- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] netfilter: ipset: use bitmap infrastructure completely" failed to apply to 5.5-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.5-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 32c72165dbd0e246e69d16a3ad348a4851afd415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kadlecsik=20J=C3=B3zsef?= <kadlec(a)blackhole.kfki.hu> Date: Sun, 19 Jan 2020 22:06:49 +0100 Subject: [PATCH] netfilter: ipset: use bitmap infrastructure completely The bitmap allocation did not use full unsigned long sizes when calculating the required size and that was triggered by KASAN as slab-out-of-bounds read in several places. The patch fixes all of them. Reported-by: syzbot+fabca5cbf5e54f3fe2de(a)syzkaller.appspotmail.com Reported-by: syzbot+827ced406c9a1d9570ed(a)syzkaller.appspotmail.com Reported-by: syzbot+190d63957b22ef673ea5(a)syzkaller.appspotmail.com Reported-by: syzbot+dfccdb2bdb4a12ad425e(a)syzkaller.appspotmail.com Reported-by: syzbot+df0d0f5895ef1f41a65b(a)syzkaller.appspotmail.com Reported-by: syzbot+b08bd19bb37513357fd4(a)syzkaller.appspotmail.com Reported-by: syzbot+53cdd0ec0bbabd53370a(a)syzkaller.appspotmail.com Signed-off-by: Jozsef Kadlecsik <kadlec(a)netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index 4d8b1eaf7708..908d38dbcb91 100644 --- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h @@ -426,13 +426,6 @@ ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr) sizeof(*addr)); } -/* Calculate the bytes required to store the inclusive range of a-b */ -static inline int -bitmap_bytes(u32 a, u32 b) -{ - return 4 * ((((b - a + 8) / 8) + 3) / 4); -} - /* How often should the gc be run by default */ #define IPSET_GC_TIME (3 * 60) diff --git a/net/netfilter/ipset/ip_set_bitmap_gen.h b/net/netfilter/ipset/ip_set_bitmap_gen.h index 077a2cb65fcb..26ab0e9612d8 100644 --- a/net/netfilter/ipset/ip_set_bitmap_gen.h +++ b/net/netfilter/ipset/ip_set_bitmap_gen.h @@ -75,7 +75,7 @@ mtype_flush(struct ip_set *set) if (set->extensions & IPSET_EXT_DESTROY) mtype_ext_cleanup(set); - memset(map->members, 0, map->memsize); + bitmap_zero(map->members, map->elements); set->elements = 0; set->ext_size = 0; } diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c index abe8f77d7d23..0a2196f59106 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ip.c +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c @@ -37,7 +37,7 @@ MODULE_ALIAS("ip_set_bitmap:ip"); /* Type structure */ struct bitmap_ip { - void *members; /* the set members */ + unsigned long *members; /* the set members */ u32 first_ip; /* host byte order, included in range */ u32 last_ip; /* host byte order, included in range */ u32 elements; /* number of max elements in the set */ @@ -220,7 +220,7 @@ init_map_ip(struct ip_set *set, struct bitmap_ip *map, u32 first_ip, u32 last_ip, u32 elements, u32 hosts, u8 netmask) { - map->members = ip_set_alloc(map->memsize); + map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN); if (!map->members) return false; map->first_ip = first_ip; @@ -322,7 +322,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], if (!map) return -ENOMEM; - map->memsize = bitmap_bytes(0, elements - 1); + map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); set->variant = &bitmap_ip; if (!init_map_ip(set, map, first_ip, last_ip, elements, hosts, netmask)) { diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c index b618713297da..739e343efaf6 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c +++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c @@ -42,7 +42,7 @@ enum { /* Type structure */ struct bitmap_ipmac { - void *members; /* the set members */ + unsigned long *members; /* the set members */ u32 first_ip; /* host byte order, included in range */ u32 last_ip; /* host byte order, included in range */ u32 elements; /* number of max elements in the set */ @@ -299,7 +299,7 @@ static bool init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map, u32 first_ip, u32 last_ip, u32 elements) { - map->members = ip_set_alloc(map->memsize); + map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN); if (!map->members) return false; map->first_ip = first_ip; @@ -360,7 +360,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[], if (!map) return -ENOMEM; - map->memsize = bitmap_bytes(0, elements - 1); + map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); set->variant = &bitmap_ipmac; if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) { kfree(map); diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c index 23d6095cb196..b49978dd810d 100644 --- a/net/netfilter/ipset/ip_set_bitmap_port.c +++ b/net/netfilter/ipset/ip_set_bitmap_port.c @@ -30,7 +30,7 @@ MODULE_ALIAS("ip_set_bitmap:port"); /* Type structure */ struct bitmap_port { - void *members; /* the set members */ + unsigned long *members; /* the set members */ u16 first_port; /* host byte order, included in range */ u16 last_port; /* host byte order, included in range */ u32 elements; /* number of max elements in the set */ @@ -231,7 +231,7 @@ static bool init_map_port(struct ip_set *set, struct bitmap_port *map, u16 first_port, u16 last_port) { - map->members = ip_set_alloc(map->memsize); + map->members = bitmap_zalloc(map->elements, GFP_KERNEL | __GFP_NOWARN); if (!map->members) return false; map->first_port = first_port; @@ -271,7 +271,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[], return -ENOMEM; map->elements = elements; - map->memsize = bitmap_bytes(0, map->elements); + map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long); set->variant = &bitmap_port; if (!init_map_port(set, map, first_port, last_port)) { kfree(map);

