From 2b0e9643154a643abba31a0604bba6bb4fd03763 Mon Sep 17 00:00:00 2001 From: Mark Brown Date: Wed, 19 Jun 2024 11:48:45 +0800 Subject: [PATCH 1/3] spi: Fix deadlock when adding SPI controllers on SPI buses MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mainline inclusion from mainline-v5.15-rc6 commit 6098475d4cb48d821bdf453c61118c56e26294f0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RBZI CVE: CVE-2021-47469 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6098475d4cb48d821bdf453c61118c56e26294f0 -------------------------------- Currently we have a global spi_add_lock which we take when adding new devices so that we can check that we're not trying to reuse a chip select that's already controlled. This means that if the SPI device is itself a SPI controller and triggers the instantiation of further SPI devices we trigger a deadlock as we try to register and instantiate those devices while in the process of doing so for the parent controller and hence already holding the global spi_add_lock. Since we only care about concurrency within a single SPI bus move the lock to be per controller, avoiding the deadlock. This can be easily triggered in the case of spi-mux. Reported-by: Uwe Kleine-König Signed-off-by: Mark Brown Conflicts: drivers/spi/spi.c [Resolve conflicts due to several refactor patches not merged.] Signed-off-by: Zeng Heng --- drivers/spi/spi.c | 15 +++++---------- include/linux/spi/spi.h | 3 +++ 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 857a1399850c..d5bc995de16b 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -472,12 +472,6 @@ static LIST_HEAD(spi_controller_list); */ static DEFINE_MUTEX(board_lock); -/* - * Prevents addition of devices with same chip select and - * addition of devices below an unregistering controller. - */ -static DEFINE_MUTEX(spi_add_lock); - /** * spi_alloc_device - Allocate a new SPI device * @ctlr: Controller to which device is connected @@ -581,7 +575,7 @@ int spi_add_device(struct spi_device *spi) * chipselect **BEFORE** we call setup(), else we'll trash * its configuration. Lock against concurrent add() calls. */ - mutex_lock(&spi_add_lock); + mutex_lock(&ctlr->add_lock); status = bus_for_each_dev(&spi_bus_type, NULL, spi, spi_dev_check); if (status) { @@ -625,7 +619,7 @@ int spi_add_device(struct spi_device *spi) } done: - mutex_unlock(&spi_add_lock); + mutex_unlock(&ctlr->add_lock); return status; } EXPORT_SYMBOL_GPL(spi_add_device); @@ -2730,6 +2724,7 @@ int spi_register_controller(struct spi_controller *ctlr) spin_lock_init(&ctlr->bus_lock_spinlock); mutex_init(&ctlr->bus_lock_mutex); mutex_init(&ctlr->io_mutex); + mutex_init(&ctlr->add_lock); ctlr->bus_lock_flag = 0; init_completion(&ctlr->xfer_completion); if (!ctlr->max_dma_len) @@ -2875,7 +2870,7 @@ void spi_unregister_controller(struct spi_controller *ctlr) /* Prevent addition of new devices, unregister existing ones */ if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_lock(&spi_add_lock); + mutex_lock(&ctlr->add_lock); device_for_each_child(&ctlr->dev, NULL, __unregister); @@ -2906,7 +2901,7 @@ void spi_unregister_controller(struct spi_controller *ctlr) mutex_unlock(&board_lock); if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_unlock(&spi_add_lock); + mutex_unlock(&ctlr->add_lock); } EXPORT_SYMBOL_GPL(spi_unregister_controller); diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h index e1d88630ff24..8f5ed0beeea4 100644 --- a/include/linux/spi/spi.h +++ b/include/linux/spi/spi.h @@ -527,6 +527,9 @@ struct spi_controller { /* I/O mutex */ struct mutex io_mutex; + /* Used to avoid adding the same CS twice */ + struct mutex add_lock; + /* lock and mutex for SPI bus