From patchwork Tue Jan 14 10:02:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233943 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55826C33CB2 for ; Tue, 14 Jan 2020 10:12:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 22DBC2468E for ; Tue, 14 Jan 2020 10:12:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996753; bh=szTmjal4HSnrS63ZUWmwLqq0z7P6GeYyZyvacrzg/KA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=jFEBErGGgfMkVYmwlSePs5iCmyxD4NGPOIp4JxDal+G5OKYBTlLXJXdYu5FH1tLZS fvcfLu+TC7OD9jzVoYYt2MtsqaY9H767r6WpgQkDkVEBY5ISjWRZbrX9ojSohXh4hI Csorz5zLGeuF3WFwUEkbCZdvnwYZLzjWq41r1Bts= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729660AbgANKMb (ORCPT ); Tue, 14 Jan 2020 05:12:31 -0500 Received: from mail.kernel.org ([198.145.29.99]:48968 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729503AbgANKMa (ORCPT ); Tue, 14 Jan 2020 05:12:30 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E0907207FF; Tue, 14 Jan 2020 10:12:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996749; bh=szTmjal4HSnrS63ZUWmwLqq0z7P6GeYyZyvacrzg/KA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ok48/CYxIkoeW5fHF4DFA8cr6p7dKSl+cXn4QeQYrWl3pzfRCOJqis6v2qz5zlVBX 1cPkgAe0MUxiQhRKFPypDu7blpBCN/71VooTlLTjEArILePny/CJhWUBrZorf3I80s HCzJyvHlpF8ORn2yah5lhFzYQqvGHlFqSwBC8EKw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hillf Danton , Andrew Morton , Al Viro , syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com, Will Deacon Subject: [PATCH 4.4 02/28] chardev: Avoid potential use-after-free in chrdev_open() Date: Tue, 14 Jan 2020 11:02:04 +0100 Message-Id: <20200114094337.950728924@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Will Deacon commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079 upstream. 'chrdev_open()' calls 'cdev_get()' to obtain a reference to the 'struct cdev *' stashed in the 'i_cdev' field of the target inode structure. If the pointer is NULL, then it is initialised lazily by looking up the kobject in the 'cdev_map' and so the whole procedure is protected by the 'cdev_lock' spinlock to serialise initialisation of the shared pointer. Unfortunately, it is possible for the initialising thread to fail *after* installing the new pointer, for example if the subsequent '->open()' call on the file fails. In this case, 'cdev_put()' is called, the reference count on the kobject is dropped and, if nobody else has taken a reference, the release function is called which finally clears 'inode->i_cdev' from 'cdev_purge()' before potentially freeing the object. The problem here is that a racing thread can happily take the 'cdev_lock' and see the non-NULL pointer in the inode, which can result in a refcount increment from zero and a warning: | ------------[ cut here ]------------ | refcount_t: addition on 0; use-after-free. | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0 | Modules linked in: | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 | RIP: 0010:refcount_warn_saturate+0x6d/0xf0 | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08 | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282 | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000 | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798 | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039 | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700 | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700 | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0 | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 | Call Trace: | kobject_get+0x5c/0x60 | cdev_get+0x2b/0x60 | chrdev_open+0x55/0x220 | ? cdev_put.part.3+0x20/0x20 | do_dentry_open+0x13a/0x390 | path_openat+0x2c8/0x1470 | do_filp_open+0x93/0x100 | ? selinux_file_ioctl+0x17f/0x220 | do_sys_open+0x186/0x220 | do_syscall_64+0x48/0x150 | entry_SYSCALL_64_after_hwframe+0x44/0xa9 | RIP: 0033:0x7f3b87efcd0e | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4 | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000 | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000 | ---[ end trace 24f53ca58db8180a ]--- Since 'cdev_get()' can already fail to obtain a reference, simply move it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()', which will cause the racing thread to return -ENXIO if the initialising thread fails unexpectedly. Cc: Hillf Danton Cc: Andrew Morton Cc: Al Viro Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com Signed-off-by: Will Deacon Cc: stable Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org Signed-off-by: Greg Kroah-Hartman --- fs/char_dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/char_dev.c +++ b/fs/char_dev.c @@ -332,7 +332,7 @@ static struct kobject *cdev_get(struct c if (owner && !try_module_get(owner)) return NULL; - kobj = kobject_get(&p->kobj); + kobj = kobject_get_unless_zero(&p->kobj); if (!kobj) module_put(owner); return kobj; From patchwork Tue Jan 14 10:02:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233930 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 87896C33CB1 for ; Tue, 14 Jan 2020 10:14:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5C5CA24682 for ; Tue, 14 Jan 2020 10:14:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996876; bh=Vi4p4a1D/3rI5gNJLiMlWS4OLlAFCxSbpuibGAtCf10=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=ZO1kWV7fUtvnUR7OKhR/yBWO5QM3E2voF4W3qS6jq8C0K7QlUP8eaJZ/Pg53eseSo l5EJNywIutqg4LMFQE3PMGo/vqMZuzP00Wx/lIvjtQmSiLNYtHnFMogEoiO3ffWfJf eHaO/AUU/4OqOXySGPI/i0u9xC8mzH3QuwDEW6RI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733075AbgANKMf (ORCPT ); Tue, 14 Jan 2020 05:12:35 -0500 Received: from mail.kernel.org ([198.145.29.99]:49122 