5 years, 9 months

1
0
0 0

[PATCH v4.19.y] ext4: validate the debug_want_extra_isize mount option at parse time

by Zubin Mithra

From: Theodore Ts'o <tytso(a)mit.edu> commit 9803387c55f7d2ce69aa64340c5fdc6b3027dbc8 upstream. Instead of setting s_want_extra_size and then making sure that it is a valid value afterwards, validate the field before we set it. This avoids races and other problems when remounting the file system. Link: https://lore.kernel.org/r/20191215063020.GA11512@mit.edu Cc: stable(a)kernel.org Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Reported-and-tested-by: syzbot+4a39a025912b265cacef(a)syzkaller.appspotmail.com Signed-off-by: Zubin Mithra <zsm(a)chromium.org> --- Notes: * Syzkaller triggered a UAF on 4.19 kernels with the following stacktrace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xc8/0x129 lib/dump_stack.c:113 print_address_description+0x67/0x22a mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report+0x251/0x28f mm/kasan/report.c:396 ext4_xattr_set_entry+0x45e/0x2222 fs/ext4/xattr.c:1604 ext4_xattr_ibody_set+0x7d/0x226 fs/ext4/xattr.c:2240 ext4_xattr_set_handle+0x553/0xa92 fs/ext4/xattr.c:2396 ext4_xattr_set+0x16a/0x200 fs/ext4/xattr.c:2508 __vfs_setxattr+0xfc/0x13d fs/xattr.c:149 __vfs_setxattr_noperm+0xf5/0x19c fs/xattr.c:180 vfs_setxattr+0x9c/0xca fs/xattr.c:223 setxattr+0x20e/0x275 fs/xattr.c:450 path_setxattr+0xca/0x144 fs/xattr.c:469 __do_sys_lsetxattr fs/xattr.c:491 [inline] __se_sys_lsetxattr fs/xattr.c:487 [inline] __x64_sys_lsetxattr+0xd7/0xe1 fs/xattr.c:487 do_syscall_64+0xfe/0x137 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe * This commit is present in linux-5.4.y. A backport for 4.14.y has been sent separately. * This patch resolves conflicts related to the following commits not being present in linux-4.19.y: 188d20bcd1eb ("vfs: Add file timestamp range support") 4881c4971df0 ("ext4: Initialize timestamps limits") * Tests run: Chrome OS tryjobs, Syzkaller reproducer fs/ext4/super.c | 127 +++++++++++++++++++++++++----------------------- 1 file changed, 66 insertions(+), 61 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 1a8d57fe0b1a8..32d8bdf683bbf 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1842,6 +1842,13 @@ static int handle_mount_opt(struct super_block *sb, char *opt, int token, arg = JBD2_DEFAULT_MAX_COMMIT_AGE; sbi->s_commit_interval = HZ * arg; } else if (token == Opt_debug_want_extra_isize) { + if ((arg & 1) || + (arg < 4) || + (arg > (sbi->s_inode_size - EXT4_GOOD_OLD_INODE_SIZE))) { + ext4_msg(sb, KERN_ERR, + "Invalid want_extra_isize %d", arg); + return -1; + } sbi->s_want_extra_isize = arg; } else if (token == Opt_max_batch_time) { sbi->s_max_batch_time = arg; @@ -3513,40 +3520,6 @@ int ext4_calculate_overhead(struct super_block *sb) return 0; } -static void ext4_clamp_want_extra_isize(struct super_block *sb) -{ - struct ext4_sb_info *sbi = EXT4_SB(sb); - struct ext4_super_block *es = sbi->s_es; - unsigned def_extra_isize = sizeof(struct ext4_inode) - - EXT4_GOOD_OLD_INODE_SIZE; - - if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) { - sbi->s_want_extra_isize = 0; - return; - } - if (sbi->s_want_extra_isize < 4) { - sbi->s_want_extra_isize = def_extra_isize; - if (ext4_has_feature_extra_isize(sb)) { - if (sbi->s_want_extra_isize < - le16_to_cpu(es->s_want_extra_isize)) - sbi->s_want_extra_isize = - le16_to_cpu(es->s_want_extra_isize); - if (sbi->s_want_extra_isize < - le16_to_cpu(es->s_min_extra_isize)) - sbi->s_want_extra_isize = - le16_to_cpu(es->s_min_extra_isize); - } - } - /* Check if enough inode space is available */ - if ((sbi->s_want_extra_isize > sbi->s_inode_size) || - (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > - sbi->s_inode_size)) { - sbi->s_want_extra_isize = def_extra_isize; - ext4_msg(sb, KERN_INFO, - "required