USB: gadgetfs: Fix race between mounting and unmounting
commit d18dcfe9860e842f394e37ba01ca9440ab2178f4 upstream.
The syzbot fuzzer and Gerald Lee have identified a use-after-free bug
in the gadgetfs driver, involving processes concurrently mounting and
unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()
can race with gadgetfs_kill_sb(), causing the latter to deallocate
the_device while the former is using it. The output from KASAN says,
in part:
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689
CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
...
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
vfs_get_super fs/super.c:1190 [inline]
get_tree_single+0xd0/0x160 fs/super.c:1207
vfs_get_tree+0x88/0x270 fs/super.c:1531
vfs_fsconfig_locked fs/fsopen.c:232 [inline]
The simplest solution is to ensure that gadgetfs_fill_super() and
gadgetfs_kill_sb() are serialized by making them both acquire a new
mutex.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+33d7ad66d65044b93f16@syzkaller.appspotmail.com
Reported-and-tested-by: Gerald Lee <sundaywind2004@gmail.com>
Link: https://lore.kernel.org/linux-usb/CAO3qeMVzXDP-JU6v1u5Ags6Q-bb35kg3=C6d04DjzA9ffa5x1g@mail.gmail.com/
Fixes: e5d82a7360
("vfs: Convert gadgetfs to use the new mount API")
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Y6XCPXBpn3tmjdCC@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
1bc1fdd73f
commit
9a39f4626b
@ -229,6 +229,7 @@ static void put_ep (struct ep_data *data)
|
||||
*/
|
||||
|
||||
static const char *CHIP;
|
||||
static DEFINE_MUTEX(sb_mutex); /* Serialize superblock operations */
|
||||
|
||||
/*----------------------------------------------------------------------*/
|
||||
|
||||
@ -2013,13 +2014,20 @@ gadgetfs_fill_super (struct super_block *sb, struct fs_context *fc)
|
||||
{
|
||||
struct inode *inode;
|
||||
struct dev_data *dev;
|
||||
int rc;
|
||||
|
||||
if (the_device)
|
||||
return -ESRCH;
|
||||
mutex_lock(&sb_mutex);
|
||||
|
||||
if (the_device) {
|
||||
rc = -ESRCH;
|
||||
goto Done;
|
||||
}
|
||||
|
||||
CHIP = usb_get_gadget_udc_name();
|
||||
if (!CHIP)
|
||||
return -ENODEV;
|
||||
if (!CHIP) {
|
||||
rc = -ENODEV;
|
||||
goto Done;
|
||||
}
|
||||
|
||||
/* superblock */
|
||||
sb->s_blocksize = PAGE_SIZE;
|
||||
@ -2056,13 +2064,17 @@ gadgetfs_fill_super (struct super_block *sb, struct fs_context *fc)
|
||||
* from binding to a controller.
|
||||
*/
|
||||
the_device = dev;
|
||||
return 0;
|
||||
rc = 0;
|
||||
goto Done;
|
||||
|
||||
Enomem:
|
||||
Enomem:
|
||||
kfree(CHIP);
|
||||
CHIP = NULL;
|
||||
rc = -ENOMEM;
|
||||
|
||||
return -ENOMEM;
|
||||
Done:
|
||||
mutex_unlock(&sb_mutex);
|
||||
return rc;
|
||||
}
|
||||
|
||||
/* "mount -t gadgetfs path /dev/gadget" ends up here */
|
||||
@ -2084,6 +2096,7 @@ static int gadgetfs_init_fs_context(struct fs_context *fc)
|
||||
static void
|
||||
gadgetfs_kill_sb (struct super_block *sb)
|
||||
{
|
||||
mutex_lock(&sb_mutex);
|
||||
kill_litter_super (sb);
|
||||
if (the_device) {
|
||||
put_dev (the_device);
|
||||
@ -2091,6 +2104,7 @@ gadgetfs_kill_sb (struct super_block *sb)
|
||||
}
|
||||
kfree(CHIP);
|
||||
CHIP = NULL;
|
||||
mutex_unlock(&sb_mutex);
|
||||
}
|
||||
|
||||
/*----------------------------------------------------------------------*/
|
||||
|
Loading…
Reference in New Issue
Block a user