From ab5272903b0531a6cd5fc4053a92294012cbb5da Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 12 Aug 2025 18:22:05 +0200 Subject: [PATCH] 5.4-stable patches added patches: mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch --- ...tlb-r4k-uniquify-tlb-entries-on-init.patch | 98 +++++++++++++++++++ queue-5.4/series | 2 + ...-after-free-in-composite_dev_cleanup.patch | 51 ++++++++++ 3 files changed, 151 insertions(+) create mode 100644 queue-5.4/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch create mode 100644 queue-5.4/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch diff --git a/queue-5.4/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch b/queue-5.4/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch new file mode 100644 index 0000000000..cdfe118eba --- /dev/null +++ b/queue-5.4/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch @@ -0,0 +1,98 @@ +From 35ad7e181541aa5757f9f316768d3e64403ec843 Mon Sep 17 00:00:00 2001 +From: Jiaxun Yang +Date: Sat, 7 Jun 2025 13:43:56 +0100 +Subject: MIPS: mm: tlb-r4k: Uniquify TLB entries on init + +From: Jiaxun Yang + +commit 35ad7e181541aa5757f9f316768d3e64403ec843 upstream. + +Hardware or bootloader will initialize TLB entries to any value, which +may collide with kernel's UNIQUE_ENTRYHI value. On MIPS microAptiv/M5150 +family of cores this will trigger machine check exception and cause boot +failure. On M5150 simulation this could happen 7 times out of 1000 boots. + +Replace local_flush_tlb_all() with r4k_tlb_uniquify() which probes each +TLB ENTRIHI unique value for collisions before it's written, and in case +of collision try a different ASID. + +Cc: stable@kernel.org +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/tlb-r4k.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 55 insertions(+), 1 deletion(-) + +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -497,6 +497,60 @@ static int __init set_ntlb(char *str) + + __setup("ntlb=", set_ntlb); + ++/* Initialise all TLB entries with unique values */ ++static void r4k_tlb_uniquify(void) ++{ ++ int entry = num_wired_entries(); ++ ++ htw_stop(); ++ write_c0_entrylo0(0); ++ write_c0_entrylo1(0); ++ ++ while (entry < current_cpu_data.tlbsize) { ++ unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data); ++ unsigned long asid = 0; ++ int idx; ++ ++ /* Skip wired MMID to make ginvt_mmid work */ ++ if (cpu_has_mmid) ++ asid = MMID_KERNEL_WIRED + 1; ++ ++ /* Check for match before using UNIQUE_ENTRYHI */ ++ do { ++ if (cpu_has_mmid) { ++ write_c0_memorymapid(asid); ++ write_c0_entryhi(UNIQUE_ENTRYHI(entry)); ++ } else { ++ write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid); ++ } ++ mtc0_tlbw_hazard(); ++ tlb_probe(); ++ tlb_probe_hazard(); ++ idx = read_c0_index(); ++ /* No match or match is on current entry */ ++ if (idx < 0 || idx == entry) ++ break; ++ /* ++ * If we hit a match, we need to try again with ++ * a different ASID. ++ */ ++ asid++; ++ } while (asid < asid_mask); ++ ++ if (idx >= 0 && idx != entry) ++ panic("Unable to uniquify TLB entry %d", idx); ++ ++ write_c0_index(entry); ++ mtc0_tlbw_hazard(); ++ tlb_write_indexed(); ++ entry++; ++ } ++ ++ tlbw_use_hazard(); ++ htw_start(); ++ flush_micro_tlb(); ++} ++ + /* + * Configure TLB (for init or after a CPU has been powered off). + */ +@@ -536,7 +590,7 @@ static void r4k_tlb_configure(void) + temp_tlb_entry = current_cpu_data.tlbsize - 1; + + /* From this point on the ARC firmware is dead. */ +- local_flush_tlb_all(); ++ r4k_tlb_uniquify(); + + /* Did I tell you that ARC SUCKS? */ + } diff --git a/queue-5.4/series b/queue-5.4/series index 1408b65db5..5e1178accd 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -151,3 +151,5 @@ perf-core-prevent-vma-split-of-buffer-mappings.patch net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch vsock-do-not-allow-binding-to-vmaddr_port_any.patch usb-serial-option-add-foxconn-t99w709.patch +mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch +usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch diff --git a/queue-5.4/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch b/queue-5.4/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch new file mode 100644 index 0000000000..ccbe1d6237 --- /dev/null +++ b/queue-5.4/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch @@ -0,0 +1,51 @@ +From 151c0aa896c47a4459e07fee7d4843f44c1bb18e Mon Sep 17 00:00:00 2001 +From: Tao Xue +Date: Mon, 21 Jul 2025 17:39:08 +0800 +Subject: usb: gadget : fix use-after-free in composite_dev_cleanup() + +From: Tao Xue + +commit 151c0aa896c47a4459e07fee7d4843f44c1bb18e upstream. + +1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): +if kmalloc fails, the pointer cdev->os_desc_req will be freed but not +set to NULL. Then it will return a failure to the upper-level function. +2. in func configfs_composite_bind() -> composite_dev_cleanup(): +it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it +will attempt to use it.This will lead to a use-after-free issue. + +BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 +Read of size 8 at addr 0000004827837a00 by task init/1 + +CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 + kasan_report+0x188/0x1cc + __asan_load8+0xb4/0xbc + composite_dev_cleanup+0xf4/0x2c0 + configfs_composite_bind+0x210/0x7ac + udc_bind_to_driver+0xb4/0x1ec + usb_gadget_probe_driver+0xec/0x21c + gadget_dev_desc_UDC_store+0x264/0x27c + +Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support") +Cc: stable +Signed-off-by: Tao Xue +Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -2241,6 +2241,11 @@ int composite_os_desc_req_prepare(struct + if (!cdev->os_desc_req->buf) { + ret = -ENOMEM; + usb_ep_free_request(ep0, cdev->os_desc_req); ++ /* ++ * Set os_desc_req to NULL so that composite_dev_cleanup() ++ * will not try to free it again. ++ */ ++ cdev->os_desc_req = NULL; + goto end; + } + cdev->os_desc_req->context = cdev; -- 2.47.3