extra inode space not available"); - } -} - static void ext4_set_resv_clusters(struct super_block *sb) { ext4_fsblk_t resv_clusters; @@ -3754,6 +3727,65 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) */ sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT; + if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) { + sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE; + sbi->s_first_ino = EXT4_GOOD_OLD_FIRST_INO; + } else { + sbi->s_inode_size = le16_to_cpu(es->s_inode_size); + sbi->s_first_ino = le32_to_cpu(es->s_first_ino); + if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { + ext4_msg(sb, KERN_ERR, "invalid first ino: %u", + sbi->s_first_ino); + goto failed_mount; + } + if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || + (!is_power_of_2(sbi->s_inode_size)) || + (sbi->s_inode_size > blocksize)) { + ext4_msg(sb, KERN_ERR, + "unsupported inode size: %d", + sbi->s_inode_size); + goto failed_mount; + } + /* + * i_atime_extra is the last extra field available for + * [acm]times in struct ext4_inode. Checking for that + * field should suffice to ensure we have extra space + * for all three. + */ + if (sbi->s_inode_size >= offsetof(struct ext4_inode, i_atime_extra) + + sizeof(((struct ext4_inode *)0)->i_atime_extra)) { + sb->s_time_gran = 1; + } else { + sb->s_time_gran = NSEC_PER_SEC; + } + } + if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) { + sbi->s_want_extra_isize = sizeof(struct ext4_inode) - + EXT4_GOOD_OLD_INODE_SIZE; + if (ext4_has_feature_extra_isize(sb)) { + unsigned v, max = (sbi->s_inode_size - + EXT4_GOOD_OLD_INODE_SIZE); + + v = le16_to_cpu(es->s_want_extra_isize); + if (v > max) { + ext4_msg(sb, KERN_ERR, + "bad s_want_extra_isize: %d", v); + goto failed_mount; + } + if (sbi->s_want_extra_isize < v) + sbi->s_want_extra_isize = v; + + v = le16_to_cpu(es->s_min_extra_isize); + if (v > max) { + ext4_msg(sb, KERN_ERR, + "bad s_min_extra_isize: %d", v); + goto failed_mount; + } + if (sbi->s_want_extra_isize < v) + sbi->s_want_extra_isize = v; + } + } + if (sbi->s_es->s_mount_opts[0]) { char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts, sizeof(sbi->s_es->s_mount_opts), @@ -3955,29 +3987,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) has_huge_files); sb->s_maxbytes = ext4_max_size(sb->s_blocksize_bits, has_huge_files); - if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) { - sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE; - sbi->s_first_ino = EXT4_GOOD_OLD_FIRST_INO; - } else { - sbi->s_inode_size = le16_to_cpu(es->s_inode_size); - sbi->s_first_ino = le32_to_cpu(es->s_first_ino); - if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { - ext4_msg(sb, KERN_ERR, "invalid first ino: %u", - sbi->s_first_ino); - goto failed_mount; - } - if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || - (!is_power_of_2(sbi->s_inode_size)) || - (sbi->s_inode_size > blocksize)) { - ext4_msg(sb, KERN_ERR, - "unsupported inode size: %d", - sbi->s_inode_size); - goto failed_mount; - } - if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) - sb->s_time_gran = 1 << (EXT4_EPOCH_BITS - 2); - } - sbi->s_desc_size = le16_to_cpu(es->s_desc_size); if (ext4_has_feature_64bit(sb)) { if (sbi->s_desc_size < EXT4_MIN_DESC_SIZE_64BIT || @@ -4421,8 +4430,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) } else if (ret) goto failed_mount4a; - ext4_clamp_want_extra_isize(sb); - ext4_set_resv_clusters(sb); err = ext4_setup_system_zone(sb); @@ -5207,8 +5214,6 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data) goto restore_opts; } - ext4_clamp_want_extra_isize(sb); - if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^ test_opt(sb, JOURNAL_CHECKSUM)) { ext4_msg(sb, KERN_ERR, "changing journal_checksum " -- 2.25.0.341.g760bfbb309-goog

