Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp6766705rwn; Tue, 13 Sep 2022 08:45:11 -0700 (PDT) X-Google-Smtp-Source: AA6agR7LM/1nqbozQiJSR9DRq12wikVxvRX007Eboq39+i4jSvvmNqtFxZav7GS8tksDyz8KgNqa X-Received: by 2002:a17:907:96a2:b0:776:15f3:1ffe with SMTP id hd34-20020a17090796a200b0077615f31ffemr18323146ejc.406.1663083910962; Tue, 13 Sep 2022 08:45:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663083910; cv=none; d=google.com; s=arc-20160816; b=ELZn+NUPBFlzxzmd5nKDGYiC2hNC2a27IUB/efuJFxDugr8q3v0Sb9wGi3hqz5+eaC hUr/1KdpJo5StWYgU2Bt5O1UDBbtJwLywLjkQU8x91hbbx/r1iwFpf5NmH06ATzBjnKv 5ewkK3faK0+2IuH1DPfkZQQg8Gp5cgOT/IvaeLTZH/iy24sCqG+fixcRtSX1r/BXy1Ke yU+CdJdZjeID8rkOI3a4flzM2Ur5Ku/MrEs2wvKczEOD3Yxhj98yz1SlhSlgFoDE0EAX 4VlApHWW2c8Vuzk1EMxQ1toV3HkmmkAjdeFi1nM9/pGyvnWYSABEoRj+JvVFskDjzrmE SKZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=dk2cFEN/t38nMlFF1xfwEsdN9q7oDGidqWixcFj5joc=; b=T6Uxxukth8ZjeaH58Q9Yg8eLLYAXeAo4Df90CkdnBtup2hyG2nItFyUDI6mKJ0ui3L EZVO1asgIJcsUwMzDS9jhwn36WW06YIiln9PFCcy+wuMHKA6lzInP29EJbLrJw/r/p5f QsRyutcrscHksfpwx23uaSA+KeVohke2SLSPeLXChs9HP42Gn5mu3q6fe54cSm9bKQdj hQ03W994dMGFYFTkLdpan73bom+ZzSlLZWbG1VSwoswBR/xJzSM4Qxeavq/7oQaOAXan CK+9N0JmCtWqbOkUnJrMGBEPBxSOjv/cQg6tkGG+uoEWOapMqsreTIoGnOJVyYQuEA3j z0EQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=jmx1E1gZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q11-20020a1709060f8b00b007269ef1872esi8012575ejj.897.2022.09.13.08.44.41; Tue, 13 Sep 2022 08:45:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=jmx1E1gZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235616AbiIMPOh (ORCPT + 99 others); Tue, 13 Sep 2022 11:14:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49966 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235549AbiIMPMA (ORCPT ); Tue, 13 Sep 2022 11:12:00 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A4E121C11A; Tue, 13 Sep 2022 07:32:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 5A1BAB80F88; Tue, 13 Sep 2022 14:31:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B6B45C433C1; Tue, 13 Sep 2022 14:31:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1663079479; bh=8S5RKtHTTDPWGeVR4LZwgHPOe71w51OawdHeFyszY7g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jmx1E1gZsJvNht9SpYiHhZSK+qiit4AIOj51P0mRWlg9/lKDoaXjA4T7m/LBX9hiq BmxR4ofHawQkBCH+XWFyGjw8k3yCJJM4iKdksvmHU+3xceUXuDJ2Pl0PBRzXksxR4A dKOzi60UpaP4iOIShOOk7aMNV+g/QNNYuLMNgkk4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , Rondreis Subject: [PATCH 4.19 43/79] USB: core: Prevent nested device-reset calls Date: Tue, 13 Sep 2022 16:07:01 +0200 Message-Id: <20220913140350.994589719@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220913140348.835121645@linuxfoundation.org> References: <20220913140348.835121645@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alan Stern commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream. Automatic kernel fuzzing revealed a recursive locking violation in usb-storage: ============================================ WARNING: possible recursive locking detected 5.18.0 #3 Not tainted -------------------------------------------- kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 but task is already holding lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 ... stack backtrace: CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline] check_deadlock kernel/locking/lockdep.c:3031 [inline] validate_chain kernel/locking/lockdep.c:3816 [inline] __lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053 lock_acquire kernel/locking/lockdep.c:5665 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630 __mutex_lock_common kernel/locking/mutex.c:603 [inline] __mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747 usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109 r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622 usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:545 [inline] device_remove+0x11f/0x170 drivers/base/dd.c:537 __device_release_driver drivers/base/dd.c:1222 [inline] device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248 usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627 usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114 This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is, as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have pre_reset or post_reset callbacks), its ->remove routine called usb_reset_device() -- thus nesting one reset call within another. Performing a reset as part of disconnect processing is a questionable practice at best. However, the bug report points out that the USB core does not have any protection against nested resets. Adding a reset_in_progress flag and testing it will prevent such errors in the future. Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9_0Tw4HQ6keN==voRbP0g@mail.gmail.com/ Cc: stable@vger.kernel.org Reported-and-tested-by: Rondreis Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/hub.c | 10 ++++++++++ include/linux/usb.h | 2 ++ 2 files changed, 12 insertions(+) --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5851,6 +5851,11 @@ re_enumerate_no_bos: * the reset is over (using their post_reset method). * * Return: The same as for usb_reset_and_verify_device(). + * However, if a reset is already in progress (for instance, if a + * driver doesn't have pre_ or post_reset() callbacks, and while + * being unbound or re-bound during the ongoing reset its disconnect() + * or probe() routine tries to perform a second, nested reset), the + * routine returns -EINPROGRESS. * * Note: * The caller must own the device lock. For example, it's safe to use @@ -5884,6 +5889,10 @@ int usb_reset_device(struct usb_device * return -EISDIR; } + if (udev->reset_in_progress) + return -EINPROGRESS; + udev->reset_in_progress = 1; + port_dev = hub->ports[udev->portnum - 1]; /* @@ -5948,6 +5957,7 @@ int usb_reset_device(struct usb_device * usb_autosuspend_device(udev); memalloc_noio_restore(noio_flag); + udev->reset_in_progress = 0; return ret; } EXPORT_SYMBOL_GPL(usb_reset_device); --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -580,6 +580,7 @@ struct usb3_lpm_parameters { * @level: number of USB hub ancestors * @can_submit: URBs may be submitted * @persist_enabled: USB_PERSIST enabled for this device + * @reset_in_progress: the device is being reset * @have_langid: whether string_langid is valid * @authorized: policy has said we can use it; * (user space) policy determines if we authorize this device to be @@ -664,6 +665,7 @@ struct usb_device { unsigned can_submit:1; unsigned persist_enabled:1; + unsigned reset_in_progress:1; unsigned have_langid:1; unsigned authorized:1; unsigned authenticated:1;