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730843AbgANKMf (ORCPT ); Tue, 14 Jan 2020 05:12:35 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5E12724676; Tue, 14 Jan 2020 10:12:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996754; bh=Vi4p4a1D/3rI5gNJLiMlWS4OLlAFCxSbpuibGAtCf10=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XaW3tggBPsJ1b7iEm0zEjqsHGbAOpaUpjo4oGIx+CsDi/Wk6sgk+mZvYOVOLfHAz4 G0ESc8cq3jehXYJD+fm2YLiffz+6rBa5ooOSUx8RGHXxiXZhO1S0HQ8coqKdM2GM4w C90a/pm/pljP3nkQ6WybVlkSbBP9z1jlllK/lVag= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai Subject: [PATCH 4.4 04/28] ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 Date: Tue, 14 Jan 2020 11:02:06 +0100 Message-Id: <20200114094340.277563672@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit 51d4efab7865e6ea6a4ebcd25b3f03c019515c4c upstream. Bose Companion 5 (with USB ID 05a7:1020) doesn't seem supporting reading back the sample rate, so the existing quirk is needed. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206063 Cc: Link: https://lore.kernel.org/r/20200104110936.14288-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/quirks.c | 1 + 1 file changed, 1 insertion(+) --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -1142,6 +1142,7 @@ bool snd_usb_get_sample_rate_quirk(struc case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */ case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */ case USB_ID(0x05A3, 0x9420): /* ELP HD USB Camera */ + case USB_ID(0x05a7, 0x1020): /* Bose Companion 5 */ case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */ case USB_ID(0x1395, 0x740a): /* Sennheiser DECT */ case USB_ID(0x1901, 0x0191): /* GE B850V3 CP2114 audio interface */ From patchwork Tue Jan 14 10:02:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233942 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CF1D9C33CB2 for ; Tue, 14 Jan 2020 10:12:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A57862467D for ; Tue, 14 Jan 2020 10:12:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996759; bh=8W7dvBwMRQLuHVRZsMPvivPXSG58cKKOr57Wv6sdDI8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=FyYnvkix6E8QdTtLj2ISRiXsSzXejTkkwDWkH0/q6moAHdh0WWlXffL3B833po5PT qu2qjThsOtop0albM7uilcHta0hdcYyn++dBYkUgGQ6J/oZp1AUCiWQDn1fbWnIDll IgtLgnXURqy27+T0MOWb/l/PCT6ONZbxBeb0kfyk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733084AbgANKMi (ORCPT ); Tue, 14 Jan 2020 05:12:38 -0500 Received: from mail.kernel.org ([198.145.29.99]:49180 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733081AbgANKMi (ORCPT ); Tue, 14 Jan 2020 05:12:38 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 07DC820678; Tue, 14 Jan 2020 10:12:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996757; bh=8W7dvBwMRQLuHVRZsMPvivPXSG58cKKOr57Wv6sdDI8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=h/F/OrS+53d4w98T41LhAVyga53cNAxym9pSDQw9MVYGI5NG8OORtVtSbHMdiV6ai FdFfYaDDZgjpWh1skrWzjlaSz23GZXbjrPffFhZ1C0L9JRj4B5aihS91bGmqWo0Xsr PKya9Nc3t1TODbxQvL4MKMnI84rpt5wN3R2CYXow= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kaitao Cheng , "Steven Rostedt (VMware)" Subject: [PATCH 4.4 05/28] kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail Date: Tue, 14 Jan 2020 11:02:07 +0100 Message-Id: <20200114094340.513473929@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Kaitao Cheng commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream. In the function, if register_trace_sched_migrate_task() returns error, sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is why fail_deprobe_sched_switch was added. Link: http://lkml.kernel.org/r/20191231133530.2794-1-pilgrimtao@gmail.com Cc: stable@vger.kernel.org Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing") Signed-off-by: Kaitao Cheng Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- kernel/trace/trace_sched_wakeup.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/kernel/trace/trace_sched_wakeup.c +++ b/kernel/trace/trace_sched_wakeup.c @@ -625,7 +625,7 @@ static void start_wakeup_tracer(struct t if (ret) { pr_info("wakeup trace: Couldn't activate tracepoint" " probe to kernel_sched_migrate_task\n"); - return; + goto fail_deprobe_sched_switch; } wakeup_reset(tr); @@ -643,6 +643,8 @@ static void start_wakeup_tracer(struct t printk(KERN_ERR "failed to start wakeup tracer\n"); return; +fail_deprobe_sched_switch: + unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL); fail_deprobe_wake_new: unregister_trace_sched_wakeup_new(probe_wakeup, NULL); fail_deprobe: From patchwork Tue Jan 14 10:02:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233941 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 083DFC33CB1 for ; Tue, 14 Jan 2020 10:12:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D380B24680 for ; Tue, 14 Jan 2020 10:12:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996765; bh=YK3CJYZemEg2rQGzQFkQQ62C9aHq0ZvdV48ceFQasXs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=bzUhOrbCpKQipnfwoukmo3teLs+LPeLQDR0p7TOmqWhxDFI61krEEMBH9its82A+K 7yxXBiJRomI/wuZkt8cp6v/psQDwyxWsf2xmh8/cOvlP720TampIu4YN7KfBIXXK+H bdDFLu72ELmRo9Xs0OvtXfo/Jsqnkjk5DDzMOqIc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731276AbgANKMo (ORCPT ); Tue, 14 Jan 2020 05:12:44 -0500 Received: from mail.kernel.org ([198.145.29.99]:49350 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731337AbgANKMn (ORCPT ); Tue, 14 Jan 2020 05:12:43 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 50F4C207FF; Tue, 14 Jan 2020 10:12:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996762; bh=YK3CJYZemEg2rQGzQFkQQ62C9aHq0ZvdV48ceFQasXs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=stahU4UYbRw8e+ZPo94Hbp4OB52ikCtW80M5ws45VwPJVsUy7kJLzvFqaLd/HSRbl GSiUxWQnV2TmnLpsrVrJTF390JedbpdUvAdOlkA6zryf1phIefd4BAh9hcLyuoe5xi SHApGer9q8gmUWUXOmDPdhqNJprC/XTdd0M3Np2U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , Jiri Kosina , syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com Subject: [PATCH 4.4 07/28] HID: Fix slab-out-of-bounds read in hid_field_extract Date: Tue, 14 Jan 2020 11:02:09 +0100 Message-Id: <20200114094340.971996952@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Alan Stern commit 8ec321e96e056de84022c032ffea253431a83c3c upstream. The syzbot fuzzer found a slab-out-of-bounds bug in the HID report handler. The bug was caused by a report descriptor which included a field with size 12 bits and count 4899, for a total size of 7349 bytes. The usbhid driver uses at most a single-page 4-KB buffer for reports. In the test there wasn't any problem about overflowing the buffer, since only one byte was received from the device. Rather, the bug occurred when the HID core tried to extract the data from the report fields, which caused it to try reading data beyond the end of the allocated buffer. This patch fixes the problem by rejecting any report whose total length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow for a possible report index). In theory a device could have a report longer than that, but if there was such a thing we wouldn't handle it correctly anyway. Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com Signed-off-by: Alan Stern CC: Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman --- drivers/hid/hid-core.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -269,6 +269,12 @@ static int hid_add_field(struct hid_pars offset = report->size; report->size += parser->global.report_size * parser->global.report_count; + /* Total size check: Allow for possible report index byte */ + if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) { + hid_err(parser->device, "report is too long\n"); + return -1; + } + if (!parser->local.usage_index) /* Ignore padding fields */ return 0; From patchwork Tue Jan 14 10:02:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233935 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CDD2CC33CB3 for ; Tue, 14 Jan 2020 10:13:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A5637207FF for ; Tue, 14 Jan 2020 10:13:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996835; bh=qe+amIO6FsqBNpi7ZCNhfwA0gpWZnUNTGkxW7VB5bHw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=ujxRqf67Ey2RyZHpC5X7Ri/LUWjHhFpydoUuIpQk015IiObqvGfjUkSTkddGp9R4Z b3Z5Io2u0Dd3hsmDncsEGm7tKWDnrS8fKD0fx0dppeH47xhZEos5/LYhiuFcm2X5C1 J7ekNdn0ZWOk2wqpS6Zs+Eg7vSwWFwiGyEI0BPow= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733116AbgANKNq (ORCPT ); Tue, 14 Jan 2020 05:13:46 -0500 Received: from mail.kernel.org ([198.145.29.99]:51536 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733108AbgANKNp (ORCPT ); Tue, 14 Jan 2020 05:13:45 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3F22F24676; Tue, 14 Jan 2020 10:13:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996824; bh=qe+amIO6FsqBNpi7ZCNhfwA0gpWZnUNTGkxW7VB5bHw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lY/+flYmY86xiKKflXUEr9X7fMg029fCq/8yLSRvzKOD3b8Ugjwe/6d1xvSJWlVXV szdTQwd//Uh5uTBHgSpY4fRMfflN2QnKhVML66TLFf42ESdHEMUBrlBidV2e/ylHuV 3sxGNGOSJ1qmZofmKJ6IGTZqzc8yqoqM5MwfLjOQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Harry Wentland , Wayne Lin , Lyude Paul Subject: [PATCH 4.4 11/28] drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ Date: Tue, 14 Jan 2020 11:02:13 +0100 Message-Id: <20200114094341.718808413@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Wayne Lin commit c4e4fccc5d52d881afaac11d3353265ef4eccb8b upstream. [Why] According to DP spec, it should shift left 4 digits for NO_STOP_BIT in REMOTE_I2C_READ message. Not 5 digits. In current code, NO_STOP_BIT is always set to zero which means I2C master is always generating a I2C stop at the end of each I2C write transaction while handling REMOTE_I2C_READ sideband message. This issue might have the generated I2C signal not meeting the requirement. Take random read in I2C for instance, I2C master should generate a repeat start to start to read data after writing the read address. This issue will cause the I2C master to generate a stop-start rather than a re-start which is not expected in I2C random read. [How] Correct the shifting value of NO_STOP_BIT for DP_REMOTE_I2C_READ case in drm_dp_encode_sideband_req(). Changes since v1:(https://patchwork.kernel.org/patch/11312667/) * Add more descriptions in commit and cc to stable Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)") Reviewed-by: Harry Wentland Signed-off-by: Wayne Lin Cc: stable@vger.kernel.org Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20200103055001.10287-1-Wayne.Lin@amd.com Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/drm_dp_mst_topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/gpu/drm/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/drm_dp_mst_topology.c @@ -272,7 +272,7 @@ static void drm_dp_encode_sideband_req(s memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes); idx += req->u.i2c_read.transactions[i].num_bytes; - buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 5; + buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4; buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf); idx++; } From patchwork Tue Jan 14 10:02:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233931 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD31AC33CB1 for ; Tue, 14 Jan 2020 10:14:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 93826207FF for ; Tue, 14 Jan 2020 10:14:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996864; bh=la7x7aFzLjJ5M5bG0q9rlD8zmmIiYStPzsQN80+IsqU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=LPuXRwABsXmdhi2diqCQvmQLCuugFsernuxVq7FvGVPXEwrcW2sL+dIh5jX6qKyX5 szRdoOQ93GR2pHh/luQ2LWOJ+QU1Ach//zVJLNP9+pHCVDx0d6pDHA4MqS6YAd+dOV EHIZyNxHhwQzrjIvTWvkeED5Z1iJUR+PMOoIU0aM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729629AbgANKMy (ORCPT ); Tue, 14 Jan 2020 05:12:54 -0500 Received: from mail.kernel.org ([198.145.29.99]:49666 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729532AbgANKMy (ORCPT ); Tue, 14 Jan 2020 05:12:54 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2FE252467D; Tue, 14 Jan 2020 10:12:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996773; bh=la7x7aFzLjJ5M5bG0q9rlD8zmmIiYStPzsQN80+IsqU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tnzTnC5+AMbcAA0S4icA/ZNni6sXWXGxeTLq+VmIh8OCXZl0gBaU+kfSNpGhLa+A4 wnNXj2KfffJkchtcyjdQkBx1vOviaBx7xJVYT9gLFWbi6pc/II71+52Nyfw4Uh8Sbb JMST/RbGlpMeBxxc6zS1P06SIXdATwxhD1WrgpUE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , Marc Kleine-Budde Subject: [PATCH 4.4 12/28] can: gs_usb: gs_usb_probe(): use descriptors of current altsetting Date: Tue, 14 Jan 2020 11:02:14 +0100 Message-Id: <20200114094341.890032359@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Johan Hovold commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream. Make sure to always use the descriptors of the current alternate setting to avoid future issues when accessing fields that may differ between settings. Signed-off-by: Johan Hovold Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman --- drivers/net/can/usb/gs_usb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -847,7 +847,7 @@ static int gs_usb_probe(struct usb_inter GS_USB_BREQ_HOST_FORMAT, USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, 1, - intf->altsetting[0].desc.bInterfaceNumber, + intf->cur_altsetting->desc.bInterfaceNumber, hconf, sizeof(*hconf), 1000); @@ -870,7 +870,7 @@ static int gs_usb_probe(struct usb_inter GS_USB_BREQ_DEVICE_CONFIG, USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, 1, - intf->altsetting[0].desc.bInterfaceNumber, + intf->cur_altsetting->desc.bInterfaceNumber, dconf, sizeof(*dconf), 1000); From patchwork Tue Jan 14 10:02:15 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233938 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B711C33CB2 for ; Tue, 14 Jan 2020 10:13:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D59AE24679 for ; Tue, 14 Jan 2020 10:13:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996801; bh=k18qRjP/nywpIHZ3grDId+QnddItalWgK5eGRgAKNkk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=dr6gboO67Qk3bWUIG6wf0Vr/g/sjbREaSyShh8678tPSk0O5d4jUX8QmkB9lfzzwO fz1MzlfnNhk1d6qYV0NIurOHjyUjEXVRlRCN/B5ydf6ZSB1X7LwlbrA12p5QOO2Um8 ORNNnp9P0tredB6S2JZWCCoASkh3hoDN0Q4w1nYU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732824AbgANKNU (ORCPT ); Tue, 14 Jan 2020 05:13:20 -0500 Received: from mail.kernel.org ([198.145.29.99]:50562 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733174AbgANKNT (ORCPT ); Tue, 14 Jan 2020 05:13:19 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 597F420678; Tue, 14 Jan 2020 10:13:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996798; bh=k18qRjP/nywpIHZ3grDId+QnddItalWgK5eGRgAKNkk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DFJo32+TX3L+QQa559GBv0/ewbgX7itK+sWBpwBo+9Wx2duJdVc9MPzDf0FuN0CLp gaeJlPYd7avcQRqyTNTPxSVYgtgJsv/3yrrT398uyog95PYlCnnVRQRbqs40KsVqqo DocMGhUI15U+zIkA+KJL/Bm5GALezIzlLqOkaQZs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Florian Faber , Marc Kleine-Budde Subject: [PATCH 4.4 13/28] can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode Date: Tue, 14 Jan 2020 11:02:15 +0100 Message-Id: <20200114094342.088889078@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Florian Faber commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream. Under load, the RX side of the mscan driver can get stuck while TX still works. Restarting the interface locks up the system. This behaviour could be reproduced reliably on a MPC5121e based system. The patch fixes the return value of the NAPI polling function (should be the number of processed packets, not constant 1) and the condition under which IRQs are enabled again after polling is finished. With this patch, no more lockups were observed over a test period of ten days. Fixes: afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan") Signed-off-by: Florian Faber Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman --- drivers/net/can/mscan/mscan.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) --- a/drivers/net/can/mscan/mscan.c +++ b/drivers/net/can/mscan/mscan.c @@ -392,13 +392,12 @@ static int mscan_rx_poll(struct napi_str struct net_device *dev = napi->dev; struct mscan_regs __iomem *regs = priv->reg_base; struct net_device_stats *stats = &dev->stats; - int npackets = 0; - int ret = 1; + int work_done = 0; struct sk_buff *skb; struct can_frame *frame; u8 canrflg; - while (npackets < quota) { + while (work_done < quota) { canrflg = in_8(®s->canrflg); if (!(canrflg & (MSCAN_RXF | MSCAN_ERR_IF))) break; @@ -419,18 +418,18 @@ static int mscan_rx_poll(struct napi_str stats->rx_packets++; stats->rx_bytes += frame->can_dlc; - npackets++; + work_done++; netif_receive_skb(skb); } - if (!