- Linux-stable-mirror - lists.linaro.org

[PATCH RESEND 2/4] USB: legousbtower: fix deadlock on disconnect

by Johan Hovold

Fix a potential deadlock if disconnect races with open. Since commit d4ead16f50f9 ("USB: prevent char device open/deregister race") core holds an rw-semaphore while open is called and when releasing the minor number during deregistration. This can lead to an ABBA deadlock if a driver takes a lock in open which it also holds during deregistration. This effectively reverts commit 78663ecc344b ("USB: disconnect open race in legousbtower") which needlessly introduced this issue after a generic fix for this race had been added to core by commit d4ead16f50f9 ("USB: prevent char device open/deregister race"). Fixes: 78663ecc344b ("USB: disconnect open race in legousbtower") Cc: stable <stable(a)vger.kernel.org> # 2.6.24 Reported-by: syzbot+f9549f5ee8a5416f0b95(a)syzkaller.appspotmail.com Tested-by: syzbot+f9549f5ee8a5416f0b95(a)syzkaller.appspotmail.com Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/misc/legousbtower.c | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c index 1db07d4dc738..773e4188f336 100644 --- a/drivers/usb/misc/legousbtower.c +++ b/drivers/usb/misc/legousbtower.c @@ -179,7 +179,6 @@ static const struct usb_device_id tower_table[] = { }; MODULE_DEVICE_TABLE (usb, tower_table); -static DEFINE_MUTEX(open_disc_mutex); #define LEGO_USB_TOWER_MINOR_BASE 160 @@ -332,18 +331,14 @@ static int tower_open (struct inode *inode, struct file *file) goto exit; } - mutex_lock(&open_disc_mutex); dev = usb_get_intfdata(interface); - if (!dev) { - mutex_unlock(&open_disc_mutex); retval = -ENODEV; goto exit; } /* lock this device */ if (mutex_lock_interruptible(&dev->lock)) { - mutex_unlock(&open_disc_mutex); retval = -ERESTARTSYS; goto exit; } @@ -351,12 +346,10 @@ static int tower_open (struct inode *inode, struct file *file) /* allow opening only once */ if (dev->open_count) { - mutex_unlock(&open_disc_mutex); retval = -EBUSY; goto unlock_exit; } dev->open_count = 1; - mutex_unlock(&open_disc_mutex); /* reset the tower */ result = usb_control_msg (dev->udev, @@ -423,10 +416,9 @@ static int tower_release (struct inode *inode, struct file *file) if (dev == NULL) { retval = -ENODEV; - goto exit_nolock; + goto exit; } - mutex_lock(&open_disc_mutex); if (mutex_lock_interruptible(&dev->lock)) { retval = -ERESTARTSYS; goto exit; @@ -456,10 +448,7 @@ static int tower_release (struct inode *inode, struct file *file) unlock_exit: mutex_unlock(&dev->lock); - exit: - mutex_unlock(&open_disc_mutex); -exit_nolock: return retval; } @@ -912,7 +901,6 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device if (retval) { /* something prevented us from registering this driver */ dev_err(idev, "Not able to get a minor for this device.\n"); - usb_set_intfdata (interface, NULL); goto error; } dev->minor = interface->minor; @@ -944,16 +932,13 @@ static void tower_disconnect (struct usb_interface *interface) int minor; dev = usb_get_intfdata (interface); - mutex_lock(&open_disc_mutex); - usb_set_intfdata (interface, NULL); minor = dev->minor; - /* give back our minor */ + /* give back our minor and prevent further open() */ usb_deregister_dev (interface, &tower_class); mutex_lock(&dev->lock); - mutex_unlock(&open_disc_mutex); /* if the device is not opened, then we clean up right now */ if (!dev->open_count) { -- 2.23.0

5 years, 8 months

1
0
0 0

[PATCH RESEND 1/4] USB: legousbtower: fix slab info leak at probe

by Johan Hovold

Make sure to check for short transfers when retrieving the version information at probe to avoid leaking uninitialised slab data when logging it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/misc/legousbtower.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c index 006cf13b2199..1db07d4dc738 100644 --- a/drivers/usb/misc/legousbtower.c +++ b/drivers/usb/misc/legousbtower.c @@ -891,8 +891,10 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device get_version_reply, sizeof(*get_version_reply), 1000); - if (result < 0) { - dev_err(idev, "LEGO USB Tower get version control request failed\n"); + if (result < sizeof(*get_version_reply)) { + if (result >= 0) + result = -EIO; + dev_err(idev, "get version request failed: %d\n", result); retval = result; goto error; } -- 2.23.0

