Hello linux-usb and linux-arm.
Ccing security@ because "the kernel dma code is mapping randomish
kernel/user mem to a user process" seems to have security implications
even though i didnt research that aspect past "its a 100% reliable way
to crash a raspi from userspace".
tried submitting this through linux-arm-kernel ~2 weeks ago but
the only "response" i got was phishing-spam.
tried to follow up through raspi-internals chat, they suggested
i try linux-usb instead, but otoh the original reporter was
deflected from -usb to "try some other mls, they might care".
https://www.spinics.net/lists/linux-usb/msg173277.html
if i am not following some arcane ritual or indenting convention required
by regular users of these lists i apologize in advance, but i am not a
kernel developer, i am just here as a user with a bug and a patch.
(and the vger FAQ link 404s...)
i rediffed against HEAD even though the two weeks old patch still applied
cleanly with +2 offset.
# stepping off soap box # actual technical content starts here #
this is a followup to that thread from 2018-11:
https://www.spinics.net/lists/arm-kernel/msg685598.html
the issue was discussed in more detail than i can claim
to fully understand back then, but no fix ever merged.
but i would really like to use rtl_433 on a raspi without
having to build a custom-patched kernel first.
the attached patch is my stripdown/cleanup of a devel-diff
provided to me by the original reporter Steve Markgraf.
credits to him for the good parts, blame to me for the bad parts.
this does not cover the additional case of "PIO-based usb controllers"
mainly because i dont understand what that means (or how to handle it)
and if its broken right now (as the thread indicates) it might
as well stay broken until someone who understands cares enough.
could you please get this on track for merging?
regards,
x23
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index b265ab5405f9..69594c2169ea 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -238,9 +238,14 @@ static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
usbm->vma_use_count = 1;
INIT_LIST_HEAD(&usbm->memlist);
+#ifdef CONFIG_X86
if (remap_pfn_range(vma, vma->vm_start,
virt_to_phys(usbm->mem) >> PAGE_SHIFT,
size, vma->vm_page_prot) < 0) {
+#else /* !CONFIG_X86 */
+ if (dma_mmap_coherent(ps->dev->bus->sysdev,
+ vma, mem, dma_handle, size) < 0) {
+#endif /* !CONFIG_X86 */
dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
return -EAGAIN;
}