(in_8(®s->canrflg) & (MSCAN_RXF | MSCAN_ERR_IF))) { - napi_complete(&priv->napi); - clear_bit(F_RX_PROGRESS, &priv->flags); - if (priv->can.state < CAN_STATE_BUS_OFF) - out_8(®s->canrier, priv->shadow_canrier); - ret = 0; + if (work_done < quota) { + if (likely(napi_complete_done(&priv->napi, work_done))) { + clear_bit(F_RX_PROGRESS, &priv->flags); + if (priv->can.state < CAN_STATE_BUS_OFF) + out_8(®s->canrier, priv->shadow_canrier); + } } - return ret; + return work_done; } static irqreturn_t mscan_isr(int irq, void *dev_id) From patchwork Tue Jan 14 10:02:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233934 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D820C33CB1 for ; Tue, 14 Jan 2020 10:14:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 62838207FF for ; Tue, 14 Jan 2020 10:14:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996845; bh=++IoPrVeOtNpc/HS3RKMmAtk7RWzKjdx1GR1mIE0UVs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=lD7y8gHgzhePZcXrA21gAkIF3Ovb4xtZTMiZ0eVghzuT7M+VcjILSEIoUyN4VrZ1U kmpkvSNoAGLfpSny9VL81tQIucvY/G4s9TrEGSEiOoazs+Jc6OQOH5d0g4e1hCcOV7 WJkRtRAgO7OupU4tBFAHI0AhYLzCRW8Ux3040Bc0= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733198AbgANKNa (ORCPT ); Tue, 14 Jan 2020 05:13:30 -0500 Received: from mail.kernel.org ([198.145.29.99]:50874 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732259AbgANKN3 (ORCPT ); Tue, 14 Jan 2020 05:13:29 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 28CD120678; Tue, 14 Jan 2020 10:13:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996808; bh=++IoPrVeOtNpc/HS3RKMmAtk7RWzKjdx1GR1mIE0UVs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jdQ1xVfQHG5DEWwUVYHL1Eh7ks7IxGbxhjSaJ4JVSWCKrD0OWs+geT8KkB5oh9VSe s6xCLugxAJcJuYdWVBxSdH4FhX2umsYuILdFzzs2Q2s5mkZ9we2q9KZCgqyMleuiYR cKaABerTD+ThFVEpbQvcVt1MtnJmuByAeivswQPk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniele Palmas , Johan Hovold Subject: [PATCH 4.4 16/28] USB: serial: option: add ZLP support for 0x1bc7/0x9010 Date: Tue, 14 Jan 2020 11:02:18 +0100 Message-Id: <20200114094342.713235890@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Daniele Palmas commit 2438c3a19dec5e98905fd3ffcc2f24716aceda6b upstream. Telit FN980 flashing device 0x1bc7/0x9010 requires zero packet to be sent if out data size is is equal to the endpoint max size. Signed-off-by: Daniele Palmas [ johan: switch operands in conditional ] Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/option.c | 8 ++++++++ drivers/usb/serial/usb-wwan.h | 1 + drivers/usb/serial/usb_wwan.c | 4 ++++ 3 files changed, 13 insertions(+) --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -566,6 +566,9 @@ static void option_instat_callback(struc /* Interface is reserved */ #define RSVD(ifnum) ((BIT(ifnum) & 0xff) << 0) +/* Device needs ZLP */ +#define ZLP BIT(17) + static const struct usb_device_id option_ids[] = { { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, @@ -1193,6 +1196,8 @@ static const struct usb_device_id option .driver_info = NCTRL(0) | RSVD(1) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */ .driver_info = NCTRL(0) }, + { USB_DEVICE(TELIT_VENDOR_ID, 0x9010), /* Telit SBL FN980 flashing device */ + .driver_info = NCTRL(0) | ZLP }, { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff), .driver_info = RSVD(1) }, @@ -2097,6 +2102,9 @@ static int option_attach(struct usb_seri if (!(device_flags & NCTRL(iface_desc->bInterfaceNumber))) data->use_send_setup = 1; + if (device_flags & ZLP) + data->use_zlp = 1; + spin_lock_init(&data->susp_lock); usb_set_serial_data(serial, data); --- a/drivers/usb/serial/usb-wwan.h +++ b/drivers/usb/serial/usb-wwan.h @@ -35,6 +35,7 @@ struct usb_wwan_intf_private { spinlock_t susp_lock; unsigned int suspended:1; unsigned int use_send_setup:1; + unsigned int use_zlp:1; int in_flight; unsigned int open_ports; void *private; --- a/drivers/usb/serial/usb_wwan.c +++ b/drivers/usb/serial/usb_wwan.c @@ -495,6 +495,7 @@ static struct urb *usb_wwan_setup_urb(st void (*callback) (struct urb *)) { struct usb_serial *serial = port->serial; + struct usb_wwan_intf_private *intfdata = usb_get_serial_data(serial); struct urb *urb; urb = usb_alloc_urb(0, GFP_KERNEL); /* No ISO */ @@ -505,6 +506,9 @@ static struct urb *usb_wwan_setup_urb(st usb_sndbulkpipe(serial->dev, endpoint) | dir, buf, len, callback, ctx); + if (intfdata->use_zlp && dir == USB_DIR_OUT) + urb->transfer_flags |= URB_ZERO_PACKET; + return urb; } From patchwork Tue Jan 14 10:02:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233937 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE88AC33CB3 for ; Tue, 14 Jan 2020 10:13:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C51CB24676 for ; Tue, 14 Jan 2020 10:13:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996814; bh=DqdKq8k+ElV5a+yPjy3KKkiW09hq6K3B7z9btllzCrQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=lPp5jwrQr0C+nBs9AdZTnrd4Hpt95+GWV/qWtDwaB/Kk+rcZo4QSC9tCWuaHF8+U1 hzsiaZBOuQpfgu0zaIfgGxKT5iSLNkGChttYHwje1ERuWLL9edQ2fTTzm2mJOy4buo qAo+qYN4wclHpwIEi89GAW4hIotIi46yGYxUEnlM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729406AbgANKNe (ORCPT ); Tue, 14 Jan 2020 05:13:34 -0500 Received: from mail.kernel.org ([198.145.29.99]:50976 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733209AbgANKNc (ORCPT ); Tue, 14 Jan 2020 05:13:32 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6C58E24676; Tue, 14 Jan 2020 10:13:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996812; bh=DqdKq8k+ElV5a+yPjy3KKkiW09hq6K3B7z9btllzCrQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R+6ce4d+61TJWjuSfnzlRBg/Yghcz50pY3g0+JUyiOSQzdzM8nw+tW7BJKLfR2qye WHHIbbOLfmfuz0BEKBZc5wdxaRS+e6dFouU4TTzeEYou3P22KcjoEq0Yw2uKifqd3E oFiT/hRkcoOaksViD8xZ9EnaRcY0xmssJB2Mz7N8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Paul Cercueil , Bin Liu Subject: [PATCH 4.4 17/28] usb: musb: Disable pullup at init Date: Tue, 14 Jan 2020 11:02:19 +0100 Message-Id: <20200114094343.011684611@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Paul Cercueil commit 96a0c12843109e5c4d5eb1e09d915fdd0ce31d25 upstream. The pullup may be already enabled before the driver is initialized. This happens for instance on JZ4740. It has to be disabled at init time, as we cannot guarantee that a gadget driver will be bound to the UDC. Signed-off-by: Paul Cercueil Suggested-by: Bin Liu Cc: stable@vger.kernel.org Signed-off-by: Bin Liu Link: https://lore.kernel.org/r/20200107152625.857-3-b-liu@ti.