December 2019 - Linux-stable-mirror

stable RC build breakages (4.14.y, 4.19.y)

by Guenter Roeck

v4.14.y: arm64:defconfig: arch/arm64/boot/dts/nvidia/tegra186-p2771-0000.dts:5:10: fatal error: dt-bindings/input/gpio-keys.h: No such file or directory i386:allyesconfig: drivers/crypto/geode-aes.c:174:2: error: implicit declaration of function 'crypto_sync_skcipher_clear_flags and several similar errors. --- v4.19.y: arm64:defconfig: arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts:82.1-7 Label or path codec not found arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts:86.1-14 Label or path codec_analog not found arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts:91.1-5 Label or path dai not found arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts:297.1-7 Label or path sound not found i386:allyesconfig: Same as v4.14.y. Guenter

4 years, 10 months

4
3
0 0

Linux 4.19.89-rc1 5944fcdd errors

by Chris Paterson

Hello Greg, all, I've seen a few errors with 4.19.89-rc1 (5944fcdd). 1) Config: arm64 defconfig Link: https://gitlab.com/cip-playground/linux-stable-rc-ci/-/jobs/373484093#L267 Probable culprit: 227b635dcae6 ("bpf, arm64: fix getting subprog addr from aux for calls") Issue log: 267 arch/arm64/net/bpf_jit_comp.c: In function 'build_insn': 268 arch/arm64/net/bpf_jit_comp.c:633:9: error: implicit declaration of function 'bpf_jit_get_func_addr'; did you mean 'bpf_jit_binary_hdr'? [-Werror=implicit-function-declaration] 269 ret = bpf_jit_get_func_addr(ctx->prog, insn, extra_pass, 270 ^~~~~~~~~~~~~~~~~~~~~ 271 bpf_jit_binary_hdr 2) Config: arm multi_v7_defconfig Link: https://gitlab.com/cip-playground/linux-stable-rc-ci/-/jobs/373484091#L2147 Probable culprit: 192929fd944d ("dmaengine: xilinx_dma: Fix 64-bit simple CDMA transfer") Issue log: 2147 drivers/dma/xilinx/xilinx_dma.c: In function 'xilinx_cdma_start_transfer': 2148 drivers/dma/xilinx/xilinx_dma.c:1252:9: error: implicit declaration of function 'xilinx_prep_dma_addr_t'; did you mean 'xilinx_dma_start'? [-Werror=implicit-function-declaration] 2149 xilinx_prep_dma_addr_t(hw->src_addr)); 2150 ^~~~~~~~~~~~~~~~~~~~~~ 2151 xilinx_dma_start 3) Config: arm shmobile_defconfig Link: https://gitlab.com/cip-playground/linux-stable-rc-ci/-/jobs/373484089#L2249 Probable culprit: 984d7a8bff57 ("pinctrl: sh-pfc: r8a7792: Fix VIN versioned groups") Issue log: 2249 drivers/pinctrl/sh-pfc/pfc-r8a7792.c:1750:38: error: macro "VIN_DATA_PIN_GROUP" passed 3 arguments, but takes just 2 2250 VIN_DATA_PIN_GROUP(vin1_data, 24, _b), 2251 ^ 2252 drivers/pinctrl/sh-pfc/pfc-r8a7792.c:1750:2: error: 'VIN_DATA_PIN_GROUP' undeclared here (not in a function); did you mean 'PIN_MAP_TYPE_MUX_GROUP'? 2253 VIN_DATA_PIN_GROUP(vin1_data, 24, _b), 2254 ^~~~~~~~~~~~~~~~~~ 2255 PIN_MAP_TYPE_MUX_GROUP 2256 drivers/pinctrl/sh-pfc/pfc-r8a7792.c:1751:38: error: macro "VIN_DATA_PIN_GROUP" passed 3 arguments, but takes just 2 2257 VIN_DATA_PIN_GROUP(vin1_data, 20, _b), 2258 ^ 2259 drivers/pinctrl/sh-pfc/pfc-r8a7792.c:1753:38: error: macro "VIN_DATA_PIN_GROUP" passed 3 arguments, but takes just 2 2260 VIN_DATA_PIN_GROUP(vin1_data, 16, _b), 2261 ^ Kind regards, Chris

