kernel/linux.git/drivers/usb/mon, branch v4.4.235Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v4.4.2352019-12-21T09:35:17+00:00usb: mon: Fix a deadlock in usbmon between mmap and read2019-12-21T09:35:17+00:00Pete Zaitcevzaitcev@redhat.com2019-12-05T02:39:41+00:00urn:sha1:da7e912ea10ceb569b1032ee23fd37250ab0a5c3
commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream.
The problem arises because our read() function grabs a lock of the
circular buffer, finds something of interest, then invokes copy_to_user()
straight from the buffer, which in turn takes mm->mmap_sem. In the same
time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem.
It attempts to take the fetch lock and deadlocks.
This patch does away with protecting of our page list with any
semaphores, and instead relies on the kernel not close the device
while mmap is active in a process.
In addition, we prohibit re-sizing of a buffer while mmap is active.
This way, when (now unlocked) fault is processed, it works with the
page that is intended to be mapped-in, and not some other random page.
Note that this may have an ABI impact, but hopefully no legitimate
program is this wrong.
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: usbmon: Read text within supplied buffer size2018-03-18T10:17:53+00:00Pete Zaitcevzaitcev@kotori.zaitcev.us2018-03-09T06:21:14+00:00urn:sha1:abe0ecd5597c31c6b70dc347145789000f4cf68f
commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.
This change fixes buffer overflows and silent data corruption with the
usbmon device driver text file read operations.
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: usbmon: remove assignment from IS_ERR argument2018-03-18T10:17:53+00:00Julia LawallJulia.Lawall@lip6.fr2015-12-26T21:57:44+00:00urn:sha1:2feea85fe95e3ad89d0b28fef10840696b5094f9
commit 46c236dc7d1212d7417e6fb0317f91c44c719322 upstream.
The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@@
expression e1,e2;
statement S1,S2;
@@
+e1 = e2;
if (IS_ERR(
e1
- = e2
)) S1 else S2
// </smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: fix usbmon BUG trigger2018-01-17T08:35:31+00:00Pete Zaitcevzaitcev@redhat.com2018-01-08T21:46:41+00:00urn:sha1:3f577093c5111454d015395daa789b1eab072876
commit 46eb14a6e1585d99c1b9f58d0e7389082a5f466b upstream.
Automated tests triggered this by opening usbmon and accessing the
mmap while simultaneously resizing the buffers. This bug was with
us since 2006, because typically applications only size the buffers
once and thus avoid racing. Reported by Kirill A. Shutemov.
Reported-by: <syzbot+f9831b881b3e849829fc@syzkaller.appspotmail.com>
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: mon_stat.c: move assignment out of if () block2015-05-10T14:01:11+00:00Greg Kroah-Hartmangregkh@linuxfoundation.org2015-04-30T09:32:58+00:00urn:sha1:4c08ccf0dc50a7a4e8d1ddc41e9e6d5d25aacdc1
We should not be doing assignments within an if () block
so fix up the code to not do this.
change was created using Coccinelle.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Felipe Balbi <balbi@ti.com>
USB: mon_main.c: move assignment out of if () block2015-05-10T14:01:11+00:00Greg Kroah-Hartmangregkh@linuxfoundation.org2015-04-30T09:32:57+00:00urn:sha1:d4950d5dab78a78c90c0c5cd6113af28cbac516f
We should not be doing assignments within an if () block
so fix up the code to not do this.
change was created using Coccinelle.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Felipe Balbi <balbi@ti.com>
USB: mon_bin.c: move assignment out of if () block2015-05-10T14:01:11+00:00Greg Kroah-Hartmangregkh@linuxfoundation.org2015-04-30T09:32:56+00:00urn:sha1:0296951a62bb863008821b33343cff446fce4b84
We should not be doing assignments within an if () block
so fix up the code to not do this.
change was created using Coccinelle.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Felipe Balbi <balbi@ti.com>
USB: regroup all depends on USB within an if USB block2013-04-09T23:49:07+00:00Florian Fainelliflorian@openwrt.org2013-04-09T12:29:25+00:00urn:sha1:25e11ec4fe5271c4895265ecbb69531e6b0c0dd5
This patch removes the depends on USB from all config symbols in
drivers/usb/host/Kconfig and replace that with an if USB / endif block
as suggested by Alan Stern. Some source ... Kconfig lines have been
shuffled around to permit a better regroupment of the Kconfig files
depending on "config USB" item. No functionnal change is introduced.
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Florian Fainelli <florian@openwrt.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mm: kill vma flag VM_RESERVED and mm->reserved_vm counter2012-10-09T07:22:19+00:00Konstantin Khlebnikovkhlebnikov@openvz.org2012-10-08T23:29:02+00:00urn:sha1:314e51b9851b4f4e8ab302243ff5a6fc6147f379
A long time ago, in v2.4, VM_RESERVED kept swapout process off VMA,
currently it lost original meaning but still has some effects:
| effect | alternative flags
-+------------------------+---------------------------------------------
1| account as reserved_vm | VM_IO
2| skip in core dump | VM_IO, VM_DONTDUMP
3| do not merge or expand | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
4| do not mlock | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
This patch removes reserved_vm counter from mm_struct. Seems like nobody
cares about it, it does not exported into userspace directly, it only
reduces total_vm showed in proc.
Thus VM_RESERVED can be replaced with VM_IO or pair VM_DONTEXPAND | VM_DONTDUMP.
remap_pfn_range() and io_remap_pfn_range() set VM_IO|VM_DONTEXPAND|VM_DONTDUMP.
remap_vmalloc_range() set VM_DONTEXPAND | VM_DONTDUMP.
[akpm@linux-foundation.org: drivers/vfio/pci/vfio_pci.c fixup]
Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Carsten Otte <cotte@de.ibm.com>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Eric Paris <eparis@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Jason Baron <jbaron@redhat.com>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: Nick Piggin <npiggin@kernel.dk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Robert Richter <robert.richter@amd.com>
Cc: Suresh Siddha <suresh.b.siddha@intel.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Venkatesh Pallipadi <venki@google.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
usb: Add export.h for EXPORT_SYMBOL/THIS_MODULE where needed2011-10-31T23:31:25+00:00Paul Gortmakerpaul.gortmaker@windriver.com2011-05-27T13:56:31+00:00urn:sha1:f940fcd8eadfe5b909a1474b57de7755edeee62b
With module.h being implicitly everywhere via device.h, the absence
of explicitly including something for EXPORT_SYMBOL went unnoticed.
Since we are heading to fix things up and clean module.h from the
device.h file, we need to explicitly include these files now.
Use the lightweight version of the header that has just THIS_MODULE
and EXPORT_SYMBOL variants.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>