* [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths
@ 2021-04-16 20:53 Tom Seewald
2021-04-16 20:53 ` [PATCH 2/4] usbip: stub-dev " Tom Seewald
` (3 more replies)
0 siblings, 4 replies; 12+ messages in thread
From: Tom Seewald @ 2021-04-16 20:53 UTC (permalink / raw)
To: stable
Cc: Shuah Khan, syzbot+a93fba6d384346a761e3, Greg Kroah-Hartman,
Tom Seewald, Valentina Manea, Shuah Khan
From: Shuah Khan <skhan@linuxfoundation.org>
commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream.
Fuzzing uncovered race condition between sysfs code paths in usbip
drivers. Device connect/disconnect code paths initiated through
sysfs interface are prone to races if disconnect happens during
connect and vice versa.
This problem is common to all drivers while it can be reproduced easily
in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host
and usip-vudc drivers and the event handler will have to use this lock to
protect the paths. These changes will be done in subsequent patches.
Cc: stable@vger.kernel.org # 4.9.x
Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tom Seewald <tseewald@gmail.com>
---
drivers/usb/usbip/usbip_common.h | 3 +++
drivers/usb/usbip/vhci_hcd.c | 1 +
drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++-----
3 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
index 0b199a2664c0..3d47c681aea2 100644
--- a/drivers/usb/usbip/usbip_common.h
+++ b/drivers/usb/usbip/usbip_common.h
@@ -278,6 +278,9 @@ struct usbip_device {
/* lock for status */
spinlock_t lock;
+ /* mutex for synchronizing sysfs store paths */
+ struct mutex sysfs_lock;
+
int sockfd;
struct socket *tcp_socket;
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index 8bda6455dfcb..fb7b03029b8e 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -907,6 +907,7 @@ static void vhci_device_init(struct vhci_device *vdev)
vdev->ud.side = USBIP_VHCI;
vdev->ud.status = VDEV_ST_NULL;
spin_lock_init(&vdev->ud.lock);
+ mutex_init(&vdev->ud.sysfs_lock);
INIT_LIST_HEAD(&vdev->priv_rx);
INIT_LIST_HEAD(&vdev->priv_tx);
diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
index ca00d38d22af..3496b402aa1b 100644
--- a/drivers/usb/usbip/vhci_sysfs.c
+++ b/drivers/usb/usbip/vhci_sysfs.c
@@ -161,6 +161,8 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci, __u32 rhport)
usbip_dbg_vhci_sysfs("enter\n");
+ mutex_lock(&vdev->ud.sysfs_lock);
+
/* lock */
spin_lock_irqsave(&vhci->lock, flags);
spin_lock(&vdev->ud.lock);
@@ -171,6 +173,7 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci, __u32 rhport)
/* unlock */
spin_unlock(&vdev->ud.lock);
spin_unlock_irqrestore(&vhci->lock, flags);
+ mutex_unlock(&vdev->ud.sysfs_lock);
return -EINVAL;
}
@@ -181,6 +184,8 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci, __u32 rhport)
usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN);
+ mutex_unlock(&vdev->ud.sysfs_lock);
+
return 0;
}
@@ -309,30 +314,36 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr,
vhci = hcd_to_vhci(hcd);
vdev = &vhci->vdev[rhport];
+ mutex_lock(&vdev->ud.sysfs_lock);
+
/* Extract socket from fd. */
socket = sockfd_lookup(sockfd, &err);
if (!socket) {
dev_err(dev, "failed to lookup sock");
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
if (socket->type != SOCK_STREAM) {
dev_err(dev, "Expecting SOCK_STREAM - found %d",
socket->type);
sockfd_put(socket);
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
/* create threads before locking */
tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx");
if (IS_ERR(tcp_rx)) {
sockfd_put(socket);
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx");
if (IS_ERR(tcp_tx)) {
kthread_stop(tcp_rx);
sockfd_put(socket);
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
/* get task structs now */
@@ -353,7 +364,8 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr,
kthread_stop_put(tcp_tx);
dev_err(dev, "port %d already used\n", rhport);
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n",
@@ -378,7 +390,15 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr,
rh_port_connect(vdev, speed);
+ dev_info(dev, "Device attached\n");
+
+ mutex_unlock(&vdev->ud.sysfs_lock);
+
return count;
+
+unlock_mutex:
+ mutex_unlock(&vdev->ud.sysfs_lock);
+ return err;
}
static DEVICE_ATTR(attach, S_IWUSR, NULL, store_attach);
--
2.20.1
^ permalink raw reply related [flat|nested] 12+ messages in thread* [PATCH 2/4] usbip: stub-dev synchronize sysfs code paths
2021-04-16 20:53 [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths Tom Seewald
@ 2021-04-16 20:53 ` Tom Seewald
2021-04-16 21:44 ` Shuah Khan
2021-04-16 20:53 ` [PATCH 3/4] usbip: vudc " Tom Seewald
` (2 subsequent siblings)
3 siblings, 1 reply; 12+ messages in thread
From: Tom Seewald @ 2021-04-16 20:53 UTC (permalink / raw)
To: stable
Cc: Shuah Khan, syzbot+a93fba6d384346a761e3, Greg Kroah-Hartman,
Tom Seewald, Valentina Manea, Shuah Khan
From: Shuah Khan <skhan@linuxfoundation.org>
commit 9dbf34a834563dada91366c2ac266f32ff34641a upstream.
Fuzzing uncovered race condition between sysfs code paths in usbip
drivers. Device connect/disconnect code paths initiated through
sysfs interface are prone to races if disconnect happens during
connect and vice versa.
Use sysfs_lock to protect sysfs paths in stub-dev.
Cc: stable@vger.kernel.org # 4.9.x
Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tom Seewald <tseewald@gmail.com>
---
drivers/usb/usbip/stub_dev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
index 6b643e6c8f0b..cec5805feb25 100644
--- a/drivers/usb/usbip/stub_dev.c
+++ b/drivers/usb/usbip/stub_dev.c
@@ -77,6 +77,7 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr,
dev_info(dev, "stub up\n");
+ mutex_lock(&sdev->ud.sysfs_lock);
spin_lock_irq(&sdev->ud.lock);
if (sdev->ud.status != SDEV_ST_AVAILABLE) {
@@ -101,13 +102,13 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr,
tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx");
if (IS_ERR(tcp_rx)) {
sockfd_put(socket);
- return -EINVAL;
+ goto unlock_mutex;
}
tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx");
if (IS_ERR(tcp_tx)) {
kthread_stop(tcp_rx);
sockfd_put(socket);
- return -EINVAL;
+ goto unlock_mutex;
}
/* get task structs now */
@@ -126,6 +127,8 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr,
wake_up_process(sdev->ud.tcp_rx);
wake_up_process(sdev->ud.tcp_tx);
+ mutex_unlock(&sdev->ud.sysfs_lock);
+
} else {
dev_info(dev, "stub down\n");
@@ -136,6 +139,7 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr,
spin_unlock_irq(&sdev->ud.lock);
usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN);
+ mutex_unlock(&sdev->ud.sysfs_lock);
}
return count;
@@ -144,6 +148,8 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr,
sockfd_put(socket);
err:
spin_unlock_irq(&sdev->ud.lock);
+unlock_mutex:
+ mutex_unlock(&sdev->ud.sysfs_lock);
return -EINVAL;
}
static DEVICE_ATTR(usbip_sockfd, S_IWUSR, NULL, store_sockfd);
@@ -309,6 +315,7 @@ static struct stub_device *stub_device_alloc(struct usb_device *udev)
sdev->ud.side = USBIP_STUB;
sdev->ud.status = SDEV_ST_AVAILABLE;
spin_lock_init(&sdev->ud.lock);
+ mutex_init(&sdev->ud.sysfs_lock);
sdev->ud.tcp_socket = NULL;
sdev->ud.sockfd = -1;
--
2.20.1
^ permalink raw reply related [flat|nested] 12+ messages in thread* Re: [PATCH 2/4] usbip: stub-dev synchronize sysfs code paths
2021-04-16 20:53 ` [PATCH 2/4] usbip: stub-dev " Tom Seewald
@ 2021-04-16 21:44 ` Shuah Khan
0 siblings, 0 replies; 12+ messages in thread
From: Shuah Khan @ 2021-04-16 21:44 UTC (permalink / raw)
To: Tom Seewald, Greg Kroah-Hartman
Cc: syzbot+a93fba6d384346a761e3, Valentina Manea, Shuah Khan, stable,
Shuah Khan
On 4/16/21 2:53 PM, Tom Seewald wrote:
> From: Shuah Khan <skhan@linuxfoundation.org>
>
> commit 9dbf34a834563dada91366c2ac266f32ff34641a upstream.
