linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] usblp: poison URBs upon disconnect
@ 2020-05-07  8:58 Oliver Neukum
  2020-05-15 20:31 ` Pete Zaitcev
  0 siblings, 1 reply; 3+ messages in thread
From: Oliver Neukum @ 2020-05-07  8:58 UTC (permalink / raw)
  To: zaitcev, gregkh, linux-usb; +Cc: Oliver Neukum

syzkaller reported an URB that should have been killed to be active.
We do not understand it, but this should fix the issue if it is real.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com
---
 drivers/usb/class/usblp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
index 0d8e3f3804a3..084c48c5848f 100644
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -468,7 +468,8 @@ static int usblp_release(struct inode *inode, struct file *file)
 	usb_autopm_put_interface(usblp->intf);
 
 	if (!usblp->present)		/* finish cleanup from disconnect */
-		usblp_cleanup(usblp);
+		usblp_cleanup(usblp);	/* any URBs must be dead */
+
 	mutex_unlock(&usblp_mutex);
 	return 0;
 }
@@ -1375,9 +1376,11 @@ static void usblp_disconnect(struct usb_interface *intf)
 
 	usblp_unlink_urbs(usblp);
 	mutex_unlock(&usblp->mut);
+	usb_poison_anchored_urbs(&usblp->urbs);
 
 	if (!usblp->used)
 		usblp_cleanup(usblp);
+
 	mutex_unlock(&usblp_mutex);
 }
 
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] usblp: poison URBs upon disconnect
  2020-05-07  8:58 [PATCH] usblp: poison URBs upon disconnect Oliver Neukum
@ 2020-05-15 20:31 ` Pete Zaitcev
  2020-05-18  7:53   ` Oliver Neukum
  0 siblings, 1 reply; 3+ messages in thread
From: Pete Zaitcev @ 2020-05-15 20:31 UTC (permalink / raw)
  To: Oliver Neukum; +Cc: gregkh, linux-usb, Alan Stern, zaitcev

On Thu,  7 May 2020 10:58:06 +0200
Oliver Neukum <oneukum@suse.com> wrote:

> syzkaller reported an URB that should have been killed to be active.
> We do not understand it, but this should fix the issue if it is real.

> @@ -1375,9 +1376,11 @@ static void usblp_disconnect(struct usb_interface *intf)
>  
>  	usblp_unlink_urbs(usblp);
>  	mutex_unlock(&usblp->mut);
> +	usb_poison_anchored_urbs(&usblp->urbs);
>  
>  	if (!usblp->used)
>  		usblp_cleanup(usblp);
>  	mutex_unlock(&usblp_mutex);
>  }

Sorry, it took me this long to think about it. I am against the duplication
of effort between usblp_unlink_urbs, which is exactly usb_kill_anchored_urbs,
and usb_poison_anchored_urbs. If you think that poisoning may help against
what the bot identified, we may try this instead:

diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
index 0d8e3f3804a3..eae5eaf5d4f1 100644
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -1373,7 +1373,7 @@ static void usblp_disconnect(struct usb_interface *intf)
        wake_up(&usblp->rwait);
        usb_set_intfdata(intf, NULL);
 
-       usblp_unlink_urbs(usblp);
+       usb_poison_anchored_urbs(&usblp->urbs);
        mutex_unlock(&usblp->mut);
 
        if (!usblp->used)

I'm still concerned that we didn't identify the scenario tht led to bot's
findings.

The usblp->present was supposed to play a role of the poison pill, at the
driver level. The difference with poisoning the anchor is that ->present
is protected by the most outlying mutex, and therefore cannot be meaninfully
checked in URB callbacks. But the anchor's poison flag is protected by a
spinlock, so callbacks check it. But what does it matter for us? This driver
does not re-submit URBs from callbacks.

So, I'm suspicious of attempts to hit at the problem in the dark and hope
for a miracle.

-- Pete


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] usblp: poison URBs upon disconnect
  2020-05-15 20:31 ` Pete Zaitcev
@ 2020-05-18  7:53   ` Oliver Neukum
  0 siblings, 0 replies; 3+ messages in thread
From: Oliver Neukum @ 2020-05-18  7:53 UTC (permalink / raw)
  To: Pete Zaitcev; +Cc: gregkh, linux-usb, Alan Stern

Am Freitag, den 15.05.2020, 15:31 -0500 schrieb Pete Zaitcev:
> 
> and usb_poison_anchored_urbs. If you think that poisoning may help against
> what the bot identified, we may try this instead:

Sure. Would you send in a patch?

> I'm still concerned that we didn't identify the scenario tht led to bot's
> findings.

So am I. Yet as far as I can tell the code of usblp is correct. Even
worse, it is casting doubt on our testing framework.

> The usblp->present was supposed to play a role of the poison pill, at the
> driver level. The difference with poisoning the anchor is that ->present
> is protected by the most outlying mutex, and therefore cannot be meaninfully
> checked in URB callbacks. But the anchor's poison flag is protected by a
> spinlock, so callbacks check it. But what does it matter for us? This driver
> does not re-submit URBs from callbacks.

It also makes resubmission impossible. In fact, considering that, we
might better poison before we go for usblp->present.

> So, I'm suspicious of attempts to hit at the problem in the dark and hope
> for a miracle.

Right. The only thing worse would be doing nothing. At the risk of
repeating myself, usblp looks correct to me.

	Regards
		Oliver


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-05-18  7:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-07  8:58 [PATCH] usblp: poison URBs upon disconnect Oliver Neukum
2020-05-15 20:31 ` Pete Zaitcev
2020-05-18  7:53   ` Oliver Neukum

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).