From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Alan Stern" <stern@rowland.harvard.edu>,
"Ajay Kaher" <ajay.kaher@samsung.com>
Subject: [PATCH 3.2 14/59] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
Date: Fri, 18 Aug 2017 14:13:13 +0100 [thread overview]
Message-ID: <lsq.1503061993.682322856@decadent.org.uk> (raw)
In-Reply-To: <lsq.1503061990.137512306@decadent.org.uk>
3.2.92-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ajay Kaher <ajay.kaher@samsung.com>
commit 2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb upstream.
There is race condition when two USB class drivers try to call
init_usb_class at the same time and leads to crash.
code path: probe->usb_register_dev->init_usb_class
To solve this, mutex locking has been added in init_usb_class() and
destroy_usb_class().
As pointed by Alan, removed "if (usb_class)" test from destroy_usb_class()
because usb_class can never be NULL there.
Signed-off-by: Ajay Kaher <ajay.kaher@samsung.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/file.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/file.c
+++ b/drivers/usb/core/file.c
@@ -26,6 +26,7 @@
#define MAX_USB_MINORS 256
static const struct file_operations *usb_minors[MAX_USB_MINORS];
static DECLARE_RWSEM(minor_rwsem);
+static DEFINE_MUTEX(init_usb_class_mutex);
static int usb_open(struct inode * inode, struct file * file)
{
@@ -116,8 +117,9 @@ static void release_usb_class(struct kre
static void destroy_usb_class(void)
{
- if (usb_class)
- kref_put(&usb_class->kref, release_usb_class);
+ mutex_lock(&init_usb_class_mutex);
+ kref_put(&usb_class->kref, release_usb_class);
+ mutex_unlock(&init_usb_class_mutex);
}
int usb_major_init(void)
@@ -179,7 +181,10 @@ int usb_register_dev(struct usb_interfac
if (intf->minor >= 0)
return -EADDRINUSE;
+ mutex_lock(&init_usb_class_mutex);
retval = init_usb_class();
+ mutex_unlock(&init_usb_class_mutex);
+
if (retval)
return retval;
next prev parent reply other threads:[~2017-08-18 13:14 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-18 13:13 [PATCH 3.2 00/59] 3.2.92-rc1 review Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 23/59] padata: free correct variable Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 04/59] ath9k_htc: Add PID/VID for a Ubiquiti WiFiStation Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 11/59] usb: hub: Fix error loop seen after hub communication errors Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 43/59] IB/core: For multicast functions, verify that LIDs are multicast LIDs Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 05/59] ath9k_htc: Add device ID for Buffalo WLI-UV-AG300P Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 13/59] [media] mceusb: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 08/59] ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 09/59] serial: sh-sci: Fix panic when serial console and DMA are enabled Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 45/59] net: ethernet: ucc_geth: fix MEM_PART_MURAM mode Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 29/59] PCI: Only allow WC mmap on prefetchable resources Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 51/59] cifs: small underflow in cnvrtDosUnixTm() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 56/59] ipv6: avoid overflow of offset in ip6_find_1stfragopt Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 44/59] libata: reject passthrough WRITE SAME requests Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 18/59] [media] usbvision: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 02/59] [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 17/59] [media] gspca: konica: add missing endpoint sanity check Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 22/59] [media] cx231xx-audio: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 41/59] usb: Make sure usb/phy/of gets built-in Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 30/59] PCI: Freeze PME scan before suspending devices Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 55/59] x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 33/59] [media] dw2102: Don't use dynamic static allocation Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 31/59] [media] ttusb2: Don't use stack variables for DMA Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 19/59] [media] cx231xx: fix double free and leaks on failure path in cx231xx_usb_probe() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 53/59] um: Fix PTRACE_POKEUSER on x86_64 Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 49/59] ipv6: Need to export ipv6_push_frag_opts for tunneling now Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 32/59] [media] ttusb2: limit messages to buffer size Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 28/59] PCI: Fix another sanity check bug in /proc/pci mmap Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 39/59] netfilter: ctnetlink: make it safer when updating ct->status Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 27/59] PCI: Ignore write combining when mapping I/O port space Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 48/59] ip6_tunnel: Fix missing tunnel encapsulation limit option Ben Hutchings
2017-08-18 13:13 ` Ben Hutchings [this message]
2017-08-18 13:13 ` [PATCH 3.2 26/59] [media] zr364xx: enforce minimum size when reading header Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 59/59] packet: fix tp_reserve race in packet_set_ring Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 34/59] [media] dw2102: some missing unlocks on error Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 01/59] drm/i915: fix use-after-free in page_flip_completed() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 54/59] fbdev: sti: don't select CONFIG_VT Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 20/59] [media] cx231xx-cards: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 50/59] tcp: fix wraparound issue in tcp_lp Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 57/59] timerfd: Protect the might cancel mechanism proper Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 03/59] ath9k_htc: Add Panasonic N5HBZ0000055 device id Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 12/59] usb: hub: Do not attempt to autosuspend disconnected devices Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 24/59] PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 36/59] [media] ov2640: fix vflip control Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 06/59] ath9k_htc: Add new USB ID Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 16/59] ath9k_htc: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 52/59] Set unicode flag on cifs echo request to avoid Mac error Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 47/59] power: supply: pda_power: move from timer to delayed_work Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 46/59] Bluetooth: Fix user channel for 32bit userspace on 64bit kernel Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 35/59] [media] dw2102: limit messages to buffer size Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 25/59] [media] digitv: " Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 38/59] x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 40/59] PCI: Disable boot interrupt quirk for ASUS M2N-LR Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 58/59] mqueue: fix a use-after-free in sys_mq_notify() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 37/59] usb: host: xhci: print correct command ring address Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 07/59] ath9k_htc: add device ID for Toshiba WLM-20U2/GN-1080 Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 15/59] cdc-acm: fix possible invalid access when processing notification Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 42/59] IB/core: If the MGID/MLID pair is not on the list return an error Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 21/59] [media] cx231xx-audio: fix init error path Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 10/59] zd1211rw: fix NULL-deref at probe Ben Hutchings
2017-08-18 14:54 ` [PATCH 3.2 00/59] 3.2.92-rc1 review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1503061993.682322856@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=ajay.kaher@samsung.com \
--cc=akpm@linux-foundation.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox