Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2521924pxj;
        Mon, 10 May 2021 05:07:38 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyHDfwwc26FzOD9bxy91J1xb9Bb2TC+mZbDrp9mPeF962B8GrPMoP4pfM6GI6tIYw39pStq
X-Received: by 2002:a17:906:5285:: with SMTP id c5mr25117246ejm.282.1620648458540;
        Mon, 10 May 2021 05:07:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620648458; cv=none;
        d=google.com; s=arc-20160816;
        b=F3sDbdCs/Tp/0cNaJ5YSlpAfgPca5tKMKKu8cOsPheD8yYUpjpG6r5DBjCyofZrpGF
         ky6QMjdPCCGca4CCrEaRp83haToqnGxZvk2acTGDYLU7r4A50Zu9+7VI/r0CmjHsVN4M
         WP1MUz3iYfqPIvHt43gcIHi+C5cKQixFhcd1dBVbEJoEVwBO/UHgHt35+iRACIrobqhy
         3lLJPJ6qXqMTHM2H0v5NkFzJnl5X+e9sHAl2AXi9IjZdfhH20P+5ULM21X3Kx/ZrDmmt
         4pAl38QXqlRyVRjiRQdrUqMxnlIBBmJikeXYckNUVJ7HBVZeWQLVyvqoHCBtI1I+Jt0w
         VfhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=3jeP/T88CJAhLJb8izHr77emxtQ6pJNd6U2H6c9hBSs=;
        b=CcWJbtzLirmFCxTFsOLItM7Mc/jhpwpcQbvXVFC8/cugFfjwJAao7WgndX7Fwx9EWc
         pe4Fq3Gc3FebkmwDmL+GNUcdDa7YvYh/dKDV+R3uMb1cyCYX/fFgKtZ+wyBLR0kaaiCC
         bMHn7SdxVbvwjm95DNvIBPryD4RI5JDD8xjhc6m/6/kNB3k+O0FJAkrQBIsuq4trEU22
         3971hFAYTM/uNqWIogUG4mmmXfA0O6lzX7Bo5jdzav6Y6E/5y6rCPEmKTe36tHt+TOWi
         PPtyi6dex6gnAZm98hru9uLur9mxKgnKdGYPS37jXGNlBLHuazniyTTr3ToTeqouqxzC
         0uDw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=M0yJ3ZLI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id mh7si13367695ejb.585.2021.05.10.05.07.13;
        Mon, 10 May 2021 05:07:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=M0yJ3ZLI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244293AbhEJL6p (ORCPT <rfc822;lkml.email@gmail.com> + 99 others);
        Mon, 10 May 2021 07:58:45 -0400
Received: from mail.kernel.org ([198.145.29.99]:45204 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S235860AbhEJLGZ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 10 May 2021 07:06:25 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 892B1613CA;
        Mon, 10 May 2021 10:56:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1620644204;
        bh=QWmGX5c9qnPYxPio/sCv/iTUFCnIt42AyHnKqsnFfv4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=M0yJ3ZLIfitVsjWUsG0p+fHiNm1yQMMVpSJqqtGlz5iSdcIl7Nb995VST858pyDIe
         OnLVS/p/QBbDuSLCbKP6WgywmXcnQt7d2JXveJcahTZ2LQHcuDQyJYtVmB0InvlB2E
         /YQ/5KDM/FH39qA7cGmfjCwtBhftLl/k1YYZUPgM=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+eb4674092e6cc8d9e0bd@syzkaller.appspotmail.com,
        Alan Stern <stern@rowland.harvard.edu>,
        Anirudh Rayabharam <mail@anirudhrb.com>
Subject: [PATCH 5.11 322/342] usb: gadget: dummy_hcd: fix gpf in gadget_setup
Date:   Mon, 10 May 2021 12:21:52 +0200
Message-Id: <20210510102020.756009766@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210510102010.096403571@linuxfoundation.org>
References: <20210510102010.096403571@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Anirudh Rayabharam <mail@anirudhrb.com>

commit 4a5d797a9f9c4f18585544237216d7812686a71f upstream.

Fix a general protection fault reported by syzbot due to a race between
gadget_setup() and gadget_unbind() in raw_gadget.

The gadget core is supposed to guarantee that there won't be any more
callbacks to the gadget driver once the driver's unbind routine is
called. That guarantee is enforced in usb_gadget_remove_driver as
follows:

        usb_gadget_disconnect(udc->gadget);
        if (udc->gadget->irq)
                synchronize_irq(udc->gadget->irq);
        udc->driver->unbind(udc->gadget);
        usb_gadget_udc_stop(udc);

usb_gadget_disconnect turns off the pullup resistor, telling the host
that the gadget is no longer connected and preventing the transmission
of any more USB packets. Any packets that have already been received
are sure to processed by the UDC driver's interrupt handler by the time
synchronize_irq returns.

But this doesn't work with dummy_hcd, because dummy_hcd doesn't use
interrupts; it uses a timer instead. It does have code to emulate the
effect of synchronize_irq, but that code doesn't get invoked at the
right time -- it currently runs in usb_gadget_udc_stop, after the unbind
callback instead of before. Indeed, there's no way for
usb_gadget_remove_driver to invoke this code before the unbind callback.

To fix this, move the synchronize_irq() emulation code to dummy_pullup
so that it runs before unbind. Also, add a comment explaining why it is
necessary to have it there.

Reported-by: syzbot+eb4674092e6cc8d9e0bd@syzkaller.appspotmail.com
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Link: https://lore.kernel.org/r/20210419033713.3021-1-mail@anirudhrb.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/dummy_hcd.c |   23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -903,6 +903,21 @@ static int dummy_pullup(struct usb_gadge
 	spin_lock_irqsave(&dum->lock, flags);
 	dum->pullup = (value != 0);
 	set_link_state(dum_hcd);
+	if (value == 0) {
+		/*
+		 * Emulate synchronize_irq(): wait for callbacks to finish.
+		 * This seems to be the best place to emulate the call to
+		 * synchronize_irq() that's in usb_gadget_remove_driver().
+		 * Doing it in dummy_udc_stop() would be too late since it
+		 * is called after the unbind callback and unbind shouldn't
+		 * be invoked until all the other callbacks are finished.
+		 */
+		while (dum->callback_usage > 0) {
+			spin_unlock_irqrestore(&dum->lock, flags);
+			usleep_range(1000, 2000);
+			spin_lock_irqsave(&dum->lock, flags);
+		}
+	}
 	spin_unlock_irqrestore(&dum->lock, flags);
 
 	usb_hcd_poll_rh_status(dummy_hcd_to_hcd(dum_hcd));
@@ -1004,14 +1019,6 @@ static int dummy_udc_stop(struct usb_gad
 	spin_lock_irq(&dum->lock);
 	dum->ints_enabled = 0;
 	stop_activity(dum);
-
-	/* emulate synchronize_irq(): wait for callbacks to finish */
-	while (dum->callback_usage > 0) {
-		spin_unlock_irq(&dum->lock);
-		usleep_range(1000, 2000);
-		spin_lock_irq(&dum->lock);
-	}
-
 	dum->driver = NULL;
 	spin_unlock_irq(&dum->lock);