linux-stable.git/drivers/memstick, branch v5.13.2 Linux kernel stable tree memstick: rtsx_usb_ms: fix UAF 2021-07-14T15:06:25+00:00 Tong Zhang ztong0001@gmail.com 2021-05-11T16:39:45+00:00 e0a53f67fed6f8563de7077879a54994ec4b721b [ Upstream commit 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 ] This patch fixes the following issues: 1. memstick_free_host() will free the host, so the use of ms_dev(host) after it will be a problem. To fix this, move memstick_free_host() after when we are done with ms_dev(host). 2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove and free host otherwise memstick_check will be called and UAF will happen. [ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms] [ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms] [ 11.357376] platform_remove+0x2a/0x50 [ 11.367531] Freed by task 298: [ 11.368537] kfree+0xa4/0x2a0 [ 11.368711] device_release+0x51/0xe0 [ 11.368905] kobject_put+0xa2/0x120 [ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms] [ 11.369386] platform_remove+0x2a/0x50 [ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0 [ 12.045432] mutex_lock+0xc9/0xd0 [ 12.046080] memstick_check+0x6a/0x578 [memstick] [ 12.046509] process_one_work+0x46d/0x750 [ 12.052107] Freed by task 297: [ 12.053115] kfree+0xa4/0x2a0 [ 12.053272] device_release+0x51/0xe0 [ 12.053463] kobject_put+0xa2/0x120 [ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms] [ 12.053939] platform_remove+0x2a/0x50 Signed-off-by: Tong Zhang <ztong0001@gmail.com> Co-developed-by: Ulf Hansson <ulf.hansson@linaro.org> Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 ]

This patch fixes the following issues:
1. memstick_free_host() will free the host, so the use of ms_dev(host) after
it will be a problem. To fix this, move memstick_free_host() after when we
are done with ms_dev(host).
2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove
and free host otherwise memstick_check will be called and UAF will
happen.

[   11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[   11.357077]  rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[   11.357376]  platform_remove+0x2a/0x50
[   11.367531] Freed by task 298:
[   11.368537]  kfree+0xa4/0x2a0
[   11.368711]  device_release+0x51/0xe0
[   11.368905]  kobject_put+0xa2/0x120
[   11.369090]  rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]
[   11.369386]  platform_remove+0x2a/0x50

[   12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0
[   12.045432]  mutex_lock+0xc9/0xd0
[   12.046080]  memstick_check+0x6a/0x578 [memstick]
[   12.046509]  process_one_work+0x46d/0x750
[   12.052107] Freed by task 297:
[   12.053115]  kfree+0xa4/0x2a0
[   12.053272]  device_release+0x51/0xe0
[   12.053463]  kobject_put+0xa2/0x120
[   12.053647]  rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]
[   12.053939]  platform_remove+0x2a/0x50

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Co-developed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
memstick: r592: ignore kfifo_out() return code again 2021-04-26T09:08:23+00:00 Arnd Bergmann arnd@arndb.de 2021-04-21T13:51:58+00:00 2f156712be4ab4c2707e096d619dc8bfbd01d388 A minor cleanup to address a clang warning removed an assigned but unused local variable, but this now caused a gcc warning as kfifo_out() is annotated to require checking its return code: In file included from drivers/memstick/host/r592.h:13, from drivers/memstick/host/r592.c:21: drivers/memstick/host/r592.c: In function 'r592_flush_fifo_write': include/linux/kfifo.h:588:1: error: ignoring return value of '__kfifo_uint_must_check_helper' declared with attribute 'warn_unused_result' [-Werror=unused-result] 588 | __kfifo_uint_must_check_helper( \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 589 | ({ \ | ~~~~ 590 | typeof((fifo) + 1) __tmp = (fifo); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 591 | typeof(__tmp->ptr) __buf = (buf); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 592 | unsigned long __n = (n); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~ 593 | const size_t __recsize = sizeof(*__tmp->rectype); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 594 | struct __kfifo *__kfifo = &__tmp->kfifo; \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 595 | (__recsize) ?\ | ~~~~~~~~~~~~~~ 596 | __kfifo_out_r(__kfifo, __buf, __n, __recsize) : \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 597 | __kfifo_out(__kfifo, __buf, __n); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 598 | }) \ | ~~~~ 599 | ) | ~ drivers/memstick/host/r592.c:367:9: note: in expansion of macro 'kfifo_out' 367 | kfifo_out(&dev->pio_fifo, buffer, 4); | ^~~~~~~~~ The value was never checked here, and the purpose of the function is only to flush the contents, so restore the old behavior but add a cast to void and a comment, which hopefully warns with neither gcc nor clang now. If anyone has an idea for how to fix it without ignoring the return code, that is probably better. Fixes: 4b00ed3c5072 ("memstick: r592: remove unused variable") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20210421135215.3414589-1-arnd@kernel.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
A minor cleanup to address a clang warning removed an assigned
but unused local variable, but this now caused a gcc warning as
kfifo_out() is annotated to require checking its return code:

In file included from drivers/memstick/host/r592.h:13,
                 from drivers/memstick/host/r592.c:21:
drivers/memstick/host/r592.c: In function 'r592_flush_fifo_write':
include/linux/kfifo.h:588:1: error: ignoring return value of '__kfifo_uint_must_check_helper' declared with attribute 'warn_unused_result' [-Werror=unused-result]
  588 | __kfifo_uint_must_check_helper( \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  589 | ({ \
      | ~~~~
  590 |         typeof((fifo) + 1) __tmp = (fifo); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  591 |         typeof(__tmp->ptr) __buf = (buf); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  592 |         unsigned long __n = (n); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~
  593 |         const size_t __recsize = sizeof(*__tmp->rectype); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  594 |         struct __kfifo *__kfifo = &__tmp->kfifo; \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  595 |         (__recsize) ?\
      |         ~~~~~~~~~~~~~~
  596 |         __kfifo_out_r(__kfifo, __buf, __n, __recsize) : \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  597 |         __kfifo_out(__kfifo, __buf, __n); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  598 | }) \
      | ~~~~
  599 | )
      | ~
drivers/memstick/host/r592.c:367:9: note: in expansion of macro 'kfifo_out'
  367 |         kfifo_out(&dev->pio_fifo, buffer, 4);
      |         ^~~~~~~~~

The value was never checked here, and the purpose of the function
is only to flush the contents, so restore the old behavior but
add a cast to void and a comment, which hopefully warns with neither
gcc nor clang now.

If anyone has an idea for how to fix it without ignoring the return
code, that is probably better.

Fixes: 4b00ed3c5072 ("memstick: r592: remove unused variable")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20210421135215.3414589-1-arnd@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: r592: remove unused variable 2021-04-15T09:00:03+00:00 Jiapeng Chong jiapeng.chong@linux.alibaba.com 2021-04-14T02:21:43+00:00 4b00ed3c5072751fc46677970f4d84683b555969 Fix the following clang warning: drivers/memstick/host/r592.c:363:6: warning: variable ‘len’ set but not used [-Wunused-but-set-variable]. Reported-by: Abaci Robot <abaci@linux.alibaba.com> Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com> Link: https://lore.kernel.org/r/1618366903-94346-1-git-send-email-jiapeng.chong@linux.alibaba.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
Fix the following clang warning:

drivers/memstick/host/r592.c:363:6: warning: variable ‘len’ set but not
used [-Wunused-but-set-variable].

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Link: https://lore.kernel.org/r/1618366903-94346-1-git-send-email-jiapeng.chong@linux.alibaba.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: Remove useless else branch 2021-03-30T09:42:04+00:00 Joey Pabalan jpabalanb@gmail.com 2021-03-13T17:37:40+00:00 9a8a369bd0b0c172b880f3393bb0322de98dc97c Remove else branch on line 334 of memstick.c, after the return of the previous branch. Found by checkpatch. Signed-off-by: Joey Pabalan <jpabalanb@gmail.com> Link: https://lore.kernel.org/r/20210313173740.GA580681@joeylaptop Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
Remove else branch on line 334 of memstick.c, after the return of the
previous branch. Found by checkpatch.

