Commit ac6de40e authored by Alan Stern's avatar Alan Stern Committed by Thadeu Lima de Souza Cascardo

USB: gadgetfs: Fix crash caused by inadequate synchronization

BugLink: http://bugs.launchpad.net/bugs/1724783

commit 520b72fc upstream.

The gadgetfs driver (drivers/usb/gadget/legacy/inode.c) was written
before the UDC and composite frameworks were adopted; it is a legacy
driver.  As such, it expects that once bound to a UDC controller, it
will not be unbound until it unregisters itself.

However, the UDC framework does unbind function drivers while they are
still registered.  When this happens, it can cause the gadgetfs driver
to misbehave or crash.  For example, userspace can cause a crash by
opening the device file and doing an ioctl call before setting up a
configuration (found by Andrey Konovalov using the syzkaller fuzzer).

This patch adds checks and synchronization to prevent these bad
behaviors.  It adds a udc_usage counter that the driver increments at
times when it is using a gadget interface without holding the private
spinlock.  The unbind routine waits for this counter to go to 0 before
returning, thereby ensuring that the UDC is no longer in use.

The patch also adds a check in the dev_ioctl() routine to make sure
the driver is bound to a UDC before dereferencing the gadget pointer,
and it makes destroy_ep_files() synchronize with the endpoint I/O
routines, to prevent the user from accessing an endpoint data
structure after it has been removed.
Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Acked-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
parent 95c9773b
...@@ -27,7 +27,7 @@ ...@@ -27,7 +27,7 @@
#include <linux/mmu_context.h> #include <linux/mmu_context.h>
#include <linux/aio.h> #include <linux/aio.h>
#include <linux/uio.h> #include <linux/uio.h>
#include <linux/delay.h>
#include <linux/device.h> #include <linux/device.h>
#include <linux/moduleparam.h> #include <linux/moduleparam.h>
...@@ -116,6 +116,7 @@ enum ep0_state { ...@@ -116,6 +116,7 @@ enum ep0_state {
struct dev_data { struct dev_data {
spinlock_t lock; spinlock_t lock;
atomic_t count; atomic_t count;
int udc_usage;
enum ep0_state state; /* P: lock */ enum ep0_state state; /* P: lock */
struct usb_gadgetfs_event event [N_EVENT]; struct usb_gadgetfs_event event [N_EVENT];
unsigned ev_next; unsigned ev_next;
...@@ -512,9 +513,9 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req) ...@@ -512,9 +513,9 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
INIT_WORK(&priv->work, ep_user_copy_worker); INIT_WORK(&priv->work, ep_user_copy_worker);
schedule_work(&priv->work); schedule_work(&priv->work);
} }
spin_unlock(&epdata->dev->lock);
usb_ep_free_request(ep, req); usb_ep_free_request(ep, req);
spin_unlock(&epdata->dev->lock);
put_ep(epdata); put_ep(epdata);
} }
...@@ -938,9 +939,11 @@ ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr) ...@@ -938,9 +939,11 @@ ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
struct usb_request *req = dev->req; struct usb_request *req = dev->req;
if ((retval = setup_req (ep, req, 0)) == 0) { if ((retval = setup_req (ep, req, 0)) == 0) {
++dev->udc_usage;
spin_unlock_irq (&dev->lock); spin_unlock_irq (&dev->lock);
retval = usb_ep_queue (ep, req, GFP_KERNEL); retval = usb_ep_queue (ep, req, GFP_KERNEL);
spin_lock_irq (&dev->lock); spin_lock_irq (&dev->lock);
--dev->udc_usage;
} }
dev->state = STATE_DEV_CONNECTED; dev->state = STATE_DEV_CONNECTED;
...@@ -1130,6 +1133,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr) ...@@ -1130,6 +1133,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
retval = setup_req (dev->gadget->ep0, dev->req, len); retval = setup_req (dev->gadget->ep0, dev->req, len);
if (retval == 0) { if (retval == 0) {
dev->state = STATE_DEV_CONNECTED; dev->state = STATE_DEV_CONNECTED;
++dev->udc_usage;
spin_unlock_irq (&dev->lock); spin_unlock_irq (&dev->lock);
if (copy_from_user (dev->req->buf, buf, len)) if (copy_from_user (dev->req->buf, buf, len))
retval = -EFAULT; retval = -EFAULT;
