From patchwork Mon Aug 10 15:21:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266670 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9D99C433E0 for ; Mon, 10 Aug 2020 15:29:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 980B022D08 for ; Mon, 10 Aug 2020 15:29:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073398; bh=153lkc7ni49tWjnOa1AHM2bGXCUgmkpx6h3coe7FnQs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=cdNp3paU2xn3Xus5qHrFqaSw95D3BiKzHX/I1sKE3tz5n4TRKeynL6svLf9CiNyHJ 73fLdJRMUJtHJDhbD+EbiNNnKbYZKhTRVKNzRMSbAah4fcdq9ywljhY7pUBQZXNWsF PABNuhYPB1jg7k1J+AMQVTgmJa61QEcJwOdpj6bI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729031AbgHJP35 (ORCPT ); Mon, 10 Aug 2020 11:29:57 -0400 Received: from mail.kernel.org ([198.145.29.99]:36558 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729023AbgHJP3z (ORCPT ); Mon, 10 Aug 2020 11:29:55 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CC68422B47; Mon, 10 Aug 2020 15:29:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073395; bh=153lkc7ni49tWjnOa1AHM2bGXCUgmkpx6h3coe7FnQs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hSDgoCODA2ih/DnZjEFv/jplbjEoh2a+CIjRykhamglJ65DTmutR6FvN9UaKGjAxH b/Tyx/HfOjSmgGuJIV9ILDZgD6hA9XaxkIWs+3hKND9FYcbpKtsYNEzbt/kxv2nXVU 9O1nD2XAremimnm/5VjKPr8hxTxvPazS7sOYZ5X8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mathias Nyman , Forest Crossman Subject: [PATCH 4.19 04/48] usb: xhci: Fix ASMedia ASM1142 DMA addressing Date: Mon, 10 Aug 2020 17:21:26 +0200 Message-Id: <20200810151804.430808893@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Forest Crossman commit ec37198acca7b4c17b96247697406e47aafe0605 upstream. I've confirmed that the ASMedia ASM1142 has the same problem as the ASM2142/ASM3142, in that it too reports that it supports 64-bit DMA addresses when in fact it does not. As with the ASM2142/ASM3142, this can cause problems on systems where the upper bits matter, and adding the XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue. Acked-by: Mathias Nyman Signed-off-by: Forest Crossman Cc: stable Link: https://lore.kernel.org/r/20200728042408.180529-3-cyrozap@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/xhci-pci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -49,6 +49,7 @@ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042 #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 +#define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242 #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142 static const char hcd_name[] = "xhci_hcd"; @@ -234,7 +235,8 @@ static void xhci_pci_quirks(struct devic pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI) xhci->quirks |= XHCI_TRUST_TX_LENGTH; if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && - pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI) + (pdev->device == PCI_DEVICE_ID_ASMEDIA_1142_XHCI || + pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)) xhci->quirks |= XHCI_NO_64BIT_SUPPORT; if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && From patchwork Mon Aug 10 15:21:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266654 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0061AC433E0 for ; Mon, 10 Aug 2020 15:32:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CCB15207FF for ; Mon, 10 Aug 2020 15:32:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073578; bh=PZcRqQCNsNEq1ZS0iX1apEtdikPbEajs+XFzXYEZ6VM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=UpbArU6lgBqaGwN5JPy2zP3QHRImnQdVdkwR3MWtdxxfiY3X7nWr3CgoehHaOe1ZY qjYn9A64YgYVSp0Df9t7mLbEqX/SeWFDgq668dEKzET1GSnKg5fnj3bRJS5Tp2TBia HXfPZdgiZYQKmZvbTwip+1sMKHOSFm9QRsiytcdo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728152AbgHJPaA (ORCPT ); Mon, 10 Aug 2020 11:30:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:36608 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729033AbgHJP36 (ORCPT ); Mon, 10 Aug 2020 11:29:58 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6BF0622D02; Mon, 10 Aug 2020 15:29:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073397; bh=PZcRqQCNsNEq1ZS0iX1apEtdikPbEajs+XFzXYEZ6VM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CJyY/hDz5ge29JKa5430OqgN+RSleU8wioh6yBfZeoPlSWDEDQe838mIoY0hgyjPd 6+uOG/ahZgH+A4Jn6gODWGjYAh1xwYMweemNf4ToUSzqNK3kIPQhv8EsNXxc0HjvKx kL5/sjdJe3nJ3uR7pX2DLRXFYzc/zcxjvjoT+SPI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hui Wang , Takashi Iwai Subject: [PATCH 4.19 05/48] Revert "ALSA: hda: call runtime_allow() for all hda controllers" Date: Mon, 10 Aug 2020 17:21:27 +0200 Message-Id: <20200810151804.483653043@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Hui Wang commit 07c9983b567d0ef33aefc063299de95a987e12a8 upstream. This reverts commit 9a6418487b56 ("ALSA: hda: call runtime_allow() for all hda controllers"). The reverted patch already introduced some regressions on some machines: - on gemini-lake machines, the error of "azx_get_response timeout" happens in the hda driver. - on the machines with alc662 codec, the audio jack detection doesn't work anymore. Fixes: 9a6418487b56 ("ALSA: hda: call runtime_allow() for all hda controllers") BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208511 Cc: Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20200803064638.6139-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/pci/hda/hda_intel.c | 1 - 1 file changed, 1 deletion(-) --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -2478,7 +2478,6 @@ static int azx_probe_continue(struct azx if (azx_has_pm_runtime(chip)) { pm_runtime_use_autosuspend(&pci->dev); - pm_runtime_allow(&pci->dev); pm_runtime_put_autosuspend(&pci->dev); } From patchwork Mon Aug 10 15:21:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266655 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A501C433DF for ; Mon, 10 Aug 2020 15:32:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id F2801207FF for ; Mon, 10 Aug 2020 15:32:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073577; bh=kBMYDFhRnChutM/t5d6Xdcinvd6tqSpoUz7KNV5h4G0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=aQS+FGPaX5smWIXpeVGuuq9b+2v1X7NHkGRAXc0AihkZOkgOyFj6dsIfMO74sRkOs M6P2QAJE/x+nGnyL3jy/j5Urhe00OMJQLaIbh6b2Pi95FwcRS77wRew7LApIzjJP0L fu+TQU5fU/f9sFqenjLQCs0NpWOjsWk1zGY1xPPM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729054AbgHJPaG (ORCPT ); Mon, 10 Aug 2020 11:30:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:36804 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729048AbgHJPaF (ORCPT ); Mon, 10 Aug 2020 11:30:05 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 609D022D08; Mon, 10 Aug 2020 15:30:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073404; bh=kBMYDFhRnChutM/t5d6Xdcinvd6tqSpoUz7KNV5h4G0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AIAK9XlJbOSJjykCdMIKxjl21muabZUWXBn31Bkas2Cg//w+CFLltJ9hbel6NpwB3 ctF1PQm152yjaxP0XzY4VhtwvJjlbGnUpy0Gq+sQMJItHpjhcvQc66seUTOKElpZEs zp48D/dvNtkgoGgKesi2ryHPn9CCQm4FMtfhCpJE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com, Peilin Ye , Marcel Holtmann Subject: [PATCH 4.19 08/48] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() Date: Mon, 10 Aug 2020 17:21:30 +0200 Message-Id: <20200810151804.617146256@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Peilin Ye commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream. Check upon `num_rsp` is insufficient. A malformed event packet with a large `num_rsp` number makes hci_extended_inquiry_result_evt() go out of bounds. Fix it. This patch fixes the following syzbot bug: https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2 Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Peilin Ye Acked-by: Greg Kroah-Hartman Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -4151,7 +4151,7 @@ static void hci_extended_inquiry_result_ BT_DBG("%s num_rsp %d", hdev->name, num_rsp); - if (!num_rsp) + if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) return; if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) From patchwork Mon Aug 10 15:21:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266672 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15608C433DF for ; Mon, 10 Aug 2020 15:29:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DCBA422D0B for ; Mon, 10 Aug 2020 15:29:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073367; bh=dX9lryERl7HaFYydM0XwqRAKMHC6Yu+pe1USL54S/PU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=lqep/wyvYdas3RX7PG1Sh0qL8XiYO0xKP+hoDmlPmGVI65JHRHrPKsJOxjiVtxVDH /cBNtOk+MPR9pZmLmQOhUOLoV7Rp7w4/8TPfKAUBCJP6iiUIc2rHgdPkkJEP8/rDwS KDZaQ1Wgxgc4getsVyOALwS81VwjEXiIeR/v2mdU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728081AbgHJP3Z (ORCPT ); Mon, 10 Aug 2020 11:29:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:35760 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728717AbgHJP3X (ORCPT ); Mon, 10 Aug 2020 11:29:23 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E610422D06; Mon, 10 Aug 2020 15:29:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073363; bh=dX9lryERl7HaFYydM0XwqRAKMHC6Yu+pe1USL54S/PU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JfvCseM/Kh19fEw7MTZSYnnRmr/MAKmGOkZxbede9maQSdG3fgPeFm6bET794OJjt jAnVZKGZjlbuHw1TYlUIZKyEXX8FJ1xpDytOwgwIjq6Fnxf8+5CkIxiod3KVDysQuZ 9fWDl4+u6AlldAgL1XgsAIg3TDgmIKAdRN/UruZk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Adam Ford , Tomi Valkeinen , Dave Airlie , Rob Clark , Bartlomiej Zolnierkiewicz Subject: [PATCH 4.19 11/48] omapfb: dss: Fix max fclk divider for omap36xx Date: Mon, 10 Aug 2020 17:21:33 +0200 Message-Id: <20200810151804.764621059@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Adam Ford commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream. The drm/omap driver was fixed to correct an issue where using a divider of 32 breaks the DSS despite the TRM stating 32 is a valid number. Through experimentation, it appears that 31 works, and it is consistent with the value used by the drm/omap driver. This patch fixes the divider for fbdev driver instead of the drm. Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") Cc: #4.5+ Signed-off-by: Adam Ford Reviewed-by: Tomi Valkeinen Cc: Dave Airlie Cc: Rob Clark [b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)] Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200630182636.439015-1-aford173@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c +++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c @@ -844,7 +844,7 @@ static const struct dss_features omap34x }; static const struct dss_features omap3630_dss_feats = { - .fck_div_max = 32, + .fck_div_max = 31, .dss_fck_multiplier = 1, .parent_clk_name = "dpll4_ck", .dpi_select_source = &dss_dpi_select_source_omap2_omap3, From patchwork Mon Aug 10 15:21:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266649 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A722EC433E0 for ; Mon, 10 Aug 2020 15:33:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 84D91207FF for ; Mon, 10 Aug 2020 15:33:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073637; bh=G9w4Q3Szv8jx+0G63ivsWPC4EUybm+kD0niEhp7N65c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=MVbdLeBgwR+YR8kCvML3yjNdy/bjpqtK5kHA8FA6SAA6Usmd6e8p2QF4sZJ13nWgY eh56ITWOHatCQwcd3sPRABKY9tN9GCNYotysW5XqvLPn4rxDuhx6Tn2xRknD6NQ0a0 mWb/Mu7GpKmiwb0DCSIEb74gVqWJrG6+iXmB7dtg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728046AbgHJP32 (ORCPT ); Mon, 10 Aug 2020 11:29:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:35816 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728476AbgHJP30 (ORCPT ); Mon, 10 Aug 2020 11:29:26 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 60DC022D07; Mon, 10 Aug 2020 15:29:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073365; bh=G9w4Q3Szv8jx+0G63ivsWPC4EUybm+kD0niEhp7N65c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ng3DWV/uW7kGQH5fI9B0+m2qGuywGuZH3M9imo+B2TRJwIri1Rn4frB6JZBZxkgCI pLoXcw7P9D4Oa9dN1Lu6gbk99D/+YsKIIJg5q5NBWeChUGZUOMzPzx+IrDrxbkDDdS O2L4uW8+RN6cAtz+NqkKa8Tv/rNuOkwxcSyMTfSk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Todd Kjos , Jann Horn , Martijn Coenen Subject: [PATCH 4.19 12/48] binder: Prevent context manager from incrementing ref 0 Date: Mon, 10 Aug 2020 17:21:34 +0200 Message-Id: <20200810151804.813964612@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jann Horn commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream. Binder is designed such that a binder_proc never has references to itself. If this rule is violated, memory corruption can occur when a process sends a transaction to itself; see e.g. . There is a remaining edgecase through which such a transaction-to-self can still occur from the context of a task with BINDER_SET_CONTEXT_MGR access: - task A opens /dev/binder twice, creating binder_proc instances P1 and P2 - P1 becomes context manager - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its handle table - P1 dies (by closing the /dev/binder fd and waiting a bit) - P2 becomes context manager - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its handle table [this triggers a warning: "binder: 1974:1974 tried to acquire reference to desc 0, got 1 instead"] - task B opens /dev/binder once, creating binder_proc instance P3 - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way transaction) - P2 receives the handle and uses it to call P3 (two-way transaction) - P3 calls P2 (via magic handle 0) (two-way transaction) - P2 calls P2 (via handle 1) (two-way transaction) And then, if P2 does *NOT* accept the incoming transaction work, but instead closes the binder fd, we get a crash. Solve it by preventing the context manager from using ACQUIRE on ref 0. There shouldn't be any legitimate reason for the context manager to do that. Additionally, print a warning if someone manages to find another way to trigger a transaction-to-self bug in the future. Cc: stable@vger.kernel.org Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Acked-by: Todd Kjos Signed-off-by: Jann Horn Reviewed-by: Martijn Coenen Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com Signed-off-by: Greg Kroah-Hartman --- drivers/android/binder.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2862,6 +2862,12 @@ static void binder_transaction(struct bi goto err_dead_binder; } e->to_node = target_node->debug_id; + if (WARN_ON(proc == target_proc)) { + return_error = BR_FAILED_REPLY; + return_error_param = -EINVAL; + return_error_line = __LINE__; + goto err_invalid_target_handle; + } if (security_binder_transaction(proc->tsk, target_proc->tsk) < 0) { return_error = BR_FAILED_REPLY; @@ -3366,10 +3372,17 @@ static int binder_thread_write(struct bi struct binder_node *ctx_mgr_node; mutex_lock(&context->context_mgr_node_lock); ctx_mgr_node = context->binder_context_mgr_node; - if (ctx_mgr_node) + if (ctx_mgr_node) { + if (ctx_mgr_node->proc == proc) { + binder_user_error("%d:%d context manager tried to acquire desc 0\n", + proc->pid, thread->pid); + mutex_unlock(&context->context_mgr_node_lock); + return -EINVAL; + } ret = binder_inc_ref_for_node( proc, ctx_mgr_node, strong, NULL, &rdata); + } mutex_unlock(&context->context_mgr_node_lock); } if (ret) From patchwork Mon Aug 10 15:21:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266650 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54233C433E0 for ; Mon, 10 Aug 2020 15:33:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2431322CF6 for ; Mon, 10 Aug 2020 15:33:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073630; bh=E9e+b6nOC+nrI0dB8hflg2VpIRpGqLRK2yj0Sw9Wt8g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=ETOQGh3vaEdMMvmh9uYX29le6m5uy9YsWDTgSsOCcAS+47ff2tBoEKxSMcyGiaoyy jnjNyKbdzVpmdrob+PV+SVE/dGmUoCeTJHYWJehpvcLZCvoPJ4P+06YH+sSaYfv59M tYMmolTpz2P1hf3Y/MC/VtaAwez/sfwdXz06Ps4g= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728573AbgHJPds (ORCPT ); Mon, 10 Aug 2020 11:33:48 -0400 Received: from mail.kernel.org ([198.145.29.99]:36040 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728968AbgHJP3d (ORCPT ); Mon, 10 Aug 2020 11:29:33 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 916B822EBD; Mon, 10 Aug 2020 15:29:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073373; bh=E9e+b6nOC+nrI0dB8hflg2VpIRpGqLRK2yj0Sw9Wt8g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R4cVIcEn5G5DdqIVK726v19WEosS/QJKCdq3b6P23K8hWuCReFXt3ccAqJRkj96ly t+oInERZIvxAjz+10jULNSXUiVUMpcQP/rGtd8UFaDu1LXWMl+xDvirUrk0hhO3L3t yOzAp6748k+sy0tprto8WB9+42UF4HdN8+doO/Ko= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Amitoj Kaur Chawla , Johan Hovold , Pavel Machek Subject: [PATCH 4.19 15/48] leds: wm831x-status: fix use-after-free on unbind Date: Mon, 10 Aug 2020 17:21:37 +0200 Message-Id: <20200810151804.963646027@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Johan Hovold commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something which leads to use-after-free on driver unbind when the class device is released while still being registered. Fixes: 8d3b6a4001ce ("leds: wm831x-status: Use devm_led_classdev_register") Cc: stable # 4.6 Cc: Amitoj Kaur Chawla Signed-off-by: Johan Hovold Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-wm831x-status.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) --- a/drivers/leds/leds-wm831x-status.c +++ b/drivers/leds/leds-wm831x-status.c @@ -273,12 +273,23 @@ static int wm831x_status_probe(struct pl drvdata->cdev.blink_set = wm831x_status_blink_set; drvdata->cdev.groups = wm831x_status_groups; - ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev); + ret = led_classdev_register(wm831x->dev, &drvdata->cdev); if (ret < 0) { dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); return ret; } + platform_set_drvdata(pdev, drvdata); + + return 0; +} + +static int wm831x_status_remove(struct platform_device *pdev) +{ + struct wm831x_status *drvdata = platform_get_drvdata(pdev); + + led_classdev_unregister(&drvdata->cdev); + return 0; } @@ -287,6 +298,7 @@ static struct platform_driver wm831x_sta .name = "wm831x-status", }, .probe = wm831x_status_probe, + .remove = wm831x_status_remove, }; module_platform_driver(wm831x_status_driver); From patchwork Mon Aug 10 15:21:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266671 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 84006C433DF for ; Mon, 10 Aug 2020 15:29:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 49F4A22D0B for ; Mon, 10 Aug 2020 15:29:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073381; bh=KaxY1NvNPtD69tQs/t0IdTuYAOTR+KNMEfLbGZkbrm4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=OJh7QkL3H4izYiOq/XwPgHOwfFEoRVyH4qKhWQDiN5ClDQZFo1SZDq0u2kAZ33lrK siO11WXbZH3lGeFXBij/MKeAFO61md6Zz3wZKsXk1W5sOzalmEW1s9rOYT/X5HNpwZ 0AMM+meCgMGbTeD37Y98y4mV8LlfsMfu7gRApLDY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728982AbgHJP3k (ORCPT ); Mon, 10 Aug 2020 11:29:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:36140 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728758AbgHJP3j (ORCPT ); Mon, 10 Aug 2020 11:29:39 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 033CB22D07; Mon, 10 Aug 2020 15:29:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073378; bh=KaxY1NvNPtD69tQs/t0IdTuYAOTR+KNMEfLbGZkbrm4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CSq5639sLdo59uqbNcR97Jfvvbqu46yZc5Wxif3U8wHs6GUxL8u5xDSD9ELbvfORm vPWKk4RjdBQlCPzGm+CX9sjQt+xeFUJRApC3iHjDWbsnvW5NRepxJm9nYkop7Kt66A ItQs/jW0a+fXAiqvZuaPHtFl58c/DNzUJp5CfpMo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Amitoj Kaur Chawla , Johan Hovold , Pavel Machek Subject: [PATCH 4.19 17/48] leds: lm3533: fix use-after-free on unbind Date: Mon, 10 Aug 2020 17:21:39 +0200 Message-Id: <20200810151805.062885325@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Johan Hovold commit d584221e683bbd173738603b83a315f27d27d043 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something which leads to use-after-free on driver unbind when the class device is released while still being registered. Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register") Cc: stable # 4.6 Cc: Amitoj Kaur Chawla Signed-off-by: Johan Hovold Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-lm3533.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/drivers/leds/leds-lm3533.c +++ b/drivers/leds/leds-lm3533.c @@ -698,7 +698,7 @@ static int lm3533_led_probe(struct platf platform_set_drvdata(pdev, led); - ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev); + ret = led_classdev_register(pdev->dev.parent, &led->cdev); if (ret) { dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id); return ret; @@ -708,13 +708,18 @@ static int lm3533_led_probe(struct platf ret = lm3533_led_setup(led, pdata); if (ret) - return ret; + goto err_deregister; ret = lm3533_ctrlbank_enable(&led->cb); if (ret) - return ret; + goto err_deregister; return 0; + +err_deregister: + led_classdev_unregister(&led->cdev); + + return ret; } static int lm3533_led_remove(struct platform_device *pdev) @@ -724,6 +729,7 @@ static int lm3533_led_remove(struct plat dev_dbg(&pdev->dev, "%s\n", __func__); lm3533_ctrlbank_disable(&led->cb); + led_classdev_unregister(&led->cdev); return 0; } From patchwork Mon Aug 10 15:21:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266651 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1F2DC433E1 for ; Mon, 10 Aug 2020 15:33:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B342622CAE for ; Mon, 10 Aug 2020 15:33:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073621; bh=HhvuGrhIoMOLBd1KuBa1rj5Gqz6wjjeu2yg+vgrPcn4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=kWLB6FrvLGBgZZ9xJpETZFbXNyEO38mg93VmiQyPqhIeoLbmeI2s41CdXvozUaKS+ vBrJW0++tlAlZ7phsZlg92/LkLiodM0a0oCg2DlL+1T07gbbSCRUa01PgkuM2P91dZ huMLPR3kMJfgZusOA06m0xbUXrJ3HYfdhzJIAsWA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728990AbgHJP3m (ORCPT ); Mon, 10 Aug 2020 11:29:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:36210 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728986AbgHJP3l (ORCPT ); Mon, 10 Aug 2020 11:29:41 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6FD0F22D02; Mon, 10 Aug 2020 15:29:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073380; bh=HhvuGrhIoMOLBd1KuBa1rj5Gqz6wjjeu2yg+vgrPcn4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OcqOwsrVK28NTdnSAI5yEH21CL9nTZ5XZFD6AnPW1BxELnFAMapV4UZECxEJITRpp UhEjMLQCyW77399MD3nrO6mcOfkdbCTJ3M+y1Fv3HDVsnxAkenWiOG2RDyxjHpyR2c fneGa1lRt7BZI2U5iAHTL6dcMt4XAobQvPDwmKwo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Amitoj Kaur Chawla , Johan Hovold , Pavel Machek Subject: [PATCH 4.19 18/48] leds: 88pm860x: fix use-after-free on unbind Date: Mon, 10 Aug 2020 17:21:40 +0200 Message-Id: <20200810151805.114105793@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Johan Hovold commit eca21c2d8655387823d695b26e6fe78cf3975c05 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something which leads to use-after-free on driver unbind when the class device is released while still being registered. Fixes: 375446df95ee ("leds: 88pm860x: Use devm_led_classdev_register") Cc: stable # 4.6 Cc: Amitoj Kaur Chawla Signed-off-by: Johan Hovold Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-88pm860x.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) --- a/drivers/leds/leds-88pm860x.c +++ b/drivers/leds/leds-88pm860x.c @@ -207,21 +207,33 @@ static int pm860x_led_probe(struct platf data->cdev.brightness_set_blocking = pm860x_led_set; mutex_init(&data->lock); - ret = devm_led_classdev_register(chip->dev, &data->cdev); + ret = led_classdev_register(chip->dev, &data->cdev); if (ret < 0) { dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); return ret; } pm860x_led_set(&data->cdev, 0); + + platform_set_drvdata(pdev, data); + return 0; } +static int pm860x_led_remove(struct platform_device *pdev) +{ + struct pm860x_led *data = platform_get_drvdata(pdev); + + led_classdev_unregister(&data->cdev); + + return 0; +} static struct platform_driver pm860x_led_driver = { .driver = { .name = "88pm860x-led", }, .probe = pm860x_led_probe, + .remove = pm860x_led_remove, }; module_platform_driver(pm860x_led_driver); From patchwork Mon Aug 10 15:21:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266652 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55CECC433DF for ; Mon, 10 Aug 2020 15:33:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2348E22CAE for ; Mon, 10 Aug 2020 15:33:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073617; bh=nVybSTm6sL9M4bV5bm6tORYXEDhYC+smj9cDIJK+l7Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=AEtMN4FvNImKRvpDZTG4h/7OPWSMT9+mOS3/o6NRSWrUqNEDV2RXmBaQ7CeKFjEww 1VzAYd6ngS8habX9dH00++WZYiy+X7jMFgzG2GqGiIaa7X1lpZnoBY/tiyiR8UEul6 mVtokq/5P+OC5TEPBhMg1ab0CkZNjQSYhq/eTVxg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729003AbgHJP3p (ORCPT ); Mon, 10 Aug 2020 11:29:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:36270 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728999AbgHJP3n (ORCPT ); Mon, 10 Aug 2020 11:29:43 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CD36C22D06; Mon, 10 Aug 2020 15:29:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073383; bh=nVybSTm6sL9M4bV5bm6tORYXEDhYC+smj9cDIJK+l7Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UIbiGxeaBSpQRftZB0LYV5188nBHUkuqJRBs8iSesK9fM52l7f3Fm3fHfd4YqgdkZ 0B0xkktNF2BFkyRRJEijwdDb7/x9500bKUj8v+U7ldTqgsTqj+NnXtRSsgwYLhIHLl SUQ4PiM62imlua+k4L4LznEx7Y0JIJviAgyV28aA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com, Christoph Hellwig , Dominique Martinet , Sasha Levin Subject: [PATCH 4.19 19/48] net/9p: validate fds in p9_fd_open Date: Mon, 10 Aug 2020 17:21:41 +0200 Message-Id: <20200810151805.162250250@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Christoph Hellwig [ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ] p9_fd_open just fgets file descriptors passed in from userspace, but doesn't verify that they are valid for read or writing. This gets cought down in the VFS when actually attempting a read or write, but a new warning added in linux-next upsets syzcaller. Fix this by just verifying the fds early on. Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com Signed-off-by: Christoph Hellwig [Dominique: amend goto as per Doug Nazar's review] Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin --- net/9p/trans_fd.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index d28c2cc9618fa..b6dcb40fa8a7d 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -831,20 +831,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) return -ENOMEM; ts->rd = fget(rfd); + if (!ts->rd) + goto out_free_ts; + if (!(ts->rd->f_mode & FMODE_READ)) + goto out_put_rd; ts->wr = fget(wfd); - if (!ts->rd || !ts->wr) { - if (ts->rd) - fput(ts->rd); - if (ts->wr) - fput(ts->wr); - kfree(ts); - return -EIO; - } + if (!ts->wr) + goto out_put_rd; + if (!(ts->wr->f_mode & FMODE_WRITE)) + goto out_put_wr; client->trans = ts; client->status = Connected; return 0; + +out_put_wr: + fput(ts->wr); +out_put_rd: + fput(ts->rd); +out_free_ts: + kfree(ts); + return -EIO; } static int p9_socket_open(struct p9_client *client, struct socket *csocket) From patchwork Mon Aug 10 15:21:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266653 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE3E5C433DF for ; Mon, 10 Aug 2020 15:33:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AFB4422CAE for ; Mon, 10 Aug 2020 15:33:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073611; bh=VKaJERNSz+3XNKtG98/BzX7fGxRhNyOOax5a2lSDGBU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Dt6lkcfTgwxjB7cOYi9VUEzzIqO98Yw6bEb/y7k0VYM9kvGzqRU20JX/5BLOsca0Y N6Ladu7wyMp97IXcIjUc1brBgK+QPhgNtkvKrgKqETVbc+8qQQWziqs2AsJ5GrfW+X HvQrAjt16h/sY3akrHNWJNmIiPgsp7OIbf9KaUwM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728431AbgHJPd1 (ORCPT ); Mon, 10 Aug 2020 11:33:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:36394 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729009AbgHJP3u (ORCPT ); Mon, 10 Aug 2020 11:29:50 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EC98722D02; Mon, 10 Aug 2020 15:29:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073390; bh=VKaJERNSz+3XNKtG98/BzX7fGxRhNyOOax5a2lSDGBU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Kt6wGF/Tf6igYx6dZxXfH8p2YniSk1RhCmvT04fvZ2I6VIpmT90Btrbyy85HOpCvd lkanATCLfglcoWzaeN7ivpIxguKabzSCiHwa0fRdXAlVgP5M6RkJk5k9Givn5Szznn ZPoT32OFwOWmyoox6nuexDF8ElBTC5NCuHOo6Fus= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Skeggs , Sasha Levin Subject: [PATCH 4.19 21/48] drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure Date: Mon, 10 Aug 2020 17:21:43 +0200 Message-Id: <20200810151805.259303158@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Ben Skeggs [ Upstream commit 15fbc3b938534cc8eaac584a7b0c1183fc968b86 ] This is tripping up the format modifier patches. Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin --- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c index fef38ea146a2a..406cb99af7f21 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c +++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c @@ -315,7 +315,7 @@ nouveau_fbcon_create(struct drm_fb_helper *helper, struct nouveau_framebuffer *fb; struct nouveau_channel *chan; struct nouveau_bo *nvbo; - struct drm_mode_fb_cmd2 mode_cmd; + struct drm_mode_fb_cmd2 mode_cmd = {}; int ret; mode_cmd.width = sizes->surface_width; From patchwork Mon Aug 10 15:21:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266663 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04F02C433DF for ; Mon, 10 Aug 2020 15:31:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C789D2224D for ; Mon, 10 Aug 2020 15:31:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073499; bh=2PCh6oLuxOyKaB0b/W2A72/vMsTCi5EUt/McGv1HIXY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=HEMjQfmfA0c8xJKBq/DwUoISyXB64E1AXjwJb8PVxSdknn+JOICkCDPuoHan1rx0G Az0gCJROYTrw+q1aaTke5w4QGLlKg1mY/KkDqhuOrGQjTTu87Y7FeGdNpnGiS0d3XJ VkY+lRkduFWFwSmoE9FacwgvxyvyTeA0HaE4lHGU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728177AbgHJPbh (ORCPT ); Mon, 10 Aug 2020 11:31:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:38864 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728723AbgHJPb3 (ORCPT ); Mon, 10 Aug 2020 11:31:29 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2316320774; Mon, 10 Aug 2020 15:31:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073488; bh=2PCh6oLuxOyKaB0b/W2A72/vMsTCi5EUt/McGv1HIXY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=q2LXODy7++fog29JxXbUe8nPJCnH5lMLxIiCzSSYfvpEG3/xBbWe+hb61IjBaygLe YDxyfin/jua6BB5FKggTm3h0/1U7ym8395OJy/Q4PBK9Mr7WsEakIEN6NhbKcJML9s 4UitCrb/9bvNcMigEmCE6lGnAQC2ArL9TTJ/8RVo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wolfram Sang , Alain Volmat , Wolfram Sang , Sasha Levin Subject: [PATCH 4.19 22/48] i2c: slave: improve sanity check when registering Date: Mon, 10 Aug 2020 17:21:44 +0200 Message-Id: <20200810151805.310493685@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Wolfram Sang [ Upstream commit 1b1be3bf27b62f5abcf85c6f3214bdb9c7526685 ] Add check for ERR_PTR and simplify code while here. Signed-off-by: Wolfram Sang Reviewed-by: Alain Volmat Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin --- drivers/i2c/i2c-core-slave.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c index 47a9f70a24a97..88959c8580ce0 100644 --- a/drivers/i2c/i2c-core-slave.c +++ b/drivers/i2c/i2c-core-slave.c @@ -22,10 +22,8 @@ int i2c_slave_register(struct i2c_client *client, i2c_slave_cb_t slave_cb) { int ret; - if (!client || !slave_cb) { - WARN(1, "insufficient data\n"); + if (WARN(IS_ERR_OR_NULL(client) || !slave_cb, "insufficient data\n")) return -EINVAL; - } if (!(client->flags & I2C_CLIENT_SLAVE)) dev_warn(&client->dev, "%s: client slave flag not set. You might see address collisions\n", From patchwork Mon Aug 10 15:21:45 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266656 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14222C433E0 for ; Mon, 10 Aug 2020 15:32:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D90F622CAE for ; Mon, 10 Aug 2020 15:32:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073571; bh=O8uxpY19oMyTmj5VGnKGFEp+hLgqpN7HCtchkQbSam4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Da194EfbTxZ3Wnk4CsfRR0bgzJdYLubQwVXXpwUN5eb4s1eVKkXbZDU+lZV3xJkT7 v58mvF9KmkZd3RwHznSZyRTaX+OUDWwzEOhcJeKuX7z/EV+G07Xg2iU0HePvvpIuZO x7wjKXKCQHoFOsaeucm7GiJEvFNRQyGJcErqF648= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728384AbgHJPcv (ORCPT ); Mon, 10 Aug 2020 11:32:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:36954 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728678AbgHJPaN (ORCPT ); Mon, 10 Aug 2020 11:30:13 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 03B8522D74; Mon, 10 Aug 2020 15:30:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073413; bh=O8uxpY19oMyTmj5VGnKGFEp+hLgqpN7HCtchkQbSam4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jiiBHXRXWpzBWbFQ7OJVPm5UgI6i58IiYUAVpp3hl01zHk8BjPbRV/mL+wSYnQb5Q 4ItqS639oOzZNMjqKhAD3OTM5c+hphFKszxk8zT3Y6FiVC5uabRHdM3ZoHl1Vx32YG U7oKuV4W2jlIgcC6FpaCDPVm3gPt7NQtsiPjL0ts= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wolfram Sang , Alain Volmat , Wolfram Sang , Sasha Levin Subject: [PATCH 4.19 23/48] i2c: slave: add sanity check when unregistering Date: Mon, 10 Aug 2020 17:21:45 +0200 Message-Id: <20200810151805.359915557@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Wolfram Sang [ Upstream commit 8808981baf96e1b3dea1f08461e4d958aa0dbde1 ] Signed-off-by: Wolfram Sang Reviewed-by: Alain Volmat Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin --- drivers/i2c/i2c-core-slave.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c index 88959c8580ce0..f2e7e373ee478 100644 --- a/drivers/i2c/i2c-core-slave.c +++ b/drivers/i2c/i2c-core-slave.c @@ -62,6 +62,9 @@ int i2c_slave_unregister(struct i2c_client *client) { int ret; + if (IS_ERR_OR_NULL(client)) + return -EINVAL; + if (!client->adapter->algo->unreg_slave) { dev_err(&client->dev, "%s: not supported by adapter\n", __func__); return -EOPNOTSUPP; From patchwork Mon Aug 10 15:21:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266664 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5ACECC433E1 for ; Mon, 10 Aug 2020 15:31:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2535420838 for ; Mon, 10 Aug 2020 15:31:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073477; bh=AGdYApRkl/MI0MZX28LEMG91c/WjS4eEBNI1jcaazac=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=aJ3zKqw2QUL2Q1Jj4+65bkH/yS/3hmCOyxKErG09uO4CpwXMKgVOJxOaQZhHRaOb4 FrWCMoO3SHmvCBfq6hNIrqLSjDGa5IUtwi+SJU9gbQhrBpa7jLRwFhCNBdG1XZhW1L 525aooXXXiyOuFYVHIXz13wiQhkVM/kI8S7zcFdk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728508AbgHJPbP (ORCPT ); Mon, 10 Aug 2020 11:31:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:38504 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729179AbgHJPbM (ORCPT ); Mon, 10 Aug 2020 11:31:12 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 057042080C; Mon, 10 Aug 2020 15:31:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073471; bh=AGdYApRkl/MI0MZX28LEMG91c/WjS4eEBNI1jcaazac=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=0wAyRxjwotSK+3FfgcMq3EUr5LcL/nVgTAegCeTmKHIhCIpzIPNJytX8I8BIjmWVo aA449lNyARGhydhOmtSv9UQLI6b/dcrrPAP+EKuwY7bWIfBLE5lK4u82wnYGifWF3y iokRwIz5JcPKOUt36caf0f2xTP5UXyah9zaphM1c= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Julian Squires , Johannes Berg , Sasha Levin Subject: [PATCH 4.19 26/48] cfg80211: check vendor command doit pointer before use Date: Mon, 10 Aug 2020 17:21:48 +0200 Message-Id: <20200810151805.502158557@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Julian Squires [ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ] In the case where a vendor command does not implement doit, and has no flags set, doit would not be validated and a NULL pointer dereference would occur, for example when invoking the vendor command via iw. I encountered this while developing new vendor commands. Perhaps in practice it is advisable to always implement doit along with dumpit, but it seems reasonable to me to always check doit anyway, not just when NEED_WDEV. Signed-off-by: Julian Squires Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- net/wireless/nl80211.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 0221849b72180..996b68b48a878 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -12392,13 +12392,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info) if (!wdev_running(wdev)) return -ENETDOWN; } - - if (!vcmd->doit) - return -EOPNOTSUPP; } else { wdev = NULL; } + if (!vcmd->doit) + return -EOPNOTSUPP; + if (info->attrs[NL80211_ATTR_VENDOR_DATA]) { data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]); len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]); From patchwork Mon Aug 10 15:21:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266661 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D1B6C433DF for ; Mon, 10 Aug 2020 15:32:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E1A6622CA1 for ; Mon, 10 Aug 2020 15:32:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073521; bh=ZyWuUtROHZf3ZDH6q3M+Ty6NXtyMPtEnfvtiWpfN87I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=XSG/UuMhd2aiFPm4n1yZz+iafbwyaMXD4BO2Bv+go4XTzVi+ZxjspAnmBHvXmmDGg sxFdrkJgzOp7otIXaF5+qnrntEfIiZL7vhifl/C8Wfpy+bIwD26n+lGnnEznSkibXf K7pnzVNU5qfZ//JYIFFuTcjTF6ISifSZr4IGRk80= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728694AbgHJPbP (ORCPT ); Mon, 10 Aug 2020 11:31:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:38566 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729177AbgHJPbO (ORCPT ); Mon, 10 Aug 2020 11:31:14 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D03FD20791; Mon, 10 Aug 2020 15:31:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073474; bh=ZyWuUtROHZf3ZDH6q3M+Ty6NXtyMPtEnfvtiWpfN87I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KNKFJG3pUHYmk1wMODJwco4cyFnb/99Zb9vf7VuzV5F7bSZQ+EPB/hpAVsTlM4lu2 QJxQJqgbXkTur1a5wwfRROCpdAwhVMY9nyugFOslWHs4+v4lvpXdtBTODamXqFeedN lbGUUHiZYoYCANebxaSkxyQ6t28Kl5EoA0brWLe8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Francesco Ruggeri , Aaron Brown , Tony Nguyen , Sasha Levin Subject: [PATCH 4.19 27/48] igb: reinit_locked() should be called with rtnl_lock Date: Mon, 10 Aug 2020 17:21:49 +0200 Message-Id: <20200810151805.549199604@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Francesco Ruggeri [ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ] We observed two panics involving races with igb_reset_task. The first panic is caused by this race condition: kworker reboot -f igb_reset_task igb_reinit_locked igb_down napi_synchronize __igb_shutdown igb_clear_interrupt_scheme igb_free_q_vectors igb_free_q_vector adapter->q_vector[v_idx] = NULL; napi_disable Panics trying to access adapter->q_vector[v_idx].napi_state The second panic (a divide error) is caused by this race: kworker reboot -f tx packet igb_reset_task __igb_shutdown rtnl_lock() ... igb_clear_interrupt_scheme igb_free_q_vectors adapter->num_tx_queues = 0 ... rtnl_unlock() rtnl_lock() igb_reinit_locked igb_down igb_up netif_tx_start_all_queues dev_hard_start_xmit igb_xmit_frame igb_tx_queue_mapping Panics on r_idx % adapter->num_tx_queues This commit applies to igb_reset_task the same changes that were applied to ixgbe in commit 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver"), commit 8f4c5c9fb87a ("ixgbe: reinit_locked() should be called with rtnl_lock") and commit 88adce4ea8f9 ("ixgbe: fix possible race in reset subtask"). Signed-off-by: Francesco Ruggeri Tested-by: Aaron Brown Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin --- drivers/net/ethernet/intel/igb/igb_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index 36db874f3c928..d85eb80d82497 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -6226,9 +6226,18 @@ static void igb_reset_task(struct work_struct *work) struct igb_adapter *adapter; adapter = container_of(work, struct igb_adapter, reset_task); + rtnl_lock(); + /* If we're already down or resetting, just bail */ + if (test_bit(__IGB_DOWN, &adapter->state) || + test_bit(__IGB_RESETTING, &adapter->state)) { + rtnl_unlock(); + return; + } + igb_dump(adapter); netdev_err(adapter->netdev, "Reset adapter\n"); igb_reinit_locked(adapter); + rtnl_unlock(); } /** From patchwork Mon Aug 10 15:21:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266662 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B8EE3C433DF for ; Mon, 10 Aug 2020 15:31:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 80AC720791 for ; Mon, 10 Aug 2020 15:31:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073512; bh=Ka0X3R84+wL9sJ0uP64uoi5nGecyy9yu9g4zvt3PM+o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Y2gZLDGFon+sUed75LQCw8uvssNm/gNKubj0Vs69vmqZYjGbDcIYuB7n01RprqtNK F7psDKBDw1K3e1i10nLIcw5oaegTmAQGYcCzqWaDvOZCmztDGChcVi4d1lhss1z/JM J+pe/+bbD8Mle1xUwX8dIqbZsKdPn4/SLhSxOv/U= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729200AbgHJPbV (ORCPT ); Mon, 10 Aug 2020 11:31:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:38720 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729199AbgHJPbU (ORCPT ); Mon, 10 Aug 2020 11:31:20 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3546020791; Mon, 10 Aug 2020 15:31:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073479; bh=Ka0X3R84+wL9sJ0uP64uoi5nGecyy9yu9g4zvt3PM+o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aBLvDmHB0TFvbbfwXCOyM4FQmjlxrFy4Imx8PcH2zPXK1bo0cwbi0Qn2eBAj+VDbm WTGlZOWQZkmqW+icMT1PHElg6NXDOg4e4CkURVacteuDsojrCQMUBL6kMJKr/GqobQ NQMc8wMnXNVFVOegY4nfzT4fIAnLY4+RlL5hOTH0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Philippe Duplessis-Guindon , "Steven Rostedt (VMware)" , Arnaldo Carvalho de Melo , Sasha Levin Subject: [PATCH 4.19 29/48] tools lib traceevent: Fix memory leak in process_dynamic_array_len Date: Mon, 10 Aug 2020 17:21:51 +0200 Message-Id: <20200810151805.639628728@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Philippe Duplessis-Guindon [ Upstream commit e24c6447ccb7b1a01f9bf0aec94939e6450c0b4d ] I compiled with AddressSanitizer and I had these memory leaks while I was using the tep_parse_format function: Direct leak of 28 byte(s) in 4 object(s) allocated from: #0 0x7fb07db49ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe) #1 0x7fb07a724228 in extend_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:985 #2 0x7fb07a724c21 in __read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1140 #3 0x7fb07a724f78 in read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1206 #4 0x7fb07a725191 in __read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1291 #5 0x7fb07a7251df in read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1299 #6 0x7fb07a72e6c8 in process_dynamic_array_len /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:2849 #7 0x7fb07a7304b8 in process_function /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3161 #8 0x7fb07a730900 in process_arg_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3207 #9 0x7fb07a727c0b in process_arg /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1786 #10 0x7fb07a731080 in event_read_print_args /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3285 #11 0x7fb07a731722 in event_read_print /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3369 #12 0x7fb07a740054 in __tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6335 #13 0x7fb07a74047a in __parse_event /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6389 #14 0x7fb07a740536 in tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6431 #15 0x7fb07a785acf in parse_event ../../../src/fs-src/fs.c:251 #16 0x7fb07a785ccd in parse_systems ../../../src/fs-src/fs.c:284 #17 0x7fb07a786fb3 in read_metadata ../../../src/fs-src/fs.c:593 #18 0x7fb07a78760e in ftrace_fs_source_init ../../../src/fs-src/fs.c:727 #19 0x7fb07d90c19c in add_component_with_init_method_data ../../../../src/lib/graph/graph.c:1048 #20 0x7fb07d90c87b in add_source_component_with_initialize_method_data ../../../../src/lib/graph/graph.c:1127 #21 0x7fb07d90c92a in bt_graph_add_source_component ../../../../src/lib/graph/graph.c:1152 #22 0x55db11aa632e in cmd_run_ctx_create_components_from_config_components ../../../src/cli/babeltrace2.c:2252 #23 0x55db11aa6fda in cmd_run_ctx_create_components ../../../src/cli/babeltrace2.c:2347 #24 0x55db11aa780c in cmd_run ../../../src/cli/babeltrace2.c:2461 #25 0x55db11aa8a7d in main ../../../src/cli/babeltrace2.c:2673 #26 0x7fb07d5460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) The token variable in the process_dynamic_array_len function is allocated in the read_expect_type function, but is not freed before calling the read_token function. Free the token variable before calling read_token in order to plug the leak. Signed-off-by: Philippe Duplessis-Guindon Reviewed-by: Steven Rostedt (VMware) Link: https://lore.kernel.org/linux-trace-devel/20200730150236.5392-1-pduplessis@efficios.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin --- tools/lib/traceevent/event-parse.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c index 382e476629fb1..c0fcc8af2a3ef 100644 --- a/tools/lib/traceevent/event-parse.c +++ b/tools/lib/traceevent/event-parse.c @@ -2766,6 +2766,7 @@ process_dynamic_array_len(struct event_format *event, struct print_arg *arg, if (read_expected(EVENT_DELIM, ")") < 0) goto out_err; + free_token(token); type = read_token(&token); *tok = token; From patchwork Mon Aug 10 15:21:54 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266669 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89CFAC433E0 for ; Mon, 10 Aug 2020 15:30:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5541C22D74 for ; Mon, 10 Aug 2020 15:30:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073421; bh=MW7J+hsXgn9nQY2RcNiaq6t9NpgkfUGMv8o3WrLLBRI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=MwElvZtAnaZq1Qbh/iEs5rJeGSl9PGxMJrZZa4AK4Px5At2JnBC7AGf5Wwe4dtvF6 knawawR24G24tKkdhRx+xF4ak8eZTgJh90d1UVu8RThkNBEHKmeFG1PIP9ugG7a9Hg WLh76iMWxVJxQ4xThI9ndCNK+QhkxCZRelLkH5bI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729065AbgHJPaS (ORCPT ); Mon, 10 Aug 2020 11:30:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:37064 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729063AbgHJPaQ (ORCPT ); Mon, 10 Aug 2020 11:30:16 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B2DB620791; Mon, 10 Aug 2020 15:30:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073416; bh=MW7J+hsXgn9nQY2RcNiaq6t9NpgkfUGMv8o3WrLLBRI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kEQe//z5f/BuDqgm4HpNEj8eAvYAGns5a610y+yPmAWptG1J+YnVSfms5u29WGuTJ jz8FqRx+7IrLE8rOfwz7OCbRHxPsjkyFGwVMVy8XKp0YHo0ISCOQaf1Q+DOKxdMcY6 c5M1eR/KecaPW114IKCsyKSP34aZ2NX9Rn3Q0Ygw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ido Schimmel , Jiri Pirko , "David S. Miller" Subject: [PATCH 4.19 32/48] ipv4: Silence suspicious RCU usage warning Date: Mon, 10 Aug 2020 17:21:54 +0200 Message-Id: <20200810151805.790694863@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Ido Schimmel [ Upstream commit 83f3522860f702748143e022f1a546547314c715 ] fib_trie_unmerge() is called with RTNL held, but not from an RCU read-side critical section. This leads to the following warning [1] when the FIB alias list in a leaf is traversed with hlist_for_each_entry_rcu(). Since the function is always called with RTNL held and since modification of the list is protected by RTNL, simply use hlist_for_each_entry() and silence the warning. [1] WARNING: suspicious RCU usage 5.8.0-rc4-custom-01520-gc1f937f3f83b #30 Not tainted ----------------------------- net/ipv4/fib_trie.c:1867 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/164: #0: ffffffff85a27850 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x49a/0xbd0 stack backtrace: CPU: 0 PID: 164 Comm: ip Not tainted 5.8.0-rc4-custom-01520-gc1f937f3f83b #30 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014 Call Trace: dump_stack+0x100/0x184 lockdep_rcu_suspicious+0x153/0x15d fib_trie_unmerge+0x608/0xdb0 fib_unmerge+0x44/0x360 fib4_rule_configure+0xc8/0xad0 fib_nl_newrule+0x37a/0x1dd0 rtnetlink_rcv_msg+0x4f7/0xbd0 netlink_rcv_skb+0x17a/0x480 rtnetlink_rcv+0x22/0x30 netlink_unicast+0x5ae/0x890 netlink_sendmsg+0x98a/0xf40 ____sys_sendmsg+0x879/0xa00 ___sys_sendmsg+0x122/0x190 __sys_sendmsg+0x103/0x1d0 __x64_sys_sendmsg+0x7d/0xb0 do_syscall_64+0x54/0xa0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fc80a234e97 Code: Bad RIP value. RSP: 002b:00007ffef8b66798 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc80a234e97 RDX: 0000000000000000 RSI: 00007ffef8b66800 RDI: 0000000000000003 RBP: 000000005f141b1c R08: 0000000000000001 R09: 0000000000000000 R10: 00007fc80a2a8ac0 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 00007ffef8b67008 R15: 0000556fccb10020 Fixes: 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse") Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/fib_trie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/fib_trie.c +++ b/net/ipv4/fib_trie.c @@ -1749,7 +1749,7 @@ struct fib_table *fib_trie_unmerge(struc while ((l = leaf_walk_rcu(&tp, key)) != NULL) { struct key_vector *local_l = NULL, *local_tp; - hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) { + hlist_for_each_entry(fa, &l->leaf, fa_list) { struct fib_alias *new_fa; if (local_tb->tb_id != fa->tb_id) From patchwork Mon Aug 10 15:21:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266657 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D76D8C433E0 for ; Mon, 10 Aug 2020 15:32:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A8A85207FF