>
> Fuzzing uncovered race condition between sysfs code paths in usbip
> drivers. Device connect/disconnect code paths initiated through
> sysfs interface are prone to races if disconnect happens during
> connect and vice versa.
>
> Use sysfs_lock to protect sysfs paths in stub-dev.
>
> Cc: stable@vger.kernel.org # 4.9.x
> Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
> Link: https://lore.kernel.org/r/2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Tom Seewald <tseewald@gmail.com>
> ---
Thank you for the backport.
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Greg, please pick this up for 4.9.x
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 3/4] usbip: vudc synchronize sysfs code paths
2021-04-16 20:53 [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths Tom Seewald
2021-04-16 20:53 ` [PATCH 2/4] usbip: stub-dev " Tom Seewald
@ 2021-04-16 20:53 ` Tom Seewald
2021-04-16 21:45 ` Shuah Khan
2021-04-16 20:53 ` [PATCH 4/4] usbip: synchronize event handler with " Tom Seewald
2021-04-16 21:43 ` [PATCH 1/4] usbip: add sysfs_lock to synchronize " Shuah Khan
3 siblings, 1 reply; 12+ messages in thread
From: Tom Seewald @ 2021-04-16 20:53 UTC (permalink / raw)
To: stable
Cc: Shuah Khan, syzbot+a93fba6d384346a761e3, Greg Kroah-Hartman,
Tom Seewald, Valentina Manea, Shuah Khan
From: Shuah Khan <skhan@linuxfoundation.org>
commit bd8b82042269a95db48074b8bb400678dbac1815 upstream.
Fuzzing uncovered race condition between sysfs code paths in usbip
drivers. Device connect/disconnect code paths initiated through
sysfs interface are prone to races if disconnect happens during
connect and vice versa.
Use sysfs_lock to protect sysfs paths in vudc.
Cc: stable@vger.kernel.org # 4.9.x # 4.14.x
Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/caabcf3fc87bdae970509b5ff32d05bb7ce2fb15.1616807117.git.skhan@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tom Seewald <tseewald@gmail.com>
---
drivers/usb/usbip/vudc_dev.c | 1 +
drivers/usb/usbip/vudc_sysfs.c | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
index 7091848df6c8..d61b22bb1d8b 100644
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -582,6 +582,7 @@ static int init_vudc_hw(struct vudc *udc)
init_waitqueue_head(&udc->tx_waitq);
spin_lock_init(&ud->lock);
+ mutex_init(&ud->sysfs_lock);
ud->status = SDEV_ST_AVAILABLE;
ud->side = USBIP_VUDC;
diff --git a/drivers/usb/usbip/vudc_sysfs.c b/drivers/usb/usbip/vudc_sysfs.c
index f44d98eeb36a..e9d8dbd4e5a4 100644
--- a/drivers/usb/usbip/vudc_sysfs.c
+++ b/drivers/usb/usbip/vudc_sysfs.c
@@ -125,6 +125,7 @@ static ssize_t store_sockfd(struct device *dev,
dev_err(dev, "no device");
return -ENODEV;
}
+ mutex_lock(&udc->ud.sysfs_lock);
spin_lock_irqsave(&udc->lock, flags);
/* Don't export what we don't have */
if (!udc->driver || !udc->pullup) {
@@ -200,6 +201,8 @@ static ssize_t store_sockfd(struct device *dev,
wake_up_process(udc->ud.tcp_rx);
wake_up_process(udc->ud.tcp_tx);
+
+ mutex_unlock(&udc->ud.sysfs_lock);
return count;
} else {
@@ -220,6 +223,7 @@ static ssize_t store_sockfd(struct device *dev,
}
spin_unlock_irqrestore(&udc->lock, flags);
+ mutex_unlock(&udc->ud.sysfs_lock);
return count;
@@ -229,6 +233,7 @@ static ssize_t store_sockfd(struct device *dev,
spin_unlock_irq(&udc->ud.lock);
unlock:
spin_unlock_irqrestore(&udc->lock, flags);
+ mutex_unlock(&udc->ud.sysfs_lock);
return ret;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 12+ messages in thread* Re: [PATCH 3/4] usbip: vudc synchronize sysfs code paths
2021-04-16 20:53 ` [PATCH 3/4] usbip: vudc " Tom Seewald
@ 2021-04-16 21:45 ` Shuah Khan
0 siblings, 0 replies; 12+ messages in thread
From: Shuah Khan @ 2021-04-16 21:45 UTC (permalink / raw)
To: Tom Seewald, Greg Kroah-Hartman
Cc: syzbot+a93fba6d384346a761e3, Valentina Manea, Shuah Khan,
Shuah Khan, stable
On 4/16/21 2:53 PM, Tom Seewald wrote:
> From: Shuah Khan <skhan@linuxfoundation.org>
>
> commit bd8b82042269a95db48074b8bb400678dbac1815 upstream.