...@@ -1141,6 +1145,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr) ...@@ -1141,6 +1145,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
GFP_KERNEL); GFP_KERNEL);
} }
spin_lock_irq(&dev->lock); spin_lock_irq(&dev->lock);
--dev->udc_usage;
if (retval < 0) { if (retval < 0) {
clean_req (dev->gadget->ep0, dev->req); clean_req (dev->gadget->ep0, dev->req);
} else } else
...@@ -1239,9 +1244,21 @@ static long dev_ioctl (struct file *fd, unsigned code, unsigned long value) ...@@ -1239,9 +1244,21 @@ static long dev_ioctl (struct file *fd, unsigned code, unsigned long value)
struct usb_gadget *gadget = dev->gadget; struct usb_gadget *gadget = dev->gadget;
long ret = -ENOTTY; long ret = -ENOTTY;
if (gadget->ops->ioctl) spin_lock_irq(&dev->lock);
if (dev->state == STATE_DEV_OPENED ||
dev->state == STATE_DEV_UNBOUND) {
/* Not bound to a UDC */
} else if (gadget->ops->ioctl) {
++dev->udc_usage;
spin_unlock_irq(&dev->lock);
ret = gadget->ops->ioctl (gadget, code, value); ret = gadget->ops->ioctl (gadget, code, value);
spin_lock_irq(&dev->lock);
--dev->udc_usage;
}
spin_unlock_irq(&dev->lock);
return ret; return ret;
} }
...@@ -1459,10 +1476,12 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) ...@@ -1459,10 +1476,12 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
if (value < 0) if (value < 0)
break; break;
++dev->udc_usage;
spin_unlock (&dev->lock); spin_unlock (&dev->lock);
value = usb_ep_queue (gadget->ep0, dev->req, value = usb_ep_queue (gadget->ep0, dev->req,
GFP_KERNEL); GFP_KERNEL);
spin_lock (&dev->lock); spin_lock (&dev->lock);
--dev->udc_usage;
if (value < 0) { if (value < 0) {
clean_req (gadget->ep0, dev->req); clean_req (gadget->ep0, dev->req);
break; break;
...@@ -1486,8 +1505,12 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) ...@@ -1486,8 +1505,12 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
req->length = value; req->length = value;
req->zero = value < w_length; req->zero = value < w_length;
++dev->udc_usage;
spin_unlock (&dev->lock); spin_unlock (&dev->lock);
value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL); value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL);
spin_lock(&dev->lock);
--dev->udc_usage;
spin_unlock(&dev->lock);
if (value < 0) { if (value < 0) {
DBG (dev, "ep_queue --> %d\n", value); DBG (dev, "ep_queue --> %d\n", value);
req->status = 0; req->status = 0;
...@@ -1514,21 +1537,24 @@ static void destroy_ep_files (struct dev_data *dev) ...@@ -1514,21 +1537,24 @@ static void destroy_ep_files (struct dev_data *dev)
/* break link to FS */ /* break link to FS */
ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles); ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles);
list_del_init (&ep->epfiles); list_del_init (&ep->epfiles);
spin_unlock_irq (&dev->lock);
dentry = ep->dentry; dentry = ep->dentry;
ep->dentry = NULL; ep->dentry = NULL;
parent = d_inode(dentry->d_parent); parent = d_inode(dentry->d_parent);
/* break link to controller */ /* break link to controller */
mutex_lock(&ep->lock);
if (ep->state == STATE_EP_ENABLED) if (ep->state == STATE_EP_ENABLED)
(void) usb_ep_disable (ep->ep); (void) usb_ep_disable (ep->ep);
ep->state = STATE_EP_UNBOUND; ep->state = STATE_EP_UNBOUND;
usb_ep_free_request (ep->ep, ep->req); usb_ep_free_request (ep->ep, ep->req);
ep->ep = NULL; ep->ep = NULL;
mutex_unlock(&ep->lock);
wake_up (&ep->wait); wake_up (&ep->wait);
put_ep (ep); put_ep (ep);
spin_unlock_irq (&dev->lock);
/* break link to dcache */ /* break link to dcache */
mutex_lock (&parent->i_mutex); mutex_lock (&parent->i_mutex);
d_delete (dentry); d_delete (dentry);
...@@ -1599,6 +1625,11 @@ gadgetfs_unbind (struct usb_gadget *gadget) ...@@ -1599,6 +1625,11 @@ gadgetfs_unbind (struct usb_gadget *gadget)
spin_lock_irq (&dev->lock); spin_lock_irq (&dev->lock);
dev->state = STATE_DEV_UNBOUND; dev->state = STATE_DEV_UNBOUND;
while (dev->udc_usage > 0) {
spin_unlock_irq(&dev->lock);
usleep_range(1000, 2000);
spin_lock_irq(&dev->lock);
}
spin_unlock_irq (&dev->lock); spin_unlock_irq (&dev->lock);
destroy_ep_files (dev); destroy_ep_files (dev);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment