From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Shuah Khan <skhan@linuxfoundation.org>,
Tom Seewald <tseewald@gmail.com>,
syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
Subject: [PATCH 4.9 25/37] usbip: stub-dev synchronize sysfs code paths
Date: Mon, 26 Apr 2021 09:29:26 +0200 [thread overview]
Message-ID: <20210426072818.102188378@linuxfoundation.org> (raw)
In-Reply-To: <20210426072817.245304364@linuxfoundation.org>
From: Shuah Khan <skhan@linuxfoundation.org>
commit 9dbf34a834563dada91366c2ac266f32ff34641a upstream.
Fuzzing uncovered race condition between sysfs code paths in usbip
drivers. Device connect/disconnect code paths initiated through
sysfs interface are prone to races if disconnect happens during
connect and vice versa.
Use sysfs_lock to protect sysfs paths in stub-dev.
Cc: stable@vger.kernel.org # 4.9.x
Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org
Signed-off-by: Tom Seewald <tseewald@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/usbip/stub_dev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/usb/usbip/stub_dev.c
+++ b/drivers/usb/usbip/stub_dev.c
@@ -77,6 +77,7 @@ static ssize_t store_sockfd(struct devic
dev_info(dev, "stub up\n");
+ mutex_lock(&sdev->ud.sysfs_lock);
spin_lock_irq(&sdev->ud.lock);
if (sdev->ud.status != SDEV_ST_AVAILABLE) {
@@ -101,13 +102,13 @@ static ssize_t store_sockfd(struct devic
tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx");
if (IS_ERR(tcp_rx)) {
sockfd_put(socket);
- return -EINVAL;
+ goto unlock_mutex;
}
tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx");
if (IS_ERR(tcp_tx)) {
kthread_stop(tcp_rx);
sockfd_put(socket);
- return -EINVAL;
+ goto unlock_mutex;
}
/* get task structs now */
@@ -126,6 +127,8 @@ static ssize_t store_sockfd(struct devic
wake_up_process(sdev->ud.tcp_rx);
wake_up_process(sdev->ud.tcp_tx);
+ mutex_unlock(&sdev->ud.sysfs_lock);
+
} else {
dev_info(dev, "stub down\n");
@@ -136,6 +139,7 @@ static ssize_t store_sockfd(struct devic
spin_unlock_irq(&sdev->ud.lock);
usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN);
+ mutex_unlock(&sdev->ud.sysfs_lock);
}
return count;
@@ -144,6 +148,8 @@ sock_err:
sockfd_put(socket);
err:
spin_unlock_irq(&sdev->ud.lock);
+unlock_mutex:
+ mutex_unlock(&sdev->ud.sysfs_lock);
return -EINVAL;
}
static DEVICE_ATTR(usbip_sockfd, S_IWUSR, NULL, store_sockfd);
@@ -309,6 +315,7 @@ static struct stub_device *stub_device_a
sdev->ud.side = USBIP_STUB;
sdev->ud.status = SDEV_ST_AVAILABLE;
spin_lock_init(&sdev->ud.lock);
+ mutex_init(&sdev->ud.sysfs_lock);
sdev->ud.tcp_socket = NULL;
sdev->ud.sockfd = -1;
next prev parent reply other threads:[~2021-04-26 7:33 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-26 7:29 [PATCH 4.9 00/37] 4.9.268-rc1 review Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 01/37] net/sctp: fix race condition in sctp_destroy_sock Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 02/37] Input: nspire-keypad - enable interrupts only when opened Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 03/37] dmaengine: dw: Make it dependent to HAS_IOMEM Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 04/37] ARM: dts: Fix moving mmc devices with aliases for omap4 & 5 Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 05/37] arc: kernel: Return -EFAULT if copy_to_user() fails Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 06/37] neighbour: Disregard DEAD dst in neigh_update Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 07/37] ARM: keystone: fix integer overflow warning Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 08/37] ASoC: fsl_esai: Fix TDM slot setup for I2S mode Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 09/37] net: ieee802154: stop dump llsec keys for monitors Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 10/37] net: ieee802154: stop dump llsec devs " Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 11/37] net: ieee802154: forbid monitor for add llsec dev Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 12/37] net: ieee802154: stop dump llsec devkeys for monitors Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 13/37] net: ieee802154: forbid monitor for add llsec devkey Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 14/37] net: ieee802154: stop dump llsec seclevels for monitors Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 15/37] net: ieee802154: forbid monitor for add llsec seclevel Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 16/37] pcnet32: Use pci_resource_len to validate PCI resource Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 17/37] Input: i8042 - fix Pegatron C15B ID entry Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 18/37] scsi: libsas: Reset num_scatter if libata marks qc as NODATA Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 19/37] net: davicom: Fix regulator not turned off on failed probe Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 20/37] net: sit: Unregister catch-all devices Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 21/37] i40e: fix the panic when running bpf in xdpdrv mode Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 22/37] ARM: 9071/1: uprobes: Dont hook on thumb instructions Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 23/37] usbip: Fix incorrect double assignment to udc->ud.tcp_rx Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 24/37] usbip: add sysfs_lock to synchronize sysfs code paths Greg Kroah-Hartman
2021-04-26 7:29 ` Greg Kroah-Hartman [this message]
2021-04-26 7:29 ` [PATCH 4.9 26/37] usbip: vudc " Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 27/37] usbip: synchronize event handler with " Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 28/37] net: hso: fix null-ptr-deref during tty device unregistration Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 29/37] ext4: correct error label in ext4_rename() Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 30/37] HID: alps: fix error return code in alps_input_configured() Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 31/37] ARM: dts: Fix swapped mmc order for omap3 Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 32/37] s390/entry: save the caller of psw_idle Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 33/37] xen-netback: Check for hotplug-status existence before watching Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 34/37] cavium/liquidio: Fix duplicate argument Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 35/37] ia64: fix discontig.c section mismatches Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 36/37] ia64: tools: remove duplicate definition of ia64_mf() on ia64 Greg Kroah-Hartman
2021-04-26 7:29 ` [PATCH 4.9 37/37] x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access Greg Kroah-Hartman
2021-04-26 17:26 ` [PATCH 4.9 00/37] 4.9.268-rc1 review Florian Fainelli
2021-04-26 18:32 ` Guenter Roeck
2021-04-26 23:47 ` Shuah Khan
2021-04-27 7:36 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210426072818.102188378@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com \
--cc=tseewald@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox