Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups
@ 2019-10-09 10:48 Johan Hovold
  2019-10-09 10:48 ` [PATCH 1/6] USB: iowarrior: fix use-after-free on disconnect Johan Hovold
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: Johan Hovold @ 2019-10-09 10:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Oliver Neukum, Valentin Vidic, linux-usb, linux-kernel, Johan Hovold

This series fixes a use-after-free bug introduced by a recent
disconnect-deadlock fix that was reported by syzbot. Turns out there was
already a related bug in the driver, and the first patch addresses both
issues.

While looking at the code I found two more use-after-free bugs, which
the next two patches fix.

The next two clean up the driver by dropping two redundant locks.

Tested using a mockup device.

Johan


Johan Hovold (6):
  USB: iowarrior: fix use-after-free on disconnect
  USB: iowarrior: fix use-after-free on release
  USB: iowarrior: fix use-after-free after driver unbind
  USB: iowarrior: drop redundant disconnect mutex
  USB: iowarrior: drop redundant iowarrior mutex
  USB: iowarrior: use pr_err()

 drivers/usb/misc/iowarrior.c | 48 +++++++++++-------------------------
 1 file changed, 15 insertions(+), 33 deletions(-)

-- 
2.23.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 1/6] USB: iowarrior: fix use-after-free on disconnect
  2019-10-09 10:48 [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Johan Hovold
@ 2019-10-09 10:48 ` Johan Hovold
  2019-10-09 10:48 ` [PATCH 2/6] USB: iowarrior: fix use-after-free on release Johan Hovold
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Johan Hovold @ 2019-10-09 10:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Oliver Neukum, Valentin Vidic, linux-usb, linux-kernel,
	Johan Hovold, stable, syzbot+0761012cebf7bdb38137

A recent fix addressing a deadlock on disconnect introduced a new bug
by moving the present flag out of the critical section protected by the
driver-data mutex. This could lead to a racing release() freeing the
driver data before disconnect() is done with it.

Due to insufficient locking a related use-after-free could be triggered
also before the above mentioned commit. Specifically, the driver needs
to hold the driver-data mutex also while checking the opened flag at
disconnect().

Fixes: c468a8aa790e ("usb: iowarrior: fix deadlock on disconnect")
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Cc: stable <stable@vger.kernel.org>	# 2.6.21
Reported-by: syzbot+0761012cebf7bdb38137@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/misc/iowarrior.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index f5bed9f29e56..4fe1d3267b3c 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -866,8 +866,6 @@ static void iowarrior_disconnect(struct usb_interface *interface)
 	dev = usb_get_intfdata(interface);
 	mutex_lock(&iowarrior_open_disc_lock);
 	usb_set_intfdata(interface, NULL);
-	/* prevent device read, write and ioctl */
-	dev->present = 0;
 
 	minor = dev->minor;
 	mutex_unlock(&iowarrior_open_disc_lock);
@@ -878,8 +876,7 @@ static void iowarrior_disconnect(struct usb_interface *interface)
 	mutex_lock(&dev->mutex);
 
 	/* prevent device read, write and ioctl */
-
-	mutex_unlock(&dev->mutex);
+	dev->present = 0;
 
 	if (dev->opened) {
 		/* There is a process that holds a filedescriptor to the device ,
@@ -889,8 +886,10 @@ static void iowarrior_disconnect(struct usb_interface *interface)
 		usb_kill_urb(dev->int_in_urb);
 		wake_up_interruptible(&dev->read_wait);
 		wake_up_interruptible(&dev->write_wait);
+		mutex_unlock(&dev->mutex);
 	} else {
 		/* no process is using the device, cleanup now */
+		mutex_unlock(&dev->mutex);
 		iowarrior_delete(dev);
 	}
 
-- 
2.23.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 2/6] USB: iowarrior: fix use-after-free on release
  2019-10-09 10:48 [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Johan Hovold
  2019-10-09 10:48 ` [PATCH 1/6] USB: iowarrior: fix use-after-free on disconnect Johan Hovold
@ 2019-10-09 10:48 ` Johan Hovold
  2019-10-09 10:48 ` [PATCH 3/6] USB: iowarrior: fix use-after-free after driver unbind Johan Hovold
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Johan Hovold @ 2019-10-09 10:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Oliver Neukum, Valentin Vidic, linux-usb, linux-kernel,
	Johan Hovold, stable

The driver was accessing its struct usb_interface from its release()
callback without holding a reference. This would lead to a
use-after-free whenever debugging was enabled and the device was
disconnected while its character device was open.