4 years, 10 months

4
14
0 0

[PATCH rh7.3 06/11] usb: iowarrior: fix deadlock on disconnect

by Mao Wenan

From: Oliver Neukum <oneukum(a)suse.com> mainline inclusion from mainline-5.3 commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 category: bugfix bugzilla: NA DTS: NA CVE: CVE-2019-19528 ------------------------------------------------- We have to drop the mutex before we close() upon disconnect() as close() needs the lock. This is safe to do by dropping the mutex as intfdata is already set to NULL, so open() will fail. Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior") Reported-by: syzbot+a64a382964bf6c71a9c0(a)syzkaller.appspotmail.com Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Mao Wenan <maowenan(a)huawei.com> --- drivers/usb/misc/iowarrior.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index 1950e87b4219..eb8c08a54a77 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -889,19 +889,20 @@ static void iowarrior_disconnect(struct usb_interface *interface) dev = usb_get_intfdata(interface); mutex_lock(&iowarrior_open_disc_lock); usb_set_intfdata(interface, NULL); + /* prevent device read, write and ioctl */ + dev->present = 0; minor = dev->minor; + mutex_unlock(&iowarrior_open_disc_lock); + /* give back our minor - this will call close() locks need to be dropped at this point*/ - /* give back our minor */ usb_deregister_dev(interface, &iowarrior_class); mutex_lock(&dev->mutex); /* prevent device read, write and ioctl */ - dev->present = 0; mutex_unlock(&dev->mutex); - mutex_unlock(&iowarrior_open_disc_lock); if (dev->opened) { /* There is a process that holds a filedescriptor to the device , -- 2.20.1

4 years, 10 months

2
1
0 0

[PATCH v5 2/2] can: tcan4x5x: put the device out of standby before register access

by Sean Nyekjaer

The m_can tries to detect if Non ISO Operation is available while in standby, this function results in the following error: tcan4x5x spi2.0 (unnamed net_device) (uninitialized): Failed to init module tcan4x5x spi2.0: m_can device registered (irq=84, version=32) tcan4x5x spi2.0 can2: TCAN4X5X successfully initialized. When the tcan device comes out of reset it comes out in standby mode. The m_can driver tries to access the control register but fails due to the device is in standby mode. So this patch will put the tcan device in normal mode before the m_can driver does the initialization. Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Cc: stable(a)vger.kernel.org Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- Changes since v3: - Fixed fixes tag Changes since v4: - None drivers/net/can/m_can/tcan4x5x.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/can/m_can/tcan4x5x.c b/drivers/net/can/m_can/tcan4x5x.c index 032d110e0870..3a3359ad3723 100644 --- a/drivers/net/can/m_can/tcan4x5x.c +++ b/drivers/net/can/m_can/tcan4x5x.c @@ -485,6 +485,10 @@ static int tcan4x5x_can_probe(struct spi_device *spi) if (ret) goto out_power; + ret = tcan4x5x_init(mcan_class); + if (ret) + goto out_power; + ret = m_can_class_register(mcan_class); if (ret) goto out_power; -- 2.24.0

4 years, 10 months

1
0
0 0

[PATCH v4 2/2] can: tcan4x5x: put the device out of standby before register access

by Sean Nyekjaer

The m_can tries to detect if Non ISO Operation is available while in standby, this function results in the following error: tcan4x5x spi2.0 (unnamed net_device) (uninitialized): Failed to init module tcan4x5x spi2.0: m_can device registered (irq=84, version=32) tcan4x5x spi2.0 can2: TCAN4X5X successfully initialized. When the tcan device comes out of reset it comes out in standby mode. The m_can driver tries to access the control register but fails due to the device is in standby mode. So this patch will put the tcan device in normal mode before the m_can driver does the initialization. Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Cc: stable(a)vger.kernel.org Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- Changes since v3: - Fixed fixes tag drivers/net/can/m_can/tcan4x5x.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/can/m_can/tcan4x5x.c b/drivers/net/can/m_can/tcan4x5x.c index 960a16aca7ca..32c16be5a9d8 100644 --- a/drivers/net/can/m_can/tcan4x5x.c +++ b/drivers/net/can/m_can/tcan4x5x.c @@ -475,6 +475,10 @@ static int tcan4x5x_can_probe(struct spi_device *spi) if (ret) goto out_power; + ret = tcan4x5x_init(mcan_class); + if (ret) + goto out_power; + ret = m_can_class_register(mcan_class); if (ret) goto out_power; -- 2.24.0

