gitweb.dragonflybsd.org Git - freebsd.git/commit

author	Hans Petter Selasky <hselasky@FreeBSD.org>
	Fri, 31 Mar 2023 17:14:18 +0000 (19:14 +0200)
committer	Hans Petter Selasky <hselasky@FreeBSD.org>
	Sat, 8 Apr 2023 15:11:31 +0000 (17:11 +0200)
commit	9b077d72bcc313baea2b9283afc7f568739eaadc
tree	9b5fb829c85dcf3d7db0c5caaf2aa47c5a10f045	tree \| snapshot
parent	03a2e432d5cc2eedb9304faea2b19051c84caecf	commit \| diff

usb(4): Separate the fast path and the slow path to avoid races and use-after-free for the USB FS interface.

Bad behaving user-space USB applicatoins may crash the kernel by issuing
USB FS related ioctl(2)'s out of their expected order. By default
the USB FS ioctl(2) interface is only available to the
administrator, root, and driver applications like webcamd(8) needs
to be hijacked in order for this to happen.

The issue is the fast-path code does not always see updates made
by the slow-path code, and may then work on freed memory.

This is easily fixed by using an EPOCH(9) type of synchronization
mechanism. A SX(9) lock will be used as a substitute for EPOCH(9),
due to the need for sleepability. In addition most calls going into
the fast-path originate from a single user-space process and the
need for multi-thread performance is not present.

Differential Revision: https://reviews.freebsd.org/D39373
Reviewed by: markj@
Reported by: C Turt <ecturt@gmail.com>
admbugs: 994
MFC after: 1 week
Sponsored by: NVIDIA Networking

sys/dev/usb/usb_dev.c		diff \| blob \| blame \| history
sys/dev/usb/usb_dev.h		diff \| blob \| blame \| history
sys/dev/usb/usb_device.c		diff \| blob \| blame \| history
sys/dev/usb/usb_generic.c		diff \| blob \| blame \| history