>
> Fuzzing uncovered race condition between sysfs code paths in usbip
> drivers. Device connect/disconnect code paths initiated through
> sysfs interface are prone to races if disconnect happens during
> connect and vice versa.
>
> Use sysfs_lock to protect sysfs paths in vudc.
>
> Cc: stable@vger.kernel.org # 4.9.x # 4.14.x
> Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
> Link: https://lore.kernel.org/r/caabcf3fc87bdae970509b5ff32d05bb7ce2fb15.1616807117.git.skhan@linuxfoundation.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Tom Seewald <tseewald@gmail.com>
Thank you for the backport.
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Greg, please pick this up for 4.9.x and 4.14.x
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 4/4] usbip: synchronize event handler with sysfs code paths
2021-04-16 20:53 [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths Tom Seewald
2021-04-16 20:53 ` [PATCH 2/4] usbip: stub-dev " Tom Seewald
2021-04-16 20:53 ` [PATCH 3/4] usbip: vudc " Tom Seewald
@ 2021-04-16 20:53 ` Tom Seewald
2021-04-16 21:45 ` Shuah Khan
2021-04-16 21:43 ` [PATCH 1/4] usbip: add sysfs_lock to synchronize " Shuah Khan
3 siblings, 1 reply; 12+ messages in thread
From: Tom Seewald @ 2021-04-16 20:53 UTC (permalink / raw)
To: stable
Cc: Shuah Khan, syzbot+a93fba6d384346a761e3, Greg Kroah-Hartman,
Tom Seewald, Valentina Manea, Shuah Khan
From: Shuah Khan <skhan@linuxfoundation.org>
commit 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814 upstream.
Fuzzing uncovered race condition between sysfs code paths in usbip
drivers. Device connect/disconnect code paths initiated through
sysfs interface are prone to races if disconnect happens during
connect and vice versa.
Use sysfs_lock to synchronize event handler with sysfs paths
in usbip drivers.
Cc: stable@vger.kernel.org # 4.9.x
Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/c5c8723d3f29dfe3d759cfaafa7dd16b0dfe2918.1616807117.git.skhan@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tom Seewald <tseewald@gmail.com>
---
drivers/usb/usbip/usbip_event.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/usbip/usbip_event.c b/drivers/usb/usbip/usbip_event.c
index f8f7f3803a99..01eaae1f265b 100644
--- a/drivers/usb/usbip/usbip_event.c
+++ b/drivers/usb/usbip/usbip_event.c
@@ -84,6 +84,7 @@ static void event_handler(struct work_struct *work)
while ((ud = get_event()) != NULL) {
usbip_dbg_eh("pending event %lx\n", ud->event);
+ mutex_lock(&ud->sysfs_lock);
/*
* NOTE: shutdown must come first.
* Shutdown the device.