5 years, 9 months

2
1
0 0

Re: [lee:android-3.18-preview 136/224] drivers/media/radio/si470x/radio-si470x-i2c.c:462:25-30: ERROR: reference preceded by free on line 460 (fwd)

by Lee Jones

On Fri, 31 Jan 2020, Julia Lawall wrote: > The code on line 462 looks suspicious. Thank you Julia. Have you already reported this to the other Stable Maintainers? This issue appears to affect; 4.4, 4.9, 4.14 and 4.19. > ---------- Forwarded message ---------- > Date: Fri, 31 Jan 2020 16:56:26 +0800 > From: kbuild test robot <lkp(a)intel.com> > To: kbuild(a)lists.01.org > Cc: Julia Lawall <julia.lawall(a)lip6.fr> > Subject: [lee:android-3.18-preview 136/224] > drivers/media/radio/si470x/radio-si470x-i2c.c:462:25-30: ERROR: reference > preceded by free on line 460 > > CC: kbuild-all(a)lists.01.org > BCC: philip.li(a)intel.com > TO: Lee Jones <lee.jones(a)linaro.org> > > tree: https://git.kernel.org/pub/scm/linux/kernel/git/lee/linux.git android-3.18-preview > head: 356017eeb20d27b17d236ff6b31c0b7d24dff865 > commit: 752c36757aa40c2f669d7da128aae237f9fd3318 [136/224] media: si470x-i2c: add missed operations in remove > :::::: branch date: 18 hours ago > :::::: commit date: 6 days ago > > If you fix the issue, kindly add following tag > Reported-by: kbuild test robot <lkp(a)intel.com> > Reported-by: Julia Lawall <julia.lawall(a)lip6.fr> > > >> drivers/media/radio/si470x/radio-si470x-i2c.c:462:25-30: ERROR: reference preceded by free on line 460 > > # https://git.kernel.org/pub/scm/linux/kernel/git/lee/linux.git/commit/?id=75… > git remote add lee https://git.kernel.org/pub/scm/linux/kernel/git/lee/linux.git > git remote update lee > git checkout 752c36757aa40c2f669d7da128aae237f9fd3318 > vim +462 drivers/media/radio/si470x/radio-si470x-i2c.c > > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 449 > 9dcb79c2eedb5b Tobias Lorenz 2009-08-10 450 > 9dcb79c2eedb5b Tobias Lorenz 2009-08-10 451 /* > 9dcb79c2eedb5b Tobias Lorenz 2009-08-10 452 * si470x_i2c_remove - remove the device > 9dcb79c2eedb5b Tobias Lorenz 2009-08-10 453 */ > 4c62e9764ab403 Greg Kroah-Hartman 2012-12-21 454 static int si470x_i2c_remove(struct i2c_client *client) > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 455 { > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 456 struct si470x_device *radio = i2c_get_clientdata(client); > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 457 > fe2137dd4e6e4b Joonyoung Shim 2009-12-10 458 free_irq(client->irq, radio); > 4967d53dbbcebf Hans Verkuil 2012-05-04 459 video_unregister_device(&radio->videodev); > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 @460 kfree(radio); > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 461 > 752c36757aa40c Chuhong Yuan 2019-11-10 @462 v4l2_ctrl_handler_free(&radio->hdl); > 752c36757aa40c Chuhong Yuan 2019-11-10 463 v4l2_device_unregister(&radio->v4l2_dev); > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 464 return 0; > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 465 } > cc35bbddfe10f7 Joonyoung Shim 2009-08-09 466 > > --- > 0-DAY kernel test infrastructure Open Source Technology Center > https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org Intel Corporation -- Lee Jones [李琼斯] Linaro Services Technical Lead Linaro.org │ Open source software for ARM SoCs Follow Linaro: Facebook | Twitter | Blog

