From f1ca11354ef2813327a1f57e7969f99aeb0ac7a5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 16 Aug 2022 12:06:31 +0200
Subject: [PATCH] drop usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch from everywhere
---
 queue-4.14/series | 1 -
 ...se-after-free-read-in-usb_udc_uevent.patch | 72 -------------------
 queue-4.19/series | 1 -
 ...se-after-free-read-in-usb_udc_uevent.patch | 72 -------------------
 queue-4.9/series | 1 -
 ...se-after-free-read-in-usb_udc_uevent.patch | 72 -------------------
 queue-5.10/series | 1 -
 ...se-after-free-read-in-usb_udc_uevent.patch | 72 -------------------
 queue-5.15/series | 1 -
 ...se-after-free-read-in-usb_udc_uevent.patch | 72 -------------------
 queue-5.18/series | 1 -
 ...se-after-free-read-in-usb_udc_uevent.patch | 72 -------------------
 queue-5.19/series | 1 -
 ...se-after-free-read-in-usb_udc_uevent.patch | 72 -------------------
 queue-5.4/series | 1 -
 ...se-after-free-read-in-usb_udc_uevent.patch | 72 -------------------
 16 files changed, 584 deletions(-)
 delete mode 100644 queue-4.14/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 delete mode 100644 queue-4.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 delete mode 100644 queue-4.9/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 delete mode 100644 queue-5.10/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 delete mode 100644 queue-5.15/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 delete mode 100644 queue-5.18/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 delete mode 100644 queue-5.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 delete mode 100644 queue-5.4/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
diff --git a/queue-4.14/series b/queue-4.14/series
index 05ad6625cab..be05a7875b2 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -35,7 +35,6 @@ powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch
 powerpc-powernv-avoid-crashing-if-rng-is-null.patch
 mips-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
 usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
 arm64-do-not-forget-syscall-when-starting-a-new-thre.patch
 arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch
diff --git a/queue-4.14/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-4.14/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
deleted file mode 100644
index 23752c995fb..00000000000
--- a/queue-4.14/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. 
- -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1574,13 +1574,14 @@ static int usb_udc_uevent(struct device - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0;
diff --git a/queue-4.19/series b/queue-4.19/series
index f85f92561f8..604c3fd04e5 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -35,7 +35,6 @@ powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch
 powerpc-powernv-avoid-crashing-if-rng-is-null.patch
 mips-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
 usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch
 netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
 arm64-do-not-forget-syscall-when-starting-a-new-thre.patch
diff --git a/queue-4.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-4.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
deleted file mode 100644
index c50773e6b72..00000000000
--- a/queue-4.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. 
- -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1587,13 +1587,14 @@ static int usb_udc_uevent(struct device - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0;
diff --git a/queue-4.9/series b/queue-4.9/series
index b7a1e4e5d9b..13ec8cb4a90 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -43,7 +43,6 @@ powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch
 powerpc-powernv-avoid-crashing-if-rng-is-null.patch
 mips-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
 usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
 scsi-zfcp-fix-missing-auto-port-scan-and-thus-missing-target-ports.patch
 x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch
diff --git a/queue-4.9/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-4.9/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
deleted file mode 100644
index 4807ff912d8..00000000000
--- a/queue-4.9/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. 
- -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1527,13 +1527,14 @@ static int usb_udc_uevent(struct device - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0;
diff --git a/queue-5.10/series b/queue-5.10/series
index ff638edd917..c44e7f95952 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -67,7 +67,6 @@ usb-typec-ucsi-acknowledge-the-get_error_status-command-completion.patch
 usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
 arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch
 arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch
 usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch
 lockdep-allow-tuning-tracing-capacity-constants.patch
diff --git a/queue-5.10/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-5.10/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
deleted file mode 100644
index 1ba25dbb650..00000000000
--- a/queue-5.10/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. 
- -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1647,13 +1647,14 @@ static int usb_udc_uevent(struct device - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0;
diff --git a/queue-5.15/series b/queue-5.15/series
index 7f908736412..2e33993efb0 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -100,7 +100,6 @@ usb-typec-ucsi-acknowledge-the-get_error_status-command-completion.patch
 usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
 arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch
 arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch
 usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch
 netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch
diff --git a/queue-5.15/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-5.15/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
deleted file mode 100644
index 591b512fa0c..00000000000
--- a/queue-5.15/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. 
- -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1739,13 +1739,14 @@ static int usb_udc_uevent(struct device - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0;
diff --git a/queue-5.18/series b/queue-5.18/series
index c58a6594b98..1410e3e0bc0 100644
--- a/queue-5.18/series
+++ b/queue-5.18/series
@@ -124,7 +124,6 @@ usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
 revert-net-usb-ax88179_178a-needs-flag_send_zlp.patch
 arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch
 arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch
 usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch
 netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch
diff --git a/queue-5.18/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-5.18/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
deleted file mode 100644
index 4dacb516ff3..00000000000
--- a/queue-5.18/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. 
- -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1745,13 +1745,14 @@ static int usb_udc_uevent(struct device - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0;
diff --git a/queue-5.19/series b/queue-5.19/series
index 2a7ae1c6d92..9214fddcc09 100644
--- a/queue-5.19/series
+++ b/queue-5.19/series
@@ -134,7 +134,6 @@ usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
 revert-net-usb-ax88179_178a-needs-flag_send_zlp.patch
 arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch
 arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch
 usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch
 netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch
diff --git a/queue-5.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-5.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
deleted file mode 100644
index dcacd412bb3..00000000000
--- a/queue-5.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. 
- -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1728,13 +1728,14 @@ static int usb_udc_uevent(struct device - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0;
diff --git a/queue-5.4/series b/queue-5.4/series
index 36296306a73..c247a022d87 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -46,7 +46,6 @@ coresight-clear-the-connection-field-properly.patch
 usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch
 arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch
 arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
 netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch
 netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch
 netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
diff --git a/queue-5.4/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-5.4/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
deleted file mode 100644
index 11d1d378c41..00000000000
--- a/queue-5.4/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 2191c00855b03aa59c20e698be713d952d51fc18 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -commit 2191c00855b03aa59c20e698be713d952d51fc18 upstream. - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. 
- -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1592,13 +1592,14 @@ static int usb_udc_uevent(struct device - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0;
-- 
2.47.3