From patchwork Fri Apr 16 20:53:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Seewald X-Patchwork-Id: 423279 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D355C433B4 for ; Fri, 16 Apr 2021 20:53:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 49425613CF for ; Fri, 16 Apr 2021 20:53:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236077AbhDPUyB (ORCPT ); Fri, 16 Apr 2021 16:54:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44520 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234312AbhDPUx6 (ORCPT ); Fri, 16 Apr 2021 16:53:58 -0400 Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 39D11C061574 for ; Fri, 16 Apr 2021 13:53:32 -0700 (PDT) Received: by mail-ot1-x32b.google.com with SMTP id 92-20020a9d02e50000b029028fcc3d2c9eso4449198otl.0 for ; Fri, 16 Apr 2021 13:53:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=FI4INRVT2Pj8fXtTpAiz4l6HCcKpyf7chOv8uNKovyU=; b=m0PN7EA+Psvol027YrlObVbCokG9mw2JZYL7QWbwXKK55rIODbdm9aw1U9MfZ+dPYW nz5iRzNfOM529tkmK0XryVEby24Xm5hWww9U8Er6jExLQuDSSNBHbBbhxjV2/7hg6s9K FKbAlhWWtyd800YJ/kHWxcnI1qtK49Obq3m0lDO+0b1b0oJMNh3CM/fkJ7LoSpelE9+M wlUltoaSb2a+iHp6CEd3I2ttIsO3YL705gw1JxmbxsA86ZDAfBOXY591hWjztQ/HYu3j EcVte9xdE+cKzeduFovJG7BgUBDJl9T5/kDi5cu30WKyMp7CHQTzSxEh0PH2NRAyMieA f2pw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=FI4INRVT2Pj8fXtTpAiz4l6HCcKpyf7chOv8uNKovyU=; b=o29bdKAnrN0VRNbG9ypVrguJ/NvM5F41gHV40dJ1S7ci5fYsmiC58hC+x7qaWSpkbx PmpeUwtYLSl0NQSztC1UlBQmamQyoeonZ26Y9xTWVl3xemgHpRsCC3Lwoit3x7e/d3LW 25rVhjfm+8bCltDFDKuAjNF+9XUq4rZotLnntGFNC6TKUne3+0USNISejj0TnCJ9wfhe 5nzy7GPvT6FgE2tjLC5+71gAfHkyNOSUUzft/yNO70WK3AcP47n2z7x19lFKA0UckKAl yldEgpZ8uXbzXc9WYYdtUelBjxKR12QKsTgdKCa59VvAWlElAxV/4AfLiI0m1kNTsiXJ 3Q2g== X-Gm-Message-State: AOAM530Fsf+BhrjLJ0Y9eP/LLhpc2lZ2P2OkDYM4EhxHn3RrcMEEtNBf kSYi/Wl4n2SLFoaDjlwpIs2St91CcNUrik1V X-Google-Smtp-Source: ABdhPJzdzI4zuBbl1cyHE6jwswu+ZL4buASKlammCfaY52ym4cZt1xiDD9l6QLryisoi6GUnYYBSmA== X-Received: by 2002:a9d:1c9d:: with SMTP id l29mr5116609ota.372.1618606411167; Fri, 16 Apr 2021 13:53:31 -0700 (PDT) Received: from proxmox.local.lan (2603-80a0-0e01-cc2f-0226-b9ff-fe41-ba6b.res6.spectrum.com. [2603:80a0:e01:cc2f:226:b9ff:fe41:ba6b]) by smtp.googlemail.com with ESMTPSA id c21sm1440847ooa.48.2021.04.16.13.53.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Apr 2021 13:53:30 -0700 (PDT) From: Tom Seewald To: stable@vger.kernel.org Cc: Shuah Khan , syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman , Tom Seewald , Valentina Manea , Shuah Khan Subject: [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths Date: Fri, 16 Apr 2021 15:53:16 -0500 Message-Id: <20210416205319.14075-1-tseewald@gmail.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Shuah Khan commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream. Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. This problem is common to all drivers while it can be reproduced easily in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths. Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host and usip-vudc drivers and the event handler will have to use this lock to protect the paths. These changes will be done in subsequent patches. Cc: stable@vger.kernel.org # 4.9.x Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Tom Seewald Reviewed-by: Shuah Khan Reviewed-by: Shuah Khan --- drivers/usb/usbip/usbip_common.h | 3 +++ drivers/usb/usbip/vhci_hcd.c | 1 + drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++----- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h index 0b199a2664c0..3d47c681aea2 100644 --- a/drivers/usb/usbip/usbip_common.h +++ b/drivers/usb/usbip/usbip_common.h @@ -278,6 +278,9 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + /* mutex for synchronizing sysfs store paths */ + struct mutex sysfs_lock; + int sockfd; struct socket *tcp_socket; diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index 8bda6455dfcb..fb7b03029b8e 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c @@ -907,6 +907,7 @@ static void vhci_device_init(struct vhci_device *vdev) vdev->ud.side = USBIP_VHCI; vdev->ud.status = VDEV_ST_NULL; spin_lock_init(&vdev->ud.lock); + mutex_init(&vdev->ud.sysfs_lock); INIT_LIST_HEAD(&vdev->priv_rx); INIT_LIST_HEAD(&vdev->priv_tx); diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c index ca00d38d22af..3496b402aa1b 100644 --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c @@ -161,6 +161,8 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci, __u32 rhport) usbip_dbg_vhci_sysfs("enter\n"); + mutex_lock(&vdev->ud.sysfs_lock); + /* lock */ spin_lock_irqsave(&vhci->lock, flags); spin_lock(&vdev->ud.lock); @@ -171,6 +173,7 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci, __u32 rhport) /* unlock */ spin_unlock(&vdev->ud.lock); spin_unlock_irqrestore(&vhci->lock, flags); + mutex_unlock(&vdev->ud.sysfs_lock); return -EINVAL; } @@ -181,6 +184,8 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci, __u32 rhport) usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN); + mutex_unlock(&vdev->ud.sysfs_lock); + return 0; } @@ -309,30 +314,36 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, vhci = hcd_to_vhci(hcd); vdev = &vhci->vdev[rhport]; + mutex_lock(&vdev->ud.sysfs_lock); + /* Extract socket from fd. */ socket = sockfd_lookup(sockfd, &err); if (!socket) { dev_err(dev, "failed to lookup sock"); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } if (socket->type != SOCK_STREAM) { dev_err(dev, "Expecting SOCK_STREAM - found %d", socket->type); sockfd_put(socket); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } /* create threads before locking */ tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx"); if (IS_ERR(tcp_rx)) { sockfd_put(socket); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx"); if (IS_ERR(tcp_tx)) { kthread_stop(tcp_rx); sockfd_put(socket); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } /* get task structs now */ @@ -353,7 +364,8 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, kthread_stop_put(tcp_tx); dev_err(dev, "port %d already used\n", rhport); - return -EINVAL; + err = -EINVAL; + goto unlock_mutex; } dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n", @@ -378,7 +390,15 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, rh_port_connect(vdev, speed); + dev_info(dev, "Device attached\n"); + + mutex_unlock(&vdev->ud.sysfs_lock); + return count; + +unlock_mutex: + mutex_unlock(&vdev->ud.sysfs_lock); + return err; } static DEVICE_ATTR(attach, S_IWUSR, NULL, store_attach); From patchwork Fri Apr 16 20:53:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Seewald X-Patchwork-Id: 423819 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 