Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751866AbdIUSUt (ORCPT <rfc822;w@1wt.eu>);
        Thu, 21 Sep 2017 14:20:49 -0400
Received: from mail-io0-f171.google.com ([209.85.223.171]:48928 "EHLO
        mail-io0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751621AbdIUSUr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 21 Sep 2017 14:20:47 -0400
X-Google-Smtp-Source: AOwi7QBT0qncsJVq3scEiA6gHU3+340+1nkpSKOg/V8mxmQE+tmBsMyyY1ybhlZ/Omy4s/G+5UgzfjZdDBv084xuulI=
MIME-Version: 1.0
In-Reply-To: <Pine.LNX.4.44L0.1709211328030.1299-100000@iolanthe.rowland.org>
References: <CAAeHK+yi+OiEM8pVdMyJM4ptCytctWOuCno2r5ThMe1+c=B1Hg@mail.gmail.com>
 <Pine.LNX.4.44L0.1709211328030.1299-100000@iolanthe.rowland.org>
From: Andrey Konovalov <andreyknvl@google.com>
Date: Thu, 21 Sep 2017 20:20:46 +0200
Message-ID: <CAAeHK+xek2+xwBkrxpST+qKqtDEKf=1m0p7KgkqLkE8mYUvetg@mail.gmail.com>
Subject: Re: usb/gadget: copy_to_user called with spinlock held
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Felipe Balbi <balbi@kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        USB list <linux-usb@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Dmitry Vyukov <dvyukov@google.com>, Kostya Serebryany <kcc@google.com>,
        syzkaller <syzkaller@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1984
Lines: 51

On Thu, Sep 21, 2017 at 7:35 PM, Alan Stern <stern@rowland.harvard.edu> wrote:
> On Thu, 21 Sep 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>>
>> Line numbers might be a little off, due to some local changes to
>> gadgetfs code but the issue is AFAIU with calling copy_to_user() with
>> spinlock held in ep0_read(). I see that there's a FIXME exactly about
>> that and I was wondering if there's any chance of getting this fixed?
>>
>> Thanks!
>
> The patch below, which goes on top of the gadgetfs patch from a few
> days ago, should eliminate this problem.

This patch seems to be fixing the crashes.

Tested-by: Andrey Konovalov <andreyknvl@google.com>

Thanks once again!

>
> Alan Stern
>
>
>
> Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
> ===================================================================
> --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
> +++ usb-4.x/drivers/usb/gadget/legacy/inode.c
> @@ -986,11 +986,14 @@ ep0_read (struct file *fd, char __user *
>                                 retval = -EIO;
>                         else {
>                                 len = min (len, (size_t)dev->req->actual);
> -// FIXME don't call this with the spinlock held ...
> +                               ++dev->udc_usage;
> +                               spin_unlock_irq(&dev->lock);
>                                 if (copy_to_user (buf, dev->req->buf, len))
>                                         retval = -EFAULT;
>                                 else
>                                         retval = len;
> +                               spin_lock_irq(&dev->lock);
> +                               --dev->udc_usage;
>                                 clean_req (dev->gadget->ep0, dev->req);
>                                 /* NOTE userspace can't yet choose to stall */
>                         }
>