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/musb/musb_core.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/musb/musb_core.c +++ b/drivers/usb/musb/musb_core.c @@ -2132,6 +2132,9 @@ musb_init_controller(struct device *dev, musb_platform_disable(musb); musb_generic_disable(musb); + /* MUSB_POWER_SOFTCONN might be already set, JZ4740 does this. */ + musb_writeb(musb->mregs, MUSB_POWER, 0); + /* Init IRQ workqueue before request_irq */ INIT_WORK(&musb->irq_work, musb_irq_work); INIT_DELAYED_WORK(&musb->deassert_reset_work, musb_deassert_reset); From patchwork Tue Jan 14 10:02:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233936 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B2BFC33CB3 for ; Tue, 14 Jan 2020 10:13:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6794024676 for ; Tue, 14 Jan 2020 10:13:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996822; bh=UzvXOQ4JYiy/++WCb2/wCMrivUf5J+A5FNqha8RRVPE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=CpuXDjsS24wQ9Eakf0hcIPZ0MsWIQApW2HWt9mLPotvan/jRQlI0cGk9Gjma6UoH+ 1Q1Qw5h85Oxf2zln3qSYEBZ+V2Il23y+fGv/8T/N+e13Uucjo9wMfrXmTaKsVoWzax ECYAc18m/KOLgc8mNHsY2RdvX+g5CkU0LSIh8ZOQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731453AbgANKNl (ORCPT ); Tue, 14 Jan 2020 05:13:41 -0500 Received: from mail.kernel.org ([198.145.29.99]:51322 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731615AbgANKNj (ORCPT ); Tue, 14 Jan 2020 05:13:39 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 63CB424676; Tue, 14 Jan 2020 10:13:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996818; bh=UzvXOQ4JYiy/++WCb2/wCMrivUf5J+A5FNqha8RRVPE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vbV+vopZBPmtNjTPID21IX1TgLAbQW/ni2Hb44aUFgzEMWGUeQ9o6hdbwZ+iDDCxv 7NbqSghaV76jQqa9+vbx9HBTMC8tkXJqH1WSPtkIiNDIGVgEqvSTMmAhLPaDIFfKw6 FztV1UohW4dntp8h0znDuNU/j4hqG8uFxNBnSh1Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michael Straube Subject: [PATCH 4.4 19/28] staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 Date: Tue, 14 Jan 2020 11:02:21 +0100 Message-Id: <20200114094343.412273247@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Michael Straube commit 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a upstream. This device was added to the stand-alone driver on github. Add it to the staging driver as well. Link: https://github.com/lwfinger/rtl8188eu/commit/b9b537aa25a8 Signed-off-by: Michael Straube Cc: stable Link: https://lore.kernel.org/r/20191228143725.24455-1-straube.linux@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c +++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c @@ -49,6 +49,7 @@ static struct usb_device_id rtw_usb_id_t {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */ {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */ {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ + {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */ {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ {} /* Terminating entry */ From patchwork Tue Jan 14 10:02:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233940 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6BA72C33CB3 for ; Tue, 14 Jan 2020 10:12:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3FB672467A for ; Tue, 14 Jan 2020 10:12:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996779; bh=5HIOlXodj6KSKqOwuWlEHpU/UGJ5CaP6WiWWcZyXtGM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=qBb0S2apg+TLuXI+HNxYxHcY6YSDO5ooqGkLBaMErWysi0dfNhN6MNNSsNX3io6AY f2AfARfISXrhz4nE2o1x8id4hykKOGLWHJE/hPw9RsAwkg3aBO9WZlOU5nV3iiH++D csSOfdtkjMx5M35+T9e2gLOWnu0+MSUSrhUA/uEQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729532AbgANKM5 (ORCPT ); Tue, 14 Jan 2020 05:12:57 -0500 Received: from mail.kernel.org ([198.145.29.99]:49772 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732871AbgANKM4 (ORCPT ); Tue, 14 Jan 2020 05:12:56 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E9D1920678; Tue, 14 Jan 2020 10:12:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996776; bh=5HIOlXodj6KSKqOwuWlEHpU/UGJ5CaP6WiWWcZyXtGM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=F39plONbv/9rwFOU/z9qgkE713T/1qEa3mp3PpIHr97SJyYfBxYtFSVZ82LC3eUxe /jXr/hkEtWnGGncqpN+HFq2kAeDkWnj9BzkdvmxmD1kx0vNl9QJ4vdsmrieQByn6FB kLrqHYT90Y+4jaB+2bc4haM+bjpuiQQIsl5YOKXc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Kenneth R. Crudup" , Sudip Mukherjee Subject: [PATCH 4.4 21/28] tty: always relink the port Date: Tue, 14 Jan 2020 11:02:23 +0100 Message-Id: <20200114094343.787290745@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Sudip Mukherjee commit 273f632912f1b24b642ba5b7eb5022e43a72f3b5 upstream. If the serial device is disconnected and reconnected, it re-enumerates properly but does not link it. fwiw, linking means just saving the port index, so allow it always as there is no harm in saving the same value again even if it tries to relink with the same port. Fixes: fb2b90014d78 ("tty: link tty and port before configuring it as console") Reported-by: Kenneth R. Crudup Signed-off-by: Sudip Mukherjee Cc: stable Link: https://lore.kernel.org/r/20191227174434.12057-1-sudipm.mukherjee@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/tty/tty_port.