linux/drivers/usb
Wesley Cheng 24729b307e usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
FFS based applications can utilize the aio_cancel() callback to dequeue
pending USB requests submitted to the UDC.  There is a scenario where the
FFS application issues an AIO cancel call, while the UDC is handling a
soft disconnect.  For a DWC3 based implementation, the callstack looks
like the following:

    DWC3 Gadget                               FFS Application
dwc3_gadget_soft_disconnect()              ...
  --> dwc3_stop_active_transfers()
    --> dwc3_gadget_giveback(-ESHUTDOWN)
      --> ffs_epfile_async_io_complete()   ffs_aio_cancel()
        --> usb_ep_free_request()            --> usb_ep_dequeue()

There is currently no locking implemented between the AIO completion
handler and AIO cancel, so the issue occurs if the completion routine is
running in parallel to an AIO cancel call coming from the FFS application.
As the completion call frees the USB request (io_data->req) the FFS
application is also referencing it for the usb_ep_dequeue() call.  This can
lead to accessing a stale/hanging pointer.

commit b566d38857 ("usb: gadget: f_fs: use io_data->status consistently")
relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
However, in order to properly implement locking to mitigate this issue, the
spinlock can't be added to ffs_epfile_async_io_complete(), as
usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
function driver's completion handler in the same context.  Hence, this
leads to a deadlock.

Fix this issue by moving the usb_ep_free_request() back to
ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
to NULL after freeing it within the ffs->eps_lock.  This resolves the race
condition above, as the ffs_aio_cancel() routine will not continue
attempting to dequeue a request that has already been freed, or the
ffs_user_copy_worker() not freeing the USB request until the AIO cancel is
done referencing it.

This fix depends on
  commit b566d38857 ("usb: gadget: f_fs: use io_data->status
  consistently")

Fixes: 2e4c7553cd ("usb: gadget: f_fs: add aio support")
Cc: stable <stable@kernel.org>	# b566d38857 ("usb: gadget: f_fs: use io_data->status consistently")
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20240409014059.6740-1-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-04-23 16:10:55 -07:00
atm usb: ueagle-atm: Use wait_event_freezable_timeout() in uea_wait() 2024-01-04 15:57:29 +01:00
c67x00 USB: c67x00: Remove unused declaration c67x00_hcd_msg_received() 2023-10-02 16:42:33 +02:00
cdns3 usb: cdns3: Fix spelling mistake "supporte" -> "supported" 2024-03-02 20:37:19 +01:00
chipidea usb: chipidea: core: handle power lost in workqueue 2024-01-27 16:39:14 -08:00
class Revert "usb: cdc-wdm: close race between read and workqueue" 2024-04-18 16:33:28 +02:00
common usb: ulpi: Fix debugfs directory leak 2024-01-27 17:41:42 -08:00
core usb: Disable USB3 LPM at shutdown 2024-04-04 17:00:08 +02:00
dwc2 usb: dwc2: host: Fix dereference issue in DDMA completion flow. 2024-04-09 17:29:38 +02:00
dwc3 usb: dwc3: ep0: Don't reset resource alloc flag 2024-04-18 16:42:21 +02:00
early
fotg210 USB / Thunderbolt changes for 6.8-rc1 2024-01-18 11:43:55 -08:00
gadget usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete 2024-04-23 16:10:55 -07:00
host xhci: Fix root hub port null pointer dereference in xhci tracepoints 2024-04-04 14:54:54 +02:00
image usb: image: mdc800: Remove redundant assignment to variable retval 2024-02-17 17:01:13 +01:00
isp1760 mm, slab: remove last vestiges of SLAB_MEM_SPREAD 2024-03-12 20:32:19 -07:00
misc usb: misc: onboard_usb_hub: Disable the USB hub clock on failure 2024-04-11 14:28:47 +02:00
mon usb: mon: Fix atomicity violation in mon_bin_vma_fault 2024-01-05 10:36:08 +01:00
mtu3 usb: mtu3: Add MT8195 MTU3 ip-sleep wakeup support 2024-01-27 17:36:50 -08:00
musb usb: musb: remove unused variable 'count' 2024-03-05 13:25:16 +00:00
phy Revert "usb: phy: generic: Get the vbus supply" 2024-03-26 14:57:22 +01:00
renesas_usbhs usb: Explicitly include correct DT includes 2023-07-25 18:20:02 +02:00
roles Merge v6.8-rc6 into usb-next 2024-02-26 06:53:50 +01:00
serial USB: serial: option: add Telit FN920C04 rmnet compositions 2024-04-18 17:14:49 +02:00
storage USB: UAS: return ENODEV when submit urbs fail with device not attached 2024-03-26 10:50:56 +01:00
typec usb: typec: mux: it5205: Fix ChipID value typo 2024-04-09 17:29:27 +02:00
usbip USB: core: Use device_driver directly in struct usb_driver and usb_device_driver 2024-01-04 16:06:32 +01:00
Kconfig usb: pci-quirks: handle HAS_IOPORT dependency for AMD quirk 2023-10-02 16:19:12 +02:00
Makefile usb: host: u132-hcd: Delete driver 2023-03-21 14:06:11 +01:00
usb-skeleton.c