releases/4.9.318/usb-usbip-add-missing-device-lock-on-tweak-configura.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 73c8918a35093bbee804a6387871b157ee9c8763 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Tue, 12 Apr 2022 18:50:55 +0200
 Subject: usb: usbip: add missing device lock on tweak configuration cmd

 From: Niels Dossche <dossche.niels@gmail.com>

 [ Upstream commit d088fabace2ca337b275d1d4b36db4fe7771e44f ]

 The function documentation of usb_set_configuration says that its
 callers should hold the device lock. This lock is held for all
 callsites except tweak_set_configuration_cmd. The code path can be
 executed for example when attaching a remote USB device.
 The solution is to surround the call by the device lock.

 This bug was found using my experimental own-developed static analysis
 tool, which reported the missing lock on v5.17.2. I manually verified
 this bug report by doing code review as well. I runtime checked that
 the required lock is not held. I compiled and runtime tested this on
 x86_64 with a USB mouse. After applying this patch, my analyser no
 longer reports this potential bug.

 Fixes: 2c8c98158946 ("staging: usbip: let client choose device configuration")
 Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
 Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
 Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/usb/usbip/stub_rx.c | 2 ++
  1 file changed, 2 insertions(+)

 diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
 index d47176f9c310..dd6228a51d0d 100644
 --- a/drivers/usb/usbip/stub_rx.c
 +++ b/drivers/usb/usbip/stub_rx.c
 @@ -151,7 +151,9 @@ static int tweak_set_configuration_cmd(struct urb *urb)
  	req = (struct usb_ctrlrequest *) urb->setup_packet;
  	config = le16_to_cpu(req->wValue);

 +	usb_lock_device(sdev->udev);
  	err = usb_set_configuration(sdev->udev, config);
 +	usb_unlock_device(sdev->udev);
  	if (err && err != -ENODEV)
  		dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n",
  			config, err);
 --
 2.35.1
	From 73c8918a35093bbee804a6387871b157ee9c8763 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Tue, 12 Apr 2022 18:50:55 +0200
	Subject: usb: usbip: add missing device lock on tweak configuration cmd

	From: Niels Dossche <dossche.niels@gmail.com>

	[ Upstream commit d088fabace2ca337b275d1d4b36db4fe7771e44f ]

	The function documentation of usb_set_configuration says that its
	callers should hold the device lock. This lock is held for all
	callsites except tweak_set_configuration_cmd. The code path can be
	executed for example when attaching a remote USB device.
	The solution is to surround the call by the device lock.

	This bug was found using my experimental own-developed static analysis
	tool, which reported the missing lock on v5.17.2. I manually verified
	this bug report by doing code review as well. I runtime checked that
	the required lock is not held. I compiled and runtime tested this on
	x86_64 with a USB mouse. After applying this patch, my analyser no
	longer reports this potential bug.

	Fixes: 2c8c98158946 ("staging: usbip: let client choose device configuration")
	Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
	Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
	Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/usb/usbip/stub_rx.c \| 2 ++
	1 file changed, 2 insertions(+)

	diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
	index d47176f9c310..dd6228a51d0d 100644
	--- a/drivers/usb/usbip/stub_rx.c
	+++ b/drivers/usb/usbip/stub_rx.c
	@@ -151,7 +151,9 @@ static int tweak_set_configuration_cmd(struct urb *urb)
	req = (struct usb_ctrlrequest *) urb->setup_packet;
	config = le16_to_cpu(req->wValue);

	+ usb_lock_device(sdev->udev);
	err = usb_set_configuration(sdev->udev, config);
	+ usb_unlock_device(sdev->udev);
	if (err && err != -ENODEV)
	dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n",
	config, err);
	--
	2.35.1