| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Dec 2018 17:10:33 +1100
From: Andrew Worsley <amworsley@...il.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Alan Stern <stern@...land.harvard.edu>,
Mathias Nyman <mathias.nyman@...ux.intel.com>,
Nicolas Boichat <drinkcat@...omium.org>,
Jon Flatley <jflat@...omium.org>,
Kai-Heng Feng <kai.heng.feng@...onical.com>,
Bin Liu <b-liu@...com>, Benson Leung <bleung@...omium.org>,
linux-usb@...r.kernel.org (open list:USB SUBSYSTEM),
linux-kernel@...r.kernel.org (open list)
Cc: Andrew Worsley <amworsley@...il.com>
Subject: [PATCH] Prevent race condition between USB authorisation and USB discovery events
A sysfs driven USB authorisation change can trigger a usb_set_configuration
while a hub_event worker thread is running. This can result in a USB device
being disabled just after it was configured and bringing down all the
devices and impacting hardware and user processes that were established on
top of this these interfaces. In some cases the USB disable never completed
and the whole system hung.
At my work I had an occasional hang due to this race condition. Roughly 1
in 50 boots had the race occurrence and 1 in 4 of those resulted in a hang.
This patch fixed the problem and I had no problems (spurious disables
or hangs) in 750+ boots.
Signed-off-by: Andrew Worsley <amworsley@...il.com>
---
drivers/usb/core/hub.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index f76b2e0aba9d..dabd07aa8602 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -51,6 +51,9 @@ static DEFINE_SPINLOCK(device_state_lock);
static struct workqueue_struct *hub_wq;
static void hub_event(struct work_struct *work);
+/* synchronize hub_event and authorize_device operations */
+DEFINE_MUTEX(usb_authorize_mutex);
+
/* synchronize hub-port add/remove and peering operations */
DEFINE_MUTEX(usb_port_peer_mutex);
@@ -2538,6 +2541,7 @@ int usb_new_device(struct usb_device *udev)
*/
int usb_deauthorize_device(struct usb_device *usb_dev)
{
+ mutex_lock(&usb_authorize_mutex);
usb_lock_device(usb_dev);
if (usb_dev->authorized == 0)
goto out_unauthorized;
@@ -2547,6 +2551,7 @@ int usb_deauthorize_device(struct usb_device *usb_dev)
out_unauthorized:
usb_unlock_device(usb_dev);
+ mutex_unlock(&usb_authorize_mutex);
return 0;
}
@@ -2555,6 +2560,7 @@ int usb_authorize_device(struct usb_device *usb_dev)
{
int result = 0, c;
+ mutex_lock(&usb_authorize_mutex);
usb_lock_device(usb_dev);
if (usb_dev->authorized == 1)
goto out_authorized;
@@ -2596,6 +2602,7 @@ int usb_authorize_device(struct usb_device *usb_dev)
error_autoresume:
out_authorized:
usb_unlock_device(usb_dev); /* complements locktree */
+ mutex_unlock(&usb_authorize_mutex);
return result;
}
@@ -5320,6 +5327,7 @@ static void hub_event(struct work_struct *work)
hub_dev = hub->intfdev;
intf = to_usb_interface(hub_dev);
+ mutex_lock(&usb_authorize_mutex);
dev_dbg(hub_dev, "state %d ports %d chg %04x evt %04x\n",
hdev->state, hdev->maxchild,
/* NOTE: expects max 15 ports... */
@@ -5422,6 +5430,7 @@ static void hub_event(struct work_struct *work)
usb_autopm_put_interface_no_suspend(intf);
out_hdev_lock:
usb_unlock_device(hdev);
+ mutex_unlock(&usb_authorize_mutex);
/* Balance the stuff in kick_hub_wq() and allow autosuspend */
usb_autopm_put_interface(intf);
--
2.19.2
Powered by blists - more mailing lists