Fixes: 549e83500b80 ("USB: iowarrior: Convert local dbg macro to dev_dbg")
Cc: stable <stable@vger.kernel.org>     # 3.16
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/misc/iowarrior.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index 4fe1d3267b3c..6841267820c6 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -243,6 +243,7 @@ static inline void iowarrior_delete(struct iowarrior *dev)
 	kfree(dev->int_in_buffer);
 	usb_free_urb(dev->int_in_urb);
 	kfree(dev->read_queue);
+	usb_put_intf(dev->interface);
 	kfree(dev);
 }
 
@@ -764,7 +765,7 @@ static int iowarrior_probe(struct usb_interface *interface,
 	init_waitqueue_head(&dev->write_wait);
 
 	dev->udev = udev;
-	dev->interface = interface;
+	dev->interface = usb_get_intf(interface);
 
 	iface_desc = interface->cur_altsetting;
 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
-- 
2.23.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 3/6] USB: iowarrior: fix use-after-free after driver unbind
  2019-10-09 10:48 [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Johan Hovold
  2019-10-09 10:48 ` [PATCH 1/6] USB: iowarrior: fix use-after-free on disconnect Johan Hovold
  2019-10-09 10:48 ` [PATCH 2/6] USB: iowarrior: fix use-after-free on release Johan Hovold
@ 2019-10-09 10:48 ` Johan Hovold
  2019-10-09 10:48 ` [PATCH 4/6] USB: iowarrior: drop redundant disconnect mutex Johan Hovold
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Johan Hovold @ 2019-10-09 10:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Oliver Neukum, Valentin Vidic, linux-usb, linux-kernel,
	Johan Hovold, stable

Make sure to stop also the asynchronous write URBs on disconnect() to
avoid use-after-free in the completion handler after driver unbind.

Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Cc: stable <stable@vger.kernel.org>	# 2.6.21: 51a2f077c44e ("USB: introduce usb_anchor")
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/misc/iowarrior.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index 6841267820c6..f405fa734bcc 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -87,6 +87,7 @@ struct iowarrior {
 	char chip_serial[9];		/* the serial number string of the chip connected */
 	int report_size;		/* number of bytes in a report */
 	u16 product_id;
+	struct usb_anchor submitted;
 };
 
 /*--------------*/
@@ -425,11 +426,13 @@ static ssize_t iowarrior_write(struct file *file,
 			retval = -EFAULT;
 			goto error;
 		}
+		usb_anchor_urb(int_out_urb, &dev->submitted);
 		retval = usb_submit_urb(int_out_urb, GFP_KERNEL);
 		if (retval) {
 			dev_dbg(&dev->interface->dev,
 				"submit error %d for urb nr.%d\n",
 				retval, atomic_read(&dev->write_busy));
+			usb_unanchor_urb(int_out_urb);
 			goto error;
 		}
 		/* submit was ok */
@@ -770,6 +773,8 @@ static int iowarrior_probe(struct usb_interface *interface,
 	iface_desc = interface->cur_altsetting;
 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
 
+	init_usb_anchor(&dev->submitted);
+
 	res = usb_find_last_int_in_endpoint(iface_desc, &dev->int_in_endpoint);
 	if (res) {
 		dev_err(&interface->dev, "no interrupt-in endpoint found\n");
@@ -885,6 +890,7 @@ static void iowarrior_disconnect(struct usb_interface *interface)
 		   Deleting the device is postponed until close() was called.
 		 */
 		usb_kill_urb(dev->int_in_urb);
+		usb_kill_anchored_urbs(&dev->submitted);
 		wake_up_interruptible(&dev->read_wait);
 		wake_up_interruptible(&dev->write_wait);
 		mutex_unlock(&dev->mutex);
-- 
2.23.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 4/6] USB: iowarrior: drop redundant disconnect mutex
  2019-10-09 10:48 [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Johan Hovold
                   ` (2 preceding siblings ...)
  2019-10-09 10:48 ` [PATCH 3/6] USB: iowarrior: fix use-after-free after driver unbind Johan Hovold
@ 2019-10-09 10:48 ` Johan Hovold
  2019-10-09 10:48 ` [PATCH 5/6] USB: iowarrior: drop redundant iowarrior mutex Johan Hovold
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Johan Hovold @ 2019-10-09 10:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Oliver Neukum, Valentin Vidic, linux-usb, linux-kernel, Johan Hovold

Drop the redundant disconnect mutex which was introduced after the
open-disconnect race had been addressed generally in USB core by commit
d4ead16f50f9 ("USB: prevent char device open/deregister race").