4 years, 10 months

1
0
0 0

[PATCH v3 1/2] can: m_can: tcan4x5x: put the device out of standby before register access

by Sean Nyekjaer

The m_can tries to detect if Non ISO Operation is available while in standby, this function results in the following error: tcan4x5x spi2.0 (unnamed net_device) (uninitialized): Failed to init module tcan4x5x spi2.0: m_can device registered (irq=84, version=32) tcan4x5x spi2.0 can2: TCAN4X5X successfully initialized. When the tcan device comes out of reset it comes out in standby mode. The m_can driver tries to access the control register but fails due to the device is in standby mode. So this patch will put the tcan device in normal mode before the m_can driver does the initialization. Fixes: a229abeed7f7 ("can: tcan4x5x: Turn on the power before parsing the config") Cc: stable(a)vger.kernel.org Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> --- Changes since v2: - added error handling for tcan4x5x_init call drivers/net/can/m_can/tcan4x5x.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/can/m_can/tcan4x5x.c b/drivers/net/can/m_can/tcan4x5x.c index b6b2feca9e8f..1f04fec7723d 100644 --- a/drivers/net/can/m_can/tcan4x5x.c +++ b/drivers/net/can/m_can/tcan4x5x.c @@ -460,6 +460,10 @@ static int tcan4x5x_can_probe(struct spi_device *spi) if (ret) goto out_power; + ret = tcan4x5x_init(mcan_class); + if (ret) + goto out_power; + ret = m_can_class_register(mcan_class); if (ret) goto out_power; -- 2.24.0

4 years, 10 months

2
7
0 0

[PATCH rh7.3 07/11] USB: iowarrior: fix use-after-free on disconnect

by Mao Wenan

From: Johan Hovold <johan(a)kernel.org> mainline inclusion from mainline-5.4 commit edc4746f253d907d048de680a621e121517f484b category: bugfix bugzilla: NA DTS: NA CVE: CVE-2019-19528 ------------------------------------------------- A recent fix addressing a deadlock on disconnect introduced a new bug by moving the present flag out of the critical section protected by the driver-data mutex. This could lead to a racing release() freeing the driver data before disconnect() is done with it. Due to insufficient locking a related use-after-free could be triggered also before the above mentioned commit. Specifically, the driver needs to hold the driver-data mutex also while checking the opened flag at disconnect(). Fixes: c468a8aa790e ("usb: iowarrior: fix deadlock on disconnect") Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") Cc: stable <stable(a)vger.kernel.org> # 2.6.21 Reported-by: syzbot+0761012cebf7bdb38137(a)syzkaller.appspotmail.com Signed-off-by: Johan Hovold <johan(a)kernel.org> Link: https://lore.kernel.org/r/20191009104846.5925-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Mao Wenan <maowenan(a)huawei.com> --- drivers/usb/misc/iowarrior.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index eb8c08a54a77..7844fd957a8d 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -889,8 +889,6 @@ static void iowarrior_disconnect(struct usb_interface *interface) dev = usb_get_intfdata(interface); mutex_lock(&iowarrior_open_disc_lock); usb_set_intfdata(interface, NULL); - /* prevent device read, write and ioctl */ - dev->present = 0; minor = dev->minor; mutex_unlock(&iowarrior_open_disc_lock); @@ -901,8 +899,7 @@ static void iowarrior_disconnect(struct usb_interface *interface) mutex_lock(&dev->mutex); /* prevent device read, write and ioctl */ - - mutex_unlock(&dev->mutex); + dev->present = 0; if (dev->opened) { /* There is a process that holds a filedescriptor to the device , @@ -912,8 +909,10 @@ static void iowarrior_disconnect(struct usb_interface *interface) usb_kill_urb(dev->int_in_urb); wake_up_interruptible(&dev->read_wait); wake_up_interruptible(&dev->write_wait); + mutex_unlock(&dev->mutex); } else { /* no process is using the device, cleanup now */ + mutex_unlock(&dev->mutex); iowarrior_delete(dev); } -- 2.20.1

