Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.9.y 2023-10-07T08:55:48Z 2023-10-07T08:55:48Z Takashi Iwai tiwai@suse.de 2023-09-22T12:38:07Z urn:sha1:a1766a4fd83befa0b34d932d532e7ebb7fab1fa7 imon driver probes two USB interfaces, and at the probe of the second interface, the driver assumes blindly that the first interface got bound with the same imon driver. It's usually true, but it's still possible that the first interface is bound with another driver via a malformed descriptor. Then it may lead to a memory corruption, as spotted by syzkaller; imon driver accesses the data from drvdata as struct imon_context object although it's a completely different one that was assigned by another driver. This patch adds a sanity check -- whether the first interface is really bound with the imon driver or not -- for avoiding the problem above at the probe time. Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/ Tested-by: Ricardo B. Marliere <ricardo@marliere.net> Link: https://lore.kernel.org/r/20230922005152.163640-1-ricardo@marliere.net Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> 2022-11-25T08:00:45Z Gautam Menghani gautammenghani201@gmail.com 2022-10-19T05:02:14Z urn:sha1:813ceef062b53d68f296aa3cb944b21a091fabdb The function send_packet() has a race condition as follows: func send_packet() { // do work call usb_submit_urb() mutex_unlock() wait_for_event_interruptible() <-- lock gone mutex_lock() } func vfd_write() { mutex_lock() call send_packet() <- prev call is not completed mutex_unlock() } When the mutex is unlocked and the function send_packet() waits for the call to complete, vfd_write() can start another call, which leads to the "URB submitted while active" warning in usb_submit_urb(). Fix this by removing the mutex_unlock() call in send_packet() and using mutex_lock_interruptible(). Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver") Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> 2022-09-24T05:50:12Z ye xingchen ye.xingchen@zte.com.cn 2022-08-30T08:30:27Z urn:sha1:2dfe2c4f1720b6b0860d36d25107ffa57f0bbc63 Return the value send_packet() directly instead of storing it in another redundant variable. Reported-by: Zeal Robot <zealci@zte.com.cn> Signed-off-by: ye xingchen <ye.xingchen@zte.com.cn> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> 2022-05-13T09:23:38Z Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2022-05-02T03:49:04Z urn:sha1:db264d4c66c0fe007b5d19fd007707cd0697603d Since usb_register_dev() from imon_init_display() from imon_probe() holds minor_rwsem while display_open() which holds driver_lock and ictx->lock is called with minor_rwsem held from usb_open(), holding driver_lock or ictx->lock when calling usb_register_dev() causes circular locking dependency problem. Since usb_deregister_dev() from imon_disconnect() holds minor_rwsem while display_open() which holds driver_lock is called with minor_rwsem held, holding driver_lock when calling usb_deregister_dev() also causes circular locking dependency problem. Sean Young explained that the problem is there are imon devices which have two usb interfaces, even though it is one device. The probe and disconnect function of both usb interfaces can run concurrently. Alan Stern responded that the driver and USB cores guarantee that when an interface is probed, both the interface and its USB device are locked. Ditto for when the disconnect callback gets run. So concurrent probing/ disconnection of multiple interfaces on the same device is not possible. Therefore, we don't need locks for handling race between imon_probe() and imon_disconnect(). But we still need to handle race between display_open() /vfd_write()/lcd_write()/display_close() and imon_disconnect(), for disconnect event can happen while file descriptors are in use. Since "struct file"->private_data is set by display_open(), vfd_write()/ lcd_write()/display_close() can assume that "struct file"->private_data is not NULL even after usb_set_intfdata(interface, NULL) was called. Replace insufficiently held driver_lock with refcount_t based management. Add a boolean flag for recording whether imon_disconnect() was already called. Use RCU for accessing this boolean flag and refcount_t. Since the boolean flag for imon_disconnect() is shared, disconnect event on either intf0 or intf1 affects both interfaces. But I assume that this change does not matter, for usually disconnect event would not happen while interfaces are in use. Link: https://syzkaller.appspot.com/bug?extid=c558267ad910fc494497 Reported-by: syzbot <syzbot+c558267ad910fc494497@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Tested-by: syzbot <syzbot+c558267ad910fc494497@syzkaller.appspotmail.com> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> 2022-05-13T09:02:23Z Oliver Neukum oneukum@suse.com 2022-04-28T13:34:55Z urn:sha1:af2aa3c4e52bc63b532b55b1ac66f262ecff2fb3 The point of using get/put_device() is to keep references for as long as the device may be in use. That means dropping them must be the penultimate action right before freeing the memory. Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> 2022-05-13T09:02:22Z Oliver Neukum oneukum@suse.com 2022-04-28T13:34:54Z urn:sha1:07af64dddfb87d1af9360204155396be07b7aa70 The timer will report events for an input device. Reporting events for an unregistered device is bad. Hence the timer must be killed first. Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> 2022-05-13T09:02:22Z Oliver Neukum oneukum@suse.com 2022-04-28T13:34:53Z urn:sha1:a43617a5bf1b6782303d11bec01cf67a2dfc82e8 GFP_NOIO is fine here. Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> 2021-09-30T08:07:43Z Nil Yi teroincn@163.com 2021-08-14T10:29:39Z urn:sha1:c9458c6f8a8f9c8b09fef0e2a4d5798ded993ef8 After freed rx_urb, we should set the second interface urb to NULL, otherwise a double free would happen when the driver is removed from the first interface. Signed-off-by: Nil Yi <teroincn@163.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2021-06-08T13:57:51Z Zhen Lei thunder.leizhen@huawei.com 2021-06-03T07:02:30Z urn:sha1:f1d9f315924f02ed8aabada04a04b20a0c6cc9be Use DEVICE_ATTR_RW() helper macro instead of DEVICE_ATTR(), which is simpler and more readable. Due to the names of the read and write functions of the sysfs attribute is normalized, there is a natural association. Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2020-07-19T12:00:32Z Alexander A. Klimov grandmaster@al2klimov.de 2020-07-13T15:31:53Z urn:sha1:276e2ee0765941e7fa20973a4c2215df830e8483 Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>