<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-dev/drivers/memstick/host, branch master</title>
<subtitle>Linux kernel development work - see feature branches</subtitle>
<id>https://git.zx2c4.com/linux-dev/atom/drivers/memstick/host?h=master</id>
<link rel='self' href='https://git.zx2c4.com/linux-dev/atom/drivers/memstick/host?h=master'/>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/'/>
<updated>2021-10-19T11:04:42Z</updated>
<entry>
<title>memstick: r592: Fix a UAF bug when removing the driver</title>
<updated>2021-10-19T11:04:42Z</updated>
<author>
<name>Zheyu Ma</name>
<email>zheyuma97@gmail.com</email>
</author>
<published>2021-10-16T11:26:21Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=738216c1953e802aa9f930c5d15b8f9092c847ff'/>
<id>urn:sha1:738216c1953e802aa9f930c5d15b8f9092c847ff</id>
<content type='text'>
In r592_remove(), the driver will free dma after freeing the host, which
may cause a UAF bug.

The following log reveals it:

[   45.361796 ] BUG: KASAN: use-after-free in r592_remove+0x269/0x350 [r592]
[   45.364286 ] Call Trace:
[   45.364472 ]  dump_stack_lvl+0xa8/0xd1
[   45.364751 ]  print_address_description+0x87/0x3b0
[   45.365137 ]  kasan_report+0x172/0x1c0
[   45.365415 ]  ? r592_remove+0x269/0x350 [r592]
[   45.365834 ]  ? r592_remove+0x269/0x350 [r592]
[   45.366168 ]  __asan_report_load8_noabort+0x14/0x20
[   45.366531 ]  r592_remove+0x269/0x350 [r592]
[   45.378785 ]
[   45.378903 ] Allocated by task 4674:
[   45.379162 ]  ____kasan_kmalloc+0xb5/0xe0
[   45.379455 ]  __kasan_kmalloc+0x9/0x10
[   45.379730 ]  __kmalloc+0x150/0x280
[   45.379984 ]  memstick_alloc_host+0x2a/0x190
[   45.380664 ]
[   45.380781 ] Freed by task 5509:
[   45.381014 ]  kasan_set_track+0x3d/0x70
[   45.381293 ]  kasan_set_free_info+0x23/0x40
[   45.381635 ]  ____kasan_slab_free+0x10b/0x140
[   45.381950 ]  __kasan_slab_free+0x11/0x20
[   45.382241 ]  slab_free_freelist_hook+0x81/0x150
[   45.382575 ]  kfree+0x13e/0x290
[   45.382805 ]  memstick_free+0x1c/0x20
[   45.383070 ]  device_release+0x9c/0x1d0
[   45.383349 ]  kobject_put+0x2ef/0x4c0
[   45.383616 ]  put_device+0x1f/0x30
[   45.383865 ]  memstick_free_host+0x24/0x30
[   45.384162 ]  r592_remove+0x242/0x350 [r592]
[   45.384473 ]  pci_device_remove+0xa9/0x250

Signed-off-by: Zheyu Ma &lt;zheyuma97@gmail.com&gt;
Link: https://lore.kernel.org/r/1634383581-11055-1-git-send-email-zheyuma97@gmail.com
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host()</title>
<updated>2021-10-12T08:24:39Z</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2021-10-11T12:39:12Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=beae4a6258e64af609ad5995cc6b6056eb0d898e'/>
<id>urn:sha1:beae4a6258e64af609ad5995cc6b6056eb0d898e</id>
<content type='text'>
The "msh" pointer is device managed, meaning that memstick_alloc_host()
calls device_initialize() on it.  That means that it can't be freed
using kfree() but must instead be freed with memstick_free_host().
Otherwise it leads to a tiny memory leak of device resources.

Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Link: https://lore.kernel.org/r/20211011123912.GD15188@kili
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: jmb38x_ms: Prefer struct_size over open coded arithmetic</title>
<updated>2021-10-12T08:21:17Z</updated>
<author>
<name>Len Baker</name>
<email>len.baker@gmx.com</email>
</author>
<published>2021-09-11T13:19:33Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=16e9bde21ab6592aa55f1d3cb29338117c84cea5'/>
<id>urn:sha1:16e9bde21ab6592aa55f1d3cb29338117c84cea5</id>
<content type='text'>
As noted in the "Deprecated Interfaces, Language Features, Attributes,
and Conventions" documentation [1], size calculations (especially
multiplication) should not be performed in memory allocator (or similar)
function arguments due to the risk of them overflowing. This could lead
to values wrapping around and a smaller allocation being made than the
caller was expecting. Using those allocations could lead to linear
overflows of heap memory and other misbehaviors.

So, use the struct_size() helper to do the arithmetic instead of the
argument "size + count * size" in the kzalloc() function.

[1] https://www.kernel.org/doc/html/v5.14/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments

Signed-off-by: Len Baker &lt;len.baker@gmx.com&gt;
Link: https://lore.kernel.org/r/20210911131933.2089-1-len.baker@gmx.com
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: switch from 'pci_' to 'dma_' API</title>
<updated>2021-08-24T14:59:39Z</updated>
<author>
<name>Christophe JAILLET</name>
<email>christophe.jaillet@wanadoo.fr</email>
</author>
<published>2021-08-21T21:13:07Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=89d74b30f44371c2fc388f7fb172a583977ef0d8'/>
<id>urn:sha1:89d74b30f44371c2fc388f7fb172a583977ef0d8</id>
<content type='text'>
The wrappers in include/linux/pci-dma-compat.h should go away.

The patch has been generated with the coccinelle script below.
It has been compile tested.

No memory allocation is involved in this patch, so no GFP_ tweak is needed.

@@ @@
-    PCI_DMA_BIDIRECTIONAL
+    DMA_BIDIRECTIONAL

@@ @@
-    PCI_DMA_TODEVICE
+    DMA_TO_DEVICE

@@ @@
-    PCI_DMA_FROMDEVICE
+    DMA_FROM_DEVICE

@@ @@
-    PCI_DMA_NONE
+    DMA_NONE

@@
expression e1, e2, e3;
@@
-    pci_alloc_consistent(e1, e2, e3)
+    dma_alloc_coherent(&amp;e1-&gt;dev, e2, e3, GFP_)

@@
expression e1, e2, e3;
@@
-    pci_zalloc_consistent(e1, e2, e3)
+    dma_alloc_coherent(&amp;e1-&gt;dev, e2, e3, GFP_)

@@
expression e1, e2, e3, e4;
@@
-    pci_free_consistent(e1, e2, e3, e4)
+    dma_free_coherent(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_map_single(e1, e2, e3, e4)
+    dma_map_single(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_single(e1, e2, e3, e4)
+    dma_unmap_single(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4, e5;
@@
-    pci_map_page(e1, e2, e3, e4, e5)
+    dma_map_page(&amp;e1-&gt;dev, e2, e3, e4, e5)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_page(e1, e2, e3, e4)
+    dma_unmap_page(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_map_sg(e1, e2, e3, e4)
+    dma_map_sg(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_sg(e1, e2, e3, e4)
+    dma_unmap_sg(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_single_for_cpu(e1, e2, e3, e4)
+    dma_sync_single_for_cpu(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_single_for_device(e1, e2, e3, e4)
+    dma_sync_single_for_device(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_sg_for_cpu(e1, e2, e3, e4)
+    dma_sync_sg_for_cpu(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_sg_for_device(e1, e2, e3, e4)
+    dma_sync_sg_for_device(&amp;e1-&gt;dev, e2, e3, e4)

@@
expression e1, e2;
@@
-    pci_dma_mapping_error(e1, e2)
+    dma_mapping_error(&amp;e1-&gt;dev, e2)

