On 12-12-22 07:05 pm, Greg Kroah-Hartman wrote:
On Mon, Dec 12, 2022 at 06:54:24PM +0530, Prashanth K wrote:
Function pointer ki_complete() expects 'long' as its second argument, but we pass integer from ffs_user_copy_worker. This might cause a CFI failure, as ki_complete is an indirect call with mismatched prototype. Fix this by typecasting the second argument to long.
"might"? Does it or not? If it does, why hasn't this been reported before?
Sorry for the confusion in commit text, We caught a CFI (Control Flow Integrity) failure internally on 5.15, hence pushed this patch. But later I came to know that CFI was implemented on 5.4 kernel for Android. Will push the same on ACK and share the related details there.
Thanks.
Cc: stable@vger.kernel.org # 5.15
CFI first showed up in 6.1, not 5.15, right?
Signed-off-by: Prashanth K quic_prashk@quicinc.com
drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 73dc10a7..9c26561 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -835,7 +835,7 @@ static void ffs_user_copy_worker(struct work_struct *work) kthread_unuse_mm(io_data->mm); }
- io_data->kiocb->ki_complete(io_data->kiocb, ret);
- io_data->kiocb->ki_complete(io_data->kiocb, (long)ret);
Why just fix up this one instance? What about ep_user_copy_worker()? And what about all other calls to ki_complete that are not using a (long) cast?
This feels wrong, what exactly is the reported error and how come other kernel calls to this function pointer have not had a problem with CFI? ceph_aio_complete() would be another example, right?
thanks,
greg k-h