From: Greg Kroah-Hartman Date: Mon, 17 Jun 2024 17:59:59 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.1.95~105 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=334d6e789b1bc02ba87d5f8bca927b1fb520be54;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: drivers-core-synchronize-really_probe-and-dev_uevent.patch --- diff --git a/queue-5.4/drivers-core-synchronize-really_probe-and-dev_uevent.patch b/queue-5.4/drivers-core-synchronize-really_probe-and-dev_uevent.patch new file mode 100644 index 00000000000..03a37c2b7f6 --- /dev/null +++ b/queue-5.4/drivers-core-synchronize-really_probe-and-dev_uevent.patch 
@@ -0,0 +1,104 @@ +From c0a40097f0bc81deafc15f9195d1fb54595cd6d0 Mon Sep 17 00:00:00 2001 +From: Dirk Behme +Date: Mon, 13 May 2024 07:06:34 +0200 +Subject: drivers: core: synchronize really_probe() and dev_uevent() + +From: Dirk Behme + +commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0 upstream. + +Synchronize the dev->driver usage in really_probe() and dev_uevent(). +These can run in different threads, what can result in the following +race condition for dev->driver uninitialization: + +Thread #1: +========== + +really_probe() { +... +probe_failed: +... +device_unbind_cleanup(dev) { + ... + dev->driver = NULL; // <= Failed probe sets dev->driver to NULL + ... + } +... +} + +Thread #2: +========== + +dev_uevent() { +... +if (dev->driver) + // If dev->driver is NULLed from really_probe() from here on, + // after above check, the system crashes + add_uevent_var(env, "DRIVER=%s", dev->driver->name); +... +} + +really_probe() holds the lock, already. So nothing needs to be done +there. dev_uevent() is called with lock held, often, too. But not +always. What implies that we can't add any locking in dev_uevent() +itself. So fix this race by adding the lock to the non-protected +path. This is the path where above race is observed: + + dev_uevent+0x235/0x380 + uevent_show+0x10c/0x1f0 <= Add lock here + dev_attr_show+0x3a/0xa0 + sysfs_kf_seq_show+0x17c/0x250 + kernfs_seq_show+0x7c/0x90 + seq_read_iter+0x2d7/0x940 + kernfs_fop_read_iter+0xc6/0x310 + vfs_read+0x5bc/0x6b0 + ksys_read+0xeb/0x1b0 + __x64_sys_read+0x42/0x50 + x64_sys_call+0x27ad/0x2d30 + do_syscall_64+0xcd/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Similar cases are reported by syzkaller in + +https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a + +But these are regarding the *initialization* of dev->driver + +dev->driver = drv; + +As this switches dev->driver to non-NULL these reports can be considered +to be false-positives (which should be "fixed" by this commit, as well, +though). 
+ +The same issue was reported and tried to be fixed back in 2015 in + +https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/ + +already. + +Fixes: 239378f16aa1 ("Driver core: add uevent vars for devices of a class") +Cc: stable +Cc: syzbot+ffa8143439596313a85a@syzkaller.appspotmail.com +Cc: Ashish Sangwan +Cc: Namjae Jeon +Signed-off-by: Dirk Behme +Link: https://lore.kernel.org/r/20240513050634.3964461-1-dirk.behme@de.bosch.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -1273,8 +1273,11 @@ static ssize_t uevent_show(struct device + if (!env) + return -ENOMEM; + ++ /* Synchronize with really_probe() */ ++ device_lock(dev); + /* let the kset specific function add its keys */ + retval = kset->uevent_ops->uevent(kset, &dev->kobj, env); ++ device_unlock(dev); + if (retval) + goto out; + diff --git a/queue-5.4/ionic-fix-use-after-netif_napi_del.patch b/queue-5.4/ionic-fix-use-after-netif_napi_del.patch index 9159496966f..61b41444699 100644 --- a/queue-5.4/ionic-fix-use-after-netif_napi_del.patch +++ b/queue-5.4/ionic-fix-use-after-netif_napi_del.patch @@ -73,14 +73,12 @@ Link: https://lore.kernel.org/r/20240612060446.1754392-1-ap420073@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c -index e7d868da6a380..7adad91617d8c 100644 --- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c +++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c -@@ -205,10 +205,8 @@ static int ionic_qcq_enable(struct ionic_qcq *qcq) +@@ -205,10 +205,8 @@ static int ionic_qcq_enable(struct ionic if (ret) return ret; 
@@ -92,6 +90,3 @@ index e7d868da6a380..7adad91617d8c 100644 irq_set_affinity_hint(qcq->intr.vector, &qcq->intr.affinity_mask); ionic_intr_mask(idev->intr_ctrl, qcq->intr.index, --- -2.43.0 - diff --git a/queue-5.4/series b/queue-5.4/series index 4afdcdbeb67..2605815c2ae 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -78,3 +78,4 @@ netfilter-ipset-fix-race-between-namespace-cleanup-a.patch netfilter-use-flowlabel-flow-key-when-re-routing-man.patch net-ipv6-fix-the-rt-cache-flush-via-sysctl-using-a-p.patch ionic-fix-use-after-netif_napi_del.patch +drivers-core-synchronize-really_probe-and-dev_uevent.patch
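Review bot: in the drivers/base/core.c hunk of the new queue-5.4/drivers-core-synchronize-really_probe-and-dev_uevent.patch file, the device_lock(dev)/device_unlock(dev) pair around the kset->uevent_ops->uevent() call turns a sysfs read of the uevent attribute into a blocking wait on the per-device mutex, so reading that attribute will now sleep for as long as a probe or remove of the same device holds the lock, and it would deadlock if any caller of uevent_show() could already hold it, since device_lock() is a plain non-recursive mutex_lock(&dev->mutex). The commit message should state that neither case applies to this path; it currently only says the lock is added to "the non-protected path" where the trace was observed. The placement is otherwise correct: device_unlock() comes before the `if (retval) goto out;` check, so the error path does not leak the lock. Since the message also says dev_uevent() is called with the lock held "often, too. But not always", naming the remaining unlocked callers, or stating that uevent_show() is the only one, would make clear that this single change closes the dev->driver NULL-dereference race rather than just the reproduced instance.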
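Review bot: the two hunks against queue-5.4/ionic-fix-use-after-netif_napi_del.patch change no code lines of that backport: they drop the `diff --git` and `index e7d868da6a380..7adad91617d8c` lines, remove the `-- 2.43.0` trailer, shorten the `@@ -205,10 +205,8 @@` context from `ionic_qcq_enable(struct ionic_qcq *qcq)` to `ionic`, and re-align the diffstat line for ionic_lif.c. That is a quilt-style refresh of the patch header with no functional effect, but the commit message ("added patches: drivers-core-synchronize-really_probe-and-dev_uevent.patch") does not mention that an already-queued patch was rewritten in the same commit; a second line noting the refresh would make the history easier to audit.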
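Review bot: the queue-5.4/series hunk appends drivers-core-synchronize-really_probe-and-dev_uevent.patch after ionic-fix-use-after-netif_napi_del.patch; the new patch touches only drivers/base/core.c while the neighbouring entries touch netfilter, ipv6 and the ionic driver, so there is no ordering dependency and appending at the end is the right placement. The file name in the series entry matches the new file added under queue-5.4/ exactly, which is the one thing to verify in this hunk.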