Specifically, the rw-semaphore in core guarantees that all calls to
open() will have completed and that no new calls to open() will occur
after usb_deregister_dev() returns. Hence there is no need use the
driver data as an inverted disconnected flag.

Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/misc/iowarrior.c | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index f405fa734bcc..d844c2098e42 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -58,7 +58,6 @@ MODULE_LICENSE("GPL");
 static DEFINE_MUTEX(iowarrior_mutex);
 
 static struct usb_driver iowarrior_driver;
-static DEFINE_MUTEX(iowarrior_open_disc_lock);
 
 /*--------------*/
 /*     data     */
@@ -601,16 +600,13 @@ static int iowarrior_open(struct inode *inode, struct file *file)
 		return -ENODEV;
 	}
 
-	mutex_lock(&iowarrior_open_disc_lock);
 	dev = usb_get_intfdata(interface);
 	if (!dev) {
-		mutex_unlock(&iowarrior_open_disc_lock);
 		mutex_unlock(&iowarrior_mutex);
 		return -ENODEV;
 	}
 
 	mutex_lock(&dev->mutex);
-	mutex_unlock(&iowarrior_open_disc_lock);
 
 	/* Only one process can open each device, no sharing. */
 	if (dev->opened) {
@@ -842,7 +838,6 @@ static int iowarrior_probe(struct usb_interface *interface,
 	if (retval) {
 		/* something prevented us from registering this driver */
 		dev_err(&interface->dev, "Not able to get a minor for this device.\n");
-		usb_set_intfdata(interface, NULL);
 		goto error;
 	}
 
@@ -866,16 +861,8 @@ static int iowarrior_probe(struct usb_interface *interface,
  */
 static void iowarrior_disconnect(struct usb_interface *interface)
 {
-	struct iowarrior *dev;
-	int minor;
-
-	dev = usb_get_intfdata(interface);
-	mutex_lock(&iowarrior_open_disc_lock);
-	usb_set_intfdata(interface, NULL);
-
-	minor = dev->minor;
-	mutex_unlock(&iowarrior_open_disc_lock);
-	/* give back our minor - this will call close() locks need to be dropped at this point*/
+	struct iowarrior *dev = usb_get_intfdata(interface);
+	int minor = dev->minor;
 
 	usb_deregister_dev(interface, &iowarrior_class);
 
-- 
2.23.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 5/6] USB: iowarrior: drop redundant iowarrior mutex
  2019-10-09 10:48 [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Johan Hovold
                   ` (3 preceding siblings ...)
  2019-10-09 10:48 ` [PATCH 4/6] USB: iowarrior: drop redundant disconnect mutex Johan Hovold
@ 2019-10-09 10:48 ` Johan Hovold
  2019-10-09 10:48 ` [PATCH 6/6] USB: iowarrior: use pr_err() Johan Hovold
  2019-10-10 10:45 ` [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Greg Kroah-Hartman
  6 siblings, 0 replies; 8+ messages in thread
From: Johan Hovold @ 2019-10-09 10:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Oliver Neukum, Valentin Vidic, linux-usb, linux-kernel, Johan Hovold

Drop the redundant iowarrior mutex introduced by commit 925ce689bb31
("USB: autoconvert trivial BKL users to private mutex") which replaced
an earlier BKL use.

The lock serialised calls to open() against other open() and ioctl(),
but neither is needed.

Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/misc/iowarrior.c | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index d844c2098e42..ad29ef51e53f 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -54,9 +54,6 @@ MODULE_AUTHOR(DRIVER_AUTHOR);
 MODULE_DESCRIPTION(DRIVER_DESC);
 MODULE_LICENSE("GPL");
 
-/* Module parameters */
-static DEFINE_MUTEX(iowarrior_mutex);
-
 static struct usb_driver iowarrior_driver;
 
 /*--------------*/
@@ -480,8 +477,6 @@ static long iowarrior_ioctl(struct file *file, unsigned int cmd,
 	if (!buffer)
 		return -ENOMEM;
 
-	/* lock this object */
-	mutex_lock(&iowarrior_mutex);
 	mutex_lock(&dev->mutex);
 
 	/* verify that the device wasn't unplugged */
@@ -574,7 +569,6 @@ static long iowarrior_ioctl(struct file *file, unsigned int cmd,
 error_out:
 	/* unlock the device */
 	mutex_unlock(&dev->mutex);
-	mutex_unlock(&iowarrior_mutex);
 	kfree(buffer);
 	return retval;
 }
@@ -589,22 +583,18 @@ static int iowarrior_open(struct inode *inode, struct file *file)
 	int subminor;
 	int retval = 0;
 