4 years, 10 months

1
0
0 0

[PATCH rh7.3 05/11] USB: adutux: fix use-after-free on disconnect

by Mao Wenan

From: Johan Hovold <johan(a)kernel.org> mainline inclusion from mainline-5.4 commit 44efc269db7929f6275a1fa927ef082e533ecde0 category: bugfix bugzilla: NA DTS: NA CVE: CVE-2019-19523 ------------------------------------------------- The driver was clearing its struct usb_device pointer, which it used as an inverted disconnected flag, before deregistering the character device and without serialising against racing release(). This could lead to a use-after-free if a racing release() callback observes the cleared pointer and frees the driver data before disconnect() is finished with it. This could also lead to NULL-pointer dereferences in a racing open(). Fixes: f08812d5eb8f ("USB: FIx locks and urb->status in adutux (updated)") Cc: stable <stable(a)vger.kernel.org> # 2.6.24 Reported-by: syzbot+0243cb250a51eeefb8cc(a)syzkaller.appspotmail.com Tested-by: syzbot+0243cb250a51eeefb8cc(a)syzkaller.appspotmail.com Signed-off-by: Johan Hovold <johan(a)kernel.org> Link: https://lore.kernel.org/r/20190925092913.8608-1-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Mao Wenan <maowenan(a)huawei.com> --- drivers/usb/misc/adutux.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c index 3071c0ef909b..2f308f5a415b 100644 --- a/drivers/usb/misc/adutux.c +++ b/drivers/usb/misc/adutux.c @@ -804,15 +804,16 @@ static void adu_disconnect(struct usb_interface *interface) dev = usb_get_intfdata(interface); - mutex_lock(&dev->mtx); /* not interruptible */ - dev->udev = NULL; /* poison */ minor = dev->minor; usb_deregister_dev(interface, &adu_class); - mutex_unlock(&dev->mtx); mutex_lock(&adutux_mutex); usb_set_intfdata(interface, NULL); + mutex_lock(&dev->mtx); /* not interruptible */ + dev->udev = NULL; /* poison */ + mutex_unlock(&dev->mtx); + /* if the device is not opened, then we clean up right now */ if (!dev->open_count) adu_delete(dev); -- 2.20.1

4 years, 10 months

1
0
0 0

[PATCH rh7.3 02/11] can: peak_usb: fix slab info leak

by Mao Wenan

From: Johan Hovold <johan(a)kernel.org> mainline inclusion from mainline-5.4 commit f7a1337f0d29b98733c8824e165fca3371d7d4fd category: bugfix bugzilla: NA DTS: NA CVE: CVE-2019-19534 ------------------------------------------------- Fix a small slab info leak due to a failure to clear the command buffer at allocation. The first 16 bytes of the command buffer are always sent to the device in pcan_usb_send_cmd() even though only the first two may have been initialised in case no argument payload is provided (e.g. when waiting for a response). Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") Cc: stable <stable(a)vger.kernel.org> # 3.4 Reported-by: syzbot+863724e7128e14b26732(a)syzkaller.appspotmail.com Signed-off-by: Johan Hovold <johan(a)kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Mao Wenan <maowenan(a)huawei.com> --- drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c index b9df329577a7..8320937a9fd1 100644 --- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c +++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c @@ -731,7 +731,7 @@ static int peak_usb_create_dev(struct peak_usb_adapter *peak_usb_adapter, dev = netdev_priv(netdev); /* allocate a buffer large enough to send commands */ - dev->cmd_buf = kmalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL); + dev->cmd_buf = kzalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL); if (!dev->cmd_buf) { err = -ENOMEM; goto lbl_free_candev; -- 2.20.1

4 years, 10 months

1
0
0 0

[PATCH 4/7] Input: gtco: fix endpoint sanity check

by Johan Hovold

The driver was checking the number of endpoints of the first alternate setting instead of the current one, something which could lead to the driver binding to an invalid interface. This in turn could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") Cc: stable <stable(a)vger.kernel.org> # 4.6 Cc: Vladis Dronov <vdronov(a)redhat.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/input/tablet/gtco.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c index 35031228a6d0..799c94dda651 100644 --- a/drivers/input/tablet/gtco.c +++ b/drivers/input/tablet/gtco.c @@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interface *usbinterface, } /* Sanity check that a device has an endpoint */ - if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { + if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) { dev_err(&usbinterface->dev, "Invalid number of endpoints\n"); error = -EINVAL; goto err_free_urb; } - /* - * The endpoint is always altsetting 0, we know this since we know - * this device only has one interrupt endpoint - */ - endpoint = &usbinterface->altsetting[0].endpoint[0].desc; + endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; /* Some debug */ dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting); @@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interface *usbinterface, input_dev->dev.parent = &usbinterface->dev; /* Setup the URB, it will be posted later on open of input device */ - endpoint = &usbinterface->altsetting[0].endpoint[0].desc; + endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; usb_fill_int_urb(gtco->urbinfo, udev, -- 2.24.0

4 years, 10 months

2
1
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2019