From 9ac01f0c331bc80174c548e809835d69d5c898be Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 Jun 2024 19:59:39 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
drivers-core-synchronize-really_probe-and-dev_uevent.patch
---
...chronize-really_probe-and-dev_uevent.patch | 104 ++++++++++++++++++
...-rt-cache-flush-via-sysctl-using-a-p.patch | 9 +-
queue-4.19/series | 1 +
3 files changed, 107 insertions(+), 7 deletions(-)
create mode 100644 queue-4.19/drivers-core-synchronize-really_probe-and-dev_uevent.patch
diff --git a/queue-4.19/drivers-core-synchronize-really_probe-and-dev_uevent.patch b/queue-4.19/drivers-core-synchronize-really_probe-and-dev_uevent.patch
new file mode 100644
index 00000000000..1dcd092a675
--- /dev/null
+++ b/queue-4.19/drivers-core-synchronize-really_probe-and-dev_uevent.patch
@@ -0,0 +1,104 @@
+From c0a40097f0bc81deafc15f9195d1fb54595cd6d0 Mon Sep 17 00:00:00 2001
+From: Dirk Behme
+Date: Mon, 13 May 2024 07:06:34 +0200
+Subject: drivers: core: synchronize really_probe() and dev_uevent()
+
+From: Dirk Behme
+
+commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0 upstream.
+
+Synchronize the dev->driver usage in really_probe() and dev_uevent().
+These can run in different threads, what can result in the following
+race condition for dev->driver uninitialization:
+
+Thread #1:
+==========
+
+really_probe() {
+...
+probe_failed:
+...
+device_unbind_cleanup(dev) {
+ ...
+ dev->driver = NULL; // <= Failed probe sets dev->driver to NULL
+ ...
+ }
+...
+}
+
+Thread #2:
+==========
+
+dev_uevent() {
+...
+if (dev->driver)
+ // If dev->driver is NULLed from really_probe() from here on,
+ // after above check, the system crashes
+ add_uevent_var(env, "DRIVER=%s", dev->driver->name);
+...
+}
+
+really_probe() holds the lock, already. So nothing needs to be done
+there. dev_uevent() is called with lock held, often, too. But not
+always. What implies that we can't add any locking in dev_uevent()
+itself. So fix this race by adding the lock to the non-protected
+path. This is the path where above race is observed:
+
+ dev_uevent+0x235/0x380
+ uevent_show+0x10c/0x1f0 <= Add lock here
+ dev_attr_show+0x3a/0xa0
+ sysfs_kf_seq_show+0x17c/0x250
+ kernfs_seq_show+0x7c/0x90
+ seq_read_iter+0x2d7/0x940
+ kernfs_fop_read_iter+0xc6/0x310
+ vfs_read+0x5bc/0x6b0
+ ksys_read+0xeb/0x1b0
+ __x64_sys_read+0x42/0x50
+ x64_sys_call+0x27ad/0x2d30
+ do_syscall_64+0xcd/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Similar cases are reported by syzkaller in
+
+https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a
+
+But these are regarding the *initialization* of dev->driver
+
+dev->driver = drv;
+
+As this switches dev->driver to non-NULL these reports can be considered
+to be false-positives (which should be "fixed" by this commit, as well,
+though).
+
+The same issue was reported and tried to be fixed back in 2015 in
+
+https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/
+
+already.
+
+Fixes: 239378f16aa1 ("Driver core: add uevent vars for devices of a class")
+Cc: stable
+Cc: syzbot+ffa8143439596313a85a@syzkaller.appspotmail.com
+Cc: Ashish Sangwan
+Cc: Namjae Jeon
+Signed-off-by: Dirk Behme
+Link: https://lore.kernel.org/r/20240513050634.3964461-1-dirk.behme@de.bosch.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -1236,8 +1236,11 @@ static ssize_t uevent_show(struct device
+ if (!env)
+ return -ENOMEM;
+
++ /* Synchronize with really_probe() */
++ device_lock(dev);
+ /* let the kset specific function add its keys */
+ retval = kset->uevent_ops->uevent(kset, &dev->kobj, env);
++ device_unlock(dev);
+ if (retval)
+ goto out;
+
diff --git a/queue-4.19/net-ipv6-fix-the-rt-cache-flush-via-sysctl-using-a-p.patch b/queue-4.19/net-ipv6-fix-the-rt-cache-flush-via-sysctl-using-a-p.patch
index 6ba76385af5..b3abc8862d6 100644
--- a/queue-4.19/net-ipv6-fix-the-rt-cache-flush-via-sysctl-using-a-p.patch
+++ b/queue-4.19/net-ipv6-fix-the-rt-cache-flush-via-sysctl-using-a-p.patch
@@ -26,14 +26,12 @@ Link: https://lore.kernel.org/r/20240607112828.30285-1-petr.pavlu@suse.com
 Signed-off-by: Jakub Kicinski
 Signed-off-by: Sasha Levin
 ---
- net/ipv6/route.c | 4 ++--
+ net/ipv6/route.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 50bf2ffe1f2a5..d060b22554a22 100644
 --- a/net/ipv6/route.c
 +++ b/net/ipv6/route.c
-@@ -5170,12 +5170,12 @@ int ipv6_sysctl_rtcache_flush(struct ctl_table *ctl, int write,
+@@ -5170,12 +5170,12 @@ int ipv6_sysctl_rtcache_flush(struct ctl
 if (!write)
 return -EINVAL;
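Review bot: The backported hunk takes `device_lock(dev)` inside the sysfs attribute handler uevent_show() around the `kset->uevent_ops->uevent()` call, which is the lock-in-show-handler pattern that can deadlock: a thread holding the device lock while removing that device's attributes (driver detach/unbind) waits for the active reader to leave the show callback, while the reader waits for the device lock. lockdep is unlikely to flag this because dev->mutex is, as far as I know, registered with lockdep_set_novalidate_class(), so the practical check for the 4.19 queue is unbind/rebind stress with a udev consumer reading the uevent attribute. If I recall correctly, upstream later replaced this device_lock() in uevent_show() with an RCU-protected read of dev->driver for exactly this reason; if so, that follow-up should be queued together with this patch rather than shipping the device_lock() version alone. The error path itself is fine: `device_unlock(dev)` precedes `if (retval) goto out;`, so no lock is leaked on failure. The enclosing uevent_show() body begins and ends outside the hunk.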
@@ -48,6 +46,3 @@ index 50bf2ffe1f2a5..d060b22554a22 100644
 fib6_run_gc(delay <= 0 ? 0 : (unsigned long)delay, net, delay > 0);
 return 0;
 }
---
-2.43.0
-
diff --git a/queue-4.19/series b/queue-4.19/series
index 87b32988d01..ffba8f795c3 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -47,3 +47,4 @@ bluetooth-l2cap-fix-rejecting-l2cap_conn_param_updat.patch
 netfilter-use-flowlabel-flow-key-when-re-routing-man.patch
 ipv6-route-add-a-missing-check-on-proc_dointvec.patch
 net-ipv6-fix-the-rt-cache-flush-via-sysctl-using-a-p.patch
+drivers-core-synchronize-really_probe-and-dev_uevent.patch
--
2.47.3