5 years, 9 months

2
1
0 0

FAILED: patch "[PATCH] iio: st_gyro: Correct data for LSM9DS0 gyro" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From e825070f697abddf3b9b0a675ed0ff1884114818 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Date: Tue, 17 Dec 2019 19:10:38 +0200 Subject: [PATCH] iio: st_gyro: Correct data for LSM9DS0 gyro The commit 41c128cb25ce ("iio: st_gyro: Add lsm9ds0-gyro support") assumes that gyro in LSM9DS0 is the same as others with 0xd4 WAI ID, but datasheet tells slight different story, i.e. the first scale factor for the chip is 245 dps, and not 250 dps. Correct this by introducing a separate settings for LSM9DS0. Fixes: 41c128cb25ce ("iio: st_gyro: Add lsm9ds0-gyro support") Depends-on: 45a4e4220bf4 ("iio: gyro: st_gyro: fix L3GD20H support") Cc: Leonard Crestez <leonard.crestez(a)nxp.com> Cc: Lorenzo Bianconi <lorenzo.bianconi83(a)gmail.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/gyro/st_gyro_core.c b/drivers/iio/gyro/st_gyro_core.c index 57be68b291fa..26c50b24bc08 100644 --- a/drivers/iio/gyro/st_gyro_core.c +++ b/drivers/iio/gyro/st_gyro_core.c @@ -138,7 +138,6 @@ static const struct st_sensor_settings st_gyro_sensors_settings[] = { [2] = LSM330DLC_GYRO_DEV_NAME, [3] = L3G4IS_GYRO_DEV_NAME, [4] = LSM330_GYRO_DEV_NAME, - [5] = LSM9DS0_GYRO_DEV_NAME, }, .ch = (struct iio_chan_spec *)st_gyro_16bit_channels, .odr = { @@ -208,6 +207,80 @@ static const struct st_sensor_settings st_gyro_sensors_settings[] = { .multi_read_bit = true, .bootime = 2, }, + { + .wai = 0xd4, + .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS, + .sensors_supported = { + [0] = LSM9DS0_GYRO_DEV_NAME, + }, + .ch = (struct iio_chan_spec *)st_gyro_16bit_channels, + .odr = { + .addr = 0x20, + .mask = GENMASK(7, 6), + .odr_avl = { + { .hz = 95, .value = 0x00, }, + { .hz = 190, .value = 0x01, }, + { .hz = 380, .value = 0x02, }, + { .hz = 760, .value = 0x03, }, + }, + }, + .pw = { + .addr = 0x20, + .mask = BIT(3), + .value_on = ST_SENSORS_DEFAULT_POWER_ON_VALUE, + .value_off = ST_SENSORS_DEFAULT_POWER_OFF_VALUE, + }, + .enable_axis = { + .addr = ST_SENSORS_DEFAULT_AXIS_ADDR, + .mask = ST_SENSORS_DEFAULT_AXIS_MASK, + }, + .fs = { + .addr = 0x23, + .mask = GENMASK(5, 4), + .fs_avl = { + [0] = { + .num = ST_GYRO_FS_AVL_245DPS, + .value = 0x00, + .gain = IIO_DEGREE_TO_RAD(8750), + }, + [1] = { + .num = ST_GYRO_FS_AVL_500DPS, + .value = 0x01, + .gain = IIO_DEGREE_TO_RAD(17500), + }, + [2] = { + .num = ST_GYRO_FS_AVL_2000DPS, + .value = 0x02, + .gain = IIO_DEGREE_TO_RAD(70000), + }, + }, + }, + .bdu = { + .addr = 0x23, + .mask = BIT(7), + }, + .drdy_irq = { + .int2 = { + .addr = 0x22, + .mask = BIT(3), + }, + /* + * The sensor has IHL (active low) and open + * drain settings, but only for INT1 and not + * for the DRDY line on INT2. + */ + .stat_drdy = { + .addr = ST_SENSORS_DEFAULT_STAT_ADDR, + .mask = GENMASK(2, 0), + }, + }, + .sim = { + .addr = 0x23, + .value = BIT(0), + }, + .multi_read_bit = true, + .bootime = 2, + }, { .wai = 0xd7, .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS,