5 years, 8 months

1
0
0 0

[PATCH 3/4] USB: legousbtower: fix potential NULL-deref on disconnect

by Johan Hovold

The driver is using its struct usb_device pointer as an inverted disconnected flag, but was setting it to NULL before making sure all completion handlers had run. This could lead to a NULL-pointer dereference in a number of dev_dbg and dev_err statements in the completion handlers which relies on said pointer. Fix this by unconditionally stopping all I/O and preventing resubmissions by poisoning the interrupt URBs at disconnect and using a dedicated disconnected flag. This also makes sure that all I/O has completed by the time the disconnect callback returns. Fixes: 9d974b2a06e3 ("USB: legousbtower.c: remove err() usage") Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro") Fixes: 4dae99638097 ("USB: legotower: remove custom debug macro and module parameter") Cc: stable <stable(a)vger.kernel.org> # 3.5 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/misc/legousbtower.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c index 773e4188f336..4fa999882635 100644 --- a/drivers/usb/misc/legousbtower.c +++ b/drivers/usb/misc/legousbtower.c @@ -190,6 +190,7 @@ struct lego_usb_tower { unsigned char minor; /* the starting minor number for this device */ int open_count; /* number of times this port has been opened */ + unsigned long disconnected:1; char* read_buffer; size_t read_buffer_length; /* this much came in */ @@ -289,8 +290,6 @@ static inline void lego_usb_tower_debug_data(struct device *dev, */ static inline void tower_delete (struct lego_usb_tower *dev) { - tower_abort_transfers (dev); - /* free data structures */ usb_free_urb(dev->interrupt_in_urb); usb_free_urb(dev->interrupt_out_urb); @@ -430,7 +429,8 @@ static int tower_release (struct inode *inode, struct file *file) retval = -ENODEV; goto unlock_exit; } - if (dev->udev == NULL) { + + if (dev->disconnected) { /* the device was unplugged before the file was released */ /* unlock here as tower_delete frees dev */ @@ -466,10 +466,9 @@ static void tower_abort_transfers (struct lego_usb_tower *dev) if (dev->interrupt_in_running) { dev->interrupt_in_running = 0; mb(); - if (dev->udev) - usb_kill_urb (dev->interrupt_in_urb); + usb_kill_urb(dev->interrupt_in_urb); } - if (dev->interrupt_out_busy && dev->udev) + if (dev->interrupt_out_busy) usb_kill_urb(dev->interrupt_out_urb); } @@ -505,7 +504,7 @@ static __poll_t tower_poll (struct file *file, poll_table *wait) dev = file->private_data; - if (!dev->udev) + if (dev->disconnected) return EPOLLERR | EPOLLHUP; poll_wait(file, &dev->read_wait, wait); @@ -552,7 +551,7 @@ static ssize_t tower_read (struct file *file, char __user *buffer, size_t count, } /* verify that the device wasn't unplugged */ - if (dev->udev == NULL) { + if (dev->disconnected) { retval = -ENODEV; pr_err("No device or device unplugged %d\n", retval); goto unlock_exit; @@ -638,7 +637,7 @@ static ssize_t tower_write (struct file *file, const char __user *buffer, size_t } /* verify that the device wasn't unplugged */ - if (dev->udev == NULL) { + if (dev->disconnected) { retval = -ENODEV; pr_err("No device or device unplugged %d\n", retval); goto unlock_exit; @@ -748,7 +747,7 @@ static void tower_interrupt_in_callback (struct urb *urb) resubmit: /* resubmit if we're still running */ - if (dev->interrupt_in_running && dev->udev) { + if (dev->interrupt_in_running) { retval = usb_submit_urb (dev->interrupt_in_urb, GFP_ATOMIC); if (retval) dev_err(&dev->udev->dev, @@ -813,6 +812,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device dev->udev = udev; dev->open_count = 0; + dev->disconnected = 0; dev->read_buffer = NULL; dev->read_buffer_length = 0; @@ -938,6 +938,10 @@ static void tower_disconnect (struct usb_interface *interface) /* give back our minor and prevent further open() */ usb_deregister_dev (interface, &tower_class); + /* stop I/O */ + usb_poison_urb(dev->interrupt_in_urb); + usb_poison_urb(dev->interrupt_out_urb); + mutex_lock(&dev->lock); /* if the device is not opened, then we clean up right now */ @@ -945,7 +949,7 @@ static void tower_disconnect (struct usb_interface *interface) mutex_unlock(&dev->lock); tower_delete (dev); } else { - dev->udev = NULL; + dev->disconnected = 1; /* wake up pollers */ wake_up_interruptible_all(&dev->read_wait); wake_up_interruptible_all(&dev->write_wait); -- 2.23.0

