gcc-10-warnings-fix-low-hanging-fruit.patch
gcc-10-mark-more-functions-__init-to-avoid-section-mismatch-warnings.patch
gcc-10-avoid-shadowing-standard-library-free-in-crypto.patch
+usb-usbfs-correct-kernel-user-page-attribute-mismatch.patch
+usb-usbfs-fix-mmap-dma-mismatch.patch
--- /dev/null
+From 2bef9aed6f0e22391c8d4570749b1acc9bc3981e Mon Sep 17 00:00:00 2001
+From: Jeremy Linton <jeremy.linton@arm.com>
+Date: Mon, 4 May 2020 15:13:48 -0500
+Subject: usb: usbfs: correct kernel->user page attribute mismatch
+
+From: Jeremy Linton <jeremy.linton@arm.com>
+
+commit 2bef9aed6f0e22391c8d4570749b1acc9bc3981e upstream.
+
+On some architectures (e.g. arm64) requests for
+IO coherent memory may use non-cachable attributes if
+the relevant device isn't cache coherent. If these
+pages are then remapped into userspace as cacheable,
+they may not be coherent with the non-cacheable mappings.
+
+In particular this happens with libusb, when it attempts
+to create zero-copy buffers for use by rtl-sdr
+(https://github.com/osmocom/rtl-sdr/). On low end arm
+devices with non-coherent USB ports, the application will
+be unexpectedly killed, while continuing to work fine on
+arm machines with coherent USB controllers.
+
+This bug has been discovered/reported a few times over
+the last few years. In the case of rtl-sdr a compile time
+option to enable/disable zero copy was implemented to
+work around it.
+
+Rather than relaying on application specific workarounds,
+dma_mmap_coherent() can be used instead of remap_pfn_range().
+The page cache/etc attributes will then be correctly set in
+userspace to match the kernel mapping.
+
+Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200504201348.1183246-1-jeremy.linton@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -217,6 +217,7 @@ static int usbdev_mmap(struct file *file
+ {
+ struct usb_memory *usbm = NULL;
+ struct usb_dev_state *ps = file->private_data;
++ struct usb_hcd *hcd = bus_to_hcd(ps->dev->bus);
+ size_t size = vma->vm_end - vma->vm_start;
+ void *mem;
+ unsigned long flags;
+@@ -250,9 +251,7 @@ static int usbdev_mmap(struct file *file
+ usbm->vma_use_count = 1;
+ INIT_LIST_HEAD(&usbm->memlist);
+
+- if (remap_pfn_range(vma, vma->vm_start,
+- virt_to_phys(usbm->mem) >> PAGE_SHIFT,
+- size, vma->vm_page_prot) < 0) {
++ if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, size)) {
+ dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
+ return -EAGAIN;
+ }
--- /dev/null
+From a0e710a7def471b8eb779ff551fc27701da49599 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 14 May 2020 13:27:11 +0200
+Subject: USB: usbfs: fix mmap dma mismatch
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit a0e710a7def471b8eb779ff551fc27701da49599 upstream.
+
+In commit 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute
+mismatch") we switched from always calling remap_pfn_range() to call
+dma_mmap_coherent() to handle issues with systems with non-coherent USB host
+controller drivers. Unfortunatly, as syzbot quickly told us, not all the world
+is host controllers with DMA support, so we need to check what host controller
+we are attempting to talk to before doing this type of allocation.
+
+Thanks to Christoph for the quick idea of how to fix this.
+
+Fixes: 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute mismatch")
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Jeremy Linton <jeremy.linton@arm.com>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot+353be47c9ce21b68b7ed@syzkaller.appspotmail.com
+Reviewed-by: Jeremy Linton <jeremy.linton@arm.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20200514112711.1858252-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -251,9 +251,19 @@ static int usbdev_mmap(struct file *file
+ usbm->vma_use_count = 1;
+ INIT_LIST_HEAD(&usbm->memlist);
+
+- if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, size)) {
+- dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
+- return -EAGAIN;
++ if (hcd->localmem_pool || !hcd_uses_dma(hcd)) {
++ if (remap_pfn_range(vma, vma->vm_start,
++ virt_to_phys(usbm->mem) >> PAGE_SHIFT,
++ size, vma->vm_page_prot) < 0) {
++ dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
++ return -EAGAIN;
++ }
++ } else {
++ if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle,
++ size)) {
++ dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
++ return -EAGAIN;
++ }
+ }
+
+ vma->vm_flags |= VM_IO;
projects / thirdparty / kernel / stable-queue.git / commitdiff