@@ -104,6 +105,7 @@ static void event_handler(struct work_struct *work)
ud->eh_ops.unusable(ud);
unset_event(ud, USBIP_EH_UNUSABLE);
}
+ mutex_unlock(&ud->sysfs_lock);
wake_up(&ud->eh_waitq);
}
--
2.20.1
^ permalink raw reply related [flat|nested] 12+ messages in thread* Re: [PATCH 4/4] usbip: synchronize event handler with sysfs code paths
2021-04-16 20:53 ` [PATCH 4/4] usbip: synchronize event handler with " Tom Seewald
@ 2021-04-16 21:45 ` Shuah Khan
0 siblings, 0 replies; 12+ messages in thread
From: Shuah Khan @ 2021-04-16 21:45 UTC (permalink / raw)
To: Tom Seewald, Greg Kroah-Hartman
Cc: syzbot+a93fba6d384346a761e3, Valentina Manea, Shuah Khan, stable,
Shuah Khan
On 4/16/21 2:53 PM, Tom Seewald wrote:
> From: Shuah Khan <skhan@linuxfoundation.org>
>
> commit 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814 upstream.
>
> Fuzzing uncovered race condition between sysfs code paths in usbip
> drivers. Device connect/disconnect code paths initiated through
> sysfs interface are prone to races if disconnect happens during
> connect and vice versa.
>
> Use sysfs_lock to synchronize event handler with sysfs paths
> in usbip drivers.
>
> Cc: stable@vger.kernel.org # 4.9.x
> Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
> Link: https://lore.kernel.org/r/c5c8723d3f29dfe3d759cfaafa7dd16b0dfe2918.1616807117.git.skhan@linuxfoundation.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Tom Seewald <tseewald@gmail.com>
> ---
> drivers/usb/usbip/usbip_event.c | 2 ++
> 1 file changed, 2 insertions(+)
>
Thank you for the backport.
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Greg, please pick this up for 4.9.x
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths
2021-04-16 20:53 [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths Tom Seewald
` (2 preceding siblings ...)
2021-04-16 20:53 ` [PATCH 4/4] usbip: synchronize event handler with " Tom Seewald
@ 2021-04-16 21:43 ` Shuah Khan
2021-04-19 12:23 ` Greg Kroah-Hartman
3 siblings, 1 reply; 12+ messages in thread
From: Shuah Khan @ 2021-04-16 21:43 UTC (permalink / raw)
To: Tom Seewald, Greg Kroah-Hartman
Cc: syzbot+a93fba6d384346a761e3, Valentina Manea, Shuah Khan,
Shuah Khan, stable
On 4/16/21 2:53 PM, Tom Seewald wrote:
> From: Shuah Khan <skhan@linuxfoundation.org>
>
> commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream.
>
> Fuzzing uncovered race condition between sysfs code paths in usbip
> drivers. Device connect/disconnect code paths initiated through
> sysfs interface are prone to races if disconnect happens during
> connect and vice versa.
>
> This problem is common to all drivers while it can be reproduced easily
> in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
>
> Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host
> and usip-vudc drivers and the event handler will have to use this lock to
> protect the paths. These changes will be done in subsequent patches.
>
> Cc: stable@vger.kernel.org # 4.9.x
> Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
> Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Tom Seewald <tseewald@gmail.com>
> ---
> drivers/usb/usbip/usbip_common.h | 3 +++
> drivers/usb/usbip/vhci_hcd.c | 1 +
> drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++-----
> 3 files changed, 29 insertions(+), 5 deletions(-)
>
Thank you for the backport.
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Greg, please pick this up for 4.9.x
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths
2021-04-16 21:43 ` [PATCH 1/4] usbip: add sysfs_lock to synchronize " Shuah Khan
@ 2021-04-19 12:23 ` Greg Kroah-Hartman
2021-04-19 21:42 ` Shuah Khan
0 siblings, 1 reply; 12+ messages in thread
From: Greg Kroah-Hartman @ 2021-04-19 12:23 UTC (permalink / raw)
To: Shuah Khan
Cc: Tom Seewald, syzbot+a93fba6d384346a761e3, Valentina Manea,
Shuah Khan, stable
On Fri, Apr 16, 2021 at 03:43:45PM -0600, Shuah Khan wrote:
> On 4/16/21 2:53 PM, Tom Seewald wrote:
> > From: Shuah Khan <skhan@linuxfoundation.org>
> >
> > commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream.