locking */ spinlock_t bus_lock_spinlock; struct mutex bus_lock_mutex; -- Gitee From db2d81fa3f0b2997c66bed8dcb8ecf94e5c30e13 Mon Sep 17 00:00:00 2001 From: Michael Walle Date: Wed, 19 Jun 2024 11:48:46 +0800 Subject: [PATCH 2/3] spi: fix use-after-free of the add_lock mutex MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mainline inclusion from mainline-v5.16-rc2 commit 6c53b45c71b4920b5e62f0ea8079a1da382b9434 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RBZI CVE: CVE-2021-47469 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6c53b45c71b4920b5e62f0ea8079a1da382b9434 -------------------------------- Commit 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on SPI buses") introduced a per-controller mutex. But mutex_unlock() of said lock is called after the controller is already freed: spi_unregister_controller(ctlr) -> put_device(&ctlr->dev) -> spi_controller_release(dev) -> mutex_unlock(&ctrl->add_lock) Move the put_device() after the mutex_unlock(). Fixes: 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on SPI buses") Signed-off-by: Michael Walle Reviewed-by: Uwe Kleine-König Reviewed-by: Lukas Wunner Cc: stable@vger.kernel.org # v5.15 Link: https://lore.kernel.org/r/20211111083713.3335171-1-michael@walle.cc Signed-off-by: Mark Brown Signed-off-by: Zeng Heng --- drivers/spi/spi.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index d5bc995de16b..d510b9ca798f 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -2888,12 +2888,6 @@ void spi_unregister_controller(struct spi_controller *ctlr) device_del(&ctlr->dev); - /* Release the last reference on the controller if its driver - * has not yet been converted to devm_spi_alloc_master/slave(). - */ - if (!ctlr->devm_allocated) - put_device(&ctlr->dev); - /* free bus id */ mutex_lock(&board_lock); if (found == ctlr) @@ -2902,6 +2896,12 @@ void spi_unregister_controller(struct spi_controller *ctlr) if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) mutex_unlock(&ctlr->add_lock); + + /* Release the last reference on the controller if its driver + * has not yet been converted to devm_spi_alloc_master/slave(). + */ + if (!ctlr->devm_allocated) + put_device(&ctlr->dev); } EXPORT_SYMBOL_GPL(spi_unregister_controller); -- Gitee From b84923cca4102ee6dcda0768a65cc0fe20132033 Mon Sep 17 00:00:00 2001 From: Zeng Heng Date: Wed, 19 Jun 2024 11:48:47 +0800 Subject: [PATCH 3/3] spi: fix kabi breakage in struct spi_controller hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RBZI CVE: CVE-2021-47469 -------------------------------- Move struct mutex add_lock from struct spi_controller to struct device in case of kabi breakage in struct spi_controller. Fixes: 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on SPI buses") Signed-off-by: Zeng Heng --- drivers/spi/spi.c | 37 ++++++++++++++++++++++++++----------- include/linux/device.h | 8 ++++++++ include/linux/spi/spi.h | 3 --- 3 files changed, 34 insertions(+), 14 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index d510b9ca798f..49ff49d97745 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -575,7 +575,7 @@ int spi_add_device(struct spi_device *spi) * chipselect **BEFORE** we call setup(), else we'll trash * its configuration. Lock against concurrent add() calls. */ - mutex_lock(&ctlr->add_lock); + mutex_lock(ctlr->dev.add_lock); status = bus_for_each_dev(&spi_bus_type, NULL, spi, spi_dev_check); if (status) { @@ -619,7 +619,7 @@ int spi_add_device(struct spi_device *spi) } done: - mutex_unlock(&ctlr->add_lock); + mutex_unlock(ctlr->dev.add_lock); return status; } EXPORT_SYMBOL_GPL(spi_add_device); @@ -2682,14 +2682,20 @@ int spi_register_controller(struct spi_controller *ctlr) if (status) return status; + ctlr->dev.add_lock = kmalloc(sizeof(struct mutex), GFP_KERNEL); + if (!ctlr->dev.add_lock) + return -ENOMEM; + if (ctlr->bus_num >= 0) { /* devices with a fixed bus num must check-in with the num */ mutex_lock(&board_lock); id = idr_alloc(&spi_master_idr, ctlr, ctlr->bus_num, ctlr->bus_num + 1, GFP_KERNEL); mutex_unlock(&board_lock); - if (WARN(id < 0, "couldn't get idr")) - return id == -ENOSPC ? -EBUSY : id; + if (WARN(id < 0, "couldn't get idr")) { + status = (id == -ENOSPC) ? -EBUSY : id; + goto free_add_lock; + } ctlr->bus_num = id; } else if (ctlr->dev.of_node) { /* allocate dynamic bus number using Linux idr */ @@ -2700,8 +2706,10 @@ int spi_register_controller(struct spi_controller *ctlr) id = idr_alloc(&spi_master_idr, ctlr, ctlr->bus_num, ctlr->bus_num + 1, GFP_KERNEL); mutex_unlock(&board_lock); - if (WARN(id < 0, "couldn't get idr")) - return id == -ENOSPC ? -EBUSY : id; + if (WARN(id < 0, "couldn't get idr")) { + status = (id == -ENOSPC) ? -EBUSY : id; + goto free_add_lock; + } } } if (ctlr->bus_num < 0) { @@ -2715,8 +2723,11 @@ int spi_register_controller(struct spi_controller *ctlr) id = idr_alloc(&spi_master_idr, ctlr, first_dynamic, 0, GFP_KERNEL); mutex_unlock(&board_lock); - if (WARN(id < 0, "couldn't get idr")) - return id; + if (WARN(id < 0, "couldn't get idr")) { + status = id; + goto free_add_lock; + } + ctlr->bus_num = id; } INIT_LIST_HEAD(&ctlr->queue); @@ -2724,7 +2735,7 @@ int spi_register_controller(struct spi_controller *ctlr) spin_lock_init(&ctlr->bus_lock_spinlock); mutex_init(&ctlr->bus_lock_mutex); mutex_init(&ctlr->io_mutex); - mutex_init(&ctlr->add_lock); + mutex_init(ctlr->dev.add_lock); ctlr->bus_lock_flag = 0; init_completion(&ctlr->xfer_completion); if (!ctlr->max_dma_len) @@ -2801,6 +2812,8 @@ int spi_register_controller(struct spi_controller *ctlr) mutex_lock(&board_lock); idr_remove(&spi_master_idr, ctlr->bus_num); mutex_unlock(&board_lock); +free_add_lock: + kfree(ctlr->dev.add_lock); return status; } EXPORT_SYMBOL_GPL(spi_register_controller); @@ -2870,7 +2883,7 @@ void spi_unregister_controller(struct spi_controller *ctlr) /* Prevent addition of new devices, unregister existing ones */ if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_lock(&ctlr->add_lock); + mutex_lock(ctlr->dev.add_lock); device_for_each_child(&ctlr->dev, NULL, __unregister); @@ -2895,7 +2908,9 @@ void spi_unregister_controller(struct spi_controller *ctlr) mutex_unlock(&board_lock); if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_unlock(&ctlr->add_lock); + mutex_unlock(ctlr->dev.add_lock); + + kfree(ctlr->dev.add_lock); /* Release the last reference on the controller if its driver * has not yet been converted to devm_spi_alloc_master/slave(). diff --git a/include/linux/device.h b/include/linux/device.h index 62b127bffdda..2f1de6f3d1c5 100644 --- a/include/linux/device.h +++ b/include/linux/device.h @@ -567,7 +567,15 @@ struct device { bool dma_ops_bypass : 1; #endif /* Use device_extended after all RESERVE fields used */ +#ifdef CONFIG_SPI_MASTER + /* + * Reserved for struct spi_controller. + * Used to avoid adding the same CS twice. + */ + KABI_USE(1, struct mutex *add_lock) +#else KABI_RESERVE(1) +#endif KABI_RESERVE(2) KABI_RESERVE(3) KABI_RESERVE(4) diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h index 8f5ed0beeea4..e1d88630ff24 100644 --- a/include/linux/spi/spi.h +++ b/include/linux/spi/spi.h @@ -527,9 +527,6 @@ struct spi_controller { /* I/O mutex */ struct mutex io_mutex; - /* Used to avoid adding the same CS twice */ - struct mutex add_lock; - /* lock and mutex for SPI bus locking */ spinlock_t bus_lock_spinlock; struct mutex bus_lock_mutex; -- Gitee