From: Greg Kroah-Hartman Date: Tue, 20 Apr 2021 11:53:38 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.4.114~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d6199a99d8eb284e1bb93131ea641e3cc44222d6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch usbip-stub-dev-synchronize-sysfs-code-paths.patch usbip-synchronize-event-handler-with-sysfs-code-paths.patch usbip-vudc-synchronize-sysfs-code-paths.patch --- diff --git a/queue-4.9/pcnet32-use-pci_resource_len-to-validate-pci-resourc.patch b/queue-4.9/pcnet32-use-pci_resource_len-to-validate-pci-resourc.patch index 2ab0e0c0fdf..5c28d117ff3 100644 --- a/queue-4.9/pcnet32-use-pci_resource_len-to-validate-pci-resourc.patch +++ b/queue-4.9/pcnet32-use-pci_resource_len-to-validate-pci-resourc.patch @@ -23,14 +23,12 @@ Signed-off-by: Guenter Roeck Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- - drivers/net/ethernet/amd/pcnet32.c | 5 +++-- + drivers/net/ethernet/amd/pcnet32.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/drivers/net/ethernet/amd/pcnet32.c b/drivers/net/ethernet/amd/pcnet32.c -index c22bf52d3320..c3887ac3d04d 100644 --- a/drivers/net/ethernet/amd/pcnet32.c +++ b/drivers/net/ethernet/amd/pcnet32.c -@@ -1493,8 +1493,7 @@ pcnet32_probe_pci(struct pci_dev *pdev, const struct pci_device_id *ent) +@@ -1493,8 +1493,7 @@ pcnet32_probe_pci(struct pci_dev *pdev, } pci_set_master(pdev); @@ -40,7 +38,7 @@ index c22bf52d3320..c3887ac3d04d 100644 if (pcnet32_debug & NETIF_MSG_PROBE) pr_err("card has no PCI IO resources, aborting\n"); return -ENODEV; -@@ -1506,6 +1505,8 @@ pcnet32_probe_pci(struct pci_dev *pdev, const struct pci_device_id *ent) +@@ -1506,6 +1505,8 @@ pcnet32_probe_pci(struct pci_dev *pdev, pr_err("architecture does not support 32bit PCI busmaster DMA\n"); return err; } @@ -49,6 +47,3 @@ index c22bf52d3320..c3887ac3d04d 100644 if (!request_region(ioaddr, PCNET32_TOTAL_SIZE, "pcnet32_probe_pci")) { if (pcnet32_debug & NETIF_MSG_PROBE) pr_err("io address range already allocated\n"); --- -2.30.2 - diff --git a/queue-4.9/series b/queue-4.9/series index 7541d3a1b02..666e9fc827a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -20,3 +20,8 @@ net-davicom-fix-regulator-not-turned-off-on-failed-probe.patch net-sit-unregister-catch-all-devices.patch i40e-fix-the-panic-when-running-bpf-in-xdpdrv-mode.patch arm-9071-1-uprobes-don-t-hook-on-thumb-instructions.patch +usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch +usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch +usbip-stub-dev-synchronize-sysfs-code-paths.patch +usbip-vudc-synchronize-sysfs-code-paths.patch +usbip-synchronize-event-handler-with-sysfs-code-paths.patch diff --git a/queue-4.9/usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch b/queue-4.9/usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch new file mode 100644 index 00000000000..812fb1171e5 --- /dev/null +++ b/queue-4.9/usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch @@ -0,0 +1,153 @@ +From foo@baz Tue Apr 20 01:51:40 PM CEST 2021 +From: Tom Seewald +Date: Fri, 16 Apr 2021 15:53:16 -0500 +Subject: usbip: add sysfs_lock to synchronize sysfs code paths +To: stable@vger.kernel.org +Cc: Shuah Khan , syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman , Tom Seewald , Valentina Manea , Shuah Khan +Message-ID: <20210416205319.14075-1-tseewald@gmail.com> + +From: Shuah Khan + +commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream. + +Fuzzing uncovered race condition between sysfs code paths in usbip +drivers. Device connect/disconnect code paths initiated through +sysfs interface are prone to races if disconnect happens during +connect and vice versa. + +This problem is common to all drivers while it can be reproduced easily +in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths. + +Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host +and usip-vudc drivers and the event handler will have to use this lock to +protect the paths. These changes will be done in subsequent