From: Zheng Wang <zyytlz.wz(a)163.com>
mainline inclusion
from mainline-v6.4-rc1
commit 2b947f8769be8b8181dc795fd292d3e7120f5204
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7EDYS
CVE: CVE-2023-35828
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work.
renesas_usb3_start will be called to start the work.
If we remove the driver which will call usbhs_remove, there may be
an unfinished work. The possible sequence is as follows:
CPU0                            CPU1
                                renesas_usb3_role_work
renesas_usb3_remove
usb_role_switch_unregister
device_unregister
kfree(sw)
//free usb3->role_sw
                                usb_role_switch_set_role
                                //use usb3->role_sw
The usb3->role_sw could be freed under such circumstances and then
used in usb_role_switch_set_role.
This bug was found by static analysis. Note that removing a
driver is a root-only operation and should never happen in the normal
case. But the root user may directly remove the device, which
will also trigger the remove function.
Fix it by canceling the work before cleanup in renesas_usb3_remove.
Fixes: 39facfa01c9f ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com>
Link: https://lore.kernel.org/r/20230320062931.505170-1-zyytlz.wz@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Jialin Zhang <zhangjialin11(a)huawei.com>
Reviewed-by: Wei Li <liwei391(a)huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/usb/gadget/udc/renesas_usb3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
index a5254e82d628..3cbb372db432 100644
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -2477,6 +2477,7 @@ static int renesas_usb3_remove(struct platform_device *pdev)
debugfs_remove_recursive(usb3->dentry);
device_remove_file(&pdev->dev, &dev_attr_role);
+ cancel_work_sync(&usb3->role_work);
usb_role_switch_unregister(usb3->role_sw);
usb_del_gadget_udc(&usb3->gadget);
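Review bot: cancel_work_sync(&usb3->role_work) ahead of usb_role_switch_unregister(usb3->role_sw) only closes the race if nothing can queue role_work again after the cancel returns, and the visible lines of renesas_usb3_remove do not show any scheduling source being stopped before this point. The message names renesas_usb3_start as what starts the work; please state which paths can still reach it during removal and that they are quiesced by now, otherwise the work can be re-armed and still touch the freed role_sw.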
--
2.25.1
From: Zheng Wang <zyytlz.wz(a)163.com>
mainline inclusion
from mainline-v6.4-rc1
commit 2b947f8769be8b8181dc795fd292d3e7120f5204
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7EDYS
CVE: CVE-2023-35828
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work.
renesas_usb3_start will be called to start the work.
If we remove the driver which will call usbhs_remove, there may be
an unfinished work. The possible sequence is as follows:
CPU0                            CPU1
                                renesas_usb3_role_work
renesas_usb3_remove
usb_role_switch_unregister
device_unregister
kfree(sw)
//free usb3->role_sw
                                usb_role_switch_set_role
                                //use usb3->role_sw
The usb3->role_sw could be freed under such circumstances and then
used in usb_role_switch_set_role.
This bug was found by static analysis. Note that removing a
driver is a root-only operation and should never happen in the normal
case. But the root user may directly remove the device, which
will also trigger the remove function.
Fix it by canceling the work before cleanup in renesas_usb3_remove.
Fixes: 39facfa01c9f ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com>
Link: https://lore.kernel.org/r/20230320062931.505170-1-zyytlz.wz@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Jialin Zhang <zhangjialin11(a)huawei.com>
---
drivers/usb/gadget/udc/renesas_usb3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
index 601829a6b4ba..a10f41c4a3f2 100644
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -2568,6 +2568,7 @@ static int renesas_usb3_remove(struct platform_device *pdev)
debugfs_remove_recursive(usb3->dentry);
device_remove_file(&pdev->dev, &dev_attr_role);
+ cancel_work_sync(&usb3->role_work);
usb_role_switch_unregister(usb3->role_sw);
usb_del_gadget_udc(&usb3->gadget);
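Review bot: the description says removal goes through usbhs_remove, but the function patched in this hunk is renesas_usb3_remove, and the sequence in the message also lists renesas_usb3_remove. Please correct the name in the backport description, or mark it as carried over from the upstream log, so the text matches the hunk. This posting also applies at line 2568 against a different base index than the other copy of the same one-line change, so naming the target branch in the description would make clear which tree each is meant for.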
--
2.25.1
From: Moshe Tal <moshet(a)nvidia.com>
mainline inclusion
from mainline-v5.17-rc2
commit e2f08207c558bc0bc8abaa557cdb29bad776ac7b
category: feature
bugzilla: 188943
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
The link extended sub-states are assigned as an enum that is an integer
size but read from a union as u8. This works for small values on
little-endian systems, but on big-endian this always gives 0. Fix the
variable in the union to match the enum size.
Fixes: ecc31c60240b ("ethtool: Add link extended state")
Signed-off-by: Moshe Tal <moshet(a)nvidia.com>
Reviewed-by: Ido Schimmel <idosch(a)nvidia.com>
Tested-by: Ido Schimmel <idosch(a)nvidia.com>
Reviewed-by: Gal Pressman <gal(a)nvidia.com>
Reviewed-by: Amit Cohen <amcohen(a)nvidia.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Conflicts:
include/linux/ethtool.h
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
include/linux/ethtool.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/ethtool.h b/include/linux/ethtool.h
index 726c1b27f3c4..cdfb3cc0951d 100644
--- a/include/linux/ethtool.h
+++ b/include/linux/ethtool.h
@@ -112,7 +112,7 @@ struct ethtool_link_ext_state_info {
enum ethtool_link_ext_substate_link_logical_mismatch link_logical_mismatch;
enum ethtool_link_ext_substate_bad_signal_integrity bad_signal_integrity;
enum ethtool_link_ext_substate_cable_issue cable_issue;
- u8 __link_ext_substate;
+ u32 __link_ext_substate;
};
};
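Review bot: the new "u32 __link_ext_substate;" hardcodes a width that is only assumed to equal the size of the enum members beside it in this union, and nothing on the line records that dependency. A short comment saying the field must span the full enum width, or a build-time size check next to the struct, would keep the alias from silently breaking again. The description also lists "Conflicts: include/linux/ethtool.h" without saying how the conflict was resolved; one line on that would help whoever compares this with the mainline commit.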
--
2.34.1
From: Moshe Tal <moshet(a)nvidia.com>
mainline inclusion
from mainline-v5.17-rc2
commit e2f08207c558bc0bc8abaa557cdb29bad776ac7b
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7GNV3
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
The link extended sub-states are assigned as an enum that is an integer
size but read from a union as u8. This works for small values on
little-endian systems, but on big-endian this always gives 0. Fix the
variable in the union to match the enum size.
Fixes: ecc31c60240b ("ethtool: Add link extended state")
Signed-off-by: Moshe Tal <moshet(a)nvidia.com>
Reviewed-by: Ido Schimmel <idosch(a)nvidia.com>
Tested-by: Ido Schimmel <idosch(a)nvidia.com>
Reviewed-by: Gal Pressman <gal(a)nvidia.com>
Reviewed-by: Amit Cohen <amcohen(a)nvidia.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Conflicts:
include/linux/ethtool.h
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
v2: modify comment
---
include/linux/ethtool.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/ethtool.h b/include/linux/ethtool.h
index 726c1b27f3c4..cdfb3cc0951d 100644
--- a/include/linux/ethtool.h
+++ b/include/linux/ethtool.h
@@ -112,7 +112,7 @@ struct ethtool_link_ext_state_info {
enum ethtool_link_ext_substate_link_logical_mismatch link_logical_mismatch;
enum ethtool_link_ext_substate_bad_signal_integrity bad_signal_integrity;
enum ethtool_link_ext_substate_cable_issue cable_issue;
- u8 __link_ext_substate;
+ u32 __link_ext_substate;
};
};
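Review bot: this v2 hunk is identical to the earlier posting, down to the index line 726c1b27f3c4..cdfb3cc0951d, so "v2: modify comment" should say which text changed; the only visible difference between the two mails is the bugzilla line. The header also says "category: feature" while the change carries a Fixes: tag and the description calls it a fix, so "bugfix" would match what the hunk does.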
--
2.34.1