Hi,

Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> writes:
> On Thu, Sep 21, 2017 at 01:23:58PM -0400, Alan Stern wrote:
>> The gadgetfs driver (drivers/usb/gadget/legacy/inode.c) was written
>> before the UDC and composite frameworks were adopted; it is a legacy
>> driver. As such, it expects that once bound to a UDC controller, it
>> will not be unbound until it unregisters itself.
>>
>> However, the UDC framework does unbind function drivers while they are
>> still registered. When this happens, it can cause the gadgetfs driver
>> to misbehave or crash. For example, userspace can cause a crash by
>> opening the device file and doing an ioctl call before setting up a
>> configuration (found by Andrey Konovalov using the syzkaller fuzzer).
>>
>> This patch adds checks and synchronization to prevent these bad
>> behaviors. It adds a udc_usage counter that the driver increments at
>> times when it is using a gadget interface without holding the private
>> spinlock. The unbind routine waits for this counter to go to 0 before
>> returning, thereby ensuring that the UDC is no longer in use.
>>
>> The patch also adds a check in the dev_ioctl() routine to make sure
>> the driver is bound to a UDC before dereferencing the gadget pointer,
>> and it makes destroy_ep_files() synchronize with the endpoint I/O
>> routines, to prevent the user from accessing an endpoint data
>> structure after it has been removed.
>>
>> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
>> Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
>> Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
>> CC: <stable@xxxxxxxxxxxxxxx>
>
> Felipe, any objection for me taking this, and the other gadget driver
> fixes that Alan just sent out, directly in my tree?

none whatsoever, for all of them:

Acked-by: Felipe Balbi <felipe.balbi@xxxxxxxxxxxxxxx>

I'll rebase my testing/fixes on top of your greg/usb-linus for the
remainder of the -rc cycle ;-)

-- 
balbi
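The udc_usage scheme Alan's commit message describes, as an added example that is not the gadgetfs driver's own code: a single-threaded user-space model in which a toy field stands in for dev->lock and an ioctl is split into begin/end halves, so an unbind racing an in-flight ioctl can be reproduced deterministically. The names gadget, dev, ioctl_begin, ioctl_end, gadgetfs_unbind, drain and finish_inflight belong to this model, not to the driver.

```c
#include <stddef.h>
#include <errno.h>
struct gadget { int calls; };          /* stands in for struct usb_gadget */
struct dev {
    int locked;                        /* models dev->lock (the spinlock) */
    struct gadget *gadget;             /* NULL once unbound */
    int udc_usage;                     /* gadget users not holding the lock */
};
static void dev_lock(struct dev *d)   { d->locked = 1; }
static void dev_unlock(struct dev *d) { d->locked = 0; }

/* First half of an ioctl: under the lock, refuse if already unbound (the
 * check the patch adds); otherwise count ourselves as a user and drop the
 * lock before the controller call, which may sleep. */
int ioctl_begin(struct dev *d, struct gadget **out)
{
    dev_lock(d);
    if (!d->gadget) { dev_unlock(d); return -ENODEV; }
    d->udc_usage++;
    *out = d->gadget;                  /* pointer used outside the lock */
    dev_unlock(d);
    return 0;
}

/* Second half: the controller call runs on the saved pointer, which unbind
 * keeps valid until udc_usage drops; then release our count under the lock. */
void ioctl_end(struct dev *d, struct gadget *g)
{
    g->calls++;
    dev_lock(d); d->udc_usage--; dev_unlock(d);
}

/* Unbind: clear the pointer so new ioctls fail, then wait with the lock
 * dropped until no user remains. 'drain' stands in for the short sleep the
 * driver does each round and must let in-flight users finish. Returns rounds. */
int gadgetfs_unbind(struct dev *d, void (*drain)(void *), void *ctx)
{
    int rounds = 0;
    dev_lock(d);
    d->gadget = NULL;
    while (d->udc_usage > 0) {
        dev_unlock(d); drain(ctx); rounds++; dev_lock(d);
    }
    dev_unlock(d);
    return rounds;
}

/* Caller helper (constructed for the model): finishes one in-flight ioctl. */
struct inflight { struct dev *d; struct gadget *g; };
void finish_inflight(void *p) { struct inflight *f = p; ioctl_end(f->d, f->g); }
```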