5 years, 8 months

1
0
0 0

[PATCH 2/4] USB: legousbtower: fix deadlock on disconnect

by Johan Hovold

Fix a potential deadlock if disconnect races with open. Since commit d4ead16f50f9 ("USB: prevent char device open/deregister race") core holds an rw-semaphore while open is called and when releasing the minor number during deregistration. This can lead to an ABBA deadlock if a driver takes a lock in open which it also holds during deregistration. This effectively reverts commit 78663ecc344b ("USB: disconnect open race in legousbtower") which needlessly introduced this issue after a generic fix for this race had been added to core by commit d4ead16f50f9 ("USB: prevent char device open/deregister race"). Fixes: 78663ecc344b ("USB: disconnect open race in legousbtower") Cc: stable <stable(a)vger.kernel.org> # 2.6.24 Reported-by: syzbot+f9549f5ee8a5416f0b95(a)syzkaller.appspotmail.com Tested-by: syzbot+f9549f5ee8a5416f0b95(a)syzkaller.appspotmail.com Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/misc/legousbtower.c | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c index 1db07d4dc738..773e4188f336 100644 --- a/drivers/usb/misc/legousbtower.c +++ b/drivers/usb/misc/legousbtower.c @@ -179,7 +179,6 @@ static const struct usb_device_id tower_table[] = { }; MODULE_DEVICE_TABLE (usb, tower_table); -static DEFINE_MUTEX(open_disc_mutex); #define LEGO_USB_TOWER_MINOR_BASE 160 @@ -332,18 +331,14 @@ static int tower_open (struct inode *inode, struct file *file) goto exit; } - mutex_lock(&open_disc_mutex); dev = usb_get_intfdata(interface); - if (!dev) { - mutex_unlock(&open_disc_mutex); retval = -ENODEV; goto exit; } /* lock this device */ if (mutex_lock_interruptible(&dev->lock)) { - mutex_unlock(&open_disc_mutex); retval = -ERESTARTSYS; goto exit; } @@ -351,12 +346,10 @@ static int tower_open (struct inode *inode, struct file *file) /* allow opening only once */ if (dev->open_count) { - mutex_unlock(&open_disc_mutex); retval = -EBUSY; goto unlock_exit; } dev->open_count = 1; - mutex_unlock(&open_disc_mutex); /* reset the tower */ result = usb_control_msg (dev->udev, @@ -423,10 +416,9 @@ static int tower_release (struct inode *inode, struct file *file) if (dev == NULL) { retval = -ENODEV; - goto exit_nolock; + goto exit; } - mutex_lock(&open_disc_mutex); if (mutex_lock_interruptible(&dev->lock)) { retval = -ERESTARTSYS; goto exit; @@ -456,10 +448,7 @@ static int tower_release (struct inode *inode, struct file *file) unlock_exit: mutex_unlock(&dev->lock); - exit: - mutex_unlock(&open_disc_mutex); -exit_nolock: return retval; } @@ -912,7 +901,6 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device if (retval) { /* something prevented us from registering this driver */ dev_err(idev, "Not able to get a minor for this device.\n"); - usb_set_intfdata (interface, NULL); goto error; } dev->minor = interface->minor; @@ -944,16 +932,13 @@ static void tower_disconnect (struct usb_interface *interface) int minor; dev = usb_get_intfdata (interface); - mutex_lock(&open_disc_mutex); - usb_set_intfdata (interface, NULL); minor = dev->minor; - /* give back our minor */ + /* give back our minor and prevent further open() */ usb_deregister_dev (interface, &tower_class); mutex_lock(&dev->lock); - mutex_unlock(&open_disc_mutex); /* if the device is not opened, then we clean up right now */ if (!dev->open_count) { -- 2.23.0

5 years, 8 months

1
0
0 0

[PATCH 1/4] USB: legousbtower: fix slab info leak at probe

by Johan Hovold

Make sure to check for short transfers when retrieving the version information at probe to avoid leaking uninitialised slab data when logging it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/misc/legousbtower.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c index 006cf13b2199..1db07d4dc738 100644 --- a/drivers/usb/misc/legousbtower.c +++ b/drivers/usb/misc/legousbtower.c @@ -891,8 +891,10 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device get_version_reply, sizeof(*get_version_reply), 1000); - if (result < 0) { - dev_err(idev, "LEGO USB Tower get version control request failed\n"); + if (result < sizeof(*get_version_reply)) { + if (result >= 0) + result = -EIO; + dev_err(idev, "get version request failed: %d\n", result); retval = result; goto error; } -- 2.23.0