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/drivers/tty/tty_port.c +++ b/drivers/tty/tty_port.c @@ -48,8 +48,7 @@ void tty_port_link_device(struct tty_por { if (WARN_ON(index >= driver->num)) return; - if (!driver->ports[index]) - driver->ports[index] = port; + driver->ports[index] = port; } EXPORT_SYMBOL_GPL(tty_port_link_device); From patchwork Tue Jan 14 10:02:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233939 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B740C33CB3 for ; Tue, 14 Jan 2020 10:13:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 652E320678 for ; Tue, 14 Jan 2020 10:13:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996785; bh=NyxBHmM4o4wJ3SNfohOpP+c4dFvw3hcpd009Red+JrE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=h2prSLDgGw4DRJa20CvjWFISRJc05LPhDz3ap7+gIfTk/T5T4JnhNau4mSfE3gaIl UaUmFaZDGdRL5eJfCHzmNkE+CeQi/RGi59N68YM9HmWnlcl0MAAkh06IKMhgolmksi jSTeZkQQD1U2RqeVpVr/Tmmw1vY+rnq/pt4MVyqU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730322AbgANKNE (ORCPT ); Tue, 14 Jan 2020 05:13:04 -0500 Received: from mail.kernel.org ([198.145.29.99]:50020 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729728AbgANKND (ORCPT ); Tue, 14 Jan 2020 05:13:03 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 266E024676; Tue, 14 Jan 2020 10:13:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996782; bh=NyxBHmM4o4wJ3SNfohOpP+c4dFvw3hcpd009Red+JrE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RJGElFEY5vrQbOHEdj34pSAnlyMfB2W5DiJ7MGc7gd6nlIRNpySrAmQTEKsxzx2XH DP8ip9j0IVyZ19LWnyYsGDuXbkAO/EwiGbRUNfQupURgOkpQRoJo8Um+Ad8tijh+tm 8fvGMJnAlEiWHp3ZiPQhu+j8ryXgH82cVQL6sjJo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Navid Emamdoost , Ganapathi Bhat , Kalle Valo , Ben Hutchings Subject: [PATCH 4.4 23/28] mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf Date: Tue, 14 Jan 2020 11:02:25 +0100 Message-Id: <20200114094344.171579223@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Navid Emamdoost commit db8fd2cde93227e566a412cf53173ffa227998bc upstream. In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be released if mwifiex_map_pci_memory() fails. The release is added. Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe") Signed-off-by: Navid Emamdoost Acked-by: Ganapathi Bhat Signed-off-by: Kalle Valo Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/mwifiex/pcie.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/net/wireless/mwifiex/pcie.c +++ b/drivers/net/wireless/mwifiex/pcie.c @@ -921,8 +921,10 @@ static int mwifiex_pcie_alloc_cmdrsp_buf } skb_put(skb, MWIFIEX_UPLD_SIZE); if (mwifiex_map_pci_memory(adapter, skb, MWIFIEX_UPLD_SIZE, - PCI_DMA_FROMDEVICE)) + PCI_DMA_FROMDEVICE)) { + kfree_skb(skb); return -1; + } card->cmdrsp_buf = skb; From patchwork Tue Jan 14 10:02:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233932 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4FB67C33CB6 for ; Tue, 14 Jan 2020 10:14:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1A155207FF for ; Tue, 14 Jan 2020 10:14:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996855; bh=N1dZ5j8ezG8ofFzlhREMnbtoxQubWfVwdRTWmdQ3sh4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=0aI9V7pakh/zxYI69Gnq7DF9G+fybYtJ7u1/yjZPXncP0sELikKXM7C7pi3FOTT9c NgK+vEzoJ5nGRuz+JC2dDWA4vkLB+b1EyFIZpNDwIc/DOM+oI8W39ZtIs0KTcLrPhf S3JFuE3khi0XX65tJCVWVRI/2oPz0ZO9TOR+awVg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729963AbgANKNH (ORCPT ); Tue, 14 Jan 2020 05:13:07 -0500 Received: from mail.kernel.org ([198.145.29.99]:50144 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729728AbgANKNG (ORCPT ); Tue, 14 Jan 2020 05:13:06 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CE03C24679; Tue, 14 Jan 2020 10:13:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996786; bh=N1dZ5j8ezG8ofFzlhREMnbtoxQubWfVwdRTWmdQ3sh4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hMdj+uxCI/r/aTiGe8XGouO0WiLETp9HTRgUHTEpnP1Uko31qTuXSLQ4vWsAV1XR6 92RU3wQxlQ8iqeXH6UzoWClKjaY/hti1yk2LbrzQXU2xWwdwLZUSX30DuFwl/PC6IX i7txQIHfN4M9CwEPyqYM6tziOk91UI526fPBrFN8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Navid Emamdoost , "Martin K. Petersen" , Ben Hutchings Subject: [PATCH 4.4 24/28] scsi: bfa: release allocated memory in case of error Date: Tue, 14 Jan 2020 11:02:26 +0100 Message-Id: <20200114094344.348278212@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Navid Emamdoost commit 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 upstream. In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to be released. Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com Signed-off-by: Navid Emamdoost Signed-off-by: Martin K. Petersen Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/bfa/bfad_attr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/scsi/bfa/bfad_attr.c +++ b/drivers/scsi/bfa/bfad_attr.c @@ -282,8 +282,10 @@ bfad_im_get_stats(struct Scsi_Host *shos rc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa), fcstats, bfad_hcb_comp, &fcomp); spin_unlock_irqrestore(&bfad->bfad_lock, flags); - if (rc != BFA_STATUS_OK) + if (rc != BFA_STATUS_OK) { + kfree(fcstats); return NULL; + } wait_for_completion(&fcomp.comp); From patchwork Tue Jan 14 10:02:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 233933 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D8E8C33CB2 for ; Tue, 14 Jan 2020 10:14:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1D6BD207FF for ; Tue, 14 Jan 2020 10:14:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996850; bh=Pu9MidR17lG9AJcWrlirF64G4m7jERiNKwipCx6fMDw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=CA3SZFQsLzcUGgXZ0s5AKkKSqQ3F7D81bKrrJRWZhurm8mQOMeKUDZTULE+cBJDQ/ 