39283C43460 for ; Fri, 16 Apr 2021 20:53:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0B21D613CF for ; Fri, 16 Apr 2021 20:53:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236387AbhDPUyD (ORCPT ); Fri, 16 Apr 2021 16:54:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44536 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234312AbhDPUyC (ORCPT ); Fri, 16 Apr 2021 16:54:02 -0400 Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 47E3BC061574 for ; Fri, 16 Apr 2021 13:53:36 -0700 (PDT) Received: by mail-oi1-x231.google.com with SMTP id a21so16088988oib.10 for ; Fri, 16 Apr 2021 13:53:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=o2I1ugYhrAul2FqAdFz18RQe+MGL/+zQfL0tzztH0bQ=; b=OQfT/E2ZqchZoXoQQAw5uwIoaibNLFesoYDlEgtdXtxXqmn9wcA5NVeTv/n7uRX0zr OQrykjtAOD2lOcuSdeRrhRMoZPB6hNh/AtQTEDErP/Uppq9QOjpZaosvt114nlXoe0+/ r+FqmNxsHUIZc6vsqBVtynrVVFT7WxJfDbZSfkjNeaOdh5i6ko2L9XBrC5LRxLwvw4Oc 72diQ4ST0dhEI/jkzRBr9SRhv/ty4wvokAVaIb7ZyiHCSaL54qJJPQj5rsi18Gn5kz8f Bg6OReK95J59JgGPIxE8rJ7Vr0xYIgGFFYfNarjCs8Dfwca1GvWnkXE2sF3Y5USNMcjL B/mg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=o2I1ugYhrAul2FqAdFz18RQe+MGL/+zQfL0tzztH0bQ=; b=A8NbBE1DaImgLBLGgId3/t03wvZgAlI/ge9xhL4XasxDfhvI0rp2r4K9c++PLzUd3U JY2HYc5g1KOYDOKJ8NvqIEf5PTLmYRynira/yeArD7iOkMCtB3idcA/lZQE2Nm1sbl61 9sJp1v9RtxKOC2RB5fB31oqcuCqqBuvs2FxK1hiMVOWpQAZA3jHjkOFsjHVKjS4+2yDD KCt/WhWaE01udJ9RihktNu3kyXgWv0BTkyvBPSCrwPXZjyuzv9wSCrYePaT62BDG2isO BWwXBaNlmcmye3roZ/avPvPsA9qFMuFYBkz+kjMHMFYZfrMFglhIYdbtoa0hX2tyVTph UhqA== X-Gm-Message-State: AOAM532bsGAa+2GxpMdB1gp3S6u7+r2fw5uW1DHMLcF4BNij2hGiT7q5 zcrSDPblse/wFJOMDSb6YC88SG4HPaCTiVo4 X-Google-Smtp-Source: ABdhPJwgCpTxJLENCAWo4NQwJ1xV/7DQ7hya9BSOT6AMbqV1nJUlWxsaItb+CMdilQ+GhVqykAjF6g== X-Received: by 2002:a05:6808:d4c:: with SMTP id w12mr5188851oik.60.1618606415342; Fri, 16 Apr 2021 13:53:35 -0700 (PDT) Received: from proxmox.local.lan (2603-80a0-0e01-cc2f-0226-b9ff-fe41-ba6b.res6.spectrum.com. [2603:80a0:e01:cc2f:226:b9ff:fe41:ba6b]) by smtp.googlemail.com with ESMTPSA id c21sm1440847ooa.48.2021.04.16.13.53.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Apr 2021 13:53:34 -0700 (PDT) From: Tom Seewald To: stable@vger.kernel.org Cc: Shuah Khan , syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman , Tom Seewald , Valentina Manea , Shuah Khan Subject: [PATCH 2/4] usbip: stub-dev synchronize sysfs code paths Date: Fri, 16 Apr 2021 15:53:17 -0500 Message-Id: <20210416205319.14075-2-tseewald@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210416205319.14075-1-tseewald@gmail.com> References: <20210416205319.14075-1-tseewald@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Shuah Khan commit 9dbf34a834563dada91366c2ac266f32ff34641a upstream. Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to protect sysfs paths in stub-dev. Cc: stable@vger.kernel.org # 4.9.x Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Tom Seewald --- drivers/usb/usbip/stub_dev.