5 years, 8 months

1
0
0 0

[PATCH 5.2 00/85] 5.2.16-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.2.16 release. There are 85 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri 20 Sep 2019 06:09:47 AM UTC. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.16-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.2.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.2.16-rc1 Linus Torvalds <torvalds(a)linux-foundation.org> x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning Hui Peng <benquike(a)gmail.com> rsi: fix a double free bug in rsi_91x_deinit() Enrico Weigelt <info(a)metux.net> platform/x86: pcengines-apuv2: use KEY_RESTART for front button Steffen Dirkwinkel <s.dirkwinkel(a)beckhoff.com> platform/x86: pmc_atom: Add CB4063 Beckhoff Automation board to critclk_systems DMI table Liran Alon <liran.alon(a)oracle.com> KVM: SVM: Fix detection of AMD Errata 1096 Jim Mattson <jmattson(a)google.com> kvm: nVMX: Remove unnecessary sync_roots from handle_invept Jessica Yu <jeyu(a)kernel.org> modules: always page-align module section allocations Yang Yingliang <yangyingliang(a)huawei.com> modules: fix compile error if don't have strict module rwx Yang Yingliang <yangyingliang(a)huawei.com> modules: fix BUG when load module with rodata=n Olivier Moysan <olivier.moysan(a)st.com> iio: adc: stm32-dfsdm: fix data type Olivier Moysan <olivier.moysan(a)st.com> iio: adc: stm32-dfsdm: fix output resolution Mario Limonciello <mario.limonciello(a)dell.com> Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature" Gustavo A. R. Silva <gustavo(a)embeddedor.com> mm/z3fold.c: fix lock/unlock imbalance in z3fold_page_isolate Henry Burns <henryburns(a)google.com> mm/z3fold.c: remove z3fold_migration trylock Nishka Dasgupta <nishkadg.linux(a)gmail.com> drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto Hans de Goede <hdegoede(a)redhat.com> drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC Andrew F. Davis <afd(a)ti.com> firmware: ti_sci: Always request response from firmware Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - HMAC SNOOP NO AFEU mode requires SW icv checking. Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - Do not modify req->cryptlen on decryption. Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - fix ECB algs ivsize Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - check data blocksize in ablkcipher. Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - fix CTR alg blocksize Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - check AES key size Muchun Song <smuchun(a)gmail.com> driver core: Fix use-after-free and double free on glue directory Richard Weinberger <richard(a)nod.at> ubifs: Correctly use tnc_next() in search_dh_cookie() Alex Williamson <alex.williamson(a)redhat.com> PCI: Always allow probing with driver_override Xiaolei Li <xiaolei.li(a)mediatek.com> mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue Douglas Anderson <dianders(a)chromium.org> clk: rockchip: Don't yell about bad mmc phases when getting Dan Carpenter <dan.carpenter(a)oracle.com> mt76: mt7615: Use after free in mt7615_mcu_set_bcn() Dan Carpenter <dan.carpenter(a)oracle.com> mt76: Fix a signedness bug in mt7615_add_interface() Stephen Boyd <sboyd(a)kernel.org> clk: Simplify debugfs printing and add a newline Chen-Yu Tsai <wens(a)csie.org> clk: Fix debugfs clk_possible_parents for clks without parent string names Neil Armstrong <narmstrong(a)baylibre.com> drm/meson: Add support for XBGR8888 & ABGR8888 formats Mimi Zohar <zohar(a)linux.ibm.com> x86/ima: check EFI SetupMode too Junichi Nomura <j-nomura(a)ce.jp.nec.com> x86/boot: Use efi_setup_data for searching RSDP on kexec-ed kernels YueHaibing <yuehaibing(a)huawei.com> kernel/module: Fix mem leak in module_add_modinfo_attrs Suraj Jitindar Singh <sjitindarsingh(a)gmail.com> powerpc: Add barrier_nospec to raw_copy_in_user() Steve Wahl <steve.wahl(a)hpe.com> x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors Paolo Bonzini <pbonzini(a)redhat.com> KVM: nVMX: handle page fault in vmread Sean Christopherson <sean.j.christopherson(a)intel.com> KVM: x86/mmu: Reintroduce fast invalidate/zap for flushing memslot Fuqian Huang <huangfq.daxian(a)gmail.com> KVM: x86: work around leak of uninitialized stack contents Thomas Huth <thuth(a)redhat.com> KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl Igor Mammedov <imammedo(a)redhat.com> KVM: s390: kvm_s390_vm_start_migration: check dirty_bitmap before using it as target for memset() Andreas Kemnade <andreas(a)kemnade.info> regulator: twl: voltage lists for vdd1/2 on twl4030 Yunfeng Ye <yeyunfeng(a)huawei.com> genirq: Prevent NULL pointer dereference in resend_irqs() Stanislaw Gruszka <sgruszka(a)redhat.com> mt76: mt76x0e: disable 5GHz band for MT7630E Stanislaw Gruszka <sgruszka(a)redhat.com> Revert "rt2800: enable TX_PIN_CFG_LNA_PE_ bits per band" Alexander Duyck <alexander.h.duyck(a)linux.intel.com> ixgbe: Prevent u8 wrapping of ITR value to something less than 10us Ilya Maximets <i.maximets(a)samsung.com> ixgbe: fix double clean of Tx descriptors with xdp Arnd Bergmann <arnd(a)arndb.de> ipc: fix sparc64 ipc() wrapper Arnd Bergmann <arnd(a)arndb.de> ipc: fix semtimedop for generic 32-bit architectures Chris Wilson <chris(a)chris-wilson.co.uk> drm/i915: Restore relaxed padding (OCL_OOB_SUPPRES_ENABLE) for skl+ Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Limit MST to <= 8bpc once again Vasily Khoruzhick <anarsoul(a)gmail.com> drm/lima: fix lima_gem_wait() return value Ulf Hansson <ulf.hansson(a)linaro.org> mmc: tmio: Fixup runtime PM management during