-	mutex_lock(&iowarrior_mutex);
 	subminor = iminor(inode);
 
 	interface = usb_find_interface(&iowarrior_driver, subminor);
 	if (!interface) {
-		mutex_unlock(&iowarrior_mutex);
 		printk(KERN_ERR "%s - error, can't find device for minor %d\n",
 		       __func__, subminor);
 		return -ENODEV;
 	}
 
 	dev = usb_get_intfdata(interface);
-	if (!dev) {
-		mutex_unlock(&iowarrior_mutex);
+	if (!dev)
 		return -ENODEV;
-	}
 
 	mutex_lock(&dev->mutex);
 
@@ -628,7 +618,6 @@ static int iowarrior_open(struct inode *inode, struct file *file)
 
 out:
 	mutex_unlock(&dev->mutex);
-	mutex_unlock(&iowarrior_mutex);
 	return retval;
 }
 
-- 
2.23.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 6/6] USB: iowarrior: use pr_err()
  2019-10-09 10:48 [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Johan Hovold
                   ` (4 preceding siblings ...)
  2019-10-09 10:48 ` [PATCH 5/6] USB: iowarrior: drop redundant iowarrior mutex Johan Hovold
@ 2019-10-09 10:48 ` Johan Hovold
  2019-10-10 10:45 ` [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Greg Kroah-Hartman
  6 siblings, 0 replies; 8+ messages in thread
From: Johan Hovold @ 2019-10-09 10:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Oliver Neukum, Valentin Vidic, linux-usb, linux-kernel, Johan Hovold

Replace the one remaining printk with pr_err().

Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/misc/iowarrior.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index ad29ef51e53f..dce44fbf031f 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -587,7 +587,7 @@ static int iowarrior_open(struct inode *inode, struct file *file)
 
 	interface = usb_find_interface(&iowarrior_driver, subminor);
 	if (!interface) {
-		printk(KERN_ERR "%s - error, can't find device for minor %d\n",
+		pr_err("%s - error, can't find device for minor %d\n",
 		       __func__, subminor);
 		return -ENODEV;
 	}
-- 
2.23.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups
  2019-10-09 10:48 [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Johan Hovold
                   ` (5 preceding siblings ...)
  2019-10-09 10:48 ` [PATCH 6/6] USB: iowarrior: use pr_err() Johan Hovold
@ 2019-10-10 10:45 ` Greg Kroah-Hartman
  6 siblings, 0 replies; 8+ messages in thread
From: Greg Kroah-Hartman @ 2019-10-10 10:45 UTC (permalink / raw)
  To: Johan Hovold; +Cc: Oliver Neukum, Valentin Vidic, linux-usb, linux-kernel

On Wed, Oct 09, 2019 at 12:48:40PM +0200, Johan Hovold wrote:
> This series fixes a use-after-free bug introduced by a recent
> disconnect-deadlock fix that was reported by syzbot. Turns out there was
> already a related bug in the driver, and the first patch addresses both
> issues.
> 
> While looking at the code I found two more use-after-free bugs, which
> the next two patches fix.
> 
> The next two clean up the driver by dropping two redundant locks.
> 
> Tested using a mockup device.

Thanks for these patches, now queued up.  I have one of these devices
(their new one) and need to fix the driver up to work with it, but I'll
start on that on top of these fixes :)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, back to index

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-09 10:48 [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Johan Hovold
2019-10-09 10:48 ` [PATCH 1/6] USB: iowarrior: fix use-after-free on disconnect Johan Hovold
2019-10-09 10:48 ` [PATCH 2/6] USB: iowarrior: fix use-after-free on release Johan Hovold
2019-10-09 10:48 ` [PATCH 3/6] USB: iowarrior: fix use-after-free after driver unbind Johan Hovold
2019-10-09 10:48 ` [PATCH 4/6] USB: iowarrior: drop redundant disconnect mutex Johan Hovold
2019-10-09 10:48 ` [PATCH 5/6] USB: iowarrior: drop redundant iowarrior mutex Johan Hovold
2019-10-09 10:48 ` [PATCH 6/6] USB: iowarrior: use pr_err() Johan Hovold
2019-10-10 10:45 ` [PATCH 0/6] USB: iowarrior: disconnect fixes and locking cleanups Greg Kroah-Hartman

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org linux-usb@archiver.kernel.org
	public-inbox-index linux-usb

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/ public-inbox