5 years, 9 months

3
2
0 0

e1000e: Revert "e1000e: Make watchdog use delayed work" in 5.4

by Joakim Tjernlund

Obove commit was reverted because it mask som e1000e cards unstable: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/dri… 5.4 does not have this revert, feels forgotten? bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1787026 https://bugzilla.kernel.org/show_bug.cgi?id=205067

5 years, 9 months

2
2
0 0

Re: KASAN: use-after-free Read in snd_timer_resolution

by Takashi Iwai

On Mon, 03 Feb 2020 06:51:22 +0100, Hillf Danton wrote: > > > Sun, 02 Feb 2020 04:56:10 -0800 (PST) > > syzbot has found a reproducer for the following crash on: > > > > HEAD commit: 2747d5fd Add linux-next specific files for 20200116 This looks like a fairly old head, and missing the fix that is already included in 5.5 release: 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a ALSA: seq: Fix racy access for queue timer in proc read thanks, Takashi

5 years, 9 months

1
0
0 0

FAILED: patch "[PATCH] usb: dwc3: turn off VBUS when leaving host mode" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 09ed259fac621634d51cd986aa8d65f035662658 Mon Sep 17 00:00:00 2001 From: Bin Liu <b-liu(a)ti.com> Date: Wed, 11 Dec 2019 10:10:03 -0600 Subject: [PATCH] usb: dwc3: turn off VBUS when leaving host mode VBUS should be turned off when leaving the host mode. Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to turn off VBUS power. Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function") Cc: stable(a)vger.kernel.org Signed-off-by: Bin Liu <b-liu(a)ti.com> Signed-off-by: Felipe Balbi <balbi(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index f561c6c9e8a9..1d85c42b9c67 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -1246,6 +1246,9 @@ static void dwc3_core_exit_mode(struct dwc3 *dwc) /* do nothing */ break; } + + /* de-assert DRVVBUS for HOST and OTG mode */ + dwc3_set_prtcap(dwc, DWC3_GCTL_PRTCAP_DEVICE); } static void dwc3_get_properties(struct dwc3 *dwc)

