* [PATCH 4.9 00/42] 4.9.328-rc1 review
@ 2022-09-13 14:07 Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
                   ` (46 more replies)
  0 siblings, 47 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, slade

This is the start of the stable review cycle for the 4.9.328 release.
There are 42 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 15 Sep 2022 14:03:27 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.328-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.328-rc1

NeilBrown <neilb@suse.de>
    SUNRPC: use _bh spinlocking on ->transport_lock

Yang Ling <gnaygnil@gmail.com>
    MIPS: loongson32: ls1c: Fix hang during startup

Johan Hovold <johan+linaro@kernel.org>
    usb: dwc3: fix PHY disable sequence

Toke Høiland-Jørgensen <toke@toke.dk>
    sch_sfb: Also store skb len before calling child enqueue

Neal Cardwell <ncardwell@google.com>
    tcp: fix early ETIMEDOUT after spurious non-SACK RTO

Dan Carpenter <dan.carpenter@oracle.com>
    tipc: fix shift wrapping bug in map_get()

Toke Høiland-Jørgensen <toke@toke.dk>
    sch_sfb: Don't assume the skb is still around after enqueueing to child

David Leadbeater <dgl@dgl.cx>
    netfilter: nf_conntrack_irc: Fix forged IP logic

Harsh Modi <harshmodi@google.com>
    netfilter: br_netfilter: Drop dst references before setting.

Isaac J. Manjarres <isaacmanjarres@google.com>
    driver core: Don't probe devices after bus_type.match() probe deferral

Sreekanth Reddy <sreekanth.reddy@broadcom.com>
    scsi: mpt3sas: Fix use-after-free warning

Dongxiang Ke <kdx.glider@gmail.com>
    ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()

Pattara Teerapong <pteerapong@chromium.org>
    ALSA: aloop: Fix random zeros in capture data when using jiffies timer

Tasos Sahanidis <tasos@tasossah.com>
    ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

Yang Yingliang <yangyingliang@huawei.com>
    fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init()

Helge Deller <deller@gmx.de>
    parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines

Li Qiong <liqiong@nfschina.com>
    parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()

Zhenneng Li <lizhenneng@kylinos.cn>
    drm/radeon: add a force flush to delay work when radeon

Yee Lee <yee.lee@mediatek.com>
    Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()"

Linus Torvalds <torvalds@linux-foundation.org>
    fs: only do a memory barrier for the first set_buffer_uptodate()

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: Fix data-race at module auto-loading

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: oss: Fix data-race for max_midi_devs access

Miquel Raynal <miquel.raynal@bootlin.com>
    net: mac802154: Fix a condition in the receive path

Siddh Raman Pant <code@siddh.me>
    wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected

Krishna Kurapati <quic_kriskura@quicinc.com>
    usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS

Alan Stern <stern@rowland.harvard.edu>
    USB: core: Prevent nested device-reset calls

Josh Poimboeuf <jpoimboe@kernel.org>
    s390: fix nospec table alignments

Gerald Schaefer <gerald.schaefer@linux.ibm.com>
    s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages

Witold Lipieta <witold.lipieta@thaumatec.com>
    usb-storage: Add ignore-residue quirk for NXP PN7462AU

Thierry GUIBERT <thierry.guibert@croix-rouge.fr>
    USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020)

Slark Xiao <slark_xiao@163.com>
    USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode

Yan Xinyu <sdlyyxy@bupt.edu.cn>
    USB: serial: option: add support for OPPO R11 diag port

Johan Hovold <johan@kernel.org>
    USB: serial: cp210x: add Decagon UCA device id

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Add grace period after xHC start to prevent premature runtime suspend.

Armin Wolf <W_Armin@gmx.de>
    hwmon: (gpio-fan) Fix array out of bounds access

Niek Nooijens <niek.nooijens@omron.com>
    USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id

Helge Deller <deller@gmx.de>
    vt: Clear selection before changing the font

Dan Carpenter <dan.carpenter@oracle.com>
    staging: rtl8712: fix use after free bugs

Shenwei Wang <shenwei.wang@nxp.com>
    serial: fsl_lpuart: RS485 RTS polariy is inverse

Dan Carpenter <dan.carpenter@oracle.com>
    wifi: cfg80211: debugfs: fix return type in ht40allow_map_read()

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask

Letu Ren <fantasquex@gmail.com>
    fbdev: fb_pm2fb: Avoid potential divide by zero error


-------------

Diffstat:

 Makefile                                     |  4 +--
 arch/mips/loongson32/ls1c/board.c            |  1 -
 arch/parisc/kernel/head.S                    | 43 +++++++++++++++++++++++++++-
 arch/s390/include/asm/hugetlb.h              |  6 ++--
 arch/s390/kernel/vmlinux.lds.S               |  1 +
 arch/x86/include/asm/pmc_atom.h              |  6 ++--
 arch/x86/platform/atom/pmc_atom.c            |  2 +-
 drivers/base/dd.c                            | 10 +++++++
 drivers/gpu/drm/radeon/radeon_device.c       |  3 ++
 drivers/hwmon/gpio-fan.c                     |  3 ++
 drivers/parisc/ccio-dma.c                    | 11 +++++--
 drivers/scsi/mpt3sas/mpt3sas_scsih.c         |  2 +-
 drivers/staging/rtl8712/rtl8712_cmd.c        | 36 -----------------------
 drivers/tty/serial/fsl_lpuart.c              |  4 +--
 drivers/tty/vt/vt.c                          | 12 +++++---
 drivers/usb/class/cdc-acm.c                  |  3 ++
 drivers/usb/core/hub.c                       | 10 +++++++
 drivers/usb/dwc3/core.c                      | 20 ++++++-------
 drivers/usb/gadget/function/storage_common.c |  6 ++--
 drivers/usb/host/xhci-hub.c                  | 11 +++++++
 drivers/usb/host/xhci.c                      |  4 ++-
 drivers/usb/host/xhci.h                      |  2 +-
 drivers/usb/serial/cp210x.c                  |  1 +
 drivers/usb/serial/ftdi_sio.c                |  2 ++
 drivers/usb/serial/ftdi_sio_ids.h            |  6 ++++
 drivers/usb/serial/option.c                  | 11 +++++++
 drivers/usb/storage/unusual_devs.h           |  7 +++++
 drivers/video/fbdev/chipsfb.c                |  1 +
 drivers/video/fbdev/pm2fb.c                  |  5 ++++
 include/linux/buffer_head.h                  | 11 +++++++
 include/linux/usb.h                          |  2 ++
 mm/kmemleak.c                                |  8 +++---
 net/bridge/br_netfilter_hooks.c              |  2 ++
 net/bridge/br_netfilter_ipv6.c               |  1 +
 net/ipv4/tcp_input.c                         | 25 +++++++++++-----
 net/mac80211/ibss.c                          |  4 +++
 net/mac802154/rx.c                           |  2 +-
 net/netfilter/nf_conntrack_irc.c             |  5 ++--
 net/sched/sch_sfb.c                          | 13 +++++----
 net/sunrpc/xprt.c                            |  4 +--
 net/tipc/monitor.c                           |  2 +-
 net/wireless/debugfs.c                       |  3 +-
 sound/core/seq/oss/seq_oss_midi.c            |  2 ++
 sound/core/seq/seq_clientmgr.c               | 12 ++++----
 sound/drivers/aloop.c                        |  7 +++--
 sound/pci/emu10k1/emupcm.c                   |  2 +-
 sound/usb/stream.c                           |  2 +-
 47 files changed, 236 insertions(+), 104 deletions(-)




* [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-11-23  6:34   ` Ulrich Hecht
  2022-09-13 14:07 ` [PATCH 4.9 02/42] platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  46 siblings, 1 reply; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Letu Ren, Helge Deller,
	Sasha Levin

From: Letu Ren <fantasquex@gmail.com>

commit 19f953e7435644b81332dd632ba1b2d80b1e37af upstream.

In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be
copied from user, then go through `fb_set_var()` and
`info->fbops->fb_check_var()` which could be `pm2fb_check_var()`.
Along the path, `var->pixclock` won't be modified. This function checks
whether reciprocal of `var->pixclock` is too high. If `var->pixclock` is
zero, there will be a divide by zero error. So, it is necessary to check
whether denominator is zero to avoid crash. As this bug is found by
Syzkaller, logs are listed below.

divide error in pm2fb_check_var
Call Trace:
 <TASK>
 fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189

Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/pm2fb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c
index 9b32b9fc44a5c..50b569d047b10 100644
--- a/drivers/video/fbdev/pm2fb.c
+++ b/drivers/video/fbdev/pm2fb.c
@@ -619,6 +619,11 @@ static int pm2fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
 		return -EINVAL;
 	}
 
+	if (!var->pixclock) {
+		DPRINTK("pixclock is zero\n");
+		return -EINVAL;
+	}
+
 	if (PICOS2KHZ(var->pixclock) > PM2_MAX_PIXCLOCK) {
 		DPRINTK("pixclock too high (%ldKHz)\n",
 			PICOS2KHZ(var->pixclock));
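
Review bot: the new `if (!var->pixclock)` test rejects a zero value only inside pm2fb_check_var(), while the commit message describes the field arriving unmodified from userspace through FBIOPUT_VSCREENINFO and fb_set_var(). Any other driver whose fb_check_var() passes pixclock to PICOS2KHZ() is exposed to the same divide error, so either audit the sibling fbdev drivers or consider rejecting a zero pixclock in the shared path before the driver callback runs.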
-- 
2.35.1





* [PATCH 4.9 02/42] platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 03/42] wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Hans de Goede, Sasha Levin

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 0a90ed8d0cfa29735a221eba14d9cb6c735d35b6 ]

On Intel hardware the SLP_TYPx bitfield occupies bits 10-12 as per ACPI
specification (see Table 4.13 "PM1 Control Registers Fixed Hardware
Feature Control Bits" for the details).

Fix the mask and other related definitions accordingly.

Fixes: 93e5eadd1f6e ("x86/platform: New Intel Atom SOC power management controller driver")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20220801113734.36131-1-andriy.shevchenko@linux.intel.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/include/asm/pmc_atom.h   | 6 ++++--
 arch/x86/platform/atom/pmc_atom.c | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/pmc_atom.h b/arch/x86/include/asm/pmc_atom.h
index aa8744c77c6d9..b25ac6eb1fdee 100644
--- a/arch/x86/include/asm/pmc_atom.h
+++ b/arch/x86/include/asm/pmc_atom.h
@@ -16,6 +16,8 @@
 #ifndef PMC_ATOM_H
 #define PMC_ATOM_H
 
+#include <linux/bits.h>
+
 /* ValleyView Power Control Unit PCI Device ID */
 #define	PCI_DEVICE_ID_VLV_PMC	0x0F1C
 /* CherryTrail Power Control Unit PCI Device ID */
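
Review bot: the added `#include <linux/bits.h>` at the top of pmc_atom.h should be checked against the 4.9.y tree before this is queued. The upstream commit was written against a newer kernel, and if that header is not present on this branch the file will not compile; the include would then have to name whichever header supplies BIT() and GENMASK() in 4.9.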
@@ -148,9 +150,9 @@
 #define	ACPI_MMIO_REG_LEN	0x100
 
 #define	PM1_CNT			0x4
-#define	SLEEP_TYPE_MASK		0xFFFFECFF
+#define	SLEEP_TYPE_MASK		GENMASK(12, 10)
 #define	SLEEP_TYPE_S5		0x1C00
-#define	SLEEP_ENABLE		0x2000
+#define	SLEEP_ENABLE		BIT(13)
 
 extern int pmc_atom_read(int offset, u32 *value);
 extern int pmc_atom_write(int offset, u32 value);
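
Review bot: SLEEP_TYPE_MASK changes meaning in this hunk, from a pre-inverted AND mask (0xFFFFECFF) to the positive field mask GENMASK(12, 10), so every user has to move from `&= SLEEP_TYPE_MASK` to `&= ~SLEEP_TYPE_MASK` in the same commit. The series updates pmc_power_off(); confirm 4.9.y has no other user of the macro. SLEEP_TYPE_S5 is left as the literal 0x1C00, which now equals the mask itself; writing it as 7 << 10 would make it clear that it is a field value and not a second mask.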
diff --git a/arch/x86/platform/atom/pmc_atom.c b/arch/x86/platform/atom/pmc_atom.c
index 964ff4fc61f9b..b5b371d959141 100644
--- a/arch/x86/platform/atom/pmc_atom.c
+++ b/arch/x86/platform/atom/pmc_atom.c
@@ -213,7 +213,7 @@ static void pmc_power_off(void)
 	pm1_cnt_port = acpi_base_addr + PM1_CNT;
 
 	pm1_cnt_value = inl(pm1_cnt_port);
-	pm1_cnt_value &= SLEEP_TYPE_MASK;
+	pm1_cnt_value &= ~SLEEP_TYPE_MASK;
 	pm1_cnt_value |= SLEEP_TYPE_S5;
 	pm1_cnt_value |= SLEEP_ENABLE;
 
-- 
2.35.1





* [PATCH 4.9 03/42] wifi: cfg80211: debugfs: fix return type in ht40allow_map_read()
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 02/42] platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 04/42] serial: fsl_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Johannes Berg, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit d776763f48084926b5d9e25507a3ddb7c9243d5e ]

The return type is supposed to be ssize_t, which is signed long,
but "r" was declared as unsigned int.  This means that on 64 bit systems
we return positive values instead of negative error codes.

Fixes: 80a3511d70e8 ("cfg80211: add debugfs HT40 allow map")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YutvOQeJm0UjLhwU@kili
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/debugfs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireless/debugfs.c b/net/wireless/debugfs.c
index 5d453916a4179..6a7f4432440a5 100644
--- a/net/wireless/debugfs.c
+++ b/net/wireless/debugfs.c
@@ -68,9 +68,10 @@ static ssize_t ht40allow_map_read(struct file *file,
 {
 	struct wiphy *wiphy = file->private_data;
 	char *buf;
-	unsigned int offset = 0, buf_size = PAGE_SIZE, i, r;
+	unsigned int offset = 0, buf_size = PAGE_SIZE, i;
 	enum nl80211_band band;
 	struct ieee80211_supported_band *sband;
+	ssize_t r;
 
 	buf = kzalloc(buf_size, GFP_KERNEL);
 	if (!buf)
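
Review bot: declaring `ssize_t r;` on its own line fixes the sign loss only if every later assignment to r comes from a signed source. The other locals on the changed line (offset, buf_size, i) stay unsigned int, so check that no error path below derives r from them, which would reintroduce the positive-instead-of-negative return the commit message describes.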
-- 
2.35.1





* [PATCH 4.9 04/42] serial: fsl_lpuart: RS485 RTS polariy is inverse
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 03/42] wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 05/42] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Nicolas Diaz, Shenwei Wang

From: Shenwei Wang <shenwei.wang@nxp.com>

commit 846651eca073e2e02e37490a4a52752415d84781 upstream.

The setting of RS485 RTS polarity is inverse in the current driver.

When the property of 'rs485-rts-active-low' is enabled in the dts node,
the RTS signal should be LOW during sending. Otherwise, if there is no
such a property, the RTS should be HIGH during sending.

Fixes: 03895cf41d18 ("tty: serial: fsl_lpuart: Add support for RS-485")
Cc: stable <stable@kernel.org>
Signed-off-by: Nicolas Diaz <nicolas.diaz@nxp.com>
Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
Link: https://lore.kernel.org/r/20220805144529.604856-1-shenwei.wang@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/fsl_lpuart.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -951,9 +951,9 @@ static int lpuart_config_rs485(struct ua
 		 * Note: UART is assumed to be active high.
 		 */
 		if (rs485->flags & SER_RS485_RTS_ON_SEND)
-			modem &= ~UARTMODEM_TXRTSPOL;
-		else if (rs485->flags & SER_RS485_RTS_AFTER_SEND)
 			modem |= UARTMODEM_TXRTSPOL;
+		else if (rs485->flags & SER_RS485_RTS_AFTER_SEND)
+			modem &= ~UARTMODEM_TXRTSPOL;
 	}
 
 	/* Store the new configuration */
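
Review bot: the swapped branches now set UARTMODEM_TXRTSPOL for SER_RS485_RTS_ON_SEND and clear it for SER_RS485_RTS_AFTER_SEND, but the comment directly above still only says "UART is assumed to be active high" without stating which flag maps to which bit state. A one-line comment spelling out that mapping would keep the next reader from inverting it again. The if/else-if also leaves the bit as it was when neither flag is set and silently prefers ON_SEND when both are, so confirm the caller rejects or normalises those combinations.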




* [PATCH 4.9 05/42] staging: rtl8712: fix use after free bugs
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 04/42] serial: fsl_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 06/42] vt: Clear selection before changing the font Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Zheng Wang, Dan Carpenter

From: Dan Carpenter <dan.carpenter@oracle.com>

commit e230a4455ac3e9b112f0367d1b8e255e141afae0 upstream.

_Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl()
functions don't do anything except free the "pcmd" pointer.  It
results in a use after free.  Delete them.

Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
Cc: stable <stable@kernel.org>
Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/Yw4ASqkYcUhUfoY2@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8712/rtl8712_cmd.c |   36 ----------------------------------
 1 file changed, 36 deletions(-)

--- a/drivers/staging/rtl8712/rtl8712_cmd.c
+++ b/drivers/staging/rtl8712/rtl8712_cmd.c
@@ -128,34 +128,6 @@ static void r871x_internal_cmd_hdl(struc
 	kfree(pdrvcmd->pbuf);
 }
 
-static u8 read_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
-{
-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj	*pcmd);
-	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
-
-	/*  invoke cmd->callback function */
-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
-	if (!pcmd_callback)
-		r8712_free_cmd_obj(pcmd);
-	else
-		pcmd_callback(padapter, pcmd);
-	return H2C_SUCCESS;
-}
-
-static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
-{
-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj	*pcmd);
-	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
-
-	/*  invoke cmd->callback function */
-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
-	if (!pcmd_callback)
-		r8712_free_cmd_obj(pcmd);
-	else
-		pcmd_callback(padapter, pcmd);
-	return H2C_SUCCESS;
-}
-
 static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
 {
 	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
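
Review bot: the deleted read_macreg_hdl() and write_macreg_hdl() both return H2C_SUCCESS after calling r8712_free_cmd_obj(pcmd), so their caller cannot tell the object is gone. read_bbreg_hdl(), kept as context at the end of this hunk, takes the same `(struct cmd_obj *)pbuf` cast; its body and the other *_hdl helpers in this file should be checked for the same free-on-NULL-callback pattern before the bug class is considered closed.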
@@ -224,14 +196,6 @@ static struct cmd_obj *cmd_hdl_filter(st
 	pcmd_r = NULL;
 
 	switch (pcmd->cmdcode) {
-	case GEN_CMD_CODE(_Read_MACREG):
-		read_macreg_hdl(padapter, (u8 *)pcmd);
-		pcmd_r = pcmd;
-		break;
-	case GEN_CMD_CODE(_Write_MACREG):
-		write_macreg_hdl(padapter, (u8 *)pcmd);
-		pcmd_r = pcmd;
-		break;
 	case GEN_CMD_CODE(_Read_BBREG):
 		read_bbreg_hdl(padapter, (u8 *)pcmd);
 		break;
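
Review bot: with the `case GEN_CMD_CODE(_Read_MACREG)` and `case GEN_CMD_CODE(_Write_MACREG)` arms gone, those command codes fall to whatever the switch's default arm does, which is not visible in this hunk. Confirm that path either hands the command on for normal processing or frees it exactly once. The removed arms assigned `pcmd_r = pcmd` after the handler had already freed pcmd, which is where the stale pointer escaped to the caller.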




* [PATCH 4.9 06/42] vt: Clear selection before changing the font
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 05/42] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 07/42] USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+14b0e8f3fd1612e35350, stable,
	Khalid Masum, Helge Deller

From: Helge Deller <deller@gmx.de>

commit 566f9c9f89337792070b5a6062dff448b3e7977f upstream.

When changing the console font with ioctl(KDFONTOP) the new font size
can be bigger than the previous font. A previous selection may thus now
be outside of the new screen size and thus trigger out-of-bounds
accesses to graphics memory if the selection is removed in
vc_do_resize().

Prevent such out-of-memory accesses by dropping the selection before the
various con_font_set() console handlers are called.

Reported-by: syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com
Cc: stable <stable@kernel.org>
Tested-by: Khalid Masum <khalid.masum.92@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Link: https://lore.kernel.org/r/YuV9apZGNmGfjcor@p100
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/vt/vt.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4183,9 +4183,11 @@ static int con_font_set(struct vc_data *
 	console_lock();
 	if (vc->vc_mode != KD_TEXT)
 		rc = -EINVAL;
-	else if (vc->vc_sw->con_font_set)
+	else if (vc->vc_sw->con_font_set) {
+		if (vc_is_sel(vc))
+			clear_selection();
 		rc = vc->vc_sw->con_font_set(vc, &font, op->flags);
-	else
+	} else
 		rc = -ENOSYS;
 	console_unlock();
 	kfree(font.data);
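
Review bot: in con_font_set() the new `} else` leaves the final `rc = -ENOSYS;` unbraced while the branch before it is braced; kernel coding style asks for braces on all branches once one of them needs them. On the logic side, clear_selection() runs before the driver's con_font_set() is known to succeed, so a rejected font still drops the user's selection. That is harmless, but worth a sentence in the changelog.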
@@ -4212,9 +4214,11 @@ static int con_font_default(struct vc_da
 		console_unlock();
 		return -EINVAL;
 	}
-	if (vc->vc_sw->con_font_default)
+	if (vc->vc_sw->con_font_default) {
+		if (vc_is_sel(vc))
+			clear_selection();
 		rc = vc->vc_sw->con_font_default(vc, &font, s);
-	else
+	} else
 		rc = -ENOSYS;
 	console_unlock();
 	if (!rc) {
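
Review bot: con_font_default() repeats the same `if (vc_is_sel(vc)) clear_selection();` pair that the previous hunk adds to con_font_set(). A small helper called from both places would keep the two paths from drifting apart, and would give one obvious place to call from if another font-changing path turns out to need the same guard.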




* [PATCH 4.9 07/42] USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 06/42] vt: Clear selection before changing the font Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 08/42] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Niek Nooijens, Johan Hovold

From: Niek Nooijens <niek.nooijens@omron.com>

commit 001047ea241a9646010b2744451dfbc7289542f3 upstream.

works perfectly with:
modprobe ftdi_sio
echo "0590 00b2" | tee
/sys/module/ftdi_sio/drivers/usb-serial\:ftdi_sio/new_id > /dev/null

but doing this every reboot is a pain in the ass.

Signed-off-by: Niek Nooijens <niek.nooijens@omron.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/ftdi_sio.c     |    2 ++
 drivers/usb/serial/ftdi_sio_ids.h |    6 ++++++
 2 files changed, 8 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1040,6 +1040,8 @@ static const struct usb_device_id id_tab
 	/* IDS GmbH devices */
 	{ USB_DEVICE(IDS_VID, IDS_SI31A_PID) },
 	{ USB_DEVICE(IDS_VID, IDS_CM31A_PID) },
+	/* Omron devices */
+	{ USB_DEVICE(OMRON_VID, OMRON_CS1W_CIF31_PID) },
 	/* U-Blox devices */
 	{ USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) },
 	{ USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -661,6 +661,12 @@
 #define INFINEON_TRIBOARD_TC2X7_PID	0x0043 /* DAS JTAG TriBoard TC2X7 V1.0 */
 
 /*
+ * Omron corporation (https://www.omron.com)
+ */
+ #define OMRON_VID			0x0590
+ #define OMRON_CS1W_CIF31_PID		0x00b2
+
+/*
  * Acton Research Corp.
  */
 #define ACTON_VID		0x0647	/* Vendor ID */
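
Review bot: the two added defines, `+ #define OMRON_VID` and `+ #define OMRON_CS1W_CIF31_PID`, start with a space before `#define`, unlike the neighbouring entries such as `#define ACTON_VID`. Drop the leading space so the block matches the rest of ftdi_sio_ids.h. The PID line would also benefit from a trailing comment naming the device, as the INFINEON_TRIBOARD_TC2X7_PID entry above it has.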




* [PATCH 4.9 08/42] hwmon: (gpio-fan) Fix array out of bounds access
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 07/42] USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 09/42] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Armin Wolf, Guenter Roeck, Sasha Levin

From: Armin Wolf <W_Armin@gmx.de>

[ Upstream commit f233d2be38dbbb22299192292983037f01ab363c ]

The driver does not check if the cooling state passed to
gpio_fan_set_cur_state() exceeds the maximum cooling state as
stored in fan_data->num_speeds. Since the cooling state is later
used as an array index in set_fan_speed(), an array out of bounds
access can occur.
This can be exploited by setting the state of the thermal cooling device
to arbitrary values, causing for example a kernel oops when unavailable
memory is accessed this way.

Example kernel oops:

Fix this by checking the cooling state and return an error if it
exceeds the maximum cooling state.

Tested on a Raspberry Pi 3.

Fixes: b5cf88e46bad ("(gpio-fan): Add thermal control hooks")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://lore.kernel.org/r/20220830011101.178843-1-W_Armin@gmx.de
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/gpio-fan.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hwmon/gpio-fan.c b/drivers/hwmon/gpio-fan.c
index 685568b1236d4..f78e677b858e8 100644
--- a/drivers/hwmon/gpio-fan.c
+++ b/drivers/hwmon/gpio-fan.c
@@ -422,6 +422,9 @@ static int gpio_fan_set_cur_state(struct thermal_cooling_device *cdev,
 	if (!fan_data)
 		return -EINVAL;
 
+	if (state >= fan_data->num_speed)
+		return -EINVAL;
+
 	set_fan_speed(fan_data, state);
 	return 0;
 }
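
Review bot: the bound check `state >= fan_data->num_speed` sits in gpio_fan_set_cur_state(), but the commit message places the out-of-bounds index use in set_fan_speed(). Any other caller of set_fan_speed() stays unchecked, so either validate the index inside set_fan_speed() itself or confirm that each remaining caller bounds its argument. The changelog also calls the field num_speeds while the code uses num_speed.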
-- 
2.35.1





* [PATCH 4.9 09/42] xhci: Add grace period after xHC start to prevent premature runtime suspend.
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 08/42] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 10/42] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 33e321586e37b642ad10594b9ef25a613555cd08 upstream.

After xHC controller is started, either in probe or resume, it can take
a while before any of the connected usb devices are visible to the roothub
due to link training.

It's possible xhci driver loads, sees no activity and suspends the host
before the USB device is visible.

In one testcase with a hotplugged xHC controller the host finally detected
the connected USB device and generated a wake 500ms after host initial
start.

If hosts didn't suspend the device during training it probably wouldn't
take up to 500ms to detect it, but looking at specs reveals USB3 link
training has a couple long timeout values, such as 120ms
RxDetectQuietTimeout, and 360ms PollingLFPSTimeout.

So add a 500ms grace period that keeps polling the roothub for 500ms after
start, preventing runtime suspend until USB devices are detected.

Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220825150840.132216-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-hub.c |   11 +++++++++++
 drivers/usb/host/xhci.c     |    4 +++-
 drivers/usb/host/xhci.h     |    2 +-
 3 files changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1297,6 +1297,17 @@ int xhci_hub_status_data(struct usb_hcd
 
 	status = bus_state->resuming_ports;
 
+	/*
+	 * SS devices are only visible to roothub after link training completes.
+	 * Keep polling roothubs for a grace period after xHC start
+	 */
+	if (xhci->run_graceperiod) {
+		if (time_before(jiffies, xhci->run_graceperiod))
+			status = 1;
+		else
+			xhci->run_graceperiod = 0;
+	}
+
 	mask = PORT_CSC | PORT_PEC | PORT_OCC | PORT_PLC | PORT_WRC | PORT_CEC;
 
 	/* For each port, did anything change?  If so, set that bit in buf. */
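
Review bot: `run_graceperiod` serves as both the deadline and the "armed" flag in the `if (xhci->run_graceperiod)` test, so a deadline that happens to compute to 0 when jiffies wraps is treated as no grace period at all. The only effect is a skipped grace period, but a comment stating that 0 means "not armed" (or a separate flag) would make that intentional. The field is also read and cleared here with no locking visible in the hunk against the write in xhci_start(); a sentence on why that is safe would help.
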
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -144,9 +144,11 @@ static int xhci_start(struct xhci_hcd *x
 		xhci_err(xhci, "Host took too long to start, "
 				"waited %u microseconds.\n",
 				XHCI_MAX_HALT_USEC);
-	if (!ret)
+	if (!ret) {
 		/* clear state flags. Including dying, halted or removing */
 		xhci->xhc_state = 0;
+		xhci->run_graceperiod = jiffies + msecs_to_jiffies(500);
+	}
 
 	return ret;
 }
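
Review bot: the literal `500` in `msecs_to_jiffies(500)` carries the whole rationale from the commit message (the USB3 link-training timeouts) but nothing in the code says so. A named constant with a short comment would keep the value and its reason together, and the comment added in xhci_hub_status_data() could then refer to it.
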
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1607,7 +1607,7 @@ struct xhci_hcd {
 
 	/* Host controller watchdog timer structures */
 	unsigned int		xhc_state;
-
+	unsigned long		run_graceperiod;
 	u32			command;
 	struct s3_save		s3;
 /* Host controller is dying - not responding to commands. "I'm not dead yet!"
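
Review bot: the new `run_graceperiod` member replaces the blank line that separated `xhc_state` from `command`, so it now sits under the "Host controller watchdog timer structures" comment with no description of its own. A trailing comment stating that it holds a jiffies deadline, with 0 meaning no grace period is pending, would document the unit and the sentinel value that the test in xhci_hub_status_data() relies on.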




* [PATCH 4.9 10/42] USB: serial: cp210x: add Decagon UCA device id
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit ceb4038472a4803e7046ed488b03d11551991514 upstream.

Add the device id for Decagon Devices USB Cable Adapter.

Link: https://lore.kernel.org/r/trinity-819f9db2-d3e1-40e9-a669-9c245817c046-1661523546680@msvc-mesg-web108
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cp210x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -128,6 +128,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x83AA) }, /* Mark-10 Digital Force Gauge */
 	{ USB_DEVICE(0x10C4, 0x83D8) }, /* DekTec DTA Plus VHF/UHF Booster/Attenuator */
 	{ USB_DEVICE(0x10C4, 0x8411) }, /* Kyocera GPS Module */
+	{ USB_DEVICE(0x10C4, 0x8414) }, /* Decagon USB Cable Adapter */
 	{ USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */
 	{ USB_DEVICE(0x10C4, 0x846E) }, /* BEI USB Sensor Interface (VCP) */
 	{ USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */




* [PATCH 4.9 11/42] USB: serial: option: add support for OPPO R11 diag port
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yan Xinyu, Johan Hovold

From: Yan Xinyu <sdlyyxy@bupt.edu.cn>

commit 8d5fc280392735e4441b35de14f2f4860fa8d83c upstream.

Add support for OPPO R11 USB diag serial port to option driver. This
phone uses Qualcomm Snapdragon 660 SoC.

usb-devices output:
T:  Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=22d9 ProdID=276c Rev=04.04
S:  Manufacturer=OPPO
S:  Product=SDM660-MTP _SN:09C6BCA7
S:  SerialNumber=beb2c403
C:  #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
I:  If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs

Signed-off-by: Yan Xinyu <sdlyyxy@bupt.edu.cn>
Link: https://lore.kernel.org/r/20220714102037.4113889-1-sdlyyxy@bupt.edu.cn
Link: https://lore.kernel.org/r/Yt1WfSZk03Plpnan@hovoldconsulting.com
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -569,6 +569,10 @@ static void option_instat_callback(struc
 #define WETELECOM_PRODUCT_6802			0x6802
 #define WETELECOM_PRODUCT_WMD300		0x6803
 
+/* OPPO products */
+#define OPPO_VENDOR_ID				0x22d9
+#define OPPO_PRODUCT_R11			0x276c
+
 
 /* Device flags */
 
@@ -2126,6 +2130,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) },			/* GosunCn GM500 RNDIS */
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) },			/* GosunCn GM500 MBIM */
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) },			/* GosunCn GM500 ECM/NCM */
+	{ USB_DEVICE_AND_INTERFACE_INFO(OPPO_VENDOR_ID, OPPO_PRODUCT_R11, 0xff, 0xff, 0x30) },
 	{ } /* Terminating entry */
 };
 MODULE_DEVICE_TABLE(usb, option_ids);
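
Review bot: the new `USB_DEVICE_AND_INTERFACE_INFO(OPPO_VENDOR_ID, OPPO_PRODUCT_R11, 0xff, 0xff, 0x30)` entry is the only one in this context without a trailing comment. The match on class/subclass/protocol ff/ff/30 is what limits the driver to interface 0 and leaves the ff/42/01 interface shown in the usb-devices output to usbfs, and that is worth recording next to the entry, for example as `/* OPPO R11 diag port */`.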




* [PATCH 4.9 12/42] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Slark Xiao, Johan Hovold

From: Slark Xiao <slark_xiao@163.com>

commit 8ffe20d08f2c95d702c453020d03a4c568a988f0 upstream.

We added PIDs for MV32-WA/WB MBIM mode before, now we need to add
support for RmNet mode.

Test evidence as below:
T:  Bus=03 Lev=01 Prnt=01 Port=02 Cnt=03 Dev#=  3 Spd=480 MxCh= 0
D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=1e2d ProdID=00f3 Rev=05.04
S:  Manufacturer=Cinterion
S:  Product=Cinterion PID 0x00F3 USB Mobile Broadband
S:  SerialNumber=d7b4be8d
C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
I:  If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option

T:  Bus=03 Lev=01 Prnt=01 Port=02 Cnt=03 Dev#= 10 Spd=480 MxCh= 0
D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=1e2d ProdID=00f4 Rev=05.04
S:  Manufacturer=Cinterion
S:  Product=Cinterion PID 0x00F4 USB Mobile Broadband
S:  SerialNumber=d095087d
C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
I:  If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option

Signed-off-by: Slark Xiao <slark_xiao@163.com>
[ johan: sort entries ]
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -434,6 +434,8 @@ static void option_instat_callback(struc
 #define CINTERION_PRODUCT_MV31_2_RMNET		0x00b9
 #define CINTERION_PRODUCT_MV32_WA		0x00f1
 #define CINTERION_PRODUCT_MV32_WB		0x00f2
+#define CINTERION_PRODUCT_MV32_WA_RMNET		0x00f3
+#define CINTERION_PRODUCT_MV32_WB_RMNET		0x00f4
 
 /* Olivetti products */
 #define OLIVETTI_VENDOR_ID			0x0b3c
@@ -1966,8 +1968,12 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(0)},
 	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV32_WA, 0xff),
 	  .driver_info = RSVD(3)},
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV32_WA_RMNET, 0xff),
+	  .driver_info = RSVD(0) },
 	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV32_WB, 0xff),
 	  .driver_info = RSVD(3)},
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV32_WB_RMNET, 0xff),
+	  .driver_info = RSVD(0) },
 	{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100),
 	  .driver_info = RSVD(4) },
 	{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD120),
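
Review bot: both new RMNET entries reserve interface 0 with `RSVD(0)` where the existing MV32_WA/WB entries reserve interface 3, and nothing in the table says why they differ. The usb-devices output in the commit message shows If#0 bound to qmi_wwan in RmNet mode, so a short comment to that effect beside `RSVD(0)` would save the next reader from having to look it up.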




* [PATCH 4.9 13/42] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020)
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thierry GUIBERT, stable

From: Thierry GUIBERT <thierry.guibert@croix-rouge.fr>

commit a10bc71729b236fe36de0d8e4d35c959fd8dec3a upstream.

Support for ICOM F3400 and ICOM F4400 PMR radios in CDC-ACM driver
enabling the AT serial port.
The Vendor Id is 0x0C26
The Product ID is 0x0020

Output of lsusb :
Bus 001 Device 009: ID 0c26:0020 Prolific Technology Inc. ICOM Radio
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            2 Communications
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x0c26 Prolific Technology Inc.
  idProduct          0x0020
  bcdDevice            0.00
  iManufacturer           1 ICOM Inc.
  iProduct                2 ICOM Radio
  iSerial                 3 *obfuscated*
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0030
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xc0
      Self Powered
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              12
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0

Signed-off-by: Thierry GUIBERT <thierry.guibert@croix-rouge.fr>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20220819081702.84118-1-thierry.guibert@croix-rouge.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/cdc-acm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1774,6 +1774,9 @@ static const struct usb_device_id acm_id
 	{ USB_DEVICE(0x09d8, 0x0320), /* Elatec GmbH TWN3 */
 	.driver_info = NO_UNION_NORMAL, /* has misplaced union descriptor */
 	},
+	{ USB_DEVICE(0x0c26, 0x0020), /* Icom ICF3400 Serie */
+	.driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
+	},
 	{ USB_DEVICE(0x0ca6, 0xa050), /* Castles VEGA3000 */
 	.driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
 	},
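
Review bot: the comment on the new `NO_UNION_NORMAL` line, "reports zero length descriptor", is identical to the one on the Castles VEGA3000 entry directly below, and the commit message gives no reason for the quirk. If the Icom radio needs it for a different reason (the lsusb dump in the commit message lists no union descriptor on the communications interface, though lsusb also notes that some information is missing), the comment should say that instead. The entry comment also reads "Icom ICF3400 Serie", which looks like a typo for "Series".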




* [PATCH 4.9 14/42] usb-storage: Add ignore-residue quirk for NXP PN7462AU
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, stable, Witold Lipieta

From: Witold Lipieta <witold.lipieta@thaumatec.com>

commit 2aa48857ad52236a9564c71183d6cc8893becd41 upstream.

This is USB mass storage primary boot loader for code download on
NXP PN7462AU.

Without the quirk it is impossible to write whole memory at once as
device restarts during the write due to bogus residue values reported.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@kernel.org>
Signed-off-by: Witold Lipieta <witold.lipieta@thaumatec.com>
Link: https://lore.kernel.org/r/20220809112911.462776-1-witold.lipieta@thaumatec.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/storage/unusual_devs.h |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -2301,6 +2301,13 @@ UNUSUAL_DEV( 0x1e74, 0x4621, 0x0000, 0x0
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_BULK_IGNORE_TAG | US_FL_MAX_SECTORS_64 ),
 
+/* Reported by Witold Lipieta <witold.lipieta@thaumatec.com> */
+UNUSUAL_DEV( 0x1fc9, 0x0117, 0x0100, 0x0100,
+		"NXP Semiconductors",
+		"PN7462AU",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_IGNORE_RESIDUE ),
+
 /* Supplied with some Castlewood ORB removable drives */
 UNUSUAL_DEV(  0x2027, 0xa001, 0x0000, 0x9999,
 		"Double-H Technology",




* [PATCH 4.9 15/42] s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Gordeev, Gerald Schaefer,
	Vasily Gorbik

From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>

commit 7c8d42fdf1a84b1a0dd60d6528309c8ec127e87c upstream.

The alignment check in prepare_hugepage_range() is wrong for 2 GB
hugepages, it only checks for 1 MB hugepage alignment.

This can result in kernel crash in __unmap_hugepage_range() at the
BUG_ON(start & ~huge_page_mask(h)) alignment check, for mappings
created with MAP_FIXED at unaligned address.

Fix this by correctly handling multiple hugepage sizes, similar to the
generic version of prepare_hugepage_range().

Fixes: d08de8e2d867 ("s390/mm: add support for 2GB hugepages")
Cc: <stable@vger.kernel.org> # 4.8+
Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/include/asm/hugetlb.h |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/s390/include/asm/hugetlb.h
+++ b/arch/s390/include/asm/hugetlb.h
@@ -29,9 +29,11 @@ pte_t huge_ptep_get_and_clear(struct mm_
 static inline int prepare_hugepage_range(struct file *file,
 			unsigned long addr, unsigned long len)
 {
-	if (len & ~HPAGE_MASK)
+	struct hstate *h = hstate_file(file);
+
+	if (len & ~huge_page_mask(h))
 		return -EINVAL;
-	if (addr & ~HPAGE_MASK)
+	if (addr & ~huge_page_mask(h))
 		return -EINVAL;
 	return 0;
 }
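
Review bot: `hstate_file(file)` is now called at the top of this static inline in an arch header, so the backport depends on `hstate_file()` and `huge_page_mask()` being declared before arch/s390/include/asm/hugetlb.h is pulled in on 4.9; an s390 build of this tree would confirm it. Since the unaligned MAP_FIXED mapping described in the commit message ends in a BUG_ON, a regression test that maps a 2 GB hugepage file at an address aligned only to 1 MB and expects -EINVAL would also be a useful addition.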




* [PATCH 4.9 16/42] s390: fix nospec table alignments
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josh Poimboeuf, Heiko Carstens,
	Vasily Gorbik

From: Josh Poimboeuf <jpoimboe@kernel.org>

commit c9305b6c1f52060377c72aebe3a701389e9f3172 upstream.

Add proper alignment for .nospec_call_table and .nospec_return_table in
vmlinux.

[hca@linux.ibm.com]: The problem with the missing alignment of the nospec
tables has existed for a long time, however only since commit e6ed91fd0768
("s390/alternatives: remove padding generation code") and with
CONFIG_RELOCATABLE=n the kernel may also crash at boot time.

The above named commit reduced the size of struct alt_instr by one byte,
so its new size is 11 bytes. Therefore depending on the number of cpu
alternatives the size of the __alt_instructions array may be odd, which
again also causes the addresses of the nospec tables to be odd.

If the address of __nospec_call_start is odd and the kernel is compiled
with CONFIG_RELOCATABLE=n the compiler may generate code that loads the
address of __nospec_call_start with a 'larl' instruction.

This will generate incorrect code since the 'larl' instruction only works
with even addresses. As a result the members of the nospec tables will be
accessed with an off-by-one offset, which subsequently may lead to
addressing exceptions within __nospec_revert().

Fixes: f19fbd5ed642 ("s390: introduce execute-trampolines for branches")
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://lore.kernel.org/r/8719bf1ce4a72ebdeb575200290094e9ce047bcc.1661557333.git.jpoimboe@kernel.org
Cc: <stable@vger.kernel.org> # 4.16
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/kernel/vmlinux.lds.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -125,6 +125,7 @@ SECTIONS
 	/*
 	 * Table with the patch locations to undo expolines
 	*/
+	. = ALIGN(4);
 	.nospec_call_table : {
 		__nospec_call_start = . ;
 		*(.s390_indirect*)
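
Review bot: `. = ALIGN(4);` is added only ahead of `.nospec_call_table`, while the commit message says alignment is added for both `.nospec_call_table` and `.nospec_return_table`, and the diffstat shows a single insertion. Please confirm whether the 4.9 linker script has a `.nospec_return_table` section that needs the same line. The `Cc: stable` tag is also annotated `# 4.16`, so a note on why the fix applies to 4.9 would help.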




* [PATCH 4.9 17/42] USB: core: Prevent nested device-reset calls
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Rondreis

From: Alan Stern <stern@rowland.harvard.edu>

commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream.

Automatic kernel fuzzing revealed a recursive locking violation in
usb-storage:

============================================
WARNING: possible recursive locking detected
5.18.0 #3 Not tainted
--------------------------------------------
kworker/1:3/1205 is trying to acquire lock:
ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at:
usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230

but task is already holding lock:
ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at:
usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230

...

stack backtrace:
CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_deadlock_bug kernel/locking/lockdep.c:2988 [inline]
check_deadlock kernel/locking/lockdep.c:3031 [inline]
validate_chain kernel/locking/lockdep.c:3816 [inline]
__lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053
lock_acquire kernel/locking/lockdep.c:5665 [inline]
lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747
usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230
usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109
r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622
usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:545 [inline]
device_remove+0x11f/0x170 drivers/base/dd.c:537
__device_release_driver drivers/base/dd.c:1222 [inline]
device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248
usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627
usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118
usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114

This turned out not to be an error in usb-storage but rather a nested
device reset attempt.  That is, as the rtl8712 driver was being
unbound from a composite device in preparation for an unrelated USB
reset (that driver does not have pre_reset or post_reset callbacks),
its ->remove routine called usb_reset_device() -- thus nesting one
reset call within another.

Performing a reset as part of disconnect processing is a questionable
practice at best.  However, the bug report points out that the USB
core does not have any protection against nested resets.  Adding a
reset_in_progress flag and testing it will prevent such errors in the
future.

Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9_0Tw4HQ6keN==voRbP0g@mail.gmail.com/
Cc: stable@vger.kernel.org
Reported-and-tested-by: Rondreis <linhaoguo86@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c |   10 ++++++++++
 include/linux/usb.h    |    2 ++
 2 files changed, 12 insertions(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5701,6 +5701,11 @@ re_enumerate_no_bos:
  * the reset is over (using their post_reset method).
  *
  * Return: The same as for usb_reset_and_verify_device().
+ * However, if a reset is already in progress (for instance, if a
+ * driver doesn't have pre_ or post_reset() callbacks, and while
+ * being unbound or re-bound during the ongoing reset its disconnect()
+ * or probe() routine tries to perform a second, nested reset), the
+ * routine returns -EINPROGRESS.
  *
  * Note:
  * The caller must own the device lock.  For example, it's safe to use
@@ -5734,6 +5739,10 @@ int usb_reset_device(struct usb_device *
 		return -EISDIR;
 	}
 
+	if (udev->reset_in_progress)
+		return -EINPROGRESS;
+	udev->reset_in_progress = 1;
+
 	port_dev = hub->ports[udev->portnum - 1];
 
 	/*
@@ -5798,6 +5807,7 @@ int usb_reset_device(struct usb_device *
 
 	usb_autosuspend_device(udev);
 	memalloc_noio_restore(noio_flag);
+	udev->reset_in_progress = 0;
 	return ret;
 }
 EXPORT_SYMBOL_GPL(usb_reset_device);
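
Review bot: `udev->reset_in_progress = 0` is placed only on the final `return ret` path, whereas the flag is set in the previous hunk right after the `-EISDIR` return. Any exit between those two points that does not fall through to this line would leave the flag set and make every later usb_reset_device() call on the device return -EINPROGRESS. Please confirm there is no such return in the part of the function not shown, or clear the flag at a common exit label.
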
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -531,6 +531,7 @@ struct usb3_lpm_parameters {
  * @level: number of USB hub ancestors
  * @can_submit: URBs may be submitted
  * @persist_enabled:  USB_PERSIST enabled for this device
+ * @reset_in_progress: the device is being reset
  * @have_langid: whether string_langid is valid
  * @authorized: policy has said we can use it;
  *	(user space) policy determines if we authorize this device to be
@@ -609,6 +610,7 @@ struct usb_device {
 
 	unsigned can_submit:1;
 	unsigned persist_enabled:1;
+	unsigned reset_in_progress:1;
 	unsigned have_langid:1;
 	unsigned authorized:1;
 	unsigned authenticated:1;
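
Review bot: `reset_in_progress:1` joins the same bitfield as `can_submit`, `persist_enabled`, `have_langid` and the authorization bits, and a write to one bitfield member is a read-modify-write of the shared storage unit. The usb_reset_device() documentation requires the caller to own the device lock; it is worth checking that every writer of the neighbouring bits holds that lock as well, otherwise a concurrent update could lose or resurrect the flag.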




* [PATCH 4.9 18/42] usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Krishna Kurapati

From: Krishna Kurapati <quic_kriskura@quicinc.com>

commit 9d4dc16ec71bd6368548e9743223e449b4377fc7 upstream.

During cdrom emulation, the response to read_toc command must contain
the cdrom address as the number of sectors (2048 byte sized blocks)
represented either as an absolute value (when MSF bit is '0') or in
terms of PMin/PSec/PFrame (when MSF bit is set to '1'). In case of
cdrom, the fsg_lun_open call sets the sector size to 2048 bytes.

When MAC OS sends a read_toc request with MSF set to '1', the
store_cdrom_address assumes that the address being provided is the
LUN size represented in 512 byte sized blocks instead of 2048. It
tries to modify the address further to convert it to 2048 byte sized
blocks and store it in MSF format. This results in data transfer
failures as the cdrom address being provided in the read_toc response
is incorrect.

Fixes: 3f565a363cee ("usb: gadget: storage: adapt logic block size to bound block devices")
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
Link: https://lore.kernel.org/r/1661570110-19127-1-git-send-email-quic_kriskura@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/storage_common.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/storage_common.c
+++ b/drivers/usb/gadget/function/storage_common.c
@@ -298,8 +298,10 @@ EXPORT_SYMBOL_GPL(fsg_lun_fsync_sub);
 void store_cdrom_address(u8 *dest, int msf, u32 addr)
 {
 	if (msf) {
-		/* Convert to Minutes-Seconds-Frames */
-		addr >>= 2;		/* Convert to 2048-byte frames */
+		/*
+		 * Convert to Minutes-Seconds-Frames.
+		 * Sector size is already set to 2048 bytes.
+		 */
 		addr += 2*75;		/* Lead-in occupies 2 seconds */
 		dest[3] = addr % 75;	/* Frames */
 		addr /= 75;




* [PATCH 4.9 19/42] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+b6c9fe29aefe68e4ad34,
	Siddh Raman Pant, Johannes Berg

From: Siddh Raman Pant <code@siddh.me>

commit 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 upstream.

When we are not connected to a channel, sending channel "switch"
announcement doesn't make any sense.

The BSS list is empty in that case. This causes the for loop in
cfg80211_get_bss() to be bypassed, so the function returns NULL
(check line 1424 of net/wireless/scan.c), causing the WARN_ON()
in ieee80211_ibss_csa_beacon() to get triggered (check line 500
of net/mac80211/ibss.c), which was consequently reported on the
syzkaller dashboard.

Thus, check if we have an existing connection before generating
the CSA beacon in ieee80211_ibss_finish_csa().

Cc: stable@vger.kernel.org
Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode")
Link: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca6
Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com
Signed-off-by: Siddh Raman Pant <code@siddh.me>
Tested-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20220814151512.9985-1-code@siddh.me
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/ibss.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -544,6 +544,10 @@ int ieee80211_ibss_finish_csa(struct iee
 
 	sdata_assert_lock(sdata);
 
+	/* When not connected/joined, sending CSA doesn't make sense. */
+	if (ifibss->state != IEEE80211_IBSS_MLME_JOINED)
+		return -ENOLINK;
+
 	/* update cfg80211 bss information with the new channel */
 	if (!is_zero_ether_addr(ifibss->bssid)) {
 		cbss = cfg80211_get_bss(sdata->local->hw.wiphy,
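Review bot: The early return added to ieee80211_ibss_finish_csa() introduces -ENOLINK as a new result, and the callers that must handle it are not visible in this hunk. Please confirm that each caller treats a non-zero return as a failed switch and unwinds its channel-switch state, since before this change the function went on to the cfg80211_get_bss() lookup in this situation. Placing the check after sdata_assert_lock() is right, so the state test runs with the lock held.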




* [PATCH 4.9 20/42] net: mac802154: Fix a condition in the receive path
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 19/42] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 21/42] ALSA: seq: oss: Fix data-race for max_midi_devs access Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miquel Raynal, Stefan Schmidt

From: Miquel Raynal <miquel.raynal@bootlin.com>

commit f0da47118c7e93cdbbc6fb403dd729a5f2c90ee3 upstream.

Upon reception, a packet must be categorized, either its destination is
the host, or it is another host. A packet with no destination addressing
fields may be valid in two situations:
- the packet has no source field: only ACKs are built like that, we
  consider the host as the destination.
- the packet has a valid source field: it is directed to the PAN
  coordinator, as for now we don't have this information we consider we
  are not the PAN coordinator.

There was likely a copy/paste error made during a previous cleanup
because the if clause is now containing exactly the same condition as in
the switch case, which can never be true. In the past the destination
address was used in the switch and the source address was used in the
if, which matches what the spec says.

Cc: stable@vger.kernel.org
Fixes: ae531b9475f6 ("ieee802154: use ieee802154_addr instead of *_sa variants")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/r/20220826142954.254853-1-miquel.raynal@bootlin.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac802154/rx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac802154/rx.c
+++ b/net/mac802154/rx.c
@@ -52,7 +52,7 @@ ieee802154_subif_frame(struct ieee802154
 
 	switch (mac_cb(skb)->dest.mode) {
 	case IEEE802154_ADDR_NONE:
-		if (mac_cb(skb)->dest.mode != IEEE802154_ADDR_NONE)
+		if (hdr->source.mode != IEEE802154_ADDR_NONE)
 			/* FIXME: check if we are PAN coordinator */
 			skb->pkt_type = PACKET_OTHERHOST;
 		else
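Review bot: The switch reads the destination mode from mac_cb(skb)->dest.mode while the corrected test reads hdr->source.mode, so the two halves of one decision come from two different structures. If mac_cb(skb) carries the source address as well, testing mac_cb(skb)->source.mode would keep the branch self-consistent; otherwise a short comment that hdr is the parsed header of this skb would help. The FIXME about the PAN coordinator check is still open, so a frame with a source address and no destination is always classed PACKET_OTHERHOST.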




* [PATCH 4.9 21/42] ALSA: seq: oss: Fix data-race for max_midi_devs access
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 20/42] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 22/42] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Abhishek Shah, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 22dec134dbfa825b963f8a1807ad19b943e46a56 upstream.

ALSA OSS sequencer refers to a global variable max_midi_devs at
creating a new port, storing it to its own field.  Meanwhile this
variable may be changed by other sequencer events at
snd_seq_oss_midi_check_exit_port() in parallel, which may cause a data
race.

OTOH, this data race itself is almost harmless, as the access to the
MIDI device is done via get_mdev() and it's protected with a refcount,
hence its presence is guaranteed.

Though, it's still better to address the data-race from the code sanity
POV, and this patch adds the proper spinlock for the protection.

Reported-by: Abhishek Shah <abhishek.shah@columbia.edu>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAEHB2493pZRXs863w58QWnUTtv3HHfg85aYhLn5HJHCwxqtHQg@mail.gmail.com
Link: https://lore.kernel.org/r/20220823072717.1706-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/seq/oss/seq_oss_midi.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/seq/oss/seq_oss_midi.c
+++ b/sound/core/seq/oss/seq_oss_midi.c
@@ -280,7 +280,9 @@ snd_seq_oss_midi_clear_all(void)
 void
 snd_seq_oss_midi_setup(struct seq_oss_devinfo *dp)
 {
+	spin_lock_irq(&register_lock);
 	dp->max_mididev = max_midi_devs;
+	spin_unlock_irq(&register_lock);
 }
 
 /*
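Review bot: spin_unlock_irq() re-enables interrupts unconditionally, so taking register_lock with spin_lock_irq() in snd_seq_oss_midi_setup() is correct only if this function is never reached with interrupts already disabled. Nothing in the hunk shows the calling context; either state in a comment that it is process context, or use spin_lock_irqsave()/spin_unlock_irqrestore(). The lock also only makes this single read of max_midi_devs consistent: dp->max_mididev can be stale as soon as the lock is dropped.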




* [PATCH 4.9 22/42] ALSA: seq: Fix data-race at module auto-loading
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 21/42] ALSA: seq: oss: Fix data-race for max_midi_devs access Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 23/42] fs: only do a memory barrier for the first set_buffer_uptodate() Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Abhishek Shah, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 3e7e04b747adea36f349715d9f0998eeebf15d72 upstream.

It's been reported that there is a possible data-race accessing to the
global card_requested[] array at ALSA sequencer core, which is used
for determining whether to call request_module() for the card or not.
This data race itself is almost harmless, as it might end up with one
extra request_module() call for the already loaded module at most.
But it's still better to fix.

This patch addresses the possible data race of card_requested[] and
client_requested[] arrays by replacing them with bitmask.
It's an atomic operation and can work without locks.

Reported-by: Abhishek Shah <abhishek.shah@columbia.edu>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAEHB24_ay6YzARpA1zgCsE7=H9CSJJzux618E=Ka4h0YdKn=qA@mail.gmail.com
Link: https://lore.kernel.org/r/20220823072717.1706-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/seq/seq_clientmgr.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -136,13 +136,13 @@ struct snd_seq_client *snd_seq_client_us
 	spin_unlock_irqrestore(&clients_lock, flags);
 #ifdef CONFIG_MODULES
 	if (!in_interrupt()) {
-		static char client_requested[SNDRV_SEQ_GLOBAL_CLIENTS];
-		static char card_requested[SNDRV_CARDS];
+		static DECLARE_BITMAP(client_requested, SNDRV_SEQ_GLOBAL_CLIENTS);
+		static DECLARE_BITMAP(card_requested, SNDRV_CARDS);
+
 		if (clientid < SNDRV_SEQ_GLOBAL_CLIENTS) {
 			int idx;
 			
-			if (!client_requested[clientid]) {
-				client_requested[clientid] = 1;
+			if (!test_and_set_bit(clientid, client_requested)) {
 				for (idx = 0; idx < 15; idx++) {
 					if (seq_client_load[idx] < 0)
 						break;
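Review bot: test_and_set_bit(clientid, client_requested) latches the client as requested before the load loop below has run, so a load attempt that fails is never retried. That matches the old char-array behaviour, but it is worth a comment now that it is an explicit one-shot latch. The only bound on the bit index visible here is `clientid < SNDRV_SEQ_GLOBAL_CLIENTS`; the lower bound on clientid has to come from a check earlier in the function that this hunk does not show.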
@@ -157,10 +157,8 @@ struct snd_seq_client *snd_seq_client_us
 			int card = (clientid - SNDRV_SEQ_GLOBAL_CLIENTS) /
 				SNDRV_SEQ_CLIENTS_PER_CARD;
 			if (card < snd_ecards_limit) {
-				if (! card_requested[card]) {
-					card_requested[card] = 1;
+				if (!test_and_set_bit(card, card_requested))
 					snd_request_card(card);
-				}
 				snd_seq_device_load_drivers();
 			}
 		}
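Review bot: card_requested is declared with SNDRV_CARDS bits, but the index passed to test_and_set_bit() here is bounded by `card < snd_ecards_limit`. The hunk does not show that snd_ecards_limit can never exceed SNDRV_CARDS; if that is guaranteed elsewhere, say so in a comment, otherwise add `card < SNDRV_CARDS` to the condition. Dropping the braces around the single snd_request_card() call is fine.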




* [PATCH 4.9 23/42] fs: only do a memory barrier for the first set_buffer_uptodate()
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 22/42] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 24/42] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Fengwei Yin,
	Mikulas Patocka, Matthew Wilcox (Oracle),
	stable, Linus Torvalds

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 2f79cdfe58c13949bbbb65ba5926abfe9561d0ec upstream.

Commit d4252071b97d ("add barriers to buffer_uptodate and
set_buffer_uptodate") added proper memory barriers to the buffer head
BH_Uptodate bit, so that anybody who tests a buffer for being up-to-date
will be guaranteed to actually see initialized state.

However, that commit didn't _just_ add the memory barrier, it also ended
up dropping the "was it already set" logic that the BUFFER_FNS() macro
had.

That's conceptually the right thing for a generic "this is a memory
barrier" operation, but in the case of the buffer contents, we really
only care about the memory barrier for the _first_ time we set the bit,
in that the only memory ordering protection we need is to avoid anybody
seeing uninitialized memory contents.

Any other access ordering wouldn't be about the BH_Uptodate bit anyway,
and would require some other proper lock (typically BH_Lock or the folio
lock).  A reader that races with somebody invalidating the buffer head
isn't an issue wrt the memory ordering, it's a serialization issue.

Now, you'd think that the buffer head operations don't matter in this
day and age (and I certainly thought so), but apparently some loads
still end up being heavy users of buffer heads.  In particular, the
kernel test robot reported that not having this bit access optimization
in place caused a noticeable direct IO performance regression on ext4:

  fxmark.ssd_ext4_no_jnl_DWTL_54_directio.works/sec -26.5% regression

although you presumably need a fast disk and a lot of cores to actually
notice.

Link: https://lore.kernel.org/all/Yw8L7HTZ%2FdE2%2Fo9C@xsang-OptiPlex-9020/
Reported-by: kernel test robot <oliver.sang@intel.com>
Tested-by: Fengwei Yin <fengwei.yin@intel.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/buffer_head.h |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/include/linux/buffer_head.h
+++ b/include/linux/buffer_head.h
@@ -133,6 +133,17 @@ BUFFER_FNS(Defer_Completion, defer_compl
 static __always_inline void set_buffer_uptodate(struct buffer_head *bh)
 {
 	/*
+	 * If somebody else already set this uptodate, they will
+	 * have done the memory barrier, and a reader will thus
+	 * see *some* valid buffer state.
+	 *
+	 * Any other serialization (with IO errors or whatever that
+	 * might clear the bit) has to come from other state (eg BH_Lock).
+	 */
+	if (test_bit(BH_Uptodate, &bh->b_state))
+		return;
+
+	/*
 	 * make it consistent with folio_mark_uptodate
 	 * pairs with smp_load_acquire in buffer_uptodate
 	 */
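Review bot: The test_bit() fast path returns without issuing any barrier of its own, so it is correct only because the earlier setter did the release and readers use the acquire in buffer_uptodate() that the following comment mentions. The added comment says "they will have done the memory barrier" without naming that pairing; tying it to the smp_load_acquire in buffer_uptodate would let the reasoning be checked from this function alone.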




* [PATCH 4.9 24/42] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()"
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 23/42] fs: only do a memory barrier for the first set_buffer_uptodate() Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 25/42] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yee Lee

From: Yee Lee <yee.lee@mediatek.com>

This reverts commit 23c2d497de21f25898fbea70aeb292ab8acc8c94.

Commit 23c2d497de21 ("mm: kmemleak: take a full lowmem check in
kmemleak_*_phys()") brought false leak alarms on some archs like arm64
that do not init pfn boundary in early booting. The final solution
lands on linux-6.0: commit 0c24e061196c ("mm: kmemleak: add rbtree and
store physical address for objects allocated with PA").

Revert this commit before linux-6.0. The original issue of invalid PA
can be mitigated by additional check in devicetree.

The false alarm report is as follows: Kmemleak output: (Qemu/arm64)
unreferenced object 0xffff0000c0170a00 (size 128):
  comm "swapper/0", pid 1, jiffies 4294892404 (age 126.208s)
  hex dump (first 32 bytes):
    62 61 73 65 00 00 00 00 00 00 00 00 00 00 00 00  base............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<(____ptrval____)>] __kmalloc_track_caller+0x1b0/0x2e4
    [<(____ptrval____)>] kstrdup_const+0x8c/0xc4
    [<(____ptrval____)>] kvasprintf_const+0xbc/0xec
    [<(____ptrval____)>] kobject_set_name_vargs+0x58/0xe4
    [<(____ptrval____)>] kobject_add+0x84/0x100
    [<(____ptrval____)>] __of_attach_node_sysfs+0x78/0xec
    [<(____ptrval____)>] of_core_init+0x68/0x104
    [<(____ptrval____)>] driver_init+0x28/0x48
    [<(____ptrval____)>] do_basic_setup+0x14/0x28
    [<(____ptrval____)>] kernel_init_freeable+0x110/0x178
    [<(____ptrval____)>] kernel_init+0x20/0x1a0
    [<(____ptrval____)>] ret_from_fork+0x10/0x20

This patch is also applicable to linux-5.17.y/linux-5.18.y/linux-5.19.y

Cc: <stable@vger.kernel.org>
Signed-off-by: Yee Lee <yee.lee@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/kmemleak.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -1130,7 +1130,7 @@ EXPORT_SYMBOL(kmemleak_no_scan);
 void __ref kmemleak_alloc_phys(phys_addr_t phys, size_t size, int min_count,
 			       gfp_t gfp)
 {
-	if (PHYS_PFN(phys) >= min_low_pfn && PHYS_PFN(phys) < max_low_pfn)
+	if (!IS_ENABLED(CONFIG_HIGHMEM) || PHYS_PFN(phys) < max_low_pfn)
 		kmemleak_alloc(__va(phys), size, min_count, gfp);
 }
 EXPORT_SYMBOL(kmemleak_alloc_phys);
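Review bot: The restored condition has no lower bound (`PHYS_PFN(phys) >= min_low_pfn` is dropped), and with CONFIG_HIGHMEM disabled `!IS_ENABLED(CONFIG_HIGHMEM)` short-circuits, so every phys value is passed to __va() and on to kmemleak_alloc() unchecked. The commit message says the invalid-PA case can be mitigated by a check in devicetree code, which is not part of this patch. A comment in kmemleak_alloc_phys() pointing at that check would record why no validation is done here.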
@@ -1141,7 +1141,7 @@ EXPORT_SYMBOL(kmemleak_alloc_phys);
  */
 void __ref kmemleak_free_part_phys(phys_addr_t phys, size_t size)
 {
-	if (PHYS_PFN(phys) >= min_low_pfn && PHYS_PFN(phys) < max_low_pfn)
+	if (!IS_ENABLED(CONFIG_HIGHMEM) || PHYS_PFN(phys) < max_low_pfn)
 		kmemleak_free_part(__va(phys), size);
 }
 EXPORT_SYMBOL(kmemleak_free_part_phys);
@@ -1152,7 +1152,7 @@ EXPORT_SYMBOL(kmemleak_free_part_phys);
  */
 void __ref kmemleak_not_leak_phys(phys_addr_t phys)
 {
-	if (PHYS_PFN(phys) >= min_low_pfn && PHYS_PFN(phys) < max_low_pfn)
+	if (!IS_ENABLED(CONFIG_HIGHMEM) || PHYS_PFN(phys) < max_low_pfn)
 		kmemleak_not_leak(__va(phys));
 }
 EXPORT_SYMBOL(kmemleak_not_leak_phys);
@@ -1163,7 +1163,7 @@ EXPORT_SYMBOL(kmemleak_not_leak_phys);
  */
 void __ref kmemleak_ignore_phys(phys_addr_t phys)
 {
-	if (PHYS_PFN(phys) >= min_low_pfn && PHYS_PFN(phys) < max_low_pfn)
+	if (!IS_ENABLED(CONFIG_HIGHMEM) || PHYS_PFN(phys) < max_low_pfn)
 		kmemleak_ignore(__va(phys));
 }
 EXPORT_SYMBOL(kmemleak_ignore_phys);
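Review bot: This is the fourth copy of the same `!IS_ENABLED(CONFIG_HIGHMEM) || PHYS_PFN(phys) < max_low_pfn` test in the file. A small static inline predicate shared by kmemleak_alloc_phys(), kmemleak_free_part_phys(), kmemleak_not_leak_phys() and kmemleak_ignore_phys() would keep the four from drifting apart the next time the condition changes.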




* [PATCH 4.9 25/42] drm/radeon: add a force flush to delay work when radeon
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 24/42] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 26/42] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian König, Zhenneng Li,
	Alex Deucher, Sasha Levin

From: Zhenneng Li <lizhenneng@kylinos.cn>

[ Upstream commit f461950fdc374a3ada5a63c669d997de4600dffe ]

Although radeon card fence and wait for gpu to finish processing current batch rings,
there is still a corner case that radeon lockup work queue may not be fully flushed,
and meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to
put device in D3hot state.
Per PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.
> Configuration and Message requests are the only TLPs accepted by a Function in
> the D3hot state. All other received Requests must be handled as Unsupported Requests,
> and all received Completions may optionally be handled as Unexpected Completions.
This issue will happen in following logs:
Unable to handle kernel paging request at virtual address 00008800e0008010
CPU 0 kworker/0:3(131): Oops 0
pc = [<ffffffff811bea5c>]  ra = [<ffffffff81240844>]  ps = 0000 Tainted: G        W
pc is at si_gpu_check_soft_reset+0x3c/0x240
ra is at si_dma_is_lockup+0x34/0xd0
v0 = 0000000000000000  t0 = fff08800e0008010  t1 = 0000000000010000
t2 = 0000000000008010  t3 = fff00007e3c00000  t4 = fff00007e3c00258
t5 = 000000000000ffff  t6 = 0000000000000001  t7 = fff00007ef078000
s0 = fff00007e3c016e8  s1 = fff00007e3c00000  s2 = fff00007e3c00018
s3 = fff00007e3c00000  s4 = fff00007fff59d80  s5 = 0000000000000000
s6 = fff00007ef07bd98
a0 = fff00007e3c00000  a1 = fff00007e3c016e8  a2 = 0000000000000008
a3 = 0000000000000001  a4 = 8f5c28f5c28f5c29  a5 = ffffffff810f4338
t8 = 0000000000000275  t9 = ffffffff809b66f8  t10 = ff6769c5d964b800
t11= 000000000000b886  pv = ffffffff811bea20  at = 0000000000000000
gp = ffffffff81d89690  sp = 00000000aa814126
Disabling lock debugging due to kernel taint
Trace:
[<ffffffff81240844>] si_dma_is_lockup+0x34/0xd0
[<ffffffff81119610>] radeon_fence_check_lockup+0xd0/0x290
[<ffffffff80977010>] process_one_work+0x280/0x550
[<ffffffff80977350>] worker_thread+0x70/0x7c0
[<ffffffff80977410>] worker_thread+0x130/0x7c0
[<ffffffff80982040>] kthread+0x200/0x210
[<ffffffff809772e0>] worker_thread+0x0/0x7c0
[<ffffffff80981f8c>] kthread+0x14c/0x210
[<ffffffff80911658>] ret_from_kernel_thread+0x18/0x20
[<ffffffff80981e40>] kthread+0x0/0x210
 Code: ad3e0008  43f0074a  ad7e0018  ad9e0020  8c3001e8  40230101
 <88210000> 4821ed21
So force lockup work queue flush to fix this problem.

Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Zhenneng Li <lizhenneng@kylinos.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/radeon/radeon_device.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
index 82b01123c3868..227c4733de2ea 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -1661,6 +1661,9 @@ int radeon_suspend_kms(struct drm_device *dev, bool suspend,
 		if (r) {
 			/* delay GPU reset to resume */
 			radeon_fence_driver_force_completion(rdev, i);
+		} else {
+			/* finish executing delayed work */
+			flush_delayed_work(&rdev->fence_drv[i].lockup_work);
 		}
 	}
 
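Review bot: flush_delayed_work() is called only in the new else branch, that is, when the preceding wait returned r == 0. In the `if (r)` branch, where radeon_fence_driver_force_completion() runs, lockup_work for ring i is left as it was, yet the commit message describes the lockup work touching the device after it has entered D3hot. Please explain why the failure branch cannot leave the work pending, or flush or cancel it there as well.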
-- 
2.35.1





* [PATCH 4.9 26/42] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 25/42] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 27/42] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Li Qiong, Helge Deller, Sasha Levin

From: Li Qiong <liqiong@nfschina.com>

[ Upstream commit d46c742f827fa2326ab1f4faa1cccadb56912341 ]

As the possible failure of the kmalloc(), it should be better
to fix this error path, check and return '-ENOMEM' error code.

Signed-off-by: Li Qiong <liqiong@nfschina.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/parisc/ccio-dma.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c
index f6ef5952e94b3..633762f8d7755 100644
--- a/drivers/parisc/ccio-dma.c
+++ b/drivers/parisc/ccio-dma.c
@@ -1408,15 +1408,17 @@ ccio_init_resource(struct resource *res, char *name, void __iomem *ioaddr)
 	}
 }
 
-static void __init ccio_init_resources(struct ioc *ioc)
+static int __init ccio_init_resources(struct ioc *ioc)
 {
 	struct resource *res = ioc->mmio_region;
 	char *name = kmalloc(14, GFP_KERNEL);
-
+	if (unlikely(!name))
+		return -ENOMEM;
 	snprintf(name, 14, "GSC Bus [%d/]", ioc->hw_path);
 
 	ccio_init_resource(res, name, &ioc->ioc_regs->io_io_low);
 	ccio_init_resource(res + 1, name, &ioc->ioc_regs->io_io_low_hv);
+	return 0;
 }
 
 static int new_ioc_area(struct resource *res, unsigned long size,
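Review bot: Two style points on the new NULL check in ccio_init_resources(): the blank line between the declarations and the first statement was removed, and unlikely() adds nothing in an __init function that runs once. A plain `if (!name)` after a blank line is enough. The literal 14 still appears in both kmalloc() and snprintf(); a named constant or kasprintf() would remove the duplicated size.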
@@ -1566,7 +1568,10 @@ static int __init ccio_probe(struct parisc_device *dev)
 	ioc->hw_path = dev->hw_path;
 	ioc->ioc_regs = ioremap_nocache(dev->hpa.start, 4096);
 	ccio_ioc_init(ioc);
-	ccio_init_resources(ioc);
+	if (ccio_init_resources(ioc)) {
+		kfree(ioc);
+		return -ENOMEM;
+	}
 	hppa_dma_ops = &ccio_ops;
 	dev->dev.platform_data = kzalloc(sizeof(struct pci_hba_data), GFP_KERNEL);
 
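Review bot: The new error path in ccio_probe() frees ioc but not the mapping created two lines earlier by `ioc->ioc_regs = ioremap_nocache(dev->hpa.start, 4096);`, so a failed ccio_init_resources() leaks that mapping; add iounmap(ioc->ioc_regs) before kfree(ioc). The path also hard-codes -ENOMEM instead of returning the value ccio_init_resources() produced, which will hide any other error code that function gains later.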
-- 
2.35.1





* [PATCH 4.9 27/42] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 26/42] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:07 ` [PATCH 4.9 28/42] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller, Sasha Levin

From: Helge Deller <deller@gmx.de>

[ Upstream commit 591d2108f3abc4db9f9073cae37cf3591fd250d6 ]

If a 32-bit kernel was compiled for PA2.0 CPUs, it won't be able to run
on machines with PA1.x CPUs. Add a check and bail out early if a PA1.x
machine is detected.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/parisc/kernel/head.S | 43 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/arch/parisc/kernel/head.S b/arch/parisc/kernel/head.S
index 9b99eb0712ad1..2f570a5205866 100644
--- a/arch/parisc/kernel/head.S
+++ b/arch/parisc/kernel/head.S
@@ -22,7 +22,7 @@
 #include <linux/linkage.h>
 #include <linux/init.h>
 
-	.level	PA_ASM_LEVEL
+	.level	1.1
 
 	__INITDATA
 ENTRY(boot_args)
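Review bot: The unconditional `.level 1.1` at the top of head.S needs a comment. It sits outside the `#if !defined(CONFIG_64BIT) && defined(CONFIG_PA20)` guard used in the next hunk, so every configuration assembles the code between here and the later `.level PA_ASM_LEVEL` at level 1.1. Saying that this early section must stay PA1.1-compatible, and why, would stop someone from changing it back.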
@@ -69,6 +69,47 @@ $bss_loop:
 	stw,ma          %arg2,4(%r1)
 	stw,ma          %arg3,4(%r1)
 
+#if !defined(CONFIG_64BIT) && defined(CONFIG_PA20)
+	/* This 32-bit kernel was compiled for PA2.0 CPUs. Check current CPU
+	 * and halt kernel if we detect a PA1.x CPU. */
+	ldi		32,%r10
+	mtctl		%r10,%cr11
+	.level 2.0
+	mfctl,w		%cr11,%r10
+	.level 1.1
+	comib,<>,n	0,%r10,$cpu_ok
+
+	load32		PA(msg1),%arg0
+	ldi		msg1_end-msg1,%arg1
+$iodc_panic:
+	copy		%arg0, %r10
+	copy		%arg1, %r11
+	load32		PA(init_stack),%sp
+#define MEM_CONS 0x3A0
+	ldw		MEM_CONS+32(%r0),%arg0	// HPA
+	ldi		ENTRY_IO_COUT,%arg1
+	ldw		MEM_CONS+36(%r0),%arg2	// SPA
+	ldw		MEM_CONS+8(%r0),%arg3	// layers
+	load32		PA(__bss_start),%r1
+	stw		%r1,-52(%sp)		// arg4
+	stw		%r0,-56(%sp)		// arg5
+	stw		%r10,-60(%sp)		// arg6 = ptr to text
+	stw		%r11,-64(%sp)		// arg7 = len
+	stw		%r0,-68(%sp)		// arg8
+	load32		PA(.iodc_panic_ret), %rp
+	ldw		MEM_CONS+40(%r0),%r1	// ENTRY_IODC
+	bv,n		(%r1)
+.iodc_panic_ret:
+	b .				/* wait endless with ... */
+	or		%r10,%r10,%r10	/* qemu idle sleep */
+msg1:	.ascii "Can't boot kernel which was built for PA8x00 CPUs on this machine.\r\n"
+msg1_end:
+
+$cpu_ok:
+#endif
+
+	.level	PA_ASM_LEVEL
+
 	/* Initialize startup VM. Just map first 16/32 MB of memory */
 	load32		PA(swapper_pg_dir),%r4
 	mtctl		%r4,%cr24	/* Initialize kernel root pointer */
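Review bot: The CPU probe is undocumented: the block writes 32 to %cr11, reads it back with `mfctl,w` under `.level 2.0`, and treats a zero result as a PA1.x CPU, but nothing says why that read distinguishes the two CPU families. Please add a comment giving the expected result on each. `#define MEM_CONS 0x3A0` sits in the middle of the instruction stream and the offsets +8, +32, +36 and +40 from it are bare numbers; moving the define to the top of the file with named offsets would make the IODC call readable. The block also mixes `//` and `/* */` comments.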
-- 
2.35.1





* [PATCH 4.9 28/42] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init()
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 27/42] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
@ 2022-09-13 14:07 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 29/42] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang, Helge Deller, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 07c55c9803dea748d17a054000cbf1913ce06399 ]

Add missing pci_disable_device() in error path in chipsfb_pci_init().

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/chipsfb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/video/fbdev/chipsfb.c b/drivers/video/fbdev/chipsfb.c
index 84a3778552eba..ec1f8af165e9e 100644
--- a/drivers/video/fbdev/chipsfb.c
+++ b/drivers/video/fbdev/chipsfb.c
@@ -432,6 +432,7 @@ static int chipsfb_pci_init(struct pci_dev *dp, const struct pci_device_id *ent)
  err_release_fb:
 	framebuffer_release(p);
  err_disable:
+	pci_disable_device(dp);
  err_out:
 	return rc;
 }
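Review bot: Please confirm that no path reaches err_disable before pci_enable_device() has succeeded. With this change pci_disable_device(dp) runs for every jump to err_disable and for the fall-through from err_release_fb, but not for err_out, and the goto sites are outside this hunk. A failed enable has to go to err_out for the new call to be balanced.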
-- 
2.35.1





* [PATCH 4.9 29/42] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2022-09-13 14:07 ` [PATCH 4.9 28/42] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 30/42] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tasos Sahanidis, Takashi Iwai

From: Tasos Sahanidis <tasos@tasossah.com>

commit d29f59051d3a07b81281b2df2b8c9dfe4716067f upstream.

The voice allocator sometimes begins allocating from near the end of the
array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
accesses the newly allocated voices as if it never wrapped around.

This results in out of bounds access if the first voice has a high enough
index so that first_voice + requested_voice_count > NUM_G (64).
The more voices are requested, the more likely it is for this to occur.

This was initially discovered using PipeWire, however it can be reproduced
by calling aplay multiple times with 16 channels:
aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero

UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
index 65 is out of range for type 'snd_emu10k1_voice [64]'
CPU: 1 PID: 31977 Comm: aplay Tainted: G        W IOE      6.0.0-rc2-emu10k1+ #7
Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002    07/22/2010
Call Trace:
<TASK>
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x3f
__ubsan_handle_out_of_bounds.cold+0x44/0x49
snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
? exit_to_user_mode_prepare+0x35/0x170
? do_syscall_64+0x69/0x90
? syscall_exit_to_user_mode+0x26/0x50
? do_syscall_64+0x69/0x90
? exit_to_user_mode_prepare+0x35/0x170
snd_pcm_ioctl+0x27/0x40 [snd_pcm]
__x64_sys_ioctl+0x95/0xd0
do_syscall_64+0x5c/0x90
? do_syscall_64+0x69/0x90
? do_syscall_64+0x69/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/3707dcab-320a-62ff-63c0-73fc201ef756@tasossah.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/emu10k1/emupcm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/emu10k1/emupcm.c
+++ b/sound/pci/emu10k1/emupcm.c
@@ -137,7 +137,7 @@ static int snd_emu10k1_pcm_channel_alloc
 	epcm->voices[0]->epcm = epcm;
 	if (voices > 1) {
 		for (i = 1; i < voices; i++) {
-			epcm->voices[i] = &epcm->emu->voices[epcm->voices[0]->number + i];
+			epcm->voices[i] = &epcm->emu->voices[(epcm->voices[0]->number + i) % NUM_G];
 			epcm->voices[i]->epcm = epcm;
 		}
 	}
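Review bot: The `% NUM_G` wrap encodes an undocumented assumption about the allocator: that the voices reserved after voices[0] are the next ones in index order, wrapping at NUM_G. The allocator is not in this hunk; a comment stating that contract, or having the allocator hand back the indices it reserved, would keep the two from diverging. The changed line is also long; a local such as `first = epcm->voices[0]->number` above the loop would shorten it.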




* [PATCH 4.9 30/42] ALSA: aloop: Fix random zeros in capture data when using jiffies timer
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 29/42] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 31/42] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pattara Teerapong, Takashi Iwai

From: Pattara Teerapong <pteerapong@chromium.org>

commit 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 upstream.

In loopback_jiffies_timer_pos_update(), we are getting jiffies twice.
First time for playback, second time for capture. Jiffies can be updated
between these two calls and if the capture jiffies is larger, extra zeros
will be filled in the capture buffer.

Change to get jiffies once and use it for both playback and capture.

Signed-off-by: Pattara Teerapong <pteerapong@chromium.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220901144036.4049060-1-pteerapong@chromium.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/drivers/aloop.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -477,17 +477,18 @@ static unsigned int loopback_pos_update(
 			cable->streams[SNDRV_PCM_STREAM_PLAYBACK];
 	struct loopback_pcm *dpcm_capt =
 			cable->streams[SNDRV_PCM_STREAM_CAPTURE];
-	unsigned long delta_play = 0, delta_capt = 0;
+	unsigned long delta_play = 0, delta_capt = 0, cur_jiffies;
 	unsigned int running, count1, count2;
 
+	cur_jiffies = jiffies;
 	running = cable->running ^ cable->pause;
 	if (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) {
-		delta_play = jiffies - dpcm_play->last_jiffies;
+		delta_play = cur_jiffies - dpcm_play->last_jiffies;
 		dpcm_play->last_jiffies += delta_play;
 	}
 
 	if (running & (1 << SNDRV_PCM_STREAM_CAPTURE)) {
-		delta_capt = jiffies - dpcm_capt->last_jiffies;
+		delta_capt = cur_jiffies - dpcm_capt->last_jiffies;
 		dpcm_capt->last_jiffies += delta_capt;
 	}
 
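
Review bot: The new `cur_jiffies = jiffies;` assignment carries the whole fix but has no comment, so a later cleanup could fold it back into two separate reads. A short comment above it, for example that the playback and capture deltas must come from the same sample, would protect the invariant. Declaring cur_jiffies on its own line rather than appending it to the initialised delta_play/delta_capt declaration would also read better.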




* [PATCH 4.9 31/42] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 30/42] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 32/42] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dongxiang Ke, Takashi Iwai

From: Dongxiang Ke <kdx.glider@gmail.com>

commit e53f47f6c1a56d2af728909f1cb894da6b43d9bf upstream.

There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and
the number of its interfaces less than 4, an out-of-bounds read bug occurs
when parsing the interface descriptor for this device.

Fix this by checking the number of interfaces.

Signed-off-by: Dongxiang Ke <kdx.glider@gmail.com>
Link: https://lore.kernel.org/r/20220906024928.10951-1-kdx.glider@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/stream.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -502,7 +502,7 @@ int snd_usb_parse_audio_interface(struct
 	 * Dallas DS4201 workaround: It presents 5 altsettings, but the last
 	 * one misses syncpipe, and does not produce any sound.
 	 */
-	if (chip->usb_id == USB_ID(0x04fa, 0x4201))
+	if (chip->usb_id == USB_ID(0x04fa, 0x4201) && num >= 4)
 		num = 4;
 
 	for (i = 0; i < num; i++) {
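
Review bot: With `&& num >= 4` the assignment can only lower num, so the condition is really a clamp, yet the comment above it still describes only the 5-altsetting case and does not say what happens when the device reports fewer. Consider extending the comment to cover a device that reports fewer than 4, or writing the test as `num > 4` so the clamp is visible at the call site.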




* [PATCH 4.9 32/42] scsi: mpt3sas: Fix use-after-free warning
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 31/42] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 33/42] driver core: Dont probe devices after bus_type.match() probe deferral Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sreekanth Reddy, Martin K. Petersen

From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>

commit 991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34 upstream.

Fix the following use-after-free warning which is observed during
controller reset:

refcount_t: underflow; use-after-free.
WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0

Link: https://lore.kernel.org/r/20220906134908.1039-2-sreekanth.reddy@broadcom.com
Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/mpt3sas/mpt3sas_scsih.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -2776,6 +2776,7 @@ static struct fw_event_work *dequeue_nex
 		fw_event = list_first_entry(&ioc->fw_event_list,
 				struct fw_event_work, list);
 		list_del_init(&fw_event->list);
+		fw_event_work_put(fw_event);
 	}
 	spin_unlock_irqrestore(&ioc->fw_event_lock, flags);
 
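
Review bot: In dequeue_next_fw_event the added fw_event_work_put() drops a reference on fw_event while the same pointer is about to be returned to the caller, and the hunk does not say which reference keeps the object alive after that. Please add a comment next to the put naming the reference it releases (the one held for list membership, judging by the list_del_init() just above) and the one the caller relies on.
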
@@ -2812,7 +2813,6 @@ _scsih_fw_event_cleanup_queue(struct MPT
 		if (cancel_work_sync(&fw_event->work))
 			fw_event_work_put(fw_event);
 
-		fw_event_work_put(fw_event);
 	}
 }
 
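
Review bot: Removing the unconditional fw_event_work_put() leaves a blank line directly before the loop's closing brace in _scsih_fw_event_cleanup_queue; please drop it as part of the change. The changelog would also benefit from one sentence stating that the put moved into the dequeue helper, since the message only quotes the refcount warning.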




* [PATCH 4.9 33/42] driver core: Dont probe devices after bus_type.match() probe deferral
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 32/42] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 34/42] netfilter: br_netfilter: Drop dst references before setting Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Saravana Kannan, Guenter Roeck,
	Linus Walleij, Isaac J. Manjarres

From: Isaac J. Manjarres <isaacmanjarres@google.com>

commit 25e9fbf0fd38868a429feabc38abebfc6dbf6542 upstream.

Both __device_attach_driver() and __driver_attach() check the return
code of the bus_type.match() function to see if the device needs to be
added to the deferred probe list. After adding the device to the list,
the logic attempts to bind the device to the driver anyway, as if the
device had matched with the driver, which is not correct.

If __device_attach_driver() detects that the device in question is not
ready to match with a driver on the bus, then it doesn't make sense for
the device to attempt to bind with the current driver or continue
attempting to match with any of the other drivers on the bus. So, update
the logic in __device_attach_driver() to reflect this.

If __driver_attach() detects that a driver tried to match with a device
that is not ready to match yet, then the driver should not attempt to bind
with the device. However, the driver can still attempt to match and bind
with other devices on the bus, as drivers can be bound to multiple
devices. So, update the logic in __driver_attach() to reflect this.

Fixes: 656b8035b0ee ("ARM: 8524/1: driver cohandle -EPROBE_DEFER from bus_type.match()")
Cc: stable@vger.kernel.org
Cc: Saravana Kannan <saravanak@google.com>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Saravana Kannan <saravanak@google.com>
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Link: https://lore.kernel.org/r/20220817184026.3468620-1-isaacmanjarres@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/dd.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -590,6 +590,11 @@ static int __device_attach_driver(struct
 	} else if (ret == -EPROBE_DEFER) {
 		dev_dbg(dev, "Device match requests probe deferral\n");
 		driver_deferred_probe_add(dev);
+		/*
+		 * Device can't match with a driver right now, so don't attempt
+		 * to match or bind with other drivers on the bus.
+		 */
+		return ret;
 	} else if (ret < 0) {
 		dev_dbg(dev, "Bus failed to match device: %d", ret);
 		return ret;
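
Review bot: The new `return ret;` in the -EPROBE_DEFER branch of __device_attach_driver hands a negative value back to whatever iterates over the drivers, which is what ends the walk, but the comment describes only the intent and not that effect. Please state in the comment that a non-zero return stops the iteration, and confirm the callers do not report -EPROBE_DEFER as an attach failure.
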
@@ -732,6 +737,11 @@ static int __driver_attach(struct device
 	} else if (ret == -EPROBE_DEFER) {
 		dev_dbg(dev, "Device match requests probe deferral\n");
 		driver_deferred_probe_add(dev);
+		/*
+		 * Driver could not match with device, but may match with
+		 * another device on the bus.
+		 */
+		return 0;
 	} else if (ret < 0) {
 		dev_dbg(dev, "Bus failed to match device: %d", ret);
 		return ret;
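
Review bot: `return 0;` in __driver_attach makes a deferred match indistinguishable from a plain non-match for the caller, which is fine only because driver_deferred_probe_add(dev) has already queued the device; the comment should say so. Separately, the unchanged dev_dbg() below it ("Bus failed to match device: %d") lacks the trailing newline that the deferral message has, which is worth a follow-up.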




* [PATCH 4.9 34/42] netfilter: br_netfilter: Drop dst references before setting.
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 33/42] driver core: Dont probe devices after bus_type.match() probe deferral Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 35/42] netfilter: nf_conntrack_irc: Fix forged IP logic Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harsh Modi, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

From: Harsh Modi <harshmodi@google.com>

[ Upstream commit d047283a7034140ea5da759a494fd2274affdd46 ]

The IPv6 path already drops dst in the daddr changed case, but the IPv4
path does not. This change makes the two code paths consistent.

Further, it is possible that there is already a metadata_dst allocated from
ingress that might already be attached to skbuff->dst while following
the bridge path. If it is not released before setting a new
metadata_dst, it will be leaked. This is similar to what is done in
bpf_set_tunnel_key() or ip6_route_input().

It is important to note that the memory being leaked is not the dst
being set in the bridge code, but rather memory allocated from some
other code path that is not being freed correctly before the skb dst is
overwritten.

An example of the leakage fixed by this commit found using kmemleak:

unreferenced object 0xffff888010112b00 (size 256):
  comm "softirq", pid 0, jiffies 4294762496 (age 32.012s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 80 16 f1 83 ff ff ff ff  ................
    e1 4e f6 82 ff ff ff ff 00 00 00 00 00 00 00 00  .N..............
  backtrace:
    [<00000000d79567ea>] metadata_dst_alloc+0x1b/0xe0
    [<00000000be113e13>] udp_tun_rx_dst+0x174/0x1f0
    [<00000000a36848f4>] geneve_udp_encap_recv+0x350/0x7b0
    [<00000000d4afb476>] udp_queue_rcv_one_skb+0x380/0x560
    [<00000000ac064aea>] udp_unicast_rcv_skb+0x75/0x90
    [<000000009a8ee8c5>] ip_protocol_deliver_rcu+0xd8/0x230
    [<00000000ef4980bb>] ip_local_deliver_finish+0x7a/0xa0
    [<00000000d7533c8c>] __netif_receive_skb_one_core+0x89/0xa0
    [<00000000a879497d>] process_backlog+0x93/0x190
    [<00000000e41ade9f>] __napi_poll+0x28/0x170
    [<00000000b4c0906b>] net_rx_action+0x14f/0x2a0
    [<00000000b20dd5d4>] __do_softirq+0xf4/0x305
    [<000000003a7d7e15>] __irq_exit_rcu+0xc3/0x140
    [<00000000968d39a2>] sysvec_apic_timer_interrupt+0x9e/0xc0
    [<000000009e920794>] asm_sysvec_apic_timer_interrupt+0x16/0x20
    [<000000008942add0>] native_safe_halt+0x13/0x20

Florian Westphal says: "Original code was likely fine because nothing
ever did set a skb->dst entry earlier than bridge in those days."

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Harsh Modi <harshmodi@google.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/br_netfilter_hooks.c | 2 ++
 net/bridge/br_netfilter_ipv6.c  | 1 +
 2 files changed, 3 insertions(+)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 11d4d18012fed..560a36c68be20 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -382,6 +382,7 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_
 				/* - Bridged-and-DNAT'ed traffic doesn't
 				 *   require ip_forwarding. */
 				if (rt->dst.dev == dev) {
+					skb_dst_drop(skb);
 					skb_dst_set(skb, &rt->dst);
 					goto bridged_dnat;
 				}
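
Review bot: The skb_dst_drop() added before skb_dst_set() has no comment, and the reason for it (a dst attached earlier on the receive path, per the changelog) is not obvious from br_nf_pre_routing_finish alone. Since the same drop-then-set pair is added before both skb_dst_set_noref() calls as well, a short comment or a small helper would keep a future call site from omitting the drop.
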
@@ -411,6 +412,7 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_
 			kfree_skb(skb);
 			return 0;
 		}
+		skb_dst_drop(skb);
 		skb_dst_set_noref(skb, &rt->dst);
 	}
 
diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 8c08dd07419f6..54dcead37dfd0 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -201,6 +201,7 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
 			kfree_skb(skb);
 			return 0;
 		}
+		skb_dst_drop(skb);
 		skb_dst_set_noref(skb, &rt->dst);
 	}
 
-- 
2.35.1





* [PATCH 4.9 35/42] netfilter: nf_conntrack_irc: Fix forged IP logic
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 34/42] netfilter: br_netfilter: Drop dst references before setting Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 36/42] sch_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Leadbeater, Pablo Neira Ayuso,
	Sasha Levin

From: David Leadbeater <dgl@dgl.cx>

[ Upstream commit 0efe125cfb99e6773a7434f3463f7c2fa28f3a43 ]

Ensure the match happens in the right direction, previously the
destination used was the server, not the NAT host, as the comment
shows the code intended.

Additionally nf_nat_irc uses port 0 as a signal and there's no valid way
it can appear in a DCC message, so consider port 0 also forged.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: David Leadbeater <dgl@dgl.cx>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_conntrack_irc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 1972a149f9583..c6a8bdc3a226d 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -187,8 +187,9 @@ static int help(struct sk_buff *skb, unsigned int protoff,
 
 			/* dcc_ip can be the internal OR external (NAT'ed) IP */
 			tuple = &ct->tuplehash[dir].tuple;
-			if (tuple->src.u3.ip != dcc_ip &&
-			    tuple->dst.u3.ip != dcc_ip) {
+			if ((tuple->src.u3.ip != dcc_ip &&
+			     ct->tuplehash[!dir].tuple.dst.u3.ip != dcc_ip) ||
+			    dcc_port == 0) {
 				net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n",
 						     &tuple->src.u3.ip,
 						     &dcc_ip, dcc_port);
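
Review bot: The rewritten condition compares dcc_ip against `tuple->src` from direction dir and against the dst of `ct->tuplehash[!dir]`, but the comment above it still only says "internal OR external (NAT'ed) IP" and does not say that the external address is read from the opposite direction's tuple. Please extend the comment, and give `dcc_port == 0` its own line of explanation (the changelog's nf_nat_irc reasoning), because the warning printed for it is the same "Forged DCC command" message.
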
-- 
2.35.1
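
The address check described in the commit message above, as an added user-space C model; it is not code from the kernel or from the patch author. The reduced structs, the constructed addresses and the assumption that the DCC message travels in the original (client to server) direction of a source-NATed connection are all illustrative.

```c
/* Added illustration (not kernel code): a user-space model of the
 * "forged DCC" address check before and after the patch above.
 * Struct names and all addresses are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

/* Reduced stand-ins for the conntrack tuple and connection. */
struct tuple { uint32_t src_ip, dst_ip; };
struct conn  { struct tuple tuplehash[2]; };

#define IP4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
	 ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed addresses: one RFC 1918 host, two documentation ranges. */
#define CLIENT_INTERNAL IP4(10, 0, 0, 5)      /* IRC client behind NAT   */
#define NAT_EXTERNAL    IP4(198, 51, 100, 7)  /* address the NAT maps to */
#define IRC_SERVER      IP4(203, 0, 113, 10)  /* remote IRC server       */

/* A source-NATed client->server connection: the reply tuple is
 * addressed to the NAT's external address, not to the client. */
static struct conn sample_natted_conn(void)
{
	struct conn ct;

	ct.tuplehash[DIR_ORIGINAL].src_ip = CLIENT_INTERNAL;
	ct.tuplehash[DIR_ORIGINAL].dst_ip = IRC_SERVER;
	ct.tuplehash[DIR_REPLY].src_ip = IRC_SERVER;
	ct.tuplehash[DIR_REPLY].dst_ip = NAT_EXTERNAL;
	return ct;
}

/* Pre-patch condition: both comparisons use the tuple of direction
 * dir, so the second one tests the server's address. */
static bool dcc_forged_old(const struct conn *ct, int dir,
			   uint32_t dcc_ip, uint16_t dcc_port)
{
	const struct tuple *tuple = &ct->tuplehash[dir];

	(void)dcc_port;	/* the old check did not look at the port */
	return tuple->src_ip != dcc_ip && tuple->dst_ip != dcc_ip;
}

/* Post-patch condition: the second comparison reads the destination
 * of the opposite direction, and port 0 is always treated as forged. */
static bool dcc_forged_new(const struct conn *ct, int dir,
			   uint32_t dcc_ip, uint16_t dcc_port)
{
	const struct tuple *tuple = &ct->tuplehash[dir];

	return (tuple->src_ip != dcc_ip &&
		ct->tuplehash[!dir].dst_ip != dcc_ip) ||
	       dcc_port == 0;
}

int main(void)
{
	struct conn ct = sample_natted_conn();
	const struct { const char *what; uint32_t ip; uint16_t port; } cases[] = {
		{ "client internal IP",  CLIENT_INTERNAL, 5000 },
		{ "NAT external IP",     NAT_EXTERNAL,    5000 },
		{ "IRC server IP",       IRC_SERVER,      5000 },
		{ "internal IP, port 0", CLIENT_INTERNAL, 0 },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		bool o = dcc_forged_old(&ct, DIR_ORIGINAL, cases[i].ip, cases[i].port);
		bool n = dcc_forged_new(&ct, DIR_ORIGINAL, cases[i].ip, cases[i].port);

		printf("%-20s old=%-6s new=%s\n", cases[i].what,
		       o ? "forged" : "ok", n ? "forged" : "ok");
	}
	return 0;
}
```

In this model the two conditions disagree on exactly the cases the commit message names: the NAT's external address, the server's address, and port 0.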





* [PATCH 4.9 36/42] sch_sfb: Dont assume the skb is still around after enqueueing to child
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 35/42] netfilter: nf_conntrack_irc: Fix forged IP logic Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 37/42] tipc: fix shift wrapping bug in map_get() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Toke Høiland-Jørgensen,
	David S. Miller, Sasha Levin, zdi-disclosures

From: Toke Høiland-Jørgensen <toke@toke.dk>

[ Upstream commit 9efd23297cca530bb35e1848665805d3fcdd7889 ]

The sch_sfb enqueue() routine assumes the skb is still alive after it has
been enqueued into a child qdisc, using the data in the skb cb field in the
increment_qlen() routine after enqueue. However, the skb may in fact have
been freed, causing a use-after-free in this case. In particular, this
happens if sch_cake is used as a child of sfb, and the GSO splitting mode
of CAKE is enabled (in which case the skb will be split into segments and
the original skb freed).

Fix this by copying the sfb cb data to the stack before enqueueing the skb,
and using this stack copy in increment_qlen() instead of the skb pointer
itself.

Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231
Fixes: e13e02a3c68d ("net_sched: SFB flow scheduler")
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_sfb.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index bc176bd48c026..592189427a09f 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -137,15 +137,15 @@ static void increment_one_qlen(u32 sfbhash, u32 slot, struct sfb_sched_data *q)
 	}
 }
 
-static void increment_qlen(const struct sk_buff *skb, struct sfb_sched_data *q)
+static void increment_qlen(const struct sfb_skb_cb *cb, struct sfb_sched_data *q)
 {
 	u32 sfbhash;
 
-	sfbhash = sfb_hash(skb, 0);
+	sfbhash = cb->hashes[0];
 	if (sfbhash)
 		increment_one_qlen(sfbhash, 0, q);
 
-	sfbhash = sfb_hash(skb, 1);
+	sfbhash = cb->hashes[1];
 	if (sfbhash)
 		increment_one_qlen(sfbhash, 1, q);
 }
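
Review bot: increment_qlen() now reads cb->hashes[0] and cb->hashes[1] directly, so its correctness depends on the caller passing a copy taken before the skb was handed to the child, and that contract is not written down anywhere in the hunk. A one-line comment above the function would document it.
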
@@ -283,6 +283,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 	struct sfb_sched_data *q = qdisc_priv(sch);
 	struct Qdisc *child = q->qdisc;
 	struct tcf_proto *fl;
+	struct sfb_skb_cb cb;
 	int i;
 	u32 p_min = ~0;
 	u32 minqlen = ~0;
@@ -399,11 +400,12 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 	}
 
 enqueue:
+	memcpy(&cb, sfb_skb_cb(skb), sizeof(cb));
 	ret = qdisc_enqueue(skb, child, to_free);
 	if (likely(ret == NET_XMIT_SUCCESS)) {
 		qdisc_qstats_backlog_inc(sch, skb);
 		sch->q.qlen++;
-		increment_qlen(skb, q);
+		increment_qlen(&cb, q);
 	} else if (net_xmit_drop_count(ret)) {
 		q->stats.childdrop++;
 		qdisc_qstats_drop(sch);
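
Review bot: On the NET_XMIT_SUCCESS path `qdisc_qstats_backlog_inc(sch, skb);` still takes skb after qdisc_enqueue() has returned, which is the same kind of post-enqueue access this patch removes from increment_qlen(). Anything that call reads from the skb should be saved before the enqueue, alongside the memcpy() of the cb.
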
-- 
2.35.1





* [PATCH 4.9 37/42] tipc: fix shift wrapping bug in map_get()
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 36/42] sch_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 38/42] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit e2b224abd9bf45dcb55750479fc35970725a430b ]

There is a shift wrapping bug in this code so anything above
31 will return false.

Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/monitor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
index e1f4538b16532..7efcbd11a907a 100644
--- a/net/tipc/monitor.c
+++ b/net/tipc/monitor.c
@@ -130,7 +130,7 @@ static void map_set(u64 *up_map, int i, unsigned int v)
 
 static int map_get(u64 up_map, int i)
 {
-	return (up_map & (1 << i)) >> i;
+	return (up_map & (1ULL << i)) >> i;
 }
 
 static struct tipc_peer *peer_prev(struct tipc_peer *peer)
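
Review bot: `1ULL << i` fixes the operand width, but i is a signed int and map_get() does not bound it, so a negative value or one of 64 and above still gives an undefined shift. Consider BIT_ULL(i) for readability together with a range check or an unsigned parameter, and check that map_set() directly above builds its mask with a 64-bit constant too.
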
-- 
2.35.1





* [PATCH 4.9 38/42] tcp: fix early ETIMEDOUT after spurious non-SACK RTO
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 37/42] tipc: fix shift wrapping bug in map_get() Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 39/42] sch_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nagaraj Arankal, Neal Cardwell,
	Yuchung Cheng, Eric Dumazet, Paolo Abeni, Sasha Levin

From: Neal Cardwell <ncardwell@google.com>

[ Upstream commit 686dc2db2a0fdc1d34b424ec2c0a735becd8d62b ]

Fix a bug reported and analyzed by Nagaraj Arankal, where the handling
of a spurious non-SACK RTO could cause a connection to fail to clear
retrans_stamp, causing a later RTO to very prematurely time out the
connection with ETIMEDOUT.

Here is the buggy scenario, expanding upon Nagaraj Arankal's excellent
report:

(*1) Send one data packet on a non-SACK connection

(*2) Because no ACK packet is received, the packet is retransmitted
     and we enter CA_Loss; but this retransmission is spurious.

(*3) The ACK for the original data is received. The transmitted packet
     is acknowledged.  The TCP timestamp is before the retrans_stamp,
     so tcp_may_undo() returns true, and tcp_try_undo_loss() returns
     true without changing state to Open (because tcp_is_sack() is
     false), and tcp_process_loss() returns without calling
     tcp_try_undo_recovery().  Normally after undoing a CA_Loss
     episode, tcp_fastretrans_alert() would see that the connection
     has returned to CA_Open and fall through and call
     tcp_try_to_open(), which would set retrans_stamp to 0.  However,
     for non-SACK connections we hold the connection in CA_Loss, so do
     not fall through to call tcp_try_to_open() and do not set
     retrans_stamp to 0. So retrans_stamp is (erroneously) still
     non-zero.

     At this point the first "retransmission event" has passed and
     been recovered from. Any future retransmission is a completely
     new "event". However, retrans_stamp is erroneously still
     set. (And we are still in CA_Loss, which is correct.)

(*4) After 16 minutes (to correspond with tcp_retries2=15), a new data
     packet is sent. Note: No data is transmitted between (*3) and
     (*4) and we disabled keep alives.

     The socket's timeout SHOULD be calculated from this point in
     time, but instead it's calculated from the prior "event" 16
     minutes ago (step (*2)).

(*5) Because no ACK packet is received, the packet is retransmitted.

(*6) At the time of the 2nd retransmission, the socket returns
     ETIMEDOUT, prematurely, because retrans_stamp is (erroneously)
     too far in the past (set at the time of (*2)).

This commit fixes this bug by ensuring that we reuse in
tcp_try_undo_loss() the same careful logic for non-SACK connections
that we have in tcp_try_undo_recovery(). To avoid duplicating logic,
we factor out that logic into a new
tcp_is_non_sack_preventing_reopen() helper and call that helper from
both undo functions.

Fixes: da34ac7626b5 ("tcp: only undo on partial ACKs in CA_Loss")
Reported-by: Nagaraj Arankal <nagaraj.p.arankal@hpe.com>
Link: https://lore.kernel.org/all/SJ0PR84MB1847BE6C24D274C46A1B9B0EB27A9@SJ0PR84MB1847.NAMPRD84.PROD.OUTLOOK.COM/
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20220903121023.866900-1-ncardwell.kernel@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_input.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index b12a329ef1873..2029e7a36cbb4 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2468,6 +2468,21 @@ static inline bool tcp_may_undo(const struct tcp_sock *tp)
 	return tp->undo_marker && (!tp->undo_retrans || tcp_packet_delayed(tp));
 }
 
+static bool tcp_is_non_sack_preventing_reopen(struct sock *sk)
+{
+	struct tcp_sock *tp = tcp_sk(sk);
+
+	if (tp->snd_una == tp->high_seq && tcp_is_reno(tp)) {
+		/* Hold old state until something *above* high_seq
+		 * is ACKed. For Reno it is MUST to prevent false
+		 * fast retransmits (RFC2582). SACK TCP is safe. */
+		if (!tcp_any_retrans_done(sk))
+			tp->retrans_stamp = 0;
+		return true;
+	}
+	return false;
+}
+
 /* People celebrate: "We love our President!" */
 static bool tcp_try_undo_recovery(struct sock *sk)
 {
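
Review bot: tcp_is_non_sack_preventing_reopen() reads as a pure predicate but clears tp->retrans_stamp when tcp_any_retrans_done() is false, which is the behaviour the fix depends on. Please add a comment above the helper stating the side effect, so a caller that only wants the test does not pick it up by accident.
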
@@ -2488,14 +2503,8 @@ static bool tcp_try_undo_recovery(struct sock *sk)
 
 		NET_INC_STATS(sock_net(sk), mib_idx);
 	}
-	if (tp->snd_una == tp->high_seq && tcp_is_reno(tp)) {
-		/* Hold old state until something *above* high_seq
-		 * is ACKed. For Reno it is MUST to prevent false
-		 * fast retransmits (RFC2582). SACK TCP is safe. */
-		if (!tcp_any_retrans_done(sk))
-			tp->retrans_stamp = 0;
+	if (tcp_is_non_sack_preventing_reopen(sk))
 		return true;
-	}
 	tcp_set_ca_state(sk, TCP_CA_Open);
 	tp->is_sack_reneg = 0;
 	return false;
@@ -2529,6 +2538,8 @@ static bool tcp_try_undo_loss(struct sock *sk, bool frto_undo)
 			NET_INC_STATS(sock_net(sk),
 					LINUX_MIB_TCPSPURIOUSRTOS);
 		inet_csk(sk)->icsk_retransmits = 0;
+		if (tcp_is_non_sack_preventing_reopen(sk))
+			return true;
 		if (frto_undo || tcp_is_sack(tp)) {
 			tcp_set_ca_state(sk, TCP_CA_Open);
 			tp->is_sack_reneg = 0;
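
Review bot: The early `return true` is placed ahead of the `frto_undo || tcp_is_sack(tp)` test, so a Reno connection with snd_una == high_seq no longer moves to TCP_CA_Open even when frto_undo is set. The changelog discusses only the non-SACK case in general; please say whether the frto_undo change is intended.
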
-- 
2.35.1





* [PATCH 4.9 39/42] sch_sfb: Also store skb len before calling child enqueue
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 38/42] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 40/42] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Toke Høiland-Jørgensen,
	Cong Wang, Paolo Abeni, Sasha Levin

From: Toke Høiland-Jørgensen <toke@toke.dk>

[ Upstream commit 2f09707d0c972120bf794cfe0f0c67e2c2ddb252 ]

Cong Wang noticed that the previous fix for sch_sfb accessing the queued
skb after enqueueing it to a child qdisc was incomplete: the SFB enqueue
function was also calling qdisc_qstats_backlog_inc() after enqueue, which
reads the pkt len from the skb cb field. Fix this by also storing the skb
len, and using the stored value to increment the backlog after enqueueing.

Fixes: 9efd23297cca ("sch_sfb: Don't assume the skb is still around after enqueueing to child")
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Acked-by: Cong Wang <cong.wang@bytedance.com>
Link: https://lore.kernel.org/r/20220905192137.965549-1-toke@toke.dk
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_sfb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index 592189427a09f..2973d82fb21cc 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -281,6 +281,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 {
 
 	struct sfb_sched_data *q = qdisc_priv(sch);
+	unsigned int len = qdisc_pkt_len(skb);
 	struct Qdisc *child = q->qdisc;
 	struct tcf_proto *fl;
 	struct sfb_skb_cb cb;
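
Review bot: `len` is sampled in the declarations at the top of sfb_enqueue, while the cb copy it pairs with is taken at the enqueue label just before qdisc_enqueue(). Taking both snapshots at the same place, or a comment on the declaration explaining that the skb must not be read after the child enqueue, would keep the two halves of the fix together.
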
@@ -403,7 +404,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 	memcpy(&cb, sfb_skb_cb(skb), sizeof(cb));
 	ret = qdisc_enqueue(skb, child, to_free);
 	if (likely(ret == NET_XMIT_SUCCESS)) {
-		qdisc_qstats_backlog_inc(sch, skb);
+		sch->qstats.backlog += len;
 		sch->q.qlen++;
 		increment_qlen(&cb, q);
 	} else if (net_xmit_drop_count(ret)) {
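
Review bot: `sch->qstats.backlog += len;` open-codes the helper it replaces, and without a comment it looks like a candidate for being converted back to qdisc_qstats_backlog_inc(sch, skb). Please note next to it that the skb may already have been freed by the child.
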
-- 
2.35.1
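
The snapshot-before-handoff pattern that this fix and the earlier sch_sfb fix (36/42) apply, as an added user-space C model; it is not kernel code and not the patch author's. The struct names, the bucket count and the two child functions are constructed for the illustration.

```c
/* Added illustration (not kernel code): a parent queue that hands a
 * packet to a child which may free it, and therefore copies every
 * field it needs afterwards before the handoff. All names and sizes
 * are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { XMIT_SUCCESS = 0, XMIT_DROP = 1 };
#define NBUCKETS 16u		/* constructed, not SFB's real geometry */

struct pkt_cb { uint32_t hashes[2]; };
struct pkt    { unsigned int len; struct pkt_cb cb; };

struct sched {
	unsigned int qlen, backlog, childdrop;
	unsigned int bins[2][NBUCKETS];
};

typedef int (*child_enqueue_fn)(struct pkt *p);

/* Child that accepts the packet and frees the original before
 * returning, standing in for a child that splits it into segments. */
static int child_split_and_free(struct pkt *p)
{
	memset(p, 0xA5, sizeof(*p));	/* poison: a stale read would see junk */
	free(p);
	return XMIT_SUCCESS;
}

/* Child that refuses the packet and disposes of it. */
static int child_drop(struct pkt *p)
{
	free(p);
	return XMIT_DROP;
}

/* Takes the saved cb copy, never the packet pointer. */
static void increment_qlen(const struct pkt_cb *cb, struct sched *q)
{
	unsigned int slot;

	for (slot = 0; slot < 2; slot++)
		if (cb->hashes[slot])
			q->bins[slot][cb->hashes[slot] % NBUCKETS]++;
}

static int parent_enqueue(struct sched *q, struct pkt *p, child_enqueue_fn child)
{
	struct pkt_cb cb;
	unsigned int len;
	int ret;

	/* Snapshot everything needed later while p is still ours. */
	len = p->len;
	memcpy(&cb, &p->cb, sizeof(cb));

	ret = child(p);		/* ownership of p ends here; do not touch it */
	if (ret == XMIT_SUCCESS) {
		q->backlog += len;	/* uses the saved length */
		q->qlen++;
		increment_qlen(&cb, q);	/* uses the saved hashes */
	} else {
		q->childdrop++;
	}
	return ret;
}

static struct pkt *make_pkt(unsigned int len, uint32_t h0, uint32_t h1)
{
	struct pkt *p = malloc(sizeof(*p));

	if (!p)
		abort();
	p->len = len;
	p->cb.hashes[0] = h0;
	p->cb.hashes[1] = h1;
	return p;
}

/* Runs one accepted and one dropped packet; returns the counters. */
static struct sched run_demo(void)
{
	struct sched q;

	memset(&q, 0, sizeof(q));
	parent_enqueue(&q, make_pkt(1500, 0x13, 0x27), child_split_and_free);
	parent_enqueue(&q, make_pkt(900, 0x13, 0x27), child_drop);
	return q;
}

int main(void)
{
	struct sched q = run_demo();

	printf("qlen=%u backlog=%u childdrop=%u\n", q.qlen, q.backlog, q.childdrop);
	return 0;
}
```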





* [PATCH 4.9 40/42] usb: dwc3: fix PHY disable sequence
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 39/42] sch_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 41/42] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Halaney, Matthias Kaehlcke,
	Manivannan Sadhasivam, Johan Hovold

From: Johan Hovold <johan+linaro@kernel.org>

commit d2ac7bef95c9ead307801ccb6cb6dfbeb14247bf upstream.

Generic PHYs must be powered-off before they can be torn down.

Similarly, suspending legacy PHYs after having powered them off makes no
sense.

Fix the dwc3_core_exit() (e.g. called during suspend) and open-coded
dwc3_probe() error-path sequences that got this wrong.

Note that this makes dwc3_core_exit() match the dwc3_core_init() error
path with respect to powering off the PHYs.

Fixes: 03c1fd622f72 ("usb: dwc3: core: add phy cleanup for probe error handling")
Fixes: c499ff71ff2a ("usb: dwc3: core: re-factor init and exit paths")
Cc: stable@vger.kernel.org      # 4.8
Reviewed-by: Andrew Halaney <ahalaney@redhat.com>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20220804151001.23612-2-johan+linaro@kernel.org
[ johan: adjust context to 4.9 ]
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/core.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -602,15 +602,15 @@ static void dwc3_core_exit(struct dwc3 *
 {
 	dwc3_event_buffers_cleanup(dwc);
 
-	usb_phy_shutdown(dwc->usb2_phy);
-	usb_phy_shutdown(dwc->usb3_phy);
-	phy_exit(dwc->usb2_generic_phy);
-	phy_exit(dwc->usb3_generic_phy);
-
 	usb_phy_set_suspend(dwc->usb2_phy, 1);
 	usb_phy_set_suspend(dwc->usb3_phy, 1);
 	phy_power_off(dwc->usb2_generic_phy);
 	phy_power_off(dwc->usb3_generic_phy);
+
+	usb_phy_shutdown(dwc->usb2_phy);
+	usb_phy_shutdown(dwc->usb3_phy);
+	phy_exit(dwc->usb2_generic_phy);
+	phy_exit(dwc->usb3_generic_phy);
 }
 
 /**
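
Review bot: The corrected order in dwc3_core_exit (suspend and power off first, then shutdown and exit) is recoverable only from the changelog; the function body carries no comment on it. A short comment above the two groups, stating that the PHYs must be powered off before teardown, would stop the blocks being reordered again.
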
@@ -1149,16 +1149,16 @@ static int dwc3_probe(struct platform_de
 err5:
 	dwc3_event_buffers_cleanup(dwc);
 
-	usb_phy_shutdown(dwc->usb2_phy);
-	usb_phy_shutdown(dwc->usb3_phy);
-	phy_exit(dwc->usb2_generic_phy);
-	phy_exit(dwc->usb3_generic_phy);
-
 	usb_phy_set_suspend(dwc->usb2_phy, 1);
 	usb_phy_set_suspend(dwc->usb3_phy, 1);
 	phy_power_off(dwc->usb2_generic_phy);
 	phy_power_off(dwc->usb3_generic_phy);
 
+	usb_phy_shutdown(dwc->usb2_phy);
+	usb_phy_shutdown(dwc->usb3_phy);
+	phy_exit(dwc->usb2_generic_phy);
+	phy_exit(dwc->usb3_generic_phy);
+
 	dwc3_ulpi_exit(dwc);
 
 err4:
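Review bot: The err5 path in dwc3_probe() now carries the same eight PHY calls in the same order as dwc3_core_exit(), so the sequence is maintained by hand in two places, and the changelog itself says the probe error path had it wrong. Calling one shared helper from both sites would keep them from diverging again; for a stable backport the minimal reorder is fine, but the upstream code should get the helper. It is also worth confirming that dwc3_ulpi_exit(), which still runs after phy_exit() here, does not need the PHYs initialised.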




* [PATCH 4.9 41/42] MIPS: loongson32: ls1c: Fix hang during startup
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 40/42] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-13 14:08 ` [PATCH 4.9 42/42] SUNRPC: use _bh spinlocking on ->transport_lock Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Ling, Keguang Zhang,
	Thomas Bogendoerfer, Sasha Levin

From: Yang Ling <gnaygnil@gmail.com>

[ Upstream commit 35508d2424097f9b6a1a17aac94f702767035616 ]

The RTCCTRL reg of LS1C is obsolete.
Writing this reg will cause system hang.

Fixes: 60219c563c9b6 ("MIPS: Add RTC support for Loongson1C board")
Signed-off-by: Yang Ling <gnaygnil@gmail.com>
Tested-by: Keguang Zhang <keguang.zhang@gmail.com>
Acked-by: Keguang Zhang <keguang.zhang@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/loongson32/ls1c/board.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/mips/loongson32/ls1c/board.c b/arch/mips/loongson32/ls1c/board.c
index a96bed5e3ea60..ac1c5e6572d5f 100644
--- a/arch/mips/loongson32/ls1c/board.c
+++ b/arch/mips/loongson32/ls1c/board.c
@@ -18,7 +18,6 @@ static struct platform_device *ls1c_platform_devices[] __initdata = {
 static int __init ls1c_platform_init(void)
 {
 	ls1x_serial_set_uartclk(&ls1x_uart_pdev);
-	ls1x_rtc_set_extclk(&ls1x_rtc_pdev);
 
 	return platform_add_devices(ls1c_platform_devices,
 				   ARRAY_SIZE(ls1c_platform_devices));
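Review bot: After the ls1x_rtc_set_extclk(&ls1x_rtc_pdev) line is dropped from ls1c_platform_init(), nothing at this spot records why the RTC clock setup is skipped on LS1C. The changelog's reason (RTCCTRL is obsolete on LS1C and writing it hangs the system) belongs in a short comment here so the call is not re-added later. The hunk also does not show whether ls1x_rtc_pdev is still listed in ls1c_platform_devices[]; if it is, confirm that the driver it binds never writes the same register.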
-- 
2.35.1





* [PATCH 4.9 42/42] SUNRPC: use _bh spinlocking on ->transport_lock
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 41/42] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
@ 2022-09-13 14:08 ` Greg Kroah-Hartman
  2022-09-14  9:50 ` [PATCH 4.9 00/42] 4.9.328-rc1 review Pavel Machek
                   ` (4 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-09-13 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, NeilBrown, Eugeniu Rosca

From: "NeilBrown" <neilb@suse.de>

Prior to Linux 5.3, ->transport_lock in sunrpc required the _bh style
spinlocks (when not called from a bottom-half handler).

When upstream 3848e96edf4788f772d83990022fa7023a233d83 was backported to
stable kernels, the spin_lock/unlock calls should have been changed to
the _bh version, but this wasn't noted in the patch and didn't happen.

So convert these lock/unlock calls to the _bh versions.

This patch is required for any stable kernel prior to 5.3 to which the
above mentioned patch was backported.  Namely 4.9.y, 4.14.y, 4.19.y.

Signed-off-by: NeilBrown <neilb@suse.de>
Reported-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Reviewed-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Tested-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 net/sunrpc/xprt.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -1451,9 +1451,9 @@ static void xprt_destroy(struct rpc_xprt
 	 * is cleared.  We use ->transport_lock to ensure the mod_timer()
 	 * can only run *before* del_time_sync(), never after.
 	 */
-	spin_lock(&xprt->transport_lock);
+	spin_lock_bh(&xprt->transport_lock);
 	del_timer_sync(&xprt->timer);
-	spin_unlock(&xprt->transport_lock);
+	spin_unlock_bh(&xprt->transport_lock);
 
 	rpc_xprt_debugfs_unregister(xprt);
 	rpc_destroy_wait_queue(&xprt->binding);
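Review bot: In xprt_destroy(), del_timer_sync() is called with ->transport_lock held, and with this change also with bottom halves disabled. del_timer_sync() waits for a running timer callback to finish, so this is only safe if the xprt->timer callback never spins on ->transport_lock. That callback is not visible in this hunk, and the changelog should state how this is guaranteed on the pre-5.3 trees it targets. Separately, the context comment says "del_time_sync()" where del_timer_sync() is meant; worth fixing while touching these lines.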




* Re: [PATCH 4.9 00/42] 4.9.328-rc1 review
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2022-09-13 14:08 ` [PATCH 4.9 42/42] SUNRPC: use _bh spinlocking on ->transport_lock Greg Kroah-Hartman
@ 2022-09-14  9:50 ` Pavel Machek
  2022-09-14 12:40 ` Naresh Kamboju
                   ` (3 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Pavel Machek @ 2022-09-14  9:50 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade


Hi!

> This is the start of the stable review cycle for the 4.9.328 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.9.y

Tested-by: Pavel Machek (CIP) <pavel@denx.de>

Best regards,
                                                                Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* Re: [PATCH 4.9 00/42] 4.9.328-rc1 review
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2022-09-14  9:50 ` [PATCH 4.9 00/42] 4.9.328-rc1 review Pavel Machek
@ 2022-09-14 12:40 ` Naresh Kamboju
  2022-09-14 15:26 ` Jon Hunter
                   ` (2 subsequent siblings)
  46 siblings, 0 replies; 50+ messages in thread
From: Naresh Kamboju @ 2022-09-14 12:40 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade

On Tue, 13 Sept 2022 at 20:07, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.9.328 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 15 Sep 2022 14:03:27 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.328-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro's test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 4.9.328-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-4.9.y
* git commit: 1573700dfd1f3ba21b839c8189562e7670ecadf4
* git describe: v4.9.327-43-g1573700dfd1f
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.9.y/build/v4.9.327-43-g1573700dfd1f

## No test Regressions (compared to v4.9.327)

## No metric Regressions (compared to v4.9.327)

## No test Fixes (compared to v4.9.327)

## No metric Fixes (compared to v4.9.327)

## Test result summary
total: 51324, pass: 44556, fail: 464, skip: 5952, xfail: 352

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 282 total, 277 passed, 5 failed
* arm64: 53 total, 46 passed, 7 failed
* i386: 29 total, 28 passed, 1 failed
* mips: 41 total, 40 passed, 1 failed
* parisc: 12 total, 0 passed, 12 failed
* powerpc: 45 total, 19 passed, 26 failed
* s390: 15 total, 11 passed, 4 failed
* sh: 24 total, 24 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x86_64: 48 total, 47 passed, 1 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kunit
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-filecaps
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-fsx
* ltp-hugetlb
* ltp-io
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-securebits
* ltp-syscalls
* ltp-tracing
* network-basic-tests
* packetdrill
* v4l2-compliance
* vdso

--
Linaro LKFT
https://lkft.linaro.org


* Re: [PATCH 4.9 00/42] 4.9.328-rc1 review
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2022-09-14 12:40 ` Naresh Kamboju
@ 2022-09-14 15:26 ` Jon Hunter
  2022-09-14 17:46 ` Florian Fainelli
  2022-09-15  0:16 ` Guenter Roeck
  46 siblings, 0 replies; 50+ messages in thread
From: Jon Hunter @ 2022-09-14 15:26 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, slade, linux-tegra

On Tue, 13 Sep 2022 16:07:31 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.328 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 15 Sep 2022 14:03:27 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.328-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v4.9:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    32 tests:	32 pass, 0 fail

Linux version:	4.9.328-rc1-g3ed886339090
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Tested-by: Jon Hunter <jonathanh@nvidia.com>

Jon


* Re: [PATCH 4.9 00/42] 4.9.328-rc1 review
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2022-09-14 15:26 ` Jon Hunter
@ 2022-09-14 17:46 ` Florian Fainelli
  2022-09-15  0:16 ` Guenter Roeck
  46 siblings, 0 replies; 50+ messages in thread
From: Florian Fainelli @ 2022-09-14 17:46 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, sudipm.mukherjee, slade

On 9/13/22 07:07, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.328 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 15 Sep 2022 14:03:27 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.328-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on 
BMIPS_GENERIC:

Tested-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian


* Re: [PATCH 4.9 00/42] 4.9.328-rc1 review
  2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2022-09-14 17:46 ` Florian Fainelli
@ 2022-09-15  0:16 ` Guenter Roeck
  46 siblings, 0 replies; 50+ messages in thread
From: Guenter Roeck @ 2022-09-15  0:16 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, torvalds, akpm, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	slade

On Tue, Sep 13, 2022 at 04:07:31PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.328 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 15 Sep 2022 14:03:27 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 164 pass: 164 fail: 0
Qemu test results:
	total: 395 pass: 395 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter


* Re: [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error
  2022-09-13 14:07 ` [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
@ 2022-11-23  6:34   ` Ulrich Hecht
  2022-11-30 16:41     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 50+ messages in thread
From: Ulrich Hecht @ 2022-11-23  6:34 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Zheyu Ma, Letu Ren, Helge Deller, Sasha Levin, pavel


> On 09/13/2022 4:07 PM CEST Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> 
>  
> From: Letu Ren <fantasquex@gmail.com>
> 
> commit 19f953e7435644b81332dd632ba1b2d80b1e37af upstream.
> 
> In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be
> copied from user, then go through `fb_set_var()` and
> `info->fbops->fb_check_var()` which could be `pm2fb_check_var()`.
> Along the path, `var->pixclock` won't be modified. This function checks
> whether reciprocal of `var->pixclock` is too high. If `var->pixclock` is
> zero, there will be a divide by zero error. So, it is necessary to check
> whether denominator is zero to avoid crash. As this bug is found by
> Syzkaller, logs are listed below.
> 
> divide error in pm2fb_check_var
> Call Trace:
>  <TASK>
>  fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015
>  do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
>  fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189
> 
> Reported-by: Zheyu Ma <zheyuma97@gmail.com>
> Signed-off-by: Letu Ren <fantasquex@gmail.com>
> Signed-off-by: Helge Deller <deller@gmx.de>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  drivers/video/fbdev/pm2fb.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c
> index 9b32b9fc44a5c..50b569d047b10 100644
> --- a/drivers/video/fbdev/pm2fb.c
> +++ b/drivers/video/fbdev/pm2fb.c
> @@ -619,6 +619,11 @@ static int pm2fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
>  		return -EINVAL;
>  	}
>  
> +	if (!var->pixclock) {
> +		DPRINTK("pixclock is zero\n");
> +		return -EINVAL;
> +	}
> +
>  	if (PICOS2KHZ(var->pixclock) > PM2_MAX_PIXCLOCK) {
>  		DPRINTK("pixclock too high (%ldKHz)\n",
>  			PICOS2KHZ(var->pixclock));
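Review bot: Every line this hunk changes in pm2fb_check_var() is an addition placed between unchanged context lines, so it applies without conflict to a tree that already contains the same guard and leaves two identical `if (!var->pixclock)` blocks back to back. The second copy can never be reached with a zero pixclock, so behaviour is unchanged, but it is dead code. Checking the upstream commit id (19f953e7435644b81332dd632ba1b2d80b1e37af) against the linux-4.9.y history before queueing would catch a repeat like this.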
> -- 
> 2.35.1

This is a duplicate, the same patch has already been applied in 4.9.327 (0f1174f4972ea9fad6becf8881d71adca8e9ca91), so the above snippet of code is now in there twice.

Doesn't make a difference in functionality in this case, I just happened to notice it when reviewing backports from 4.9 for the CIP 4.4-stable tree.

CU
Uli


* Re: [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error
  2022-11-23  6:34   ` Ulrich Hecht
@ 2022-11-30 16:41     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 50+ messages in thread
From: Greg Kroah-Hartman @ 2022-11-30 16:41 UTC (permalink / raw)
  To: Ulrich Hecht
  Cc: linux-kernel, stable, Zheyu Ma, Letu Ren, Helge Deller,
	Sasha Levin, pavel

On Wed, Nov 23, 2022 at 07:34:39AM +0100, Ulrich Hecht wrote:
> 
> > On 09/13/2022 4:07 PM CEST Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > 
> >  
> > From: Letu Ren <fantasquex@gmail.com>
> > 
> > commit 19f953e7435644b81332dd632ba1b2d80b1e37af upstream.
> > 
> > In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be
> > copied from user, then go through `fb_set_var()` and
> > `info->fbops->fb_check_var()` which could be `pm2fb_check_var()`.
> > Along the path, `var->pixclock` won't be modified. This function checks
> > whether reciprocal of `var->pixclock` is too high. If `var->pixclock` is
> > zero, there will be a divide by zero error. So, it is necessary to check
> > whether denominator is zero to avoid crash. As this bug is found by
> > Syzkaller, logs are listed below.
> > 
> > divide error in pm2fb_check_var
> > Call Trace:
> >  <TASK>
> >  fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015
> >  do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
> >  fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189
> > 
> > Reported-by: Zheyu Ma <zheyuma97@gmail.com>
> > Signed-off-by: Letu Ren <fantasquex@gmail.com>
> > Signed-off-by: Helge Deller <deller@gmx.de>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> >  drivers/video/fbdev/pm2fb.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c
> > index 9b32b9fc44a5c..50b569d047b10 100644
> > --- a/drivers/video/fbdev/pm2fb.c
> > +++ b/drivers/video/fbdev/pm2fb.c
> > @@ -619,6 +619,11 @@ static int pm2fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
> >  		return -EINVAL;
> >  	}
> >  
> > +	if (!var->pixclock) {
> > +		DPRINTK("pixclock is zero\n");
> > +		return -EINVAL;
> > +	}
> > +
> >  	if (PICOS2KHZ(var->pixclock) > PM2_MAX_PIXCLOCK) {
> >  		DPRINTK("pixclock too high (%ldKHz)\n",
> >  			PICOS2KHZ(var->pixclock));
> > -- 
> > 2.35.1
> 
> This is a duplicate, the same patch has already been applied in 4.9.327 (0f1174f4972ea9fad6becf8881d71adca8e9ca91), so the above snippet of code is now in there twice.
> 
> Doesn't make a difference in functionality in this case, I just happened to notice it when reviewing backports from 4.9 for the CIP 4.4-stable tree.

Good catch, want to send a revert for this to fix it up?

thanks,

greg k-h
