Re: [syzbot] KASAN: use-after-free Write in gadgetfs_kill_sb

[Alan Stern <stern@rowland.harvard.edu>]

On Tue, Dec 13, 2022 at 12:51:26PM -0800, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> INFO: rcu detected stall in corrupted
> 
> rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { P4116 } 2668 jiffies s: 2777 root: 0x0/T
> rcu: blocking rcu_node structures (internal RCU debug):
> 
> 
> Tested on:
> 
> commit:         830b3c68 Linux 6.1
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> console output: https://syzkaller.appspot.com/x/log.txt?x=12066e8b880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=5a194ed4fc682723
> dashboard link: https://syzkaller.appspot.com/bug?extid=33d7ad66d65044b93f16
> compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=16793e8f880000

Let's see if this is related to the patch or something completely 
independent.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 830b3c68c1fb

 drivers/usb/gadget/legacy/inode.c |   39 +++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)

Index: usb-devel/drivers/usb/gadget/legacy/inode.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/legacy/inode.c
+++ usb-devel/drivers/usb/gadget/legacy/inode.c
@@ -229,6 +229,7 @@ static void put_ep (struct ep_data *data
  */
 
 static const char *CHIP;
+static DEFINE_MUTEX(sb_mutex);		/* Serialize superblock maintenance */
 
 /*----------------------------------------------------------------------*/
 
@@ -2010,13 +2011,23 @@ gadgetfs_fill_super (struct super_block
 {
 	struct inode	*inode;
 	struct dev_data	*dev;
+	int		rc;
 
-	if (the_device)
-		return -ESRCH;
+	printk(KERN_INFO "fill_super A\n");
+	mutex_lock(&sb_mutex);
+
+	if (the_device) {
+		rc = -ESRCH;
+		goto Done;
+	}
+	printk(KERN_INFO "fill_super B\n");
 
 	CHIP = usb_get_gadget_udc_name();
-	if (!CHIP)
-		return -ENODEV;
+	if (!CHIP) {
+		rc = -ENODEV;
+		goto Done;
+	}
+	printk(KERN_INFO "fill_super C\n");
 
 	/* superblock */
 	sb->s_blocksize = PAGE_SIZE;
@@ -2029,6 +2040,7 @@ gadgetfs_fill_super (struct super_block
 	inode = gadgetfs_make_inode (sb,
 			NULL, &simple_dir_operations,
 			S_IFDIR | S_IRUGO | S_IXUGO);
+	printk(KERN_INFO "fill_super D\n");
 	if (!inode)
 		goto Enomem;
 	inode->i_op = &simple_dir_inode_operations;
@@ -2039,11 +2051,13 @@ gadgetfs_fill_super (struct super_block
 	 * user mode code can use it for sanity checks, like we do.
 	 */
 	dev = dev_new ();
+	printk(KERN_INFO "fill_super E\n");
 	if (!dev)
 		goto Enomem;
 
 	dev->sb = sb;
 	dev->dentry = gadgetfs_create_file(sb, CHIP, dev, &ep0_operations);
+	printk(KERN_INFO "fill_super F\n");
 	if (!dev->dentry) {
 		put_dev(dev);
 		goto Enomem;
@@ -2053,13 +2067,18 @@ gadgetfs_fill_super (struct super_block
 	 * from binding to a controller.
 	 */
 	the_device = dev;
-	return 0;
+	rc = 0;
+	goto Done;
 
-Enomem:
+ Enomem:
 	kfree(CHIP);
 	CHIP = NULL;
+	rc = -ENOMEM;
 
-	return -ENOMEM;
+ Done:
+	printk(KERN_INFO "fill_super G\n");
+	mutex_unlock(&sb_mutex);
+	return rc;
 }
 
 /* "mount -t gadgetfs path /dev/gadget" ends up here */
@@ -2081,13 +2100,19 @@ static int gadgetfs_init_fs_context(stru
 static void
 gadgetfs_kill_sb (struct super_block *sb)
 {
+	printk(KERN_INFO "kill_sb A\n");
+	mutex_lock(&sb_mutex);
+	printk(KERN_INFO "kill_sb B\n");
 	kill_litter_super (sb);
+	printk(KERN_INFO "kill_sb C\n");
 	if (the_device) {
 		put_dev (the_device);
 		the_device = NULL;
 	}
 	kfree(CHIP);
 	CHIP = NULL;
+	printk(KERN_INFO "kill_sb D\n");
+	mutex_unlock(&sb_mutex);
 }
 
 /*----------------------------------------------------------------------*/