Received: by 10.223.185.116 with SMTP id b49csp6379399wrg;
        Wed, 28 Feb 2018 08:27:05 -0800 (PST)
X-Google-Smtp-Source: AH8x227CMjtLtwrd77nEnHP6so2TFwfs6dOtAwEbs3R4HpkkmesZmVYmPZUJeBKathdhFWLpIW3+
X-Received: by 10.101.90.10 with SMTP id y10mr14652193pgs.34.1519835225640;
        Wed, 28 Feb 2018 08:27:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519835225; cv=none;
        d=google.com; s=arc-20160816;
        b=ElPDewClXktS2AYoSsR3anBuXx4cPgCbaLAmmE82tI2k405j0+FQ5hqb3inLZcrvP1
         HnCbEXLwfhPBNj/NaDB5UFnP/Zwh2RPd6LCKyeRwSLh3pbYXlDw1Slxj81vEKe9PCmch
         H7LHVFc7U3XM+y/L7rwEQqOLJKVS2C+VeZYk5uRZd7Wn8TEPZtDAxkKD2FLGsLwveJcM
         EzkFPEGrXg+lQ8h9STOirwsrgpaBjstUVX2PLmJS8py5Kk8jx0scKGloNvv88f7FxkRm
         R0CZm64cBWbf4ThxVOV5QALq0Zeyr+HQ19EnZ/Bhd9BMHmERaqGLaEEoPY2piMD6TcKh
         algA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition
         :arc-authentication-results;
        bh=CQj/lbL7yKb0tJyIFALgCbIFbxBRTqRmFz9akKX7kio=;
        b=IfjPW2FrBJiDZ1qkUzZvdVOBImBHwWkVDLWc99aQ4JZeFbAV/KQStYyVjEfbIQk1df
         TkAFpp9uNKUuunLg4sr8+g1JxuX+wjRHD8yBOgy5/PHKeCw8iRDQFnBqueZtggA5OXeT
         hyOX+aFZyDym038OuGHqOtLzDTdNhFOx5zXfKRFyVcM1/mlr6eap0MrihdnBz+iZLSKS
         4xGDBeTr5Ggf2Jcpnn38MXcV2XZkZjvJ+sazGHQDdfi6zpHGd2Q3lLl0ltSlqJ9DT0yb
         DhoH8VTcRZcaWEY68SLUXFZCdOi5AC1hePFrasxWBAlTUr+fqvxCAd05FBQLoTJzpgDg
         6irg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k67si1457697pfj.298.2018.02.28.08.26.49;
        Wed, 28 Feb 2018 08:27:05 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S935117AbeB1QUZ (ORCPT <rfc822;speed.demon0047@gmail.com>
        + 99 others); Wed, 28 Feb 2018 11:20:25 -0500
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35339 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S935024AbeB1QUW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 28 Feb 2018 11:20:22 -0500
Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <ben@decadent.org.uk>)
        id 1er3Yq-0006Xd-Kb; Wed, 28 Feb 2018 15:22:28 +0000
Received: from ben by deadeye with local (Exim 4.90_1)
        (envelope-from <ben@decadent.org.uk>)
        id 1er3Yj-0000Ep-Ag; Wed, 28 Feb 2018 15:22:21 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org,
        "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
        "" <syzbot+f9831b881b3e849829fc@syzkaller.appspotmail.com>,
        "Pete Zaitcev" <zaitcev@redhat.com>
Date:   Wed, 28 Feb 2018 15:20:18 +0000
Message-ID: <lsq.1519831218.929926917@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 190/254] USB: fix usbmon BUG trigger
In-Reply-To: <lsq.1519831217.271785318@decadent.org.uk>
X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pete Zaitcev <zaitcev@redhat.com>

commit 46eb14a6e1585d99c1b9f58d0e7389082a5f466b upstream.

Automated tests triggered this by opening usbmon and accessing the
mmap while simultaneously resizing the buffers. This bug was with
us since 2006, because typically applications only size the buffers
once and thus avoid racing. Reported by Kirill A. Shutemov.

Reported-by: <syzbot+f9831b881b3e849829fc@syzkaller.appspotmail.com>
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/mon/mon_bin.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -1000,7 +1000,9 @@ static long mon_bin_ioctl(struct file *f
 		break;
 
 	case MON_IOCQ_RING_SIZE:
+		mutex_lock(&rp->fetch_lock);
 		ret = rp->b_size;
+		mutex_unlock(&rp->fetch_lock);
 		break;
 
 	case MON_IOCT_RING_SIZE:
@@ -1227,12 +1229,16 @@ static int mon_bin_vma_fault(struct vm_a
 	unsigned long offset, chunk_idx;
 	struct page *pageptr;
 
+	mutex_lock(&rp->fetch_lock);
 	offset = vmf->pgoff << PAGE_SHIFT;
-	if (offset >= rp->b_size)
+	if (offset >= rp->b_size) {
+		mutex_unlock(&rp->fetch_lock);
 		return VM_FAULT_SIGBUS;
+	}
 	chunk_idx = offset / CHUNK_SIZE;
 	pageptr = rp->b_vec[chunk_idx].pg;
 	get_page(pageptr);
+	mutex_unlock(&rp->fetch_lock);
 	vmf->page = pageptr;
 	return 0;
 }