remove Ulf Hansson <ulf.hansson(a)linaro.org> mmc: tmio: Fixup runtime PM management during probe Daniel Drake <drake(a)endlessm.com> Revert "mmc: sdhci: Remove unneeded quirk2 flag of O2 SD host controller" Stefan Wahren <wahrenst(a)gmx.net> Revert "mmc: bcm2835: Terminate timeout work synchronously" Roman Gushchin <guro(a)fb.com> cgroup: freezer: fix frozen state inheritance Filipe Manana <fdmanana(a)suse.com> Btrfs: fix assertion failure during fsync and use of stale transaction Kent Gibson <warthog618(a)gmail.com> gpio: fix line flag validation in lineevent_create Kent Gibson <warthog618(a)gmail.com> gpio: fix line flag validation in linehandle_create Wei Yongjun <weiyongjun1(a)huawei.com> gpio: mockup: add missing single_release() Hans de Goede <hdegoede(a)redhat.com> gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist John Fastabend <john.fastabend(a)gmail.com> net: sock_map, fix missing ulp check in sock hash case Xin Long <lucien.xin(a)gmail.com> sctp: fix the missing put_user when dumping transport thresholds Moritz Fischer <mdf(a)kernel.org> net: fixed_phy: Add forward declaration for struct gpio_desc; Maciej Żenczykowski <maze(a)google.com> ipv6: addrconf_f6i_alloc - fix non-null pointer check to !IS_ERR() Maciej Żenczykowski <maze(a)google.com> net-ipv6: fix excessive RTF_ADDRCONF flag on ::1/128 local route (and others) Yang Yingliang <yangyingliang(a)huawei.com> tun: fix use-after-free when register netdev failed Xin Long <lucien.xin(a)gmail.com> tipc: add NULL pointer check before calling kfree_rcu Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR Xin Long <lucien.xin(a)gmail.com> sctp: use transport pf_retrans in sctp_do_8_2_transport_strike Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' Cong Wang <xiyou.wangcong(a)gmail.com> sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero Eric Dumazet <edumazet(a)google.com> net: sched: fix reordering issues Stefan Chulski <stefanc(a)marvell.com> net: phylink: Fix flow control resolution Shmulik Ladkani <shmulik(a)metanetworks.com> net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list Subash Abhinov Kasiviswanathan <subashab(a)codeaurora.org> net: Fix null de-reference of device refcount Jeff Kirsher <jeffrey.t.kirsher(a)intel.com> ixgbevf: Fix secpath usage for IPsec Tx offload Steffen Klassert <steffen.klassert(a)secunet.com> ixgbe: Fix secpath usage for IPsec TX offload. Eric Biggers <ebiggers(a)google.com> isdn/capi: check message length in capi_write() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' Bjørn Mork <bjorn(a)mork.no> cdc_ether: fix rndis support for Mediatek based smartphones Nicolas Dichtel <nicolas.dichtel(a)6wind.com> bridge/mdb: remove wrong use of NLM_F_MULTI ------------- Diffstat: Makefile | 4 +- arch/powerpc/include/asm/uaccess.h | 1 + arch/s390/kvm/interrupt.c | 10 ++ arch/s390/kvm/kvm-s390.c | 4 +- arch/sparc/kernel/sys_sparc_64.c | 33 +++-- arch/x86/Makefile | 1 + arch/x86/boot/compressed/acpi.c | 143 +++++++++++++----- arch/x86/include/asm/kvm_host.h | 2 + arch/x86/kernel/ima_arch.c | 12 +- arch/x86/kvm/mmu.c | 101 ++++++++++++- arch/x86/kvm/svm.c | 42 +++++- arch/x86/kvm/vmx/nested.c | 12 +- arch/x86/kvm/x86.c | 7 + arch/x86/purgatory/Makefile | 35 +++-- drivers/base/core.c | 53 ++++++- drivers/bluetooth/btusb.c | 5 - drivers/clk/clk.c | 38 ++++- drivers/clk/rockchip/clk-mmc-phase.c | 4 +- drivers/crypto/talitos.c | 70 ++++++--- drivers/firmware/ti_sci.c | 8 +- drivers/gpio/gpio-mockup.c | 1 + drivers/gpio/gpiolib-acpi.c | 42 +++++- drivers/gpio/gpiolib.c | 16 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++ drivers/gpu/drm/i915/intel_dp_mst.c | 10 +- drivers/gpu/drm/i915/intel_workarounds.c | 5 - drivers/gpu/drm/lima/lima_gem.c | 2 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 +- drivers/gpu/drm/meson/meson_plane.c | 16 ++ drivers/iio/adc/stm32-dfsdm-adc.c | 162 ++++++++++++++++----- drivers/iio/adc/stm32-dfsdm.h | 24 ++- drivers/isdn/capi/capi.c | 10 +- drivers/mmc/host/bcm2835.c | 2 +- drivers/mmc/host/sdhci-pci-o2micro.c | 2 +- drivers/mmc/host/tmio_mmc.h | 1 + drivers/mmc/host/tmio_mmc_core.c | 16 +- drivers/mtd/nand/raw/mtk_nand.c | 21 ++- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 7 +- drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 29 ++-- drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 3 +- drivers/net/phy/phylink.c | 6 +- drivers/net/tun.c | 16 +- drivers/net/usb/cdc_ether.c | 10 +- drivers/net/wireless/mediatek/mt76/mt7615/main.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 2 +- drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c | 5 + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 18 +-- drivers/net/wireless/rsi/rsi_91x_usb.c | 1 - drivers/pci/pci-driver.c | 3 +- drivers/platform/x86/pcengines-apuv2.c | 2 +- drivers/platform/x86/pmc_atom.c | 8 + drivers/regulator/twl-regulator.c | 23 ++- fs/btrfs/tree-log.c | 16 +- fs/ubifs/tnc.c | 16 +- include/linux/phy_fixed.h | 1 + include/linux/syscalls.h | 19 +++ include/uapi/asm-generic/unistd.h | 2 +- include/uapi/linux/isdn/capicmd.h | 1 + ipc/util.h | 25 +--- kernel/cgroup/cgroup.c | 10 +- kernel/irq/resend.c | 2 + kernel/module.c | 51 ++++--- mm/z3fold.c | 7 +- net/bridge/br_mdb.c | 2 +- net/core/dev.c | 2 + net/core/skbuff.c | 19 +++ net/core/sock_map.c | 3 + net/ipv4/tcp_input.c | 2 +- net/ipv6/ping.c | 2 +- net/ipv6/route.c | 8 +- net/sched/sch_generic.c | 9 +- net/sched/sch_hhf.c | 2 +- net/sctp/protocol.c | 2 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 3 +- net/tipc/name_distr.c | 3 +- 76 files changed, 956 insertions(+), 323 deletions(-)

