From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org Cc: Shuah Khan , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, stable@vger.kernel.org Subject: [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths Date: Mon, 29 Mar 2021 19:36:48 -0600 Message-Id: X-Mailer: git-send-email 2.27.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. This problem is common to all drivers while it can be reproduced easily in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths. Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host and usip-vudc drivers and the event handler will have to use this lock to protect the paths. These changes will be done in subsequent patches. Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Shuah Khan --- drivers/usb/usbip/usbip_common.h | 3 +++ drivers/usb/usbip/vhci_hcd.c | 1 + drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++----- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h index d60ce17d3dd2..ea2a20e6d27d 100644 --- a/drivers/usb/usbip/usbip_common.h +++ b/drivers/usb/usbip/usbip_common.h @@ -263,6 +263,9 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + /* mutex for synchronizing sysfs store paths */ + struct mutex sysfs_lock; + int sockfd; struct socket *tcp_socket; diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index a20a8380ca0c..4ba6bcdaa8e9 100644 --- a/drivers/usb/usbip/vhci_hcd.c 
+++ b/drivers/usb/usbip/vhci_hcd.c @@ -1101,6 +1101,7 @@ static void vhci_device_init(struct vhci_device *vdev) vdev->ud.side = USBIP_VHCI; vdev->ud.status = VDEV_ST_NULL; spin_lock_init(&vdev->ud.lock); + mutex_init(&vdev->ud.sysfs_lock); INIT_LIST_HEAD(&vdev->priv_rx); INIT_LIST_HEAD(&vdev->priv_tx); diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c index c4b4256e5dad..e2847cd3e6e3 100644 --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c @@ -185,6 +185,8 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) usbip_dbg_vhci_sysfs("enter\n"); + mutex_lock(&vdev->ud.sysfs_lock); + /* lock */ spin_lock_irqsave(&vhci->lock, flags); spin_lock(&vdev->ud.lock); @@ -195,6 +197,7 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) /* unlock */ spin_unlock(&vdev->ud.lock); spin_unlock_irqrestore(&vhci->lock, flags); + mutex_unlock(&vdev->ud.sysfs_lock); return -EINVAL; } @@ -205,6 +208,8 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN); + mutex_unlock(&vdev->ud.sysfs_lock); + return 0; } 
@@ -349,30 +354,36 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, else vdev = &vhci->vhci_hcd_hs->vdev[rhport]; + mutex_lock(&vdev->ud.sysfs_lock); + /* Extract socket from fd. */ socket = sockfd_lookup(sockfd, &err); if (!socket) { dev_err(dev, "failed to lookup sock"); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } if (socket->type != SOCK_STREAM) { dev_err(dev, "Expecting SOCK_STREAM - found %d", socket->type); sockfd_put(socket); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } /* create threads before locking */ tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx"); if (IS_ERR(tcp_rx)) { sockfd_put(socket); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx"); if (IS_ERR(tcp_tx)) { kthread_stop(tcp_rx); sockfd_put(socket); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } /* get task structs now */ @@ -397,7 +408,8 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, * Will be retried from userspace * if there's another free port. */ - return -EBUSY; + err = -EBUSY; + goto unlock_mutex; } dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n", 
@@ -423,7 +435,15 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, rh_port_connect(vdev, speed); + dev_info(dev, "Device attached\n"); + + mutex_unlock(&vdev->ud.sysfs_lock); + return count; + +unlock_mutex: + mutex_unlock(&vdev->ud.sysfs_lock); + return err; } static DEVICE_ATTR_WO(attach);
From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org Cc: Shuah Khan , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, stable@vger.kernel.org Subject: [PATCH 2/4] usbip: stub-dev synchronize sysfs code paths Date: Mon, 29 Mar 2021 19:36:49 -0600 Message-Id: <2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to protect sysfs paths in stub-dev. Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Shuah Khan --- drivers/usb/usbip/stub_dev.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c index 8f1de1fbbeed..d8d3892e5a69 100644 --- a/drivers/usb/usbip/stub_dev.c +++ b/drivers/usb/usbip/stub_dev.c @@ -63,6 +63,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a dev_info(dev, "stub up\n"); + mutex_lock(&sdev->ud.sysfs_lock); spin_lock_irq(&sdev->ud.lock); if (sdev->ud.status != SDEV_ST_AVAILABLE) { @@ -87,13 +88,13 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx"); if (IS_ERR(tcp_rx)) { sockfd_put(socket); - return -EINVAL; + goto unlock_mutex; } tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx"); if (IS_ERR(tcp_tx)) { kthread_stop(tcp_rx); sockfd_put(socket); - return -EINVAL; + goto unlock_mutex; } /* get task structs now */ 
@@ -112,6 +113,8 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a wake_up_process(sdev->ud.tcp_rx); wake_up_process(sdev->ud.tcp_tx); + mutex_unlock(&sdev->ud.sysfs_lock); + } else { dev_info(dev, "stub down\n"); @@ -122,6 +125,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a spin_unlock_irq(&sdev->ud.lock); usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN); + mutex_unlock(&sdev->ud.sysfs_lock); } return count; @@ -130,6 +134,8 @@ static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *a sockfd_put(socket); err: spin_unlock_irq(&sdev->ud.lock); +unlock_mutex: + mutex_unlock(&sdev->ud.sysfs_lock); return -EINVAL; } static DEVICE_ATTR_WO(usbip_sockfd); 
@@ -270,6 +276,7 @@ static struct stub_device *stub_device_alloc(struct usb_device *udev) sdev->ud.side = USBIP_STUB; sdev->ud.status = SDEV_ST_AVAILABLE; spin_lock_init(&sdev->ud.lock); + mutex_init(&sdev->ud.sysfs_lock); sdev->ud.tcp_socket = NULL; sdev->ud.sockfd = -1;
From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org Cc: Shuah Khan , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, stable@vger.kernel.org Subject: [PATCH 3/4] usbip: vudc synchronize sysfs code paths Date: Mon, 29 Mar 2021 19:36:50 -0600 Message-Id: X-Mailer: git-send-email 2.27.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to protect sysfs paths in vudc. Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Shuah Khan --- drivers/usb/usbip/vudc_dev.c | 1 + drivers/usb/usbip/vudc_sysfs.c | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c index c8eeabdd9b56..2bc428f2e261 100644 --- a/drivers/usb/usbip/vudc_dev.c +++ b/drivers/usb/usbip/vudc_dev.c @@ -572,6 +572,7 @@ static int init_vudc_hw(struct vudc *udc) init_waitqueue_head(&udc->tx_waitq); spin_lock_init(&ud->lock); + mutex_init(&ud->sysfs_lock); ud->status = SDEV_ST_AVAILABLE; ud->side = USBIP_VUDC; diff --git a/drivers/usb/usbip/vudc_sysfs.c b/drivers/usb/usbip/vudc_sysfs.c index 7383a543c6d1..f7633ee655a1 100644 --- a/drivers/usb/usbip/vudc_sysfs.c +++ b/drivers/usb/usbip/vudc_sysfs.c @@ -112,6 +112,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, dev_err(dev, "no device"); return -ENODEV; } + mutex_lock(&udc->ud.sysfs_lock); spin_lock_irqsave(&udc->lock, flags); /* Don't export what we don't have */ if (!udc->driver || !udc->pullup) { 
@@ -187,6 +188,8 @@ static ssize_t usbip_sockfd_store(struct device *dev, wake_up_process(udc->ud.tcp_rx); wake_up_process(udc->ud.tcp_tx); + + mutex_unlock(&udc->ud.sysfs_lock); return count; } else { @@ -207,6 +210,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, } spin_unlock_irqrestore(&udc->lock, flags); + mutex_unlock(&udc->ud.sysfs_lock); return count; 
@@ -216,6 +220,7 @@ static ssize_t usbip_sockfd_store(struct device *dev, spin_unlock_irq(&udc->ud.lock); unlock: spin_unlock_irqrestore(&udc->lock, flags); + mutex_unlock(&udc->ud.sysfs_lock); return ret; }
From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org Cc: Shuah Khan , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, stable@vger.kernel.org Subject: [PATCH 4/4] usbip: synchronize event handler with sysfs code paths Date: Mon, 29 Mar 2021 19:36:51 -0600 Message-Id: X-Mailer: git-send-email 2.27.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to synchronize event handler with sysfs paths in usbip drivers. Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Shuah Khan --- drivers/usb/usbip/usbip_event.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/usbip/usbip_event.c b/drivers/usb/usbip/usbip_event.c index 5d88917c9631..086ca76dd053 100644 --- a/drivers/usb/usbip/usbip_event.c +++ b/drivers/usb/usbip/usbip_event.c @@ -70,6 +70,7 @@ static void event_handler(struct work_struct *work) while ((ud = get_event()) != NULL) { usbip_dbg_eh("pending event %lx\n", ud->event); + mutex_lock(&ud->sysfs_lock); /* * NOTE: shutdown must come first. * Shutdown the device. @@ -90,6 +91,7 @@ static void event_handler(struct work_struct *work) ud->eh_ops.unusable(ud); unset_event(ud, USBIP_EH_UNUSABLE); } + mutex_unlock(&ud->sysfs_lock); wake_up(&ud->eh_waitq); }
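
Review bot: The comment on the new field in the usbip_common.h hunk of patch 1/4, "mutex for synchronizing sysfs store paths", understates what the lock covers and gives no ordering rule. Patch 4/4 takes the same mutex in event_handler(), and vhci_port_disconnect() acquires it before vhci->lock and vdev->ud.lock. Suggest stating at the declaration that sysfs_lock serializes the sysfs store paths and the event handler, that it is a sleeping lock taken before the spinlocks, and that it must not be acquired while ud->lock is held.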
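
Review bot: In the attach_store() hunk at -349 of patch 1/4 (vhci_sysfs.c), the existing comment "/* create threads before locking */" now sits below the added mutex_lock(&vdev->ud.sysfs_lock), so it reads as wrong. The mutex is held across sockfd_lookup() and both kthread_create() calls, which is fine for a sleeping lock, but the comment should be reworded to say the threads are created before taking the spinlocks.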
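
Review bot: The added dev_info(dev, "Device attached\n") in the attach_store() hunk at -423 of patch 1/4 is unrelated to the locking change and is not mentioned in the commit message. Since the series is Cc'd to stable, suggest dropping it here or moving it to a separate patch so the fix carries only the mutex and the unlock_mutex exit path.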
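
Review bot: In patch 2/4 (stub_dev.c), the "stub down" branch unlocks sysfs_lock without any visible matching lock. The only mutex_lock() added is in the hunk at -63, inside the branch after dev_info(dev, "stub up\n"), while the hunk at -122 adds mutex_unlock(&sdev->ud.sysfs_lock) after usbip_event_add() in the else branch, and no hunk adds a lock on that path. The err: label also falls through to the new unlock_mutex: label, so any goto err from the down branch would unlock as well. Unless the mutex is taken somewhere outside the shown hunks, suggest moving the mutex_lock() above the sockfd check so both branches and every exit label run with the lock held.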
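
Review bot: Patch 3/4 (vudc_sysfs.c) ends up with three separate mutex_unlock(&udc->ud.sysfs_lock) sites in usbip_sockfd_store(): before "return count" in the connect branch (hunk at -187), after spin_unlock_irqrestore() in the disconnect branch (hunk at -207), and under the unlock: label (hunk at -216). Any return added later between the mutex_lock() in the hunk at -112 and these sites will leak the lock. Suggest setting ret = count on success and routing both success paths through a single exit label that drops the mutex, as attach_store() does with unlock_mutex in patch 1/4.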
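
Review bot: In the event_handler() hunks of patch 4/4 (usbip_event.c), sysfs_lock is now held across the ud->eh_ops shutdown, reset and unusable callbacks, but nothing documents the constraint this places on them. A callback that reaches a path taking sysfs_lock would self-deadlock, and any caller that sleeps on ud->eh_waitq while holding sysfs_lock would block forever, because the wake_up() runs only after the handler has acquired and released the mutex. Suggest a comment above the mutex_lock() stating that the eh_ops callbacks must not take sysfs_lock and that waiters on eh_waitq must not hold it.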