Re: usb: f_fs: Fix CFI failure in ki_complete
From: Prashanth K
Date: Wed Dec 14 2022 - 08:08:41 EST
On 12-12-22 07:05 pm, Greg Kroah-Hartman wrote:
On Mon, Dec 12, 2022 at 06:54:24PM +0530, Prashanth K wrote:
Function pointer ki_complete() expects 'long' as its second
argument, but we pass integer from ffs_user_copy_worker. This
might cause a CFI failure, as ki_complete is an indirect call
with mismatched prototype. Fix this by typecasting the second
argument to long.
"might"? Does it or not? If it does, why hasn't this been reported
before?
Sorry for the confusion in commit text, We caught a CFI (Control Flow
Integrity) failure internally on 5.15, hence pushed this patch. But
later I came to know that CFI was implemented on 5.4 kernel for Android.
Will push the same on ACK and share the related details there.
Thanks.
Cc: <stable@xxxxxxxxxxxxxxx> # 5.15
CFI first showed up in 6.1, not 5.15, right?
Signed-off-by: Prashanth K <quic_prashk@xxxxxxxxxxx>
---
drivers/usb/gadget/function/f_fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 73dc10a7..9c26561 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -835,7 +835,7 @@ static void ffs_user_copy_worker(struct work_struct *work)
kthread_unuse_mm(io_data->mm);
}
- io_data->kiocb->ki_complete(io_data->kiocb, ret);
+ io_data->kiocb->ki_complete(io_data->kiocb, (long)ret);
Why just fix up this one instance? What about ep_user_copy_worker()?
And what about all other calls to ki_complete that are not using a
(long) cast?
This feels wrong, what exactly is the reported error and how come other
kernel calls to this function pointer have not had a problem with CFI?
ceph_aio_complete() would be another example, right?
thanks,
greg k-h