From d5ff8b7b24d0b98f57526f241f157df2c5a14244 Mon Sep 17 00:00:00 2001 From: Qiang Yu Date: Mon, 25 Mar 2024 09:14:06 +0000 Subject: [PATCH] bus: mhi: host: Drop chan lock before queuing buffers stable inclusion from stable-v5.10.209 commit 20a6dea2d1c68d4e03c6bb50bc12e72e226b5c0e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I97NHA CVE: CVE-2023-52493 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=20a6dea2d1c68d4e03c6bb50bc12e72e226b5c0e -------------------------------- Ensure read and write locks for the channel are not taken in succession by dropping the read lock from parse_xfer_event() such that a callback given to client can potentially queue buffers and acquire the write lock in that process. Any queueing of buffers should be done without channel read lock acquired as it can result in multiple locks and a soft lockup. Cc: # 5.7 Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device") Signed-off-by: Qiang Yu Reviewed-by: Jeffrey Hugo Tested-by: Jeffrey Hugo Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/1702276972-41296-3-git-send-email-quic_qianyu@quicinc.com [mani: added fixes tag and cc'ed stable] Signed-off-by: Manivannan Sadhasivam Signed-off-by: Greg Kroah-Hartman Signed-off-by: Guan Jing --- drivers/bus/mhi/host/main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/bus/mhi/host/main.c b/drivers/bus/mhi/host/main.c index 82d6e9e8bddf..b0a83a725069 100644 --- a/drivers/bus/mhi/host/main.c +++ b/drivers/bus/mhi/host/main.c @@ -570,6 +570,8 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, mhi_del_ring_element(mhi_cntrl, tre_ring); local_rp = tre_ring->rp; + read_unlock_bh(&mhi_chan->lock); + /* notify client */ mhi_chan->xfer_cb(mhi_chan->mhi_dev, &result); @@ -592,6 +594,8 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, kfree(buf_info->cb_buf); } } + + read_lock_bh(&mhi_chan->lock); } break; } /* CC_EOT */ -- Gitee