5 years, 8 months

6
93
0 0

[PATCH v3 1/5] powerpc: Allow flush_icache_range to work across ranges >4GB

by Alastair D'Silva

From: Alastair D'Silva <alastair(a)d-silva.org> When calling flush_icache_range with a size >4GB, we were masking off the upper 32 bits, so we would incorrectly flush a range smaller than intended. __kernel_sync_dicache in the 64 bit VDSO has the same bug. This patch replaces the 32 bit shifts with 64 bit ones, so that the full size is accounted for. Signed-off-by: Alastair D'Silva <alastair(a)d-silva.org> Cc: stable(a)vger.kernel.org --- arch/powerpc/kernel/misc_64.S | 4 ++-- arch/powerpc/kernel/vdso64/cacheflush.S | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S index b55a7b4cb543..9bc0aa9aeb65 100644 --- a/arch/powerpc/kernel/misc_64.S +++ b/arch/powerpc/kernel/misc_64.S @@ -82,7 +82,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE) subf r8,r6,r4 /* compute length */ add r8,r8,r5 /* ensure we get enough */ lwz r9,DCACHEL1LOGBLOCKSIZE(r10) /* Get log-2 of cache block size */ - srw. r8,r8,r9 /* compute line count */ + srd. r8,r8,r9 /* compute line count */ beqlr /* nothing to do? */ mtctr r8 1: dcbst 0,r6 @@ -98,7 +98,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE) subf r8,r6,r4 /* compute length */ add r8,r8,r5 lwz r9,ICACHEL1LOGBLOCKSIZE(r10) /* Get log-2 of Icache block size */ - srw. r8,r8,r9 /* compute line count */ + srd. r8,r8,r9 /* compute line count */ beqlr /* nothing to do? */ mtctr r8 2: icbi 0,r6 diff --git a/arch/powerpc/kernel/vdso64/cacheflush.S b/arch/powerpc/kernel/vdso64/cacheflush.S index 3f92561a64c4..526f5ba2593e 100644 --- a/arch/powerpc/kernel/vdso64/cacheflush.S +++ b/arch/powerpc/kernel/vdso64/cacheflush.S @@ -35,7 +35,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache) subf r8,r6,r4 /* compute length */ add r8,r8,r5 /* ensure we get enough */ lwz r9,CFG_DCACHE_LOGBLOCKSZ(r10) - srw. r8,r8,r9 /* compute line count */ + srd. r8,r8,r9 /* compute line count */ crclr cr0*4+so beqlr /* nothing to do? */ mtctr r8 @@ -52,7 +52,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache) subf r8,r6,r4 /* compute length */ add r8,r8,r5 lwz r9,CFG_ICACHE_LOGBLOCKSZ(r10) - srw. r8,r8,r9 /* compute line count */ + srd. r8,r8,r9 /* compute line count */ crclr cr0*4+so beqlr /* nothing to do? */ mtctr r8 -- 2.21.0

