From 1c8c451d1bc67499d3001aef84b0f67b3c38593c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 20 Mar 2022 11:27:46 +0100 Subject: [PATCH] 5.16-stable patches added patches: scsi-mpt3sas-page-fault-in-reply-q-processing.patch usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch --- ...sas-page-fault-in-reply-q-processing.patch | 88 +++++++++++++++++++ queue-5.16/series | 4 + ...ee-bug-by-not-setting-udc-dev.driver.patch | 86 ++++++++++++++++++ ...teger-overflow-in-rndis_set_response.patch | 31 +++++++ ...pipe-direction-for-control-transfers.patch | 86 ++++++++++++++++++ 5 files changed, 295 insertions(+) create mode 100644 queue-5.16/scsi-mpt3sas-page-fault-in-reply-q-processing.patch create mode 100644 queue-5.16/usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch create mode 100644 queue-5.16/usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch create mode 100644 queue-5.16/usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch diff --git a/queue-5.16/scsi-mpt3sas-page-fault-in-reply-q-processing.patch b/queue-5.16/scsi-mpt3sas-page-fault-in-reply-q-processing.patch new file mode 100644 index 00000000000..b1c63aa9d8f --- /dev/null +++ b/queue-5.16/scsi-mpt3sas-page-fault-in-reply-q-processing.patch @@ -0,0 +1,88 @@ +From 69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3 Mon Sep 17 00:00:00 2001 +From: Matt Lupfer +Date: Tue, 8 Mar 2022 15:27:02 +0000 +Subject: scsi: mpt3sas: Page fault in reply q processing + +From: Matt Lupfer + +commit 69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3 upstream. + +A page fault was encountered in mpt3sas on a LUN reset error path: + +[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0) +[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2) +[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2) +[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00 +[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0) +[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0) +[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002) +[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d +[ 149.885617] #PF: supervisor read access in kernel mode +[ 149.894346] #PF: error_code(0x0000) - not-present page +[ 149.903123] PGD 0 P4D 0 +[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1 +[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021 +[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas] +[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee +[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246 +[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071 +[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8 +[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff +[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000 +[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80 +[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000 +[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0 +[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 150.108323] PKRU: 55555554 +[ 150.114690] Call Trace: +[ 150.120497] ? printk+0x48/0x4a +[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas] +[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas] +[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas] +[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod] +[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod] +[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] +[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60 +[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] +[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod] +[ 150.203206] ? __schedule+0x1e9/0x610 +[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod] +[ 150.217924] kthread+0x12e/0x150 +[ 150.224041] ? kthread_worker_fn+0x130/0x130 +[ 150.231206] ret_from_fork+0x1f/0x30 + +This is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q +pointer outside of the list_for_each_entry() loop. At the end of the full +list traversal the pointer is invalid. + +Move the _base_process_reply_queue() call inside of the loop. + +Link: https://lore.kernel.org/r/d625deae-a958-0ace-2ba3-0888dd0a415b@ddn.com +Fixes: 711a923c14d9 ("scsi: mpt3sas: Postprocessing of target and LUN reset") +Cc: stable@vger.kernel.org +Acked-by: Sreekanth Reddy +Signed-off-by: Matt Lupfer +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -2011,9 +2011,10 @@ mpt3sas_base_sync_reply_irqs(struct MPT3 + enable_irq(reply_q->os_irq); + } + } ++ ++ if (poll) ++ _base_process_reply_queue(reply_q); + } +- if (poll) +- _base_process_reply_queue(reply_q); + } + + /** diff --git a/queue-5.16/series b/queue-5.16/series index a4fc3607570..079ea880c92 100644 --- a/queue-5.16/series +++ b/queue-5.16/series @@ -25,3 +25,7 @@ net-bcmgenet-skip-invalid-partial-checksums.patch net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch iavf-fix-hang-during-reboot-shutdown.patch arm64-fix-clang-warning-about-tramp_valias.patch +usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch +usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch +usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch +scsi-mpt3sas-page-fault-in-reply-q-processing.patch diff --git a/queue-5.16/usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch b/queue-5.16/usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch new file mode 100644 index 00000000000..4e1c6ffe10b --- /dev/null +++ b/queue-5.16/usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch @@ -0,0 +1,86 @@ +From 16b1941eac2bd499f065a6739a40ce0011a3d740 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Sat, 5 Mar 2022 21:47:22 -0500 +Subject: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver + +From: Alan Stern + +commit 16b1941eac2bd499f065a6739a40ce0011a3d740 upstream. + +The syzbot fuzzer found a use-after-free bug: + +BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320 +Read of size 8 at addr ffff88802b934098 by task udevd/3689 + +CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 + __kasan_report mm/kasan/report.c:442 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 + dev_uevent+0x712/0x780 drivers/base/core.c:2320 + uevent_show+0x1b8/0x380 drivers/base/core.c:2391 + dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 + +Although the bug manifested in the driver core, the real cause was a +race with the gadget core. dev_uevent() does: + + if (dev->driver) + add_uevent_var(env, "DRIVER=%s", dev->driver->name); + +and between the test and the dereference of dev->driver, the gadget +core sets dev->driver to NULL. + +The race wouldn't occur if the gadget core registered its devices on +a real bus, using the standard synchronization techniques of the +driver core. However, it's not necessary to make such a large change +in order to fix this bug; all we need to do is make sure that +udc->dev.driver is always NULL. + +In fact, there is no reason for udc->dev.driver ever to be set to +anything, let alone to the value it currently gets: the address of the +gadget's driver. After all, a gadget driver only knows how to manage +a gadget, not how to manage a UDC. + +This patch simply removes the statements in the gadget core that touch +udc->dev.driver. + +Fixes: 2ccea03a8f7e ("usb: gadget: introduce UDC Class") +CC: +Reported-and-tested-by: syzbot+348b571beb5eeb70a582@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YiQgukfFFbBnwJ/9@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -1436,7 +1436,6 @@ static void usb_gadget_remove_driver(str + usb_gadget_udc_stop(udc); + + udc->driver = NULL; +- udc->dev.driver = NULL; + udc->gadget->dev.driver = NULL; + } + +@@ -1498,7 +1497,6 @@ static int udc_bind_to_driver(struct usb + driver->function); + + udc->driver = driver; +- udc->dev.driver = &driver->driver; + udc->gadget->dev.driver = &driver->driver; + + usb_gadget_udc_set_speed(udc, driver->max_speed); +@@ -1521,7 +1519,6 @@ err1: + dev_err(&udc->dev, "failed to start %s: %d\n", + udc->driver->function, ret); + udc->driver = NULL; +- udc->dev.driver = NULL; + udc->gadget->dev.driver = NULL; + return ret; + } diff --git a/queue-5.16/usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch b/queue-5.16/usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch new file mode 100644 index 00000000000..001e879c856 --- /dev/null +++ b/queue-5.16/usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch @@ -0,0 +1,31 @@ +From 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 1 Mar 2022 11:04:24 +0300 +Subject: usb: gadget: rndis: prevent integer overflow in rndis_set_response() + +From: Dan Carpenter + +commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa upstream. + +If "BufOffset" is very large the "BufOffset + 8" operation can have an +integer overflow. + +Cc: stable@kernel.org +Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20220301080424.GA17208@kili +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/rndis.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/rndis.c ++++ b/drivers/usb/gadget/function/rndis.c +@@ -640,6 +640,7 @@ static int rndis_set_response(struct rnd + BufLength = le32_to_cpu(buf->InformationBufferLength); + BufOffset = le32_to_cpu(buf->InformationBufferOffset); + if ((BufLength > RNDIS_MAX_TOTAL_SIZE) || ++ (BufOffset > RNDIS_MAX_TOTAL_SIZE) || + (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)) + return -EINVAL; + diff --git a/queue-5.16/usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch b/queue-5.16/usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch new file mode 100644 index 00000000000..e5b59ff0ab0 --- /dev/null +++ b/queue-5.16/usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch @@ -0,0 +1,86 @@ +From e9b667a82cdcfe21d590344447d65daed52b353b Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 3 Mar 2022 16:00:17 -0500 +Subject: usb: usbtmc: Fix bug in pipe direction for control transfers + +From: Alan Stern + +commit e9b667a82cdcfe21d590344447d65daed52b353b upstream. + +The syzbot fuzzer reported a minor bug in the usbtmc driver: + +usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 +WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 +usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 +Modules linked in: +CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted +5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 +... +Call Trace: + + usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58 + usb_internal_control_msg drivers/usb/core/message.c:102 [inline] + usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153 + usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline] + +The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for +all of its transfers, whether they are in or out. It's easy to fix. + +CC: +Reported-and-tested-by: syzbot+a48e3d1a875240cab5de@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YiEsYTPEE6lOCOA5@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/usbtmc.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -1919,6 +1919,7 @@ static int usbtmc_ioctl_request(struct u + struct usbtmc_ctrlrequest request; + u8 *buffer = NULL; + int rv; ++ unsigned int is_in, pipe; + unsigned long res; + + res = copy_from_user(&request, arg, sizeof(struct usbtmc_ctrlrequest)); +@@ -1928,12 +1929,14 @@ static int usbtmc_ioctl_request(struct u + if (request.req.wLength > USBTMC_BUFSIZE) + return -EMSGSIZE; + ++ is_in = request.req.bRequestType & USB_DIR_IN; ++ + if (request.req.wLength) { + buffer = kmalloc(request.req.wLength, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +- if ((request.req.bRequestType & USB_DIR_IN) == 0) { ++ if (!is_in) { + /* Send control data to device */ + res = copy_from_user(buffer, request.data, + request.req.wLength); +@@ -1944,8 +1947,12 @@ static int usbtmc_ioctl_request(struct u + } + } + ++ if (is_in) ++ pipe = usb_rcvctrlpipe(data->usb_dev, 0); ++ else ++ pipe = usb_sndctrlpipe(data->usb_dev, 0); + rv = usb_control_msg(data->usb_dev, +- usb_rcvctrlpipe(data->usb_dev, 0), ++ pipe, + request.req.bRequest, + request.req.bRequestType, + request.req.wValue, +@@ -1957,7 +1964,7 @@ static int usbtmc_ioctl_request(struct u + goto exit; + } + +- if (rv && (request.req.bRequestType & USB_DIR_IN)) { ++ if (rv && is_in) { + /* Read control data from device */ + res = copy_to_user(request.data, buffer, rv); + if (res) -- 2.47.3