unify *allocate_private return value
Return -ENOMEM instead of -1 in allocate_private in case of memory allocation failure.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-24-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 6e6dc3f7 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: pc2: Replace kmalloc/memset to kzalloc in *allocate_private
Replace the kmalloc/memset pair with kzalloc in allocate_private.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-23-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 78047416 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: ni_usb: Fix the *allocate_private retval check
Change
    if (retval < 0) return retval;
into
    if (retval) return retval;
as it is more fitting in this case.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-22-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 64900aa8 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: ni_usb: Replace kmalloc/memset to kzalloc in *allocate_private
Replace the kmalloc/memset pair with kzalloc in ni_usb_allocate_private.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-21-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 11f1b169 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: ines: Unify *allocate_private usage
Use the return value of ines_allocate_private in calling code as early return value in case of error.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-20-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 24d4d06a | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: ines: Unify *allocate_private return value
Return -ENOMEM instead of -1 in ines_allocate_private in case of memory allocation failure.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-19-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| b3d3ab10 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: ines: Replace kmalloc/memset to kzalloc in *allocate_private
Replace the kmalloc/memset pair with kzalloc in ines_allocate_private.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-18-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 3f5d8316 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: hp_82341: Unify *allocate_private usage
Use the return value of hp_82341_allocate_private in calling code as early return value in case of error.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-17-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| c0790b6c | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: hp_82335: Unify *allocate_private usage
Use the return value of hp82335_allocate_private in calling code as early return value in case of error.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-16-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 0a1e9b99 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: hp_82335: Unify *allocate_private return value
Return -ENOMEM instead of -1 in hp82335_allocate_private in case of memory allocation failure.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-15-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 1dd1bc4d | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: gpio: Unify *allocate_private usage
Use the return value of allocate_private in calling code as early return value in case of error.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-14-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| ad161c8b | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: gpio: Unify *allocate_private return value
Return -ENOMEM instead of -1 in allocate_private in case of memory allocation failure.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-13-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| c47b98c4 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: fmh_gpib: Fix the *allocate_private retval check
Change
    if (retval < 0) return retval;
into
    if (retval) return retval;
as it is more fitting in this case.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-12-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| 578481c3 | 16-Jan-2026 |
Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com> |
gpib: fmh_gpib: Replace kmalloc/memset to kzalloc in *allocate_private
Replace the kmalloc/memset pair with kzalloc in fmh_gpib_allocate_private.
Signed-off-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
Link: https://patch.msgid.link/20260116174647.317256-11-dominik.karol.piatkowski@protonmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>