On Fri, Nov 14, 2025 at 07:46:14AM +0000, Al Viro wrote: > On Thu, Nov 13, 2025 at 04:20:08PM -0500, Greg Kroah-Hartman wrote: > > > Sorry for the delay. Yes, we should be grabbing the mutex in there, good > > catch. There's been more issues pointed out with the gadget code in the > > past year or so as more people are starting to actually use it and > > stress it more. So if you have a patch for this, I'll gladly take it :) > > How about the following? > > commit 330837c8101578438f64cfaec3fb85521d668e56 > Author: Al Viro <[email protected]> > Date: Fri Nov 14 02:18:22 2025 -0500 > > functionfs: fix the open/removal races > > ffs_epfile_open() can race with removal, ending up with file->private_data
Very apt prefix though. (Like Paul would say: "Sorry, couldn't resist.") > pointing to freed object. > > There is a total count of opened files on functionfs (both ep0 and > dynamic ones) and when it hits zero, dynamic files get removed. > Unfortunately, that removal can happen while another thread is > in ffs_epfile_open(), but has not incremented the count yet. > In that case open will succeed, leaving us with UAF on any subsequent > read() or write(). > > The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. > atomic_add_return() is not a good idea, when object remains visible all > along. > > To untangle that > * serialize openers on ffs->mutex (both for ep0 and for dynamic > files) > * have dynamic ones use atomic_inc_not_zero() and fail if we had > zero ->opened; in that case the file we are opening is doomed. > * have the inodes of dynamic files marked on removal (from the > callback of simple_recursive_removal()) - clear ->i_private there. > * have open of dynamic ones verify they hadn't been already > removed, > along with checking that state is FFS_ACTIVE. > > Fix another abuse of ->opened, while we are at it - it starts equal to 0, > is incremented on opens and decremented on ->release()... *and* > decremented > (always from 0 to -1) in ->kill_sb(). Handling that case has no business > in ffs_data_closed() (or to ->opened); just have ffs_kill_sb() do what > ffs_data_closed() would in case of decrement to negative rather than > calling ffs_data_closed() there. > > And don't bother with bumping ffs->ref when opening a file - superblock > already holds the reference and it won't go away while there are any > opened > files on the filesystem. > > Signed-off-by: Al Viro <[email protected]> > > diff --git a/drivers/usb/gadget/function/f_fs.c > b/drivers/usb/gadget/function/f_fs.c > index 47cfbe41fdff..ed7fa869ea77 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c 
> @@ -640,13 +640,22 @@ static ssize_t ffs_ep0_read(struct file *file, char > __user *buf, > > static int ffs_ep0_open(struct inode *inode, struct file *file) > { > - struct ffs_data *ffs = inode->i_private; > + struct ffs_data *ffs = inode->i_sb->s_fs_info; > + int ret; > > - if (ffs->state == FFS_CLOSING) > - return -EBUSY; > + /* Acquire mutex */ > + ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); > + if (ret < 0) > + return ret; > > - file->private_data = ffs; > ffs_data_opened(ffs); > + if (ffs->state == FFS_CLOSING) { > + ffs_data_closed(ffs); > + mutex_unlock(&ffs->mutex); > + return -EBUSY; > + } > + mutex_unlock(&ffs->mutex); > + file->private_data = ffs; > > return stream_open(inode, file); > } > @@ -1193,14 +1202,33 @@ static ssize_t ffs_epfile_io(struct file *file, > struct ffs_io_data *io_data) > static int > ffs_epfile_open(struct inode *inode, struct file *file) > { > - struct ffs_epfile *epfile = inode->i_private; > + struct ffs_data *ffs = inode->i_sb->s_fs_info; > + struct ffs_epfile *epfile; > + int ret; > > - if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) > + /* Acquire mutex */ > + ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); > + if (ret < 0) > + return ret; > + > + if (!atomic_inc_not_zero(&ffs->opened)) { > + mutex_unlock(&ffs->mutex); > return -ENODEV; > + } > + /* > + * we want the state to be FFS_ACTIVE; FFS_ACTIVE alone is > + * not enough, though - we might have been through FFS_CLOSING > + * and back to FFS_ACTIVE, with our file already removed. > + */ > + epfile = smp_load_acquire(&inode->i_private); > + if (unlikely(ffs->state != FFS_ACTIVE || !epfile)) { > + mutex_unlock(&ffs->mutex); > + ffs_data_closed(ffs); > + return -ENODEV; > + } > + mutex_unlock(&ffs->mutex); > > file->private_data = epfile; > - ffs_data_opened(epfile->ffs); > - > return stream_open(inode, file); > } 
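Review bot: The -EBUSY path in ffs_ep0_open() calls ffs_data_closed() while still holding ffs->mutex, whereas the matching failure path in ffs_epfile_open() in the next hunk drops the mutex first and then calls ffs_data_closed(); the two openers should use one order. If this open was the only one (->opened back to 0 after the decrement), ffs_data_closed() runs the full ffs_data_reset() teardown, so under the mutex it also pulls in whatever locks that path takes — I cannot see from the hunk whether any of those is elsewhere taken with ffs->mutex already held, but the inconsistency alone is worth fixing. Suggest `mutex_unlock(&ffs->mutex);` followed by `ffs_data_closed(ffs);` here, matching ffs_epfile_open(), or the reverse in both places with a comment saying why the mutex must be held across the decrement.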
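Review bot: The atomic_inc_not_zero() guard in ffs_epfile_open() only protects the epfile if ->opened cannot be raised from zero while the zero-triggered teardown is still in flight, but ffs_ep0_open() still bumps it unconditionally through ffs_data_opened() (previous hunk), and the decrement-to-zero in ffs_data_closed() is reached from ->release(), which as far as the visible code shows does not take ffs->mutex. An ep0 open landing after atomic_dec_and_test() has hit zero but before ffs_epfiles_destroy() has finished would take ->opened back to 1, this inc_not_zero would then succeed, and the only remaining protection is the i_private check, which is a window rather than a barrier against the epfile being freed afterwards (outside the hunk). If I am not missing a lock outside these hunks, either ffs_data_opened() must refuse the 0->1 transition while a teardown is pending, or the dec-to-zero teardown must run under ffs->mutex so both transitions are serialized the same way. At minimum the comment above the state check should state what is actually relied on: `/* ->opened is non-zero, so ffs_data_closed() cannot start removing epfiles under us; i_private == NULL means a removal already completed */`.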
> > @@ -1332,7 +1360,7 @@ static void ffs_dmabuf_put(struct dma_buf_attachment > *attach) > static int > ffs_epfile_release(struct inode *inode, struct file *file) > { > - struct ffs_epfile *epfile = inode->i_private; > + struct ffs_epfile *epfile = file->private_data; > struct ffs_dmabuf_priv *priv, *tmp; > struct ffs_data *ffs = epfile->ffs; > > @@ -2071,12 +2099,18 @@ static int ffs_fs_init_fs_context(struct fs_context > *fc) > return 0; > } > > +static void ffs_data_reset(struct ffs_data *ffs); > + > static void > ffs_fs_kill_sb(struct super_block *sb) > { > kill_litter_super(sb); > - if (sb->s_fs_info) > - ffs_data_closed(sb->s_fs_info); > + if (sb->s_fs_info) { > + struct ffs_data *ffs = sb->s_fs_info; > + ffs->state = FFS_CLOSING; > + ffs_data_reset(ffs); > + ffs_data_put(ffs); > + } > } > > static struct file_system_type ffs_fs_type = { > @@ -2114,7 +2148,6 @@ static void functionfs_cleanup(void) > /* ffs_data and ffs_function construction and destruction code > **************/ > > static void ffs_data_clear(struct ffs_data *ffs); > -static void ffs_data_reset(struct ffs_data *ffs); > > static void ffs_data_get(struct ffs_data *ffs) > { > @@ -2123,7 +2156,6 @@ static void ffs_data_get(struct ffs_data *ffs) > > static void ffs_data_opened(struct ffs_data *ffs) > { > - refcount_inc(&ffs->ref); > if (atomic_add_return(1, &ffs->opened) == 1 && > ffs->state == FFS_DEACTIVATED) { > ffs->state = FFS_CLOSING; > @@ -2148,11 +2180,11 @@ static void ffs_data_put(struct ffs_data *ffs) > > static void ffs_data_closed(struct ffs_data *ffs) > { > - struct ffs_epfile *epfiles; > - unsigned long flags; > - > if (atomic_dec_and_test(&ffs->opened)) { > if (ffs->no_disconnect) { > + struct ffs_epfile *epfiles; > + unsigned long flags; > + > ffs->state = FFS_DEACTIVATED; > spin_lock_irqsave(&ffs->eps_lock, flags); > epfiles = ffs->epfiles; 
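Review bot: Reading the epfile from file->private_data in ffs_epfile_release() is required because clear_one() NULLs i_private on removal, but nothing at this spot says so, and the next reader will see a gratuitous change from inode->i_private. Add `/* i_private is cleared on removal (clear_one()); the epfile we opened lives in ->private_data */` above the declaration. The remainder of ffs_epfile_release() is outside the hunk.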
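Review bot: ffs_fs_kill_sb() now bypasses ffs_data_closed() and resets the instance directly, which is only correct if ->opened is already zero here — i.e. kill_litter_super() has released every file on the superblock — and that assumption is not recorded anywhere in the function. Suggest `/* kill_litter_super() closed every file, so ->opened is 0; tear down directly instead of via ffs_data_closed() */` above the state assignment, plus `WARN_ON(atomic_read(&ffs->opened));` so a leaked opener count shows up instead of silently leaving state inconsistent. The forward declaration moved up for this is fine; the commit message's explanation of the old -1 decrement would be worth carrying into this comment as well.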
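Review bot: With ffs_epfile_open() now doing its own atomic_inc_not_zero(), the only caller of ffs_data_opened() left in this patch appears to be ffs_ep0_open(), which holds ffs->mutex, and the state read-modify-write in this function (FFS_DEACTIVATED -> FFS_CLOSING plus reset) is only safe under that lock. Make the contract explicit with `lockdep_assert_held(&ffs->mutex);` as the first statement and a `/* caller holds ffs->mutex; ->opened may go 0 -> 1 here */` comment, so a future unlocked caller is caught rather than reintroducing the race. The dropped refcount_inc() matches the dropped ffs_data_put() in ffs_data_closed() below, which is good; a one-line comment that the superblock holds the reference would stop someone from adding it back.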
> @@ -2171,12 +2203,6 @@ static void ffs_data_closed(struct ffs_data *ffs) > ffs_data_reset(ffs); > } > } > - if (atomic_read(&ffs->opened) < 0) { > - ffs->state = FFS_CLOSING; > - ffs_data_reset(ffs); > - } > - > - ffs_data_put(ffs); > } > > static struct ffs_data *ffs_data_new(const char *dev_name) > @@ -2352,6 +2378,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs) > return 0; > } > > +static void clear_one(struct dentry *dentry) > +{ > + smp_store_release(&dentry->d_inode->i_private, NULL); > +} > + > static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) > { > struct ffs_epfile *epfile = epfiles; > @@ -2359,7 +2390,7 @@ static void ffs_epfiles_destroy(struct ffs_epfile > *epfiles, unsigned count) > for (; count; --count, ++epfile) { > BUG_ON(mutex_is_locked(&epfile->mutex)); > if (epfile->dentry) { > - simple_recursive_removal(epfile->dentry, NULL); > + simple_recursive_removal(epfile->dentry, clear_one); > epfile->dentry = NULL; > } > }
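Review bot: The dec-to-zero branch of ffs_data_closed() still runs the full teardown (FFS_CLOSING, ffs_data_reset(), hence ffs_epfiles_destroy()) without ffs->mutex, so the serialization the commit message describes is one-sided: openers take the mutex, the remover does not, and safety rests on atomic_inc_not_zero() plus the cleared i_private instead. That may well be intentional, but it deserves a comment at the top of the `if (atomic_dec_and_test(&ffs->opened))` block, e.g. `/* last opener gone; tear epfiles down. We do not hold ffs->mutex here, so openers must re-check ->opened (inc_not_zero) and i_private. */`. This function's opening line is in the previous hunk and the body spans two hunks.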
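Review bot: clear_one() is the release half of a pairing whose acquire half is the smp_load_acquire() in ffs_epfile_open(), and neither side names the other, so add `/* paired with smp_load_acquire() in ffs_epfile_open(): NULL i_private means the file has been removed */` above the store. It would also help to say what the barrier buys, since an acquire load that observes the non-NULL pointer is not ordered against this later NULL store — the liveness of the epfile is carried by ->opened, and the NULL only closes the post-removal window; stating that keeps the next reader from treating the barrier as the whole fix. As I read simple_recursive_removal(), the callback runs for every dentry it removes; for the single regular-file dentry used here d_inode is set, and a one-line comment recording that assumption would be cheap.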
