--- /dev/null
+From 4a8737ff068724f509d583fef404d349adba80d6 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 10 Dec 2021 10:03:09 +0100
+Subject: can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 4a8737ff068724f509d583fef404d349adba80d6 upstream.
+
+The received data carries the channel it is associated with. If the
+channel number is bigger than the actual number of channels, assume a
+broken or malicious USB device and shut it down.
+
+This fixes the error found by clang:
+
+| drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
+| uninitialized whenever 'if' condition is true
+| if (hf->channel >= GS_MAX_INTF)
+| ^~~~~~~~~~~~~~~~~~~~~~~~~~
+| drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
+| hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
+| ^~~
+
+Link: https://lore.kernel.org/all/20211210091158.408326-1-mkl@pengutronix.de
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -328,7 +328,7 @@ static void gs_usb_receive_bulk_callback
+
+ /* device reports out of range channel id */
+ if (hf->channel >= GS_MAX_INTF)
+- goto resubmit_urb;
++ goto device_detach;
+
+ dev = usbcan->canch[hf->channel];
+
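Review bot: The guard at `if (hf->channel >= GS_MAX_INTF)` bounds the device-supplied index against the driver-wide maximum, not against the number of channels this particular device enumerated, so a channel value below GS_MAX_INTF that the device never populated still falls through to `dev = usbcan->canch[hf->channel];`. If `canch[]` holds NULL for unpopulated slots (its allocation is outside the hunk), such an index yields a NULL `dev` that is used right after, with the same malicious-device exposure the commit message describes. Treating an empty slot like an out-of-range index closes that gap cheaply: `if (hf->channel >= GS_MAX_INTF || !usbcan->canch[hf->channel]) goto device_detach;`. The body of gs_usb_receive_bulk_callback begins before and continues after this hunk.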
+@@ -413,6 +413,7 @@ static void gs_usb_receive_bulk_callback
+
+ /* USB failure take down all interfaces */
+ if (rc == -ENODEV) {
++ device_detach:
+ for (rc = 0; rc < GS_MAX_INTF; rc++) {
+ if (usbcan->canch[rc])
+ netif_device_detach(usbcan->canch[rc]->netdev);
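Review bot: The new `device_detach:` label sits inside the body of `if (rc == -ENODEV) {`, so the goto from the channel check enters a conditional block sideways; C allows this, but a reader following the `if` will not expect a second entry point, and the `rc` test reads as if it were the only thing guarding the detach loop. Restructuring as `if (rc != -ENODEV) return;` followed by the label and the loop at function scope keeps one entry path per block and makes the two failure sources visibly converge. At minimum a comment above the label, `/* also reached via goto when the device reports an invalid channel id */`, would flag the extra entry. The closing braces of the function lie just past this hunk.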
--- /dev/null
+From 89d58aebe14a365c25ba6645414afdbf4e41cea4 Mon Sep 17 00:00:00 2001
+From: Brian Silverman <brian.silverman@bluerivertech.com>
+Date: Wed, 5 Jan 2022 16:29:50 -0800
+Subject: can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
+
+From: Brian Silverman <brian.silverman@bluerivertech.com>
+
+commit 89d58aebe14a365c25ba6645414afdbf4e41cea4 upstream.
+
+No information is deliberately sent in hf->flags in host -> device
+communications, but the open-source candleLight firmware echoes it
+back, which can result in the GS_CAN_FLAG_OVERFLOW flag being set and
+generating spurious ERRORFRAMEs.
+
+While there also initialize the reserved member with 0.
+
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Link: https://lore.kernel.org/all/20220106002952.25883-1-brian.silverman@bluerivertech.com
+Link: https://github.com/candle-usb/candleLight_fw/issues/87
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Silverman <brian.silverman@bluerivertech.com>
+[mkl: initialize the reserved member, too]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -515,6 +515,8 @@ static netdev_tx_t gs_can_start_xmit(str
+
+ hf->echo_id = idx;
+ hf->channel = dev->channel;
++ hf->flags = 0;
++ hf->reserved = 0;
+
+ cf = (struct can_frame *)skb->data;
+
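Review bot: Zeroing `hf->flags` and `hf->reserved` field by field leaves every other byte of the buffer at whatever the allocator returned; if `hf` comes from kmalloc() rather than kzalloc() (the allocation is outside the hunk) and the payload copy only covers the frame's DLC bytes of `hf->data`, the tail of `data` and any struct padding still go to the device as uninitialized heap memory. Allocating with kzalloc(), or one `memset(hf, 0, sizeof(*hf));` before the field assignments, would cover those bytes too and keep this fix valid if struct gs_host_frame grows new fields. gs_can_start_xmit starts before and continues after this hunk.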
--- /dev/null
+From 009ba8568be497c640cab7571f7bfd18345d7b24 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 20 Dec 2021 16:41:57 -0600
+Subject: random: fix data race on crng init time
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 009ba8568be497c640cab7571f7bfd18345d7b24 upstream.
+
+_extract_crng() does plain loads of crng->init_time and
+crng_global_init_time, which causes undefined behavior if
+crng_reseed() and RNDRESEEDCRNG modify these concurrently.
+
+Use READ_ONCE() and WRITE_ONCE() to make the behavior defined.
+
+Don't fix the race on crng->init_time by protecting it with crng->lock,
+since it's not a problem for duplicate reseedings to occur. I.e., the
+lockless access with READ_ONCE() is fine.
+
+Fixes: d848e5f8e1eb ("random: add new ioctl RNDRESEEDCRNG")
+Fixes: e192be9d9a30 ("random: replace non-blocking pool with a Chacha20-based CRNG")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -951,7 +951,7 @@ static void crng_reseed(struct crng_stat
+ crng->state[i+4] ^= buf.key[i] ^ rv;
+ }
+ memzero_explicit(&buf, sizeof(buf));
+- crng->init_time = jiffies;
++ WRITE_ONCE(crng->init_time, jiffies);
+ spin_unlock_irqrestore(&crng->lock, flags);
+ if (crng == &primary_crng && crng_init < 2) {
+ invalidate_batched_entropy();
+@@ -978,12 +978,15 @@ static void crng_reseed(struct crng_stat
+ static void _extract_crng(struct crng_state *crng,
+ __u8 out[CHACHA20_BLOCK_SIZE])
+ {
+- unsigned long v, flags;
++ unsigned long v, flags, init_time;
+
+- if (crng_ready() &&
+- (time_after(crng_global_init_time, crng->init_time) ||
+- time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)))
+- crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
++ if (crng_ready()) {
++ init_time = READ_ONCE(crng->init_time);
++ if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
++ time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
++ crng_reseed(crng, crng == &primary_crng ?
++ &input_pool : NULL);
++ }
+ spin_lock_irqsave(&crng->lock, flags);
+ if (arch_get_random_long(&v))
+ crng->state[14] ^= v;
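Review bot: `crng_ready()` on the new `if (crng_ready()) {` line still reads `crng_init`, the variable crng_reseed() consults in the visible `crng_init < 2` test and, if it follows the usual pattern, promotes just after it; if that helper expands to a plain load (its definition is outside the hunk), this line keeps the same kind of unannotated concurrent access that the change removes for `init_time`. Either a `READ_ONCE(crng_init)` inside the helper, or a comment such as `/* crng_init is read without annotation here; a stale value only delays the reseed check */` if that is deliberate, would make the intent explicit. `_extract_crng` continues past the end of this hunk.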
+@@ -1987,7 +1990,7 @@ static long random_ioctl(struct file *f,
+ if (crng_init < 2)
+ return -ENODATA;
+ crng_reseed(&primary_crng, &input_pool);
+- crng_global_init_time = jiffies - 1;
++ WRITE_ONCE(crng_global_init_time, jiffies - 1);
+ return 0;
+ default:
+ return -EINVAL;
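Review bot: The reason for `jiffies - 1` rather than `jiffies` in the new `WRITE_ONCE(crng_global_init_time, jiffies - 1);` is not documented: crng_reseed() has just stamped `primary_crng.init_time` with `jiffies`, so writing one tick less keeps `time_after(crng_global_init_time, init_time)` false for the primary pool (barring a tick in between) while still forcing every pool whose init_time is older to refresh on its next use. A comment such as `/* jiffies - 1: make every other crng reseed on next use without re-reseeding the primary we just refreshed */` would save the next reader the derivation. The ioctl's switch continues past this hunk.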
--- /dev/null
+From 5d73d1e320c3fd94ea15ba5f79301da9a8bcc7de Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 20 Dec 2021 16:41:56 -0600
+Subject: random: fix data race on crng_node_pool
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 5d73d1e320c3fd94ea15ba5f79301da9a8bcc7de upstream.
+
+extract_crng() and crng_backtrack_protect() load crng_node_pool with a
+plain load, which causes undefined behavior if do_numa_crng_init()
+modifies it concurrently.
+
+Fix this by using READ_ONCE(). Note: as per the previous discussion
+https://lore.kernel.org/lkml/20211219025139.31085-1-ebiggers@kernel.org/T/#u,
+READ_ONCE() is believed to be sufficient here, and it was requested that
+it be used here instead of smp_load_acquire().
+
+Also change do_numa_crng_init() to set crng_node_pool using
+cmpxchg_release() instead of mb() + cmpxchg(), as the former is
+sufficient here but is more lightweight.
+
+Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly userspace programs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 42 ++++++++++++++++++++++--------------------
+ 1 file changed, 22 insertions(+), 20 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -813,8 +813,8 @@ static void do_numa_crng_init(struct wor
+ crng_initialize(crng);
+ pool[i] = crng;
+ }
+- mb();
+- if (cmpxchg(&crng_node_pool, NULL, pool)) {
++ /* pairs with READ_ONCE() in select_crng() */
++ if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) {
+ for_each_node(i)
+ kfree(pool[i]);
+ kfree(pool);
+@@ -827,8 +827,26 @@ static void numa_crng_init(void)
+ {
+ schedule_work(&numa_crng_init_work);
+ }
++
++static struct crng_state *select_crng(void)
++{
++ struct crng_state **pool;
++ int nid = numa_node_id();
++
++ /* pairs with cmpxchg_release() in do_numa_crng_init() */
++ pool = READ_ONCE(crng_node_pool);
++ if (pool && pool[nid])
++ return pool[nid];
++
++ return &primary_crng;
++}
+ #else
+ static void numa_crng_init(void) {}
++
++static struct crng_state *select_crng(void)
++{
++ return &primary_crng;
++}
+ #endif
+
+ /*
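Review bot: The comment `/* pairs with cmpxchg_release() in do_numa_crng_init() */` in the new select_crng() says what the READ_ONCE() pairs with but not why a relaxed load is enough, which is the non-obvious part that the commit message defers to a mailing-list thread; a reader will reasonably ask why this is not smp_load_acquire(). If the justification is that the subsequent loads of `pool[nid]` and of the state it points to carry an address dependency on `pool` (as the pairing with a release suggests), recording it as `/* pairs with cmpxchg_release() in do_numa_crng_init(); the later loads of pool[nid] and its contents depend on pool's address, so READ_ONCE() suffices */` puts the argument next to the code. The `#ifdef CONFIG_NUMA` that opens this region begins before the hunk.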
+@@ -977,15 +995,7 @@ static void _extract_crng(struct crng_st
+
+ static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE])
+ {
+- struct crng_state *crng = NULL;
+-
+-#ifdef CONFIG_NUMA
+- if (crng_node_pool)
+- crng = crng_node_pool[numa_node_id()];
+- if (crng == NULL)
+-#endif
+- crng = &primary_crng;
+- _extract_crng(crng, out);
++ _extract_crng(select_crng(), out);
+ }
+
+ /*
+@@ -1014,15 +1024,7 @@ static void _crng_backtrack_protect(stru
+
+ static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used)
+ {
+- struct crng_state *crng = NULL;
+-
+-#ifdef CONFIG_NUMA
+- if (crng_node_pool)
+- crng = crng_node_pool[numa_node_id()];
+- if (crng == NULL)
+-#endif
+- crng = &primary_crng;
+- _crng_backtrack_protect(crng, tmp, used);
++ _crng_backtrack_protect(select_crng(), tmp, used);
+ }
+
+ static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch
usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch
mfd-intel-lpss-fix-too-early-pm-enablement-in-the-acpi-probe.patch
+can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch
+can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch
+random-fix-data-race-on-crng_node_pool.patch
+random-fix-data-race-on-crng-init-time.patch