patches. + +Cc: stable@vger.kernel.org # 4.9.x +Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org +Signed-off-by: Tom Seewald +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/usbip_common.h | 3 +++ + drivers/usb/usbip/vhci_hcd.c | 1 + + drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++----- + 3 files changed, 29 insertions(+), 5 deletions(-) + +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -278,6 +278,9 @@ struct usbip_device { + /* lock for status */ + spinlock_t lock; + ++ /* mutex for synchronizing sysfs store paths */ ++ struct mutex sysfs_lock; ++ + int sockfd; + struct socket *tcp_socket; + +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -907,6 +907,7 @@ static void vhci_device_init(struct vhci + vdev->ud.side = USBIP_VHCI; + vdev->ud.status = VDEV_ST_NULL; + spin_lock_init(&vdev->ud.lock); ++ mutex_init(&vdev->ud.sysfs_lock); + + INIT_LIST_HEAD(&vdev->priv_rx); + INIT_LIST_HEAD(&vdev->priv_tx); +--- a/drivers/usb/usbip/vhci_sysfs.c ++++ b/drivers/usb/usbip/vhci_sysfs.c +@@ -161,6 +161,8 @@ static int vhci_port_disconnect(struct v + + usbip_dbg_vhci_sysfs("enter\n"); + ++ mutex_lock(&vdev->ud.sysfs_lock); ++ + /* lock */ + spin_lock_irqsave(&vhci->lock, flags); + spin_lock(&vdev->ud.lock); +@@ -171,6 +173,7 @@ static int vhci_port_disconnect(struct v + /* unlock */ + spin_unlock(&vdev->ud.lock); + spin_unlock_irqrestore(&vhci->lock, flags); ++ mutex_unlock(&vdev->ud.sysfs_lock); + + return -EINVAL; + } +@@ -181,6 +184,8 @@ static int vhci_port_disconnect(struct v + + usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN); + ++ mutex_unlock(&vdev->ud.sysfs_lock); ++ + return 0; + } + +@@ -309,30 +314,36 @@ static ssize_t store_attach(struct devic + vhci = hcd_to_vhci(hcd); + vdev = &vhci->vdev[rhport]; + ++ mutex_lock(&vdev->ud.sysfs_lock); ++ + /* Extract socket from fd. */ + socket = sockfd_lookup(sockfd, &err); + if (!socket) { + dev_err(dev, "failed to lookup sock"); +- return -EINVAL; ++ err = -EINVAL; ++ goto unlock_mutex; + } + if (socket->type != SOCK_STREAM) { + dev_err(dev, "Expecting SOCK_STREAM - found %d", + socket->type); + sockfd_put(socket); +- return -EINVAL; ++ err = -EINVAL; ++ goto unlock_mutex; + } + + /* create threads before locking */ + tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx"); + if (IS_ERR(tcp_rx)) { + sockfd_put(socket); +- return -EINVAL; ++ err = -EINVAL; ++ goto unlock_mutex; + } + tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx"); + if (IS_ERR(tcp_tx)) { + kthread_stop(tcp_rx); + sockfd_put(socket); +- return -EINVAL; ++ err = -EINVAL; ++ goto unlock_mutex; + } + + /* get task structs now */ +@@ -353,7 +364,8 @@ static ssize_t store_attach(struct devic + kthread_stop_put(tcp_tx); + + dev_err(dev, "port %d already used\n", rhport); +- return -EINVAL; ++ err = -EINVAL; ++ goto unlock_mutex; + } + + dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n", +@@ -378,7 +390,15 @@ static ssize_t store_attach(struct devic + + rh_port_connect(vdev, speed); + ++ dev_info(dev, "Device attached\n"); ++ ++ mutex_unlock(&vdev->ud.sysfs_lock); ++ + return count; ++ ++unlock_mutex: ++ mutex_unlock(&vdev->ud.sysfs_lock); ++ return err; + } + static DEVICE_ATTR(attach, S_IWUSR, NULL, store_attach); + diff --git a/queue-4.9/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch b/queue-4.9/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch new file mode 100644 index 00000000000..32ee73186cc --- /dev/null +++ b/queue-4.9/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch @@ -0,0 +1,35 @@ +From 9858af27e69247c5d04c3b093190a93ca365f33d Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 11 Mar 2021 10:44:45 +0000 +Subject: usbip: Fix incorrect double assignment to udc->ud.tcp_rx + +From: Colin Ian King + +commit 9858af27e69247c5d04c3b093190a93ca365f33d upstream. + +Currently udc->ud.tcp_rx is being assigned twice, the second assignment +is incorrect, it should be to udc->ud.tcp_tx instead of rx. Fix this. + +Fixes: 46613c9dfa96 ("usbip: fix vudc usbip_sockfd_store races leading to gpf") +Acked-by: Shuah Khan +Signed-off-by: Colin Ian King +Cc: stable +Addresses-Coverity: ("Unused value") +Link: https://lore.kernel.org/r/20210311104445.7811-1-colin.king@canonical.com +Signed-off-by: Tom Seewald +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/vudc_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/usbip/vudc_sysfs.c ++++ b/drivers/usb/usbip/vudc_sysfs.c +@@ -187,7 +187,7 @@ static ssize_t store_sockfd(struct devic + + udc->ud.tcp_socket = socket; + udc->ud.tcp_rx = tcp_rx; +- udc->ud.tcp_rx = tcp_tx; ++ udc->ud.tcp_tx = tcp_tx; + udc->ud.status = SDEV_ST_USED; + + spin_unlock_irq(&udc->ud.lock); diff --git a/queue-4.9/usbip-stub-dev-synchronize-sysfs-code-paths.patch b/queue-4.9/usbip-stub-dev-synchronize-sysfs-code-paths.patch new file mode 100644 index 00000000000..feaf405f59f --- /dev/null +++ b/queue-4.9/usbip-stub-dev-synchronize-sysfs-code-paths.patch @@ -0,0 +1,89 @@ +From foo@baz Tue Apr 20 01:51:40 PM CEST 2021 +From: Tom Seewald +Date: Fri, 16 Apr 2021 15:53:17 -0500 +Subject: usbip: stub-dev synchronize sysfs code paths +To: stable@vger.kernel.org +Cc: Shuah Khan , syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman , Tom Seewald , Valentina Manea , Shuah Khan +Message-ID: <20210416205319.14075-2-tseewald@gmail.com> + +From: Shuah Khan + +commit 9dbf34a834563dada91366c2ac266f32ff34641a upstream. + +Fuzzing uncovered race condition between sysfs code paths in usbip +drivers. Device connect/disconnect code paths initiated through +sysfs interface are prone to races if disconnect happens during +connect and vice versa. + +Use sysfs_lock to protect sysfs paths in stub-dev. + +Cc: stable@vger.kernel.org # 4.9.x +Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org +Signed-off-by: Tom Seewald +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/stub_dev.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -77,6 +77,7 @@ static ssize_t store_sockfd(struct devic + + dev_info(dev, "stub up\n"); + ++ mutex_lock(&sdev->ud.sysfs_lock); + spin_lock_irq(&sdev->ud.lock); + + if (sdev->ud.status != SDEV_ST_AVAILABLE) { +@@ -101,13 +102,13 @@ static ssize_t store_sockfd(struct devic + tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx"); + if (IS_ERR(tcp_rx)) { + sockfd_put(socket); +- return -EINVAL; ++ goto unlock_mutex; + } + tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx"); + if (IS_ERR(tcp_tx)) { + kthread_stop(tcp_rx); + sockfd_put(socket); +- return -EINVAL; ++ goto unlock_mutex; + } + + /* get task structs now */ +@@ -126,6 +127,8 @@ static ssize_t store_sockfd(struct devic + wake_up_process(sdev->ud.tcp_rx); + wake_up_process(sdev->ud.tcp_tx); + ++ mutex_unlock(&sdev->ud.sysfs_lock); ++ + } else { + dev_info(dev, "stub down\n"); + +@@ -136,6 +139,7 @@ static ssize_t store_sockfd(struct devic + spin_unlock_irq(&sdev->ud.lock); + + usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN); ++ mutex_unlock(&sdev->ud.sysfs_lock); + } + + return count; +@@ -144,6 +148,8 @@ sock_err: + sockfd_put(socket); + err: + spin_unlock_irq(&sdev->ud.lock); ++unlock_mutex: ++ mutex_unlock(&sdev->ud.sysfs_lock); + return -EINVAL; + } + static DEVICE_ATTR(usbip_sockfd, S_IWUSR, NULL, store_sockfd); +@@ -309,6 +315,7 @@ static struct stub_device *stub_device_a + sdev->ud.side = USBIP_STUB; + sdev->ud.status = SDEV_ST_AVAILABLE; + spin_lock_init(&sdev->ud.lock); ++ mutex_init(&sdev->ud.sysfs_lock); + sdev->ud.tcp_socket = NULL; + sdev->ud.sockfd = -1; + diff --git a/queue-4.9/usbip-synchronize-event-handler-with-sysfs-code-paths.patch b/queue-4.9/usbip-synchronize-event-handler-with-sysfs-code-paths.patch new file mode 100644 index 00000000000..0548190d3a0 --- /dev/null +++ b/queue-4.9/usbip-synchronize-event-handler-with-sysfs-code-paths.