05b+CbIeAMQEp6w2HNGKgxZAoR+LQ4nrTrbII+DOoTmME6nI0NERMN5FQdXgCLQ8vV pS78MGUVKFXexFEhe+La3jcm05fpMBapbjaPEK5k= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733170AbgANKNR (ORCPT ); Tue, 14 Jan 2020 05:13:17 -0500 Received: from mail.kernel.org ([198.145.29.99]:50466 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733160AbgANKNQ (ORCPT ); Tue, 14 Jan 2020 05:13:16 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D157120678; Tue, 14 Jan 2020 10:13:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578996795; bh=Pu9MidR17lG9AJcWrlirF64G4m7jERiNKwipCx6fMDw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IrBn96fLaOnau6kt2zn+vYjLpyjKOIbDCtiVUUjB30SNnSHtqD1zO9BD/c0JjhX3T v/nOhydlqiBnuC1FWtJmFPMG27VnV7FJCW1PRyKxT1XQfzQ4ivL10r9yhJoINwBdaG aOYMYZxYmz4Cj11lNw4PYRaadxhPGqbIabIHTfqI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com, Florian Westphal , Cong Wang , Pablo Neira Ayuso Subject: [PATCH 4.4 27/28] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct Date: Tue, 14 Jan 2020 11:02:29 +0100 Message-Id: <20200114094344.929291483@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200114094336.845958665@linuxfoundation.org> References: <20200114094336.845958665@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Florian Westphal commit 1b789577f655060d98d20ed0c6f9fbd469d6ba63 upstream. We get crash when the targets checkentry function tries to make use of the network namespace pointer for arptables. When the net pointer got added back in 2010, only ip/ip6/ebtables were changed to initialize it, so arptables has this set to NULL. This isn't a problem for normal arptables because no existing arptables target has a checkentry function that makes use of par->net. However, direct users of the setsockopt interface can provide any target they want as long as its registered for ARP or UNPSEC protocols. syzkaller managed to send a semi-valid arptables rule for RATEEST target which is enough to trigger NULL deref: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109 [..] xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019 check_target net/ipv4/netfilter/arp_tables.c:399 [inline] find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline] translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572 do_replace net/ipv4/netfilter/arp_tables.c:977 [inline] do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456 Fixes: add67461240c1d ("netfilter: add struct net * to target parameters") Reported-by: syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com Signed-off-by: Florian Westphal Acked-by: Cong Wang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/ipv4/netfilter/arp_tables.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -488,11 +488,12 @@ next: return 1; } -static inline int check_target(struct arpt_entry *e, const char *name) +static int check_target(struct arpt_entry *e, struct net *net, const char *name) { struct xt_entry_target *t = arpt_get_target(e); int ret; struct xt_tgchk_param par = { + .net = net, .table = name, .entryinfo = e, .target = t->u.kernel.target, @@ -510,8 +511,9 @@ static inline int check_target(struct ar return 0; } -static inline int -find_check_entry(struct arpt_entry *e, const char *name, unsigned int size, +static int +find_check_entry(struct arpt_entry *e, struct net *net, const char *name, + unsigned int size, struct xt_percpu_counter_alloc_state *alloc_state) { struct xt_entry_target *t; @@ -531,7 +533,7 @@ find_check_entry(struct arpt_entry *e, c } t->u.kernel.target = target; - ret = check_target(e, name); + ret = check_target(e, net, name); if (ret) goto err; return 0; @@ -632,7 +634,9 @@ static inline void cleanup_entry(struct /* Checks and translates the user-supplied table segment (held in * newinfo). */ -static int translate_table(struct xt_table_info *newinfo, void *entry0, +static int translate_table(struct net *net, + struct xt_table_info *newinfo, + void *entry0, const struct arpt_replace *repl) { struct xt_percpu_counter_alloc_state alloc_state = { 0 }; @@ -709,7 +713,7 @@ static int translate_table(struct xt_tab /* Finally, each sanity check must pass */ i = 0; xt_entry_foreach(iter, entry0, newinfo->size) { - ret = find_check_entry(iter, repl->name, repl->size, + ret = find_check_entry(iter, net, repl->name, repl->size, &alloc_state); if (ret != 0) break; @@ -1114,7 +1118,7 @@ static int do_replace(struct net *net, c goto free_newinfo; } - ret = translate_table(newinfo, loc_cpu_entry, &tmp); + ret = translate_table(net, newinfo, loc_cpu_entry, &tmp); if (ret != 0) goto free_newinfo; @@ -1301,7 +1305,8 @@ compat_copy_entry_from_user(struct compa } } -static int translate_compat_table(struct xt_table_info **pinfo, +static int translate_compat_table(struct net *net, + struct xt_table_info **pinfo, void **pentry0, const struct compat_arpt_replace *compatr) { @@ -1371,7 +1376,7 @@ static int translate_compat_table(struct repl.num_counters = 0; repl.counters = NULL; repl.size = newinfo->size; - ret = translate_table(newinfo, entry1, &repl); + ret = translate_table(net, newinfo, entry1, &repl); if (ret) goto free_newinfo; @@ -1426,7 +1431,7 @@ static int compat_do_replace(struct net goto free_newinfo; } - ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp); + ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); if (ret != 0) goto free_newinfo; @@ -1696,7 +1701,7 @@ struct xt_table *arpt_register_table(str loc_cpu_entry = newinfo->entries; memcpy(loc_cpu_entry, repl->entries, repl->size); - ret = translate_table(newinfo, loc_cpu_entry, repl); + ret = translate_table(net, newinfo, loc_cpu_entry, repl); duprintf("arpt_register_table: translate table gives %d\n", ret); if (ret != 0) goto out_free;