for ; Mon, 10 Aug 2020 15:32:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073569; bh=STaAiDozz5Ey94ASQtqCmUMNQiuV/yBML8B1zscPEZ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Hve+na/RrReRvVHQDtVUTYCdbVTLaKdxN3lOvDkfuPjZZjT2zRAEog4E/0+ecGfZ0 xv/8h7cZJ6iJgOrdxSRvn/EDXuwPDqtqDZnHCSzQ8TIWxJZL95wIU3iWQDLKdVDdiz usiHDU6CVg+Da1UOy5aIMgbCoLB2uIBju855hSlM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728458AbgHJPcn (ORCPT ); Mon, 10 Aug 2020 11:32:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:37182 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729057AbgHJPaW (ORCPT ); Mon, 10 Aug 2020 11:30:22 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 89C1820791; Mon, 10 Aug 2020 15:30:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073422; bh=STaAiDozz5Ey94ASQtqCmUMNQiuV/yBML8B1zscPEZ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Um8zrUZLsngtYTP7TyyrZxq2uMFVZV3xwFgJOmYZpsfOenMiTczeKKOzGP3ybnvmk Esa+vGKWmzuHa2Y45waM3y7YtL7/bknAkJHYb2srlKJcOkbtwGnvUInxJEXH6m8EGX 7nZoyPSKnSwfVyK+FpaeGf3azu2SColLy6XWoqZo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Landen Chao , Frank Wunderlich , Andrew Lunn , "David S. Miller" Subject: [PATCH 4.19 34/48] net: ethernet: mtk_eth_soc: fix MTU warnings Date: Mon, 10 Aug 2020 17:21:56 +0200 Message-Id: <20200810151805.896505636@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Landen Chao [ Upstream commit 555a893303872e044fb86f0a5834ce78d41ad2e2 ] in recent kernel versions there are warnings about incorrect MTU size like these: eth0: mtu greater than device maximum mtk_soc_eth 1b100000.ethernet eth0: error -22 setting MTU to include DSA overhead Fixes: bfcb813203e6 ("net: dsa: configure the MTU for switch ports") Fixes: 72579e14a1d3 ("net: dsa: don't fail to probe if we couldn't set the MTU") Fixes: 7a4c53bee332 ("net: report invalid mtu value via netlink extack") Signed-off-by: Landen Chao Signed-off-by: Frank Wunderlich Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c @@ -2452,6 +2452,8 @@ static int mtk_add_mac(struct mtk_eth *e eth->netdev[id]->irq = eth->irq[0]; eth->netdev[id]->dev.of_node = np; + eth->netdev[id]->max_mtu = MTK_MAX_RX_LENGTH - MTK_RX_ETH_HLEN; + return 0; free_netdev: From patchwork Mon Aug 10 15:21:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266658 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2703C433E1 for ; Mon, 10 Aug 2020 15:32:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9F28622D73 for ; Mon, 10 Aug 2020 15:32:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073553; bh=svSMAr6v2ZQ6WmxVzTEmE9bCbZf8H/CeYCuzFEXsHmw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=QaRbBCIZODIn52VgL3QBitDY8OVcRQZuRW8p60YxYtHxoPUC+ch6m/JksSuj0b6L6 zibg5U+qvrAmQ4Uh7yyJWynNCeL/VbvRbIjH0+0y/bSJ/uc1SsvinBZFu0+XIxQxvy t30PxdF9EgMeMuY7KyNBOhoWcA/ZfvCiTJtWLvxk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729068AbgHJPaa (ORCPT ); Mon, 10 Aug 2020 11:30:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:37342 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729087AbgHJPa2 (ORCPT ); Mon, 10 Aug 2020 11:30:28 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 22A8B20774; Mon, 10 Aug 2020 15:30:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073427; bh=svSMAr6v2ZQ6WmxVzTEmE9bCbZf8H/CeYCuzFEXsHmw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=f9WTMfsYxPttpwshB6esbNBXpHb0iEOv2w+lz88PH2Euny28U7vU5zzGISgZAm5uh Of0of/sbKZmoioveoMsLllPctyIeWoHcTSw90L5vX/TI7tfI8pkbSQITLacajTBpIk bEAEe4QED9OhqCi/U6yj5BlcYFfU475M4MMrW3IA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , "David S. Miller" Subject: [PATCH 4.19 36/48] net: lan78xx: replace bogus endpoint lookup Date: Mon, 10 Aug 2020 17:21:58 +0200 Message-Id: <20200810151805.993740717@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Johan Hovold [ Upstream commit ea060b352654a8de1e070140d25fe1b7e4d50310 ] Drop the bogus endpoint-lookup helper which could end up accepting interfaces based on endpoints belonging to unrelated altsettings. Note that the returned bulk pipes and interrupt endpoint descriptor were never actually used. Instead the bulk-endpoint numbers are hardcoded to 1 and 2 (matching the specification), while the interrupt- endpoint descriptor was assumed to be the third descriptor created by USB core. Try to bring some order to this by dropping the bogus lookup helper and adding the missing endpoint sanity checks while keeping the interrupt- descriptor assumption for now. Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/usb/lan78xx.c | 117 +++++++++++----------------------------------- 1 file changed, 30 insertions(+), 87 deletions(-) --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -388,10 +388,6 @@ struct lan78xx_net { struct tasklet_struct bh; struct delayed_work wq; - struct usb_host_endpoint *ep_blkin; - struct usb_host_endpoint *ep_blkout; - struct usb_host_endpoint *ep_intr; - int msg_enable; struct urb *urb_intr; @@ -2883,78 +2879,12 @@ lan78xx_start_xmit(struct sk_buff *skb, return NETDEV_TX_OK; } -static int -lan78xx_get_endpoints(struct lan78xx_net *dev, struct usb_interface *intf) -{ - int tmp; - struct usb_host_interface *alt = NULL; - struct usb_host_endpoint *in = NULL, *out = NULL; - struct usb_host_endpoint *status = NULL; - - for (tmp = 0; tmp < intf->num_altsetting; tmp++) { - unsigned ep; - - in = NULL; - out = NULL; - status = NULL; - alt = intf->altsetting + tmp; - - for (ep = 0; ep < alt->desc.bNumEndpoints; ep++) { - struct usb_host_endpoint *e; - int intr = 0; - - e = alt->endpoint + ep; - switch (e->desc.bmAttributes) { - case USB_ENDPOINT_XFER_INT: - if (!usb_endpoint_dir_in(&e->desc)) - continue; - intr = 1; - /* FALLTHROUGH */ - case USB_ENDPOINT_XFER_BULK: - break; - default: - continue; - } - if (usb_endpoint_dir_in(&e->desc)) { - if (!intr && !in) - in = e; - else if (intr && !status) - status = e; - } else { - if (!out) - out = e; - } - } - if (in && out) - break; - } - if (!alt || !in || !out) - return -EINVAL; - - dev->pipe_in = usb_rcvbulkpipe(dev->udev, - in->desc.bEndpointAddress & - USB_ENDPOINT_NUMBER_MASK); - dev->pipe_out = usb_sndbulkpipe(dev->udev, - out->desc.bEndpointAddress & - USB_ENDPOINT_NUMBER_MASK); - dev->ep_intr = status; - - return 0; -} - static int lan78xx_bind(struct lan78xx_net *dev, struct usb_interface *intf) { struct lan78xx_priv *pdata = NULL; int ret; int i; - ret = lan78xx_get_endpoints(dev, intf); - if (ret) { - netdev_warn(dev->net, "lan78xx_get_endpoints failed: %d\n", - ret); - return ret; - } - dev->data[0] = (unsigned long)kzalloc(sizeof(*pdata), GFP_KERNEL); pdata = (struct lan78xx_priv *)(dev->data[0]); @@ -3726,6 +3656,7 @@ static void lan78xx_stat_monitor(struct static int lan78xx_probe(struct usb_interface *intf, const struct usb_device_id *id) { + struct usb_host_endpoint *ep_blkin, *ep_blkout, *ep_intr; struct lan78xx_net *dev; struct net_device *netdev; struct usb_device *udev; @@ -3774,6 +3705,34 @@ static int lan78xx_probe(struct usb_inte mutex_init(&dev->stats.access_lock); + if (intf->cur_altsetting->desc.bNumEndpoints < 3) { + ret = -ENODEV; + goto out2; + } + + dev->pipe_in = usb_rcvbulkpipe(udev, BULK_IN_PIPE); + ep_blkin = usb_pipe_endpoint(udev, dev->pipe_in); + if (!ep_blkin || !usb_endpoint_is_bulk_in(&ep_blkin->desc)) { + ret = -ENODEV; + goto out2; + } + + dev->pipe_out = usb_sndbulkpipe(udev, BULK_OUT_PIPE); + ep_blkout = usb_pipe_endpoint(udev, dev->pipe_out); + if (!ep_blkout || !usb_endpoint_is_bulk_out(&ep_blkout->desc)) { + ret = -ENODEV; + goto out2; + } + + ep_intr = &intf->cur_altsetting->endpoint[2]; + if (!usb_endpoint_is_int_in(&ep_intr->desc)) { + ret = -ENODEV; + goto out2; + } + + dev->pipe_intr = usb_rcvintpipe(dev->udev, + usb_endpoint_num(&ep_intr->desc)); + ret = lan78xx_bind(dev, intf); if (ret < 0) goto out2; @@ -3786,23 +3745,7 @@ static int lan78xx_probe(struct usb_inte netdev->max_mtu = MAX_SINGLE_PACKET_SIZE; netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER); - if (intf->cur_altsetting->desc.bNumEndpoints < 3) { - ret = -ENODEV; - goto out3; - } - - dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0; - dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1; - dev->ep_intr = (intf->cur_altsetting)->endpoint + 2; - - dev->pipe_in = usb_rcvbulkpipe(udev, BULK_IN_PIPE); - dev->pipe_out = usb_sndbulkpipe(udev, BULK_OUT_PIPE); - - dev->pipe_intr = usb_rcvintpipe(dev->udev, - dev->ep_intr->desc.bEndpointAddress & - USB_ENDPOINT_NUMBER_MASK); - period = dev->ep_intr->desc.bInterval; - + period = ep_intr->desc.bInterval; maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0); buf = kmalloc(maxp, GFP_KERNEL); if (buf) { From patchwork Mon Aug 10 15:22:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266668 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76B41C433E1 for ; Mon, 10 Aug 2020 15:30:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4C055207FF for ; Mon, 10 Aug 2020 15:30:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073440; bh=yCnOv7z6QR8V//pqvrVl+elidpg/YiHVrVZ9pqUErzk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=eF3kKK7EMSIHBZDXViX6wkEFcBv63/ImAQ1pgH4PY6uEIQu2W91WaTmT6jlUMo4Bp 9wtRfg+pPQh/pfLqDacDsoHso7RLZlTw3ImDPFPqhmJrY9mj29ulzK0qdCyEbbHXap I9919MvYOvBLQqsJFtpdvo4tg0KXOMrnxZGoY2K4= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728605AbgHJPaj (ORCPT ); Mon, 10 Aug 2020 11:30:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:37638 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728318AbgHJPah (ORCPT ); Mon, 10 Aug 2020 11:30:37 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 655DA20774; Mon, 10 Aug 2020 15:30:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073436; bh=yCnOv7z6QR8V//pqvrVl+elidpg/YiHVrVZ9pqUErzk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=0Eix6MotZRTq77L5XkIg+eDqmqRe63MhzXhclL4qi4X4zuon3BscF7ytxw35Te6q2 vPOEPqGLRPIaxyFyHiwbzKzBhepZ0+dveAdZh9YWrUSXtufKd9m4BRuAANNlzGIFzK