5 years, 9 months

2
1
0 0

FAILED: patch "[PATCH] rsi: fix use-after-free on failed probe and unbind" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From e93cd35101b61e4c79149be2cfc927c4b28dc60c Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan(a)kernel.org> Date: Thu, 28 Nov 2019 18:22:00 +0100 Subject: [PATCH] rsi: fix use-after-free on failed probe and unbind Make sure to stop both URBs before returning after failed probe as well as on disconnect to avoid use-after-free in the completion handler. Reported-by: syzbot+b563b7f8dbe8223a51e8(a)syzkaller.appspotmail.com Fixes: a4302bff28e2 ("rsi: add bluetooth rx endpoint") Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") Cc: stable <stable(a)vger.kernel.org> # 3.15 Cc: Siva Rebbagondla <siva.rebbagondla(a)redpinesignals.com> Cc: Prameela Rani Garnepudi <prameela.j04cs(a)gmail.com> Cc: Amitkumar Karwar <amit.karwar(a)redpinesignals.com> Cc: Fariya Fatima <fariyaf(a)gmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> Signed-off-by: Kalle Valo <kvalo(a)codeaurora.org> diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c index 53f41fc2cadf..30bed719486e 100644 --- a/drivers/net/wireless/rsi/rsi_91x_usb.c +++ b/drivers/net/wireless/rsi/rsi_91x_usb.c @@ -292,6 +292,15 @@ static void rsi_rx_done_handler(struct urb *urb) dev_kfree_skb(rx_cb->rx_skb); } +static void rsi_rx_urb_kill(struct rsi_hw *adapter, u8 ep_num) +{ + struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev; + struct rx_usb_ctrl_block *rx_cb = &dev->rx_cb[ep_num - 1]; + struct urb *urb = rx_cb->rx_urb; + + usb_kill_urb(urb); +} + /** * rsi_rx_urb_submit() - This function submits the given URB to the USB stack. * @adapter: Pointer to the adapter structure. @@ -823,10 +832,13 @@ static int rsi_probe(struct usb_interface *pfunction, if (adapter->priv->coex_mode > 1) { status = rsi_rx_urb_submit(adapter, BT_EP); if (status) - goto err1; + goto err_kill_wlan_urb; } return 0; + +err_kill_wlan_urb: + rsi_rx_urb_kill(adapter, WLAN_EP); err1: rsi_deinit_usb_interface(adapter); err: @@ -857,6 +869,10 @@ static void rsi_disconnect(struct usb_interface *pfunction) adapter->priv->bt_adapter = NULL; } + if (adapter->priv->coex_mode > 1) + rsi_rx_urb_kill(adapter, BT_EP); + rsi_rx_urb_kill(adapter, WLAN_EP); + rsi_reset_card(adapter); rsi_deinit_usb_interface(adapter); rsi_91x_deinit(adapter);

5 years, 9 months

2
1
0 0

FAILED: patch "[PATCH] crypto: pcrypt - Fix user-after-free on module unload" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 07bfd9bdf568a38d9440c607b72342036011f727 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 19 Nov 2019 17:41:31 +0800 Subject: [PATCH] crypto: pcrypt - Fix user-after-free on module unload On module unload of pcrypt we must unregister the crypto algorithms first and then tear down the padata structure. As otherwise the crypto algorithms are still alive and can be used while the padata structure is being freed. Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...") Cc: <stable(a)vger.kernel.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c index 543792e0ebf0..81bbea7f2ba6 100644 --- a/crypto/pcrypt.c +++ b/crypto/pcrypt.c @@ -362,11 +362,12 @@ static int __init pcrypt_init(void) static void __exit pcrypt_exit(void) { + crypto_unregister_template(&pcrypt_tmpl); + pcrypt_fini_padata(pencrypt); pcrypt_fini_padata(pdecrypt); kset_unregister(pcrypt_kset); - crypto_unregister_template(&pcrypt_tmpl); } subsys_initcall(pcrypt_init);

5 years, 9 months

2
1
0 0

Patch fd24a86 ("KVM: PPC: Book3S PR: Fix -Werror=return-type build failure") for 5.5

by David Michael

Hi, Can you please apply the following trivial patch to the next 5.5 stable release? It corrects a build failure for a PowerPC KVM configuration. https://github.com/torvalds/linux/commit/fd24a8624eb29d3b6b7df68096ce0321b1… Thanks. David

5 years, 9 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror