From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
Alan Stern <stern@rowland.harvard.edu>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [PATCH 61/61] usbfs: private mutex for open, release, and remove
Date: Tue, 31 Oct 2006 21:34:41 -0800 [thread overview]
Message-ID: <20061101054629.573680000@sous-sol.org> (raw)
In-Reply-To: 20061101053340.305569000@sous-sol.org
[-- Attachment #1: usbfs-private-mutex-for-open-release-and-remove.patch --]
[-- Type: text/plain, Size: 4681 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
The usbfs code doesn't provide sufficient mutual exclusion among open,
release, and remove. Release vs. remove is okay because they both
acquire the device lock, but open is not exclusive with either one. All
three routines modify the udev->filelist linked list, so they must not
run concurrently.
Apparently someone gave this a minimum amount of thought in the past by
explicitly acquiring the BKL at the start of the usbdev_open routine.
Oddly enough, there's a comment pointing out that locking is unnecessary
because chrdev_open already has acquired the BKL.
But this ignores the point that the files in /proc/bus/usb/* are not
char device files; they are regular files and so they don't get any
special locking. Furthermore it's necessary to acquire the same lock in
the release and remove routines, which the code does not do.
Yet another problem arises because the same file_operations structure is
accessible through both the /proc/bus/usb/* and /dev/usb/usbdev* file
nodes. Even when one of them has been removed, it's still possible for
userspace to open the other. So simple locking around the individual
remove routines is insufficient; we need to lock the entire
usb_notify_remove_device notifier chain.
Rather than rely on the BKL, this patch (as723) introduces a new private
mutex for the purpose. Holding the BKL while invoking a notifier chain
doesn't seem like a good idea.
Cc: Dave Jones <davej@redhat.com>
[https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212952]
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
drivers/usb/core/devio.c | 26 +++++++++++++++-----------
drivers/usb/core/notify.c | 3 +++
drivers/usb/core/usb.h | 1 +
3 files changed, 19 insertions(+), 11 deletions(-)
--- linux-2.6.18.1.orig/drivers/usb/core/devio.c
+++ linux-2.6.18.1/drivers/usb/core/devio.c
@@ -59,6 +59,9 @@
#define USB_DEVICE_MAX USB_MAXBUS * 128
static struct class *usb_device_class;
+/* Mutual exclusion for removal, open, and release */
+DEFINE_MUTEX(usbfs_mutex);
+
struct async {
struct list_head asynclist;
struct dev_state *ps;
@@ -541,15 +544,13 @@ static int usbdev_open(struct inode *ino
struct dev_state *ps;
int ret;
- /*
- * no locking necessary here, as chrdev_open has the kernel lock
- * (still acquire the kernel lock for safety)
- */
+ /* Protect against simultaneous removal or release */
+ mutex_lock(&usbfs_mutex);
+
ret = -ENOMEM;
if (!(ps = kmalloc(sizeof(struct dev_state), GFP_KERNEL)))
- goto out_nolock;
+ goto out;
- lock_kernel();
ret = -ENOENT;
/* check if we are called from a real node or usbfs */
if (imajor(inode) == USB_DEVICE_MAJOR)
@@ -579,9 +580,8 @@ static int usbdev_open(struct inode *ino
list_add_tail(&ps->list, &dev->filelist);
file->private_data = ps;
out:
- unlock_kernel();
- out_nolock:
- return ret;
+ mutex_unlock(&usbfs_mutex);
+ return ret;
}
static int usbdev_release(struct inode *inode, struct file *file)
@@ -591,7 +591,12 @@ static int usbdev_release(struct inode *
unsigned int ifnum;
usb_lock_device(dev);
+
+ /* Protect against simultaneous open */
+ mutex_lock(&usbfs_mutex);
list_del_init(&ps->list);
+ mutex_unlock(&usbfs_mutex);
+
for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
ifnum++) {
if (test_bit(ifnum, &ps->ifclaimed))
@@ -600,9 +605,8 @@ static int usbdev_release(struct inode *
destroy_all_async(ps);
usb_unlock_device(dev);
usb_put_dev(dev);
- ps->dev = NULL;
kfree(ps);
- return 0;
+ return 0;
}
static int proc_control(struct dev_state *ps, void __user *arg)
--- linux-2.6.18.1.orig/drivers/usb/core/notify.c
+++ linux-2.6.18.1/drivers/usb/core/notify.c
@@ -50,8 +50,11 @@ void usb_notify_add_device(struct usb_de
void usb_notify_remove_device(struct usb_device *udev)
{
+ /* Protect against simultaneous usbfs open */
+ mutex_lock(&usbfs_mutex);
blocking_notifier_call_chain(&usb_notifier_list,
USB_DEVICE_REMOVE, udev);
+ mutex_unlock(&usbfs_mutex);
}
void usb_notify_add_bus(struct usb_bus *ubus)
--- linux-2.6.18.1.orig/drivers/usb/core/usb.h
+++ linux-2.6.18.1/drivers/usb/core/usb.h
@@ -59,6 +59,7 @@ static inline int is_active(struct usb_i
extern const char *usbcore_name;
/* usbfs stuff */
+extern struct mutex usbfs_mutex;
extern struct usb_driver usbfs_driver;
extern struct file_operations usbfs_devices_fops;
extern struct file_operations usbfs_device_file_operations;
--
prev parent reply other threads:[~2006-11-01 5:52 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-01 5:33 [PATCH 00/61] 2.6.18-stable review Chris Wright
2006-11-01 5:33 ` [PATCH 01/61] [DECNET]: Fix sfuzz hanging on 2.6.18 Chris Wright
2006-11-01 5:33 ` [PATCH 02/61] splice: fix pipe_to_file() ->prepare_write() error path Chris Wright
2006-11-01 5:33 ` [PATCH 03/61] [S390] __div64_32 for 31 bit Chris Wright
2006-11-01 5:33 ` [PATCH 04/61] mm: fix a race condition under SMC + COW Chris Wright
2006-11-01 5:33 ` [PATCH 05/61] sky2: MSI test race and message Chris Wright
2006-11-01 5:33 ` [PATCH 06/61] sky2: pause parameter adjustment Chris Wright
2006-11-01 5:33 ` [PATCH 07/61] sky2: turn off PHY IRQ on shutdown Chris Wright
2006-11-01 5:33 ` [PATCH 08/61] ALSA: emu10k1: Fix outl() in snd_emu10k1_resume_regs() Chris Wright
2006-11-01 5:33 ` [PATCH 09/61] ALSA: powermac - Fix Oops when conflicting with aoa driver Chris Wright
2006-11-01 5:33 ` [PATCH 10/61] sound/pci/au88x0/au88x0.c: ioremap balanced with iounmap Chris Wright
2006-11-01 5:33 ` [PATCH 11/61] ALSA: Dereference after free in snd_hwdep_release() Chris Wright
2006-11-01 5:33 ` [PATCH 12/61] ALSA: Fix bug in snd-usb-usx2ys usX2Y_pcms_lock_check() Chris Wright
2006-11-01 5:33 ` [PATCH 13/61] ALSA: Repair snd-usb-usx2y for usb 2.6.18 Chris Wright
2006-11-01 5:33 ` [PATCH 14/61] sky2: accept multicast pause frames Chris Wright
2006-11-01 5:33 ` [PATCH 15/61] sky2: GMAC pause frame Chris Wright
2006-11-01 5:33 ` [PATCH 16/61] uml: fix processor selection to exclude unsupported processors and features Chris Wright
2006-11-01 5:33 ` [PATCH 17/61] SCSI: DAC960: PCI id table fixup Chris Wright
2006-11-01 5:33 ` [PATCH 18/61] Fix uninitialised spinlock in via-pmu-backlight code Chris Wright
2006-11-01 5:33 ` [PATCH 19/61] SERIAL: Fix resume handling bug Chris Wright
2006-11-01 5:34 ` [PATCH 20/61] SERIAL: Fix oops when removing suspended serial port Chris Wright
2006-11-01 5:34 ` [PATCH 21/61] Bluetooth: Check if DLC is still attached to the TTY Chris Wright
2006-11-01 5:34 ` [PATCH 22/61] JFS: pageno needs to be long Chris Wright
2006-11-01 5:34 ` [PATCH 23/61] SPARC64: Fix central/FHC bus handling on Ex000 systems Chris Wright
2006-11-01 5:34 ` [PATCH 24/61] SPARC64: Fix memory corruption in pci_4u_free_consistent() Chris Wright
2006-11-01 5:34 ` [PATCH 25/61] bcm43xx: fix watchdog timeouts Chris Wright
2006-11-01 15:13 ` John W. Linville
2006-11-01 5:34 ` [PATCH 26/61] DVB: fix dvb_pll_attach for mt352/zl10353 in cx88-dvb, and nxt200x Chris Wright
2006-11-01 5:34 ` [PATCH 27/61] ALSA: Fix re-use of va_list Chris Wright
2006-11-01 5:34 ` [PATCH 28/61] md: Fix bug where spares dont always get rebuilt properly when they become live Chris Wright
2006-11-01 5:34 ` [PATCH 29/61] md: Fix calculation of ->degraded for multipath and raid10 Chris Wright
2006-11-01 5:34 ` [PATCH 30/61] knfsd: Fix race that can disable NFS server Chris Wright