OZCXQ11voLLBu2b6Jvo7gEmO5wIPWie0NFMnkFGk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Rafael P." , Dean Nelson , Xin Long , "David S. Miller" Subject: [PATCH 4.19 39/48] net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task() Date: Mon, 10 Aug 2020 17:22:01 +0200 Message-Id: <20200810151806.141225080@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Xin Long [ Upstream commit bab9693a9a8c6dd19f670408ec1e78e12a320682 ] A dead lock was triggered on thunderx driver: CPU0 CPU1 ---- ---- [01] lock(&(&nic->rx_mode_wq_lock)->rlock); [11] lock(&(&mc->mca_lock)->rlock); [12] lock(&(&nic->rx_mode_wq_lock)->rlock); [02] lock(&(&mc->mca_lock)->rlock); The path for each is: [01] worker_thread() -> process_one_work() -> nicvf_set_rx_mode_task() [02] mld_ifc_timer_expire() [11] ipv6_add_dev() -> ipv6_dev_mc_inc() -> igmp6_group_added() -> [12] dev_mc_add() -> __dev_set_rx_mode() -> nicvf_set_rx_mode() To fix it, it needs to disable bh on [1], so that the timer on [2] wouldn't be triggered until rx_mode_wq_lock is released. So change to use spin_lock_bh() instead of spin_lock(). Thanks to Paolo for helping with this. v1->v2: - post to netdev. Reported-by: Rafael P. Tested-by: Dean Nelson Fixes: 469998c861fa ("net: thunderx: prevent concurrent data re-writing by nicvf_set_rx_mode") Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/cavium/thunder/nicvf_main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c +++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c @@ -2015,11 +2015,11 @@ static void nicvf_set_rx_mode_task(struc /* Save message data locally to prevent them from * being overwritten by next ndo_set_rx_mode call(). */ - spin_lock(&nic->rx_mode_wq_lock); + spin_lock_bh(&nic->rx_mode_wq_lock); mode = vf_work->mode; mc = vf_work->mc; vf_work->mc = NULL; - spin_unlock(&nic->rx_mode_wq_lock); + spin_unlock_bh(&nic->rx_mode_wq_lock); __nicvf_set_rx_mode_task(mode, mc, nic); } From patchwork Mon Aug 10 15:22:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266667 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DDF08C433E0 for ; Mon, 10 Aug 2020 15:30:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A11B32080C for ; Mon, 10 Aug 2020 15:30:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073454; bh=yDP87lINzHFiLkOkm6RlyKNPAAeN6uTzlS7Nkl4gNvc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=UoyNMXVdnfOhaPHnF4F2Z4O/GIZzuT83i0ReNF1VzNPErx5MkCtclujt95NRbPd8c ONMOeZIeaM4cgzBPPi31cYom53dUNLgw677kF7a2Y9AEHGeQ1aaOMGGTu09oKnYzWg zYZIUGWM7a4Te3By9H79mNL22kKWMDqm9NpygTrE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729132AbgHJPax (ORCPT ); Mon, 10 Aug 2020 11:30:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:37902 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728898AbgHJPat (ORCPT ); Mon, 10 Aug 2020 11:30:49 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D7290207FF; Mon, 10 Aug 2020 15:30:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073448; bh=yDP87lINzHFiLkOkm6RlyKNPAAeN6uTzlS7Nkl4gNvc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=0SVUtQX8HrIOabhrD4KQuXftMCjRgVGdT+wdM9H3BIzaLgDB8O54gTPO539lkhlj9 xidKUfz3XGDuZqjGeuiF4NABqsubwXtvoUNAqrfHaAW52Sdg+YM0RcHvnqh14g2BSe WI50e79oVSQkhsu/iI/SMwa6LXov3lLCIT6/dSXw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Colin Ian King , Willem de Bruijn , "David S. Miller" Subject: [PATCH 4.19 42/48] selftests/net: relax cpu affinity requirement in msg_zerocopy test Date: Mon, 10 Aug 2020 17:22:04 +0200 Message-Id: <20200810151806.286411554@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Willem de Bruijn [ Upstream commit 16f6458f2478b55e2b628797bc81a4455045c74e ] The msg_zerocopy test pins the sender and receiver threads to separate cores to reduce variance between runs. But it hardcodes the cores and skips core 0, so it fails on machines with the selected cores offline, or simply fewer cores. The test mainly gives code coverage in automated runs. The throughput of zerocopy ('-z') and non-zerocopy runs is logged for manual inspection. Continue even when sched_setaffinity fails. Just log to warn anyone interpreting the data. Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") Reported-by: Colin Ian King Signed-off-by: Willem de Bruijn Acked-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- tools/testing/selftests/net/msg_zerocopy.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -125,9 +125,8 @@ static int do_setcpu(int cpu) CPU_ZERO(&mask); CPU_SET(cpu, &mask); if (sched_setaffinity(0, sizeof(mask), &mask)) - error(1, 0, "setaffinity %d", cpu); - - if (cfg_verbose) + fprintf(stderr, "cpu: unable to pin, may increase variance.\n"); + else if (cfg_verbose) fprintf(stderr, "cpu: %u\n", cpu); return 0; From patchwork Mon Aug 10 15:22:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266659 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16247C433E0 for ; Mon, 10 Aug 2020 15:32:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DF74122D04 for ; Mon, 10 Aug 2020 15:32:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073538; bh=G9NxIXCH0bjECpC9RNT5/j8tAX+qRyVYFRyKLO9ualk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=sLq7Y4fciD+XYvUshbc/iwZnmuU0QOZsl3JxwZzvbG7lnQfSJ+9jeJo3//ug+HWQX XDWIE5IPqisn8TqFsem5yrcQnhTkgHiRVbv7rEgPyIpwG4oVBtdQVYx0/W/7RYi76D aKdogsTmQI0CJIzUgFs+gzeVZiWtgOdnxdLO6EFE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728565AbgHJPcS (ORCPT ); Mon, 10 Aug 2020 11:32:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:37968 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728629AbgHJPav (ORCPT ); Mon, 10 Aug 2020 11:30:51 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9E0C720774; Mon, 10 Aug 2020 15:30:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073451; bh=G9NxIXCH0bjECpC9RNT5/j8tAX+qRyVYFRyKLO9ualk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PjBcCqpKcCF3FP1Q/JjZzXp6bzzn8eTFpZngmiTCkroya5IJV2a653IleLi2j4qoy ZHd7LFv0hAhjn5jrqDIhaT+eD1VobkLQiI9Q+qVPUVLvA2pkRaQDt4Zwp1MTecyOD0 KJYC2fXUo6oIE0NwSWwOkE4slEgXyE9WplRZxOX8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+b54969381df354936d96@syzkaller.appspotmail.com, David Howells , Marc Dionne , "David S. Miller" Subject: [PATCH 4.19 43/48] rxrpc: Fix race between recvmsg and sendmsg on immediate call failure Date: Mon, 10 Aug 2020 17:22:05 +0200 Message-Id: <20200810151806.336320258@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: David Howells [ Upstream commit 65550098c1c4db528400c73acf3e46bfa78d9264 ] There's a race between rxrpc_sendmsg setting up a call, but then failing to send anything on it due to an error, and recvmsg() seeing the call completion occur and trying to return the state to the user. An assertion fails in rxrpc_recvmsg() because the call has already been released from the socket and is about to be released again as recvmsg deals with it. (The recvmsg_q queue on the socket holds a ref, so there's no problem with use-after-free.) We also have to be careful not to end up reporting an error twice, in such a way that both returns indicate to userspace that the user ID supplied with the call is no longer in use - which could cause the client to malfunction if it recycles the user ID fast enough. Fix this by the following means: (1) When sendmsg() creates a call after the point that the call has been successfully added to the socket, don't return any errors through sendmsg(), but rather complete the call and let recvmsg() retrieve them. Make sendmsg() return 0 at this point. Further calls to sendmsg() for that call will fail with ESHUTDOWN. Note that at this point, we haven't send any packets yet, so the server doesn't yet know about the call. (2) If sendmsg() returns an error when it was expected to create a new call, it means that the user ID wasn't used. (3) Mark the call disconnected before marking it completed to prevent an oops in rxrpc_release_call(). (4) recvmsg() will then retrieve the error and set MSG_EOR to indicate that the user ID is no longer known by the kernel. An oops like the following is produced: kernel BUG at net/rxrpc/recvmsg.c:605! ... RIP: 0010:rxrpc_recvmsg+0x256/0x5ae ... Call Trace: ? __init_waitqueue_head+0x2f/0x2f ____sys_recvmsg+0x8a/0x148 ? import_iovec+0x69/0x9c ? copy_msghdr_from_user+0x5c/0x86 ___sys_recvmsg+0x72/0xaa ? __fget_files+0x22/0x57 ? __fget_light+0x46/0x51 ? fdget+0x9/0x1b do_recvmmsg+0x15e/0x232 ? _raw_spin_unlock+0xa/0xb ? vtime_delta+0xf/0x25 __x64_sys_recvmmsg+0x2c/0x2f do_syscall_64+0x4c/0x78 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 357f5ef64628 ("rxrpc: Call rxrpc_release_call() on error in rxrpc_new_client_call()") Reported-by: syzbot+b54969381df354936d96@syzkaller.appspotmail.com Signed-off-by: David Howells Reviewed-by: Marc Dionne Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/rxrpc/call_object.c | 27 +++++++++++++++++++-------- net/rxrpc/conn_object.c | 8 +++++--- net/rxrpc/recvmsg.c | 2 +- net/rxrpc/sendmsg.c | 3 +++ 4 files changed, 28 insertions(+), 12 deletions(-) --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -290,7 +290,7 @@ struct rxrpc_call *rxrpc_new_client_call */ ret = rxrpc_connect_call(rx, call, cp, srx, gfp); if (ret < 0) - goto error; + goto error_attached_to_socket; trace_rxrpc_call(call, rxrpc_call_connected, atomic_read(&call->usage), here, NULL); @@ -310,18 +310,29 @@ struct rxrpc_call *rxrpc_new_client_call error_dup_user_ID: write_unlock(&rx->call_lock); release_sock(&rx->sk); - ret = -EEXIST; - -error: __rxrpc_set_call_completion(call, RXRPC_CALL_LOCAL_ERROR, - RX_CALL_DEAD, ret); + RX_CALL_DEAD, -EEXIST); trace_rxrpc_call(call, rxrpc_call_error, atomic_read(&call->usage), - here, ERR_PTR(ret)); + here, ERR_PTR(-EEXIST)); rxrpc_release_call(rx, call); mutex_unlock(&call->user_mutex); rxrpc_put_call(call, rxrpc_call_put); - _leave(" = %d", ret); - return ERR_PTR(ret); + _leave(" = -EEXIST"); + return ERR_PTR(-EEXIST); + + /* We got an error, but the call is attached to the socket and is in + * need