Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp6779337rwn; Tue, 13 Sep 2022 08:55:51 -0700 (PDT) X-Google-Smtp-Source: AA6agR4F86r5RUiN6GHXKLWeMWLyIGH8ukGumjbThLliHBN0qYjyj+VZFkpH0dmGW0SYfKo3IWQ+ X-Received: by 2002:a17:907:2724:b0:779:7545:5df6 with SMTP id d4-20020a170907272400b0077975455df6mr15747473ejl.325.1663084551458; Tue, 13 Sep 2022 08:55:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663084551; cv=none; d=google.com; s=arc-20160816; b=Lw77Gj/YiRRAKGc9sK1DnsHkHQQ8/8V5oC6wT9uTmfkTTKz3XMQqXMjTiHZ7uljZUY FViYQVZsp87PwEFigzx/emRDwUQvzXIdyg1YjmtzHQ539SrK4yslMtZj64GZf8DW9M// OPg9fX4xysj+c4t4y6Jxup4uSCDXTrOF5g/bjcOUeoSAB082KYF0245mLyNz3pULmJe5 mhQc7CkBhgAnuq51NpokFq2mdLcWWzbzqCl8rjQDgBsd8swqo8lNhQh8xHTm47EOKyc9 LnzBl+7Z6ncdifWUQqIHT/5W2sSD53ANoBsCtgBDQ1hbblJ9phEutnRs1LXWMpR2+biQ 3x3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=n48v4xOOpgzTv2QkfbvHy5wgu7s76LezUK9s8274+IY=; b=rnxb5EQrVNPDxBUyxaUK9RShwq8gUXLigRy4On0+szjmJrOXDZlqSFVV0E20/nf93X LclbKTo3zHERKmt9jUs/5aUWel4Z+e4W2l0C1wdtgB+HFGiagoU6g71ie8vtFtH4XDgH H3j8d2If4TNS0EeKMx0QW8IyuEffDIU/u4xAqdCqZYZNr88UKNBJc/nmS0njhFaQ5obk 0AlEDEgq1GL7WDbnjlEbc4bX6U374XlfmAd4FUApxcJj2PyqlClCIscVDR1f7zXcSkq4 3n2mQ2fm9dtsMF8MKpUxeL+AqqfB04N0YJcy05mG7J80Hc985TfP+WgvQq+f0SZerPOn ehuw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=rZogGtYb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r25-20020aa7d599000000b0044e74822f35si7942375edq.369.2022.09.13.08.55.24; Tue, 13 Sep 2022 08:55:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=rZogGtYb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236483AbiIMPcS (ORCPT + 99 others); Tue, 13 Sep 2022 11:32:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52290 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234707AbiIMPbs (ORCPT ); Tue, 13 Sep 2022 11:31:48 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0765C78599; Tue, 13 Sep 2022 07:40:05 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 3C1BAB8100C; Tue, 13 Sep 2022 14:35:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9D458C433D7; Tue, 13 Sep 2022 14:35:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1663079734; bh=gIiL6T4LvaFLNHSvjDxv/6KecjXwYvhUtfdxuCANdKg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rZogGtYbcdmWCvcOs/nqZMafDSFIwnMEaJjDgxv6oXF4etOVQZO/zyzkcjMTx6VqM 4cziIigCKcG/GNmiIMBKPMDWqZodgyRN/4r8qiZ8wvCLHFIL9C43+5H0J9Tx3BnSCS L3An3bFKPmBz2irS5WFiElJmx5lNPhIShCC9DmB0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , Rondreis Subject: [PATCH 4.14 28/61] USB: core: Prevent nested device-reset calls Date: Tue, 13 Sep 2022 16:07:30 +0200 Message-Id: <20220913140347.905656775@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220913140346.422813036@linuxfoundation.org> References: <20220913140346.422813036@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alan Stern commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream. Automatic kernel fuzzing revealed a recursive locking violation in usb-storage: ============================================ WARNING: possible recursive locking detected 5.18.0 #3 Not tainted -------------------------------------------- kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 but task is already holding lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 ... stack backtrace: CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline] check_deadlock kernel/locking/lockdep.c:3031 [inline] validate_chain kernel/locking/lockdep.c:3816 [inline] __lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053 lock_acquire kernel/locking/lockdep.c:5665 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630 __mutex_lock_common kernel/locking/mutex.c:603 [inline] __mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747 usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109 r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622 usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:545 [inline] device_remove+0x11f/0x170 drivers/base/dd.c:537 __device_release_driver drivers/base/dd.c:1222 [inline] device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248 usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627 usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114 This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is, as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have pre_reset or post_reset callbacks), its ->remove routine called usb_reset_device() -- thus nesting one reset call within another. Performing a reset as part of disconnect processing is a questionable practice at best. However, the bug report points out that the USB core does not have any protection against nested resets. Adding a reset_in_progress flag and testing it will prevent such errors in the future. Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9_0Tw4HQ6keN==voRbP0g@mail.gmail.com/ Cc: stable@vger.kernel.org Reported-and-tested-by: Rondreis Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/hub.c | 10 ++++++++++ include/linux/usb.h | 2 ++ 2 files changed, 12 insertions(+) --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5737,6 +5737,11 @@ re_enumerate_no_bos: * the reset is over (using their post_reset method). * * Return: The same as for usb_reset_and_verify_device(). + * However, if a reset is already in progress (for instance, if a + * driver doesn't have pre_ or post_reset() callbacks, and while + * being unbound or re-bound during the ongoing reset its disconnect() + * or probe() routine tries to perform a second, nested reset), the + * routine returns -EINPROGRESS. * * Note: * The caller must own the device lock. For example, it's safe to use @@ -5770,6 +5775,10 @@ int usb_reset_device(struct usb_device * return -EISDIR; } + if (udev->reset_in_progress) + return -EINPROGRESS; + udev->reset_in_progress = 1; + port_dev = hub->ports[udev->portnum - 1]; /* @@ -5834,6 +5843,7 @@ int usb_reset_device(struct usb_device * usb_autosuspend_device(udev); memalloc_noio_restore(noio_flag); + udev->reset_in_progress = 0; return ret; } EXPORT_SYMBOL_GPL(usb_reset_device); --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -568,6 +568,7 @@ struct usb3_lpm_parameters { * @level: number of USB hub ancestors * @can_submit: URBs may be submitted * @persist_enabled: USB_PERSIST enabled for this device + * @reset_in_progress: the device is being reset * @have_langid: whether string_langid is valid * @authorized: policy has said we can use it; * (user space) policy determines if we authorize this device to be @@ -646,6 +647,7 @@ struct usb_device { unsigned can_submit:1; unsigned persist_enabled:1; + unsigned reset_in_progress:1; unsigned have_langid:1; unsigned authorized:1; unsigned authenticated:1;