From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, John Keeping <john@metanate.com>,
Pratham Pratap <quic_ppratap@quicinc.com>,
Udipto Goswami <quic_ugoswami@quicinc.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 25/49] usb: f_fs: Fix use-after-free for epfile
Date: Mon, 14 Feb 2022 10:25:51 +0100 [thread overview]
Message-ID: <20220214092449.123615579@linuxfoundation.org> (raw)
In-Reply-To: <20220214092448.285381753@linuxfoundation.org>
From: Udipto Goswami <quic_ugoswami@quicinc.com>
[ Upstream commit ebe2b1add1055b903e2acd86b290a85297edc0b3 ]
Consider a case where ffs_func_eps_disable is called from
ffs_func_disable as part of composition switch and at the
same time ffs_epfile_release get called from userspace.
ffs_epfile_release will free up the read buffer and call
ffs_data_closed which in turn destroys ffs->epfiles and
mark it as NULL. While this was happening the driver has
already initialized the local epfile in ffs_func_eps_disable
which is now freed and waiting to acquire the spinlock. Once
spinlock is acquired the driver proceeds with the stale value
of epfile and tries to free the already freed read buffer
causing use-after-free.
Following is the illustration of the race:
CPU1 CPU2
ffs_func_eps_disable
epfiles (local copy)
ffs_epfile_release
ffs_data_closed
if (last file closed)
ffs_data_reset
ffs_data_clear
ffs_epfiles_destroy
spin_lock
dereference epfiles
Fix this races by taking epfiles local copy & assigning it under
spinlock and if epfiles(local) is null then update it in ffs->epfiles
then finally destroy it.
Extending the scope further from the race, protecting the ep related
structures, and concurrent accesses.
Fixes: a9e6f83c2df1 ("usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable")
Co-developed-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Pratham Pratap <quic_ppratap@quicinc.com>
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Link: https://lore.kernel.org/r/1643256595-10797-1-git-send-email-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_fs.c | 56 ++++++++++++++++++++++--------
1 file changed, 42 insertions(+), 14 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 9271a7009a00f..49eb4e3c760f4 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1636,16 +1636,24 @@ static void ffs_data_put(struct ffs_data *ffs)
static void ffs_data_closed(struct ffs_data *ffs)
{
+ struct ffs_epfile *epfiles;
+ unsigned long flags;
+
ENTER();
if (atomic_dec_and_test(&ffs->opened)) {
if (ffs->no_disconnect) {
ffs->state = FFS_DEACTIVATED;
- if (ffs->epfiles) {
- ffs_epfiles_destroy(ffs->epfiles,
- ffs->eps_count);
- ffs->epfiles = NULL;
- }
+ spin_lock_irqsave(&ffs->eps_lock, flags);
+ epfiles = ffs->epfiles;
+ ffs->epfiles = NULL;
+ spin_unlock_irqrestore(&ffs->eps_lock,
+ flags);
+
+ if (epfiles)
+ ffs_epfiles_destroy(epfiles,
+ ffs->eps_count);
+
if (ffs->setup_state == FFS_SETUP_PENDING)
__ffs_ep0_stall(ffs);
} else {
@@ -1692,14 +1700,27 @@ static struct ffs_data *ffs_data_new(const char *dev_name)
static void ffs_data_clear(struct ffs_data *ffs)
{
+ struct ffs_epfile *epfiles;
+ unsigned long flags;
+
ENTER();
ffs_closed(ffs);
BUG_ON(ffs->gadget);
- if (ffs->epfiles) {
- ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
+ spin_lock_irqsave(&ffs->eps_lock, flags);
+ epfiles = ffs->epfiles;
+ ffs->epfiles = NULL;
+ spin_unlock_irqrestore(&ffs->eps_lock, flags);
+
+ /*
+ * potential race possible between ffs_func_eps_disable
+ * & ffs_epfile_release therefore maintaining a local
+ * copy of epfile will save us from use-after-free.
+ */
+ if (epfiles) {
+ ffs_epfiles_destroy(epfiles, ffs->eps_count);
ffs->epfiles = NULL;
}
@@ -1847,12 +1868,15 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
static void ffs_func_eps_disable(struct ffs_function *func)
{
- struct ffs_ep *ep = func->eps;
- struct ffs_epfile *epfile = func->ffs->epfiles;
- unsigned count = func->ffs->eps_count;
+ struct ffs_ep *ep;
+ struct ffs_epfile *epfile;
+ unsigned short count;
unsigned long flags;
spin_lock_irqsave(&func->ffs->eps_lock, flags);
+ count = func->ffs->eps_count;
+ epfile = func->ffs->epfiles;
+ ep = func->eps;
while (count--) {
/* pending requests get nuked */
if (likely(ep->ep))
@@ -1870,14 +1894,18 @@ static void ffs_func_eps_disable(struct ffs_function *func)
static int ffs_func_eps_enable(struct ffs_function *func)
{
- struct ffs_data *ffs = func->ffs;
- struct ffs_ep *ep = func->eps;
- struct ffs_epfile *epfile = ffs->epfiles;
- unsigned count = ffs->eps_count;
+ struct ffs_data *ffs;
+ struct ffs_ep *ep;
+ struct ffs_epfile *epfile;
+ unsigned short count;
unsigned long flags;
int ret = 0;
spin_lock_irqsave(&func->ffs->eps_lock, flags);
+ ffs = func->ffs;
+ ep = func->eps;
+ epfile = ffs->epfiles;
+ count = ffs->eps_count;
while(count--) {
ep->ep->driver_data = ep;
--
2.34.1
next prev parent reply other threads:[~2022-02-14 9:36 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-14 9:25 [PATCH 4.19 00/49] 4.19.230-rc1 review Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 01/49] integrity: check the return value of audit_log_start() Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 02/49] ima: Remove ima_policy file before directory Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 03/49] ima: Allow template selection with ima_template[_fmt]= after ima_hash= Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 04/49] mmc: sdhci-of-esdhc: Check for error num after setting mask Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 05/49] net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 06/49] NFS: Fix initialisation of nfs_client cl_flags field Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 07/49] NFSD: Clamp WRITE offsets Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 08/49] NFSD: Fix offset type in I/O trace points Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 09/49] NFSv4 only print the label when its queried Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 10/49] nfs: nfs4clinet: check the return value of kstrdup() Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 11/49] NFSv4.1: Fix uninitialised variable in devicenotify Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 12/49] NFSv4 remove zero number of fs_locations entries error check Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 13/49] NFSv4 expose nfs_parse_server_name function Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 14/49] net: sched: Clarify error message when qdisc kind is unknown Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 15/49] scsi: target: iscsi: Make sure the np under each tpg is unique Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 16/49] usb: dwc2: gadget: dont try to disable ep0 in dwc2_hsotg_suspend Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 17/49] net: stmmac: dwmac-sun8i: use return val of readl_poll_timeout() Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 18/49] bpf: Add kconfig knob for disabling unpriv bpf by default Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 19/49] ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 20/49] net: bridge: fix stale eth hdr pointer in br_dev_xmit Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 21/49] perf probe: Fix ppc64 perf probe add events failed case Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 22/49] ARM: dts: meson: Fix the UART compatible strings Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 23/49] staging: fbtft: Fix error path in fbtft_driver_module_init() Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 24/49] ARM: dts: imx6qdl-udoo: Properly describe the SD card detect Greg Kroah-Hartman
2022-02-14 9:25 ` Greg Kroah-Hartman [this message]
2022-02-14 9:25 ` [PATCH 4.19 26/49] ixgbevf: Require large buffers for build_skb on 82599VF Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 27/49] bonding: pair enable_port with slave_arr_updates Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 28/49] ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 29/49] net: do not keep the dst cache when uncloning an skb dst and its metadata Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 30/49] net: fix a memleak " Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 31/49] veth: fix races around rq->rx_notify_masked Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 32/49] tipc: rate limit warning for received illegal binding update Greg Kroah-Hartman
2022-02-14 9:25 ` [PATCH 4.19 33/49] net: amd-xgbe: disable interrupts during pci removal Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 34/49] vt_ioctl: fix array_index_nospec in vt_setactivate Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 35/49] vt_ioctl: add array_index_nospec to VT_ACTIVATE Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 36/49] n_tty: wake up poll(POLLRDNORM) on receiving data Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 37/49] usb: ulpi: Move of_node_put to ulpi_dev_release Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 38/49] usb: ulpi: Call of_node_put correctly Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 39/49] usb: dwc3: gadget: Prevent core from processing stale TRBs Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 40/49] USB: gadget: validate interface OS descriptor requests Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 41/49] usb: gadget: rndis: check size of RNDIS_MSG_SET command Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 42/49] USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 43/49] USB: serial: option: add ZTE MF286D modem Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 44/49] USB: serial: ch341: add support for GW Instek USB2.0-Serial devices Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 45/49] USB: serial: cp210x: add NCR Retail IO box id Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 46/49] USB: serial: cp210x: add CPI Bulk Coin Recycler id Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 47/49] seccomp: Invalidate seccomp mode to catch death failures Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 48/49] hwmon: (dell-smm) Speed up setting of fan speed Greg Kroah-Hartman
2022-02-14 9:26 ` [PATCH 4.19 49/49] perf: Fix list corruption in perf_cgroup_switch() Greg Kroah-Hartman
2022-02-14 11:35 ` [PATCH 4.19 00/49] 4.19.230-rc1 review Pavel Machek
2022-02-14 14:22 ` Jon Hunter
2022-02-14 18:50 ` Jeffrin Thalakkottoor
2022-02-14 20:38 ` Slade Watkins
2022-02-14 22:32 ` Shuah Khan
2022-02-15 1:51 ` Guenter Roeck
2022-02-15 9:19 ` Naresh Kamboju
2022-02-15 15:42 ` Sudip Mukherjee
2022-02-16 0:52 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220214092449.123615579@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=john@metanate.com \
--cc=linux-kernel@vger.kernel.org \
--cc=quic_ppratap@quicinc.com \
--cc=quic_ugoswami@quicinc.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox