[PATCH] Prevent race condition between USB authorisation and USB discovery events

From: Andrew Worsley
Date: Mon Dec 17 2018 - 01:11:10 EST

Next message: syzbot: "KASAN: use-after-free Read in tipc_mcast_xmit"
Previous message: syzbot: "kernel BUG at fs/inode.c:LINE!"
Next in thread: Alan Stern: "Re: [PATCH] Prevent race condition between USB authorisation and USB discovery events"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A sysfs driven USB authorisation change can trigger a usb_set_configuration
while a hub_event worker thread is running. This can result in a USB device
being disabled just after it was configured and bringing down all the
devices and impacting hardware and user processes that were established on
top of this these interfaces. In some cases the USB disable never completed
and the whole system hung.

At my work I had an occasional hang due to this race condition. Roughly 1
in 50 boots had the race occurrence and 1 in 4 of those resulted in a hang.
This patch fixed the problem and I had no problems (spurious disables
or hangs) in 750+ boots.

Signed-off-by: Andrew Worsley <amworsley@xxxxxxxxx>
---
drivers/usb/core/hub.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index f76b2e0aba9d..dabd07aa8602 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -51,6 +51,9 @@ static DEFINE_SPINLOCK(device_state_lock);
static struct workqueue_struct *hub_wq;
static void hub_event(struct work_struct *work);

+/* synchronize hub_event and authorize_device operations */
+DEFINE_MUTEX(usb_authorize_mutex);
+
/* synchronize hub-port add/remove and peering operations */
DEFINE_MUTEX(usb_port_peer_mutex);

@@ -2538,6 +2541,7 @@ int usb_new_device(struct usb_device *udev)
*/
int usb_deauthorize_device(struct usb_device *usb_dev)
{
+ mutex_lock(&usb_authorize_mutex);
usb_lock_device(usb_dev);
if (usb_dev->authorized == 0)
goto out_unauthorized;
@@ -2547,6 +2551,7 @@ int usb_deauthorize_device(struct usb_device *usb_dev)

out_unauthorized:
usb_unlock_device(usb_dev);
+ mutex_unlock(&usb_authorize_mutex);
return 0;
}

@@ -2555,6 +2560,7 @@ int usb_authorize_device(struct usb_device *usb_dev)
{
int result = 0, c;

+ mutex_lock(&usb_authorize_mutex);
usb_lock_device(usb_dev);
if (usb_dev->authorized == 1)
goto out_authorized;
@@ -2596,6 +2602,7 @@ int usb_authorize_device(struct usb_device *usb_dev)
error_autoresume:
out_authorized:
usb_unlock_device(usb_dev); /* complements locktree */
+ mutex_unlock(&usb_authorize_mutex);
return result;
}

@@ -5320,6 +5327,7 @@ static void hub_event(struct work_struct *work)
hub_dev = hub->intfdev;
intf = to_usb_interface(hub_dev);

+ mutex_lock(&usb_authorize_mutex);
dev_dbg(hub_dev, "state %d ports %d chg %04x evt %04x\n",
hdev->state, hdev->maxchild,
/* NOTE: expects max 15 ports... */
@@ -5422,6 +5430,7 @@ static void hub_event(struct work_struct *work)
usb_autopm_put_interface_no_suspend(intf);
out_hdev_lock:
usb_unlock_device(hdev);
+ mutex_unlock(&usb_authorize_mutex);

/* Balance the stuff in kick_hub_wq() and allow autosuspend */
usb_autopm_put_interface(intf);
--
2.19.2

Next message: syzbot: "KASAN: use-after-free Read in tipc_mcast_xmit"
Previous message: syzbot: "kernel BUG at fs/inode.c:LINE!"
Next in thread: Alan Stern: "Re: [PATCH] Prevent race condition between USB authorisation and USB discovery events"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]