Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

USB: gadgetfs: Fix race between mounting and unmounting

The syzbot fuzzer and Gerald Lee have identified a use-after-free bug
in the gadgetfs driver, involving processes concurrently mounting and
unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()
can race with gadgetfs_kill_sb(), causing the latter to deallocate
the_device while the former is using it. The output from KASAN says,
in part:

BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689

CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
...
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
vfs_get_super fs/super.c:1190 [inline]
get_tree_single+0xd0/0x160 fs/super.c:1207
vfs_get_tree+0x88/0x270 fs/super.c:1531
vfs_fsconfig_locked fs/fsopen.c:232 [inline]

The simplest solution is to ensure that gadgetfs_fill_super() and
gadgetfs_kill_sb() are serialized by making them both acquire a new
mutex.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+33d7ad66d65044b93f16@syzkaller.appspotmail.com
Reported-and-tested-by: Gerald Lee <sundaywind2004@gmail.com>
Link: https://lore.kernel.org/linux-usb/CAO3qeMVzXDP-JU6v1u5Ags6Q-bb35kg3=C6d04DjzA9ffa5x1g@mail.gmail.com/
Fixes: e5d82a7360d1 ("vfs: Convert gadgetfs to use the new mount API")
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Y6XCPXBpn3tmjdCC@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
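The last paragraph of the commit message describes the fix: serialize gadgetfs_fill_super() and gadgetfs_kill_sb() with one mutex. The following C program is an added example written for this page, not code from the kernel, the patch, or its authors. It is a user-space model that replays one constructed interleaving of an umount and a concurrent mount, first without and then with the mutex, so the effect of the lock on the same schedule can be observed deterministically. Beyond what the hunks show, it assumes that gadgetfs_kill_sb() sets `the_device` to NULL after put_dev() (those lines are elided in the diff), that the VFS runs kill_sb on a new superblock whose fill_super failed (the chain vfs_get_super → deactivate_locked_super → gadgetfs_kill_sb visible in the KASAN trace), and that a mount which finds an already-listed superblock reuses it. The schedule is one plausible ordering consistent with the trace, not necessarily the exact one syzbot hit.

```c
/* Added example, not kernel code: a deterministic user-space model of the
 * gadgetfs_fill_super() / gadgetfs_kill_sb() race and of the sb_mutex fix.
 * Two tasks advance one step at a time along an explicit schedule, so one
 * interleaving can be replayed with and without the mutex. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of struct dev_data: only the refcount matters. Nothing is really
 * freed; a put on a refcount that already reached 0 is counted as the
 * use-after-free write KASAN reported, instead of performing it. */
struct dev_data { int refcount; };

static struct dev_data pool[2];        /* at most two allocations per run */
static int next_dev;
static struct dev_data *the_device;    /* the global singleton from inode.c */
static int sb_count;                   /* listed superblocks of this type */
static int mutex_owner = -1;           /* sb_mutex: -1 = free, else task id */
static bool use_lock;                  /* false = before the fix, true = after */
static int bad_puts;                   /* puts that hit an already-freed device */

static struct dev_data *alloc_dev(void)
{
    struct dev_data *d = &pool[next_dev++];
    d->refcount = 1;
    return d;
}

/* Model of put_dev(): the refcount_dec_and_test() in the KASAN trace. */
static void put_dev(struct dev_data *d)
{
    if (d->refcount <= 0) { bad_puts++; return; }   /* write to freed memory */
    d->refcount--;                                   /* reaching 0 "frees" d */
}

static bool try_lock(int id)
{
    if (!use_lock) return true;                      /* before the fix: no lock */
    if (mutex_owner != -1 && mutex_owner != id) return false;
    mutex_owner = id;
    return true;
}

static void unlock(int id) { if (use_lock && mutex_owner == id) mutex_owner = -1; }

enum phase { MOUNT, KILL, DONE };
struct task { int id; enum phase phase; int pc; int rc; struct dev_data *dev; };

/* Advance t by one step; returns false if it is blocked on sb_mutex. */
static bool step(struct task *t)
{
    if (t->phase == MOUNT) {
        switch (t->pc) {
        case 0: /* sget_fc(): reuse a listed superblock, else list a new one */
            if (sb_count > 0) { t->phase = DONE; return true; }
            sb_count++; t->pc = 1; return true;
        case 1: /* gadgetfs_fill_super(): mutex_lock(&sb_mutex) after the fix */
            if (!try_lock(t->id)) return false;
            t->pc = 2; return true;
        case 2: /* the "if (the_device)" check that yields -ESRCH */
            if (the_device) t->rc = -ESRCH;
            else { the_device = alloc_dev(); t->rc = 0; }
            t->pc = 3; return true;
        default: /* mutex_unlock(); on failure the VFS runs kill_sb on the new sb */
            unlock(t->id);
            if (t->rc) { t->phase = KILL; t->pc = 0; } else t->phase = DONE;
            return true;
        }
    }
    if (t->phase == KILL) {
        switch (t->pc) {
        case 0: /* gadgetfs_kill_sb(): mutex_lock(&sb_mutex) after the fix */
            if (!try_lock(t->id)) return false;
            t->pc = 1; return true;
        case 1: /* kill_litter_super() unlists the sb, then "if (the_device)" */
            sb_count--; t->dev = the_device; t->pc = t->dev ? 2 : 3; return true;
        case 2: /* put_dev(the_device) */
            put_dev(t->dev); t->pc = 3; return true;
        default: /* the_device = NULL (assumed; elided in the hunk), mutex_unlock() */
            the_device = NULL; unlock(t->id); t->phase = DONE; return true;
        }
    }
    return true;
}

/* Start from one mounted filesystem, replay sched (0 = the umount task,
 * 1 = a concurrent mount task), then let both tasks run to completion.
 * Returns how many puts hit an already-freed device. */
static int run_schedule(const int *sched, size_t n, bool locked)
{
    struct task tasks[2] = { { 0, KILL, 0, 0, NULL }, { 1, MOUNT, 0, 0, NULL } };
    size_t i;
    next_dev = 0; sb_count = 1; mutex_owner = -1; bad_puts = 0; use_lock = locked;
    the_device = alloc_dev();
    for (i = 0; i < n; i++)
        step(&tasks[sched[i]]);          /* a blocked task just makes no progress */
    for (i = 0; i < 64; i++)             /* drain round-robin until both are done */
        if (tasks[i % 2].phase != DONE) step(&tasks[i % 2]);
    return bad_puts;
}

/* Constructed schedule: the umount gets as far as put_dev(), then the mount
 * runs through its -ESRCH failure and its own kill_sb before the umount
 * clears the_device. Before the fix this double-puts the device. */
static const int race[] = { 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0 };
#define RACE_LEN (sizeof race / sizeof race[0])

int main(void)
{
    printf("without sb_mutex: %d bad put(s)\n", run_schedule(race, RACE_LEN, false));
    printf("with sb_mutex:    %d bad put(s)\n", run_schedule(race, RACE_LEN, true));
    return 0;
}
```

Build it with any C99 compiler and run it. The first run reports one bad put: the mount's kill_sb calls put_dev() on a device whose refcount the umount already dropped to zero, which is the point at which the kernel writes to freed memory. The second run reports none, because the mount's fill_super blocks on sb_mutex until the umount has finished and cleared the_device, after which the mount simply succeeds with a fresh device.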

Authored by Alan Stern and committed by Greg Kroah-Hartman
d18dcfe9 1301c7b9

+21 -7
drivers/usb/gadget/legacy/inode.c
··· 229 229 */ 230 230 231 231 static const char *CHIP; 232 + static DEFINE_MUTEX(sb_mutex); /* Serialize superblock operations */ 232 233 233 234 /*----------------------------------------------------------------------*/ 234 235 ··· 2011 2010 { 2012 2011 struct inode *inode; 2013 2012 struct dev_data *dev; 2013 + int rc; 2014 2014 2015 - if (the_device) 2016 - return -ESRCH; 2015 + mutex_lock(&sb_mutex); 2016 + 2017 + if (the_device) { 2018 + rc = -ESRCH; 2019 + goto Done; 2020 + } 2017 2021 2018 2022 CHIP = usb_get_gadget_udc_name(); 2019 - if (!CHIP) 2020 - return -ENODEV; 2023 + if (!CHIP) { 2024 + rc = -ENODEV; 2025 + goto Done; 2026 + } 2021 2027 2022 2028 /* superblock */ 2023 2029 sb->s_blocksize = PAGE_SIZE; ··· 2061 2053 * from binding to a controller. 2062 2054 */ 2063 2055 the_device = dev; 2064 - return 0; 2056 + rc = 0; 2057 + goto Done; 2065 2058 2066 - Enomem: 2059 + Enomem: 2067 2060 kfree(CHIP); 2068 2061 CHIP = NULL; 2062 + rc = -ENOMEM; 2069 2063 2070 - return -ENOMEM; 2064 + Done: 2065 + mutex_unlock(&sb_mutex); 2066 + return rc; 2071 2067 } 2072 2068 2073 2069 /* "mount -t gadgetfs path /dev/gadget" ends up here */ ··· 2093 2081 static void 2094 2082 gadgetfs_kill_sb (struct super_block *sb) 2095 2083 { 2084 + mutex_lock(&sb_mutex); 2096 2085 kill_litter_super (sb); 2097 2086 if (the_device) { 2098 2087 put_dev (the_device); ··· 2101 2088 } 2102 2089 kfree(CHIP); 2103 2090 CHIP = NULL; 2091 + mutex_unlock(&sb_mutex); 2104 2092 } 2105 2093 2106 2094 /*----------------------------------------------------------------------*/
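Review bot: the comment on the new `static DEFINE_MUTEX(sb_mutex); /* Serialize superblock operations */` could name what the lock actually guards, namely the file-scope `the_device` and `CHIP` singletons that both gadgetfs_fill_super() and gadgetfs_kill_sb() read and write; a later contributor touching those globals from another path then knows sb_mutex must be held.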
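Review bot: in the gadgetfs_fill_super() hunk every exit now funnels through `Done:`, so the mutex is released on the -ESRCH, -ENODEV and -ENOMEM paths alike, and the `rc = 0; goto Done;` on the success path is needed to jump over the `Enomem:` block; that part reads correctly. Two smaller points: the `Enomem:` label appears as a deleted-and-re-added line with identical text, which looks like a whitespace-only change that could be dropped to keep the fix minimal for stable backports, and since fill_super runs in the mount path while gadgetfs_kill_sb() is reached from deactivate_locked_super() (as the trace shows), a one-line comment stating that sb_mutex nests inside the superblock's own locking and is never taken from any other context would make the lock ordering explicit for future readers.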
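Review bot: taking `mutex_lock(&sb_mutex)` before kill_litter_super() rather than only around the `the_device`/`CHIP` cleanup is the important choice in the gadgetfs_kill_sb() hunk and deserves a comment: once kill_litter_super() has torn down the superblock, a concurrent mount can create a fresh one and enter gadgetfs_fill_super(), so the `if (the_device)` check there must not be able to observe a device whose reference this function is about to drop. Holding the mutex across the whole teardown is safe as far as this diff shows, because the only other taker is gadgetfs_fill_super(), which is not reachable from the dentry and inode teardown, but a reader tempted to shrink the critical section should be told why it is this wide.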
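Review bot: the trailing `mutex_unlock(&sb_mutex)` after `CHIP = NULL` covers every path only because gadgetfs_kill_sb() currently has no early returns; unlike the fill_super hunk there is no single exit label here, so any future early return would leak the mutex and wedge all later mounts. Either a short comment saying the function must stay single-exit, or the same `goto Done` pattern used in gadgetfs_fill_super(), would guard against that.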