From patchwork Thu Sep 17 14:41:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "M. Vefa Bicakci" X-Patchwork-Id: 297598 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.6 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A247EC2BBD1 for ; Thu, 17 Sep 2020 19:57:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A8E1620717 for ; Thu, 17 Sep 2020 19:57:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727696AbgIQOoA (ORCPT ); Thu, 17 Sep 2020 10:44:00 -0400 Received: from aibo.runbox.com ([91.220.196.211]:55470 "EHLO aibo.runbox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727648AbgIQOmS (ORCPT ); Thu, 17 Sep 2020 10:42:18 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=runbox.com; s=selector2; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To :Message-Id:Date:Subject:Cc:To:From; bh=WaCu4zldHM3wFml3XoeYbHVyOElXbVex+B6UOeOoYQs=; b=K5nbWtU2dkwkGPzspMmSTpOjNX lXlAcg9cV3ApcaEGvrjC/EaeltW8ObTwpXDVerxkdpOMJFeHdnaJSkZwzGW0gr3Fm3YSRljTAohW2 H6K+q/asalUdLPBBh9zmyqt+1rDaieydvu8fD4IJPy2RMzNuVa4BOLf9HZsTpixmh6TgALK3aIqPq bYd5tMkGTS0+gB2/gyuK3nD7WSrLhFKc0OKW4/EkXTb/qj4cWj6RagaVXI26mGVa4AGLNQttj3Dot nAM0gtLKF3aq2NQBGa9f5uar92GpNBZVx26DOLyBoa5a6n5IOPOPv9Hirnq+wazpNNSAhMFkCKHNV /lqiI7QQ==; Received: from [10.9.9.72] (helo=submission01.runbox) by mailtransmit03.runbox with esmtp (Exim 4.86_2) (envelope-from ) id 1kIv6z-0007ku-MD; Thu, 17 Sep 2020 16:42:13 +0200 Received: by submission01.runbox with esmtpsa [Authenticated alias (536975)] (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) id 1kIv6m-0002ee-8o; Thu, 17 Sep 2020 16:42:00 +0200 From: "M. Vefa Bicakci" To: linux-usb@vger.kernel.org Cc: "M. Vefa Bicakci" , Andrey Konovalov , stable@vger.kernel.org, Greg Kroah-Hartman , Alan Stern , Bastien Nocera , syzkaller@googlegroups.com Subject: [PATCH 1/3] usbcore/driver: Fix specific driver selection Date: Thu, 17 Sep 2020 17:41:49 +0300 Message-Id: <20200917144151.355848-1-m.v.b@runbox.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org This commit resolves a bug in the selection/discovery of more specific USB device drivers for devices that are currently bound to generic USB device drivers. The bug is in the logic that determines whether a device currently bound to a generic USB device driver should be re-probed by a more specific USB device driver or not. The code in __usb_bus_reprobe_drivers() used to have the following lines: if (usb_device_match_id(udev, new_udriver->id_table) == NULL && (!new_udriver->match || new_udriver->match(udev) != 0)) return 0; ret = device_reprobe(dev); As the reader will notice, the code checks whether the USB device in consideration matches the identifier table (id_table) of a specific USB device_driver (new_udriver), followed by a similar check, but this time with the USB device driver's match function. However, the match function's return value is not checked correctly. When match() returns zero, it means that the specific USB device driver is *not* applicable to the USB device in question, but the code then goes on to reprobe the device with the new USB device driver under consideration. All this to say, the logic is inverted. This bug was found by code inspection and instrumentation after Andrey Konovalov's report indicating USB/IP subsystem's misbehaviour with the generic USB device driver matching code. Reported-by: Andrey Konovalov Fixes: d5643d2249 ("USB: Fix device driver race") Link: https://lore.kernel.org/linux-usb/CAAeHK+zOrHnxjRFs=OE8T=O9208B9HP_oo8RZpyVOZ9AJ54pAA@mail.gmail.com/ Cc: # 5.8 Cc: Greg Kroah-Hartman Cc: Alan Stern Cc: Bastien Nocera Cc: Signed-off-by: M. Vefa Bicakci --- drivers/usb/core/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) base-commit: 871e6496207c6aa94134448779c77631a11bfa2e diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c index c976ea9f9582..950044a6e77f 100644 --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -924,7 +924,7 @@ static int __usb_bus_reprobe_drivers(struct device *dev, void *data) udev = to_usb_device(dev); if (usb_device_match_id(udev, new_udriver->id_table) == NULL && - (!new_udriver->match || new_udriver->match(udev) != 0)) + (!new_udriver->match || new_udriver->match(udev) == 0)) return 0; ret = device_reprobe(dev); From patchwork Thu Sep 17 14:41:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "M. Vefa Bicakci" X-Patchwork-Id: 258514 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.6 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8E4FC433E2 for ; Thu, 17 Sep 2020 14:44:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 03D5121582 for ; Thu, 17 Sep 2020 14:44:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727722AbgIQOoa (ORCPT ); Thu, 17 Sep 2020 10:44:30 -0400 Received: from aibo.runbox.com ([91.220.196.211]:44958 "EHLO aibo.runbox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727635AbgIQOmR (ORCPT ); Thu, 17 Sep 2020 10:42:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=runbox.com; s=selector2; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To :Message-Id:Date:Subject:Cc:To:From; bh=Acb83lDQUxJQj91yQAdseCCeGfKFWuDFFfIoGna9aek=; b=n0DkPng3dG+8RcJuA5zwIacHb1 TXe5LLPwDoZwWp8ela6FZimISCPatyIPhmJc/s9ol5h9NfkPzofrC5/T5Id0AWZGO4g1QfR3zfMOR LW7IQ891IP5ALTcxuisRUYWBpgC2EeTm3qsddzP8WN5+PS/kctuEMxarZUmyVpoCbwZWJPYYRxJKW xL1mFhcpbxrPGzVyF23657tvhv0vvg6+Sh2ycarDYQw8MgCLnPErMP3QAhtZjhrw9T5VCZkL3JZI8 1HKAcrhnG6pseVbqREsGVrPNsmHJO0lo+HnbdY2XVqHxowAKGn2NvJx+dnDMfwt/3i86mVVNqMNk5 Tn/WK/Zw==; Received: from [10.9.9.72] (helo=submission01.runbox) by mailtransmit02.runbox with esmtp (Exim 4.86_2) (envelope-from ) id 1kIv6z-0001Ks-3U; Thu, 17 Sep 2020 16:42:13 +0200 Received: by submission01.runbox with esmtpsa [Authenticated alias (536975)] (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) id 1kIv6o-0002ee-Bs; Thu, 17 Sep 2020 16:42:02 +0200 From: "M. Vefa Bicakci" To: linux-usb@vger.kernel.org Cc: "M. Vefa Bicakci" , stable@vger.kernel.org, Greg Kroah-Hartman , Alan Stern , Bastien Nocera , Andrey Konovalov , syzkaller@googlegroups.com Subject: [PATCH 2/3] usbcore/driver: Fix incorrect downcast Date: Thu, 17 Sep 2020 17:41:50 +0300 Message-Id: <20200917144151.355848-2-m.v.b@runbox.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200917144151.355848-1-m.v.b@runbox.com> References: <20200917144151.355848-1-m.v.b@runbox.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org This commit resolves a minor bug in the selection/discovery of more specific USB device drivers for devices that are currently bound to generic USB device drivers. The bug is related to the way a candidate USB device driver is compared against the generic USB device driver. The code in is_dev_usb_generic_driver() assumes that the device driver in question is a USB device driver by calling to_usb_device_driver(dev->driver) to downcast; however I have observed that this assumption is not always true, through code instrumentation. Given that USB device drivers are bound to struct device instances with of the type &usb_device_type, this commit checks the return value of is_usb_device() before the call to is_dev_usb_generic_driver(), and therefore ensures that incorrect type downcasts do not occur. The use of is_usb_device() was suggested by Bastien Nocera. This bug was found while investigating Andrey Konovalov's report indicating USB/IP subsystem's misbehaviour with the generic USB device driver matching code. Fixes: d5643d2249 ("USB: Fix device driver race") Link: https://lore.kernel.org/linux-usb/CAAeHK+zOrHnxjRFs=OE8T=O9208B9HP_oo8RZpyVOZ9AJ54pAA@mail.gmail.com/ Cc: # 5.8 Cc: Greg Kroah-Hartman Cc: Alan Stern Cc: Bastien Nocera Cc: Andrey Konovalov Cc: Signed-off-by: M. Vefa Bicakci --- drivers/usb/core/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c index 950044a6e77f..ba7acd6e7cc4 100644 --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -919,7 +919,7 @@ static int __usb_bus_reprobe_drivers(struct device *dev, void *data) struct usb_device *udev; int ret; - if (!is_dev_usb_generic_driver(dev)) + if (!is_usb_device(dev) || !is_dev_usb_generic_driver(dev)) return 0; udev = to_usb_device(dev); From patchwork Thu Sep 17 14:41:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "M. Vefa Bicakci" X-Patchwork-Id: 297603 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.6 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32D2BC433E2 for ; Thu, 17 Sep 2020 14:44:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4F51B206DB for ; Thu, 17 Sep 2020 14:44:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727685AbgIQOng (ORCPT ); Thu, 17 Sep 2020 10:43:36 -0400 Received: from aibo.runbox.com ([91.220.196.211]:44960 "EHLO aibo.runbox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727641AbgIQOmQ (ORCPT ); Thu, 17 Sep 2020 10:42:16 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=runbox.com; s=selector2; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To :Message-Id:Date:Subject:Cc:To:From; bh=jYC5vfpyAOB01Xz9fU7PjyTQCLGjlSBNPFV1rX8wF80=; b=UdIyK5YcbcJK/sE20vl9eIdY+0 7Yuwn/2NTwL2mPvPbiwx+wmxKwJ/2E3jSMUZ48DFehw6Sr1pkR4vPZN24T+Smi+iTkCS185isl9V9 VpV7avfNrKsAPgUHUZAJTiQt7ucOtwFlM7A7nq6E7MXaLuMZiQ1b9FiFfIt7vml6PJ0wLYwwdX/kK pS4kw/8+Ezf6SPMhEZffiohd8jKkWR0JU4l/1clxSvCvtgxf31OkwUhsk39hV3fk+lWrdBR+qKWSz oPJm/avtxGWfBCJw9Ovupm0nWEmMJ6lvr8wX0dCK0+s4qtBD3VwMAo1T3WkH8JpyWgfRMPDwGbSJc GYIag1lA==; Received: from [10.9.9.72] (helo=submission01.runbox) by mailtransmit02.runbox with esmtp (Exim 4.86_2) (envelope-from ) id 1kIv6y-0001Ko-KU; Thu, 17 Sep 2020 16:42:12 +0200 Received: by submission01.runbox with esmtpsa [Authenticated alias (536975)] (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) id 1kIv6p-0002ee-CS; Thu, 17 Sep 2020 16:42:03 +0200 From: "M. Vefa Bicakci" To: linux-usb@vger.kernel.org Cc: "M. Vefa Bicakci" , Andrey Konovalov , stable@vger.kernel.org, Bastien Nocera , Valentina Manea , Shuah Khan , Greg Kroah-Hartman , Alan Stern , syzkaller@googlegroups.com Subject: [PATCH 3/3] usbip: Make the driver's match function specific Date: Thu, 17 Sep 2020 17:41:51 +0300 Message-Id: <20200917144151.355848-3-m.v.b@runbox.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200917144151.355848-1-m.v.b@runbox.com> References: <20200917144151.355848-1-m.v.b@runbox.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Prior to this commit, the USB-IP subsystem's USB device driver match function used to match all USB devices (by returning true unconditionally). Unfortunately, this is not correct behaviour and is likely the root cause of the bug reported by Andrey Konovalov. USB-IP should only match USB devices that the user-space asked the kernel to handle via USB-IP, by writing to the match_busid sysfs file, which is what this commit aims to achieve. This is done by making the match function check that the passed in USB device was indeed requested by the user-space to be handled by USB-IP. Reported-by: Andrey Konovalov Fixes: 7a2f2974f2 ("usbip: Implement a match function to fix usbip") Link: https://lore.kernel.org/linux-usb/CAAeHK+zOrHnxjRFs=OE8T=O9208B9HP_oo8RZpyVOZ9AJ54pAA@mail.gmail.com/ Cc: # 5.8 Cc: Bastien Nocera Cc: Valentina Manea Cc: Shuah Khan Cc: Greg Kroah-Hartman Cc: Alan Stern Cc: Signed-off-by: M. Vefa Bicakci --- drivers/usb/usbip/stub_dev.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c index 9d7d642022d1..3d9c8ff6762e 100644 --- a/drivers/usb/usbip/stub_dev.c +++ b/drivers/usb/usbip/stub_dev.c @@ -463,7 +463,20 @@ static void stub_disconnect(struct usb_device *udev) static bool usbip_match(struct usb_device *udev) { - return true; + bool match; + struct bus_id_priv *busid_priv; + const char *udev_busid = dev_name(&udev->dev); + + busid_priv = get_busid_priv(udev_busid); + if (!busid_priv) + return false; + + match = (busid_priv->status != STUB_BUSID_REMOV && + busid_priv->status != STUB_BUSID_OTHER); + + put_busid_priv(busid_priv); + + return match; } #ifdef CONFIG_PM