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c index 6b643e6c8f0b..cec5805feb25 100644 --- a/drivers/usb/usbip/stub_dev.c +++ b/drivers/usb/usbip/stub_dev.c @@ -77,6 +77,7 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr, dev_info(dev, "stub up\n"); + mutex_lock(&sdev->ud.sysfs_lock); spin_lock_irq(&sdev->ud.lock); if (sdev->ud.status != SDEV_ST_AVAILABLE) { @@ -101,13 +102,13 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr, tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx"); if (IS_ERR(tcp_rx)) { sockfd_put(socket); - return -EINVAL; + goto unlock_mutex; } tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx"); if (IS_ERR(tcp_tx)) { kthread_stop(tcp_rx); sockfd_put(socket); - return -EINVAL; + goto unlock_mutex; } /* get task structs now */ @@ -126,6 +127,8 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr, wake_up_process(sdev->ud.tcp_rx); wake_up_process(sdev->ud.tcp_tx); + mutex_unlock(&sdev->ud.sysfs_lock); + } else { dev_info(dev, "stub down\n"); @@ -136,6 +139,7 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr, spin_unlock_irq(&sdev->ud.lock); usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN); + mutex_unlock(&sdev->ud.sysfs_lock); } return count; @@ -144,6 +148,8 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr, sockfd_put(socket); err: spin_unlock_irq(&sdev->ud.lock); +unlock_mutex: + mutex_unlock(&sdev->ud.sysfs_lock); return -EINVAL; } static DEVICE_ATTR(usbip_sockfd, S_IWUSR, NULL, store_sockfd); @@ -309,6 +315,7 @@ static struct stub_device *stub_device_alloc(struct usb_device *udev) sdev->ud.side = USBIP_STUB; sdev->ud.status = SDEV_ST_AVAILABLE; spin_lock_init(&sdev->ud.lock); + mutex_init(&sdev->ud.sysfs_lock); sdev->ud.tcp_socket = NULL; sdev->ud.sockfd = -1; From patchwork Fri Apr 16 20:53:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Seewald X-Patchwork-Id: 423278 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A6AA5C433ED for ; Fri, 16 Apr 2021 20:53:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 74D77613D0 for ; Fri, 16 Apr 2021 20:53:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236559AbhDPUyF (ORCPT ); Fri, 16 Apr 2021 16:54:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44552 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234312AbhDPUyF (ORCPT ); Fri, 16 Apr 2021 16:54:05 -0400 Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 59CE0C061574 for ; Fri, 16 Apr 2021 13:53:40 -0700 (PDT) Received: by mail-oi1-x234.google.com with SMTP id v6so1353705oiv.3 for ; Fri, 16 Apr 2021 13:53:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=gClhNBz2PctsHGx1upM7EkuvRPvL47X9XJbsIPsu8zU=; b=d962BjDIdQlUnkkEJnbTsh90LjvOQ262ToC5vEnPgm+jJ35BJi5rDUeuR727ZF36A1 WlCFpT3u4YvxRh9LBW6FuDoZVR1VINYf66JRQDogK3YZiA2s9bA6bv6VEbddRV0Iif/A d2XV6lfTuMvCKVy+vSt25bCSQMDYmm8KteHmTiEbYK6NO/ACrBOXfK5lODLEd/PuGExD cI3/9hhD9Jx0T4Z3jbwJausA1wQCO9EFDUkN64Fo4jkblR4vSC/NFNXI23ZFPaNI/47W 5BjmnGx+CJPWu3QkG6iecfTSjrDk7dfBUVehfQioNDFvHaNVNzJaFBqYbcczLKe53si0 uYIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=gClhNBz2PctsHGx1upM7EkuvRPvL47X9XJbsIPsu8zU=; b=NgR+5RFjUc4jaba65AAQOzLHgWSuDSveLAmxCv/GtRLnWZFK5MKAUpYPOrlkVc1kY+ 5CjtEb8gadP2ah7hp9XTjLxOyahLYw+KMuUm4EaJWKdbzRsVeEh5Iz3QmenUdv3eba6i YkECIw6huporm6815WtiTcAzuNEJwVECFkfmHXGMS9P0xX5yFMiFLdL6GV7O8y+f4zot gDnS+P7iCIdFUqbxh1epf5SN5kKJND88PBSknwZbc57osPWG7z2BuNWcUbfBkagmagg1 y7tfXLQ7FFcieJQoXbBzFo0+uPo9B1yTXprf1beMhXWc+0VbYxGWc1CUSDmTxfnpXgG3 S/1g== X-Gm-Message-State: AOAM530viJ+gTmAmbhPtPP5gsJTfv8sfyecxPaiNHHXcKFaWm2zbU7hh AtFqgL599fK5nIzrs6IMDaHfzNczUrBUTFAS X-Google-Smtp-Source: ABdhPJz4ET1JTITlFX36a1ra9NWgfkkhLHbznI52L+2Hnex5/D94x1yx+Hb4uawcy3pZfp5CAXwTlQ== X-Received: by 2002:a54:4005:: with SMTP id x5mr7912634oie.66.1618606419447; Fri, 16 Apr 2021 13:53:39 -0700 (PDT) Received: from proxmox.local.lan (2603-80a0-0e01-cc2f-0226-b9ff-fe41-ba6b.res6.spectrum.com. [2603:80a0:e01:cc2f:226:b9ff:fe41:ba6b]) by smtp.googlemail.com with ESMTPSA id c21sm1440847ooa.48.2021.04.16.13.53.