On Thu, Sep 21, 2017 at 01:23:58PM -0400, Alan Stern wrote:
> The gadgetfs driver (drivers/usb/gadget/legacy/inode.c) was written
> before the UDC and composite frameworks were adopted; it is a legacy
> driver. As such, it expects that once bound to a UDC controller, it
> will not be unbound until it unregisters itself.
>
> However, the UDC framework does unbind function drivers while they are
> still registered. When this happens, it can cause the gadgetfs driver
> to misbehave or crash. For example, userspace can cause a crash by
> opening the device file and doing an ioctl call before setting up a
> configuration (found by Andrey Konovalov using the syzkaller fuzzer).
>
> This patch adds checks and synchronization to prevent these bad
> behaviors. It adds a udc_usage counter that the driver increments at
> times when it is using a gadget interface without holding the private
> spinlock. The unbind routine waits for this counter to go to 0 before
> returning, thereby ensuring that the UDC is no longer in use.
>
> The patch also adds a check in the dev_ioctl() routine to make sure
> the driver is bound to a UDC before dereferencing the gadget pointer,
> and it makes destroy_ep_files() synchronize with the endpoint I/O
> routines, to prevent the user from accessing an endpoint data
> structure after it has been removed.
>
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> CC: <stable@xxxxxxxxxxxxxxx>

Felipe, any objection for me taking this, and the other gadget driver
fixes that Alan just sent out, directly in my tree?

thanks,

greg k-h
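The udc_usage scheme Alan describes above (bump a counter while the gadget is used outside the private spinlock, have unbind clear the pointer and wait for the counter to drain, and make dev_ioctl() refuse to touch an unbound gadget) is shown here as an added user-space C illustration. It is not the gadgetfs patch and not kernel code: struct dev_data, gadget_use_begin()/gadget_use_end(), dev_bind() and run_unbind_race() are names chosen for this example, a pthread mutex stands in for the driver's spinlock, sched_yield() stands in for however the kernel would wait, and the "slow user" thread is a constructed stand-in for the userspace ioctl that syzkaller found racing against unbind.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Stand-in for struct usb_gadget; the real one is much larger. */
struct gadget { int id; };

/* Minimal stand-in for gadgetfs's per-device state (names are this example's). */
struct dev_data {
    pthread_mutex_t lock;   /* plays the role of the driver's private spinlock */
    struct gadget *gadget;  /* NULL once the UDC has unbound us */
    unsigned udc_usage;     /* callers using 'gadget' without holding 'lock' */
};

static struct gadget g_udc = { .id = 1 };   /* constructed "controller" */

static void dev_bind(struct dev_data *dev, struct gadget *g)
{
    pthread_mutex_init(&dev->lock, NULL);
    dev->gadget = g;
    dev->udc_usage = 0;
}

/* Take a usage reference under the lock. Fails with -ENODEV once unbound:
 * this is the bound-before-dereference check the patch adds to dev_ioctl(). */
static int gadget_use_begin(struct dev_data *dev, struct gadget **out)
{
    pthread_mutex_lock(&dev->lock);
    if (!dev->gadget) {
        pthread_mutex_unlock(&dev->lock);
        return -ENODEV;
    }
    dev->udc_usage++;
    *out = dev->gadget;
    pthread_mutex_unlock(&dev->lock);
    return 0;
}

static void gadget_use_end(struct dev_data *dev)
{
    pthread_mutex_lock(&dev->lock);
    dev->udc_usage--;
    pthread_mutex_unlock(&dev->lock);
}

/* Fixed ioctl path. The unfixed shape would read dev->gadget->id with no
 * check and crash once unbind has cleared the pointer. */
int dev_ioctl(struct dev_data *dev)
{
    struct gadget *g;
    int ret = gadget_use_begin(dev, &g);
    if (ret)
        return ret;
    ret = g->id;            /* use the gadget without holding the lock */
    gadget_use_end(dev);
    return ret;
}

/* Unbind: clear the pointer so no new users can start, then wait for the
 * in-flight ones to drain before the UDC goes away. */
void gadgetfs_unbind(struct dev_data *dev)
{
    pthread_mutex_lock(&dev->lock);
    dev->gadget = NULL;
    while (dev->udc_usage) {
        pthread_mutex_unlock(&dev->lock);
        sched_yield();      /* kernel code would sleep here instead */
        pthread_mutex_lock(&dev->lock);
    }
    pthread_mutex_unlock(&dev->lock);
}

/* Constructed race: a slow user pins the gadget while unbind runs. */
struct slow_arg { struct dev_data *dev; atomic_bool in_use; int seen_id; };

static void *slow_user(void *p)
{
    struct slow_arg *a = p;
    struct gadget *g;
    if (gadget_use_begin(a->dev, &g) == 0) {
        atomic_store(&a->in_use, true);
        struct timespec ts = { 0, 20 * 1000 * 1000 };   /* 20 ms */
        nanosleep(&ts, NULL);
        a->seen_id = g->id;  /* still valid: unbind is waiting for us */
        atomic_store(&a->in_use, false);
        gadget_use_end(a->dev);
    }
    return NULL;
}

/* 0 if unbind blocked until the user finished and later ioctls fail cleanly;
 * a nonzero code names the property that was violated. */
int run_unbind_race(void)
{
    struct dev_data dev;
    struct slow_arg a = { .dev = &dev, .in_use = false, .seen_id = 0 };
    pthread_t t;
    dev_bind(&dev, &g_udc);
    pthread_create(&t, NULL, slow_user, &a);
    while (!atomic_load(&a.in_use))
        sched_yield();      /* let the user take its reference first */
    gadgetfs_unbind(&dev);  /* must not return while in_use is set */
    bool still_in_use = atomic_load(&a.in_use);
    pthread_join(t, NULL);
    if (still_in_use)               return 1;
    if (a.seen_id != g_udc.id)      return 2;
    if (dev.udc_usage != 0)         return 3;
    if (dev_ioctl(&dev) != -ENODEV) return 4;
    return 0;
}

int main(void)
{
    printf("race scenario result: %d (0 = unbind waited, ioctl got -ENODEV)\n",
           run_unbind_race());
    return 0;
}
```

The point to take from it is the ordering in gadgetfs_unbind(): the pointer is cleared first, under the lock, so no new user can pass gadget_use_begin(); only then does unbind wait for udc_usage to reach zero. Waiting first and clearing second would leave a window in which a caller that passed the check is still running while the UDC disappears. In the real driver the wait must also be interruptible or bounded by whatever the UDC core guarantees, which this user-space model does not address.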