5 years, 8 months

2
2
0 0

[PATCH 4.14 00/45] 4.14.145-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.145 release. There are 45 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri 20 Sep 2019 06:09:47 AM UTC. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.145-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.145-rc1 Linus Torvalds <torvalds(a)linux-foundation.org> x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning Jean Delvare <jdelvare(a)suse.de> nvmem: Use the same permissions for eeprom as for nvmem Steffen Dirkwinkel <s.dirkwinkel(a)beckhoff.com> platform/x86: pmc_atom: Add CB4063 Beckhoff Automation board to critclk_systems DMI table Mario Limonciello <mario.limonciello(a)dell.com> Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature" Nishka Dasgupta <nishkadg.linux(a)gmail.com> drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto Andrew F. Davis <afd(a)ti.com> firmware: ti_sci: Always request response from firmware Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - HMAC SNOOP NO AFEU mode requires SW icv checking. Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - Do not modify req->cryptlen on decryption. Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - fix ECB algs ivsize Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - check data blocksize in ablkcipher. Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - fix CTR alg blocksize Christophe Leroy <christophe.leroy(a)c-s.fr> crypto: talitos - check AES key size Muchun Song <smuchun(a)gmail.com> driver core: Fix use-after-free and double free on glue directory Richard Weinberger <richard(a)nod.at> ubifs: Correctly use tnc_next() in search_dh_cookie() Alex Williamson <alex.williamson(a)redhat.com> PCI: Always allow probing with driver_override Xiaolei Li <xiaolei.li(a)mediatek.com> mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue Douglas Anderson <dianders(a)chromium.org> clk: rockchip: Don't yell about bad mmc phases when getting Neil Armstrong <narmstrong(a)baylibre.com> drm/meson: Add support for XBGR8888 & ABGR8888 formats Suraj Jitindar Singh <sjitindarsingh(a)gmail.com> powerpc: Add barrier_nospec to raw_copy_in_user() Paul Burton <paul.burton(a)mips.com> MIPS: VDSO: Use same -m%-float cflag as the kernel proper Paul Burton <paul.burton(a)mips.com> MIPS: VDSO: Prevent use of smp_processor_id() Paolo Bonzini <pbonzini(a)redhat.com> KVM: nVMX: handle page fault in vmread Fuqian Huang <huangfq.daxian(a)gmail.com> KVM: x86: work around leak of uninitialized stack contents Thomas Huth <thuth(a)redhat.com> KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl Yunfeng Ye <yeyunfeng(a)huawei.com> genirq: Prevent NULL pointer dereference in resend_irqs() Filipe Manana <fdmanana(a)suse.com> Btrfs: fix assertion failure during fsync and use of stale transaction Kent Gibson <warthog618(a)gmail.com> gpio: fix line flag validation in lineevent_create Kent Gibson <warthog618(a)gmail.com> gpio: fix line flag validation in linehandle_create Hans de Goede <hdegoede(a)redhat.com> gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur" Johannes Thumshirn <jthumshirn(a)suse.de> btrfs: correctly validate compression type David Sterba <dsterba(a)suse.com> btrfs: compression: add helper for type to string conversion Yang Yingliang <yangyingliang(a)huawei.com> tun: fix use-after-free when register netdev failed Xin Long <lucien.xin(a)gmail.com> tipc: add NULL pointer check before calling kfree_rcu Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR Xin Long <lucien.xin(a)gmail.com> sctp: use transport pf_retrans in sctp_do_8_2_transport_strike Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' Cong Wang <xiyou.wangcong(a)gmail.com> sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero Stefan Chulski <stefanc(a)marvell.com> net: phylink: Fix flow control resolution Shmulik Ladkani <shmulik(a)metanetworks.com> net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list Subash Abhinov Kasiviswanathan <subashab(a)codeaurora.org> net: Fix null de-reference of device refcount Eric Biggers <ebiggers(a)google.com> isdn/capi: check message length in capi_write() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' Bjørn Mork <bjorn(a)mork.no> cdc_ether: fix rndis support for Mediatek based smartphones Nicolas Dichtel <nicolas.dichtel(a)6wind.com> bridge/mdb: remove wrong use of NLM_F_MULTI ------------- Diffstat: Makefile | 4 +- arch/mips/Kconfig | 3 -- arch/mips/include/asm/smp.h | 12 +++++- arch/mips/sibyte/common/Makefile | 1 - arch/mips/sibyte/common/dma.c | 14 ------- arch/mips/vdso/Makefile | 4 +- arch/powerpc/include/asm/uaccess.h | 1 + arch/s390/kvm/interrupt.c | 10 +++++ arch/s390/kvm/kvm-s390.c | 2 +- arch/x86/Makefile | 1 + arch/x86/kvm/vmx.c | 7 +++- arch/x86/kvm/x86.c | 7 ++++ drivers/base/core.c | 53 ++++++++++++++++++++++++++- drivers/bluetooth/btusb.c | 5 --- drivers/clk/rockchip/clk-mmc-phase.c | 4 +- drivers/crypto/talitos.c | 67 +++++++++++++++++++++++++--------- drivers/firmware/ti_sci.c | 8 ++-- drivers/gpio/gpiolib-acpi.c | 42 +++++++++++++++++++-- drivers/gpio/gpiolib.c | 20 +++++++--- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++- drivers/gpu/drm/meson/meson_plane.c | 16 ++++++++ drivers/isdn/capi/capi.c | 10 ++++- drivers/mtd/nand/mtk_nand.c | 21 +++++------ drivers/net/phy/phylink.c | 6 +-- drivers/net/tun.c | 16 +++++--- drivers/net/usb/cdc_ether.c | 13 +++++-- drivers/nvmem/core.c | 15 ++++++-- drivers/pci/pci-driver.c | 3 +- drivers/platform/x86/pmc_atom.c | 8 ++++ fs/btrfs/compression.c | 31 ++++++++++++++++ fs/btrfs/compression.h | 3 ++ fs/btrfs/props.c | 6 +-- fs/btrfs/tree-log.c | 8 ++-- fs/ubifs/tnc.c | 16 +++++--- include/uapi/linux/isdn/capicmd.h | 1 + kernel/irq/resend.c | 2 + net/bridge/br_mdb.c | 2 +- net/core/dev.c | 2 + net/core/skbuff.c | 19 ++++++++++ net/ipv4/tcp_input.c | 2 +- net/ipv6/ping.c | 2 +- net/sched/sch_hhf.c | 2 +- net/sctp/protocol.c | 2 +- net/sctp/sm_sideeffect.c | 2 +- net/tipc/name_distr.c | 3 +- 45 files changed, 366 insertions(+), 115 deletions(-)

