From: Jia-Ju Bai
To: hminas@synopsys.com, gregkh@linuxfoundation.org
Cc: gregory.herrero@intel.com, balbi@ti.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH v3] usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
Date: Tue, 26 Sep 2023 10:44:04 +0800
Message-Id: <20230926024404.832096-1-baijiaju@buaa.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without
holding the lock "hsotg->lock".

In _dwc2_hcd_urb_dequeue():

  spin_lock_irqsave(&hsotg->lock, flags);
  ...
  if (!urb->hcpriv) {
    dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n");
    goto out;
  }
  rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv
  ...
out:
  spin_unlock_irqrestore(&hsotg->lock, flags);

When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are concurrently
executed, the NULL check of "urb->hcpriv" can be executed before
"urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used in the
function call to dwc2_hcd_urb_dequeue(), which can cause a NULL pointer
dereference.

This possible bug is found by an experimental static analysis tool
developed by myself. This tool analyzes the locking APIs to extract
function pairs that can be concurrently executed, and then analyzes the
instructions in the paired functions to identify possible concurrency
bugs including data races and atomicity violations. The above possible
bug is reported, when my tool analyzes the source code of Linux 6.5.

To fix this possible bug, "urb->hcpriv = NULL" should be executed while
holding the lock "hsotg->lock". After using this patch, my tool never
reports the possible bug, with the kernel configuration allyesconfig for
x86_64. Because I have no associated hardware, I cannot test the patch in
runtime testing, and just verify it according to the code logic.

Fixes: 33ad261aa62b ("usb: dwc2: host: spinlock urb_enqueue")
Signed-off-by: Jia-Ju Bai
---
v3:
* Add more details about bug finding in the description.
---
 drivers/usb/dwc2/hcd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index 657f1f659ffa..35c7a4df8e71 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c @@ -4769,8 +4769,8 @@ static int _dwc2_hcd_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, if (qh_allocated && qh->channel && qh->channel->qh == qh) qh->channel->qh = NULL; fail2: - spin_unlock_irqrestore(&hsotg->lock, flags); urb->hcpriv = NULL; + spin_unlock_irqrestore(&hsotg->lock, flags); kfree(qtd); fail1: if (qh_allocated) { -- 2.34.1
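Review bot: the reordered store at fail2 closes the window the description names, but the description should also state whether every other write to urb->hcpriv in _dwc2_hcd_urb_enqueue() (in particular the store that sets it to a non-NULL value earlier in the function) already happens under hsotg->lock; the `if (!urb->hcpriv)` check on the dequeue side is only a reliable guard when all writers are serialized by the same lock, and the changelog does not say so. Two smaller points on the hunk: `kfree(qtd)` stays after `spin_unlock_irqrestore()`, which is fine and keeps the hold time short, but a one-line comment above the moved store (e.g. `/* cleared under hsotg->lock; _dwc2_hcd_urb_dequeue() checks it under the same lock */`) would stop a later cleanup from swapping the two lines back, and the "Fixes:" tag cites the commit that introduced the spinlock in enqueue, so it is worth confirming that this store was outside the lock in that commit as well rather than moved later.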
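The check-then-use race the patch description explains, reproduced as an added user-space model written for this page. It is not the patch author's code and not dwc2 driver code: the structs `qtd`, `urb` and `hsotg`, the enum of outcomes, and the two barriers used to force the interleaving are all constructed here, a pthread mutex stands in for the `hsotg->lock` spinlock, and the error path is reduced to the one store the hunk moves. The model pins the dequeue side between its NULL check and its use, then runs the enqueue error path in the original order (store after unlock) and in the patched order (store under the lock), returning what dequeue observed each time.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the race in the patch description; names mirror the driver
 * (urb->hcpriv, hsotg->lock, qtd) but none of these types are the kernel's. */
struct qtd { int id; };
struct urb { struct qtd *hcpriv; };

struct hsotg {
    pthread_mutex_t lock;        /* stands in for the hsotg->lock spinlock */
    pthread_barrier_t checked;   /* test hook: passed once dequeue is between check and use */
    pthread_barrier_t cleared;   /* test hook: passed once an unlocked NULL store has landed */
};

enum { DEQ_OK = 0, DEQ_SKIPPED = 1, DEQ_NULL_DEREF = 2 };

/* Model of _dwc2_hcd_urb_dequeue(): NULL check and use of urb->hcpriv in one lock hold. */
static int model_dequeue(struct hsotg *hsotg, struct urb *urb)
{
    int rc;
    struct qtd *q;

    pthread_mutex_lock(&hsotg->lock);
    if (!urb->hcpriv) {
        rc = DEQ_SKIPPED;                 /* the "## urb->hcpriv is NULL ##" path */
        goto out;
    }
    /* Window between the check and the use: let the enqueue error path run now. */
    pthread_barrier_wait(&hsotg->checked);
    pthread_barrier_wait(&hsotg->cleared);
    q = urb->hcpriv;                      /* stands in for passing urb->hcpriv to dwc2_hcd_urb_dequeue() */
    rc = q ? DEQ_OK : DEQ_NULL_DEREF;     /* the real callee dereferences it; NULL here means an oops */
out:
    pthread_mutex_unlock(&hsotg->lock);
    return rc;
}

struct enqueue_args { struct hsotg *hsotg; struct urb *urb; int clear_under_lock; };

/* Model of the fail2: path in _dwc2_hcd_urb_enqueue(): original order (0) or patched order (1).
 * The lock hold that precedes fail2 in the driver is not modelled; only the store is. */
static void *model_enqueue_fail2(void *p)
{
    struct enqueue_args *a = p;

    pthread_barrier_wait(&a->hsotg->checked); /* dequeue has passed its NULL check */
    if (a->clear_under_lock) {
        /* Patched order: the store needs the lock, so it blocks until dequeue is done. */
        pthread_mutex_lock(&a->hsotg->lock);
        a->urb->hcpriv = NULL;
        pthread_mutex_unlock(&a->hsotg->lock);
    } else {
        /* Original order: lock already dropped, store lands inside dequeue's critical section. */
        a->urb->hcpriv = NULL;
        pthread_barrier_wait(&a->hsotg->cleared);
    }
    return NULL;
}

/* Runs one forced interleaving and returns what the dequeue side observed. */
int run_scenario(int clear_under_lock)
{
    struct qtd qtd = { .id = 1 };
    struct urb urb = { .hcpriv = &qtd };
    struct hsotg hsotg;
    struct enqueue_args args = { &hsotg, &urb, clear_under_lock };
    pthread_t t;
    int rc;

    pthread_mutex_init(&hsotg.lock, NULL);
    pthread_barrier_init(&hsotg.checked, NULL, 2);
    /* Patched order has no unlocked store to wait for: a count-1 barrier passes immediately. */
    pthread_barrier_init(&hsotg.cleared, NULL, clear_under_lock ? 1 : 2);

    pthread_create(&t, NULL, model_enqueue_fail2, &args);
    rc = model_dequeue(&hsotg, &urb);
    pthread_join(t, NULL);

    pthread_barrier_destroy(&hsotg.cleared);
    pthread_barrier_destroy(&hsotg.checked);
    pthread_mutex_destroy(&hsotg.lock);
    return rc;
}

int main(void)
{
    printf("original order (store after unlock): %d\n", run_scenario(0)); /* 2: NULL reached the use */
    printf("patched order  (store under lock):   %d\n", run_scenario(1)); /* 0: use saw a valid pointer */
    return 0;
}
```

The barriers only exist to make the bad interleaving reproducible on demand; in the driver the same ordering depends on scheduling, which is why a static pairing of lock-protected readers against unprotected writers (as the description's tool does) finds it more reliably than runtime testing would. Link with `-pthread` on toolchains that still need it.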