@@
expression e1, e2;
@@
-    pci_set_dma_mask(e1, e2)
+    dma_set_mask(&amp;e1-&gt;dev, e2)

@@
expression e1, e2;
@@
-    pci_set_consistent_dma_mask(e1, e2)
+    dma_set_coherent_mask(&amp;e1-&gt;dev, e2)

Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Link: https://lore.kernel.org/r/f6fe24f2372c8c627a08ace7187bfe60d35788b6.1629580314.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: r592: Change the name of the 'pci_driver' structure to be consistent</title>
<updated>2021-08-24T14:59:38Z</updated>
<author>
<name>Christophe JAILLET</name>
<email>christophe.jaillet@wanadoo.fr</email>
</author>
<published>2021-08-21T21:17:15Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=2b50c81fb7284d9122b98e8227cd8c6495238bd6'/>
<id>urn:sha1:2b50c81fb7284d9122b98e8227cd8c6495238bd6</id>
<content type='text'>
This driver is all about r592.

Axe the reference to r852 in the 'pci_driver' structure name. This is
likely a copy/paste typo left as is when the driver has been created.

Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Link: https://lore.kernel.org/r/258f76acc73d5c448b9cb5dab4c39d80d517c7a9.1629580585.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: rtsx_usb_ms: fix UAF</title>
<updated>2021-06-14T11:57:39Z</updated>
<author>
<name>Tong Zhang</name>
<email>ztong0001@gmail.com</email>
</author>
<published>2021-05-11T16:39:45Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39'/>
<id>urn:sha1:42933c8aa14be1caa9eda41f65cde8a3a95d3e39</id>
<content type='text'>
This patch fixes the following issues:
1. memstick_free_host() will free the host, so the use of ms_dev(host) after
it will be a problem. To fix this, move memstick_free_host() after when we
are done with ms_dev(host).
2. In rtsx_usb_ms_drv_remove(), pm needs to be disabled before we remove
and free host otherwise memstick_check will be called and UAF will
happen.

[   11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[   11.357077]  rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[   11.357376]  platform_remove+0x2a/0x50
[   11.367531] Freed by task 298:
[   11.368537]  kfree+0xa4/0x2a0
[   11.368711]  device_release+0x51/0xe0
[   11.368905]  kobject_put+0xa2/0x120
[   11.369090]  rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]
[   11.369386]  platform_remove+0x2a/0x50

[   12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0
[   12.045432]  mutex_lock+0xc9/0xd0
[   12.046080]  memstick_check+0x6a/0x578 [memstick]
[   12.046509]  process_one_work+0x46d/0x750
[   12.052107] Freed by task 297:
[   12.053115]  kfree+0xa4/0x2a0
[   12.053272]  device_release+0x51/0xe0
[   12.053463]  kobject_put+0xa2/0x120
[   12.053647]  rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]
[   12.053939]  platform_remove+0x2a/0x50

Signed-off-by: Tong Zhang &lt;ztong0001@gmail.com&gt;
Co-developed-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: r592: ignore kfifo_out() return code again</title>
<updated>2021-04-26T09:08:23Z</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2021-04-21T13:51:58Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=2f156712be4ab4c2707e096d619dc8bfbd01d388'/>
<id>urn:sha1:2f156712be4ab4c2707e096d619dc8bfbd01d388</id>
<content type='text'>
A minor cleanup to address a clang warning removed an assigned
but unused local variable, but this now caused a gcc warning as
kfifo_out() is annotated to require checking its return code:

In file included from drivers/memstick/host/r592.h:13,
                 from drivers/memstick/host/r592.c:21:
drivers/memstick/host/r592.c: In function 'r592_flush_fifo_write':
include/linux/kfifo.h:588:1: error: ignoring return value of '__kfifo_uint_must_check_helper' declared with attribute 'warn_unused_result' [-Werror=unused-result]
  588 | __kfifo_uint_must_check_helper( \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  589 | ({ \
      | ~~~~
  590 |         typeof((fifo) + 1) __tmp = (fifo); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  591 |         typeof(__tmp-&gt;ptr) __buf = (buf); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  592 |         unsigned long __n = (n); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~
  593 |         const size_t __recsize = sizeof(*__tmp-&gt;rectype); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  594 |         struct __kfifo *__kfifo = &amp;__tmp-&gt;kfifo; \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  595 |         (__recsize) ?\
      |         ~~~~~~~~~~~~~~
  596 |         __kfifo_out_r(__kfifo, __buf, __n, __recsize) : \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  597 |         __kfifo_out(__kfifo, __buf, __n); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  598 | }) \
      | ~~~~
  599 | )
      | ~
drivers/memstick/host/r592.c:367:9: note: in expansion of macro 'kfifo_out'
  367 |         kfifo_out(&amp;dev-&gt;pio_fifo, buffer, 4);
      |         ^~~~~~~~~

The value was never checked here, and the purpose of the function
is only to flush the contents, so restore the old behavior but
add a cast to void and a comment, which hopefully warns with neither
gcc nor clang now.

If anyone has an idea for how to fix it without ignoring the return
code, that is probably better.

Fixes: 4b00ed3c5072 ("memstick: r592: remove unused variable")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Link: https://lore.kernel.org/r/20210421135215.3414589-1-arnd@kernel.org
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: r592: remove unused variable</title>
<updated>2021-04-15T09:00:03Z</updated>
<author>
<name>Jiapeng Chong</name>
<email>jiapeng.chong@linux.alibaba.com</email>
</author>
<published>2021-04-14T02:21:43Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=4b00ed3c5072751fc46677970f4d84683b555969'/>
<id>urn:sha1:4b00ed3c5072751fc46677970f4d84683b555969</id>
<content type='text'>
Fix the following clang warning:

drivers/memstick/host/r592.c:363:6: warning: variable ‘len’ set but not
used [-Wunused-but-set-variable].

Reported-by: Abaci Robot &lt;abaci@linux.alibaba.com&gt;
Signed-off-by: Jiapeng Chong &lt;jiapeng.chong@linux.alibaba.com&gt;
Link: https://lore.kernel.org/r/1618366903-94346-1-git-send-email-jiapeng.chong@linux.alibaba.com
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: r592: Fix error return in r592_probe()</title>
<updated>2020-12-04T11:27:10Z</updated>
<author>
<name>Jing Xiangfeng</name>
<email>jingxiangfeng@huawei.com</email>
</author>
<published>2020-11-25T01:47:18Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=db29d3d1c2451e673e29c7257471e3ce9d50383a'/>
<id>urn:sha1:db29d3d1c2451e673e29c7257471e3ce9d50383a</id>
<content type='text'>
Fix to return an error code from the error handling case instead of 0.

Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
Signed-off-by: Jing Xiangfeng &lt;jingxiangfeng@huawei.com&gt;
Link: https://lore.kernel.org/r/20201125014718.153563-1-jingxiangfeng@huawei.com
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
<entry>
<title>memstick: tifm: remove unneeded semicolon</title>
<updated>2020-11-16T10:59:28Z</updated>
<author>
<name>Tom Rix</name>
<email>trix@redhat.com</email>
</author>
<published>2020-10-31T14:27:56Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/linux-dev/commit/?id=a85344d347284cc3d81e8fc230788d3f82b9bb45'/>
<id>urn:sha1:a85344d347284cc3d81e8fc230788d3f82b9bb45</id>
<content type='text'>
A semicolon is not needed after a switch statement.

Signed-off-by: Tom Rix &lt;trix@redhat.com&gt;
Link: https://lore.kernel.org/r/20201031142756.2140029-1-trix@redhat.com
Signed-off-by: Ulf Hansson &lt;ulf.hansson@linaro.org&gt;
</content>
</entry>
</feed>