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Apr 20 01:51:40 PM CEST 2021 +From: Tom Seewald +Date: Fri, 16 Apr 2021 15:53:19 -0500 +Subject: usbip: synchronize event handler with sysfs code paths +To: stable@vger.kernel.org +Cc: Shuah Khan , syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman , Tom Seewald , Valentina Manea , Shuah Khan +Message-ID: <20210416205319.14075-4-tseewald@gmail.com> + +From: Shuah Khan + +commit 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814 upstream. + +Fuzzing uncovered race condition between sysfs code paths in usbip +drivers. Device connect/disconnect code paths initiated through +sysfs interface are prone to races if disconnect happens during +connect and vice versa. + +Use sysfs_lock to synchronize event handler with sysfs paths +in usbip drivers. + +Cc: stable@vger.kernel.org # 4.9.x +Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/c5c8723d3f29dfe3d759cfaafa7dd16b0dfe2918.1616807117.git.skhan@linuxfoundation.org +Signed-off-by: Tom Seewald +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/usbip_event.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/usbip/usbip_event.c ++++ b/drivers/usb/usbip/usbip_event.c +@@ -84,6 +84,7 @@ static void event_handler(struct work_st + while ((ud = get_event()) != NULL) { + usbip_dbg_eh("pending event %lx\n", ud->event); + ++ mutex_lock(&ud->sysfs_lock); + /* + * NOTE: shutdown must come first. + * Shutdown the device. +@@ -104,6 +105,7 @@ static void event_handler(struct work_st + ud->eh_ops.unusable(ud); + unset_event(ud, USBIP_EH_UNUSABLE); + } ++ mutex_unlock(&ud->sysfs_lock); + + wake_up(&ud->eh_waitq); + } diff --git a/queue-4.9/usbip-vudc-synchronize-sysfs-code-paths.patch b/queue-4.9/usbip-vudc-synchronize-sysfs-code-paths.patch new file mode 100644 index 00000000000..05ef11cfeb0 --- /dev/null +++ b/queue-4.9/usbip-vudc-synchronize-sysfs-code-paths.patch @@ -0,0 +1,75 @@ +From foo@baz Tue Apr 20 01:51:40 PM CEST 2021 +From: Tom Seewald +Date: Fri, 16 Apr 2021 15:53:18 -0500 +Subject: usbip: vudc synchronize sysfs code paths +To: stable@vger.kernel.org +Cc: Shuah Khan , syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman , Tom Seewald , Valentina Manea , Shuah Khan +Message-ID: <20210416205319.14075-3-tseewald@gmail.com> + +From: Shuah Khan + +commit bd8b82042269a95db48074b8bb400678dbac1815 upstream. + +Fuzzing uncovered race condition between sysfs code paths in usbip +drivers. Device connect/disconnect code paths initiated through +sysfs interface are prone to races if disconnect happens during +connect and vice versa. + +Use sysfs_lock to protect sysfs paths in vudc. + +Cc: stable@vger.kernel.org # 4.9.x # 4.14.x +Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/caabcf3fc87bdae970509b5ff32d05bb7ce2fb15.1616807117.git.skhan@linuxfoundation.org +Signed-off-by: Tom Seewald +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/vudc_dev.c | 1 + + drivers/usb/usbip/vudc_sysfs.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/drivers/usb/usbip/vudc_dev.c ++++ b/drivers/usb/usbip/vudc_dev.c +@@ -582,6 +582,7 @@ static int init_vudc_hw(struct vudc *udc + init_waitqueue_head(&udc->tx_waitq); + + spin_lock_init(&ud->lock); ++ mutex_init(&ud->sysfs_lock); + ud->status = SDEV_ST_AVAILABLE; + ud->side = USBIP_VUDC; + +--- a/drivers/usb/usbip/vudc_sysfs.c ++++ b/drivers/usb/usbip/vudc_sysfs.c +@@ -125,6 +125,7 @@ static ssize_t store_sockfd(struct devic + dev_err(dev, "no device"); + return -ENODEV; + } ++ mutex_lock(&udc->ud.sysfs_lock); + spin_lock_irqsave(&udc->lock, flags); + /* Don't export what we don't have */ + if (!udc->driver || !udc->pullup) { +@@ -200,6 +201,8 @@ static ssize_t store_sockfd(struct devic + + wake_up_process(udc->ud.tcp_rx); + wake_up_process(udc->ud.tcp_tx); ++ ++ mutex_unlock(&udc->ud.sysfs_lock); + return count; + + } else { +@@ -220,6 +223,7 @@ static ssize_t store_sockfd(struct devic + } + + spin_unlock_irqrestore(&udc->lock, flags); ++ mutex_unlock(&udc->ud.sysfs_lock); + + return count; + +@@ -229,6 +233,7 @@ unlock_ud: + spin_unlock_irq(&udc->ud.lock); + unlock: + spin_unlock_irqrestore(&udc->lock, flags); ++ mutex_unlock(&udc->ud.sysfs_lock); + + return ret; + }