> >
> > Fuzzing uncovered race condition between sysfs code paths in usbip
> > drivers. Device connect/disconnect code paths initiated through
> > sysfs interface are prone to races if disconnect happens during
> > connect and vice versa.
> >
> > This problem is common to all drivers while it can be reproduced easily
> > in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
> >
> > Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host
> > and usip-vudc drivers and the event handler will have to use this lock to
> > protect the paths. These changes will be done in subsequent patches.
> >
> > Cc: stable@vger.kernel.org # 4.9.x
> > Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
> > Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
> > Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Signed-off-by: Tom Seewald <tseewald@gmail.com>
> > ---
> > drivers/usb/usbip/usbip_common.h | 3 +++
> > drivers/usb/usbip/vhci_hcd.c | 1 +
> > drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++-----
> > 3 files changed, 29 insertions(+), 5 deletions(-)
> >
>
> Thank you for the backport.
>
> Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
>
> Greg, please pick this up for 4.9.x
Also for 4.14.y, right?
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths
2021-04-19 12:23 ` Greg Kroah-Hartman
@ 2021-04-19 21:42 ` Shuah Khan
2021-04-20 7:30 ` Greg Kroah-Hartman
0 siblings, 1 reply; 12+ messages in thread
From: Shuah Khan @ 2021-04-19 21:42 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Tom Seewald, syzbot+a93fba6d384346a761e3, Valentina Manea,
Shuah Khan, stable, Shuah Khan
On 4/19/21 6:23 AM, Greg Kroah-Hartman wrote:
> On Fri, Apr 16, 2021 at 03:43:45PM -0600, Shuah Khan wrote:
>> On 4/16/21 2:53 PM, Tom Seewald wrote:
>>> From: Shuah Khan <skhan@linuxfoundation.org>
>>>
>>> commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream.
>>>
>>> Fuzzing uncovered race condition between sysfs code paths in usbip
>>> drivers. Device connect/disconnect code paths initiated through
>>> sysfs interface are prone to races if disconnect happens during
>>> connect and vice versa.
>>>
>>> This problem is common to all drivers while it can be reproduced easily
>>> in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
>>>
>>> Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host
>>> and usip-vudc drivers and the event handler will have to use this lock to
>>> protect the paths. These changes will be done in subsequent patches.
>>>
>>> Cc: stable@vger.kernel.org # 4.9.x
>>> Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
>>> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
>>> Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>> Signed-off-by: Tom Seewald <tseewald@gmail.com>
>>> ---
>>> drivers/usb/usbip/usbip_common.h | 3 +++
>>> drivers/usb/usbip/vhci_hcd.c | 1 +
>>> drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++-----
>>> 3 files changed, 29 insertions(+), 5 deletions(-)
>>>
>>
>> Thank you for the backport.
>>
>> Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
>>
>> Greg, please pick this up for 4.9.x
>
> Also for 4.14.y, right?
>
It made it into 4.14 already. We are good with 4.14.y
5f2a149564ee2b41ab09e90add21153bd5be64d3
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths
2021-04-19 21:42 ` Shuah Khan
@ 2021-04-20 7:30 ` Greg Kroah-Hartman
0 siblings, 0 replies; 12+ messages in thread
From: Greg Kroah-Hartman @ 2021-04-20 7:30 UTC (permalink / raw)
To: Shuah Khan
Cc: Tom Seewald, syzbot+a93fba6d384346a761e3, Valentina Manea,
Shuah Khan, stable
On Mon, Apr 19, 2021 at 03:42:06PM -0600, Shuah Khan wrote:
> On 4/19/21 6:23 AM, Greg Kroah-Hartman wrote:
> > On Fri, Apr 16, 2021 at 03:43:45PM -0600, Shuah Khan wrote:
> > > On 4/16/21 2:53 PM, Tom Seewald wrote:
> > > > From: Shuah Khan <skhan@linuxfoundation.org>
> > > >
> > > > commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream.
> > > >
> > > > Fuzzing uncovered race condition between sysfs code paths in usbip
> > > > drivers. Device connect/disconnect code paths initiated through
> > > > sysfs interface are prone to races if disconnect happens during
> > > > connect and vice versa.
> > > >
> > > > This problem is common to all drivers while it can be reproduced easily
> > > > in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
> > > >
> > > > Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host
> > > > and usip-vudc drivers and the event handler will have to use this lock to
> > > > protect the paths. These changes will be done in subsequent patches.
