On Thu, Sep 21, 2017 at 7:35 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, 21 Sep 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>>
>> Line numbers might be a little off, due to some local changes to
>> gadgetfs code but the issue is AFAIU with calling copy_to_user() with
>> spinlock held in ep0_read(). I see that there's a FIXME exactly about
>> that and I was wondering if there's any chance of getting this fixed?
>>
>> Thanks!
>
> The patch below, which goes on top of the gadgetfs patch from a few
> days ago, should eliminate this problem.
This patch seems to be fixing the crashes.
Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Thanks once again!
>
> Alan Stern
>
>
>
> Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
> ===================================================================
> --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
> +++ usb-4.x/drivers/usb/gadget/legacy/inode.c
> @@ -986,11 +986,14 @@ ep0_read (struct file *fd, char __user *
> retval = -EIO;
> else {
> len = min (len, (size_t)dev->req->actual);
> -// FIXME don't call this with the spinlock held ...
> + ++dev->udc_usage;
> + spin_unlock_irq(&dev->lock);
> if (copy_to_user (buf, dev->req->buf, len))
> retval = -EFAULT;
> else
> retval = len;
> + spin_lock_irq(&dev->lock);
> + --dev->udc_usage;
> clean_req (dev->gadget->ep0, dev->req);
> /* NOTE userspace can't yet choose to stall */
> }
>
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
