X-Mailing-List: linux-kernel@vger.kernel.org
From: Sam Sun
Date: Wed, 17 Apr 2024 15:39:02 +0800
Subject: Re: [Linux kernel bug] general protection fault in disable_store
To: Alan Stern
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, Greg KH, swboyd@chromium.org, ricardo@marliere.net, hkallweit1@gmail.com, heikki.krogerus@linux.intel.com, mathias.nyman@linux.intel.com, royluo@google.com, syzkaller-bugs@googlegroups.com, xrivendell7@gmail.com

On Wed, Apr 17, 2024 at 12:35 AM Alan Stern wrote:
>
> On Tue, Apr 16, 2024 at 05:05:55PM +0800, Sam Sun wrote:
> > On Mon, Apr 15, 2024 at 10:47 PM Alan Stern wrote:
> > >
> > > Actually, I've got a completely different patch which I think will fix
> > > the problem you encountered. Instead of using mutual exclusion to
> > > avoid the race, it prevents the two routines from being called at the
> > > same time so the race can't occur in the first place. It also should
> > > guarantee the usb_hub_to_struct_hub() doesn't return NULL when
> > > disable_store() calls it.
> > >
> > > Can you try the patch below, instead of (not along with) the first
> > > patch? Thanks.
> > >
> > > Alan Stern
> >
> > I tried this patch and it worked. I agree this patch is better and it
> > avoids introducing new locks.
>
> It turns out that patch is no good. The reason is mentioned in the
> changelog for commit 543d7784b07f ("USB: fix race between hub_disconnect
> and recursively_mark_NOTATTACHED"); it says that the port devices have to
> be removed _after_ maxchild has been set to 0.
>

I checked the commit you mentioned. Maybe your first fix is all we need
to fix the problem? At least no race would occur for hdev->maxchild and
usb_set_intfdata().

> So okay, here's a third attempt to fix the problem. This doesn't try to
> avoid the race or anything like that. Instead it just adds checks for
> usb_hub_to_struct_hub() returning NULL. That should be enough to prevent
> the invalid pointer dereference you encountered.
>
> This should be tested by itself, without either of the first two patches.
>
> Alan Stern
>
>
>
> Index: usb-devel/drivers/usb/core/port.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/port.c
> +++ usb-devel/drivers/usb/core/port.c
> @@ -51,13 +51,15 @@ static ssize_t disable_show(struct devic
>  	struct usb_port *port_dev = to_usb_port(dev);
>  	struct usb_device *hdev = to_usb_device(dev->parent->parent);
>  	struct usb_hub *hub = usb_hub_to_struct_hub(hdev);
> -	struct usb_interface *intf = to_usb_interface(hub->intfdev);
> +	struct usb_interface *intf = to_usb_interface(dev->parent);
>  	int port1 = port_dev->portnum;
>  	u16 portstatus, unused;
>  	bool disabled;
>  	int rc;
>  	struct kernfs_node *kn;
>  
> +	if (!hub)
> +		return -ENODEV;
>  	hub_get(hub);
>  	rc = usb_autopm_get_interface(intf);
>  	if (rc < 0)
> @@ -101,12 +103,14 @@ static ssize_t disable_store(struct devi
>  	struct usb_port *port_dev = to_usb_port(dev);
>  	struct usb_device *hdev = to_usb_device(dev->parent->parent);
>  	struct usb_hub *hub = usb_hub_to_struct_hub(hdev);
> -	struct usb_interface *intf = to_usb_interface(hub->intfdev);
> +	struct usb_interface *intf = to_usb_interface(dev->parent);
>  	int port1 = port_dev->portnum;
>  	bool disabled;
>  	int rc;
>  	struct kernfs_node *kn;
>  
> +	if (!hub)
> +		return -ENODEV;
>  	rc = kstrtobool(buf, &disabled);
>  	if (rc)
>  		return rc;
>

I applied this patch and it also can fix the warning. I am not sure
which one is better.

Best,
Yue
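Review bot: in the disable_show() hunk the `if (!hub) return -ENODEV;` check is correctly placed before `hub_get(hub)`, and switching `intf` to `to_usb_interface(dev->parent)` is what removes the `hub->intfdev` dereference from the declarations, but nothing in the hunk says why `hub` can be NULL here (the hub going away while the port's sysfs attribute is still reachable) or why `dev->parent` is equivalent to the old `hub->intfdev`; suggest a one-line comment above the check, e.g. `/* hub may already be gone while the port device still exists */`. The cover text also states that this patch does not close the race, so the changelog should say explicitly that the check only prevents the NULL dereference and that the window between `usb_hub_to_struct_hub()` and `hub_get(hub)` is left as is.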
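Review bot: the disable_store() hunk repeats the same three-line pattern as disable_show() (derive `hub` and `intf`, then `if (!hub) return -ENODEV;`), so the two functions can drift apart on the next change; consider a small shared helper or at least a comment in disable_store() pointing at disable_show() so the NULL check is kept in sync. Note also that the check now precedes `kstrtobool(buf, &disabled)`, so a write on a vanished hub returns -ENODEV before the input is parsed; that ordering looks right, but it is a user-visible error change worth a sentence in the changelog.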