From patchwork Thu Sep 7 22:37:26 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1831163
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/L][PATCH 1/1] media: usb: siano: Fix warning due to null work_func_t function pointer
Date: Thu, 7 Sep 2023 18:37:26 -0400
Message-Id: <20230907223726.54322-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230907223726.54322-1-yuxuan.luo@canonical.com>
References: <20230907223726.54322-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions
From: Duoming Zhou

The previous commit ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") adds cancel_work_sync() in smsusb_stop_streaming(). But smsusb_stop_streaming() may be called, even if the work_struct surb->wq has not been initialized. As a result, the warning will occur. One of the processes that could lead to the warning is shown below:

smsusb_probe()
  smsusb_init_device()
    if (!dev->in_ep || !dev->out_ep || align < 0) {
      smsusb_term_device(intf);
        smsusb_stop_streaming()
          cancel_work_sync(&dev->surbs[i].wq);
            __cancel_work_timer()
              __flush_work()
                if (WARN_ON(!work->func)) // work->func is null

The log reported by syzbot is shown below:

WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063
Modules linked in:
CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0
RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066
...
RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246
RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8
RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8
R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160
 smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
 smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344
 smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419
 smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567
...
This patch adds check before cancel_work_sync(). If surb->wq has not been initialized, the cancel_work_sync() will not be executed. Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") Signed-off-by: Duoming Zhou Signed-off-by: Hans Verkuil (cherry picked from commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6) CVE-2023-4132 Signed-off-by: Yuxuan Luo --- drivers/media/usb/siano/smsusb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c index 6f443c542c6da..640737d3b8aeb 100644 --- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -179,7 +179,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) for (i = 0; i < MAX_URBS; i++) { usb_kill_urb(&dev->surbs[i].urb); - cancel_work_sync(&dev->surbs[i].wq); + if (dev->surbs[i].wq.func) + cancel_work_sync(&dev->surbs[i].wq); if (dev->surbs[i].cb) { smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
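Review bot: the guard `+ if (dev->surbs[i].wq.func)` is only a valid "was INIT_WORK called" test if `dev->surbs[]` is zero-filled before the early-exit path in smsusb_init_device() can reach smsusb_term_device(); the hunk does not show the allocation of `dev`, so a one-line comment above the check stating that surbs come zeroed from allocation (and that INIT_WORK is the only writer of `func`) would make that invariant explicit for future readers, and the commit message could name the allocation site. Note also that `usb_kill_urb(&dev->surbs[i].urb)` in the same loop stays unconditional, which is worth a sentence in the message saying why the urb does not need the same treatment.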
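As an added, constructed illustration (not kernel code and not part of this patch) of the failure mode the commit message describes, the following userspace model replays the probe-fails-before-INIT_WORK path through both the unpatched and the patched teardown; work_struct, INIT_WORK and cancel_work_sync are simplified stand-ins whose names mirror the kernel API, and the WARN_ON(!work->func) in __flush_work() is modelled as a counter.

```c
#include <string.h>
/* Constructed userspace model of the smsusb teardown bug; not kernel code.
 * work_struct, INIT_WORK and cancel_work_sync are stand-ins: the kernel's
 * __flush_work() does WARN_ON(!work->func), modelled here as a counter. */
typedef void (*work_func_t)(void *);
struct work_struct { work_func_t func; };
#define INIT_WORK(w, f) ((w)->func = (f))
#define MAX_URBS 16

struct smsusb_urb_t { struct work_struct wq; };
struct smsusb_device_t { struct smsusb_urb_t surbs[MAX_URBS]; };
static int warn_count; /* number of WARN_ON(!work->func) hits */

static void cancel_work_sync(struct work_struct *w)
{
    if (!w->func) { warn_count++; return; } /* WARN_ON(!work->func) */
    /* the real call would wait for a running w->func to finish here */
}
static void do_submit_urb(void *p) { (void)p; }

/* Before the fix: cancel every work item unconditionally. */
static void stop_streaming_unpatched(struct smsusb_device_t *dev)
{
    for (int i = 0; i < MAX_URBS; i++)
        cancel_work_sync(&dev->surbs[i].wq);
}

/* After the fix: skip work items that INIT_WORK never initialised. */
static void stop_streaming_patched(struct smsusb_device_t *dev)
{
    for (int i = 0; i < MAX_URBS; i++)
        if (dev->surbs[i].wq.func)
            cancel_work_sync(&dev->surbs[i].wq);
}

/* Simulate probe and teardown. init_ok=0 models the early exit in
 * smsusb_init_device() before INIT_WORK ran; memset stands in for kzalloc,
 * and the fix relies on that zeroing. Returns the number of warnings. */
static int simulate(int patched, int init_ok)
{
    struct smsusb_device_t dev;
    memset(&dev, 0, sizeof dev);
    warn_count = 0;
    if (init_ok)
        for (int i = 0; i < MAX_URBS; i++)
            INIT_WORK(&dev.surbs[i].wq, do_submit_urb);
    if (patched) stop_streaming_patched(&dev);
    else stop_streaming_unpatched(&dev);
    return warn_count;
}
```

The unpatched teardown warns once per surb when probe bails out early; the patched one warns on neither path, and both behave identically once INIT_WORK has run.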