5 years, 8 months

6
50
0 0

stable-rc/linux-4.19.y boot: 134 boots: 0 failed, 124 passed with 10 offline (v4.19.73-51-g7290521ed4bd)

by kernelci.org bot

stable-rc/linux-4.19.y boot: 134 boots: 0 failed, 124 passed with 10 offline (v4.19.73-51-g7290521ed4bd) Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.19.y/kernel/v4.1… Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.19.y/kernel/v4.19.73-51… Tree: stable-rc Branch: linux-4.19.y Git Describe: v4.19.73-51-g7290521ed4bd Git Commit: 7290521ed4bdf6c7ec60cab4c19507fd1f53214a Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 73 unique boards, 25 SoC families, 15 builds out of 206 Offline Platforms: arm64: defconfig: gcc-8 apq8016-sbc: 1 offline lab arm: multi_v7_defconfig: gcc-8 qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab sun5i-r8-chip: 1 offline lab sunxi_defconfig: gcc-8 sun5i-r8-chip: 1 offline lab sun7i-a20-bananapi: 1 offline lab davinci_all_defconfig: gcc-8 dm365evm,legacy: 1 offline lab qcom_defconfig: gcc-8 qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab exynos_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab --- For more info write to <info(a)kernelci.org>

5 years, 8 months

1
0
0 0

[PATCH 6/6] rpmsg: glink: Free pending deferred work on remove

by Bjorn Andersson

By just cancelling the deferred rx worker during GLINK instance teardown any pending deferred commands are leaked, so free them. Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") Cc: stable(a)vger.kernel.org Signed-off-by: Bjorn Andersson <bjorn.andersson(a)linaro.org> --- drivers/rpmsg/qcom_glink_native.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 0d7518a6ebf0..5920432e697a 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -1562,6 +1562,18 @@ static void qcom_glink_work(struct work_struct *work) } } +static void qcom_glink_cancel_rx_work(struct qcom_glink *glink) +{ + struct glink_defer_cmd *dcmd; + struct glink_defer_cmd *tmp; + + /* cancel any pending deferred rx_work */ + cancel_work_sync(&glink->rx_work); + + list_for_each_entry_safe(dcmd, tmp, &glink->rx_queue, node) + kfree(dcmd); +} + struct qcom_glink *qcom_glink_native_probe(struct device *dev, unsigned long features, struct qcom_glink_pipe *rx, @@ -1640,7 +1652,7 @@ void qcom_glink_native_remove(struct qcom_glink *glink) unsigned long flags; disable_irq(glink->irq); - cancel_work_sync(&glink->rx_work); + qcom_glink_cancel_rx_work(glink); ret = device_for_each_child(glink->dev, NULL, qcom_glink_remove_device); if (ret) -- 2.18.0

5 years, 8 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror