From daa96891ae27e0f92f95c16c7fda52dbe79e051f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 18 May 2020 10:12:01 +0200 Subject: [PATCH] 5.4-stable patches added patches: usb-usbfs-correct-kernel-user-page-attribute-mismatch.patch usb-usbfs-fix-mmap-dma-mismatch.patch --- queue-5.4/series | 2 + ...-kernel-user-page-attribute-mismatch.patch | 61 +++++++++++++++++++ .../usb-usbfs-fix-mmap-dma-mismatch.patch | 59 ++++++++++++++++++ 3 files changed, 122 insertions(+) create mode 100644 queue-5.4/usb-usbfs-correct-kernel-user-page-attribute-mismatch.patch create mode 100644 queue-5.4/usb-usbfs-fix-mmap-dma-mismatch.patch diff --git a/queue-5.4/series b/queue-5.4/series index c4e7c6eda91..259b5ffc233 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -100,3 +100,5 @@ gcc-10-disable-restrict-warning-for-now.patch gcc-10-warnings-fix-low-hanging-fruit.patch gcc-10-mark-more-functions-__init-to-avoid-section-mismatch-warnings.patch gcc-10-avoid-shadowing-standard-library-free-in-crypto.patch +usb-usbfs-correct-kernel-user-page-attribute-mismatch.patch +usb-usbfs-fix-mmap-dma-mismatch.patch diff --git a/queue-5.4/usb-usbfs-correct-kernel-user-page-attribute-mismatch.patch b/queue-5.4/usb-usbfs-correct-kernel-user-page-attribute-mismatch.patch new file mode 100644 index 00000000000..1978b516bc3 --- /dev/null +++ b/queue-5.4/usb-usbfs-correct-kernel-user-page-attribute-mismatch.patch @@ -0,0 +1,61 @@ +From 2bef9aed6f0e22391c8d4570749b1acc9bc3981e Mon Sep 17 00:00:00 2001 +From: Jeremy Linton +Date: Mon, 4 May 2020 15:13:48 -0500 +Subject: usb: usbfs: correct kernel->user page attribute mismatch + +From: Jeremy Linton + +commit 2bef9aed6f0e22391c8d4570749b1acc9bc3981e upstream. + +On some architectures (e.g. arm64) requests for +IO coherent memory may use non-cachable attributes if +the relevant device isn't cache coherent. If these +pages are then remapped into userspace as cacheable, +they may not be coherent with the non-cacheable mappings. + +In particular this happens with libusb, when it attempts +to create zero-copy buffers for use by rtl-sdr +(https://github.com/osmocom/rtl-sdr/). On low end arm +devices with non-coherent USB ports, the application will +be unexpectedly killed, while continuing to work fine on +arm machines with coherent USB controllers. + +This bug has been discovered/reported a few times over +the last few years. In the case of rtl-sdr a compile time +option to enable/disable zero copy was implemented to +work around it. + +Rather than relaying on application specific workarounds, +dma_mmap_coherent() can be used instead of remap_pfn_range(). +The page cache/etc attributes will then be correctly set in +userspace to match the kernel mapping. + +Signed-off-by: Jeremy Linton +Cc: stable +Link: https://lore.kernel.org/r/20200504201348.1183246-1-jeremy.linton@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/devio.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -217,6 +217,7 @@ static int usbdev_mmap(struct file *file + { + struct usb_memory *usbm = NULL; + struct usb_dev_state *ps = file->private_data; ++ struct usb_hcd *hcd = bus_to_hcd(ps->dev->bus); + size_t size = vma->vm_end - vma->vm_start; + void *mem; + unsigned long flags; +@@ -250,9 +251,7 @@ static int usbdev_mmap(struct file *file + usbm->vma_use_count = 1; + INIT_LIST_HEAD(&usbm->memlist); + +- if (remap_pfn_range(vma, vma->vm_start, +- virt_to_phys(usbm->mem) >> PAGE_SHIFT, +- size, vma->vm_page_prot) < 0) { ++ if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, size)) { + dec_usb_memory_use_count(usbm, &usbm->vma_use_count); + return -EAGAIN; + } diff --git a/queue-5.4/usb-usbfs-fix-mmap-dma-mismatch.patch b/queue-5.4/usb-usbfs-fix-mmap-dma-mismatch.patch new file mode 100644 index 00000000000..c9fb94f35b5 --- /dev/null +++ b/queue-5.4/usb-usbfs-fix-mmap-dma-mismatch.patch @@ -0,0 +1,59 @@ +From a0e710a7def471b8eb779ff551fc27701da49599 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 14 May 2020 13:27:11 +0200 +Subject: USB: usbfs: fix mmap dma mismatch + +From: Greg Kroah-Hartman + +commit a0e710a7def471b8eb779ff551fc27701da49599 upstream. + +In commit 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute +mismatch") we switched from always calling remap_pfn_range() to call +dma_mmap_coherent() to handle issues with systems with non-coherent USB host +controller drivers. Unfortunatly, as syzbot quickly told us, not all the world +is host controllers with DMA support, so we need to check what host controller +we are attempting to talk to before doing this type of allocation. + +Thanks to Christoph for the quick idea of how to fix this. + +Fixes: 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute mismatch") +Cc: Christoph Hellwig +Cc: Hillf Danton +Cc: Thomas Gleixner +Cc: Jeremy Linton +Cc: stable +Reported-by: syzbot+353be47c9ce21b68b7ed@syzkaller.appspotmail.com +Reviewed-by: Jeremy Linton +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20200514112711.1858252-1-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -251,9 +251,19 @@ static int usbdev_mmap(struct file *file + usbm->vma_use_count = 1; + INIT_LIST_HEAD(&usbm->memlist); + +- if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, size)) { +- dec_usb_memory_use_count(usbm, &usbm->vma_use_count); +- return -EAGAIN; ++ if (hcd->localmem_pool || !hcd_uses_dma(hcd)) { ++ if (remap_pfn_range(vma, vma->vm_start, ++ virt_to_phys(usbm->mem) >> PAGE_SHIFT, ++ size, vma->vm_page_prot) < 0) { ++ dec_usb_memory_use_count(usbm, &usbm->vma_use_count); ++ return -EAGAIN; ++ } ++ } else { ++ if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, ++ size)) { ++ dec_usb_memory_use_count(usbm, &usbm->vma_use_count); ++ return -EAGAIN; ++ } + } + + vma->vm_flags |= VM_IO; -- 2.47.3