Signed-off-by: Joey Pabalan <jpabalanb@gmail.com>
Link: https://lore.kernel.org/r/20210313173740.GA580681@joeylaptop
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: core: Assign error code of mspro_block_resume() 2021-03-30T09:42:02+00:00 Jia-Ju Bai baijiaju1990@gmail.com 2021-03-05T02:14:45+00:00 8c87dab92f90c4c8f45d7ac302da878e269d3695 When mspro_block_init_card() fails, no error return code of mspro_block_resume() is assigned/propagated. Let's fix this. Reported-by: TOTE Robot <oslab@tsinghua.edu.cn> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Link: https://lore.kernel.org/r/20210305021445.3435-1-baijiaju1990@gmail.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
When mspro_block_init_card() fails, no error return code of
mspro_block_resume() is assigned/propagated. Let's fix this.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Link: https://lore.kernel.org/r/20210305021445.3435-1-baijiaju1990@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: r592: Fix error return in r592_probe() 2020-12-04T11:27:10+00:00 Jing Xiangfeng jingxiangfeng@huawei.com 2020-11-25T01:47:18+00:00 db29d3d1c2451e673e29c7257471e3ce9d50383a Fix to return a error code from the error handling case instead of 0. Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com> Link: https://lore.kernel.org/r/20201125014718.153563-1-jingxiangfeng@huawei.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
Fix to return a error code from the error handling case instead of 0.

Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
Link: https://lore.kernel.org/r/20201125014718.153563-1-jingxiangfeng@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: fix a double-free bug in memstick_check 2020-11-24T10:26:55+00:00 Qinglang Miao miaoqinglang@huawei.com 2020-11-20T07:48:46+00:00 e3e9ced5c93803d5b2ea1942c4bf0192622531d6 kfree(host->card) has been called in put_device so that another kfree would raise cause a double-free bug. Fixes: 0193383a5833 ("memstick: core: fix device_register() error handling") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com> Link: https://lore.kernel.org/r/20201120074846.31322-1-miaoqinglang@huawei.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
kfree(host->card) has been called in put_device so that
another kfree would raise cause a double-free bug.

Fixes: 0193383a5833 ("memstick: core: fix device_register() error handling")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
Link: https://lore.kernel.org/r/20201120074846.31322-1-miaoqinglang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: tifm: remove unneeded semicolon 2020-11-16T10:59:28+00:00 Tom Rix trix@redhat.com 2020-10-31T14:27:56+00:00 a85344d347284cc3d81e8fc230788d3f82b9bb45 A semicolon is not needed after a switch statement. Signed-off-by: Tom Rix <trix@redhat.com> Link: https://lore.kernel.org/r/20201031142756.2140029-1-trix@redhat.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
A semicolon is not needed after a switch statement.

Signed-off-by: Tom Rix <trix@redhat.com>
Link: https://lore.kernel.org/r/20201031142756.2140029-1-trix@redhat.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: mspro_block: remove unneeded semicolon 2020-11-16T10:59:28+00:00 Tom Rix trix@redhat.com 2020-10-31T13:48:18+00:00 8c3c0aca1a0cef20ac739b63f26971849b0f453a A semicolon is not needed after a switch statement. Signed-off-by: Tom Rix <trix@redhat.com> Link: https://lore.kernel.org/r/20201031134818.2135446-1-trix@redhat.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
A semicolon is not needed after a switch statement.

Signed-off-by: Tom Rix <trix@redhat.com>
Link: https://lore.kernel.org/r/20201031134818.2135446-1-trix@redhat.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: jmb38x_ms: remove unneeded semicolon 2020-11-16T10:59:28+00:00 Tom Rix trix@redhat.com 2020-10-31T14:25:05+00:00 fb8298631b11ba81e4326f8a8e54505e8439d28d A semicolon is not needed after a switch statement. Signed-off-by: Tom Rix <trix@redhat.com> Link: https://lore.kernel.org/r/20201031142505.2139539-1-trix@redhat.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
A semicolon is not needed after a switch statement.

Signed-off-by: Tom Rix <trix@redhat.com>
Link: https://lore.kernel.org/r/20201031142505.2139539-1-trix@redhat.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>