of release. However, we might now race with recvmsg() when + * completing the call queues it. Return 0 from sys_sendmsg() and + * leave the error to recvmsg() to deal with. + */ +error_attached_to_socket: + trace_rxrpc_call(call, rxrpc_call_error, atomic_read(&call->usage), + here, ERR_PTR(ret)); + set_bit(RXRPC_CALL_DISCONNECTED, &call->flags); + __rxrpc_set_call_completion(call, RXRPC_CALL_LOCAL_ERROR, + RX_CALL_DEAD, ret); + _leave(" = c=%08x [err]", call->debug_id); + return call; } /* --- a/net/rxrpc/conn_object.c +++ b/net/rxrpc/conn_object.c @@ -215,9 +215,11 @@ void rxrpc_disconnect_call(struct rxrpc_ call->peer->cong_cwnd = call->cong_cwnd; - spin_lock_bh(&conn->params.peer->lock); - hlist_del_rcu(&call->error_link); - spin_unlock_bh(&conn->params.peer->lock); + if (!hlist_unhashed(&call->error_link)) { + spin_lock_bh(&call->peer->lock); + hlist_del_rcu(&call->error_link); + spin_unlock_bh(&call->peer->lock); + } if (rxrpc_is_client_call(call)) return rxrpc_disconnect_client_call(call); --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -530,7 +530,7 @@ try_again: goto error_unlock_call; } - if (msg->msg_name) { + if (msg->msg_name && call->peer) { struct sockaddr_rxrpc *srx = msg->msg_name; size_t len = sizeof(call->peer->srx); --- a/net/rxrpc/sendmsg.c +++ b/net/rxrpc/sendmsg.c @@ -654,6 +654,9 @@ int rxrpc_do_sendmsg(struct rxrpc_sock * if (IS_ERR(call)) return PTR_ERR(call); /* ... and we have the call lock. */ + ret = 0; + if (READ_ONCE(call->state) == RXRPC_CALL_COMPLETE) + goto out_put_unlock; } else { switch (READ_ONCE(call->state)) { case RXRPC_CALL_UNINITIALISED: From patchwork Mon Aug 10 15:22:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266660 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE524C433E0 for ; Mon, 10 Aug 2020 15:32:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8CEB822D06 for ; Mon, 10 Aug 2020 15:32:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073529; bh=GdpXVV8DMlKmH9TVZ8I3srjFaDu0mJ60QwCti/S4+20=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=MZQtvqKPqxTxO+jzBTnByb+XrpDQSxwuoMTP+4xXYfcR7o+AKMkNZybBD96a2ycnr A2rW3MNGJHHOs5cWt5ihfwFjV7QGY7mQPDNPqhgjb+h+Dcq2WR0CnranEairxPRr0p 5is6rAF+wda0sq7uJDF7KBD2XrGPVh29sknZtSbQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728979AbgHJPcI (ORCPT ); Mon, 10 Aug 2020 11:32:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:38012 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728906AbgHJPay (ORCPT ); Mon, 10 Aug 2020 11:30:54 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E24B020791; Mon, 10 Aug 2020 15:30:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073454; bh=GdpXVV8DMlKmH9TVZ8I3srjFaDu0mJ60QwCti/S4+20=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KHBQ6lp/t61vspWIyPtRIcwL0xCP9SIrYw2XdBXbfUSxnA9irHdZ5pH/Xk8B7/qKR vIF3N4ZHrtPfp1PrsTJY12CqCpezGDXRoK/l7yPlVLg7SpN7ivXL5BwCFQLqJkDyDw pBOUDEcc8sYNCHcoaxTkxkviavTGgmlSRkvs6am4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Sergey Nemov , Andrew Bowers , Jeff Kirsher , Jesse Brandeburg Subject: [PATCH 4.19 44/48] i40e: add num_vectors checker in iwarp handler Date: Mon, 10 Aug 2020 17:22:06 +0200 Message-Id: <20200810151806.389164727@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Sergey Nemov [ Upstream commit 7015ca3df965378bcef072cca9cd63ed098665b5 ] Field num_vectors from struct virtchnl_iwarp_qvlist_info should not be larger than num_msix_vectors_vf in the hw struct. The iwarp uses the same set of vectors as the LAN VF driver. Fixes: e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver") Signed-off-by: Sergey Nemov Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Jesse Brandeburg Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c @@ -442,6 +442,16 @@ static int i40e_config_iwarp_qvlist(stru u32 next_q_idx, next_q_type; u32 msix_vf, size; + msix_vf = pf->hw.func_caps.num_msix_vectors_vf; + + if (qvlist_info->num_vectors > msix_vf) { + dev_warn(&pf->pdev->dev, + "Incorrect number of iwarp vectors %u. Maximum %u allowed.\n", + qvlist_info->num_vectors, + msix_vf); + goto err; + } + size = sizeof(struct virtchnl_iwarp_qvlist_info) + (sizeof(struct virtchnl_iwarp_qv_info) * (qvlist_info->num_vectors - 1)); From patchwork Mon Aug 10 15:22:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266666 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AF737C433DF for ; Mon, 10 Aug 2020 15:31:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 79C412080C for ; Mon, 10 Aug 2020 15:31:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073463; bh=unHX8a/jW92snIToUjOuWFq1WAuVmtWd2MRdQGFa8oY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=AyhzyCbPFUzBUSwC7Zif1KCbeBsxXxCZGJwcXk5x6imcsNkBruMduXq5mSFWzj6Sw 9nQf8zfzYL7VaP82oIu2eyrYDAJHKQmWn77Uc46+I/GeNsIzqsSaqidl9o0R+yf0wL 66apbMjV24+7BhXfMiQbKjXK85Vz1TJi7zetNEps= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729150AbgHJPa6 (ORCPT ); Mon, 10 Aug 2020 11:30:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:38102 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728622AbgHJPa5 (ORCPT ); Mon, 10 Aug 2020 11:30:57 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A7B4420791; Mon, 10 Aug 2020 15:30:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073457; bh=unHX8a/jW92snIToUjOuWFq1WAuVmtWd2MRdQGFa8oY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1GEB97nba/qdnhQEoPNdjOy7C8hurtAd0OxT7mPTURA6uKSvebKIPreZqYor931m8 ddWR1xeWUVwFaiqx8W8DFqniV6IRd4RcA0j/H9XWXQ6mF+LiaeOYdjDYyldcIZw9V5 eTZDlhHAHuCQION008IiXD/mMfR+sLsB6JIOxVII= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Grzegorz Siwik , Andrew Bowers , Jeff Kirsher , Jesse Brandeburg Subject: [PATCH 4.19 45/48] i40e: Wrong truncation from u16 to u8 Date: Mon, 10 Aug 2020 17:22:07 +0200 Message-Id: <20200810151806.435542438@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Grzegorz Siwik [ Upstream commit c004804dceee9ca384d97d9857ea2e2795c2651d ] In this patch fixed wrong truncation method from u16 to u8 during validation. It was changed by changing u8 to u32 parameter in method declaration and arguments were changed to u32. Fixes: 5c3c48ac6bf56 ("i40e: implement virtual device interface") Signed-off-by: Grzegorz Siwik Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Jesse Brandeburg Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c @@ -196,7 +196,7 @@ static inline bool i40e_vc_isvalid_queue * * check for the valid vector id **/ -static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u8 vector_id) +static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u32 vector_id) { struct i40e_pf *pf = vf->pf; From patchwork Mon Aug 10 15:22:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 266665 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A7EFC433E1 for ; Mon, 10 Aug 2020 15:31:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3B8EB20791 for ; Mon, 10 Aug 2020 15:31:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073467; bh=N98FjzgorEjTBLATZ61u6SCyC3kXTLPSWDm1Auha4ZE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=mzB6jeR8pVMtcadfAXc7ZRjwEs5U1UleGke8oSkiK1lI1QixE6HS7J7+byplbVfrd WP6Kg9sKos2ndPx2P2qZVubOweFRN0LatSzEYcrI7HX4gEtBKg7aR2RSYSKD3enIZj kZcZp+6pUKsxiuL8ojSEjSuQNIdkMc7hgUgcKH2g= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729169AbgHJPbG (ORCPT ); Mon, 10 Aug 2020 11:31:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:38292 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728622AbgHJPbG (ORCPT ); Mon, 10 Aug 2020 11:31:06 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 507AB2080C; Mon, 10 Aug 2020 15:31:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597073465; bh=N98FjzgorEjTBLATZ61u6SCyC3kXTLPSWDm1Auha4ZE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iLaFtAc91irn9XUuQV5MEzQjAGTWzEhubsIwDzK+1KNHNYNOEDS11smDUhR8ainoj UgmYUYbVCzGaMEtPNNrzCS4S8jYa9CJAOhcYUxQM8Kx6l/GKDwtL1YhwLwZ7ow1kc6 QUw6Ow1rHhATiLtuD9wDF0NydvcCN8fm6M9pdNfI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com, Eric Biggers , Casey Schaufler Subject: [PATCH 4.19 48/48] Smack: fix use-after-free in smk_write_relabel_self() Date: Mon, 10 Aug 2020 17:22:10 +0200 Message-Id: <20200810151806.591377001@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200810151804.199494191@linuxfoundation.org> References: <20200810151804.199494191@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Biggers commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream. smk_write_relabel_self() frees memory from the task's credentials with no locking, which can easily cause a use-after-free because multiple tasks can share the same credentials structure. Fix this by using prepare_creds() and commit_creds() to correctly modify the task's credentials. Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self": #include #include #include static void *thrproc(void *arg) { int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY); for (;;) write(fd, "foo", 3); } int main() { pthread_t t; pthread_create(&t, NULL, thrproc, NULL); thrproc(NULL); } Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com Fixes: 38416e53936e ("Smack: limited capability for changing process label") Cc: # v4.4+ Signed-off-by: Eric Biggers Signed-off-by: Casey Schaufler Signed-off-by: Greg Kroah-Hartman --- security/smack/smackfs.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -2746,7 +2746,6 @@ static int smk_open_relabel_self(struct static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = current_security(); char *data; int rc; LIST_HEAD(list_tmp); @@ -2771,11 +2770,21 @@ static ssize_t smk_write_relabel_self(st kfree(data); if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { + struct cred *new; + struct task_smack *tsp; + + new = prepare_creds(); + if (!new) { + rc = -ENOMEM; + goto out; + } + tsp = new->security; smk_destroy_label_list(&tsp->smk_relabel); list_splice(&list_tmp, &tsp->smk_relabel); + commit_creds(new); return count; } - +out: smk_destroy_label_list(&list_tmp); return rc; }