Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751866AbdIUSUt (ORCPT ); Thu, 21 Sep 2017 14:20:49 -0400 Received: from mail-io0-f171.google.com ([209.85.223.171]:48928 "EHLO mail-io0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751621AbdIUSUr (ORCPT ); Thu, 21 Sep 2017 14:20:47 -0400 X-Google-Smtp-Source: AOwi7QBT0qncsJVq3scEiA6gHU3+340+1nkpSKOg/V8mxmQE+tmBsMyyY1ybhlZ/Omy4s/G+5UgzfjZdDBv084xuulI= MIME-Version: 1.0 In-Reply-To: References: From: Andrey Konovalov Date: Thu, 21 Sep 2017 20:20:46 +0200 Message-ID: Subject: Re: usb/gadget: copy_to_user called with spinlock held To: Alan Stern Cc: Felipe Balbi , Greg Kroah-Hartman , USB list , LKML , Dmitry Vyukov , Kostya Serebryany , syzkaller Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1984 Lines: 51 On Thu, Sep 21, 2017 at 7:35 PM, Alan Stern wrote: > On Thu, 21 Sep 2017, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). >> >> Line numbers might be a little off, due to some local changes to >> gadgetfs code but the issue is AFAIU with calling copy_to_user() with >> spinlock held in ep0_read(). I see that there's a FIXME exactly about >> that and I was wondering if there's any chance of getting this fixed? >> >> Thanks! > > The patch below, which goes on top of the gadgetfs patch from a few > days ago, should eliminate this problem. This patch seems to be fixing the crashes. Tested-by: Andrey Konovalov Thanks once again! > > Alan Stern > > > > Index: usb-4.x/drivers/usb/gadget/legacy/inode.c > =================================================================== > --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c > +++ usb-4.x/drivers/usb/gadget/legacy/inode.c > @@ -986,11 +986,14 @@ ep0_read (struct file *fd, char __user * > retval = -EIO; > else { > len = min (len, (size_t)dev->req->actual); > -// FIXME don't call this with the spinlock held ... > + ++dev->udc_usage; > + spin_unlock_irq(&dev->lock); > if (copy_to_user (buf, dev->req->buf, len)) > retval = -EFAULT; > else > retval = len; > + spin_lock_irq(&dev->lock); > + --dev->udc_usage; > clean_req (dev->gadget->ep0, dev->req); > /* NOTE userspace can't yet choose to stall */ > } >