Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1169934yba; Thu, 9 May 2019 11:55:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqwlR6FJzQUnXyxtXGmjKSCITWtRwwjD2uMXWp5EVZv9JbfdvOelqecHWBw8Sq7pNczQigbl X-Received: by 2002:a63:1055:: with SMTP id 21mr7717460pgq.200.1557428116508; Thu, 09 May 2019 11:55:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557428116; cv=none; d=google.com; s=arc-20160816; b=bNW2Q2g9ZnXMSn9OdVzxEff2MehMLNhMxAHY0IIJNvshrluGvJuT/KFwFOyQci668M W9VTJWMSJqVwt80opm7WAYhTRk1lDeh2sbQYe48dLJ+58YNS6z+YDTnUfHth8HnCen2k WFFiMgmvGNgT3MgSMQ6Jg8dsjZ33c6H3YTcoO553GrN2IPA/ns+nq81BLnhX3P8ubhuC xLIPjQBEEv6qjAtODicE34aLDf0ycLdCf0omxwFjjdssmoygW0eYUYLgQtBAW7eK57xF /QYvJMoRSKui7fV14gxNNsejuILyeGmCn1igdwr7kY9+4eMVrVsRbz0sPxXptaz+EEpc lV+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ulaf19kxJvOTxrpKaq1vjL0IMgA1oBkokhWwp9aO2EQ=; b=cWDEoRoXms7do2vmV6Ws6S10VpVECuYhxJWG9IeiGKcPr1ycQYuw6FUtJXhVaqvQkD bbAzbbbhrjqa6qSktWL5dEEEdeOxgNz5/2iW/h8L1z4XB1hH0LbxUuKhOXSDpJ8XBXqO uf4Z8W44k3ak1pYOkc+S7oHbJ1/dtUQzBhtg0tU5kYt5nJz9kq72zXol2ArY2TMIuGMi Ulo8Hk+58cVCs+ukBLoF5fRxmI8FaKSH5xroeDVdZ5fTfCjHVQZhYCscD7loJdlraVD6 EOWOa3LmlU5zsIbC4a7D9E55hC6m800QkOQ7yDc7IIBpAN1NM98aACSN9oJhfUWffSYb LAMg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=yKQqLtic; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k5si3750401plt.179.2019.05.09.11.55.00; Thu, 09 May 2019 11:55:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=yKQqLtic; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729024AbfEISyL (ORCPT + 99 others); Thu, 9 May 2019 14:54:11 -0400 Received: from mail.kernel.org ([198.145.29.99]:48800 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728749AbfEISyI (ORCPT ); Thu, 9 May 2019 14:54:08 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 432DF2177E; Thu, 9 May 2019 18:54:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557428047; bh=k/TeH7BaKVX1u50l//zvo0KDlOFkKEQ+Vt+mzlbxyaU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yKQqLticbjJAzqMEqmJ5E13XuMNUFZP3F4OFzq52x/J/VtuuasTF3F+XQ27acIlCc JzivhFOpWQpcfschntm0bEV83ZyZNDovYjow5G0DSmQS3J0VqFlqF75DrzVmYnacjd 705XkVENIAiCx7VhP6PGEsqDCkXZn+OjHLYeEGFU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , Oliver Neukum Subject: [PATCH 5.0 77/95] USB: cdc-acm: fix unthrottle races Date: Thu, 9 May 2019 20:42:34 +0200 Message-Id: <20190509181314.737330384@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190509181309.180685671@linuxfoundation.org> References: <20190509181309.180685671@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 764478f41130f1b8d8057575b89e69980a0f600d upstream. Fix two long-standing bugs which could potentially lead to memory corruption or leave the port throttled until it is reopened (on weakly ordered systems), respectively, when read-URB completion races with unthrottle(). First, the URB must not be marked as free before processing is complete to prevent it from being submitted by unthrottle() on another CPU. CPU 1 CPU 2 ================ ================ complete() unthrottle() process_urb(); smp_mb__before_atomic(); set_bit(i, free); if (test_and_clear_bit(i, free)) submit_urb(); Second, the URB must be marked as free before checking the throttled flag to prevent unthrottle() on another CPU from failing to observe that the URB needs to be submitted if complete() sees that the throttled flag is set. CPU 1 CPU 2 ================ ================ complete() unthrottle() set_bit(i, free); throttled = 0; smp_mb__after_atomic(); smp_mb(); if (throttled) if (test_and_clear_bit(i, free)) return; submit_urb(); Note that test_and_clear_bit() only implies barriers when the test is successful. To handle the case where the URB is still in use an explicit barrier needs to be added to unthrottle() for the second race condition. Also note that the first race was fixed by 36e59e0d70d6 ("cdc-acm: fix race between callback and unthrottle") back in 2015, but the bug was reintroduced a year later. Fixes: 1aba579f3cf5 ("cdc-acm: handle read pipe errors") Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing") Signed-off-by: Johan Hovold Acked-by: Oliver Neukum Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/cdc-acm.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -470,12 +470,12 @@ static void acm_read_bulk_callback(struc struct acm *acm = rb->instance; unsigned long flags; int status = urb->status; + bool stopped = false; + bool stalled = false; dev_vdbg(&acm->data->dev, "got urb %d, len %d, status %d\n", rb->index, urb->actual_length, status); - set_bit(rb->index, &acm->read_urbs_free); - if (!acm->dev) { dev_dbg(&acm->data->dev, "%s - disconnected\n", __func__); return; @@ -488,15 +488,16 @@ static void acm_read_bulk_callback(struc break; case -EPIPE: set_bit(EVENT_RX_STALL, &acm->flags); - schedule_work(&acm->work); - return; + stalled = true; + break; case -ENOENT: case -ECONNRESET: case -ESHUTDOWN: dev_dbg(&acm->data->dev, "%s - urb shutting down with status: %d\n", __func__, status); - return; + stopped = true; + break; default: dev_dbg(&acm->data->dev, "%s - nonzero urb status received: %d\n", @@ -505,10 +506,24 @@ static void acm_read_bulk_callback(struc } /* - * Unthrottle may run on another CPU which needs to see events - * in the same order. Submission has an implict barrier + * Make sure URB processing is done before marking as free to avoid + * racing with unthrottle() on another CPU. Matches the barriers + * implied by the test_and_clear_bit() in acm_submit_read_urb(). */ smp_mb__before_atomic(); + set_bit(rb->index, &acm->read_urbs_free); + /* + * Make sure URB is marked as free before checking the throttled flag + * to avoid racing with unthrottle() on another CPU. Matches the + * smp_mb() in unthrottle(). + */ + smp_mb__after_atomic(); + + if (stopped || stalled) { + if (stalled) + schedule_work(&acm->work); + return; + } /* throttle device if requested by tty */ spin_lock_irqsave(&acm->read_lock, flags); @@ -842,6 +857,9 @@ static void acm_tty_unthrottle(struct tt acm->throttle_req = 0; spin_unlock_irq(&acm->read_lock); + /* Matches the smp_mb__after_atomic() in acm_read_bulk_callback(). */ + smp_mb(); + if (was_throttled) acm_submit_read_urbs(acm, GFP_KERNEL); }