--- /dev/null
+From e409a6a3e0690efdef9b8a96197bc61ff117cfaf Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Mon, 15 Mar 2021 12:50:08 +0100
+Subject: i2c: turn recovery error on init to debug
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit e409a6a3e0690efdef9b8a96197bc61ff117cfaf upstream.
+
+In some configurations, recovery is optional. So, don't throw an error
+when it is not used because e.g. pinctrl settings for recovery are not
+provided. Reword the message and make it debug output.
+
+Reported-by: Klaus Kudielka <klaus.kudielka@gmail.com>
+Tested-by: Klaus Kudielka <klaus.kudielka@gmail.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-core-base.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -262,13 +262,14 @@ EXPORT_SYMBOL_GPL(i2c_recover_bus);
+ static void i2c_init_recovery(struct i2c_adapter *adap)
+ {
+ struct i2c_bus_recovery_info *bri = adap->bus_recovery_info;
+- char *err_str;
++ char *err_str, *err_level = KERN_ERR;
+
+ if (!bri)
+ return;
+
+ if (!bri->recover_bus) {
+- err_str = "no recover_bus() found";
++ err_str = "no suitable method provided";
++ err_level = KERN_DEBUG;
+ goto err;
+ }
+
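Review bot: `err_str` and the new `err_level` only ever point at string literals, yet both are declared as plain `char *`; `const char *err_str, *err_level = KERN_ERR;` would let the compiler reject an accidental write through either pointer. A one-line comment above the `KERN_DEBUG` assignment, for example `/* recovery is optional, so a missing recover_bus() is not an error */`, would also record why only this failure is demoted. The body of i2c_init_recovery continues between this hunk and the next, so the other `goto err` paths, which presumably keep `KERN_ERR`, are not visible here.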
+@@ -296,7 +297,7 @@ static void i2c_init_recovery(struct i2c
+
+ return;
+ err:
+- dev_err(&adap->dev, "Not using recovery: %s\n", err_str);
++ dev_printk(err_level, &adap->dev, "Not using recovery: %s\n", err_str);
+ adap->bus_recovery_info = NULL;
+ }
+
batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
net-ensure-mac-header-is-set-in-virtio_net_hdr_to_skb.patch
net-sched-sch_teql-fix-null-pointer-dereference.patch
+usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch
+usbip-stub-dev-synchronize-sysfs-code-paths.patch
+usbip-synchronize-event-handler-with-sysfs-code-paths.patch
+i2c-turn-recovery-error-on-init-to-debug.patch
--- /dev/null
+From 4e9c93af7279b059faf5bb1897ee90512b258a12 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Mon, 29 Mar 2021 19:36:48 -0600
+Subject: usbip: add sysfs_lock to synchronize sysfs code paths
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream.
+
+Fuzzing uncovered race condition between sysfs code paths in usbip
+drivers. Device connect/disconnect code paths initiated through
+sysfs interface are prone to races if disconnect happens during
+connect and vice versa.
+
+This problem is common to all drivers while it can be reproduced easily
+in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
+
+Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host
+and usip-vudc drivers and the event handler will have to use this lock to
+protect the paths. These changes will be done in subsequent patches.
+
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/usbip_common.h | 3 +++
+ drivers/usb/usbip/vhci_hcd.c | 1 +
+ drivers/usb/usbip/vhci_sysfs.c | 30 +++++++++++++++++++++++++-----
+ 3 files changed, 29 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/usbip/usbip_common.h
++++ b/drivers/usb/usbip/usbip_common.h
+@@ -277,6 +277,9 @@ struct usbip_device {
+ /* lock for status */
+ spinlock_t lock;
+
++ /* mutex for synchronizing sysfs store paths */
++ struct mutex sysfs_lock;
++
+ int sockfd;
+ struct socket *tcp_socket;
+
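Review bot: The comment on `sysfs_lock` does not say how the mutex nests with the `lock` spinlock declared just above it. In the vhci_sysfs.c hunks of this patch the mutex is taken before `vhci->lock` and `ud.lock` and released after them, and because it can sleep it must never be acquired while either spinlock is held. I would extend the comment to something like `/* mutex for synchronizing sysfs store paths; take before ud->lock, never under a spinlock */`.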
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -1115,6 +1115,7 @@ static void vhci_device_init(struct vhci
+ vdev->ud.side = USBIP_VHCI;
+ vdev->ud.status = VDEV_ST_NULL;
+ spin_lock_init(&vdev->ud.lock);
++ mutex_init(&vdev->ud.sysfs_lock);
+
+ INIT_LIST_HEAD(&vdev->priv_rx);
+ INIT_LIST_HEAD(&vdev->priv_tx);
+--- a/drivers/usb/usbip/vhci_sysfs.c
++++ b/drivers/usb/usbip/vhci_sysfs.c
+@@ -199,6 +199,8 @@ static int vhci_port_disconnect(struct v
+
+ usbip_dbg_vhci_sysfs("enter\n");
+
++ mutex_lock(&vdev->ud.sysfs_lock);
++
+ /* lock */
+ spin_lock_irqsave(&vhci->lock, flags);
+ spin_lock(&vdev->ud.lock);
+@@ -209,6 +211,7 @@ static int vhci_port_disconnect(struct v
+ /* unlock */
+ spin_unlock(&vdev->ud.lock);
+ spin_unlock_irqrestore(&vhci->lock, flags);
++ mutex_unlock(&vdev->ud.sysfs_lock);
+
+ return -EINVAL;
+ }
+@@ -219,6 +222,8 @@ static int vhci_port_disconnect(struct v
+
+ usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN);
+
++ mutex_unlock(&vdev->ud.sysfs_lock);
++
+ return 0;
+ }
+
+@@ -363,30 +368,36 @@ static ssize_t store_attach(struct devic
+ else
+ vdev = &vhci->vhci_hcd_hs->vdev[rhport];
+
++ mutex_lock(&vdev->ud.sysfs_lock);
++
+ /* Extract socket from fd. */
+ socket = sockfd_lookup(sockfd, &err);
+ if (!socket) {
+ dev_err(dev, "failed to lookup sock");
+- return -EINVAL;
++ err = -EINVAL;
++ goto unlock_mutex;
+ }
+ if (socket->type != SOCK_STREAM) {
+ dev_err(dev, "Expecting SOCK_STREAM - found %d",
+ socket->type);
+ sockfd_put(socket);
+- return -EINVAL;
++ err = -EINVAL;
++ goto unlock_mutex;
+ }
+
+ /* create threads before locking */
+ tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx");
+ if (IS_ERR(tcp_rx)) {
+ sockfd_put(socket);
+- return -EINVAL;
++ err = -EINVAL;
++ goto unlock_mutex;
+ }
+ tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx");
+ if (IS_ERR(tcp_tx)) {
+ kthread_stop(tcp_rx);
+ sockfd_put(socket);
+- return -EINVAL;
++ err = -EINVAL;
++ goto unlock_mutex;
+ }
+
+ /* get task structs now */
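Review bot: The context comment `/* create threads before locking */` is now misleading, because after the added `mutex_lock(&vdev->ud.sysfs_lock)` the threads are created while a lock is held. The comment presumably refers to the spinlocks taken further down in store_attach, outside this hunk. Rewording it to `/* create threads before taking the spinlocks; kthread_create() may sleep */` would keep a later reader from moving the mutex below the thread creation or the spinlocks above it.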
+@@ -411,7 +422,8 @@ static ssize_t store_attach(struct devic
+ * Will be retried from userspace
+ * if there's another free port.
+ */
+- return -EBUSY;
++ err = -EBUSY;
++ goto unlock_mutex;
+ }
+
+ dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n",
+@@ -436,7 +448,15 @@ static ssize_t store_attach(struct devic
+
+ rh_port_connect(vdev, speed);
+
++ dev_info(dev, "Device attached\n");
++
++ mutex_unlock(&vdev->ud.sysfs_lock);
++
+ return count;
++
++unlock_mutex:
++ mutex_unlock(&vdev->ud.sysfs_lock);
++ return err;
+ }
+ static DEVICE_ATTR(attach, S_IWUSR, NULL, store_attach);
+
--- /dev/null
+From 9dbf34a834563dada91366c2ac266f32ff34641a Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Mon, 29 Mar 2021 19:36:49 -0600
+Subject: usbip: stub-dev synchronize sysfs code paths
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 9dbf34a834563dada91366c2ac266f32ff34641a upstream.
+
+Fuzzing uncovered race condition between sysfs code paths in usbip
+drivers. Device connect/disconnect code paths initiated through
+sysfs interface are prone to races if disconnect happens during
+connect and vice versa.
+
+Use sysfs_lock to protect sysfs paths in stub-dev.
+
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/stub_dev.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -77,6 +77,7 @@ static ssize_t store_sockfd(struct devic
+
+ dev_info(dev, "stub up\n");
+
++ mutex_lock(&sdev->ud.sysfs_lock);
+ spin_lock_irq(&sdev->ud.lock);
+
+ if (sdev->ud.status != SDEV_ST_AVAILABLE) {
+@@ -101,13 +102,13 @@ static ssize_t store_sockfd(struct devic
+ tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx");
+ if (IS_ERR(tcp_rx)) {
+ sockfd_put(socket);
+- return -EINVAL;
++ goto unlock_mutex;
+ }
+ tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx");
+ if (IS_ERR(tcp_tx)) {
+ kthread_stop(tcp_rx);
+ sockfd_put(socket);
+- return -EINVAL;
++ goto unlock_mutex;
+ }
+
+ /* get task structs now */
+@@ -126,6 +127,8 @@ static ssize_t store_sockfd(struct devic
+ wake_up_process(sdev->ud.tcp_rx);
+ wake_up_process(sdev->ud.tcp_tx);
+
++ mutex_unlock(&sdev->ud.sysfs_lock);
++
+ } else {
+ dev_info(dev, "stub down\n");
+
+@@ -136,6 +139,7 @@ static ssize_t store_sockfd(struct devic
+ spin_unlock_irq(&sdev->ud.lock);
+
+ usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN);
++ mutex_unlock(&sdev->ud.sysfs_lock);
+ }
+
+ return count;
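Review bot: The `mutex_unlock(&sdev->ud.sysfs_lock)` added on the "stub down" branch has no matching `mutex_lock()` in any hunk of this patch; the only lock added sits after `dev_info(dev, "stub up\n")` on the other branch. The hunk headers leave four unchanged lines between the "stub down" `dev_info()` and `spin_unlock_irq()`, so unless the lock is taken somewhere not shown, this path unlocks a mutex it does not hold. A `goto err` from that branch does the same, since `err:` falls through to the new `unlock_mutex:` label in the next hunk. Adding `mutex_lock(&sdev->ud.sysfs_lock);` right after the "stub down" `dev_info()` would balance both paths. Indentation is stripped on this page, so the branch structure is inferred from the context lines.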
+@@ -144,6 +148,8 @@ sock_err:
+ sockfd_put(socket);
+ err:
+ spin_unlock_irq(&sdev->ud.lock);
++unlock_mutex:
++ mutex_unlock(&sdev->ud.sysfs_lock);
+ return -EINVAL;
+ }
+ static DEVICE_ATTR(usbip_sockfd, S_IWUSR, NULL, store_sockfd);
+@@ -309,6 +315,7 @@ static struct stub_device *stub_device_a
+ sdev->ud.side = USBIP_STUB;
+ sdev->ud.status = SDEV_ST_AVAILABLE;
+ spin_lock_init(&sdev->ud.lock);
++ mutex_init(&sdev->ud.sysfs_lock);
+ sdev->ud.tcp_socket = NULL;
+ sdev->ud.sockfd = -1;
+
--- /dev/null
+From 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Mon, 29 Mar 2021 19:36:51 -0600
+Subject: usbip: synchronize event handler with sysfs code paths
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814 upstream.
+
+Fuzzing uncovered race condition between sysfs code paths in usbip
+drivers. Device connect/disconnect code paths initiated through
+sysfs interface are prone to races if disconnect happens during
+connect and vice versa.
+
+Use sysfs_lock to synchronize event handler with sysfs paths
+in usbip drivers.
+
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/c5c8723d3f29dfe3d759cfaafa7dd16b0dfe2918.1616807117.git.skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/usbip_event.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/usbip/usbip_event.c
++++ b/drivers/usb/usbip/usbip_event.c
+@@ -84,6 +84,7 @@ static void event_handler(struct work_st
+ while ((ud = get_event()) != NULL) {
+ usbip_dbg_eh("pending event %lx\n", ud->event);
+
++ mutex_lock(&ud->sysfs_lock);
+ /*
+ * NOTE: shutdown must come first.
+ * Shutdown the device.
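Review bot: `event_handler()` now takes `ud->sysfs_lock` for every queued usbip_device, but on this page the mutex is initialised only in `vhci_device_init()` and `stub_device_alloc()`. The first usbip patch's description names a vudc driver as another user of these paths; if that driver exists in this tree and can queue events, its device would reach this `mutex_lock()` with an uninitialised mutex, so its init path needs its own `mutex_init()` call for `ud.sysfs_lock` (not visible here). A comment above the lock stating that the `eh_ops` callbacks run with `sysfs_lock` held and must not take it themselves would also help. The loop body continues between this hunk and the next, which adds the matching `mutex_unlock()`.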
+@@ -104,6 +105,7 @@ static void event_handler(struct work_st
+ ud->eh_ops.unusable(ud);
+ unset_event(ud, USBIP_EH_UNUSABLE);
+ }
++ mutex_unlock(&ud->sysfs_lock);
+
+ wake_up(&ud->eh_waitq);
+ }