--- /dev/null
+From 69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3 Mon Sep 17 00:00:00 2001
+From: Matt Lupfer <mlupfer@ddn.com>
+Date: Tue, 8 Mar 2022 15:27:02 +0000
+Subject: scsi: mpt3sas: Page fault in reply q processing
+
+From: Matt Lupfer <mlupfer@ddn.com>
+
+commit 69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3 upstream.
+
+A page fault was encountered in mpt3sas on a LUN reset error path:
+
+[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)
+[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)
+[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)
+[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00
+[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)
+[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)
+[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)
+[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d
+[ 149.885617] #PF: supervisor read access in kernel mode
+[ 149.894346] #PF: error_code(0x0000) - not-present page
+[ 149.903123] PGD 0 P4D 0
+[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1
+[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021
+[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]
+[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee
+[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246
+[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071
+[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8
+[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff
+[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000
+[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80
+[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000
+[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0
+[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 150.108323] PKRU: 55555554
+[ 150.114690] Call Trace:
+[ 150.120497] ? printk+0x48/0x4a
+[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]
+[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]
+[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]
+[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]
+[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]
+[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]
+[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60
+[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]
+[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]
+[ 150.203206] ? __schedule+0x1e9/0x610
+[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]
+[ 150.217924] kthread+0x12e/0x150
+[ 150.224041] ? kthread_worker_fn+0x130/0x130
+[ 150.231206] ret_from_fork+0x1f/0x30
+
+This is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q
+pointer outside of the list_for_each_entry() loop. At the end of the full
+list traversal the pointer is invalid.
+
+Move the _base_process_reply_queue() call inside of the loop.
+
+Link: https://lore.kernel.org/r/d625deae-a958-0ace-2ba3-0888dd0a415b@ddn.com
+Fixes: 711a923c14d9 ("scsi: mpt3sas: Postprocessing of target and LUN reset")
+Cc: stable@vger.kernel.org
+Acked-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Matt Lupfer <mlupfer@ddn.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -2011,9 +2011,10 @@ mpt3sas_base_sync_reply_irqs(struct MPT3
+ enable_irq(reply_q->os_irq);
+ }
+ }
++
++ if (poll)
++ _base_process_reply_queue(reply_q);
+ }
+- if (poll)
+- _base_process_reply_queue(reply_q);
+ }
+
+ /**
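Review bot: The relocated `if (poll) _base_process_reply_queue(reply_q);` is now the last statement of the `list_for_each_entry()` body, so it runs once per reply queue while `reply_q` is still a live list entry, but nothing in the hunk records why the call must stay inside the loop and the iterator-after-loop misuse is easy to reintroduce. A comment above the added lines would keep the rationale with the code, e.g. `/* reply_q is only valid inside the list_for_each_entry() body; once the traversal ends the cursor points at the list head, not an entry */`. The call now follows the `enable_irq(reply_q->os_irq)` block for the same queue, so the polled processing can overlap with that queue's re-enabled interrupt handler; if `_base_process_reply_queue()` serializes through its own busy/ownership guard this is benign, but the ordering is worth confirming against the handler. The enclosing mpt3sas_base_sync_reply_irqs() starts outside the hunk.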
net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch
iavf-fix-hang-during-reboot-shutdown.patch
arm64-fix-clang-warning-about-tramp_valias.patch
+usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch
+usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch
+usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch
+scsi-mpt3sas-page-fault-in-reply-q-processing.patch
--- /dev/null
+From 16b1941eac2bd499f065a6739a40ce0011a3d740 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Sat, 5 Mar 2022 21:47:22 -0500
+Subject: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 16b1941eac2bd499f065a6739a40ce0011a3d740 upstream.
+
+The syzbot fuzzer found a use-after-free bug:
+
+BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320
+Read of size 8 at addr ffff88802b934098 by task udevd/3689
+
+CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
+ __kasan_report mm/kasan/report.c:442 [inline]
+ kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
+ dev_uevent+0x712/0x780 drivers/base/core.c:2320
+ uevent_show+0x1b8/0x380 drivers/base/core.c:2391
+ dev_attr_show+0x4b/0x90 drivers/base/core.c:2094
+
+Although the bug manifested in the driver core, the real cause was a
+race with the gadget core. dev_uevent() does:
+
+ if (dev->driver)
+ add_uevent_var(env, "DRIVER=%s", dev->driver->name);
+
+and between the test and the dereference of dev->driver, the gadget
+core sets dev->driver to NULL.
+
+The race wouldn't occur if the gadget core registered its devices on
+a real bus, using the standard synchronization techniques of the
+driver core. However, it's not necessary to make such a large change
+in order to fix this bug; all we need to do is make sure that
+udc->dev.driver is always NULL.
+
+In fact, there is no reason for udc->dev.driver ever to be set to
+anything, let alone to the value it currently gets: the address of the
+gadget's driver. After all, a gadget driver only knows how to manage
+a gadget, not how to manage a UDC.
+
+This patch simply removes the statements in the gadget core that touch
+udc->dev.driver.
+
+Fixes: 2ccea03a8f7e ("usb: gadget: introduce UDC Class")
+CC: <stable@vger.kernel.org>
+Reported-and-tested-by: syzbot+348b571beb5eeb70a582@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/YiQgukfFFbBnwJ/9@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -1434,7 +1434,6 @@ static void usb_gadget_remove_driver(str
+ usb_gadget_udc_stop(udc);
+
+ udc->driver = NULL;
+- udc->dev.driver = NULL;
+ udc->gadget->dev.driver = NULL;
+ }
+
+@@ -1496,7 +1495,6 @@ static int udc_bind_to_driver(struct usb
+ driver->function);
+
+ udc->driver = driver;
+- udc->dev.driver = &driver->driver;
+ udc->gadget->dev.driver = &driver->driver;
+
+ usb_gadget_udc_set_speed(udc, driver->max_speed);
+@@ -1519,7 +1517,6 @@ err1:
+ dev_err(&udc->dev, "failed to start %s: %d\n",
+ udc->driver->function, ret);
+ udc->driver = NULL;
+- udc->dev.driver = NULL;
+ udc->gadget->dev.driver = NULL;
+ return ret;
+ }
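Review bot: All three hunks drop the `udc->dev.driver` stores but leave `udc->gadget->dev.driver = &driver->driver;` and its two `= NULL` counterparts in place, and those are the same unsynchronized plain stores to a `dev->driver` field that the commit message identifies as the race source for dev_uevent(). If the gadget device is likewise registered without a bus, as far as the hunks show it is, a concurrent dev_uevent() on it can hit the same test-then-dereference window, so either a comment stating why the gadget device is exempt or a follow-up is warranted. A comment beside the remaining assignment, e.g. `/* udc->dev.driver is deliberately never set: udc has no bus, so a plain dev->driver store would be unsynchronized against dev_uevent() */`, would also stop the removed line from being reintroduced. usb_gadget_remove_driver() and udc_bind_to_driver() both begin outside the hunks shown.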
--- /dev/null
+From 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 1 Mar 2022 11:04:24 +0300
+Subject: usb: gadget: rndis: prevent integer overflow in rndis_set_response()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa upstream.
+
+If "BufOffset" is very large the "BufOffset + 8" operation can have an
+integer overflow.
+
+Cc: stable@kernel.org
+Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20220301080424.GA17208@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/rndis.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/rndis.c
++++ b/drivers/usb/gadget/function/rndis.c
+@@ -640,6 +640,7 @@ static int rndis_set_response(struct rnd
+ BufLength = le32_to_cpu(buf->InformationBufferLength);
+ BufOffset = le32_to_cpu(buf->InformationBufferOffset);
+ if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
++ (BufOffset > RNDIS_MAX_TOTAL_SIZE) ||
+ (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
+ return -EINVAL;
+
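Review bot: The added `(BufOffset > RNDIS_MAX_TOTAL_SIZE)` test removes the wrap in `BufOffset + 8`, but it leaves the following `>=` comparison meaningful only for the band `RNDIS_MAX_TOTAL_SIZE - 8 <= BufOffset <= RNDIS_MAX_TOTAL_SIZE`, and a reader has to derive that to see the two lines jointly mean "the offset must leave room for the 8-byte header". A single comparison rejects exactly the same inputs without the overflow-prone addition: `if (BufLength > RNDIS_MAX_TOTAL_SIZE || BufOffset >= RNDIS_MAX_TOTAL_SIZE - 8) return -EINVAL;` (valid provided RNDIS_MAX_TOTAL_SIZE is at least 8). Whichever form is kept, a comment such as `/* bound BufOffset before the addition so BufOffset + 8 cannot wrap */` records why the extra test exists. BufLength and BufOffset are still validated independently, so their sum can exceed RNDIS_MAX_TOTAL_SIZE; whether that matters depends on how the consumer below the hunk indexes buf with them, which is not visible here. rndis_set_response() begins before the hunk.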
--- /dev/null
+From e9b667a82cdcfe21d590344447d65daed52b353b Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 3 Mar 2022 16:00:17 -0500
+Subject: usb: usbtmc: Fix bug in pipe direction for control transfers
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit e9b667a82cdcfe21d590344447d65daed52b353b upstream.
+
+The syzbot fuzzer reported a minor bug in the usbtmc driver:
+
+usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0
+WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412
+usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410
+Modules linked in:
+CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted
+5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
+...
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58
+ usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
+ usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153
+ usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]
+
+The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for
+all of its transfers, whether they are in or out. It's easy to fix.
+
+CC: <stable@vger.kernel.org>
+Reported-and-tested-by: syzbot+a48e3d1a875240cab5de@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/YiEsYTPEE6lOCOA5@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usbtmc.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -1919,6 +1919,7 @@ static int usbtmc_ioctl_request(struct u
+ struct usbtmc_ctrlrequest request;
+ u8 *buffer = NULL;
+ int rv;
++ unsigned int is_in, pipe;
+ unsigned long res;
+
+ res = copy_from_user(&request, arg, sizeof(struct usbtmc_ctrlrequest));
+@@ -1928,12 +1929,14 @@ static int usbtmc_ioctl_request(struct u
+ if (request.req.wLength > USBTMC_BUFSIZE)
+ return -EMSGSIZE;
+
++ is_in = request.req.bRequestType & USB_DIR_IN;
++
+ if (request.req.wLength) {
+ buffer = kmalloc(request.req.wLength, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
+- if ((request.req.bRequestType & USB_DIR_IN) == 0) {
++ if (!is_in) {
+ /* Send control data to device */
+ res = copy_from_user(buffer, request.data,
+ request.req.wLength);
+@@ -1944,8 +1947,12 @@ static int usbtmc_ioctl_request(struct u
+ }
+ }
+
++ if (is_in)
++ pipe = usb_rcvctrlpipe(data->usb_dev, 0);
++ else
++ pipe = usb_sndctrlpipe(data->usb_dev, 0);
+ rv = usb_control_msg(data->usb_dev,
+- usb_rcvctrlpipe(data->usb_dev, 0),
++ pipe,
+ request.req.bRequest,
+ request.req.bRequestType,
+ request.req.wValue,
+@@ -1957,7 +1964,7 @@ static int usbtmc_ioctl_request(struct u
+ goto exit;
+ }
+
+- if (rv && (request.req.bRequestType & USB_DIR_IN)) {
++ if (rv && is_in) {
+ /* Read control data from device */
+ res = copy_to_user(request.data, buffer, rv);
+ if (res)