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Apr 2021 13:53:39 -0700 (PDT) From: Tom Seewald To: stable@vger.kernel.org Cc: Shuah Khan , syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman , Tom Seewald , Valentina Manea , Shuah Khan Subject: [PATCH 3/4] usbip: vudc synchronize sysfs code paths Date: Fri, 16 Apr 2021 15:53:18 -0500 Message-Id: <20210416205319.14075-3-tseewald@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210416205319.14075-1-tseewald@gmail.com> References: <20210416205319.14075-1-tseewald@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Shuah Khan commit bd8b82042269a95db48074b8bb400678dbac1815 upstream. Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to protect sysfs paths in vudc. Cc: stable@vger.kernel.org # 4.9.x # 4.14.x Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/caabcf3fc87bdae970509b5ff32d05bb7ce2fb15.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Tom Seewald --- drivers/usb/usbip/vudc_dev.c | 1 + drivers/usb/usbip/vudc_sysfs.c | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c index 7091848df6c8..d61b22bb1d8b 100644 --- a/drivers/usb/usbip/vudc_dev.c +++ b/drivers/usb/usbip/vudc_dev.c @@ -582,6 +582,7 @@ static int init_vudc_hw(struct vudc *udc) init_waitqueue_head(&udc->tx_waitq); spin_lock_init(&ud->lock); + mutex_init(&ud->sysfs_lock); ud->status = SDEV_ST_AVAILABLE; ud->side = USBIP_VUDC; diff --git a/drivers/usb/usbip/vudc_sysfs.c b/drivers/usb/usbip/vudc_sysfs.c index f44d98eeb36a..e9d8dbd4e5a4 100644 --- a/drivers/usb/usbip/vudc_sysfs.c +++ b/drivers/usb/usbip/vudc_sysfs.c @@ -125,6 +125,7 @@ static ssize_t store_sockfd(struct device *dev, dev_err(dev, "no device"); return -ENODEV; } + mutex_lock(&udc->ud.sysfs_lock); spin_lock_irqsave(&udc->lock, flags); /* Don't export what we don't have */ if (!udc->driver || !udc->pullup) { @@ -200,6 +201,8 @@ static ssize_t store_sockfd(struct device *dev, wake_up_process(udc->ud.tcp_rx); wake_up_process(udc->ud.tcp_tx); + + mutex_unlock(&udc->ud.sysfs_lock); return count; } else { @@ -220,6 +223,7 @@ static ssize_t store_sockfd(struct device *dev, } spin_unlock_irqrestore(&udc->lock, flags); + mutex_unlock(&udc->ud.sysfs_lock); return count; @@ -229,6 +233,7 @@ static ssize_t store_sockfd(struct device *dev, spin_unlock_irq(&udc->ud.lock); unlock: spin_unlock_irqrestore(&udc->lock, flags); + mutex_unlock(&udc->ud.sysfs_lock); return ret; } From patchwork Fri Apr 16 20:53:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Seewald X-Patchwork-Id: 423818 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2146C433ED for ; Fri, 16 Apr 2021 20:53:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6892E613CF for ; Fri, 16 Apr 2021 20:53:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242473AbhDPUyM (ORCPT ); Fri, 16 Apr 2021 16:54:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44576 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240974AbhDPUyL (ORCPT ); Fri, 16 Apr 2021 16:54:11 -0400 Received: from mail-oi1-x236.google.com (mail-oi1-x236.google.com [IPv6:2607:f8b0:4864:20::236]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9050C061574 for ; Fri, 16 Apr 2021 13:53:45 -0700 (PDT) Received: by mail-oi1-x236.google.com with SMTP id i81so29166642oif.6 for ; Fri, 16 Apr 2021 13:53:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=1XWPGM8zhiAwM9m1K9VVuFeSk75gHnDuWWcf0KSQw9E=; b=BEMwozo2p1Qb5DJ1yFaf70tsoQ1EdgA/Xd6HkUWN3RVqUXm9At3m4xnxUys+Vh0nbq crPkfQvAiTjxtvifizJx8EN3aqf9TmvaueawZ9MCa4ow0weL4t7d79rnmNlxVaNTatOI zRnz6fQm/G+UyVa/wW9mQ/B4Ha2HiSMMd2hhUaUzIjwLduXLRPvyq60LTaMUrYP6OybD z8mp2/ooCQHe4QNvVF43/H0PXmTTqbHHZJdnzbLvjrnHRZs0GJUk0yNQHjYDg26haWN5 tZcB1id4JPOwkRkNnSi+O9CHoffpC603qvFlYczQ9j+Rlx0yxLRPGFucMSI5uxpDd4wq 9mog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=1XWPGM8zhiAwM9m1K9VVuFeSk75gHnDuWWcf0KSQw9E=; b=PxUCTFsWWW3h7zREDUSFVIGlF9SA9acD0FzKzSO8GKy0zOkSdErb5KewvA5z1JmLsf X4pdOGPlY2CAQgmD1JIEHugJaO0TFBKClIRYDzc4L4f+5pXMCheJPXww4F3eyIC3m/G5 k0QgTCxx4K2neKXrXJ0zVW96GdIwnd3bHfiBfo+jMIRdolgLiJujQZ2wxR8Ht1fSekQO 7melORBrMeWnCHKersN7WAv3MYozODQT5ozQXzmDmLpGGQAdmtne6bCfN+/2M8ZngBVP 7qY5hfOFqyVtTFxS9GKHth5NW6N2o7tiVe5+HS8drZLdJlWhpvM2R0pufp2uTNf0Mx0T MmUQ== X-Gm-Message-State: AOAM530oVPPE7ZbrIgIzm9K8bREPMzPI7zmkJbiPeqB7w8LRaROGx8PC y84DgtfiRP18AuHgWvYvAUIMbHSlw04IhTDY X-Google-Smtp-Source: ABdhPJz44GgSua6mHpfFkvr4/NabMe/EzBlyRjO1TGYsPuXreIVTkI+MT6hXIwJKL3EdaJNMOKI0Jw== X-Received: by 2002:aca:aa8b:: with SMTP id t133mr7835515oie.150.1618606424823; Fri, 16 Apr 2021 13:53:44 -0700 (PDT) Received: from proxmox.local.lan (2603-80a0-0e01-cc2f-0226-b9ff-fe41-ba6b.res6.spectrum.com. [2603:80a0:e01:cc2f:226:b9ff:fe41:ba6b]) by smtp.googlemail.com with ESMTPSA id c21sm1440847ooa.48.2021.04.16.13.53.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Apr 2021 13:53:44 -0700 (PDT) From: Tom Seewald To: stable@vger.kernel.org Cc: Shuah Khan , syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman , Tom Seewald , Valentina Manea , Shuah Khan Subject: [PATCH 4/4] usbip: synchronize event handler with sysfs code paths Date: Fri, 16 Apr 2021 15:53:19 -0500 Message-Id: <20210416205319.14075-4-tseewald@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210416205319.14075-1-tseewald@gmail.com> References: <20210416205319.14075-1-tseewald@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Shuah Khan commit 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814 upstream. Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to synchronize event handler with sysfs paths in usbip drivers. Cc: stable@vger.kernel.org # 4.9.x Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/c5c8723d3f29dfe3d759cfaafa7dd16b0dfe2918.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Tom Seewald --- drivers/usb/usbip/usbip_event.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/usbip/usbip_event.c b/drivers/usb/usbip/usbip_event.c index f8f7f3803a99..01eaae1f265b 100644 --- a/drivers/usb/usbip/usbip_event.c +++ b/drivers/usb/usbip/usbip_event.c @@ -84,6 +84,7 @@ static void event_handler(struct work_struct *work) while ((ud = get_event()) != NULL) { usbip_dbg_eh("pending event %lx\n", ud->event); + mutex_lock(&ud->sysfs_lock); /* * NOTE: shutdown must come first. * Shutdown the device. @@ -104,6 +105,7 @@ static void event_handler(struct work_struct *work) ud->eh_ops.unusable(ud); unset_event(ud, USBIP_EH_UNUSABLE); } + mutex_unlock(&ud->sysfs_lock); wake_up(&ud->eh_waitq); }