From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.comm,
Ruihan Li <lrh2000@pku.edu.cn>,
Alan Stern <stern@rowland.harvard.edu>
Subject: [PATCH 5.4 32/45] usb: usbfs: Enforce page requirements for mmap
Date: Mon, 12 Jun 2023 12:26:26 +0200 [thread overview]
Message-ID: <20230612101655.957855054@linuxfoundation.org> (raw)
In-Reply-To: <20230612101654.644983109@linuxfoundation.org>
From: Ruihan Li <lrh2000@pku.edu.cn>
commit 0143d148d1e882fb1538dc9974c94d63961719b9 upstream.
The current implementation of usbdev_mmap uses usb_alloc_coherent to
allocate memory pages that will later be mapped into the user space.
Meanwhile, usb_alloc_coherent employs three different methods to
allocate memory, as outlined below:
* If hcd->localmem_pool is non-null, it uses gen_pool_dma_alloc to
allocate memory;
* If DMA is not available, it uses kmalloc to allocate memory;
* Otherwise, it uses dma_alloc_coherent.
However, it should be noted that gen_pool_dma_alloc does not guarantee
that the resulting memory will be page-aligned. Furthermore, trying to
map slab pages (i.e., memory allocated by kmalloc) into the user space
is not resonable and can lead to problems, such as a type confusion bug
when PAGE_TABLE_CHECK=y [1].
To address these issues, this patch introduces hcd_alloc_coherent_pages,
which addresses the above two problems. Specifically,
hcd_alloc_coherent_pages uses gen_pool_dma_alloc_align instead of
gen_pool_dma_alloc to ensure that the memory is page-aligned. To replace
kmalloc, hcd_alloc_coherent_pages directly allocates pages by calling
__get_free_pages.
Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.comm
Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1]
Fixes: f7d34b445abc ("USB: Add support for usbfs zerocopy.")
Fixes: ff2437befd8f ("usb: host: Fix excessive alignment restriction for local memory allocations")
Cc: stable@vger.kernel.org
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20230515130958.32471-2-lrh2000@pku.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/buffer.c | 41 +++++++++++++++++++++++++++++++++++++++++
drivers/usb/core/devio.c | 9 +++++----
include/linux/usb/hcd.h | 5 +++++
3 files changed, 51 insertions(+), 4 deletions(-)
--- a/drivers/usb/core/buffer.c
+++ b/drivers/usb/core/buffer.c
@@ -170,3 +170,44 @@ void hcd_buffer_free(
}
dma_free_coherent(hcd->self.sysdev, size, addr, dma);
}
+
+void *hcd_buffer_alloc_pages(struct usb_hcd *hcd,
+ size_t size, gfp_t mem_flags, dma_addr_t *dma)
+{
+ if (size == 0)
+ return NULL;
+
+ if (hcd->localmem_pool)
+ return gen_pool_dma_alloc_align(hcd->localmem_pool,
+ size, dma, PAGE_SIZE);
+
+ /* some USB hosts just use PIO */
+ if (!hcd_uses_dma(hcd)) {
+ *dma = DMA_MAPPING_ERROR;
+ return (void *)__get_free_pages(mem_flags,
+ get_order(size));
+ }
+
+ return dma_alloc_coherent(hcd->self.sysdev,
+ size, dma, mem_flags);
+}
+
+void hcd_buffer_free_pages(struct usb_hcd *hcd,
+ size_t size, void *addr, dma_addr_t dma)
+{
+ if (!addr)
+ return;
+
+ if (hcd->localmem_pool) {
+ gen_pool_free(hcd->localmem_pool,
+ (unsigned long)addr, size);
+ return;
+ }
+
+ if (!hcd_uses_dma(hcd)) {
+ free_pages((unsigned long)addr, get_order(size));
+ return;
+ }
+
+ dma_free_coherent(hcd->self.sysdev, size, addr, dma);
+}
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -173,6 +173,7 @@ static int connected(struct usb_dev_stat
static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
{
struct usb_dev_state *ps = usbm->ps;
+ struct usb_hcd *hcd = bus_to_hcd(ps->dev->bus);
unsigned long flags;
spin_lock_irqsave(&ps->lock, flags);
@@ -181,8 +182,8 @@ static void dec_usb_memory_use_count(str
list_del(&usbm->memlist);
spin_unlock_irqrestore(&ps->lock, flags);
- usb_free_coherent(ps->dev, usbm->size, usbm->mem,
- usbm->dma_handle);
+ hcd_buffer_free_pages(hcd, usbm->size,
+ usbm->mem, usbm->dma_handle);
usbfs_decrease_memory_usage(
usbm->size + sizeof(struct usb_memory));
kfree(usbm);
@@ -234,8 +235,8 @@ static int usbdev_mmap(struct file *file
goto error_decrease_mem;
}
- mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
- &dma_handle);
+ mem = hcd_buffer_alloc_pages(hcd,
+ size, GFP_USER | __GFP_NOWARN, &dma_handle);
if (!mem) {
ret = -ENOMEM;
goto error_free_usbm;
--- a/include/linux/usb/hcd.h
+++ b/include/linux/usb/hcd.h
@@ -503,6 +503,11 @@ void *hcd_buffer_alloc(struct usb_bus *b
void hcd_buffer_free(struct usb_bus *bus, size_t size,
void *addr, dma_addr_t dma);
+void *hcd_buffer_alloc_pages(struct usb_hcd *hcd,
+ size_t size, gfp_t mem_flags, dma_addr_t *dma);
+void hcd_buffer_free_pages(struct usb_hcd *hcd,
+ size_t size, void *addr, dma_addr_t dma);
+
/* generic bus glue, needed for host controllers that don't use PCI */
extern irqreturn_t usb_hcd_irq(int irq, void *__hcd);
next prev parent reply other threads:[~2023-06-12 10:31 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 10:25 [PATCH 5.4 00/45] 5.4.247-rc1 review Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 01/45] blk-iocost: avoid 64-bit division in ioc_timer_fn Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 02/45] block/blk-iocost (gcc13): keep large values in a new enum Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 03/45] i40iw: fix build warning in i40iw_manage_apbvt() Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 04/45] i40e: fix build warnings in i40e_alloc.h Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 5.4 05/45] spi: qup: Request DMA before enabling clocks Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 06/45] neighbour: Replace zero-length array with flexible-array member Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 07/45] neighbour: fix unaligned access to pneigh_entry Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 08/45] net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 09/45] Bluetooth: Fix l2cap_disconnect_req deadlock Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 10/45] Bluetooth: L2CAP: Add missing checks for invalid DCID Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 11/45] netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 12/45] netfilter: ipset: Add schedule point in call_ad() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 13/45] rfs: annotate lockless accesses to sk->sk_rxhash Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 14/45] rfs: annotate lockless accesses to RFS sock flow table Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 15/45] net: sched: move rtm_tca_policy declaration to include file Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 16/45] net: sched: fix possible refcount leak in tc_chain_tmplt_add() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 17/45] lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 18/45] bnxt_en: Query default VLAN before VNIC setup on a VF Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 19/45] batman-adv: Broken sync while rescheduling delayed work Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 20/45] Input: xpad - delete a Razer DeathAdder mouse VID/PID entry Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 21/45] Input: psmouse - fix OOB access in Elantech protocol Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 22/45] ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01 Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 23/45] ALSA: hda/realtek: Add Lenovo P3 Tower platform Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 24/45] drm/amdgpu: fix xclk freq on CHIP_STONEY Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 25/45] can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 26/45] can: j1939: change j1939_netdev_lock type to mutex Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 27/45] can: j1939: avoid possible use-after-free when j1939_can_rx_register fails Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 28/45] ceph: fix use-after-free bug for inodes when flushing capsnaps Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 29/45] Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 30/45] rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 31/45] pinctrl: meson-axg: add missing GPIOA_18 gpio group Greg Kroah-Hartman
2023-06-12 10:26 ` Greg Kroah-Hartman [this message]
2023-06-12 10:26 ` [PATCH 5.4 33/45] usb: usbfs: Use consistent mmap functions Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 34/45] bonding (gcc13): synchronize bond_{a,t}lb_xmit() types Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 35/45] i2c: sprd: Delete i2c adapter in .removes error path Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 36/45] eeprom: at24: also select REGMAP Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 37/45] ext4: only check dquot_initialize_needed() when debugging Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 38/45] cifs: get rid of unused parameter in reconn_setup_dfs_targets() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 39/45] cifs: handle empty list of targets in cifs_reconnect() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 40/45] drm/atomic: Dont pollute crtc_state->mode_blob with error pointers Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 41/45] rbd: get snapshot context after exclusive lock is ensured to be held Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 42/45] btrfs: check return value of btrfs_commit_transaction in relocation Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 43/45] btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 44/45] mtd: spinand: macronix: Add support for MX35LFxGE4AD Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 5.4 45/45] Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE" Greg Kroah-Hartman
2023-06-12 21:54 ` [PATCH 5.4 00/45] 5.4.247-rc1 review Chris Paterson
2023-06-12 22:20 ` Shuah Khan
2023-06-13 8:38 ` Jon Hunter
2023-06-13 9:06 ` Naresh Kamboju
2023-06-13 12:16 ` Harshit Mogalapalli
2023-06-13 12:18 ` Sudip Mukherjee (Codethink)
2023-06-13 23:09 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230612101655.957855054@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=lrh2000@pku.edu.cn \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.comm \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.