2006-11-01 7:11 ` Willy Tarreau
2006-11-04 21:06 ` Willy Tarreau
2006-11-05 23:55 ` Neil Brown
2006-11-06 4:11 ` Willy Tarreau
2006-11-01 5:34 ` [PATCH 31/61] SCSI: aic7xxx: avoid checking SBLKCTL register for certain cards Chris Wright
2006-11-01 5:34 ` [PATCH 32/61] IPoIB: Rejoin all multicast groups after a port event Chris Wright
2006-11-01 5:34 ` [PATCH 33/61] IB/mthca: Use mmiowb after doorbell ring Chris Wright
2006-11-01 5:34 ` [PATCH 34/61] fuse: fix hang on SMP Chris Wright
2006-11-01 5:34 ` [PATCH 35/61] Fix potential interrupts during alternative patching Chris Wright
2006-11-01 5:34 ` [PATCH 36/61] sky2: 88E803X transmit lockup (2.6.18) Chris Wright
2006-11-01 5:34 ` [PATCH 37/61] SCSI: aic7xxx: pause sequencer before touching SBLKCTL Chris Wright
2006-11-01 5:34 ` [PATCH 38/61] Audit: fix missing ifdefs in syscall classes hookup for generic targets Chris Wright
2006-11-01 5:34 ` [PATCH 39/61] NET: Fix skb_segment() handling of fully linear SKBs Chris Wright
2006-11-01 5:34 ` [PATCH 40/61] SCTP: Always linearise packet on input Chris Wright
2006-11-01 7:17 ` Willy Tarreau
2006-11-01 6:23 ` David Miller
2006-11-01 5:34 ` [PATCH 41/61] x86-64: Fix C3 timer test Chris Wright
2006-11-01 6:19 ` Len Brown
2006-11-01 5:34 ` [PATCH 42/61] uml: make Uml compile on FC6 kernel headers Chris Wright
2006-11-01 5:34 ` [PATCH 43/61] uml: remove warnings added by previous -stable patch Chris Wright
2006-11-01 5:34 ` [PATCH 44/61] ALSA: snd_rtctimer: handle RTC interrupts with a tasklet Chris Wright
2006-11-01 5:34 ` [PATCH 45/61] Watchdog: sc1200wdt - fix missing pnp_unregister_driver() Chris Wright
2006-11-01 7:45 ` Willy Tarreau
2006-11-01 13:14 ` Wim Van Sebroeck
2006-11-01 5:34 ` [PATCH 46/61] fix Intel RNG detection Chris Wright
2006-11-20 23:45 ` Dave Jones
2006-11-21 2:21 ` [stable] " Chris Wright
2006-11-21 9:32 ` Jan Beulich
2006-11-22 1:50 ` Chris Wright
2006-11-22 7:53 ` Jan Beulich
2006-11-24 20:27 ` Dave Jones
2006-11-27 8:30 ` Jan Beulich
2006-11-29 8:46 ` Jan Beulich
2006-12-13 19:50 ` dean gaudet
2006-12-13 20:33 ` Chris Wright
2006-12-13 23:00 ` dean gaudet
2006-12-14 7:54 ` Jan Beulich
2006-12-14 8:40 ` dean gaudet
2006-12-14 10:12 ` Jan Beulich
2006-11-21 9:05 ` Michael Buesch
2006-11-01 5:34 ` [PATCH 47/61] posix-cpu-timers: prevent signal delivery starvation Chris Wright
2006-11-01 5:34 ` [PATCH 48/61] rtc-max6902: month conversion fix Chris Wright
2006-11-01 5:34 ` [PATCH 49/61] ISDN: fix drivers, by handling errors thrown by ->readstat() Chris Wright
2006-11-01 6:02 ` Jeff Garzik
2006-11-01 7:49 ` Willy Tarreau
2006-11-01 9:18 ` Karsten Keil
2006-11-01 5:34 ` [PATCH 50/61] SPARC64: Fix PCI memory space root resource on Hummingbird Chris Wright
2006-11-01 5:34 ` [PATCH 51/61] PCI: Remove quirk_via_abnormal_poweroff Chris Wright
2006-11-01 6:20 ` Len Brown
2006-11-01 5:34 ` [PATCH 52/61] Reintroduce NODES_SPAN_OTHER_NODES for powerpc Chris Wright
2006-11-01 5:34 ` [PATCH 53/61] NFS: nfs_lookup - dont hash dentry when optimising away the lookup Chris Wright
2006-11-01 5:34 ` [PATCH 54/61] vmscan: Fix temp_priority race Chris Wright
2006-11-01 5:34 ` [PATCH 55/61] Use min of two prio settings in calculating distress for reclaim Chris Wright
2006-11-01 5:34 ` [PATCH 56/61] fill_tgid: fix task_struct leak and possible oops Chris Wright
2006-11-01 5:34 ` [PATCH 57/61] JMB 368 PATA detection Chris Wright
2006-11-01 5:34 ` [PATCH 58/61] tcp: cubic scaling error Chris Wright
2006-11-01 5:34 ` [PATCH 59/61] IPV6: fix lockup via /proc/net/ip6_flowlabel [CVE-2006-5619] Chris Wright
2006-11-01 5:34 ` [PATCH 60/61] md: check bio address after mapping through partitions Chris Wright
2006-11-01 5:34 ` Chris Wright [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061101054629.573680000@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=gregkh@suse.de \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox