October 2023 - Linux-stable-mirror

FAILED: patch "[PATCH] xhci: track port suspend state correctly in unsuccessful" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d7cdfc319b2bcf6899ab0a05eec0958bc802a9a1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101513-igloo-irregular-e6de@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d7cdfc319b2bcf6899ab0a05eec0958bc802a9a1 Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Fri, 15 Sep 2023 17:31:06 +0300 Subject: [PATCH] xhci: track port suspend state correctly in unsuccessful resume cases xhci-hub.c tracks suspended ports in a suspended_port bitfield. This is checked when responding to a Get_Status(PORT) request to see if a port in running U0 state was recently resumed, and adds the required USB_PORT_STAT_C_SUSPEND change bit in those cases. The suspended_port bit was left uncleared if a device is disconnected during suspend. The bit remained set even when a new device was connected and enumerated. The set bit resulted in a incorrect Get_Status(PORT) response with a bogus USB_PORT_STAT_C_SUSPEND change bit set once the new device reached U0 link state. USB_PORT_STAT_C_SUSPEND change bit is only used for USB2 ports, but xhci-hub keeps track of both USB2 and USB3 suspended ports. Cc: stable(a)vger.kernel.org Reported-by: Wesley Cheng <quic_wcheng(a)quicinc.com> Closes: https://lore.kernel.org/linux-usb/d68aa806-b26a-0e43-42fb-b8067325e967@quic… Fixes: 1d5810b6923c ("xhci: Rework port suspend structures for limited ports.") Tested-by: Wesley Cheng <quic_wcheng(a)quicinc.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20230915143108.1532163-3-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c index 0054d02239e2..0df5d807a77e 100644 --- a/drivers/usb/host/xhci-hub.c +++ b/drivers/usb/host/xhci-hub.c @@ -1062,19 +1062,19 @@ static void xhci_get_usb3_port_status(struct xhci_port *port, u32 *status, *status |= USB_PORT_STAT_C_CONFIG_ERROR << 16; /* USB3 specific wPortStatus bits */ - if (portsc & PORT_POWER) { + if (portsc & PORT_POWER) *status |= USB_SS_PORT_STAT_POWER; - /* link state handling */ - if (link_state == XDEV_U0) - bus_state->suspended_ports &= ~(1 << portnum); - } - /* remote wake resume signaling complete */ - if (bus_state->port_remote_wakeup & (1 << portnum) && + /* no longer suspended or resuming */ + if (link_state != XDEV_U3 && link_state != XDEV_RESUME && link_state != XDEV_RECOVERY) { - bus_state->port_remote_wakeup &= ~(1 << portnum); - usb_hcd_end_port_resume(&hcd->self, portnum); + /* remote wake resume signaling complete */ + if (bus_state->port_remote_wakeup & (1 << portnum)) { + bus_state->port_remote_wakeup &= ~(1 << portnum); + usb_hcd_end_port_resume(&hcd->self, portnum); + } + bus_state->suspended_ports &= ~(1 << portnum); } xhci_hub_report_usb3_link_state(xhci, status, portsc); @@ -1131,6 +1131,7 @@ static void xhci_get_usb2_port_status(struct xhci_port *port, u32 *status, usb_hcd_end_port_resume(&port->rhub->hcd->self, portnum); } port->rexit_active = 0; + bus_state->suspended_ports &= ~(1 << portnum); } }

2 years

1
0
0 0

[v2] xhci: Keep interrupt disabled in initialization until host is running.

by Prashanth K

From: Hongyu Xie <xy521521(a)gmail.com> [ Upstream commit a808925075fb750804a60ff0710614466c396db4 ] irq is disabled in xhci_quiesce(called by xhci_halt, with bit:2 cleared in USBCMD register), but xhci_run(called by usb_add_hcd) re-enable it. It's possible that you will receive thousands of interrupt requests after initialization for 2.0 roothub. And you will get a lot of warning like, "xHCI dying, ignoring interrupt. Shouldn't IRQs be disabled?". This amount of interrupt requests will cause the entire system to freeze. This problem was first found on a device with ASM2142 host controller on it. [tidy up old code while moving it, reword header -Mathias] Cc: stable(a)kernel.org Signed-off-by: Hongyu Xie <xiehongyu1(a)kylinos.cn> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20220623111945.1557702-2-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: <stable(a)vger.kernel.org> # 5.15 Signed-off-by: Prashanth K <quic_prashk(a)quicinc.com> --- v2: Added a missing newline to avoid merge conflicts in future. drivers/usb/host/xhci.c | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 541fe4d..0803f9b 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -607,8 +607,27 @@ static int xhci_init(struct usb_hcd *hcd) static int xhci_run_finished(struct xhci_hcd *xhci) { + unsigned long flags; + u32 temp; + + /* + * Enable interrupts before starting the host (xhci 4.2 and 5.5.2). + * Protect the short window before host is running with a lock + */ + spin_lock_irqsave(&xhci->lock, flags); + + xhci_dbg_trace(xhci, trace_xhci_dbg_init, "Enable interrupts"); + temp = readl(&xhci->op_regs->command); + temp |= (CMD_EIE); + writel(temp, &xhci->op_regs->command); + + xhci_dbg_trace(xhci, trace_xhci_dbg_init, "Enable primary interrupter"); + temp = readl(&xhci->ir_set->irq_pending); + writel(ER_IRQ_ENABLE(temp), &xhci->ir_set->irq_pending); + if (xhci_start(xhci)) { xhci_halt(xhci); + spin_unlock_irqrestore(&xhci->lock, flags); return -ENODEV; } xhci->shared_hcd->state = HC_STATE_RUNNING; @@ -619,6 +638,9 @@ static int xhci_run_finished(struct xhci_hcd *xhci) xhci_dbg_trace(xhci, trace_xhci_dbg_init, "Finished xhci_run for USB3 roothub"); + + spin_unlock_irqrestore(&xhci->lock, flags); + return 0; } @@ -667,19 +689,6 @@ int xhci_run(struct usb_hcd *hcd) temp |= (xhci->imod_interval / 250) & ER_IRQ_INTERVAL_MASK; writel(temp, &xhci->ir_set->irq_control); - /* Set the HCD state before we enable the irqs */ - temp = readl(&xhci->op_regs->command); - temp |= (CMD_EIE); - xhci_dbg_trace(xhci, trace_xhci_dbg_init, - "// Enable interrupts, cmd = 0x%x.", temp); - writel(temp, &xhci->op_regs->command); - - temp = readl(&xhci->ir_set->irq_pending); - xhci_dbg_trace(xhci, trace_xhci_dbg_init, - "// Enabling event ring interrupter %p by writing 0x%x to irq_pending", - xhci->ir_set, (unsigned int) ER_IRQ_ENABLE(temp)); - writel(ER_IRQ_ENABLE(temp), &xhci->ir_set->irq_pending); - if (xhci->quirks & XHCI_NEC_HOST) { struct xhci_command *command; -- 2.7.4

2 years

2
1
0 0

[PATCH 5.10 0/3] net: add sysctl accept_ra_min_lft

by Patrick Rohr

I am following up on https://lore.kernel.org/stable/20230925211034.905320-1-prohr@google.com/ with cherry-picks for 5.10.198. I have run our test suite with the changes applied and all relevant tests passed. Thanks, -Patrick Patrick Rohr (3): net: add sysctl accept_ra_min_rtr_lft net: change accept_ra_min_rtr_lft to affect all RA lifetimes net: release reference to inet6_dev pointer Documentation/networking/ip-sysctl.rst | 8 ++++++++ include/linux/ipv6.h | 1 + include/uapi/linux/ipv6.h | 7 +++++++ net/ipv6/addrconf.c | 13 +++++++++++++ net/ipv6/ndisc.c | 13 +++++++++++-- 5 files changed, 40 insertions(+), 2 deletions(-) -- 2.42.0.655.g421f12c284-goog

2 years

3
5
0 0

[PATCH 4.19 00/29] 4.19.282-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.19.282 release. There are 29 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 26 Apr 2023 13:11:11 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.282-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.19.282-rc1 Ekaterina Orlova <vorobushek.ok(a)gmail.com> ASN.1: Fix check for strdup() success Dan Carpenter <error27(a)gmail.com> iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger() William Breathitt Gray <william.gray(a)linaro.org> counter: 104-quad-8: Fix race condition between FLAG and CNTR reads Kuniyuki Iwashima <kuniyu(a)amazon.com> sctp: Call inet6_destroy_sock() via sk->sk_destruct(). Kuniyuki Iwashima <kuniyu(a)amazon.com> dccp: Call inet6_destroy_sock() via sk->sk_destruct(). Kuniyuki Iwashima <kuniyu(a)amazon.com> inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). Kuniyuki Iwashima <kuniyu(a)amazon.com> udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). Baokun Li <libaokun1(a)huawei.com> ext4: fix use-after-free in ext4_xattr_set_entry Ritesh Harjani <riteshh(a)linux.ibm.com> ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() Tudor Ambarus <tudor.ambarus(a)linaro.org> Revert "ext4: fix use-after-free in ext4_xattr_set_entry" Pingfan Liu <kernelfans(a)gmail.com> x86/purgatory: Don't generate debug info for purgatory.ro Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> memstick: fix memory leak if card device is never registered Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: initialize unused bytes in segment summary blocks Juergen Gross <jgross(a)suse.com> xen/netback: use same error messages for same errors Heiko Carstens <hca(a)linux.ibm.com> s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: b53: mmap: add phy ops Damien Le Moal <damien.lemoal(a)opensource.wdc.com> scsi: core: Improve scsi_vpd_inquiry() checks Tomas Henzl <thenzl(a)redhat.com> scsi: megaraid_sas: Fix fw_crash_buffer_show() Nick Desaulniers <ndesaulniers(a)google.com> selftests: sigaltstack: fix -Wuninitialized Jonathan Denose <jdenose(a)chromium.org> Input: i8042 - add quirk for Fujitsu Lifebook A574/H Douglas Raillard <douglas.raillard(a)arm.com> f2fs: Fix f2fs_truncate_partial_nodes ftrace event Sebastian Basierski <sebastianx.basierski(a)intel.com> e1000e: Disable TSO on i219-LM card to increase speed Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: fix i40e_setup_misc_vector() error handling Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: fix accessing vsi->active_filters without holding lock Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio_net: bugfix overflow inside xdp_linearize_page() Gwangun Jung <exsociety(a)gmail.com> net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg Jianqun Xu <jay.xu(a)rock-chips.com> ARM: dts: rockchip: fix a typo error for rk3288 spdif node ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/rk3288.dtsi | 2 +- arch/s390/kernel/ptrace.c | 8 +--- arch/x86/purgatory/Makefile | 5 ++- drivers/iio/adc/at91-sama5d2_adc.c | 2 +- drivers/iio/counter/104-quad-8.c | 14 +----- drivers/input/serio/i8042-x86ia64io.h | 8 ++++ drivers/memstick/core/memstick.c | 5 ++- drivers/net/dsa/b53/b53_mmap.c | 14 ++++++ drivers/net/ethernet/intel/e1000e/netdev.c | 51 +++++++++++----------- drivers/net/ethernet/intel/i40e/i40e_main.c | 9 ++-- .../ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c | 2 + drivers/net/virtio_net.c | 8 +++- drivers/net/xen-netback/netback.c | 6 +-- drivers/scsi/megaraid/megaraid_sas_base.c | 2 +- drivers/scsi/scsi.c | 11 ++++- fs/ext4/inline.c | 11 +++-- fs/ext4/xattr.c | 26 +---------- fs/ext4/xattr.h | 6 +-- fs/nilfs2/segment.c | 20 +++++++++ include/net/ipv6.h | 2 + include/net/udp.h | 2 +- include/net/udplite.h | 8 ---- include/trace/events/f2fs.h | 2 +- net/dccp/dccp.h | 1 + net/dccp/ipv6.c | 15 ++++--- net/dccp/proto.c | 8 +++- net/ipv4/udp.c | 9 ++-- net/ipv4/udplite.c | 8 ++++ net/ipv6/af_inet6.c | 15 ++++++- net/ipv6/ipv6_sockglue.c | 20 ++++----- net/ipv6/ping.c | 6 --- net/ipv6/raw.c | 2 - net/ipv6/tcp_ipv6.c | 8 +--- net/ipv6/udp.c | 17 ++++++-- net/ipv6/udp_impl.h | 1 + net/ipv6/udplite.c | 9 +++- net/l2tp/l2tp_ip6.c | 2 - net/sched/sch_qfq.c | 13 +++--- net/sctp/socket.c | 29 ++++++++---- scripts/asn1_compiler.c | 2 +- .../selftests/sigaltstack/current_stack_pointer.h | 23 ++++++++++ tools/testing/selftests/sigaltstack/sas.c | 7 +-- 43 files changed, 251 insertions(+), 172 deletions(-)

2 years

7
43
0 0

[PATCH] media: mtk-jpeg: Fix use after free bug due to uncanceled work

by Zheng Wang

This is a security bug that has been reported to google. It affected all platforms on chrome-os. Please apply this patch to 5.10. Due to the directory structure change, the file path to be patched is different from that in upstream. [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ] In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Reviewed-by: Alexandre Mergnat <amergnat(a)baylibre.com> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c index 227245ccaedc..753c7c7be358 100644 --- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c @@ -1447,6 +1447,7 @@ static int mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); + cancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->vdev); video_device_release(jpeg->vdev); -- 2.25.1

2 years

2
1
0 0

Re: [PATCH] riscv: signal: fix sigaltstack frame size checking

by Aurelien Jarno

Hi, The patch below is an important fix, as it is necessary to run rustc on riscv. It has been merged as commit 14a270bfab7ab1c4b605c01eeca5557447ad5a2b. I have seen that other commits from the same pull request have already been queued for 6.5, but not this one. Would it be possible to queue it for stable 6.5? Thanks Aurelien On 2023-08-22 16:49, Andy Chiu wrote: > The alternative stack checking in get_sigframe introduced by the Vector > support is not needed and has a problem. It is not needed as we have > already validate it at the beginning of the function if we are already > on an altstack. If not, the size of an altstack is always validated at > its allocation stage with sigaltstack_size_valid(). > > Besides, we must only regard the size of an altstack if the handler of a > signal is registered with SA_ONSTACK. So, blindly checking overflow of > an altstack if sas_ss_size not equals to zero will check against wrong > signal handlers if only a subset of signals are registered with > SA_ONSTACK. > > Fixes: 8ee0b41898fa ("riscv: signal: Add sigcontext save/restore for vector") > Reported-by: Prashanth Swaminathan <prashanthsw(a)google.com> > Signed-off-by: Andy Chiu <andy.chiu(a)sifive.com> > --- > arch/riscv/kernel/signal.c | 7 ------- > 1 file changed, 7 deletions(-) > > diff --git a/arch/riscv/kernel/signal.c b/arch/riscv/kernel/signal.c > index 180d951d3624..21a4d0e111bc 100644 > --- a/arch/riscv/kernel/signal.c > +++ b/arch/riscv/kernel/signal.c > @@ -311,13 +311,6 @@ static inline void __user *get_sigframe(struct ksignal *ksig, > /* Align the stack frame. */ > sp &= ~0xfUL; > > - /* > - * Fail if the size of the altstack is not large enough for the > - * sigframe construction. > - */ > - if (current->sas_ss_size && sp < current->sas_ss_sp) > - return (void __user __force *)-1UL; > - > return (void __user *)sp; > } > > -- > 2.17.1 > > > _______________________________________________ > linux-riscv mailing list > linux-riscv(a)lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv > -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien(a)aurel32.net http://aurel32.net

2 years

2
1
0 0

[PATCH] media: mtk-jpeg: Fix use after free bug due to uncanceled work

by Zheng Wang

This is a security bug that has been reported to google. It affected all platforms on chrome-os. Please apply this patch to 5.10. Due to the directory structure change, the file path to be be patched is different from that in upstream. [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ] In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Reviewed-by: Alexandre Mergnat <amergnat(a)baylibre.com> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c index ee802fc3bcdf..67c9ca4cfcd2 100644 --- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c @@ -1189,6 +1189,7 @@ static int mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); + ancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->dec_vdev); video_device_release(jpeg->dec_vdev); -- 2.25.1

2 years

2
1
0 0

[PATCH] media: mtk-jpeg: Fix use after free bug due to uncanceled work

by Zheng Wang

This is a security bug that has been reported to google. It affected all platforms on chrome-os. Please apply this patch to 5.15. Due to the directory structure change, the file path to be patched is different from that in upstream. [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ] In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Reviewed-by: Alexandre Mergnat <amergnat(a)baylibre.com> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c index a89c7b206eef..d3af699ad72f 100644 --- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c @@ -1455,6 +1455,7 @@ static int mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); + cancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->vdev); video_device_release(jpeg->vdev); -- 2.25.1

2 years

1
0
0 0

[PATCH AUTOSEL 6.5 1/7] x86/reboot: VMCLEAR active VMCSes before emergency reboot

by Sasha Levin

From: Sean Christopherson <seanjc(a)google.com> [ Upstream commit b23c83ad2c638420ec0608a9de354507c41bec29 ] VMCLEAR active VMCSes before any emergency reboot, not just if the kernel may kexec into a new kernel after a crash. Per Intel's SDM, the VMX architecture doesn't require the CPU to flush the VMCS cache on INIT. If an emergency reboot doesn't RESET CPUs, cached VMCSes could theoretically be kept and only be written back to memory after the new kernel is booted, i.e. could effectively corrupt memory after reboot. Opportunistically remove the setting of the global pointer to NULL to make checkpatch happy. Cc: Andrew Cooper <Andrew.Cooper3(a)citrix.com> Link: https://lore.kernel.org/r/20230721201859.2307736-2-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/include/asm/kexec.h | 2 -- arch/x86/include/asm/reboot.h | 2 ++ arch/x86/kernel/crash.c | 31 ------------------------------- arch/x86/kernel/reboot.c | 22 ++++++++++++++++++++++ arch/x86/kvm/vmx/vmx.c | 10 +++------- 5 files changed, 27 insertions(+), 40 deletions(-) diff --git a/arch/x86/include/asm/kexec.h b/arch/x86/include/asm/kexec.h index 5b77bbc28f969..819046974b997 100644 --- a/arch/x86/include/asm/kexec.h +++ b/arch/x86/include/asm/kexec.h @@ -205,8 +205,6 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image); #endif #endif -typedef void crash_vmclear_fn(void); -extern crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss; extern void kdump_nmi_shootdown_cpus(void); #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h index 9177b4354c3f5..dc201724a6433 100644 --- a/arch/x86/include/asm/reboot.h +++ b/arch/x86/include/asm/reboot.h @@ -25,6 +25,8 @@ void __noreturn machine_real_restart(unsigned int type); #define MRR_BIOS 0 #define MRR_APM 1 +typedef void crash_vmclear_fn(void); +extern crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss; void cpu_emergency_disable_virtualization(void); typedef void (*nmi_shootdown_cb)(int, struct pt_regs*); diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c index cdd92ab43cda4..54cd959cb3160 100644 --- a/arch/x86/kernel/crash.c +++ b/arch/x86/kernel/crash.c @@ -48,38 +48,12 @@ struct crash_memmap_data { unsigned int type; }; -/* - * This is used to VMCLEAR all VMCSs loaded on the - * processor. And when loading kvm_intel module, the - * callback function pointer will be assigned. - * - * protected by rcu. - */ -crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss = NULL; -EXPORT_SYMBOL_GPL(crash_vmclear_loaded_vmcss); - -static inline void cpu_crash_vmclear_loaded_vmcss(void) -{ - crash_vmclear_fn *do_vmclear_operation = NULL; - - rcu_read_lock(); - do_vmclear_operation = rcu_dereference(crash_vmclear_loaded_vmcss); - if (do_vmclear_operation) - do_vmclear_operation(); - rcu_read_unlock(); -} - #if defined(CONFIG_SMP) && defined(CONFIG_X86_LOCAL_APIC) static void kdump_nmi_callback(int cpu, struct pt_regs *regs) { crash_save_cpu(regs, cpu); - /* - * VMCLEAR VMCSs loaded on all cpus if needed. - */ - cpu_crash_vmclear_loaded_vmcss(); - /* * Disable Intel PT to stop its logging */ @@ -133,11 +107,6 @@ void native_machine_crash_shutdown(struct pt_regs *regs) crash_smp_send_stop(); - /* - * VMCLEAR VMCSs loaded on this cpu if needed. - */ - cpu_crash_vmclear_loaded_vmcss(); - cpu_emergency_disable_virtualization(); /* diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c index 3adbe97015c13..3fa4c6717a1db 100644 --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c @@ -787,6 +787,26 @@ void machine_crash_shutdown(struct pt_regs *regs) } #endif +/* + * This is used to VMCLEAR all VMCSs loaded on the + * processor. And when loading kvm_intel module, the + * callback function pointer will be assigned. + * + * protected by rcu. + */ +crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss; +EXPORT_SYMBOL_GPL(crash_vmclear_loaded_vmcss); + +static inline void cpu_crash_vmclear_loaded_vmcss(void) +{ + crash_vmclear_fn *do_vmclear_operation = NULL; + + rcu_read_lock(); + do_vmclear_operation = rcu_dereference(crash_vmclear_loaded_vmcss); + if (do_vmclear_operation) + do_vmclear_operation(); + rcu_read_unlock(); +} /* This is the CPU performing the emergency shutdown work. */ int crashing_cpu = -1; @@ -798,6 +818,8 @@ int crashing_cpu = -1; */ void cpu_emergency_disable_virtualization(void) { + cpu_crash_vmclear_loaded_vmcss(); + cpu_emergency_vmxoff(); cpu_emergency_svm_disable(); } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index df461f387e20d..f60fb79fea881 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -41,7 +41,7 @@ #include <asm/idtentry.h> #include <asm/io.h> #include <asm/irq_remapping.h> -#include <asm/kexec.h> +#include <asm/reboot.h> #include <asm/perf_event.h> #include <asm/mmu_context.h> #include <asm/mshyperv.h> @@ -754,7 +754,6 @@ static int vmx_set_guest_uret_msr(struct vcpu_vmx *vmx, return ret; } -#ifdef CONFIG_KEXEC_CORE static void crash_vmclear_local_loaded_vmcss(void) { int cpu = raw_smp_processor_id(); @@ -764,7 +763,6 @@ static void crash_vmclear_local_loaded_vmcss(void) loaded_vmcss_on_cpu_link) vmcs_clear(v->vmcs); } -#endif /* CONFIG_KEXEC_CORE */ static void __loaded_vmcs_clear(void *arg) { @@ -8622,10 +8620,9 @@ static void __vmx_exit(void) { allow_smaller_maxphyaddr = false; -#ifdef CONFIG_KEXEC_CORE RCU_INIT_POINTER(crash_vmclear_loaded_vmcss, NULL); synchronize_rcu(); -#endif + vmx_cleanup_l1d_flush(); } @@ -8674,10 +8671,9 @@ static int __init vmx_init(void) pi_init_cpu(cpu); } -#ifdef CONFIG_KEXEC_CORE rcu_assign_pointer(crash_vmclear_loaded_vmcss, crash_vmclear_local_loaded_vmcss); -#endif + vmx_check_vmcs12_offsets(); /* -- 2.40.1

2 years

2
7
0 0

[RESEND PATCH v2] media: mtk-jpeg: Fix use after free bug due to uncanceled work

by Zheng Wang

This is a security bug that has been reported to google. It affected all platforms on chrome-os. Please apply this patch to 4.14 4.19 5.4 5.10 and 5.15. [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ] In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Reviewed-by: Alexandre Mergnat <amergnat(a)baylibre.com> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Cc: stable(a)vger.kernel.org --- - v2: use cancel_delayed_work_sync instead of cancel_delayed_work suggested by Kyrie. --- drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 0051f372a66c..6069ecf420b0 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1816,6 +1816,7 @@ static void mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); + cancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->vdev); v4l2_m2m_release(jpeg->m2m_dev); -- 2.25.1

2 years

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2023