Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp6763348rwn; Tue, 13 Sep 2022 08:42:20 -0700 (PDT) X-Google-Smtp-Source: AA6agR4s+Mh5aGxNs7TuizbpdTT/0i/0lqj76fz5lszqN6WjnDO4iz6vHH1AcK/I5fIjEehc3jAi X-Received: by 2002:aa7:d3cd:0:b0:452:5457:6375 with SMTP id o13-20020aa7d3cd000000b0045254576375mr3451691edr.111.1663083740093; Tue, 13 Sep 2022 08:42:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663083740; cv=none; d=google.com; s=arc-20160816; b=jdZPt5YzUK3iZhpxoynyUrIoGmBnkDRd1Mw/GH1/97i1XYUBw9sVgd7XqlS9V8XX5e pYr9IKSy3Fg9TPZWqDaGZPf2UU+VxweC6AqvZcggRJjANkLZ7z1yfkXQ7eI+LM9MnskO AnKE6LS3nuVMWMY6+kRkdJyfyXbaVJdi0w66+ViR2L2Hy/uUkabx6/LmdjVvhRmfEbg+ WfY9rInP+8lC+9OcefcKl8GuvsV9DPEQkVAf5FuSwuHB/jSaiep/5rCOqsvm5rQqsqJH lW1MHhz0Hq7Kf6vxwrQ0jD2JW5CpZl2SjchN9IeVjbVppPSotaMjWKyuVeDCe5yqR4M0 26Tw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=HAPk93pDWjOwD9RV6Z1L0hNnm+ZDZJhf2puGgJBc3u4=; b=fR8Hz9/UD5JZMnEJkFEuihsz0cbHcm39jZzhcsNth9KPMK48Dr2xSxtsySlwJEG5aW a31ABht+zuRWYo87nheO+RJOUzJKoUhqG0ZLE1eQMGBBIkQiNCkoNLZwEjUic0k9JDMT B0o54saBp22DfQiH4CEUfkD/saGyPEC3NoOnGPJZe+exKA5ZjvPgpFMd5umomX/K/1RW leB+3xqDCNtqOMMOVB2Jpcv5BgogOlukvGH8mUBiYLvHCbMfwADrx1ouefN/gjccv2fO P6rPIxe/S0nr1axkkiAHGuXwTP3+Sjw9bynUQB1xmmeRBSRNJtUajblq2aEoCu3fx1Ly kGBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=xzVOeHfg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s1-20020a056402520100b00450660e2766si9549155edd.78.2022.09.13.08.41.53; Tue, 13 Sep 2022 08:42:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=xzVOeHfg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235076AbiIMPCJ (ORCPT + 99 others); Tue, 13 Sep 2022 11:02:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40428 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231817AbiIMO7k (ORCPT ); Tue, 13 Sep 2022 10:59:40 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E80C67C96; Tue, 13 Sep 2022 07:29:13 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 36139B80F88; Tue, 13 Sep 2022 14:28:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 842E3C433D6; Tue, 13 Sep 2022 14:28:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1663079323; bh=8KeMCIg+Pi0ZSD9ArrUQGZ0FqfMzxYSZnbkOkTiYLNE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xzVOeHfgY4OumLxOlpvvQc1tRAZPNliOsQMqlW24/1DbgjZZ+7sBzfXWcWKkTZvvt aarMqQOnZ9vjq9Tf3yUa0duibLuOFg0LtlnDycd8sef9VvwlGPNjoSW16z0bEIwQrN 1tPJv/cTJBbw4fEuWDZdyZf8fNXTiGSlBuG656XU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , Rondreis Subject: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls Date: Tue, 13 Sep 2022 16:06:24 +0200 Message-Id: <20220913140355.910732567@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220913140353.549108748@linuxfoundation.org> References: <20220913140353.549108748@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alan Stern commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream. Automatic kernel fuzzing revealed a recursive locking violation in usb-storage: ============================================ WARNING: possible recursive locking detected 5.18.0 #3 Not tainted -------------------------------------------- kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 but task is already holding lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 ... stack backtrace: CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline] check_deadlock kernel/locking/lockdep.c:3031 [inline] validate_chain kernel/locking/lockdep.c:3816 [inline] __lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053 lock_acquire kernel/locking/lockdep.c:5665 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630 __mutex_lock_common kernel/locking/mutex.c:603 [inline] __mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747 usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109 r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622 usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:545 [inline] device_remove+0x11f/0x170 drivers/base/dd.c:537 __device_release_driver drivers/base/dd.c:1222 [inline] device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248 usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627 usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114 This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is, as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have pre_reset or post_reset callbacks), its ->remove routine called usb_reset_device() -- thus nesting one reset call within another. Performing a reset as part of disconnect processing is a questionable practice at best. However, the bug report points out that the USB core does not have any protection against nested resets. Adding a reset_in_progress flag and testing it will prevent such errors in the future. Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9_0Tw4HQ6keN==voRbP0g@mail.gmail.com/ Cc: stable@vger.kernel.org Reported-and-tested-by: Rondreis Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/hub.c | 10 ++++++++++ include/linux/usb.h | 2 ++ 2 files changed, 12 insertions(+) --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5923,6 +5923,11 @@ re_enumerate_no_bos: * the reset is over (using their post_reset method). * * Return: The same as for usb_reset_and_verify_device(). + * However, if a reset is already in progress (for instance, if a + * driver doesn't have pre_ or post_reset() callbacks, and while + * being unbound or re-bound during the ongoing reset its disconnect() + * or probe() routine tries to perform a second, nested reset), the + * routine returns -EINPROGRESS. * * Note: * The caller must own the device lock. For example, it's safe to use @@ -5956,6 +5961,10 @@ int usb_reset_device(struct usb_device * return -EISDIR; } + if (udev->reset_in_progress) + return -EINPROGRESS; + udev->reset_in_progress = 1; + port_dev = hub->ports[udev->portnum - 1]; /* @@ -6020,6 +6029,7 @@ int usb_reset_device(struct usb_device * usb_autosuspend_device(udev); memalloc_noio_restore(noio_flag); + udev->reset_in_progress = 0; return ret; } EXPORT_SYMBOL_GPL(usb_reset_device); --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -580,6 +580,7 @@ struct usb3_lpm_parameters { * @devaddr: device address, XHCI: assigned by HW, others: same as devnum * @can_submit: URBs may be submitted * @persist_enabled: USB_PERSIST enabled for this device + * @reset_in_progress: the device is being reset * @have_langid: whether string_langid is valid * @authorized: policy has said we can use it; * (user space) policy determines if we authorize this device to be @@ -665,6 +666,7 @@ struct usb_device { unsigned can_submit:1; unsigned persist_enabled:1; + unsigned reset_in_progress:1; unsigned have_langid:1; unsigned authorized:1; unsigned authenticated:1;