> > > >
> > > > Cc: stable@vger.kernel.org # 4.9.x
> > > > Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
> > > > Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
> > > > Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org
> > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > > Signed-off-by: Tom Seewald <tseewald@gmail.com>
> > > > ---
> > > > drivers/usb/usbip/usbip_common.h | 3 +++
> > > > drivers/usb/usbip/vhci_hcd.c | 1 +
> > > > drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++-----
> > > > 3 files changed, 29 insertions(+), 5 deletions(-)
> > > >
> > >
> > > Thank you for the backport.
> > >
> > > Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
> > >
> > > Greg, please pick this up for 4.9.x
> >
> > Also for 4.14.y, right?
> >
>
> It made it into 4.14 already. We are good with 4.14.y
>
> 5f2a149564ee2b41ab09e90add21153bd5be64d3
Ugh, sorry, my fault, I hadn't updated my "what was released in what
stable version" on my laptop that I was working from yesterday. They
are obviously all merged in 4.14 :(
Thanks for this.
greg k-h
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 0/4] usbip synchronize sysfs code paths
@ 2021-03-30 1:36 Shuah Khan
2021-03-30 1:36 ` [PATCH 1/4] usbip: add sysfs_lock to " Shuah Khan
0 siblings, 1 reply; 12+ messages in thread
From: Shuah Khan @ 2021-03-30 1:36 UTC (permalink / raw)
To: valentina.manea.m, shuah, gregkh; +Cc: Shuah Khan, linux-usb, linux-kernel
Fuzzing uncovered race condition between sysfs code paths in usbip
drivers. Device connect/disconnect code paths initiated through
sysfs interface are prone to races if disconnect happens during
connect and vice versa.
This problem is common to all drivers while it can be reproduced easily
in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
For a complete fix, all usbip drivers have to use sysfs_lock to protect
sysfs code paths and common event handler will have to use this lock to
synchonize with the sysfs paths in drivers.
This patch series adds sysfs_lock and uses it in vhci_hcd in the first
patch. Subsequent patches fix usbip_host, vudc and the last patch fixes
the common event handler code path.
Shuah Khan (4):
usbip: add sysfs_lock to synchronize sysfs code paths
usbip: stub-dev synchronize sysfs code paths
usbip: vudc synchronize sysfs code paths
usbip: synchronize event handler with sysfs code paths
drivers/usb/usbip/stub_dev.c | 11 +++++++++--
drivers/usb/usbip/usbip_common.h | 3 +++
drivers/usb/usbip/usbip_event.c | 2 ++
drivers/usb/usbip/vhci_hcd.c | 1 +
drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++-----
drivers/usb/usbip/vudc_dev.c | 1 +
drivers/usb/usbip/vudc_sysfs.c | 5 +++++
7 files changed, 46 insertions(+), 7 deletions(-)
--
2.27.0
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths
2021-03-30 1:36 [PATCH 0/4] usbip " Shuah Khan
@ 2021-03-30 1:36 ` Shuah Khan
0 siblings, 0 replies; 12+ messages in thread
From: Shuah Khan @ 2021-03-30 1:36 UTC (permalink / raw)
To: valentina.manea.m, shuah, gregkh
Cc: Shuah Khan, linux-usb, linux-kernel, syzbot+a93fba6d384346a761e3, stable
Fuzzing uncovered race condition between sysfs code paths in usbip
drivers. Device connect/disconnect code paths initiated through
sysfs interface are prone to races if disconnect happens during
connect and vice versa.
This problem is common to all drivers while it can be reproduced easily
in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host
and usip-vudc drivers and the event handler will have to use this lock to
protect the paths. These changes will be done in subsequent patches.
Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
---
drivers/usb/usbip/usbip_common.h | 3 +++
drivers/usb/usbip/vhci_hcd.c | 1 +
drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++-----
3 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
index d60ce17d3dd2..ea2a20e6d27d 100644
--- a/drivers/usb/usbip/usbip_common.h
+++ b/drivers/usb/usbip/usbip_common.h
@@ -263,6 +263,9 @@ struct usbip_device {
/* lock for status */
spinlock_t lock;
+ /* mutex for synchronizing sysfs store paths */
+ struct mutex sysfs_lock;
+
int sockfd;
struct socket *tcp_socket;
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index a20a8380ca0c..4ba6bcdaa8e9 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -1101,6 +1101,7 @@ static void vhci_device_init(struct vhci_device *vdev)
vdev->ud.side = USBIP_VHCI;
vdev->ud.status = VDEV_ST_NULL;
spin_lock_init(&vdev->ud.lock);
+ mutex_init(&vdev->ud.sysfs_lock);
INIT_LIST_HEAD(&vdev->priv_rx);
INIT_LIST_HEAD(&vdev->priv_tx);
diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
index c4b4256e5dad..e2847cd3e6e3 100644
--- a/drivers/usb/usbip/vhci_sysfs.c
+++ b/drivers/usb/usbip/vhci_sysfs.c
@@ -185,6 +185,8 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport)
usbip_dbg_vhci_sysfs("enter\n");
+ mutex_lock(&vdev->ud.sysfs_lock);
+
/* lock */
spin_lock_irqsave(&vhci->lock, flags);
spin_lock(&vdev->ud.lock);
@@ -195,6 +197,7 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport)
/* unlock */
spin_unlock(&vdev->ud.lock);
spin_unlock_irqrestore(&vhci->lock, flags);
+ mutex_unlock(&vdev->ud.sysfs_lock);
return -EINVAL;
}
@@ -205,6 +208,8 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport)
usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN);
+ mutex_unlock(&vdev->ud.sysfs_lock);
+
return 0;
}
@@ -349,30 +354,36 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr,
else
vdev = &vhci->vhci_hcd_hs->vdev[rhport];
+ mutex_lock(&vdev->ud.sysfs_lock);
+
/* Extract socket from fd. */
socket = sockfd_lookup(sockfd, &err);
if (!socket) {
dev_err(dev, "failed to lookup sock");
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
if (socket->type != SOCK_STREAM) {
dev_err(dev, "Expecting SOCK_STREAM - found %d",
socket->type);
sockfd_put(socket);
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
/* create threads before locking */
tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx");
if (IS_ERR(tcp_rx)) {
sockfd_put(socket);
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx");
if (IS_ERR(tcp_tx)) {
kthread_stop(tcp_rx);
sockfd_put(socket);
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock_mutex;
}
/* get task structs now */
@@ -397,7 +408,8 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr,
* Will be retried from userspace
* if there's another free port.
*/
- return -EBUSY;
+ err = -EBUSY;
+ goto unlock_mutex;
}
dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n",
@@ -423,7 +435,15 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr,
rh_port_connect(vdev, speed);
+ dev_info(dev, "Device attached\n");
+
+ mutex_unlock(&vdev->ud.sysfs_lock);
+
return count;
+
+unlock_mutex:
+ mutex_unlock(&vdev->ud.sysfs_lock);
+ return err;
}
static DEVICE_ATTR_WO(attach);
--
2.27.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
end of thread, other threads:[~2021-04-20 7:30 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-16 20:53 [PATCH 1/4] usbip: add sysfs_lock to synchronize sysfs code paths Tom Seewald
2021-04-16 20:53 ` [PATCH 2/4] usbip: stub-dev " Tom Seewald
2021-04-16 21:44 ` Shuah Khan
2021-04-16 20:53 ` [PATCH 3/4] usbip: vudc " Tom Seewald
2021-04-16 21:45 ` Shuah Khan
2021-04-16 20:53 ` [PATCH 4/4] usbip: synchronize event handler with " Tom Seewald
2021-04-16 21:45 ` Shuah Khan
2021-04-16 21:43 ` [PATCH 1/4] usbip: add sysfs_lock to synchronize " Shuah Khan
2021-04-19 12:23 ` Greg Kroah-Hartman
2021-04-19 21:42 ` Shuah Khan
2021-04-20 7:30 ` Greg Kroah-Hartman
-- strict thread matches above, loose matches on Subject: below --
2021-03-30 1:36 [PATCH 0/4] usbip " Shuah Khan
2021-03-30 1:36 ` [PATCH 1/4] usbip: add sysfs_lock to " Shuah Khan
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.