* [PATCH 4.9 000/251] 4.9.337-rc1 review
@ 2023-01-05 12:52 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow

-------------------------------------------
NOTE:

This is going to be the LAST 4.9.y release to be made by the stable/LTS
kernel maintainers.  After this release, it will be end-of-life and you
should not use it at all.  You should have moved to a newer kernel
branch by now (as seen on the https://kernel.org/category/releases.html
page), but if NOT, and this is going to be a real hardship, please
contact me directly.
-------------------------------------------

This is the start of the stable review cycle for the 4.9.337 release.
There are 251 patches in this series, all of which will be posted as
responses to this one.  If anyone has any issues with these being
applied, please let me know.

Responses should be made by Sat, 07 Jan 2023 12:52:55 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.337-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.337-rc1

Jan Kara <jack@suse.cz>
    ext4: initialize quota before expanding inode in setproject ioctl

Jan Kara <jack@suse.cz>
    ext4: avoid BUG_ON when creating xattrs

Luís Henriques <lhenriques@suse.de>
    ext4: fix error code return to user-space in ext4_get_branch()

Ye Bin <yebin10@huawei.com>
    ext4: init quota for 'old.inode' in 'ext4_rename'

Baokun Li <libaokun1@huawei.com>
    ext4: fix bug_on in __es_tree_search caused by bad boot loader inode

Gaosheng Cui <cuigaosheng1@huawei.com>
    ext4: fix undefined behavior in bit shift for ext4_check_flag_values

Baokun Li <libaokun1@huawei.com>
    ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop

Zack Rusin <zackr@vmware.com>
    drm/vmwgfx: Validate the box size for the snooped cursor

Simon Ser <contact@emersion.fr>
    drm/connector: send hotplug uevent on connector cleanup

Wang Weiyang <wangweiyang2@huawei.com>
    device_cgroup: Roll back to original exceptions after copy failure

Shang XiaoJing <shangxiaojing@huawei.com>
    parisc: led: Fix potential null-ptr-deref in start_task()

Kim Phillips <kim.phillips@amd.com>
    iommu/amd: Fix ivrs_acpihid cmdline parsing code

Corentin Labbe <clabbe@baylibre.com>
    crypto: n2 - add missing hash statesize

Sascha Hauer <s.hauer@pengutronix.de>
    PCI/sysfs: Fix double free in error path

Paulo Alcantara <pc@cjr.nz>
    cifs: fix confusing debug message

Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
    media: dvb-core: Fix double free in dvb_register_device()

Nick Desaulniers <ndesaulniers@google.com>
    ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod

Yang Jihong <yangjihong1@huawei.com>
    tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line

Mike Snitzer <snitzer@kernel.org>
    dm cache: set needs_check flag after aborting metadata

Luo Meng <luomeng12@huawei.com>
    dm cache: Fix UAF in destroy()

Luo Meng <luomeng12@huawei.com>
    dm thin: Fix UAF in run_timer_softirq()

Zhihao Cheng <chengzhihao1@huawei.com>
    dm thin: Use last transaction's pmd->root when commit failed

Mike Snitzer <snitzer@kernel.org>
    dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort

Jason A. Donenfeld <Jason@zx2c4.com>
    ARM: ux500: do not directly dereference __iomem

Steven Rostedt <rostedt@goodmis.org>
    ktest.pl minconfig: Unset configs instead of just removing them

Jason A. Donenfeld <Jason@zx2c4.com>
    media: stv0288: use explicitly signed char

Deren Wu <deren.wu@mediatek.com>
    mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING

Mikulas Patocka <mpatocka@redhat.com>
    md: fix a crash in mempool_free

Christian Brauner <brauner@kernel.org>
    pnode: terminate at peers of source

Artem Egorkine <arteme@gmail.com>
    ALSA: line6: fix stack overflow in line6_midi_transmit

Artem Egorkine <arteme@gmail.com>
    ALSA: line6: correct midi status byte when receiving data from podxt

Aditya Garg <gargaditya08@live.com>
    hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount

Terry Junge <linuxhid@cosmicgizmosystems.com>
    HID: plantronics: Additional PIDs for double volume key presses quirk

Nathan Lynch <nathanl@linux.ibm.com>
    powerpc/rtas: avoid scheduling in rtas_os_term()

Rickard x Andersson <rickaran@axis.com>
    gcov: add support for checksum field

Nuno Sá <nuno.sa@analog.com>
    iio: adc: ad_sigma_delta: do not use internal iio_dev lock

Roberto Sassu <roberto.sassu@huawei.com>
    reiserfs: Add missing calls to reiserfs_security_free()

Jason Gerecke <killertofu@gmail.com>
    HID: wacom: Ensure bootloader PID is usable in hidraw mode

Hans de Goede <hdegoede@redhat.com>
    ASoC: rt5670: Remove unbalanced pm_runtime_put()

Wang Jingjin <wangjingjin1@huawei.com>
    ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()

Marek Szyprowski <m.szyprowski@samsung.com>
    ASoC: wm8994: Fix potential deadlock

Wang Yufen <wangyufen@huawei.com>
    ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()

Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()

Nathan Chancellor <nathan@kernel.org>
    drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()

Nathan Chancellor <nathan@kernel.org>
    drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()

Xiu Jianfeng <xiujianfeng@huawei.com>
    clk: st: Fix memory leak in st_of_quadfs_setup()

Shigeru Yoshida <syoshida@redhat.com>
    media: si470x: Fix use-after-free in si470x_int_in_callback()

Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    mmc: f-sdh30: Add quirks for broken timeout clock capability

Ye Bin <yebin10@huawei.com>
    blk-mq: fix possible memleak when register 'hctx' failed

Mazin Al Haddad <mazinalhaddad05@gmail.com>
    media: dvb-usb: fix memory leak in dvb_usb_adapter_init()

Yan Lei <yan_lei@dahuatech.com>
    media: dvb-frontends: fix leak of memory fw

Stanislav Fomichev <sdf@google.com>
    ppp: associate skb with a device at tx

Schspa Shi <schspa@gmail.com>
    mrp: introduce active flags to prevent UAF when applicant uninit

Jiang Li <jiang.li@ugreen.com>
    md/raid1: stop mdx_raid1 thread when raid1 array run failed

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/sti: Use drm_mode_copy()

Nathan Chancellor <nathan@kernel.org>
    s390/lcs: Fix return type of lcs_start_xmit()

Nathan Chancellor <nathan@kernel.org>
    s390/netiucv: Fix return type of netiucv_tx()

Nathan Chancellor <nathan@kernel.org>
    s390/ctcm: Fix return type of ctc{mp,}m_tx()

Kees Cook <keescook@chromium.org>
    igb: Do not free q_vector unless new one was allocated

Minsuk Kang <linuxlovemin@yonsei.ac.kr>
    wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()

Nathan Chancellor <nathan@kernel.org>
    hamradio: baycom_epp: Fix return type of baycom_send_packet()

Nathan Chancellor <nathan@kernel.org>
    net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()

Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
    ipmi: fix memleak when unload ipmi driver

Shigeru Yoshida <syoshida@redhat.com>
    wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out

Fedor Pchelkin <pchelkin@ispras.ru>
    wifi: ath9k: verify the expected usb_endpoints are present

ZhangPeng <zhangpeng362@huawei.com>
    hfs: fix OOB Read in __hfs_brec_find

Zheng Yejian <zhengyejian1@huawei.com>
    acct: fix potential integer overflow in encode_comp_t()

Ryusuke Konishi <konishi.ryusuke@gmail.com>
    nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPICA: Fix error code path in acpi_ds_call_control_method()

Hoi Pok Wu <wuhoipok@gmail.com>
    fs: jfs: fix shift-out-of-bounds in dbDiscardAG

Shigeru Yoshida <syoshida@redhat.com>
    udf: Avoid double brelse() in udf_rename()

Dongliang Mu <mudongliangabcd@gmail.com>
    fs: jfs: fix shift-out-of-bounds in dbAllocAG

Liu Shixin <liushixin2@huawei.com>
    binfmt_misc: fix shift-out-of-bounds in check_special_flags

Eric Dumazet <edumazet@google.com>
    net: stream: purge sk_error_queue in sk_stream_kill_queues()

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    myri10ge: Fix an error handling path in myri10ge_probe()

Cong Wang <cong.wang@bytedance.com>
    net_sched: reject TCF_EM_SIMPLE case for complex ematch module

Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
    skbuff: Account for tail adjustment during pull operations

Eelco Chaudron <echaudro@redhat.com>
    openvswitch: Fix flow lookup to use unmasked key

Li Zetao <lizetao1@huawei.com>
    r6040: Fix kmemleak in probe and remove

Minsuk Kang <linuxlovemin@yonsei.ac.kr>
    nfc: pn533: Clear nfc_target before being used

Yang Yingliang <yangyingliang@huawei.com>
    mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()

Dan Aloni <dan.aloni@vastdata.com>
    nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure

Gaosheng Cui <cuigaosheng1@huawei.com>
    rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()

Miaoqian Lin <linmq006@gmail.com>
    selftests/powerpc: Fix resource leaks

Kajol Jain <kjain@linux.ibm.com>
    powerpc/hv-gpci: Fix hv_gpci event list

Yang Yingliang <yangyingliang@huawei.com>
    powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()

Nicholas Piggin <npiggin@gmail.com>
    powerpc/perf: callchain validate kernel stack pointer bounds

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    powerpc/52xx: Fix a resource leak in an error handling path

Xie Shaowen <studentxswpy@163.com>
    macintosh/macio-adb: check the return value of ioremap()

Yang Yingliang <yangyingliang@huawei.com>
    macintosh: fix possible memory leak in macio_add_one_device()

Yuan Can <yuancan@huawei.com>
    iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()

Stefan Eichenberger <stefan.eichenberger@toradex.com>
    rtc: snvs: Allow a time difference on clock register read

Matt Redfearn <matt.redfearn@mips.com>
    include/uapi/linux/swab: Fix potentially missing __always_inline

Yuan Can <yuancan@huawei.com>
    HSI: omap_ssi_core: Fix error handling in ssi_init()

Zeng Heng <zengheng4@huawei.com>
    power: supply: fix residue sysfs file in error handle route of __power_supply_register()

Yang Yingliang <yangyingliang@huawei.com>
    HSI: omap_ssi_core: fix possible memory leak in ssi_probe()

Yang Yingliang <yangyingliang@huawei.com>
    HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    fbdev: vermilion: decrease reference count in error path

Shang XiaoJing <shangxiaojing@huawei.com>
    fbdev: via: Fix error in via_core_init()

Yang Yingliang <yangyingliang@huawei.com>
    fbdev: pm2fb: fix missing pci_disable_device()

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    fbdev: ssd1307fb: Drop optional dependency

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    usb: storage: Add check for kcalloc

Zheyu Ma <zheyuma97@gmail.com>
    i2c: ismt: Fix an out-of-bounds bug in ismt_access()

Chen Zhongjin <chenzhongjin@huawei.com>
    vme: Fix error not catched in fake_init()

YueHaibing <yuehaibing@huawei.com>
    staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()

Dan Carpenter <error27@gmail.com>
    staging: rtl8192u: Fix use after free in ieee80211_rx()

Hui Tang <tanghui20@huawei.com>
    i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe

Yang Yingliang <yangyingliang@huawei.com>
    chardev: fix error handling in cdev_device_add()

Yang Yingliang <yangyingliang@huawei.com>
    mcb: mcb-parse: fix error handing in chameleon_parse_gdd()

Zhengchao Shao <shaozhengchao@huawei.com>
    drivers: mcb: fix resource leak in mcb_probe()

Yang Yingliang <yangyingliang@huawei.com>
    cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()

Yang Yingliang <yangyingliang@huawei.com>
    cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()

Zheng Wang <zyytlz.wz@163.com>
    misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os

ruanjinjie <ruanjinjie@huawei.com>
    misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()

Yuan Can <yuancan@huawei.com>
    serial: sunsab: Fix error handling in sunsab_init()

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    serial: pch: Fix PCI device refcount leak in pch_request_dma()

Jiamei Xie <jiamei.xie@arm.com>
    serial: amba-pl011: avoid SBSA UART accessing DMACR register

Gaosheng Cui <cuigaosheng1@huawei.com>
    staging: vme_user: Fix possible UAF in tsi148_dma_list_add

Linus Walleij <linus.walleij@linaro.org>
    usb: fotg210-udc: Fix ages old endianness issues

Rafael Mendonca <rafaelmendsr@gmail.com>
    uio: uio_dmem_genirq: Fix deadlock between irq config and handling

Rafael Mendonca <rafaelmendsr@gmail.com>
    uio: uio_dmem_genirq: Fix missing unlock in irq configuration

Rafael Mendonca <rafaelmendsr@gmail.com>
    vfio: platform: Do not pass return buffer to ACPI _RST method

Yang Yingliang <yangyingliang@huawei.com>
    drivers: dio: fix possible memory leak in dio_init()

Dragos Tatulea <dtatulea@nvidia.com>
    IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    hwrng: geode - Fix PCI device refcount leak

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    hwrng: amd - Fix PCI device refcount leak

Gaosheng Cui <cuigaosheng1@huawei.com>
    crypto: img-hash - Fix variable dereferenced before check 'hdev->req'

Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    orangefs: Fix sysfs not cleanup when dev init failed

Gaosheng Cui <cuigaosheng1@huawei.com>
    scsi: snic: Fix possible UAF in snic_tgt_create()

Chen Zhongjin <chenzhongjin@huawei.com>
    scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails

Shang XiaoJing <shangxiaojing@huawei.com>
    scsi: ipr: Fix WARNING in ipr_init()

Yang Yingliang <yangyingliang@huawei.com>
    scsi: fcoe: Fix possible name leak when device_register() fails

Yang Yingliang <yangyingliang@huawei.com>
    scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()

Yang Yingliang <yangyingliang@huawei.com>
    scsi: hpsa: Fix error handling in hpsa_add_sas_host()

Piergiorgio Beruto <piergiorgio.beruto@gmail.com>
    stmmac: fix potential division by 0

Yang Yingliang <yangyingliang@huawei.com>
    Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()

Eric Pilmore <epilmore@gigaio.com>
    ntb_netdev: Use dev_kfree_skb_any() in interrupt context

Yang Yingliang <yangyingliang@huawei.com>
    net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()

Yang Yingliang <yangyingliang@huawei.com>
    net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()

Hangbin Liu <liuhangbin@gmail.com>
    net/tunnel: wait until all sk_user_data reader finish before releasing the sock

Li Zetao <lizetao1@huawei.com>
    net: farsync: Fix kmemleak when rmmods farsync

Yang Yingliang <yangyingliang@huawei.com>
    ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()

Yuan Can <yuancan@huawei.com>
    drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()

Yongqiang Liu <liuyongqiang13@huawei.com>
    net: defxx: Fix missing err handling in dfx_init()

Artem Chernyshev <artem.chernyshev@red-soft.ru>
    net: vmw_vsock: vmci: Check memcpy_from_msg()

Yang Jihong <yangjihong1@huawei.com>
    blktrace: Fix output non-blktrace event when blk_classic option enabled

Wang Yufen <wangyufen@huawei.com>
    wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()

Bitterblue Smith <rtl8821cerfe2@gmail.com>
    wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    media: coda: Add check for kmalloc

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    media: coda: Add check for dcoda_iram_alloc

Liang He <windhl@126.com>
    media: c8sectpfe: Add of_node_put() when breaking out of loop

Yang Yingliang <yangyingliang@huawei.com>
    mmc: mmci: fix return value check of mmc_add_host()

Yang Yingliang <yangyingliang@huawei.com>
    mmc: wbsd: fix return value check of mmc_add_host()

Yang Yingliang <yangyingliang@huawei.com>
    mmc: via-sdmmc: fix return value check of mmc_add_host()

Yang Yingliang <yangyingliang@huawei.com>
    mmc: vub300: fix return value check of mmc_add_host()

Yang Yingliang <yangyingliang@huawei.com>
    mmc: toshsd: fix return value check of mmc_add_host()

Yang Yingliang <yangyingliang@huawei.com>
    mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()

Yang Yingliang <yangyingliang@huawei.com>
    mmc: mxcmmc: fix return value check of mmc_add_host()

Yang Yingliang <yangyingliang@huawei.com>
    mmc: moxart: fix return value check of mmc_add_host()

Wang ShaoBo <bobo.shaobowang@huawei.com>
    SUNRPC: Fix missing release socket in rpc_sockname()

Gaosheng Cui <cuigaosheng1@huawei.com>
    ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt

Liu Shixin <liushixin2@huawei.com>
    media: saa7164: fix missing pci_disable_device()

Yang Yingliang <yangyingliang@huawei.com>
    regulator: core: fix module refcount leak in set_supply()

Dan Carpenter <error27@gmail.com>
    bonding: uninitialized variable in bond_miimon_inspect()

Zhang Qilong <zhangqilong3@huawei.com>
    ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()

Liu Shixin <liushixin2@huawei.com>
    ALSA: asihpi: fix missing pci_disable_device()

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4.2: Fix a memory stomp in decode_attr_security_label

Baisong Zhong <zhongbaisong@huawei.com>
    media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()

ZhangPeng <zhangpeng362@huawei.com>
    pinctrl: pinconf-generic: add missing of_node_put()

Gautam Menghani <gautammenghani201@gmail.com>
    media: imon: fix a race condition in send_packet()

Zheng Yongjun <zhengyongjun3@huawei.com>
    mtd: maps: pxa2xx-flash: fix memory leak in probe

Xiu Jianfeng <xiujianfeng@huawei.com>
    clk: rockchip: Fix memory leak in rockchip_clk_register_pll()

Baisong Zhong <zhongbaisong@huawei.com>
    ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT

Marcus Folkesson <marcus.folkesson@gmail.com>
    HID: hid-sensor-custom: set fixed size for custom attributes

Yuan Can <yuancan@huawei.com>
    media: platform: exynos4-is: Fix error handling in fimc_md_init()

Yang Yingliang <yangyingliang@huawei.com>
    media: solo6x10: fix possible memory leak in solo_sysfs_init()

Douglas Anderson <dianders@chromium.org>
    Input: elants_i2c - properly handle the reset GPIO when power is off

Hui Tang <tanghui20@huawei.com>
    mtd: lpddr2_nvm: Fix possible null-ptr-deref

Xiu Jianfeng <xiujianfeng@huawei.com>
    wifi: ath10k: Fix return value in ath10k_pci_init()

Xiu Jianfeng <xiujianfeng@huawei.com>
    ima: Fix misuse of dereference of pointer in template_desc_init_fields()

Yang Yingliang <yangyingliang@huawei.com>
    regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()

Zeng Heng <zengheng4@huawei.com>
    ASoC: pxa: fix null-pointer dereference in filter()

Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    mtd: Fix device name leak when register device failed in add_mtd_device()

Liu Shixin <liushixin2@huawei.com>
    media: vivid: fix compose size exceed boundary

Ricardo Ribalda <ribalda@chromium.org>
    media: i2c: ad5820: Fix error path

Fedor Pchelkin <pchelkin@ispras.ru>
    wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()

Fedor Pchelkin <pchelkin@ispras.ru>
    wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()

Cai Xinchen <caixinchen1@huawei.com>
    rapidio: devices: fix missing put_device in mport_cdev_open

ZhangPeng <zhangpeng362@huawei.com>
    hfs: Fix OOB Write in hfs_asc2mac

Zhang Qilong <zhangqilong3@huawei.com>
    eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD

Wang Weiyang <wangweiyang2@huawei.com>
    rapidio: fix possible UAF when kfifo_alloc() fails

Chen Zhongjin <chenzhongjin@huawei.com>
    fs: sysv: Fix sysv_nblocks() returns wrong value

Anastasia Belova <abelova@astralinux.ru>
    MIPS: BCM63xx: Add check for NULL for clk in clk_enable

Xiu Jianfeng <xiujianfeng@huawei.com>
    x86/xen: Fix memory leak in xen_init_lock_cpu()

Oleg Nesterov <oleg@redhat.com>
    uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix

Li Zetao <lizetao1@huawei.com>
    ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()

Yang Yingliang <yangyingliang@huawei.com>
    rapidio: rio: fix possible name leak in rio_register_mport()

Yang Yingliang <yangyingliang@huawei.com>
    rapidio: fix possible name leaks when rio_add_device() fails

Akinobu Mita <akinobu.mita@gmail.com>
    lib/notifier-error-inject: fix error when writing -errno to debugfs file

Akinobu Mita <akinobu.mita@gmail.com>
    libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value

Shang XiaoJing <shangxiaojing@huawei.com>
    irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()

Yang Yingliang <yangyingliang@huawei.com>
    PNP: fix name memory leak in pnp_alloc_dev()

Yang Yingliang <yangyingliang@huawei.com>
    MIPS: vpe-cmp: fix possible memory leak while module exiting

Yang Yingliang <yangyingliang@huawei.com>
    MIPS: vpe-mt: fix possible memory leak while module exiting

Shang XiaoJing <shangxiaojing@huawei.com>
    ocfs2: fix memory leak in ocfs2_stack_glue_init()

Barnabás Pőcze <pobrn@protonmail.com>
    timerqueue: Use rb_entry_safe() in timerqueue_getnext()

Chen Zhongjin <chenzhongjin@huawei.com>
    perf: Fix possible memleak in pmu_dev_alloc()

Ondrej Mosnacek <omosnace@redhat.com>
    fs: don't audit the capability check in simple_xattr_list()

xiongxin <xiongxin@kylinos.cn>
    PM: hibernate: Fix mistake in kerneldoc comment

Al Viro <viro@zeniv.linux.org.uk>
    alpha: fix syscall entry in !AUDUT_SYSCALL case

Ulf Hansson <ulf.hansson@linaro.org>
    cpuidle: dt: Return the correct numbers of parsed idle states

Stephen Boyd <swboyd@chromium.org>
    pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP

Doug Brown <doug@schmorgal.com>
    ARM: mmp: fix timer_read delay

Pali Rohár <pali@kernel.org>
    ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port

Pali Rohár <pali@kernel.org>
    ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port

Pali Rohár <pali@kernel.org>
    ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port

Pali Rohár <pali@kernel.org>
    ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port

Pali Rohár <pali@kernel.org>
    ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port

Pali Rohár <pali@kernel.org>
    ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port

Zhang Qilong <zhangqilong3@huawei.com>
    soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe

Kory Maincent <kory.maincent@bootlin.com>
    arm: dts: spear600: Fix clcd interrupt

Chen Jiahao <chenjiahao16@huawei.com>
    drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    net: loopback: use NET_NAME_PREDICTABLE for name_assign_type

Sungwoo Kim <iam@sung-woo.kim>
    Bluetooth: L2CAP: Fix u8 overflow

Bruno Thomsen <bruno.thomsen@gmail.com>
    USB: serial: cp210x: add Kamstrup RF sniffer PIDs

Szymon Heidrich <szymon.heidrich@gmail.com>
    usb: gadget: uvc: Prevent buffer overflow in setup handler

Jan Kara <jack@suse.cz>
    udf: Fix extending file within last block

Jan Kara <jack@suse.cz>
    udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size

Jan Kara <jack@suse.cz>
    udf: Fix preallocation discarding at indirect extent boundary

Jan Kara <jack@suse.cz>
    udf: Drop unused arguments of udf_delete_aext()

Jan Kara <jack@suse.cz>
    udf: Discard preallocation before extending file with a hole

Charles Keepax <ckeepax@opensource.cirrus.com>
    ASoC: ops: Correct bounds check for second channel on SX controls

Heiko Schocher <hs@denx.de>
    can: sja1000: fix size of OCR_MODE_MASK define

Mark Brown <broonie@kernel.org>
    ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()

Ming Lei <ming.lei@redhat.com>
    block: unhash blkdev part inode when the part is deleted

Jann Horn <jannh@google.com>
    mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

Jann Horn <jannh@google.com>
    mm/khugepaged: fix GUP-fast interaction by sending IPI


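The pseudo-shortlog above is the only summary a team still running 4.9.y has of what this final release fixes, and the EOL note means nothing after it will be backported. As an added example, not part of Greg's announcement or of the stable tree's own tooling, the POSIX shell snippet below filters a shortlog in the format used above for subjects that name a memory-safety or undefined-behaviour bug class (use-after-free, out-of-bounds, double free, overflow, shift-out-of-bounds, NULL dereference). The keyword list and the five-entry sample embedded in the script are constructed for the example; the `memsafety_subjects` function reads a real shortlog from stdin. Subject wording is only a heuristic: a fix whose title names no bug class (the khugepaged GUP-fast IPI fix, for instance) can still matter, so this narrows the reading list rather than replacing it.

```shell
#!/bin/sh
# Added example: triage a stable-rc pseudo-shortlog for memory-safety and
# UB-class fixes. Not part of the stable tree's tooling; the keyword list
# below is our own heuristic and the sample shortlog is constructed.

# Constructed sample in the announcement's "Author <email>" / indented
# subject layout (five entries, three of which name a bug class).
SAMPLE_SHORTLOG='Jann Horn <jannh@google.com>
    mm/khugepaged: fix GUP-fast interaction by sending IPI

ZhangPeng <zhangpeng362@huawei.com>
    hfs: Fix OOB Write in hfs_asc2mac

Nathan Chancellor <nathan@kernel.org>
    s390/lcs: Fix return type of lcs_start_xmit()

Luo Meng <luomeng12@huawei.com>
    dm cache: Fix UAF in destroy()

Shang XiaoJing <shangxiaojing@huawei.com>
    parisc: led: Fix potential null-ptr-deref in start_task()
'

# memsafety_subjects: read a pseudo-shortlog on stdin and print only the
# subject lines whose wording points at a memory-safety or UB bug class.
# Subject lines are the indented ones; author lines are flush-left.
memsafety_subjects() {
    grep -E '^[[:space:]]+' \
      | sed 's/^[[:space:]]*//' \
      | grep -iE 'use-after-free|(^|[^[:alnum:]])(uaf|oob)([^[:alnum:]]|$)|out-of-bounds|double free|overflow|null-ptr-deref|undefined behavior'
}

# count_memsafety: number of matching subjects in the embedded sample.
count_memsafety() {
    printf '%s' "$SAMPLE_SHORTLOG" | memsafety_subjects | wc -l | tr -d ' '
}

# Stand-alone use: list the matching subjects from the embedded sample.
# For a real review cycle, feed the announcement body instead:
#   sed -n '/^Pseudo-Shortlog/,/^Diffstat/p' announcement.txt | memsafety_subjects
printf '%s' "$SAMPLE_SHORTLOG" | memsafety_subjects
```

The two `grep` stages are kept separate so the indentation test (which line is a subject) does not get tangled with the keyword test; the word-boundary brackets around `uaf`/`oob` avoid matching those letters inside unrelated identifiers.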
-------------

Diffstat:

 Makefile                                           |  4 +-
 arch/alpha/kernel/entry.S                          |  4 +-
 arch/arm/boot/dts/armada-370.dtsi                  |  2 +-
 arch/arm/boot/dts/armada-375.dtsi                  |  2 +-
 arch/arm/boot/dts/armada-380.dtsi                  |  4 +-
 arch/arm/boot/dts/armada-385.dtsi                  |  6 +-
 arch/arm/boot/dts/armada-39x.dtsi                  |  6 +-
 arch/arm/boot/dts/armada-xp-mv78230.dtsi           |  8 +--
 arch/arm/boot/dts/armada-xp-mv78260.dtsi           | 16 ++---
 arch/arm/boot/dts/dove.dtsi                        |  2 +-
 arch/arm/boot/dts/spear600.dtsi                    |  2 +-
 arch/arm/mach-mmp/time.c                           | 11 +--
 arch/arm/nwfpe/Makefile                            |  6 ++
 arch/mips/bcm63xx/clk.c                            |  2 +
 arch/mips/kernel/vpe-cmp.c                         |  4 +-
 arch/mips/kernel/vpe-mt.c                          |  4 +-
 arch/powerpc/kernel/rtas.c                         |  7 +-
 arch/powerpc/perf/callchain.c                      |  1 +
 arch/powerpc/perf/hv-gpci-requests.h               |  4 ++
 arch/powerpc/perf/hv-gpci.c                        | 33 ++++++++-
 arch/powerpc/perf/hv-gpci.h                        |  1 +
 arch/powerpc/perf/req-gen/perf.h                   | 20 ++++++
 arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c      |  1 +
 arch/powerpc/platforms/83xx/mpc832x_rdb.c          |  2 +-
 arch/x86/kernel/uprobes.c                          |  4 +-
 arch/x86/xen/spinlock.c                            |  6 +-
 block/blk-mq-sysfs.c                               | 11 ++-
 block/partition-generic.c                          |  6 ++
 drivers/acpi/acpica/dsmethod.c                     | 10 ++-
 drivers/acpi/acpica/utcopy.c                       |  7 --
 drivers/bluetooth/btusb.c                          |  6 +-
 drivers/bluetooth/hci_bcsp.c                       |  2 +-
 drivers/bluetooth/hci_h5.c                         |  2 +-
 drivers/bluetooth/hci_qca.c                        |  2 +-
 drivers/char/hw_random/amd-rng.c                   | 18 +++--
 drivers/char/hw_random/geode-rng.c                 | 36 +++++++---
 drivers/char/ipmi/ipmi_msghandler.c                |  8 ++-
 drivers/clk/rockchip/clk-pll.c                     |  1 +
 drivers/clk/st/clkgen-fsyn.c                       |  5 +-
 drivers/cpuidle/dt_idle_states.c                   |  2 +-
 drivers/crypto/img-hash.c                          |  8 ++-
 drivers/crypto/n2_core.c                           |  6 ++
 drivers/dio/dio.c                                  |  8 +++
 drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c           |  1 +
 drivers/gpu/drm/drm_connector.c                    |  3 +
 drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c          |  5 +-
 drivers/gpu/drm/radeon/radeon_bios.c               |  1 +
 drivers/gpu/drm/sti/sti_dvo.c                      |  7 +-
 drivers/gpu/drm/sti/sti_hda.c                      |  7 +-
 drivers/gpu/drm/sti/sti_hdmi.c                     |  7 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c                |  3 +-
 drivers/hid/hid-ids.h                              |  3 +
 drivers/hid/hid-plantronics.c                      |  9 +++
 drivers/hid/hid-sensor-custom.c                    |  2 +-
 drivers/hid/wacom_sys.c                            |  8 +++
 drivers/hid/wacom_wac.c                            |  4 ++
 drivers/hid/wacom_wac.h                            |  1 +
 drivers/hsi/controllers/omap_ssi_core.c            | 14 +++-
 drivers/i2c/busses/i2c-ismt.c                      |  3 +
 drivers/i2c/busses/i2c-pxa-pci.c                   | 10 +--
 drivers/iio/adc/ad_sigma_delta.c                   |  8 +--
 drivers/infiniband/ulp/ipoib/ipoib_netlink.c       |  7 ++
 drivers/input/touchscreen/elants_i2c.c             |  9 +--
 drivers/iommu/amd_iommu_init.c                     |  7 ++
 drivers/iommu/fsl_pamu.c                           |  2 +-
 drivers/irqchip/irq-gic-pm.c                       |  2 +-
 drivers/isdn/hardware/mISDN/hfcmulti.c             | 19 +++--
 drivers/isdn/hardware/mISDN/hfcpci.c               | 13 ++--
 drivers/isdn/hardware/mISDN/hfcsusb.c              | 12 ++--
 drivers/macintosh/macio-adb.c                      |  4 ++
 drivers/macintosh/macio_asic.c                     |  2 +-
 drivers/mcb/mcb-core.c                             |  4 +-
 drivers/mcb/mcb-parse.c                            |  2 +-
 drivers/md/dm-cache-metadata.c                     | 55 ++++++++++++--
 drivers/md/dm-cache-target.c                       | 11 +--
 drivers/md/dm-thin-metadata.c                      |  9 +++
 drivers/md/dm-thin.c                               |  2 +
 drivers/md/md.c                                    |  9 ++-
 drivers/md/raid1.c                                 |  1 +
 drivers/media/dvb-core/dvbdev.c                    |  1 +
 drivers/media/dvb-frontends/bcm3510.c              |  1 +
 drivers/media/dvb-frontends/stv0288.c              |  5 +-
 drivers/media/i2c/ad5820.c                         | 10 +--
 drivers/media/pci/saa7164/saa7164-core.c           |  4 +-
 drivers/media/pci/solo6x10/solo6x10-core.c         |  1 +
 drivers/media/platform/coda/coda-bit.c             | 14 ++--
 drivers/media/platform/exynos4-is/fimc-core.c      |  2 +-
 drivers/media/platform/exynos4-is/media-dev.c      |  6 +-
 .../media/platform/sti/c8sectpfe/c8sectpfe-core.c  |  1 +
 drivers/media/platform/vivid/vivid-vid-cap.c       |  1 +
 drivers/media/radio/si470x/radio-si470x-usb.c      |  4 +-
 drivers/media/rc/imon.c                            |  6 +-
 drivers/media/usb/dvb-usb/az6027.c                 |  4 ++
 drivers/media/usb/dvb-usb/dvb-usb-init.c           |  4 +-
 drivers/misc/cxl/guest.c                           | 24 ++++---
 drivers/misc/cxl/pci.c                             | 20 +++---
 drivers/misc/sgi-gru/grufault.c                    | 13 +++-
 drivers/misc/sgi-gru/grumain.c                     | 22 ++++--
 drivers/misc/sgi-gru/grutables.h                   |  2 +-
 drivers/misc/tifm_7xx1.c                           |  2 +-
 drivers/mmc/host/mmci.c                            |  4 +-
 drivers/mmc/host/moxart-mmc.c                      |  4 +-
 drivers/mmc/host/mxcmmc.c                          |  4 +-
 drivers/mmc/host/rtsx_usb_sdmmc.c                  | 11 ++-
 drivers/mmc/host/sdhci_f_sdh30.c                   |  3 +
 drivers/mmc/host/toshsd.c                          |  6 +-
 drivers/mmc/host/via-sdmmc.c                       |  4 +-
 drivers/mmc/host/vub300.c                          | 13 +++-
 drivers/mmc/host/wbsd.c                            | 12 +++-
 drivers/mtd/lpddr/lpddr2_nvm.c                     |  2 +
 drivers/mtd/maps/pxa2xx-flash.c                    |  2 +
 drivers/mtd/mtdcore.c                              |  4 +-
 drivers/net/bonding/bond_main.c                    |  2 +-
 drivers/net/ethernet/amd/atarilance.c              |  2 +-
 drivers/net/ethernet/amd/lance.c                   |  2 +-
 drivers/net/ethernet/apple/bmac.c                  |  2 +-
 drivers/net/ethernet/apple/mace.c                  |  2 +-
 drivers/net/ethernet/dnet.c                        |  4 +-
 drivers/net/ethernet/intel/igb/igb_main.c          |  8 ++-
 drivers/net/ethernet/myricom/myri10ge/myri10ge.c   |  1 +
 drivers/net/ethernet/neterion/s2io.c               |  2 +-
 .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c   |  2 +
 drivers/net/ethernet/rdc/r6040.c                   |  5 +-
 .../net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c  |  3 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h   |  2 +-
 drivers/net/ethernet/ti/netcp_core.c               |  2 +-
 drivers/net/ethernet/xilinx/xilinx_emaclite.c      |  2 +-
 drivers/net/fddi/defxx.c                           | 22 ++++--
 drivers/net/hamradio/baycom_epp.c                  |  2 +-
 drivers/net/hamradio/scc.c                         |  6 +-
 drivers/net/loopback.c                             |  2 +-
 drivers/net/ntb_netdev.c                           |  4 +-
 drivers/net/ppp/ppp_generic.c                      |  2 +
 drivers/net/wan/farsync.c                          |  2 +
 drivers/net/wireless/ath/ar5523/ar5523.c           |  6 ++
 drivers/net/wireless/ath/ath10k/pci.c              | 20 +++---
 drivers/net/wireless/ath/ath9k/hif_usb.c           | 46 +++++++-----
 .../broadcom/brcm80211/brcmfmac/firmware.c         |  5 ++
 .../wireless/broadcom/brcm80211/brcmfmac/pcie.c    |  2 +-
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.c    |  1 +
 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h   |  2 +-
 drivers/nfc/pn533/pn533.c                          |  4 ++
 drivers/parisc/led.c                               |  3 +
 drivers/pci/pci-sysfs.c                            | 13 ++--
 drivers/pinctrl/pinconf-generic.c                  |  4 +-
 drivers/pnp/core.c                                 |  4 +-
 drivers/power/avs/smartreflex.c                    |  1 +
 drivers/power/supply/power_supply_core.c           |  2 +-
 drivers/rapidio/devices/rio_mport_cdev.c           | 15 ++--
 drivers/rapidio/rio-scan.c                         |  8 ++-
 drivers/rapidio/rio.c                              |  9 ++-
 drivers/regulator/core.c                           |  2 +
 drivers/rtc/rtc-snvs.c                             | 16 ++++-
 drivers/rtc/rtc-st-lpc.c                           |  1 +
 drivers/s390/net/ctcm_main.c                       | 11 +--
 drivers/s390/net/lcs.c                             |  8 +--
 drivers/s390/net/netiucv.c                         |  9 +--
 drivers/scsi/fcoe/fcoe.c                           |  1 +
 drivers/scsi/fcoe/fcoe_sysfs.c                     | 19 ++---
 drivers/scsi/hpsa.c                                |  7 +-
 drivers/scsi/ipr.c                                 | 10 ++-
 drivers/scsi/snic/snic_disc.c                      |  3 +
 drivers/soc/ti/knav_qmss_queue.c                   |  2 +-
 drivers/soc/ux500/ux500-soc-id.c                   | 10 ++-
 drivers/staging/rtl8192e/rtllib_rx.c               |  2 +-
 drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c  |  4 +-
 drivers/tty/serial/amba-pl011.c                    |  3 +
 drivers/tty/serial/pch_uart.c                      |  4 ++
 drivers/tty/serial/sunsab.c                        |  8 ++-
 drivers/uio/uio_dmem_genirq.c                      | 13 ++--
 drivers/usb/gadget/function/f_uvc.c                |  5 +-
 drivers/usb/gadget/udc/fotg210-udc.c               | 12 ++--
 drivers/usb/serial/cp210x.c                        |  2 +
 drivers/usb/storage/alauda.c                       |  2 +
 drivers/vfio/platform/vfio_platform_common.c       |  3 +-
 drivers/video/fbdev/Kconfig                        |  1 -
 drivers/video/fbdev/pm2fb.c                        |  9 ++-
 drivers/video/fbdev/uvesafb.c                      |  1 +
 drivers/video/fbdev/vermilion/vermilion.c          |  4 +-
 drivers/video/fbdev/via/via-core.c                 |  9 ++-
 drivers/vme/bridges/vme_fake.c                     |  2 +
 drivers/vme/bridges/vme_tsi148.c                   |  1 +
 fs/binfmt_misc.c                                   |  8 +--
 fs/char_dev.c                                      |  2 +-
 fs/cifs/connect.c                                  |  4 +-
 fs/ext4/ext4.h                                     |  2 +-
 fs/ext4/indirect.c                                 |  9 ++-
 fs/ext4/inode.c                                    | 10 ++-
 fs/ext4/ioctl.c                                    | 10 +--
 fs/ext4/namei.c                                    |  3 +
 fs/ext4/xattr.c                                    |  8 ---
 fs/hfs/inode.c                                     |  2 +
 fs/hfs/trans.c                                     |  2 +-
 fs/hfsplus/hfsplus_fs.h                            |  2 +
 fs/hfsplus/inode.c                                 |  4 +-
 fs/hfsplus/options.c                               |  4 ++
 fs/jfs/jfs_dmap.c                                  | 27 +++++--
 fs/libfs.c                                         | 22 +++++-
 fs/nfs/nfs4proc.c                                  | 19 +++--
 fs/nfs/nfs4xdr.c                                   | 10 ++-
 fs/nfsd/nfs4callback.c                             |  4 +-
 fs/nilfs2/the_nilfs.c                              | 31 ++++++--
 fs/ocfs2/stackglue.c                               |  8 ++-
 fs/orangefs/orangefs-debugfs.c                     |  3 +
 fs/orangefs/orangefs-mod.c                         |  8 +--
 fs/pnode.c                                         |  2 +-
 fs/pstore/ram_core.c                               |  6 +-
 fs/reiserfs/namei.c                                |  4 ++
 fs/reiserfs/xattr_security.c                       |  2 +-
 fs/sysv/itree.c                                    |  2 +-
 fs/udf/balloc.c                                    |  5 +-
 fs/udf/inode.c                                     | 84 ++++++++++------------
 fs/udf/namei.c                                     |  8 +--
 fs/udf/truncate.c                                  | 48 ++++---------
 fs/udf/udfdecl.h                                   |  3 +-
 fs/xattr.c                                         |  2 +-
 include/asm-generic/tlb.h                          |  6 ++
 include/linux/can/platform/sja1000.h               |  2 +-
 include/linux/eventfd.h                            |  2 +-
 include/linux/fs.h                                 | 12 +++-
 include/linux/timerqueue.h                         |  2 +-
 include/net/mrp.h                                  |  1 +
 include/uapi/linux/swab.h                          |  2 +-
 include/uapi/sound/asequencer.h                    |  8 +--
 kernel/acct.c                                      |  2 +
 kernel/events/core.c                               |  8 ++-
 kernel/gcov/gcc_4_7.c                              |  5 ++
 kernel/power/snapshot.c                            |  4 +-
 kernel/trace/blktrace.c                            |  3 +-
 kernel/trace/trace.c                               | 15 +++-
 lib/notifier-error-inject.c                        |  2 +-
 mm/khugepaged.c                                    | 24 ++++++-
 mm/memory.c                                        |  5 ++
 net/802/mrp.c                                      | 18 +++--
 net/bluetooth/hci_core.c                           |  2 +-
 net/bluetooth/l2cap_core.c                         |  3 +-
 net/core/skbuff.c                                  |  3 +
 net/core/stream.c                                  |  6 ++
 net/ipv4/udp_tunnel.c                              |  1 +
 net/openvswitch/datapath.c                         | 25 ++++---
 net/sched/ematch.c                                 |  2 +
 net/sunrpc/clnt.c                                  |  2 +-
 net/vmw_vsock/vmci_transport.c                     |  6 +-
 security/device_cgroup.c                           | 33 +++++++--
 security/integrity/ima/ima_template.c              |  4 +-
 sound/drivers/mts64.c                              |  3 +
 sound/pci/asihpi/hpioctl.c                         |  2 +-
 sound/soc/codecs/pcm512x.c                         |  8 +--
 sound/soc/codecs/rt5670.c                          |  2 -
 sound/soc/codecs/wm8994.c                          |  5 ++
 sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c   |  7 +-
 sound/soc/pxa/mmp-pcm.c                            |  2 +-
 sound/soc/rockchip/rockchip_spdif.c                |  1 +
 sound/soc/soc-ops.c                                |  9 ++-
 sound/usb/line6/driver.c                           |  3 +-
 sound/usb/line6/midi.c                             |  6 +-
 sound/usb/line6/midibuf.c                          | 25 ++++---
 sound/usb/line6/midibuf.h                          |  5 +-
 sound/usb/line6/pod.c                              |  3 +-
 tools/testing/ktest/ktest.pl                       |  3 +-
 .../selftests/powerpc/dscr/dscr_sysfs_test.c       |  5 +-
 261 files changed, 1297 insertions(+), 560 deletions(-)



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 001/251] mm/khugepaged: fix GUP-fast interaction by sending IPI
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jann Horn, Yang Shi,
	David Hildenbrand, John Hubbard, Peter Xu, Andrew Morton

From: Jann Horn <jannh@google.com>

commit 2ba99c5e08812494bc57f319fb562f527d9bacd8 upstream.

Since commit 70cbc3cc78a99 ("mm: gup: fix the fast GUP race against THP
collapse"), the lockless_pages_from_mm() fastpath rechecks the pmd_t to
ensure that the page table was not removed by khugepaged in between.

However, lockless_pages_from_mm() still requires that the page table is
not concurrently freed.  Fix it by sending IPIs (if the architecture uses
semi-RCU-style page table freeing) before freeing/reusing page tables.

Link: https://lkml.kernel.org/r/20221129154730.2274278-2-jannh@google.com
Link: https://lkml.kernel.org/r/20221128180252.1684965-2-jannh@google.com
Link: https://lkml.kernel.org/r/20221125213714.4115729-2-jannh@google.com
Fixes: ba76149f47d8 ("thp: khugepaged")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Yang Shi <shy828301@gmail.com>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[manual backport: two of the three places in khugepaged that can free
ptes were refactored into a common helper between 5.15 and 6.0;
TLB flushing was refactored between 5.4 and 5.10;
TLB flushing was refactored between 4.19 and 5.4;
pmd collapse for PTE-mapped THP was only added in 5.4;
ugly hack for s390 in <=4.19 and arm]
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/asm-generic/tlb.h |    6 ++++++
 mm/khugepaged.c           |   15 +++++++++++++++
 mm/memory.c               |    5 +++++
 3 files changed, 26 insertions(+)

--- a/include/asm-generic/tlb.h
+++ b/include/asm-generic/tlb.h
@@ -60,6 +60,12 @@ struct mmu_table_batch {
 extern void tlb_table_flush(struct mmu_gather *tlb);
 extern void tlb_remove_table(struct mmu_gather *tlb, void *table);
 
+void tlb_remove_table_sync_one(void);
+
+#else
+
+static inline void tlb_remove_table_sync_one(void) { }
+
 #endif
 
 /*
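Review bot: the new declaration lives in the CONFIG_HAVE_RCU_TABLE_FREE branch while the added `#else` supplies an empty inline, so architectures without RCU-style table freeing get a no-op sync. That matches the commit message's reasoning ("if the architecture uses semi-RCU-style page table freeing"), but a one-line comment on the stub saying that such architectures rely on the TLB flush IPI issued by pmdp_collapse_flush() instead would make the assumption explicit. Style: the two declarations directly above use `extern`, so `extern void tlb_remove_table_sync_one(void);` would match them.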
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -20,6 +20,19 @@
 #include <asm/pgalloc.h>
 #include "internal.h"
 
+/* gross hack for <=4.19 stable */
+#if defined(CONFIG_S390) || defined(CONFIG_ARM)
+static void tlb_remove_table_smp_sync(void *arg)
+{
+        /* Simply deliver the interrupt */
+}
+
+static void tlb_remove_table_sync_one(void)
+{
+        smp_call_function(tlb_remove_table_smp_sync, NULL, 1);
+}
+#endif
+
 enum scan_result {
 	SCAN_FAIL,
 	SCAN_SUCCEED,
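Review bot: the bodies of the two hack functions (`/* Simply deliver the interrupt */` and the `smp_call_function(...)` line) are indented with spaces instead of a tab, unlike the rest of mm/khugepaged.c. They also duplicate the definition this same patch adds to mm/memory.c; since the backport note only calls this an "ugly hack for s390 in <=4.19 and arm", a comment stating why those two architectures do not pick up the declaration from asm-generic/tlb.h, and hence need a private copy, would help whoever maintains the 4.9 tree later.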
@@ -1044,6 +1057,7 @@ static void collapse_huge_page(struct mm
 	_pmd = pmdp_collapse_flush(vma, address, pmd);
 	spin_unlock(pmd_ptl);
 	mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
+	tlb_remove_table_sync_one();
 
 	spin_lock(pte_ptl);
 	isolated = __collapse_huge_page_isolate(vma, address, pte);
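Review bot: the ordering is the whole point and deserves a comment in the code rather than only in the commit message: `tlb_remove_table_sync_one()` is issued after `pmdp_collapse_flush()` has cleared the pmd, so a lockless_pages_from_mm() walker that already read the old pmd is forced to finish (the IPI waits for it) before the pte page is touched, while a walker that starts afterwards re-reads the cleared pmd and backs off. Issued before the flush, the IPI would give neither guarantee.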
@@ -1293,6 +1307,7 @@ static void retract_page_tables(struct a
 				_pmd = pmdp_collapse_flush(vma, addr, pmd);
 				spin_unlock(ptl);
 				atomic_long_dec(&mm->nr_ptes);
+				tlb_remove_table_sync_one();
 				pte_free(mm, pmd_pgtable(_pmd));
 			}
 			up_write(&mm->mmap_sem);
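Review bot: the sync is correctly placed before `pte_free(mm, pmd_pgtable(_pmd))`; the page table page must not go back to the allocator until every CPU has acknowledged the IPI, otherwise a GUP-fast walker could still be reading it. Note that this path has no MMU notifier calls around the flush; 002/251 in this series adds them to exactly these lines, so the two patches should be applied together.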
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -349,6 +349,11 @@ static void tlb_remove_table_smp_sync(vo
 	/* Simply deliver the interrupt */
 }
 
+void tlb_remove_table_sync_one(void)
+{
+	smp_call_function(tlb_remove_table_smp_sync, NULL, 1);
+}
+
 static void tlb_remove_table_one(void *table)
 {
 	/*
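Review bot: `smp_call_function(..., wait=1)` blocks until every other online CPU has run the empty callback and must be called with interrupts enabled; both callers in this patch invoke it after the page-table spinlock has been dropped, which satisfies that. A short comment stating the contract (interrupts on, cost is one broadcast IPI) would help, because the name alone does not suggest a cross-CPU round trip.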




* [PATCH 4.9 002/251] mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jann Horn, David Hildenbrand,
	Yang Shi, John Hubbard, Peter Xu, Andrew Morton

From: Jann Horn <jannh@google.com>

commit f268f6cf875f3220afc77bdd0bf1bb136eb54db9 upstream.

Any codepath that zaps page table entries must invoke MMU notifiers to
ensure that secondary MMUs (like KVM) don't keep accessing pages which
aren't mapped anymore.  Secondary MMUs don't hold their own references to
pages that are mirrored over, so failing to notify them can lead to page
use-after-free.

I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
the security impact of this only came in commit 27e1f8273113 ("khugepaged:
enable collapse pmd for pte-mapped THP"), which actually omitted flushes
for the removal of present PTEs, not just for the removal of empty page
tables.

Link: https://lkml.kernel.org/r/20221129154730.2274278-3-jannh@google.com
Link: https://lkml.kernel.org/r/20221128180252.1684965-3-jannh@google.com
Link: https://lkml.kernel.org/r/20221125213714.4115729-3-jannh@google.com
Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Yang Shi <shy828301@gmail.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[manual backport: this code was refactored from two copies into a common
helper between 5.15 and 6.0;
pmd collapse for PTE-mapped THP was only added in 5.4;
MMU notifier API changed between 4.19 and 5.4]
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/khugepaged.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -1302,13 +1302,20 @@ static void retract_page_tables(struct a
 		 */
 		if (down_write_trylock(&mm->mmap_sem)) {
 			if (!khugepaged_test_exit(mm)) {
-				spinlock_t *ptl = pmd_lock(mm, pmd);
+				spinlock_t *ptl;
+				unsigned long end = addr + HPAGE_PMD_SIZE;
+
+				mmu_notifier_invalidate_range_start(mm, addr,
+								    end);
+				ptl = pmd_lock(mm, pmd);
 				/* assume page table is clear */
 				_pmd = pmdp_collapse_flush(vma, addr, pmd);
 				spin_unlock(ptl);
 				atomic_long_dec(&mm->nr_ptes);
 				tlb_remove_table_sync_one();
 				pte_free(mm, pmd_pgtable(_pmd));
+				mmu_notifier_invalidate_range_end(mm, addr,
+								  end);
 			}
 			up_write(&mm->mmap_sem);
 		}
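Review bot: the start/end pair now brackets the whole pmd_lock → pmdp_collapse_flush → pte_free sequence, which is the required shape: the start callback must precede clearing the pmd and the end callback must follow the free. `end = addr + HPAGE_PMD_SIZE` assumes `addr` is PMD-aligned; that holds because `pmd` was looked up for this range, but a one-line comment would save the next reader the check. Since the context already contains `tlb_remove_table_sync_one()`, this hunk depends on 001/251 being applied first.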




* [PATCH 4.9 003/251] block: unhash blkdev part inode when the part is deleted
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shiwei Cui, Christoph Hellwig,
	Jan Kara, Ming Lei

From: Ming Lei <ming.lei@redhat.com>

v5.11 changes the blkdev lookup mechanism completely since commit
22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get"),
and a small part of the change is to unhash the part bdev inode when
deleting a partition. Turns out this kind of change does fix one
nasty issue in case of BLOCK_EXT_MAJOR:

1) when one partition is deleted & closed, disk_put_part() is always
called before bdput(bdev), see blkdev_put(); so the part's devt can
be freed & re-used before the inode is dropped

2) then a new partition with the same devt can be created just before the
inode in 1) is dropped, then the old inode/bdev structure in 1) is
re-used for this new partition, which causes use-after-free and
kernel panic.

It isn't possible to backport the whole big patchset of "merge struct
block_device and struct hd_struct v4" for addressing this issue.

https://lore.kernel.org/linux-block/20201128161510.347752-1-hch@lst.de/

So fix it by unhashing the part bdev in delete_partition(), and this way
is actually aligned with v5.11+'s behavior.

Backported from the following 5.10.y commit:

5f2f77560591 ("block: unhash blkdev part inode when the part is deleted")

Reported-by: Shiwei Cui <cuishw@inspur.com>
Tested-by: Shiwei Cui <cuishw@inspur.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/partition-generic.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/block/partition-generic.c
+++ b/block/partition-generic.c
@@ -254,6 +254,7 @@ void delete_partition(struct gendisk *di
 {
 	struct disk_part_tbl *ptbl = disk->part_tbl;
 	struct hd_struct *part;
+	struct block_device *bdev;
 
 	if (partno >= ptbl->len)
 		return;
@@ -267,6 +268,11 @@ void delete_partition(struct gendisk *di
 	kobject_put(part->holder_dir);
 	device_del(part_to_dev(part));
 
+	bdev = bdget(part_devt(part));
+	if (bdev) {
+		remove_inode_hash(bdev->bd_inode);
+		bdput(bdev);
+	}
 	hd_struct_kill(part);
 }
 
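Review bot: `bdget()` allocates and hashes a fresh bdev inode when none exists for this devt (for example a partition that was never opened), so in that case the code creates an inode only to unhash and drop it again; harmless, but a comment saying this is intentional would stop a later "optimisation". The ordering is right: the unhash happens before `hd_struct_kill(part)`, so by the time the devt can be freed and reused no stale inode is reachable through the hash, which is exactly the race described in the commit message.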




* [PATCH 4.9 004/251] ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown, Sasha Levin

From: Mark Brown <broonie@kernel.org>

[ Upstream commit 97eea946b93961fffd29448dcda7398d0d51c4b2 ]

The bounds checks in snd_soc_put_volsw_sx() are only being applied to the
first channel, meaning it is possible to write out-of-bounds values to the
second channel in stereo controls. Add appropriate checks.

Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20220511134137.169575-2-broonie@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/soc-ops.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 5479927391d4..8294430aaf9a 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -465,6 +465,12 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
 	if (snd_soc_volsw_is_stereo(mc)) {
 		val_mask = mask << rshift;
 		val2 = (ucontrol->value.integer.value[1] + min) & mask;
+
+		if (mc->platform_max && val2 > mc->platform_max)
+			return -EINVAL;
+		if (val2 > max)
+			return -EINVAL;
+
 		val2 = val2 << rshift;
 
 		err = snd_soc_component_update_bits(component, reg2, val_mask,
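Review bot: the two comparisons run on `val2` after `+ min` and `& mask` have already been applied, but `max` bounds the user-supplied value, not the masked register value. Because `min` is added and the sum masked first, a low user value can wrap to a masked number above `max` and be rejected, while a value above `max` can wrap to one below it and be accepted. The checks belong on `ucontrol->value.integer.value[1]` before the offset and mask; 006/251 in this series does exactly that, so the two should be applied together.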
-- 
2.35.1





* [PATCH 4.9 005/251] can: sja1000: fix size of OCR_MODE_MASK define
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heiko Schocher, Marc Kleine-Budde,
	Sasha Levin

From: Heiko Schocher <hs@denx.de>

[ Upstream commit 26e8f6a75248247982458e8237b98c9fb2ffcf9d ]

The bitfield mode in the ocr register has only 2 bits, not 3, so correct
the OCR_MODE_MASK define.

Signed-off-by: Heiko Schocher <hs@denx.de>
Link: https://lore.kernel.org/all/20221123071636.2407823-1-hs@denx.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/can/platform/sja1000.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/can/platform/sja1000.h b/include/linux/can/platform/sja1000.h
index 93570b61ec6c..919f3329d822 100644
--- a/include/linux/can/platform/sja1000.h
+++ b/include/linux/can/platform/sja1000.h
@@ -13,7 +13,7 @@
 #define OCR_MODE_TEST     0x01
 #define OCR_MODE_NORMAL   0x02
 #define OCR_MODE_CLOCK    0x03
-#define OCR_MODE_MASK     0x07
+#define OCR_MODE_MASK     0x03
 #define OCR_TX0_INVERT    0x04
 #define OCR_TX0_PULLDOWN  0x08
 #define OCR_TX0_PULLUP    0x10
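Review bot: with the old 0x07 mask, `ocr & OCR_MODE_MASK` also captured the OCR_TX0_INVERT bit (0x04) defined on the very next line, so a register with TX0 inverted would decode to a mode value no define names. 0x03 covers exactly the three defined modes (the highest is OCR_MODE_CLOCK 0x03) and is disjoint from the TX0 bits. A sentence about that overlap in the commit message would make the "why" clearer for anyone backporting further.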
-- 
2.35.1





* [PATCH 4.9 006/251] ASoC: ops: Correct bounds check for second channel on SX controls
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Keepax, Mark Brown

From: Charles Keepax <ckeepax@opensource.cirrus.com>

commit f33bcc506050f89433a52a3052054d4ebd37b1c1 upstream.

Currently the check against the max value for the control is being
applied after the value has had the minimum applied and been masked. But
the max value simply indicates the number of volume levels on an SX
control, and as such should just be applied on the raw value.

Fixes: 97eea946b939 ("ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20221125162348.1288005-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/soc-ops.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -463,14 +463,15 @@ int snd_soc_put_volsw_sx(struct snd_kcon
 		return err;
 
 	if (snd_soc_volsw_is_stereo(mc)) {
-		val_mask = mask << rshift;
-		val2 = (ucontrol->value.integer.value[1] + min) & mask;
+		val2 = ucontrol->value.integer.value[1];
 
 		if (mc->platform_max && val2 > mc->platform_max)
 			return -EINVAL;
 		if (val2 > max)
 			return -EINVAL;
 
+		val_mask = mask << rshift;
+		val2 = (val2 + min) & mask;
 		val2 = val2 << rshift;
 
 		err = snd_soc_component_update_bits(component, reg2, val_mask,
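Review bot: moving both comparisons ahead of `(val2 + min) & mask` is the right fix: `max` is a count of levels, so it bounds the raw user value, and masking afterwards can no longer push an in-range value above `max`. There is still no explicit lower-bound check on `value[1]`; whether a negative input is rejected depends on the type of `val2`, which this hunk does not show, so an explicit check or a comment documenting why negatives cannot pass would make the intent clear. Moving `val_mask = mask << rshift;` below the checks is purely cosmetic.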



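Added example, not part of this series or of sound/soc/soc-ops.c: a user-space model of the second-channel path of snd_soc_put_volsw_sx() as it stood after 004/251 (offset and mask first, then compare) and after 006/251 (compare the raw value, then offset and mask), run against a constructed SX control whose lowest level is coded as 0x38 with 16 levels above it. The struct, the fls() emulation, the mask derivation and every value are assumptions made for the illustration, not the driver's own data.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the struct soc_mixer_control fields the SX put
 * handler uses.  Field names follow the kernel; values are made up. */
struct sx_control {
	int min;          /* register code of the lowest level (2's complement) */
	int max;          /* number of levels above min the user may select */
	unsigned int rshift;
	int platform_max; /* 0 = no platform limit */
};

/* Kernel-style fls(): 1-based index of the highest set bit, 0 for x == 0. */
static int fls_emul(unsigned int x)
{
	int r = 0;

	for (; x; x >>= 1)
		r++;
	return r;
}

/* Mask derived from min + max, the way soc-ops computes it (assumption). */
static unsigned int sx_mask(const struct sx_control *mc)
{
	return (1U << (fls_emul(mc->min + mc->max) - 1)) - 1;
}

/* Second channel as in 004/251: offset and mask first, then compare. */
static int put_ch2_masked_then_check(const struct sx_control *mc, long user,
				     unsigned int *reg_val)
{
	unsigned int val2 = (user + mc->min) & sx_mask(mc);

	if (mc->platform_max && val2 > (unsigned int)mc->platform_max)
		return -EINVAL;
	if (val2 > (unsigned int)mc->max)
		return -EINVAL;
	*reg_val = val2 << mc->rshift;
	return 0;
}

/* Second channel as in 006/251: compare the raw value, then offset and mask. */
static int put_ch2_check_then_mask(const struct sx_control *mc, long user,
				   unsigned int *reg_val)
{
	unsigned int val2 = user;

	if (mc->platform_max && val2 > (unsigned int)mc->platform_max)
		return -EINVAL;
	if (val2 > (unsigned int)mc->max)
		return -EINVAL;
	val2 = (val2 + mc->min) & sx_mask(mc);
	*reg_val = val2 << mc->rshift;
	return 0;
}

/* Constructed control: 16 levels, lowest level coded 0x38 (-8 in 6 bits). */
static const struct sx_control example_ctl = {
	.min = 0x38, .max = 15, .rshift = 0, .platform_max = 0,
};

typedef int (*put_fn)(const struct sx_control *, long, unsigned int *);

/* Register value the variant would write for USER, or -1 if it rejects. */
static int reg_or_reject(put_fn put, long user)
{
	unsigned int reg;

	return put(&example_ctl, user, &reg) ? -1 : (int)reg;
}

int reg_after_masked_check(long user) { return reg_or_reject(put_ch2_masked_then_check, user); }
int reg_after_raw_check(long user)    { return reg_or_reject(put_ch2_check_then_mask, user); }

/* How many user values in [lo, hi] a variant lets through. */
static int count_accepted(put_fn put, long lo, long hi)
{
	int n = 0;

	for (long u = lo; u <= hi; u++)
		if (reg_or_reject(put, u) >= 0)
			n++;
	return n;
}

int count_accepted_masked(long lo, long hi) { return count_accepted(put_ch2_masked_then_check, lo, hi); }
int count_accepted_raw(long lo, long hi)    { return count_accepted(put_ch2_check_then_mask, lo, hi); }

int main(void)
{
	long probes[] = { 0, 7, 8, 15, 16, 23, 72 };

	printf("user  004-style  006-style   (-1 = rejected)\n");
	for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("%4ld  %9d  %9d\n", probes[i],
		       reg_after_masked_check(probes[i]),
		       reg_after_raw_check(probes[i]));
	printf("accepted in 0..127: 004-style %d, 006-style %d, control has %d levels\n",
	       count_accepted_masked(0, 127), count_accepted_raw(0, 127),
	       example_ctl.max + 1);
	return 0;
}
```

With this control the 004-style check rejects the legitimate user values 0..7 (they mask to 0x38..0x3f, which is above 15) and accepts 16..23 and 72..87 (they wrap to 0..15), so 32 of the 128 probed values pass although the control has only 16 levels; the 006-style check accepts exactly 0..15. That is the behaviour the two commit messages describe, made visible on a single control.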

* [PATCH 4.9 007/251] udf: Discard preallocation before extending file with a hole
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara

From: Jan Kara <jack@suse.cz>

commit 16d0556568148bdcaa45d077cac9f8f7077cf70a upstream.

When extending a file with a hole, we tried to preserve existing
preallocation for the file. However that is not very useful and
complicates code because the previous extent may need to be rounded to
block boundary as well (which we forgot to do, thus causing data
corruption for a sequence like:

xfs_io -f -c "pwrite 0x75e63 11008" -c "truncate 0x7b24b" \
  -c "truncate 0xabaa3" -c "pwrite 0xac70b 22954" \
  -c "pwrite 0x93a43 11358" -c "pwrite 0xb8e65 52211" file

with 512-byte block size). Just discard preallocation before extending
the file to simplify things and also fix this data corruption.

CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/inode.c |   46 ++++++++++++++++++----------------------------
 1 file changed, 18 insertions(+), 28 deletions(-)

--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -442,6 +442,12 @@ static int udf_get_block(struct inode *i
 		iinfo->i_next_alloc_goal++;
 	}
 
+	/*
+	 * Block beyond EOF and prealloc extents? Just discard preallocation
+	 * as it is not useful and complicates things.
+	 */
+	if (((loff_t)block) << inode->i_blkbits > iinfo->i_lenExtents)
+		udf_discard_prealloc(inode);
 	udf_clear_extent_cache(inode);
 	phys = inode_getblk(inode, block, &err, &new);
 	if (!phys)
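Review bot: the `(loff_t)` cast before the shift matters: `block` is a sector_t, which is 32-bit on configurations without CONFIG_LBDAF, and shifting it by `i_blkbits` without widening could overflow for large files; the cast is correct and a short comment saying so would stop someone "simplifying" it away. The discard runs before `udf_clear_extent_cache(inode)`, so a cached extent that described the discarded preallocation is dropped afterwards rather than surviving it, which is the right order.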
@@ -491,8 +497,6 @@ static int udf_do_extend_file(struct ino
 	uint32_t add;
 	int count = 0, fake = !(last_ext->extLength & UDF_EXTENT_LENGTH_MASK);
 	struct super_block *sb = inode->i_sb;
-	struct kernel_lb_addr prealloc_loc = {};
-	int prealloc_len = 0;
 	struct udf_inode_info *iinfo;
 	int err;
 
@@ -513,19 +517,6 @@ static int udf_do_extend_file(struct ino
 			~(sb->s_blocksize - 1);
 	}
 
-	/* Last extent are just preallocated blocks? */
-	if ((last_ext->extLength & UDF_EXTENT_FLAG_MASK) ==
-						EXT_NOT_RECORDED_ALLOCATED) {
-		/* Save the extent so that we can reattach it to the end */
-		prealloc_loc = last_ext->extLocation;
-		prealloc_len = last_ext->extLength;
-		/* Mark the extent as a hole */
-		last_ext->extLength = EXT_NOT_RECORDED_NOT_ALLOCATED |
-			(last_ext->extLength & UDF_EXTENT_LENGTH_MASK);
-		last_ext->extLocation.logicalBlockNum = 0;
-		last_ext->extLocation.partitionReferenceNum = 0;
-	}
-
 	/* Can we merge with the previous extent? */
 	if ((last_ext->extLength & UDF_EXTENT_FLAG_MASK) ==
 					EXT_NOT_RECORDED_NOT_ALLOCATED) {
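Review bot: with this block removed, udf_do_extend_file() now relies on its callers having called udf_discard_prealloc() first (the two new call sites in udf_get_block() and udf_extend_file()); the code below no longer has any case for a `last_ext` that is still EXT_NOT_RECORDED_ALLOCATED. A `WARN_ON_ONCE((last_ext->extLength & UDF_EXTENT_FLAG_MASK) == EXT_NOT_RECORDED_ALLOCATED)` here, or at least a comment documenting the precondition, would catch a future caller that forgets the discard.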
@@ -553,7 +544,7 @@ static int udf_do_extend_file(struct ino
 		 * more extents, we may need to enter possible following
 		 * empty indirect extent.
 		 */
-		if (new_block_bytes || prealloc_len)
+		if (new_block_bytes)
 			udf_next_aext(inode, last_pos, &tmploc, &tmplen, 0);
 	}
 
@@ -587,17 +578,6 @@ static int udf_do_extend_file(struct ino
 	}
 
 out:
-	/* Do we have some preallocated blocks saved? */
-	if (prealloc_len) {
-		err = udf_add_aext(inode, last_pos, &prealloc_loc,
-				   prealloc_len, 1);
-		if (err)
-			return err;
-		last_ext->extLocation = prealloc_loc;
-		last_ext->extLength = prealloc_len;
-		count++;
-	}
-
 	/* last_pos should point to the last written extent... */
 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT)
 		last_pos->offset -= sizeof(struct short_ad);
@@ -650,8 +630,17 @@ static int udf_extend_file(struct inode
 	else
 		BUG();
 
+	/*
+	 * When creating hole in file, just don't bother with preserving
+	 * preallocation. It likely won't be very useful anyway.
+	 */
+	udf_discard_prealloc(inode);
+
 	etype = inode_bmap(inode, first_block, &epos, &eloc, &elen, &offset);
 	within_final_block = (etype != -1);
+	/* We don't expect extents past EOF... */
+	WARN_ON_ONCE(etype != -1 &&
+		     elen > ((loff_t)offset + 1) << inode->i_blkbits);
 
 	if ((!epos.bh && epos.offset == udf_file_entry_alloc_offset(inode)) ||
 	    (epos.bh && epos.offset == sizeof(struct allocExtDesc))) {
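Review bot: the WARN_ON_ONCE condition `elen > ((loff_t)offset + 1) << inode->i_blkbits` relies on `+` binding tighter than `<<`, which it does, but wrapping the right-hand side in its own parentheses would make that readable at a glance. The check encodes that, after udf_discard_prealloc(), the extent found for `first_block` does not run past the block that contains it, i.e. no extents past EOF; since it is a WARN rather than an error return, the extend proceeds even when the invariant is broken, which is reasonable for a debugging aid but worth a word in the comment.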
@@ -783,10 +772,11 @@ static sector_t inode_getblk(struct inod
 		return newblock;
 	}
 
-	/* Are we beyond EOF? */
+	/* Are we beyond EOF and preallocated extent? */
 	if (etype == -1) {
 		int ret;
 		loff_t hole_len;
+
 		isBeyondEOF = true;
 		if (count) {
 			if (c)




* [PATCH 4.9 008/251] udf: Drop unused arguments of udf_delete_aext()
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara

From: Jan Kara <jack@suse.cz>

commit 6c1e4d06a3808dc67dbce2d631f4c12574567dd5 upstream.

udf_delete_aext() uses its last two arguments only as local variables.
Drop them.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/balloc.c  |    5 ++---
 fs/udf/inode.c   |    8 ++++----
 fs/udf/udfdecl.h |    3 +--
 3 files changed, 7 insertions(+), 9 deletions(-)

--- a/fs/udf/balloc.c
+++ b/fs/udf/balloc.c
@@ -531,8 +531,7 @@ static int udf_table_prealloc_blocks(str
 			udf_write_aext(table, &epos, &eloc,
 					(etype << 30) | elen, 1);
 		} else
-			udf_delete_aext(table, epos, eloc,
-					(etype << 30) | elen);
+			udf_delete_aext(table, epos);
 	} else {
 		alloc_count = 0;
 	}
@@ -627,7 +626,7 @@ static int udf_table_new_block(struct su
 	if (goal_elen)
 		udf_write_aext(table, &goal_epos, &goal_eloc, goal_elen, 1);
 	else
-		udf_delete_aext(table, goal_epos, goal_eloc, goal_elen);
+		udf_delete_aext(table, goal_epos);
 	brelse(goal_epos.bh);
 
 	udf_add_free_space(sb, partition, -1);
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1190,8 +1190,7 @@ static void udf_update_extents(struct in
 
 	if (startnum > endnum) {
 		for (i = 0; i < (startnum - endnum); i++)
-			udf_delete_aext(inode, *epos, laarr[i].extLocation,
-					laarr[i].extLength);
+			udf_delete_aext(inode, *epos);
 	} else if (startnum < endnum) {
 		for (i = 0; i < (endnum - startnum); i++) {
 			udf_insert_aext(inode, *epos, laarr[i].extLocation,
@@ -2225,14 +2224,15 @@ static int8_t udf_insert_aext(struct ino
 	return (nelen >> 30);
 }
 
-int8_t udf_delete_aext(struct inode *inode, struct extent_position epos,
-		       struct kernel_lb_addr eloc, uint32_t elen)
+int8_t udf_delete_aext(struct inode *inode, struct extent_position epos)
 {
 	struct extent_position oepos;
 	int adsize;
 	int8_t etype;
 	struct allocExtDesc *aed;
 	struct udf_inode_info *iinfo;
+	struct kernel_lb_addr eloc;
+	uint32_t elen;
 
 	if (epos.bh) {
 		get_bh(epos.bh);
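Review bot: eloc and elen become uninitialized locals here and callers no longer supply them, so every read of eloc/elen in the rest of udf_delete_aext() must be preceded by a udf_next_aext()/udf_current_aext() call that writes them. The remainder of the function is not in this hunk, so please double-check that no early path reads them before the first extent read.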
--- a/fs/udf/udfdecl.h
+++ b/fs/udf/udfdecl.h
@@ -160,8 +160,7 @@ extern int udf_add_aext(struct inode *,
 			struct kernel_lb_addr *, uint32_t, int);
 extern void udf_write_aext(struct inode *, struct extent_position *,
 			   struct kernel_lb_addr *, uint32_t, int);
-extern int8_t udf_delete_aext(struct inode *, struct extent_position,
-			      struct kernel_lb_addr, uint32_t);
+extern int8_t udf_delete_aext(struct inode *, struct extent_position);
 extern int8_t udf_next_aext(struct inode *, struct extent_position *,
 			    struct kernel_lb_addr *, uint32_t *, int);
 extern int8_t udf_current_aext(struct inode *, struct extent_position *,




* [PATCH 4.9 009/251] udf: Fix preallocation discarding at indirect extent boundary
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara

From: Jan Kara <jack@suse.cz>

commit cfe4c1b25dd6d2f056afc00b7c98bcb3dd0b1fc3 upstream.

When the preallocation extent is the first one in the extent block, the
code would corrupt the extent tree header instead. Fix the problem and use
udf_delete_aext() for deleting the extent to avoid some code duplication.

CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/truncate.c |   45 +++++++++++++--------------------------------
 1 file changed, 13 insertions(+), 32 deletions(-)

--- a/fs/udf/truncate.c
+++ b/fs/udf/truncate.c
@@ -120,60 +120,41 @@ void udf_truncate_tail_extent(struct ino
 
 void udf_discard_prealloc(struct inode *inode)
 {
-	struct extent_position epos = { NULL, 0, {0, 0} };
+	struct extent_position epos = {};
+	struct extent_position prev_epos = {};
 	struct kernel_lb_addr eloc;
 	uint32_t elen;
 	uint64_t lbcount = 0;
 	int8_t etype = -1, netype;
-	int adsize;
 	struct udf_inode_info *iinfo = UDF_I(inode);
 
 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB ||
 	    inode->i_size == iinfo->i_lenExtents)
 		return;
 
-	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT)
-		adsize = sizeof(struct short_ad);
-	else if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_LONG)
-		adsize = sizeof(struct long_ad);
-	else
-		adsize = 0;
-
 	epos.block = iinfo->i_location;
 
 	/* Find the last extent in the file */
-	while ((netype = udf_next_aext(inode, &epos, &eloc, &elen, 1)) != -1) {
-		etype = netype;
+	while ((netype = udf_next_aext(inode, &epos, &eloc, &elen, 0)) != -1) {
+		brelse(prev_epos.bh);
+		prev_epos = epos;
+		if (prev_epos.bh)
+			get_bh(prev_epos.bh);
+
+		etype = udf_next_aext(inode, &epos, &eloc, &elen, 1);
 		lbcount += elen;
 	}
 	if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30)) {
-		epos.offset -= adsize;
 		lbcount -= elen;
-		extent_trunc(inode, &epos, &eloc, etype, elen, 0);
-		if (!epos.bh) {
-			iinfo->i_lenAlloc =
-				epos.offset -
-				udf_file_entry_alloc_offset(inode);
-			mark_inode_dirty(inode);
-		} else {
-			struct allocExtDesc *aed =
-				(struct allocExtDesc *)(epos.bh->b_data);
-			aed->lengthAllocDescs =
-				cpu_to_le32(epos.offset -
-					    sizeof(struct allocExtDesc));
-			if (!UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_STRICT) ||
-			    UDF_SB(inode->i_sb)->s_udfrev >= 0x0201)
-				udf_update_tag(epos.bh->b_data, epos.offset);
-			else
-				udf_update_tag(epos.bh->b_data,
-					       sizeof(struct allocExtDesc));
-			mark_buffer_dirty_inode(epos.bh, inode);
-		}
+		udf_delete_aext(inode, prev_epos);
+		udf_free_blocks(inode->i_sb, inode, &eloc, 0,
+				DIV_ROUND_UP(elen, 1 << inode->i_blkbits));
 	}
 	/* This inode entry is in-memory only and thus we don't have to mark
 	 * the inode dirty */
 	iinfo->i_lenExtents = lbcount;
 	brelse(epos.bh);
+	brelse(prev_epos.bh);
 }
 
 static void udf_update_alloc_ext_desc(struct inode *inode,
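Review bot: the loop now calls udf_next_aext() twice per extent, once with inc=0 to peek (netype is used only as the loop condition) and once with inc=1 to advance, so that prev_epos is left pointing at the start of the last extent; a short comment explaining that this is what lets udf_delete_aext(inode, prev_epos) remove the right descriptor even when it is the first one in an indirect extent block would justify giving up the cheaper single-call form. The get_bh()/brelse() pairing on prev_epos.bh, including the final brelse(prev_epos.bh), looks correct, and the blocks of the discarded extent are now freed explicitly via udf_free_blocks() with DIV_ROUND_UP(elen, 1 << inode->i_blkbits) instead of through extent_trunc().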




* [PATCH 4.9 010/251] udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara

From: Jan Kara <jack@suse.cz>

commit 6ad53f0f71c52871202a7bf096feb2c59db33fc5 upstream.

If block-rounded i_lenExtents matches block-rounded i_size,
there are no preallocation extents. Do not bother walking the extent linked
list.

CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/truncate.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/udf/truncate.c
+++ b/fs/udf/truncate.c
@@ -127,9 +127,10 @@ void udf_discard_prealloc(struct inode *
 	uint64_t lbcount = 0;
 	int8_t etype = -1, netype;
 	struct udf_inode_info *iinfo = UDF_I(inode);
+	int bsize = 1 << inode->i_blkbits;
 
 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB ||
-	    inode->i_size == iinfo->i_lenExtents)
+	    ALIGN(inode->i_size, bsize) == ALIGN(iinfo->i_lenExtents, bsize))
 		return;
 
 	epos.block = iinfo->i_location;
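Review bot: comparing ALIGN(inode->i_size, bsize) with ALIGN(iinfo->i_lenExtents, bsize) is correct only because a preallocation extent is always at least one whole block, so any difference smaller than a block cannot be preallocation; a comment stating that assumption next to the early return would help, since the unaligned comparison it replaces did not depend on it.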




* [PATCH 4.9 011/251] udf: Fix extending file within last block
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara

From: Jan Kara <jack@suse.cz>

commit 1f3868f06855c97a4954c99b36f3fc9eb8f60326 upstream.

When extending file within last block it can happen that the extent is
already rounded to the blocksize and thus contains the offset we want to
grow up to. In such case we would mistakenly expand the last extent and
make it one block longer than it should be, exposing unallocated block
in a file and causing data corruption. Fix the problem by properly
detecting this case and bailing out.

CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/inode.c |   32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -593,13 +593,17 @@ out:
 static void udf_do_extend_final_block(struct inode *inode,
 				      struct extent_position *last_pos,
 				      struct kernel_long_ad *last_ext,
-				      uint32_t final_block_len)
+				      uint32_t new_elen)
 {
-	struct super_block *sb = inode->i_sb;
 	uint32_t added_bytes;
 
-	added_bytes = final_block_len -
-		      (last_ext->extLength & (sb->s_blocksize - 1));
+	/*
+	 * Extent already large enough? It may be already rounded up to block
+	 * size...
+	 */
+	if (new_elen <= (last_ext->extLength & UDF_EXTENT_LENGTH_MASK))
+		return;
+	added_bytes = (last_ext->extLength & UDF_EXTENT_LENGTH_MASK) - new_elen;
 	last_ext->extLength += added_bytes;
 	UDF_I(inode)->i_lenExtents += added_bytes;
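Review bot: the subtraction on the added_bytes line is reversed. After the early return, new_elen is strictly greater than (last_ext->extLength & UDF_EXTENT_LENGTH_MASK), so `(last_ext->extLength & UDF_EXTENT_LENGTH_MASK) - new_elen` is negative and wraps in the uint32_t added_bytes, which is then added to both extLength and i_lenExtents. It should read `added_bytes = new_elen - (last_ext->extLength & UDF_EXTENT_LENGTH_MASK);`.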
 
@@ -616,12 +620,12 @@ static int udf_extend_file(struct inode
 	int8_t etype;
 	struct super_block *sb = inode->i_sb;
 	sector_t first_block = newsize >> sb->s_blocksize_bits, offset;
-	unsigned long partial_final_block;
+	loff_t new_elen;
 	int adsize;
 	struct udf_inode_info *iinfo = UDF_I(inode);
 	struct kernel_long_ad extent;
 	int err = 0;
-	int within_final_block;
+	bool within_last_ext;
 
 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT)
 		adsize = sizeof(struct short_ad);
@@ -637,9 +641,9 @@ static int udf_extend_file(struct inode
 	udf_discard_prealloc(inode);
 
 	etype = inode_bmap(inode, first_block, &epos, &eloc, &elen, &offset);
-	within_final_block = (etype != -1);
+	within_last_ext = (etype != -1);
 	/* We don't expect extents past EOF... */
-	WARN_ON_ONCE(etype != -1 &&
+	WARN_ON_ONCE(within_last_ext &&
 		     elen > ((loff_t)offset + 1) << inode->i_blkbits);
 
 	if ((!epos.bh && epos.offset == udf_file_entry_alloc_offset(inode)) ||
@@ -656,19 +660,17 @@ static int udf_extend_file(struct inode
 		extent.extLength |= etype << 30;
 	}
 
-	partial_final_block = newsize & (sb->s_blocksize - 1);
+	new_elen = ((loff_t)offset << inode->i_blkbits) |
+					(newsize & (sb->s_blocksize - 1));
 
 	/* File has extent covering the new size (could happen when extending
 	 * inside a block)?
 	 */
-	if (within_final_block) {
+	if (within_last_ext) {
 		/* Extending file within the last file block */
-		udf_do_extend_final_block(inode, &epos, &extent,
-					  partial_final_block);
+		udf_do_extend_final_block(inode, &epos, &extent, new_elen);
 	} else {
-		loff_t add = ((loff_t)offset << sb->s_blocksize_bits) |
-			     partial_final_block;
-		err = udf_do_extend_file(inode, &epos, &extent, add);
+		err = udf_do_extend_file(inode, &epos, &extent, new_elen);
 	}
 
 	if (err < 0)
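Review bot: new_elen is a loff_t here but udf_do_extend_final_block() takes uint32_t new_elen, so the call narrows it implicitly; that is only safe because within_last_ext implies the offset lies inside the last extent, whose length is bounded by UDF_EXTENT_LENGTH_MASK. An explicit cast or a comment at the call site would document that. Minor style point: the new_elen expression mixes inode->i_blkbits with sb->s_blocksize - 1; using one source for the block size would read more consistently.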




* [PATCH 4.9 012/251] usb: gadget: uvc: Prevent buffer overflow in setup handler
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Laurent Pinchart,
	Daniel Scally, Szymon Heidrich

From: Szymon Heidrich <szymon.heidrich@gmail.com>

commit 4c92670b16727365699fe4b19ed32013bab2c107 upstream.

The setup function uvc_function_setup permits control transfer
requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE), but the
data stage handler for OUT transfers uses memcpy to copy req->actual
bytes to the uvc_event->data.data array of size 60. This may result
in an overflow of 4 bytes.

Fixes: cdda479f15cd ("USB gadget: video class function driver")
Cc: stable <stable@kernel.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com>
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Link: https://lore.kernel.org/r/20221206141301.51305-1-szymon.heidrich@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_uvc.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -220,8 +220,9 @@ uvc_function_ep0_complete(struct usb_ep
 
 		memset(&v4l2_event, 0, sizeof(v4l2_event));
 		v4l2_event.type = UVC_EVENT_DATA;
-		uvc_event->data.length = req->actual;
-		memcpy(&uvc_event->data.data, req->buf, req->actual);
+		uvc_event->data.length = min_t(unsigned int, req->actual,
+			sizeof(uvc_event->data.data));
+		memcpy(&uvc_event->data.data, req->buf, uvc_event->data.length);
 		v4l2_event_queue(&uvc->vdev, &v4l2_event);
 	}
 }
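Review bot: clamping the length with min_t() stops the 4-byte overrun into uvc_event->data.data, but a request larger than sizeof(uvc_event->data.data) is now silently truncated and the userspace consumer of UVC_EVENT_DATA cannot tell that bytes were dropped. Since the commit message says uvc_function_setup() accepts up to UVC_MAX_REQUEST_SIZE (64) bytes while the event buffer holds 60, aligning the two limits (or rejecting the oversized transfer in the setup handler) would be the more robust fix; at minimum the mismatch deserves a comment here so the clamp is not removed later as redundant.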




* [PATCH 4.9 013/251] USB: serial: cp210x: add Kamstrup RF sniffer PIDs
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bruno Thomsen, Johan Hovold

From: Bruno Thomsen <bruno.thomsen@gmail.com>

commit e88906b169ebcb8046e8f0ad76edd09ab41cfdfe upstream.

The RF sniffers are based on cp210x, whereas the RF frontends
are based on a different USB stack.

The RF sniffers can analyze packet metadata, including power level,
and perform packet injection.

They can be used to perform an RF frontend self-test when connected to
a concentrator, e.g. arch/arm/boot/dts/imx7d-flex-concentrator.dts

Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cp210x.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -193,6 +193,8 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x16DC, 0x0015) }, /* W-IE-NE-R Plein & Baus GmbH CML Control, Monitoring and Data Logger */
 	{ USB_DEVICE(0x17A8, 0x0001) }, /* Kamstrup Optical Eye/3-wire */
 	{ USB_DEVICE(0x17A8, 0x0005) }, /* Kamstrup M-Bus Master MultiPort 250D */
+	{ USB_DEVICE(0x17A8, 0x0011) }, /* Kamstrup 444 MHz RF sniffer */
+	{ USB_DEVICE(0x17A8, 0x0013) }, /* Kamstrup 870 MHz RF sniffer */
 	{ USB_DEVICE(0x17A8, 0x0101) }, /* Kamstrup 868 MHz wM-Bus C-Mode Meter Reader (Int Ant) */
 	{ USB_DEVICE(0x17A8, 0x0102) }, /* Kamstrup 868 MHz wM-Bus C-Mode Meter Reader (Ext Ant) */
 	{ USB_DEVICE(0x17F4, 0xAAAA) }, /* Wavesense Jazz blood glucose meter */




* [PATCH 4.9 014/251] Bluetooth: L2CAP: Fix u8 overflow
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sungwoo Kim, Luiz Augusto von Dentz,
	Sasha Levin

From: Sungwoo Kim <iam@sung-woo.kim>

[ Upstream commit bcd70260ef56e0aee8a4fc6cd214a419900b0765 ]

By repeatedly sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
multiple times and eventually it will wrap around the maximum number
(i.e., 255).
This patch prevents this by adding a boundary check with
L2CAP_MAX_CONF_RSP.

Btmon log:
Bluetooth monitor ver 5.64
= Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
= Note: Bluetooth subsystem version 2.22                               0.264636
@ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604
@ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741
= Open Index: 00:00:00:00:00:00                                [hci0] 13.900426
(...)
> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106
        invalid packet size (12 != 1033)
        08 00 01 00 02 01 04 00 01 10 ff ff              ............
> ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561
        invalid packet size (14 != 1547)
        0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....
> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......
= bluetoothd: Bluetooth daemon 5.43                                   14.401828
> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753
        invalid packet size (12 != 1033)
        08 00 01 00 04 01 04 00 40 00 00 00              ........@...

Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 5e7fb30b2320..cbf0a9d5aabc 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4183,7 +4183,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
 
 	chan->ident = cmd->ident;
 	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
-	chan->num_conf_rsp++;
+	if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
+		chan->num_conf_rsp++;
 
 	/* Reset config buffer. */
 	chan->conf_len = 0;
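Review bot: the guard makes num_conf_rsp saturate at L2CAP_CONF_MAX_CONF_RSP instead of wrapping the u8, which keeps any "too many responses" comparison against that constant elsewhere in l2cap_config_req() reliable. Note that the commit message names the constant L2CAP_MAX_CONF_RSP while the code uses L2CAP_CONF_MAX_CONF_RSP; the message should be corrected to match the identifier actually used.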
-- 
2.35.1





* [PATCH 4.9 015/251] net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rasmus Villemoes, Jacob Keller,
	David S. Miller, Sasha Levin

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

[ Upstream commit 31d929de5a112ee1b977a89c57de74710894bbbf ]

When the name_assign_type attribute was introduced (commit
685343fc3ba6, "net: add name_assign_type netdev attribute"), the
loopback device was explicitly mentioned as one which would make use
of NET_NAME_PREDICTABLE:

    The name_assign_type attribute gives hints where the interface name of a
    given net-device comes from. These values are currently defined:
...
      NET_NAME_PREDICTABLE:
        The ifname has been assigned by the kernel in a predictable way
        that is guaranteed to avoid reuse and always be the same for a
        given device. Examples include statically created devices like
        the loopback device [...]

Switch to that so that reading /sys/class/net/lo/name_assign_type
produces something sensible instead of returning -EINVAL.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/loopback.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
index 1b65f0f975cf..f04f9a87840e 100644
--- a/drivers/net/loopback.c
+++ b/drivers/net/loopback.c
@@ -194,7 +194,7 @@ static __net_init int loopback_net_init(struct net *net)
 	int err;
 
 	err = -ENOMEM;
-	dev = alloc_netdev(0, "lo", NET_NAME_UNKNOWN, loopback_setup);
+	dev = alloc_netdev(0, "lo", NET_NAME_PREDICTABLE, loopback_setup);
 	if (!dev)
 		goto out;
 
-- 
2.35.1





* [PATCH 4.9 016/251] drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chen Jiahao, Nishanth Menon, Sasha Levin

From: Chen Jiahao <chenjiahao16@huawei.com>

[ Upstream commit adf85adc2a7199b41e7a4da083bd17274a3d6969 ]

There is a sparse warning shown below:

drivers/soc/ti/knav_qmss_queue.c:70:12: warning: symbol
'knav_acc_firmwares' was not declared. Should it be static?

Since 'knav_acc_firmwares' is only called within knav_qmss_queue.c,
mark it as static to fix the warning.

Fixes: 96ee19becc3b ("soc: ti: add firmware file name as part of the driver")
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20221019153212.72350-1-chenjiahao16@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/ti/knav_qmss_queue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c
index 5248649b0b41..5faafe677341 100644
--- a/drivers/soc/ti/knav_qmss_queue.c
+++ b/drivers/soc/ti/knav_qmss_queue.c
@@ -72,7 +72,7 @@ static DEFINE_MUTEX(knav_dev_lock);
  * Newest followed by older ones. Search is done from start of the array
  * until a firmware file is found.
  */
-const char *knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"};
+static const char * const knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"};
 
 /**
  * knav_queue_notify: qmss queue notfier call
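Review bot: `static const char * const` goes one step beyond what the sparse warning asked for by also making the array elements const pointers; that is the right choice given the comment above says the array is only searched, but the commit message only mentions `static`, so it could state the added `const` as well.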
-- 
2.35.1





* [PATCH 4.9 017/251] arm: dts: spear600: Fix clcd interrupt
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kory Maincent, Viresh Kumar,
	Arnd Bergmann, Sasha Levin

From: Kory Maincent <kory.maincent@bootlin.com>

[ Upstream commit 0336e2ce34e7a89832b6c214f924eb7bc58940be ]

Interrupt 12 of the Interrupt controller belongs to the SMI controller,
the right one for the display controller is the interrupt 13.

Fixes: 8113ba917dfa ("ARM: SPEAr: DT: Update device nodes")
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/spear600.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/spear600.dtsi b/arch/arm/boot/dts/spear600.dtsi
index bd379034993c..89318273d787 100644
--- a/arch/arm/boot/dts/spear600.dtsi
+++ b/arch/arm/boot/dts/spear600.dtsi
@@ -53,7 +53,7 @@ clcd@fc200000 {
 			compatible = "arm,pl110", "arm,primecell";
 			reg = <0xfc200000 0x1000>;
 			interrupt-parent = <&vic1>;
-			interrupts = <12>;
+			interrupts = <13>;
 			status = "disabled";
 		};
 
-- 
2.35.1





* [PATCH 4.9 018/251] soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Qilong, Nishanth Menon, Sasha Levin

From: Zhang Qilong <zhangqilong3@huawei.com>

[ Upstream commit 69460e68eb662064ab4188d4e129ff31c1f23ed9 ]

The pm_runtime_enable will increase power disable depth. Thus
a pairing decrement is needed on the error handling path to
keep it balanced according to context.

Fixes: 984aa6dbf4ca ("OMAP3: PM: Adding smartreflex driver support.")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20221108080322.52268-3-zhangqilong3@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/power/avs/smartreflex.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/power/avs/smartreflex.c b/drivers/power/avs/smartreflex.c
index bb7b817cca59..a695c87ae459 100644
--- a/drivers/power/avs/smartreflex.c
+++ b/drivers/power/avs/smartreflex.c
@@ -971,6 +971,7 @@ static int __init omap_sr_probe(struct platform_device *pdev)
 err_debugfs:
 	debugfs_remove_recursive(sr_info->dbg_dir);
 err_list_del:
+	pm_runtime_disable(&pdev->dev);
 	list_del(&sr_info->node);
 	return ret;
 }
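Review bot: placing pm_runtime_disable() under err_list_del: is only balanced if every `goto err_list_del` (and the fall-through from err_debugfs:) happens after pm_runtime_enable() has run; the hunk does not show the earlier part of omap_sr_probe(), so please confirm no error path before the enable call jumps to this label, otherwise the fix would introduce the opposite imbalance.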
-- 
2.35.1





* [PATCH 4.9 019/251] ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
	Sasha Levin

From: Pali Rohár <pali@kernel.org>

[ Upstream commit dcc7d8c72b64a479b8017e4332d99179deb8802d ]

BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
(PCI-to-PCI bridge) should match BDF in address part in that DT node name
as specified resource belongs to Marvell PCIe Root Port itself.

Fixes: 74ecaa403a74 ("ARM: dove: add PCIe controllers to SoC DT")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/dove.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/dove.dtsi b/arch/arm/boot/dts/dove.dtsi
index 11342aeccb73..278c7321b1b9 100644
--- a/arch/arm/boot/dts/dove.dtsi
+++ b/arch/arm/boot/dts/dove.dtsi
@@ -127,7 +127,7 @@ pcie0: pcie-port@0 {
 			pcie1: pcie-port@1 {
 				device_type = "pci";
 				status = "disabled";
-				assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
+				assigned-addresses = <0x82001000 0 0x80000 0 0x2000>;
 				reg = <0x1000 0 0 0 0>;
 				clocks = <&gate_clk 5>;
 				marvell,pcie-port = <1>;
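Review bot: the new phys.hi value 0x82001000 encodes bus 0, device 2, function 0, which matches the `reg = <0x1000 0 0 0 0>` on the following line (the old 0x82002800 encoded device 5). Note that this node is named pcie-port@1, so the match the commit message describes is to the reg property, not to the unit-address in the node name; the message could say so to avoid confusion.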
-- 
2.35.1





* [PATCH 4.9 020/251] ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
	Sasha Levin

From: Pali Rohár <pali@kernel.org>

[ Upstream commit d9208b0fa2e803d16b28d91bf1d46b7ee9ea13c6 ]

The BDF of the resource in the DT assigned-addresses property of a Marvell
PCIe Root Port (PCI-to-PCI bridge) should match the BDF in the address part
of that DT node name, as the specified resource belongs to the Marvell PCIe
Root Port itself.

Fixes: a09a0b7c6ff1 ("arm: mvebu: add PCIe Device Tree informations for Armada 370")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/armada-370.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi
index b4258105e91f..b00e328b54a1 100644
--- a/arch/arm/boot/dts/armada-370.dtsi
+++ b/arch/arm/boot/dts/armada-370.dtsi
@@ -108,7 +108,7 @@ pcie@1,0 {
 
 			pcie@2,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
+				assigned-addresses = <0x82001000 0 0x80000 0 0x2000>;
 				reg = <0x1000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
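Review bot: the old 0x82002800 encoded bus 0 device 5 function 0 while the node is pcie@2,0 with reg 0x1000 (device 2), so the window at 0x80000 was attributed to a BDF that this node does not own; 0x82001000 agrees with both the unit address and reg. Since the diff shows only this node, it is worth a quick check that no other node in armada-370.dtsi has reg 0x2800 and was the intended owner of the 0x80000/0x2000 window, otherwise two nodes may have been swapped rather than one mistyped.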
-- 
2.35.1


* [PATCH 4.9 021/251] ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 020/251] ARM: dts: armada-370: " Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 022/251] ARM: dts: armada-375: " Greg Kroah-Hartman
                   ` (235 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
	Sasha Levin

From: Pali Rohár <pali@kernel.org>

[ Upstream commit eab276787f456cbea89fabea110fe0728673d308 ]

The BDF of the resource in the DT assigned-addresses property of a Marvell
PCIe Root Port (PCI-to-PCI bridge) should match the BDF in the address part
of that DT node name, as the specified resource belongs to the Marvell PCIe
Root Port itself.

Fixes: 9d8f44f02d4a ("arm: mvebu: add PCIe Device Tree informations for Armada XP")
Fixes: 12b69a599745 ("ARM: mvebu: second PCIe unit of Armada XP mv78230 is only x1 capable")
Fixes: 2163e61c92d9 ("ARM: mvebu: fix second and third PCIe unit of Armada XP mv78260")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/armada-xp-mv78230.dtsi |  8 ++++----
 arch/arm/boot/dts/armada-xp-mv78260.dtsi | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/arch/arm/boot/dts/armada-xp-mv78230.dtsi b/arch/arm/boot/dts/armada-xp-mv78230.dtsi
index 6e6d0f04bf2b..b6e787b994ad 100644
--- a/arch/arm/boot/dts/armada-xp-mv78230.dtsi
+++ b/arch/arm/boot/dts/armada-xp-mv78230.dtsi
@@ -133,7 +133,7 @@ pcie@1,0 {
 
 			pcie@2,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+				assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
 				reg = <0x1000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
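Review bot: all four mv78230 ports carried 0x82000800, which decodes to bus 0 device 1 function 0, the BDF of the preceding pcie@1,0 node shown in the hunk header, so four distinct register windows (0x44000, 0x48000, 0x4c000, 0x80000) were all claimed on behalf of one bridge. The new 0x82001000 decodes to device 2, matching reg 0x1000 and the unit address in pcie@2,0. A one-line comment on the first port noting that bits 15:8 of the phys.hi cell hold device/function (0x1000 = device 2) would make later additions to this block self-checking.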
@@ -150,7 +150,7 @@ pcie@2,0 {
 
 			pcie@3,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
+				assigned-addresses = <0x82001800 0 0x48000 0 0x2000>;
 				reg = <0x1800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -167,7 +167,7 @@ pcie@3,0 {
 
 			pcie@4,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>;
+				assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>;
 				reg = <0x2000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -184,7 +184,7 @@ pcie@4,0 {
 
 			pcie@5,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x80000 0 0x2000>;
+				assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
 				reg = <0x2800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
diff --git a/arch/arm/boot/dts/armada-xp-mv78260.dtsi b/arch/arm/boot/dts/armada-xp-mv78260.dtsi
index c5fdc99f0dbe..a4856b05440a 100644
--- a/arch/arm/boot/dts/armada-xp-mv78260.dtsi
+++ b/arch/arm/boot/dts/armada-xp-mv78260.dtsi
@@ -148,7 +148,7 @@ pcie@1,0 {
 
 			pcie@2,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+				assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
 				reg = <0x1000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
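Review bot: this file repeats the mv78230 port nodes (pcie@2,0 through pcie@5,0 with identical reg and window values 0x44000, 0x48000, 0x4c000, 0x80000), and both copies carried the same wrong BDF. Consider factoring the shared ports into a common include so the next correction does not have to be applied twice and kept in lockstep by hand.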
@@ -165,7 +165,7 @@ pcie@2,0 {
 
 			pcie@3,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
+				assigned-addresses = <0x82001800 0 0x48000 0 0x2000>;
 				reg = <0x1800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -182,7 +182,7 @@ pcie@3,0 {
 
 			pcie@4,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>;
+				assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>;
 				reg = <0x2000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -199,7 +199,7 @@ pcie@4,0 {
 
 			pcie@5,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x80000 0 0x2000>;
+				assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
 				reg = <0x2800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -216,7 +216,7 @@ pcie@5,0 {
 
 			pcie@6,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x84000 0 0x2000>;
+				assigned-addresses = <0x82003000 0 0x84000 0 0x2000>;
 				reg = <0x3000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -233,7 +233,7 @@ pcie@6,0 {
 
 			pcie@7,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x88000 0 0x2000>;
+				assigned-addresses = <0x82003800 0 0x88000 0 0x2000>;
 				reg = <0x3800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -250,7 +250,7 @@ pcie@7,0 {
 
 			pcie@8,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x8c000 0 0x2000>;
+				assigned-addresses = <0x82004000 0 0x8c000 0 0x2000>;
 				reg = <0x4000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -267,7 +267,7 @@ pcie@8,0 {
 
 			pcie@9,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x42000 0 0x2000>;
+				assigned-addresses = <0x82004800 0 0x42000 0 0x2000>;
 				reg = <0x4800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
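Review bot: the window offset 0x42000 for pcie@9,0 breaks the otherwise ascending sequence (0x44000 up to 0x8c000 for ports 2 through 8). The BDF change to 0x82004800 (device 9, matching reg 0x4800) is right, but a short comment on why port 9's registers sit below port 2's would stop a reader from treating 0x42000 as another transcription error and "fixing" it.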
-- 
2.35.1


* [PATCH 4.9 022/251] ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 021/251] ARM: dts: armada-xp: " Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 023/251] ARM: dts: armada-38x: " Greg Kroah-Hartman
                   ` (234 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
	Sasha Levin

From: Pali Rohár <pali@kernel.org>

[ Upstream commit 823956d2436f70ced74c0fe8ab99facd8abfc060 ]

The BDF of the resource in the DT assigned-addresses property of a Marvell
PCIe Root Port (PCI-to-PCI bridge) should match the BDF in the address part
of that DT node name, as the specified resource belongs to the Marvell PCIe
Root Port itself.

Fixes: 4de59085091f ("ARM: mvebu: add Device Tree description of the Armada 375 SoC")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/armada-375.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/armada-375.dtsi b/arch/arm/boot/dts/armada-375.dtsi
index 024f1b75b0a3..681c8458c8f2 100644
--- a/arch/arm/boot/dts/armada-375.dtsi
+++ b/arch/arm/boot/dts/armada-375.dtsi
@@ -618,7 +618,7 @@ pcie@1,0 {
 
 			pcie@2,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+				assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
 				reg = <0x1000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
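Review bot: same decode as on the other SoCs, old 0x82000800 is device 1 (the sibling pcie@1,0 from the hunk header), new 0x82001000 is device 2 and agrees with reg 0x1000 and the pcie@2,0 unit address. The Fixes: tag points at the commit that introduced armada-375.dtsi, so the mismatch has been present from the start and every stable branch carrying the file needs this one-liner, which is what this 4.9 backport does.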
-- 
2.35.1


* [PATCH 4.9 023/251] ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 022/251] ARM: dts: armada-375: " Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 024/251] ARM: dts: armada-39x: " Greg Kroah-Hartman
                   ` (233 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
	Sasha Levin

From: Pali Rohár <pali@kernel.org>

[ Upstream commit 44f47b7a8fa4678ce4c38ea74837e4996b9df6d6 ]

The BDF of the resource in the DT assigned-addresses property of a Marvell
PCIe Root Port (PCI-to-PCI bridge) should match the BDF in the address part
of that DT node name, as the specified resource belongs to the Marvell PCIe
Root Port itself.

Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/armada-380.dtsi | 4 ++--
 arch/arm/boot/dts/armada-385.dtsi | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/arm/boot/dts/armada-380.dtsi b/arch/arm/boot/dts/armada-380.dtsi
index 5102d19cc8f4..43477ca6eaa3 100644
--- a/arch/arm/boot/dts/armada-380.dtsi
+++ b/arch/arm/boot/dts/armada-380.dtsi
@@ -115,7 +115,7 @@ pcie@1,0 {
 			/* x1 port */
 			pcie@2,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
+				assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
 				reg = <0x1000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
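Review bot: before this change both x1 ports in armada-380.dtsi, pcie@2,0 (window 0x40000) and pcie@3,0 (window 0x44000), advertised bus 0 device 1 in assigned-addresses, so two different register windows were indistinguishable by BDF and neither matched its own reg. 0x82001000 and 0x82001800 restore device 2 and device 3 respectively. The "/* x1 port */" comments are a good place to also record the expected device number, so the comment and the value can be checked against each other at a glance.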
@@ -133,7 +133,7 @@ pcie@2,0 {
 			/* x1 port */
 			pcie@3,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+				assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
 				reg = <0x1800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
diff --git a/arch/arm/boot/dts/armada-385.dtsi b/arch/arm/boot/dts/armada-385.dtsi
index 8e67d2c083dd..0451bc14386c 100644
--- a/arch/arm/boot/dts/armada-385.dtsi
+++ b/arch/arm/boot/dts/armada-385.dtsi
@@ -126,7 +126,7 @@ pcie@1,0 {
 			/* x1 port */
 			pcie@2,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
+				assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
 				reg = <0x1000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -144,7 +144,7 @@ pcie@2,0 {
 			/* x1 port */
 			pcie@3,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+				assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
 				reg = <0x1800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -165,7 +165,7 @@ pcie@3,0 {
 			 */
 			pcie@4,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
+				assigned-addresses = <0x82002000 0 0x48000 0 0x2000>;
 				reg = <0x2000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
-- 
2.35.1


* [PATCH 4.9 024/251] ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 023/251] ARM: dts: armada-38x: " Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 025/251] ARM: mmp: fix timer_read delay Greg Kroah-Hartman
                   ` (232 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
	Sasha Levin

From: Pali Rohár <pali@kernel.org>

[ Upstream commit 69236d2391b4d7324b11c3252921571577892e7b ]

The BDF of the resource in the DT assigned-addresses property of a Marvell
PCIe Root Port (PCI-to-PCI bridge) should match the BDF in the address part
of that DT node name, as the specified resource belongs to the Marvell PCIe
Root Port itself.

Fixes: 538da83ddbea ("ARM: mvebu: add Device Tree files for Armada 39x SoC and board")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/armada-39x.dtsi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/boot/dts/armada-39x.dtsi b/arch/arm/boot/dts/armada-39x.dtsi
index aeecfa7e5ea3..3ca83e37112b 100644
--- a/arch/arm/boot/dts/armada-39x.dtsi
+++ b/arch/arm/boot/dts/armada-39x.dtsi
@@ -492,7 +492,7 @@ pcie@1,0 {
 			/* x1 port */
 			pcie@2,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
+				assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
 				reg = <0x1000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -510,7 +510,7 @@ pcie@2,0 {
 			/* x1 port */
 			pcie@3,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+				assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
 				reg = <0x1800 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
@@ -531,7 +531,7 @@ pcie@3,0 {
 			 */
 			pcie@4,0 {
 				device_type = "pci";
-				assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
+				assigned-addresses = <0x82002000 0 0x48000 0 0x2000>;
 				reg = <0x2000 0 0 0 0>;
 				#address-cells = <3>;
 				#size-cells = <2>;
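Review bot: with this file the series has covered every mvebu and dove dtsi named in the subjects. Before merging, a tree-wide grep for "assigned-addresses = <0x82000800" under arch/arm/boot/dts would confirm that no remaining root-port node other than a genuine pcie@1,0 still carries device 1, since the changelog claims the fix is for "every PCIe Root Port" and the diffs by construction only show the nodes that were changed.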
-- 
2.35.1

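A check for the whole dove/armada series above (patches 019 through 024), added here as an example and not taken from the patches or the kernel tree: the C program below decodes the first cell (phys.hi) of a devicetree PCI address using the OpenFirmware PCI bus binding layout, extracts bus/device/function, and compares each node's assigned-addresses BDF with the BDF in its own reg property. The port table is copied from the armada-xp-mv78260.dtsi hunks with both the old and the new values; the function and type names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * First cell (phys.hi) of an OpenFirmware / devicetree PCI address, as used
 * in the reg and assigned-addresses properties of the pcie@N,0 nodes.
 * Bit layout, MSB first:  npt000ss bbbbbbbb dddddfff rrrrrrrr
 * n = non-relocatable, p = prefetchable, t = aliased, ss = address space
 * (0 config, 1 I/O, 2 32-bit memory, 3 64-bit memory), b = bus,
 * d = device, f = function, r = config-space register offset.
 */
struct pci_phys_hi {
    unsigned nonreloc, prefetchable, aliased, space;
    unsigned bus, dev, fn, reg;
};

static struct pci_phys_hi pci_decode_phys_hi(uint32_t hi)
{
    struct pci_phys_hi a;

    a.nonreloc     = (hi >> 31) & 0x1;
    a.prefetchable = (hi >> 30) & 0x1;
    a.aliased      = (hi >> 29) & 0x1;
    a.space        = (hi >> 24) & 0x3;
    a.bus          = (hi >> 16) & 0xff;
    a.dev          = (hi >> 11) & 0x1f;
    a.fn           = (hi >>  8) & 0x7;
    a.reg          =  hi        & 0xff;
    return a;
}

/* Pack bus/dev/fn the way lspci prints it: bus<<8 | dev<<3 | fn. */
static unsigned pci_bdf(uint32_t hi)
{
    struct pci_phys_hi a = pci_decode_phys_hi(hi);

    return (a.bus << 8) | (a.dev << 3) | a.fn;
}

/* A resource in a node's assigned-addresses belongs to that node, so its
 * BDF must equal the BDF encoded in the node's own reg phys.hi. */
static int pci_assigned_matches_reg(uint32_t assigned_hi, uint32_t reg_hi)
{
    return pci_bdf(assigned_hi) == pci_bdf(reg_hi);
}

/* One Root Port node; values copied from the armada-xp-mv78260.dtsi hunks. */
struct port_node {
    const char *name;
    uint32_t reg_hi;          /* reg = <reg_hi 0 0 0 0> */
    uint32_t old_assigned_hi; /* first cell before the patch */
    uint32_t new_assigned_hi; /* first cell after the patch */
};

static const struct port_node mv78260_ports[] = {
    { "pcie@2,0", 0x1000, 0x82000800, 0x82001000 },
    { "pcie@3,0", 0x1800, 0x82000800, 0x82001800 },
    { "pcie@4,0", 0x2000, 0x82000800, 0x82002000 },
    { "pcie@5,0", 0x2800, 0x82000800, 0x82002800 },
    { "pcie@6,0", 0x3000, 0x82000800, 0x82003000 },
    { "pcie@7,0", 0x3800, 0x82000800, 0x82003800 },
    { "pcie@8,0", 0x4000, 0x82000800, 0x82004000 },
    { "pcie@9,0", 0x4800, 0x82000800, 0x82004800 },
};
#define MV78260_NPORTS (sizeof(mv78260_ports) / sizeof(mv78260_ports[0]))

/* Count nodes whose assigned-addresses BDF disagrees with their reg BDF. */
static unsigned count_bdf_mismatches(const struct port_node *ports, size_t n,
                                     int after_patch)
{
    unsigned bad = 0;

    for (size_t i = 0; i < n; i++) {
        uint32_t hi = after_patch ? ports[i].new_assigned_hi
                                  : ports[i].old_assigned_hi;
        if (!pci_assigned_matches_reg(hi, ports[i].reg_hi))
            bad++;
    }
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < MV78260_NPORTS; i++) {
        const struct port_node *p = &mv78260_ports[i];
        struct pci_phys_hi r = pci_decode_phys_hi(p->reg_hi);
        struct pci_phys_hi o = pci_decode_phys_hi(p->old_assigned_hi);
        struct pci_phys_hi n = pci_decode_phys_hi(p->new_assigned_hi);

        printf("%-9s reg %02x:%02x.%u  old %02x:%02x.%u %s  new %02x:%02x.%u %s\n",
               p->name, r.bus, r.dev, r.fn,
               o.bus, o.dev, o.fn,
               pci_assigned_matches_reg(p->old_assigned_hi, p->reg_hi) ? "ok " : "BAD",
               n.bus, n.dev, n.fn,
               pci_assigned_matches_reg(p->new_assigned_hi, p->reg_hi) ? "ok " : "BAD");
    }
    printf("mismatches before: %u, after: %u\n",
           count_bdf_mismatches(mv78260_ports, MV78260_NPORTS, 0),
           count_bdf_mismatches(mv78260_ports, MV78260_NPORTS, 1));
    return 0;
}
```

Every "old" column shows device 1 against reg devices 2 through 9, and the patched column matches throughout. Fed the dove node from patch 019, the same decoder shows why reg rather than the node name is the reference there: pcie-port@1 has reg 0x1000, which is device 2, and the old 0x82002800 was device 5.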

* [PATCH 4.9 025/251] ARM: mmp: fix timer_read delay
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 024/251] ARM: dts: armada-39x: " Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 026/251] pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP Greg Kroah-Hartman
                   ` (231 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Doug Brown, Arnd Bergmann, Sasha Levin

From: Doug Brown <doug@schmorgal.com>

[ Upstream commit e348b4014c31041e13ff370669ba3348c4d385e3 ]

timer_read() was using an empty 100-iteration loop to wait for the
TMR_CVWR register to capture the latest timer counter value. The delay
wasn't long enough. This resulted in CPU idle time being extremely
underreported on PXA168 with CONFIG_NO_HZ_IDLE=y.

Switch to the approach used in the vendor kernel, which implements the
capture delay by reading TMR_CVWR a few times instead.

Fixes: 49cbe78637eb ("[ARM] pxa: add base support for Marvell's PXA168 processor line")
Signed-off-by: Doug Brown <doug@schmorgal.com>
Link: https://lore.kernel.org/r/20221204005117.53452-3-doug@schmorgal.com
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-mmp/time.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c
index 3c2c92aaa0ae..f06220a4b2e2 100644
--- a/arch/arm/mach-mmp/time.c
+++ b/arch/arm/mach-mmp/time.c
@@ -52,18 +52,21 @@
 static void __iomem *mmp_timer_base = TIMERS_VIRT_BASE;
 
 /*
- * FIXME: the timer needs some delay to stablize the counter capture
+ * Read the timer through the CVWR register. Delay is required after requesting
+ * a read. The CR register cannot be directly read due to metastability issues
+ * documented in the PXA168 software manual.
  */
 static inline uint32_t timer_read(void)
 {
-	int delay = 100;
+	uint32_t val;
+	int delay = 3;
 
 	__raw_writel(1, mmp_timer_base + TMR_CVWR(1));
 
 	while (delay--)
-		cpu_relax();
+		val = __raw_readl(mmp_timer_base + TMR_CVWR(1));
 
-	return __raw_readl(mmp_timer_base + TMR_CVWR(1));
+	return val;
 }
 
 static u64 notrace mmp_read_sched_clock(void)
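Review bot: `val` is only written inside the `while (delay--)` loop, so the function returns an uninitialized value if the count is ever 0, and some compilers will flag it as maybe-uninitialized even with the constant 3. Initialize it (`uint32_t val = 0;`) or restructure as a `for` loop over a named read count, and say in the comment that the number of CVWR reads is taken from the vendor kernel, since the new header comment cites the PXA168 manual for the metastability issue but not for how many reads are required.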
-- 
2.35.1


* [PATCH 4.9 026/251] pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 025/251] ARM: mmp: fix timer_read delay Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 027/251] cpuidle: dt: Return the correct numbers of parsed idle states Greg Kroah-Hartman
                   ` (230 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Brian Geffon, Mike Rapoport,
	Andrew Morton, Stephen Boyd, Kees Cook, Sasha Levin

From: Stephen Boyd <swboyd@chromium.org>

[ Upstream commit e6b842741b4f39007215fd7e545cb55aa3d358a2 ]

An oops can be induced by running 'cat /proc/kcore > /dev/null' on
devices using pstore with the ram backend because kmap_atomic() assumes
lowmem pages are accessible with __va().

 Unable to handle kernel paging request at virtual address ffffff807ff2b000
 Mem abort info:
 ESR = 0x96000006
 EC = 0x25: DABT (current EL), IL = 32 bits
 SET = 0, FnV = 0
 EA = 0, S1PTW = 0
 FSC = 0x06: level 2 translation fault
 Data abort info:
 ISV = 0, ISS = 0x00000006
 CM = 0, WnR = 0
 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000
 [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000
 Internal error: Oops: 96000006 [#1] PREEMPT SMP
 Modules linked in: dm_integrity
 CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba
 Hardware name: Google Lazor (rev3 - 8) (DT)
 pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : __memcpy+0x110/0x260
 lr : vread+0x194/0x294
 sp : ffffffc013ee39d0
 x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000
 x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000
 x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000
 x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000
 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60
 x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001
 x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b
 x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000
 x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78
 x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000
 Call trace:
 __memcpy+0x110/0x260
 read_kcore+0x584/0x778
 proc_reg_read+0xb4/0xe4

During early boot, memblock reserves the pages for the ramoops reserved
memory node in DT that would otherwise be part of the direct lowmem
mapping. Pstore's ram backend reuses those reserved pages to change the
memory type (writeback or non-cached) by passing the pages to vmap()
(see pfn_to_page() usage in persistent_ram_vmap() for more details) with
specific flags. When read_kcore() starts iterating over the vmalloc
region, it runs over the virtual address that vmap() returned for
ramoops. In aligned_vread() the virtual address is passed to
vmalloc_to_page() which returns the page struct for the reserved lowmem
area. That lowmem page is passed to kmap_atomic(), which effectively
calls page_to_virt() that assumes a lowmem page struct must be directly
accessible with __va() and friends. These pages are mapped via vmap()
though, and the lowmem mapping was never made, so accessing them via the
lowmem virtual address oopses like above.

Let's side-step this problem by passing VM_IOREMAP to vmap(). This will
tell vread() to not include the ramoops region in the kcore. Instead the
area will look like a bunch of zeros. The alternative is to teach kmap()
about vmalloc areas that intersect with lowmem. Presumably such a change
isn't a one-liner, and there isn't much interest in inspecting the
ramoops region in kcore files anyway, so the most expedient route is
taken for now.

Cc: Brian Geffon <bgeffon@google.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory")
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221205233136.3420802-1-swboyd@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/pstore/ram_core.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index 11e558efd61e..b56cf56ae926 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -418,7 +418,11 @@ static void *persistent_ram_vmap(phys_addr_t start, size_t size,
 		phys_addr_t addr = page_start + i * PAGE_SIZE;
 		pages[i] = pfn_to_page(addr >> PAGE_SHIFT);
 	}
-	vaddr = vmap(pages, page_count, VM_MAP, prot);
+	/*
+	 * VM_IOREMAP used here to bypass this region during vread()
+	 * and kmap_atomic() (i.e. kcore) to avoid __va() failures.
+	 */
+	vaddr = vmap(pages, page_count, VM_MAP | VM_IOREMAP, prot);
 	kfree(pages);
 
 	/*
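Review bot: the new comment should state the user-visible consequence the changelog gives, namely that the ramoops range now reads as zeros in /proc/kcore, because anyone using kcore for crash analysis or forensics will otherwise assume those bytes are real; and it should say that VM_IOREMAP is used for its vread()/kmap_atomic() bypass side effect, not because the pages are I/O memory, so that a later change to vread()'s flag handling does not silently bring the oops back. The mapping attributes themselves are unchanged since `prot` is still passed through.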
-- 
2.35.1


* [PATCH 4.9 027/251] cpuidle: dt: Return the correct numbers of parsed idle states
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 026/251] pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 028/251] alpha: fix syscall entry in !AUDIT_SYSCALL case Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ulf Hansson, Sudeep Holla,
	Rafael J. Wysocki, Sasha Levin

From: Ulf Hansson <ulf.hansson@linaro.org>

[ Upstream commit ee3c2c8ad6ba6785f14a60e4081d7c82e88162a2 ]

While we correctly skip initializing an idle state from a disabled idle
state node in DT, the returned value from dt_init_idle_driver() doesn't get
adjusted accordingly. Instead the number of found idle state nodes is
returned, while the callers are expecting the number of successfully
initialized idle states from DT.

This leads to cpuidle drivers unnecessarily continuing to initialize their
idle state specific data. Moreover, in the case when all idle states have
been disabled in DT, we would end up registering a cpuidle driver, rather
than relying on the default arch specific idle call.

Fixes: 9f14da345599 ("drivers: cpuidle: implement DT based idle states infrastructure")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cpuidle/dt_idle_states.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c
index ea11a33e7fff..1a79ac569770 100644
--- a/drivers/cpuidle/dt_idle_states.c
+++ b/drivers/cpuidle/dt_idle_states.c
@@ -218,6 +218,6 @@ int dt_init_idle_driver(struct cpuidle_driver *drv,
 	 * also be 0 on platforms with missing DT idle states or legacy DT
 	 * configuration predating the DT idle states bindings.
 	 */
-	return i;
+	return state_idx - start_idx;
 }
 EXPORT_SYMBOL_GPL(dt_init_idle_driver);
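Review bot: `return state_idx - start_idx;` changes the contract to "states actually initialized", but the comment immediately above ("also be 0 on platforms with missing DT idle states or legacy DT configuration") still reads as a count of nodes; update it to say that disabled nodes are excluded, so callers know the value can be smaller than the number of idle-state phandles. Also confirm `i` is still used elsewhere in the function now that it is no longer returned, otherwise it becomes an unused-variable warning.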
-- 
2.35.1


* [PATCH 4.9 028/251] alpha: fix syscall entry in !AUDIT_SYSCALL case
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 027/251] cpuidle: dt: Return the correct numbers of parsed idle states Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 029/251] PM: hibernate: Fix mistake in kerneldoc comment Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit f7b2431a6d22f7a91c567708e071dfcd6d66db14 ]

We only want to take the slow path if SYSCALL_TRACE or SYSCALL_AUDIT is
set; on !AUDIT_SYSCALL configs the current tree hits it whenever _any_
thread flag (including NEED_RESCHED, NOTIFY_SIGNAL, etc.) happens to
be set.

Fixes: a9302e843944 ("alpha: Enable system-call auditing support")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/alpha/kernel/entry.S | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S
index 98703d99b565..d752ccc53b24 100644
--- a/arch/alpha/kernel/entry.S
+++ b/arch/alpha/kernel/entry.S
@@ -468,8 +468,10 @@ entSys:
 #ifdef CONFIG_AUDITSYSCALL
 	lda     $6, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
 	and     $3, $6, $3
-#endif
 	bne     $3, strace
+#else
+	blbs    $3, strace		/* check for SYSCALL_TRACE in disguise */
+#endif
 	beq	$4, 1f
 	ldq	$27, 0($5)
 1:	jsr	$26, ($27), alpha_ni_syscall
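Review bot: `blbs $3, strace` (branch if low bit set) hard-codes _TIF_SYSCALL_TRACE as bit 0 of the thread flags; the "in disguise" comment hints at this, but a reordering of the TIF_* bits would break the check with no diagnostic. Since entry.S goes through the preprocessor, add a guard such as `#if _TIF_SYSCALL_TRACE != 1` / `#error` in the `#else` branch, or at least spell out the dependency in the comment (`/* _TIF_SYSCALL_TRACE is bit 0 */`).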
-- 
2.35.1


* [PATCH 4.9 029/251] PM: hibernate: Fix mistake in kerneldoc comment
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 028/251] alpha: fix syscall entry in !AUDIT_SYSCALL case Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 030/251] fs: don't audit the capability check in simple_xattr_list() Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, xiongxin, Rafael J. Wysocki, Sasha Levin

From: xiongxin <xiongxin@kylinos.cn>

[ Upstream commit 6e5d7300cbe7c3541bc31f16db3e9266e6027b4b ]

The actual maximum image size formula in hibernate_preallocate_memory()
is as follows:

max_size = (count - (size + PAGES_FOR_IO)) / 2
	    - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE);

but the one in the kerneldoc comment of the function is different and
incorrect.

Fixes: ddeb64870810 ("PM / Hibernate: Add sysfs knob to control size of memory for drivers")
Signed-off-by: xiongxin <xiongxin@kylinos.cn>
[ rjw: Subject and changelog rewrite ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/power/snapshot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
index 5dfac92521fa..b02850cfc8ee 100644
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -1677,8 +1677,8 @@ static unsigned long minimum_image_size(unsigned long saveable)
  * /sys/power/reserved_size, respectively).  To make this happen, we compute the
  * total number of available page frames and allocate at least
  *
- * ([page frames total] + PAGES_FOR_IO + [metadata pages]) / 2
- *  + 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE)
+ * ([page frames total] - PAGES_FOR_IO - [metadata pages]) / 2
+ *  - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE)
  *
  * of them, which corresponds to the maximum size of a hibernation image.
  *
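Review bot: the operators now agree with the changelog formula, but the sentence around them still says "allocate at least ... of them, which corresponds to the maximum size of a hibernation image", which reads as a contradiction (a lower bound described as a maximum). Suggest wording it as the number of page frames preallocated for the image, that number being the largest image hibernate_preallocate_memory() will produce, so the kerneldoc matches the code in meaning as well as arithmetic.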
-- 
2.35.1


* [PATCH 4.9 030/251] fs: don't audit the capability check in simple_xattr_list()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 029/251] PM: hibernate: Fix mistake in kerneldoc comment Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 031/251] perf: Fix possible memleak in pmu_dev_alloc() Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Martin Pitt,
	Christian Brauner (Microsoft),
	Ondrej Mosnacek, Paul Moore, Sasha Levin

From: Ondrej Mosnacek <omosnace@redhat.com>

[ Upstream commit e7eda157c4071cd1e69f4b1687b0fbe1ae5e6f46 ]

The check being unconditional may lead to unwanted denials reported by
LSMs when a process has the capability granted by DAC, but denied by an
LSM. In the case of SELinux such denials are a problem, since they can't
be effectively filtered out via the policy and when not silenced, they
produce noise that may hide a true problem or an attack.

Checking for the capability only if any trusted xattr is actually
present wouldn't really address the issue, since calling listxattr(2) on
such a node on its own doesn't indicate an explicit attempt to see the
trusted xattrs. Additionally, it could potentially leak the presence of
trusted xattrs to an unprivileged user if they can check for the denials
(e.g. through dmesg).

Therefore, it's best (and simplest) to keep the check unconditional and
instead use ns_capable_noaudit() that will silence any associated LSM
denials.

Fixes: 38f38657444d ("xattr: extract simple_xattr code from tmpfs")
Reported-by: Martin Pitt <mpitt@redhat.com>
Suggested-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/xattr.c b/fs/xattr.c
index c0fd99c95aa1..d66983d1e57c 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -1017,7 +1017,7 @@ static int xattr_list_one(char **buffer, ssize_t *remaining_size,
 ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
 			  char *buffer, size_t size)
 {
-	bool trusted = capable(CAP_SYS_ADMIN);
+	bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
 	struct simple_xattr *xattr;
 	ssize_t remaining_size = size;
 	int err = 0;
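Review bot: the one-liner needs a comment, otherwise the next reader will "simplify" `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` back to `capable(CAP_SYS_ADMIN)`, which is the same check with auditing turned on. Something like `/* noaudit: listxattr() is not an explicit request for trusted.* and an LSM denial here would leak their presence */` captures the reasoning from the changelog. Keeping &init_user_ns is consistent with the previous capable() call, which is ns_capable() against init_user_ns, so the privilege required is unchanged and only the audit record is suppressed.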
-- 
2.35.1


* [PATCH 4.9 031/251] perf: Fix possible memleak in pmu_dev_alloc()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 030/251] fs: don't audit the capability check in simple_xattr_list() Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 032/251] timerqueue: Use rb_entry_safe() in timerqueue_getnext() Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chen Zhongjin,
	Peter Zijlstra (Intel),
	Sasha Levin

From: Chen Zhongjin <chenzhongjin@huawei.com>

[ Upstream commit e8d7a90c08ce963c592fb49845f2ccc606a2ac21 ]

In pmu_dev_alloc(), when dev_set_name() fails, it will goto free_dev
and call put_device(pmu->dev) to release it.
However, pmu->dev->release is assigned after this, which causes a warning
and a memory leak.
Call dev_set_name() after pmu->dev->release = pmu_dev_release to fix it.

  Device '(null)' does not have a release() function...
  WARNING: CPU: 2 PID: 441 at drivers/base/core.c:2332 device_release+0x1b9/0x240
  ...
  Call Trace:
    <TASK>
    kobject_put+0x17f/0x460
    put_device+0x20/0x30
    pmu_dev_alloc+0x152/0x400
    perf_pmu_register+0x96b/0xee0
    ...
  kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
  unreferenced object 0xffff888014759000 (size 2048):
    comm "modprobe", pid 441, jiffies 4294931444 (age 38.332s)
    backtrace:
      [<0000000005aed3b4>] kmalloc_trace+0x27/0x110
      [<000000006b38f9b8>] pmu_dev_alloc+0x50/0x400
      [<00000000735f17be>] perf_pmu_register+0x96b/0xee0
      [<00000000e38477f1>] 0xffffffffc0ad8603
      [<000000004e162216>] do_one_initcall+0xd0/0x4e0
      ...

Fixes: abe43400579d ("perf: Sysfs enumeration")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20221111103653.91058-1-chenzhongjin@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/events/core.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 58ef731d52c7..a25b5a8182ec 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -8864,13 +8864,15 @@ static int pmu_dev_alloc(struct pmu *pmu)
 
 	pmu->dev->groups = pmu->attr_groups;
 	device_initialize(pmu->dev);
-	ret = dev_set_name(pmu->dev, "%s", pmu->name);
-	if (ret)
-		goto free_dev;
 
 	dev_set_drvdata(pmu->dev, pmu);
 	pmu->dev->bus = &pmu_bus;
 	pmu->dev->release = pmu_dev_release;
+
+	ret = dev_set_name(pmu->dev, "%s", pmu->name);
+	if (ret)
+		goto free_dev;
+
 	ret = device_add(pmu->dev);
 	if (ret)
 		goto free_dev;
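
Review bot: the fix only works because `free_dev` (not shown) drops the reference with put_device(), which now finds `pmu->dev->release` already set and frees the device together with its name; add a comment above `pmu->dev->release = pmu_dev_release;` saying the release callback must be installed before any error path can reach put_device(), or the ordering will get shuffled again. It is also worth checking that pmu_dev_release() copes with a device whose dev_set_name() failed, since it can now run on one.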
-- 
2.35.1





* [PATCH 4.9 032/251] timerqueue: Use rb_entry_safe() in timerqueue_getnext()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 031/251] perf: Fix possible memleak in pmu_dev_alloc() Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 033/251] ocfs2: fix memory leak in ocfs2_stack_glue_init() Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Barnabás Pőcze,
	Thomas Gleixner, Sasha Levin

From: Barnabás Pőcze <pobrn@protonmail.com>

[ Upstream commit 2f117484329b233455ee278f2d9b0a4356835060 ]

When `timerqueue_getnext()` is called on an empty timer queue, it will
use `rb_entry()` on a NULL pointer, which is invalid. Fix that by using
`rb_entry_safe()` which handles NULL pointers.

This has not caused any issues so far because the offset of the `rb_node`
member in `timerqueue_node` is 0, so `rb_entry()` is essentially a no-op.

Fixes: 511885d7061e ("lib/timerqueue: Rely on rbtree semantics for next timer")
Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20221114195421.342929-1-pobrn@protonmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/timerqueue.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
index 42868a9b4365..df7841c6fdf4 100644
--- a/include/linux/timerqueue.h
+++ b/include/linux/timerqueue.h
@@ -34,7 +34,7 @@ struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
 {
 	struct rb_node *leftmost = rb_first_cached(&head->rb_root);
 
-	return rb_entry(leftmost, struct timerqueue_node, node);
+	return rb_entry_safe(leftmost, struct timerqueue_node, node);
 }
 
 static inline void timerqueue_init(struct timerqueue_node *node)
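
Review bot: the NULL contract is now in the code but not in the documentation; give timerqueue_getnext() a kernel-doc comment stating that it returns NULL when the queue is empty. With `rb_entry()` that only held because `node` is the first member of struct timerqueue_node (offset 0); any reordering of the struct would have turned an empty queue into a bogus non-NULL pointer for every caller that checks `if (next)`, which rb_entry_safe() now rules out regardless of layout.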
-- 
2.35.1
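
As an added example (not part of the patch above or of the kernel tree) of why this bug was latent, the user-space C program below re-implements container_of(), rb_entry() and rb_entry_safe() the way the kernel defines them and models the old and the patched timerqueue_getnext() for two node layouts: the real one, where `node` is the first member, and an assumed one, named node_later here, where it sits behind another field. With rb_entry() an empty queue only looks empty because of the offset-0 accident; with rb_entry_safe() it is NULL whatever the layout, and a non-empty queue still yields the containing node. The struct and function names other than the macros are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Re-implementation of the kernel macros (include/linux/kernel.h and
 * include/linux/rbtree.h), without the type checks. */
struct rb_node {
	struct rb_node *rb_left;
	struct rb_node *rb_right;
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define rb_entry(ptr, type, member) container_of(ptr, type, member)
#define rb_entry_safe(ptr, type, member)			\
	({ __typeof__(ptr) ____ptr = (ptr);			\
	   ____ptr ? rb_entry(____ptr, type, member) : NULL; })

/* Layout in the patched tree: the rb_node is the first member (offset 0). */
struct node_first {
	struct rb_node node;
	uint64_t expires;
};

/* Assumed alternative layout that exposes the latent bug: offset 8. */
struct node_later {
	uint64_t expires;
	struct rb_node node;
};

/* Old timerqueue_getnext(): rb_entry() with no NULL check, per layout. */
static struct node_first *getnext_old_first(struct rb_node *leftmost)
{
	return rb_entry(leftmost, struct node_first, node);
}

static struct node_later *getnext_old_later(struct rb_node *leftmost)
{
	return rb_entry(leftmost, struct node_later, node);
}

/* Patched timerqueue_getnext(): rb_entry_safe() passes NULL through. */
static struct node_later *getnext_new_later(struct rb_node *leftmost)
{
	return rb_entry_safe(leftmost, struct node_later, node);
}

/* Each returns 1 when an empty queue (leftmost == NULL) is reported as empty. */
int old_first_reports_empty(void) { return getnext_old_first(NULL) == NULL; }
int old_later_reports_empty(void) { return getnext_old_later(NULL) == NULL; }
int new_later_reports_empty(void) { return getnext_new_later(NULL) == NULL; }

/* Non-empty queue: the safe variant must still recover the containing node. */
int new_later_finds_node(void)
{
	struct node_later n = { .expires = 42 };
	struct node_later *found = getnext_new_later(&n.node);

	return found == &n && found->expires == 42;
}

int main(void)
{
	printf("old rb_entry, node first : empty reported as empty? %d\n", old_first_reports_empty());
	printf("old rb_entry, node later : empty reported as empty? %d\n", old_later_reports_empty());
	printf("rb_entry_safe, node later: empty reported as empty? %d\n", new_later_reports_empty());
	printf("rb_entry_safe, non-empty : node recovered? %d\n", new_later_finds_node());
	return 0;
}
```

The getnext_old_later(NULL) result is the dangerous case: a non-NULL pointer eight bytes below address zero that a caller checking `if (next)` would go on to dereference. The example never dereferences it; computing it is already undefined behaviour in C, which is exactly why rb_entry_safe() tests the pointer before doing the subtraction.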





* [PATCH 4.9 033/251] ocfs2: fix memory leak in ocfs2_stack_glue_init()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 032/251] timerqueue: Use rb_entry_safe() in timerqueue_getnext() Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 034/251] MIPS: vpe-mt: fix possible memory leak while module exiting Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Joseph Qi,
	Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Gang He,
	Jun Piao, Andrew Morton, Sasha Levin

From: Shang XiaoJing <shangxiaojing@huawei.com>

[ Upstream commit 13b6269dd022aaa69ca8d1df374ab327504121cf ]

ocfs2_table_header should be freed in ocfs2_stack_glue_init() if
ocfs2_sysfs_init() fails, otherwise kmemleak will report a memory leak.

BUG: memory leak
unreferenced object 0xffff88810eeb5800 (size 128):
  comm "modprobe", pid 4507, jiffies 4296182506 (age 55.888s)
  hex dump (first 32 bytes):
    c0 40 14 a0 ff ff ff ff 00 00 00 00 01 00 00 00  .@..............
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000001e59e1cd>] __register_sysctl_table+0xca/0xef0
    [<00000000c04f70f7>] 0xffffffffa0050037
    [<000000001bd12912>] do_one_initcall+0xdb/0x480
    [<0000000064f766c9>] do_init_module+0x1cf/0x680
    [<000000002ba52db0>] load_module+0x6441/0x6f20
    [<000000009772580d>] __do_sys_finit_module+0x12f/0x1c0
    [<00000000380c1f22>] do_syscall_64+0x3f/0x90
    [<000000004cf473bc>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Link: https://lkml.kernel.org/r/41651ca1-432a-db34-eb97-d35744559de1@linux.alibaba.com
Fixes: 3878f110f71a ("ocfs2: Move the hb_ctl_path sysctl into the stack glue.")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/stackglue.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c
index 03e1c6cd6f3c..52ee7c90dc5c 100644
--- a/fs/ocfs2/stackglue.c
+++ b/fs/ocfs2/stackglue.c
@@ -715,6 +715,8 @@ static struct ctl_table_header *ocfs2_table_header;
 
 static int __init ocfs2_stack_glue_init(void)
 {
+	int ret;
+
 	strcpy(cluster_stack_name, OCFS2_STACK_PLUGIN_O2CB);
 
 	ocfs2_table_header = register_sysctl_table(ocfs2_root_table);
@@ -724,7 +726,11 @@ static int __init ocfs2_stack_glue_init(void)
 		return -ENOMEM; /* or something. */
 	}
 
-	return ocfs2_sysfs_init();
+	ret = ocfs2_sysfs_init();
+	if (ret)
+		unregister_sysctl_table(ocfs2_table_header);
+
+	return ret;
 }
 
 static void __exit ocfs2_stack_glue_exit(void)
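
Review bot: the unwind is correct, but the pre-existing `return -ENOMEM; /* or something. */` two lines above shows the register_sysctl_table() failure path was never finished; since this patch already reworks the function's error handling, settle on the errno and drop the placeholder comment in the same change. A labelled unwind (`ret = ocfs2_sysfs_init(); if (ret) goto out_sysctl;`) would also scale better than repeating unregister_sysctl_table() if a third init step is added later.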
-- 
2.35.1





* [PATCH 4.9 034/251] MIPS: vpe-mt: fix possible memory leak while module exiting
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 033/251] ocfs2: fix memory leak in ocfs2_stack_glue_init() Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 035/251] MIPS: vpe-cmp: " Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Thomas Bogendoerfer,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 5822e8cc84ee37338ab0bdc3124f6eec04dc232d ]

After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of the device is allocated dynamically,
so it needs to be freed when the module exits; call put_device() to give up
the reference, so that it can be freed in kobject_cleanup() when the
refcount hits 0. The vpe_device is static, so remove kfree() from
vpe_device_release().

Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/kernel/vpe-mt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c
index 2e003b11a098..9fd7cd48ea1d 100644
--- a/arch/mips/kernel/vpe-mt.c
+++ b/arch/mips/kernel/vpe-mt.c
@@ -313,7 +313,6 @@ ATTRIBUTE_GROUPS(vpe);
 
 static void vpe_device_release(struct device *cd)
 {
-	kfree(cd);
 }
 
 static struct class vpe_class = {
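
Review bot: an intentionally empty release() needs a comment, or the next reader will see a device with a no-op release and assume a leak: something like `/* vpe_device is static: nothing to free, but the driver core requires a release() */` above the empty body. The function itself has to stay, because a NULL release triggers the "does not have a release() function" warning from device_release() once put_device() drops the last reference.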
@@ -497,6 +496,7 @@ int __init vpe_module_init(void)
 	device_del(&vpe_device);
 
 out_class:
+	put_device(&vpe_device);
 	class_unregister(&vpe_class);
 
 out_chrdev:
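
Review bot: put_device() at `out_class:` is only safe for jumps taken after device_initialize() and dev_set_name() have run; the context shows the device_add() failure path landing here, but not whether any earlier failure (class_register(), for instance) also uses `out_class:` instead of `out_chrdev:`. Confirm that, because put_device() on a never-initialised static device would drop a kobject reference that was never taken.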
@@ -509,7 +509,7 @@ void __exit vpe_module_exit(void)
 {
 	struct vpe *v, *n;
 
-	device_del(&vpe_device);
+	device_unregister(&vpe_device);
 	class_unregister(&vpe_class);
 	unregister_chrdev(major, VPE_MODULE_NAME);
 
-- 
2.35.1





* [PATCH 4.9 035/251] MIPS: vpe-cmp: fix possible memory leak while module exiting
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 034/251] MIPS: vpe-mt: fix possible memory leak while module exiting Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 036/251] PNP: fix name memory leak in pnp_alloc_dev() Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Thomas Bogendoerfer,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit c5ed1fe0801f0c66b0fbce2785239a5664629057 ]

dev_set_name() allocates memory for the name, which needs to be freed
when the module exits; call put_device() to give up the reference,
so that it can be freed in kobject_cleanup() when the refcount
hits 0. The vpe_device is static, so remove kfree() from
vpe_device_release().

Fixes: 17a1d523aa58 ("MIPS: APRP: Add VPE loader support for CMP platforms.")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/kernel/vpe-cmp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/mips/kernel/vpe-cmp.c b/arch/mips/kernel/vpe-cmp.c
index 9268ebc0f61e..903c07bdc92d 100644
--- a/arch/mips/kernel/vpe-cmp.c
+++ b/arch/mips/kernel/vpe-cmp.c
@@ -75,7 +75,6 @@ ATTRIBUTE_GROUPS(vpe);
 
 static void vpe_device_release(struct device *cd)
 {
-	kfree(cd);
 }
 
 static struct class vpe_class = {
@@ -157,6 +156,7 @@ int __init vpe_module_init(void)
 	device_del(&vpe_device);
 
 out_class:
+	put_device(&vpe_device);
 	class_unregister(&vpe_class);
 
 out_chrdev:
@@ -169,7 +169,7 @@ void __exit vpe_module_exit(void)
 {
 	struct vpe *v, *n;
 
-	device_del(&vpe_device);
+	device_unregister(&vpe_device);
 	class_unregister(&vpe_class);
 	unregister_chrdev(major, VPE_MODULE_NAME);
 
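
Review bot: device_unregister() is device_del() plus put_device(), so the device name is freed before class_unregister() and unregister_chrdev() run; that mirrors the init-path unwind order and is the right sequence, but it means dev_name(&vpe_device) must not be used by anything later in this function, including the `v, n` list teardown that follows. Keep this and the identical change in vpe-mt.c (the previous patch) in step if either file is touched again.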
-- 
2.35.1





* [PATCH 4.9 036/251] PNP: fix name memory leak in pnp_alloc_dev()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 035/251] MIPS: vpe-cmp: " Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 037/251] irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Hanjun Guo,
	Rafael J. Wysocki, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 110d7b0325c55ff3620073ba4201845f59e22ebf ]

After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of the device is allocated dynamically;
move dev_set_name() after pnp_add_id() to avoid a memory leak.

Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pnp/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/pnp/core.c b/drivers/pnp/core.c
index b54620e53830..3d5865c7694b 100644
--- a/drivers/pnp/core.c
+++ b/drivers/pnp/core.c
@@ -159,14 +159,14 @@ struct pnp_dev *pnp_alloc_dev(struct pnp_protocol *protocol, int id,
 	dev->dev.coherent_dma_mask = dev->dma_mask;
 	dev->dev.release = &pnp_release_device;
 
-	dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number);
-
 	dev_id = pnp_add_id(dev, pnpid);
 	if (!dev_id) {
 		kfree(dev);
 		return NULL;
 	}
 
+	dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number);
+
 	return dev;
 }
 
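
Review bot: dev_set_name() can fail with -ENOMEM and its return value is still ignored; after the move, a failure leaves the device unnamed yet pnp_alloc_dev() returns it as if all went well. Check the result and unwind with put_device() (the release callback is already installed on the line above the hunk), e.g. `if (dev_set_name(&dev->dev, ...)) { put_device(&dev->dev); return NULL; }`. The reorder itself is right: the only failure left before the name is set is pnp_add_id(), whose kfree(dev) therefore no longer strands an allocated name.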
-- 
2.35.1





* [PATCH 4.9 037/251] irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 036/251] PNP: fix name memory leak in pnp_alloc_dev() Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 038/251] libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Marc Zyngier, Sasha Levin

From: Shang XiaoJing <shangxiaojing@huawei.com>

[ Upstream commit f9ee20c85b3a3ba0afd3672630ec4f93d339f015 ]

gic_probe() calls pm_runtime_get_sync() and added a fail path, rpm_put,
to put the usage counter. However, pm_runtime_get_sync()
will increment the usage counter even if it fails. Fix it by replacing it with
pm_runtime_resume_and_get() to keep the usage counter balanced.

Fixes: 9c8edddfc992 ("irqchip/gic: Add platform driver for non-root GICs that require RPM")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20221124065150.22809-1-shangxiaojing@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/irqchip/irq-gic-pm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/irqchip/irq-gic-pm.c b/drivers/irqchip/irq-gic-pm.c
index ecafd295c31c..21c5decfc55b 100644
--- a/drivers/irqchip/irq-gic-pm.c
+++ b/drivers/irqchip/irq-gic-pm.c
@@ -112,7 +112,7 @@ static int gic_probe(struct platform_device *pdev)
 
 	pm_runtime_enable(dev);
 
-	ret = pm_runtime_get_sync(dev);
+	ret = pm_runtime_resume_and_get(dev);
 	if (ret < 0)
 		goto rpm_disable;
 
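
Review bot: pm_runtime_resume_and_get() was added upstream in 5.10, so this backport only builds if include/linux/pm_runtime.h in the 4.9.y tree already carries it; confirm that before applying. The `if (ret < 0)` check stays correct with the new helper, since it returns 0 on success (pm_runtime_get_sync() could return 1 for an already-active device) and drops the usage count itself on failure, which is what makes the existing `rpm_disable` path balanced.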
-- 
2.35.1





* [PATCH 4.9 038/251] libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 037/251] irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 039/251] lib/notifier-error-inject: fix error when writing -errno to debugfs file Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Akinobu Mita, Zhao Gongyi,
	David Hildenbrand, Alexander Viro, Jonathan Corbet,
	Oscar Salvador, Rafael J. Wysocki, Shuah Khan, Wei Yongjun,
	Yicong Yang, Andrew Morton, Sasha Levin

From: Akinobu Mita <akinobu.mita@gmail.com>

[ Upstream commit 2e41f274f9aa71cdcc69dc1f26a3f9304a651804 ]

Patch series "fix error when writing negative value to simple attribute
files".

The simple attribute files do not accept a negative value since the commit
488dac0c9237 ("libfs: fix error cast of negative value in
simple_attr_write()"), but some attribute files want to accept a negative
value.

This patch (of 3):

The simple attribute files do not accept a negative value since the commit
488dac0c9237 ("libfs: fix error cast of negative value in
simple_attr_write()"), so we have to use a 64-bit value to write a
negative value.

This adds DEFINE_SIMPLE_ATTRIBUTE_SIGNED for a signed value.

Link: https://lkml.kernel.org/r/20220919172418.45257-1-akinobu.mita@gmail.com
Link: https://lkml.kernel.org/r/20220919172418.45257-2-akinobu.mita@gmail.com
Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/libfs.c         | 22 +++++++++++++++++++---
 include/linux/fs.h | 12 ++++++++++--
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/fs/libfs.c b/fs/libfs.c
index 835d25e33509..75eeddc35b57 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -861,8 +861,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
 EXPORT_SYMBOL_GPL(simple_attr_read);
 
 /* interpret the buffer as a number to call the set function with */
-ssize_t simple_attr_write(struct file *file, const char __user *buf,
-			  size_t len, loff_t *ppos)
+static ssize_t simple_attr_write_xsigned(struct file *file, const char __user *buf,
+			  size_t len, loff_t *ppos, bool is_signed)
 {
 	struct simple_attr *attr;
 	unsigned long long val;
@@ -883,7 +883,10 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf,
 		goto out;
 
 	attr->set_buf[size] = '\0';
-	ret = kstrtoull(attr->set_buf, 0, &val);
+	if (is_signed)
+		ret = kstrtoll(attr->set_buf, 0, &val);
+	else
+		ret = kstrtoull(attr->set_buf, 0, &val);
 	if (ret)
 		goto out;
 	ret = attr->set(attr->data, val);
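
Review bot: `val` is still declared `unsigned long long` (context of the previous hunk) while kstrtoll() takes a `long long *`; this only compiles quietly because the kernel builds with -Wno-pointer-sign. Parse into a `long long` temporary in the `is_signed` branch and assign it to `val` afterwards; the conversion to u64 keeps the bit pattern, which is exactly what attr->set() needs to recover the negative value.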
@@ -893,8 +896,21 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf,
 	mutex_unlock(&attr->mutex);
 	return ret;
 }
+
+ssize_t simple_attr_write(struct file *file, const char __user *buf,
+			  size_t len, loff_t *ppos)
+{
+	return simple_attr_write_xsigned(file, buf, len, ppos, false);
+}
 EXPORT_SYMBOL_GPL(simple_attr_write);
 
+ssize_t simple_attr_write_signed(struct file *file, const char __user *buf,
+			  size_t len, loff_t *ppos)
+{
+	return simple_attr_write_xsigned(file, buf, len, ppos, true);
+}
+EXPORT_SYMBOL_GPL(simple_attr_write_signed);
+
 /**
  * generic_fh_to_dentry - generic helper for the fh_to_dentry export operation
  * @sb:		filesystem to do the file handle conversion on
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 9e4a75005280..a794954e2c8e 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -3132,7 +3132,7 @@ void simple_transaction_set(struct file *file, size_t n);
  * All attributes contain a text representation of a numeric value
  * that are accessed with the get() and set() functions.
  */
-#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt)		\
+#define DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, __is_signed)	\
 static int __fops ## _open(struct inode *inode, struct file *file)	\
 {									\
 	__simple_attr_check_format(__fmt, 0ull);			\
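
Review bot: `__simple_attr_check_format(__fmt, 0ull)` still validates the format against an unsigned argument regardless of `__is_signed`; passing `0ll` for the signed variant would match the value actually printed, though -Wformat only reports the signedness mismatch under -Wformat-signedness, so this is a style point. The trailing backslash on the renamed macro line also no longer lines up with the rest of the macro body.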
@@ -3143,10 +3143,16 @@ static const struct file_operations __fops = {				\
 	.open	 = __fops ## _open,					\
 	.release = simple_attr_release,					\
 	.read	 = simple_attr_read,					\
-	.write	 = simple_attr_write,					\
+	.write	 = (__is_signed) ? simple_attr_write_signed : simple_attr_write,	\
 	.llseek	 = generic_file_llseek,					\
 }
 
+#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt)		\
+	DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, false)
+
+#define DEFINE_SIMPLE_ATTRIBUTE_SIGNED(__fops, __get, __set, __fmt)	\
+	DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, true)
+
 static inline __printf(1, 2)
 void __simple_attr_check_format(const char *fmt, ...)
 {
@@ -3161,6 +3167,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
 			 size_t len, loff_t *ppos);
 ssize_t simple_attr_write(struct file *file, const char __user *buf,
 			  size_t len, loff_t *ppos);
+ssize_t simple_attr_write_signed(struct file *file, const char __user *buf,
+				 size_t len, loff_t *ppos);
 
 struct ctl_table;
 int proc_nr_files(struct ctl_table *table, int write,
-- 
2.35.1





* [PATCH 4.9 039/251] lib/notifier-error-inject: fix error when writing -errno to debugfs file
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 038/251] libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 040/251] rapidio: fix possible name leaks when rio_add_device() fails Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Akinobu Mita, Zhao Gongyi,
	David Hildenbrand, Alexander Viro, Jonathan Corbet,
	Oscar Salvador, Rafael J. Wysocki, Shuah Khan, Wei Yongjun,
	Yicong Yang, Andrew Morton, Sasha Levin

From: Akinobu Mita <akinobu.mita@gmail.com>

[ Upstream commit f883c3edd2c432a2931ec8773c70a570115a50fe ]

The simple attribute files do not accept a negative value since the commit
488dac0c9237 ("libfs: fix error cast of negative value in
simple_attr_write()").

This restores the previous behaviour by using newly introduced
DEFINE_SIMPLE_ATTRIBUTE_SIGNED instead of DEFINE_SIMPLE_ATTRIBUTE.

Link: https://lkml.kernel.org/r/20220919172418.45257-3-akinobu.mita@gmail.com
Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/notifier-error-inject.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/notifier-error-inject.c b/lib/notifier-error-inject.c
index eb4a04afea80..125ea8ce23a4 100644
--- a/lib/notifier-error-inject.c
+++ b/lib/notifier-error-inject.c
@@ -14,7 +14,7 @@ static int debugfs_errno_get(void *data, u64 *val)
 	return 0;
 }
 
-DEFINE_SIMPLE_ATTRIBUTE(fops_errno, debugfs_errno_get, debugfs_errno_set,
+DEFINE_SIMPLE_ATTRIBUTE_SIGNED(fops_errno, debugfs_errno_get, debugfs_errno_set,
 			"%lld\n");
 
 static struct dentry *debugfs_create_errno(const char *name, umode_t mode,
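
Review bot: the `"%lld\n");` continuation line was indented to sit under the arguments of the old, shorter macro name and is now seven columns off; re-indent it. Functionally the setter now receives negative values with the sign carried through the u64 parameter, so debugfs_errno_set() (not in the diff) has to cast back to int rather than range-check for a non-negative errno; worth a glance.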
-- 
2.35.1





* [PATCH 4.9 040/251] rapidio: fix possible name leaks when rio_add_device() fails
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 039/251] lib/notifier-error-inject: fix error when writing -errno to debugfs file Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 041/251] rapidio: rio: fix possible name leak in rio_register_mport() Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexandre Bounine,
	Matt Porter, Andrew Morton, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f9574cd48679926e2a569e1957a5a1bcc8a719ac ]

Patch series "rapidio: fix three possible memory leaks".

This patchset fixes three name leaks in error handling.
 - patch #1 fixes two name leaks when rio_add_device() fails.
 - patch #2 fixes a name leak when rio_register_mport() fails.

This patch (of 2):

If rio_add_device() returns an error, the name allocated by dev_set_name()
needs to be freed.  It should use put_device() to give up the reference in the
error path, so that the name can be freed in kobject_cleanup(), and the
'rdev' can be freed in rio_release_dev().

Link: https://lkml.kernel.org/r/20221114152636.2939035-1-yangyingliang@huawei.com
Link: https://lkml.kernel.org/r/20221114152636.2939035-2-yangyingliang@huawei.com
Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rapidio/devices/rio_mport_cdev.c | 7 +++++--
 drivers/rapidio/rio-scan.c               | 8 ++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index c246d3a2fc5f..c0597b6d75ef 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -1864,8 +1864,11 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
 		rio_init_dbell_res(&rdev->riores[RIO_DOORBELL_RESOURCE],
 				   0, 0xffff);
 	err = rio_add_device(rdev);
-	if (err)
-		goto cleanup;
+	if (err) {
+		put_device(&rdev->dev);
+		return err;
+	}
+
 	rio_dev_get(rdev);
 
 	return 0;
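
Review bot: replacing `goto cleanup` with an inline put_device() is correct only if rio_release_dev() frees everything the old `cleanup:` label freed; the commit message covers `rdev` itself, but anything else the label released now leaks. The label is not shown: if this was its only user, remove it too, or the build will warn about an unused label.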
diff --git a/drivers/rapidio/rio-scan.c b/drivers/rapidio/rio-scan.c
index 23429bdaca84..26ab8c463dae 100644
--- a/drivers/rapidio/rio-scan.c
+++ b/drivers/rapidio/rio-scan.c
@@ -460,8 +460,12 @@ static struct rio_dev *rio_setup_device(struct rio_net *net,
 				   0, 0xffff);
 
 	ret = rio_add_device(rdev);
-	if (ret)
-		goto cleanup;
+	if (ret) {
+		if (rswitch)
+			kfree(rswitch->route_table);
+		put_device(&rdev->dev);
+		return NULL;
+	}
 
 	rio_dev_get(rdev);
 
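
Review bot: kfree(rswitch->route_table) immediately before put_device() is a double free if rio_release_dev() also frees the route table; confirm which side owns it and either drop the kfree or add a comment stating that switch resources stay with the caller until rio_add_device() succeeds. `return NULL` also discards `ret`, so the caller cannot tell -ENOMEM from a registration failure; that is pre-existing, but worth fixing while here.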
-- 
2.35.1





* [PATCH 4.9 041/251] rapidio: rio: fix possible name leak in rio_register_mport()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 040/251] rapidio: fix possible name leaks when rio_add_device() fails Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:52 ` [PATCH 4.9 042/251] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexandre Bounine,
	Matt Porter, Andrew Morton, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit e92a216d16bde65d21a3227e0fb2aa0794576525 ]

If device_register() returns an error, the name allocated by dev_set_name()
needs to be freed.  It should use put_device() to give up the reference in the
error path, so that the name can be freed in kobject_cleanup(), and
list_del() is called to delete the port from rio_mports.

Link: https://lkml.kernel.org/r/20221114152636.2939035-3-yangyingliang@huawei.com
Fixes: 2aaf308b95b2 ("rapidio: rework device hierarchy and introduce mport class of devices")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rapidio/rio.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
index 37042858c2db..4710286096dc 100644
--- a/drivers/rapidio/rio.c
+++ b/drivers/rapidio/rio.c
@@ -2275,11 +2275,16 @@ int rio_register_mport(struct rio_mport *port)
 	atomic_set(&port->state, RIO_DEVICE_RUNNING);
 
 	res = device_register(&port->dev);
-	if (res)
+	if (res) {
 		dev_err(&port->dev, "RIO: mport%d registration failed ERR=%d\n",
 			port->id, res);
-	else
+		mutex_lock(&rio_mport_list_lock);
+		list_del(&port->node);
+		mutex_unlock(&rio_mport_list_lock);
+		put_device(&port->dev);
+	} else {
 		dev_dbg(&port->dev, "RIO: registered mport%d\n", port->id);
+	}
 
 	return res;
 }
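
Review bot: dev_err() on the device whose device_register() failed is fine because it runs before put_device(), but the new list_del() assumes the port was added to rio_mports earlier in this function under rio_mport_list_lock, which the hunk does not show. Check that no other early return between that list_add and here leaves a stale entry, or move the list insertion after the successful register so the error path needs no list surgery at all.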
-- 
2.35.1
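
Five of the patches above (034, 035, 036, 040 and 041) fix the same ownership mistake, so one added example serves all of them. The user-space C model below is not kernel code and not from any of those patches: it re-implements just enough of struct device, dev_set_name(), put_device(), device_add()/device_del()/device_unregister() and a release() callback to count outstanding allocations the way kmemleak would, then replays the situations the patches address: a static device whose exit path only calls device_del(), the same with device_unregister(), a heap container kfree()d directly after dev_set_name() (the pnp_alloc_dev() ordering), and a registration failure unwound with put_device() (the rapidio paths). The kernel function names are kept; the struct layout, the `tracked_*` helpers, the errno values and the simulated failure flag are assumptions.

```c
#include <stdlib.h>
#include <string.h>

static int live_allocs; /* outstanding allocations, as kmemleak would count them */

static void *tracked_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Stand-in for struct device with its embedded kobject (assumed layout). */
struct device {
	char *name;                       /* separate allocation, set by dev_set_name() */
	int refcount;                     /* kobject reference count */
	void (*release)(struct device *); /* owner's callback, run on the last put */
};

static void device_initialize(struct device *dev) { memset(dev, 0, sizeof(*dev)); dev->refcount = 1; }

/* dev_set_name(): the name is heap memory owned by the kobject, not by the caller. */
static int dev_set_name(struct device *dev, const char *name)
{
	char *copy = tracked_alloc(strlen(name) + 1);
	if (!copy)
		return -12; /* -ENOMEM (assumed value) */
	strcpy(copy, name);
	dev->name = copy;
	return 0;
}

/* put_device(): the last reference runs kobject_cleanup(), which frees the
 * name and then hands the container back to its owner via release(). */
static void put_device(struct device *dev)
{
	if (--dev->refcount > 0)
		return;
	tracked_free(dev->name);
	dev->name = NULL;
	if (dev->release)
		dev->release(dev);
}

/* device_add()/device_del() take and drop the bus's reference, never the
 * initial one; 'fail' simulates a registration error. */
static int device_add(struct device *dev, int fail) { if (fail) return -5; dev->refcount++; return 0; }
static void device_del(struct device *dev) { dev->refcount--; }
static void device_unregister(struct device *dev) { device_del(dev); put_device(dev); }

static void static_release(struct device *dev) { (void)dev; } /* static device: nothing to free */

struct container { struct device dev; int id; }; /* heap owner with the device first */
static void container_release(struct device *dev) { tracked_free((struct container *)dev); }

static void static_device_init(struct device *dev)
{
	live_allocs = 0;
	device_initialize(dev);
	dev->release = static_release;
	dev_set_name(dev, "vpe1");
	device_add(dev, 0);
}

/* vpe-mt/vpe-cmp before the fix: module exit calls device_del() only. */
int static_device_del_only(void)
{
	static struct device vpe_device;
	static_device_init(&vpe_device);
	device_del(&vpe_device);
	return live_allocs; /* 1: the name is never freed */
}

/* After the fix: device_unregister() also drops the initial reference. */
int static_device_unregister(void)
{
	static struct device vpe_device;
	static_device_init(&vpe_device);
	device_unregister(&vpe_device);
	return live_allocs; /* 0 */
}

static struct container *container_alloc(void)
{
	struct container *c;
	live_allocs = 0;
	c = tracked_alloc(sizeof(*c));
	device_initialize(&c->dev);
	c->dev.release = container_release;
	return c;
}

/* pnp_alloc_dev(): a failure path that kfree()s the container bypasses
 * put_device(), so a name set before that point leaks. */
int container_kfree_after_failure(int name_before_failure)
{
	struct container *c = container_alloc();
	if (name_before_failure)
		dev_set_name(&c->dev, "00:01");
	tracked_free(c); /* old pnp_add_id() failure path: kfree(dev) */
	return live_allocs; /* 1 if named first, else 0 */
}

/* rapidio: registration fails after naming; put_device() frees the name and,
 * through release(), the container. */
int container_add_fails_put_device(void)
{
	struct container *c = container_alloc();
	dev_set_name(&c->dev, "00:01");
	if (device_add(&c->dev, 1))
		put_device(&c->dev);
	return live_allocs; /* 0 */
}
```

The counts are the point: the name belongs to the kobject, so only a path that ends in put_device() frees it; kfree() on the container or device_del() alone never does, and neither does an empty release(), which is why the vpe fix both removes the kfree() from vpe_device_release() and adds the put_device().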





* [PATCH 4.9 042/251] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2023-01-05 12:52 ` [PATCH 4.9 041/251] rapidio: rio: fix possible name leak in rio_register_mport() Greg Kroah-Hartman
@ 2023-01-05 12:52 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 043/251] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:52 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li Zetao, Rafael J. Wysocki, Sasha Levin

From: Li Zetao <lizetao1@huawei.com>

[ Upstream commit 470188b09e92d83c5a997f25f0e8fb8cd2bc3469 ]

There is an use-after-free reported by KASAN:

  BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
  Read of size 1 at addr ffff888112afc460 by task modprobe/2111
  CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  Call Trace:
   <TASK>
   kasan_report+0xae/0xe0
   acpi_ut_remove_reference+0x3b/0x82
   acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
   acpi_ds_store_object_to_local+0x15d/0x3a0
   acpi_ex_store+0x78d/0x7fd
   acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
   acpi_ps_parse_aml+0x217/0x8d5
   ...
   </TASK>

The root cause of the problem is that the acpi_operand_object
is freed when acpi_ut_walk_package_tree() fails in
acpi_ut_copy_ipackage_to_ipackage(), leading to a repeated release in
acpi_ut_copy_iobject_to_iobject(). The problem was introduced
by commit "8aa5e56eeb61"; that commit fixes a memory leak in
acpi_ut_copy_iobject_to_iobject() but adds a second remove
operation, leading to the "acpi_operand_object" being used after free.

Fix it by removing acpi_ut_remove_reference() in
acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()
is called to copy an internal package object into another internal
package object; when it fails, the memory of the acpi_operand_object
should be freed by the caller.

Fixes: 8aa5e56eeb61 ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/acpica/utcopy.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c
index 82f971402d85..646e296e4c13 100644
--- a/drivers/acpi/acpica/utcopy.c
+++ b/drivers/acpi/acpica/utcopy.c
@@ -950,13 +950,6 @@ acpi_ut_copy_ipackage_to_ipackage(union acpi_operand_object *source_obj,
 	status = acpi_ut_walk_package_tree(source_obj, dest_obj,
 					   acpi_ut_copy_ielement_to_ielement,
 					   walk_state);
-	if (ACPI_FAILURE(status)) {
-
-		/* On failure, delete the destination package object */
-
-		acpi_ut_remove_reference(dest_obj);
-	}
-
 	return_ACPI_STATUS(status);
 }
 
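Review bot: dropping acpi_ut_remove_reference(dest_obj) here moves responsibility for releasing dest_obj on failure to the caller; that is correct for acpi_ut_copy_iobject_to_iobject() per the commit message, but any other caller of acpi_ut_copy_ipackage_to_ipackage() would now leak dest_obj when acpi_ut_walk_package_tree() fails. The ownership rule (caller frees dest_obj on error) belongs in the function's header comment, not only in the changelog.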
-- 
2.35.1


* [PATCH 4.9 043/251] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Seiji Nishikawa, Denys Vlasenko,
	Oleg Nesterov, Thomas Gleixner, Masami Hiramatsu (Google),
	Sasha Levin

From: Oleg Nesterov <oleg@redhat.com>

[ Upstream commit cefa72129e45313655d53a065b8055aaeb01a0c9 ]

Intel ICC -hotpatch inserts a 2-byte "0x66 0x90" NOP at the start of each
function to reserve extra space for hot-patching, and currently it is not
possible to probe these functions because branch_setup_xol_ops() wrongly
rejects NOPs with a REP prefix, as it treats them like word-sized branch
instructions.

Fixes: 250bbd12c2fe ("uprobes/x86: Refuse to attach uprobe to "word-sized" branch insns")
Reported-by: Seiji Nishikawa <snishika@redhat.com>
Suggested-by: Denys Vlasenko <dvlasenk@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Link: https://lore.kernel.org/r/20221204173933.GA31544@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/uprobes.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index 52bb7413f352..953ed5b5a218 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -718,8 +718,9 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
 	switch (opc1) {
 	case 0xeb:	/* jmp 8 */
 	case 0xe9:	/* jmp 32 */
-	case 0x90:	/* prefix* + nop; same as jmp with .offs = 0 */
 		break;
+	case 0x90:	/* prefix* + nop; same as jmp with .offs = 0 */
+		goto setup;
 
 	case 0xe8:	/* call relative */
 		branch_clear_offset(auprobe, insn);
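Review bot: the `goto setup` on the 0x90 case deserves a comment saying that it deliberately bypasses the operand-size-prefix rejection that follows the switch (the jmp cases that `break` still go through it); without that, the asymmetry between `break` and `goto` on adjacent cases reads like a mistake.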
@@ -748,6 +749,7 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
 			return -ENOTSUPP;
 	}
 
+setup:
 	auprobe->branch.opc1 = opc1;
 	auprobe->branch.ilen = insn->length;
 	auprobe->branch.offs = insn->immediate.value;
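Review bot: the new `setup:` label lands the NOP path on auprobe->branch.offs = insn->immediate.value, which is 0 for a NOP as the case comment says, and ilen = insn->length includes the 0x66 prefix so execution resumes after the full 2-byte instruction; a short comment at the label noting that it is reached directly for 0x90 would make that dependency explicit.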
-- 
2.35.1


* [PATCH 4.9 044/251] x86/xen: Fix memory leak in xen_init_lock_cpu()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Juergen Gross, Sasha Levin

From: Xiu Jianfeng <xiujianfeng@huawei.com>

[ Upstream commit ca84ce153d887b1dc8b118029976cc9faf2a9b40 ]

In xen_init_lock_cpu(), @name is a new string allocated by kasprintf();
if bind_ipi_to_irqhandler() fails, it should be freed, otherwise it may
lead to a memory leak. Fix it.

Fixes: 2d9e1e2f58b5 ("xen: implement Xen-specific spinlocks")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/20221123155858.11382-3-xiujianfeng@huawei.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/xen/spinlock.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
index 44bf8a22c97b..4e540958ea36 100644
--- a/arch/x86/xen/spinlock.c
+++ b/arch/x86/xen/spinlock.c
@@ -80,6 +80,7 @@ void xen_init_lock_cpu(int cpu)
 	     cpu, per_cpu(lock_kicker_irq, cpu));
 
 	name = kasprintf(GFP_KERNEL, "spinlock%d", cpu);
+	per_cpu(irq_name, cpu) = name;
 	irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR,
 				     cpu,
 				     dummy_handler,
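Review bot: storing name in per_cpu(irq_name, cpu) before the bind is what makes the failure case freeable, but if xen_init_lock_cpu() is ever re-entered for a cpu whose irq_name is still set, the previous string is overwritten and leaked; a WARN_ON(per_cpu(irq_name, cpu)) or a kfree of the old value before the assignment would guard that.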
@@ -90,7 +91,6 @@ void xen_init_lock_cpu(int cpu)
 	if (irq >= 0) {
 		disable_irq(irq); /* make sure it's never delivered */
 		per_cpu(lock_kicker_irq, cpu) = irq;
-		per_cpu(irq_name, cpu) = name;
 	}
 
 	printk("cpu %d spinlock event irq %d\n", cpu, irq);
@@ -103,6 +103,8 @@ void xen_uninit_lock_cpu(int cpu)
 	if (!xen_pvspin)
 		return;
 
+	kfree(per_cpu(irq_name, cpu));
+	per_cpu(irq_name, cpu) = NULL;
 	/*
 	 * When booting the kernel with 'mitigations=auto,nosmt', the secondary
 	 * CPUs are not activated, and lock_kicker_irq is not initialized.
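Review bot: freeing per_cpu(irq_name, cpu) here, ahead of the unbind_from_irqhandler() later in the function, releases the string while the irqaction registered by bind_ipi_to_irqhandler() may still hold it as its devname (the commit message implies @name is what gets passed in); anything that reads IRQ names in that window, such as /proc/interrupts, would see freed memory. Safer to keep the kfree after the unbind and add a second kfree on the early-return path for the uninitialized lock_kicker_irq case.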
@@ -113,8 +115,6 @@ void xen_uninit_lock_cpu(int cpu)
 
 	unbind_from_irqhandler(irq, NULL);
 	per_cpu(lock_kicker_irq, cpu) = -1;
-	kfree(per_cpu(irq_name, cpu));
-	per_cpu(irq_name, cpu) = NULL;
 }
 
 
-- 
2.35.1


* [PATCH 4.9 045/251] MIPS: BCM63xx: Add check for NULL for clk in clk_enable
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anastasia Belova,
	Philippe Mathieu-Daudé,
	Florian Fainelli, Thomas Bogendoerfer, Sasha Levin

From: Anastasia Belova <abelova@astralinux.ru>

[ Upstream commit ee9ef11bd2a59c2fefaa0959e5efcdf040d7c654 ]

Check clk for NULL before calling clk_enable_unlocked, where clk
is dereferenced. There is such a check in other implementations
of clk_enable.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs.")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/bcm63xx/clk.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c
index 3be875a45c83..0b718a94656a 100644
--- a/arch/mips/bcm63xx/clk.c
+++ b/arch/mips/bcm63xx/clk.c
@@ -316,6 +316,8 @@ static struct clk clk_periph = {
  */
 int clk_enable(struct clk *clk)
 {
+	if (!clk)
+		return 0;
 	mutex_lock(&clocks_mutex);
 	clk_enable_unlocked(clk);
 	mutex_unlock(&clocks_mutex);
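Review bot: returning 0 for a NULL clk matches the common clk API convention that clk_enable(NULL) is a successful no-op, but the matching clk_disable() in this file (not in the hunk) needs the same guard or a NULL disable will still dereference; also a blank line after the early return, before mutex_lock(), would match the rest of the function's style.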
-- 
2.35.1


* [PATCH 4.9 046/251] fs: sysv: Fix sysv_nblocks() returns wrong value
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Al Viro, Sasha Levin

From: Chen Zhongjin <chenzhongjin@huawei.com>

[ Upstream commit e0c49bd2b4d3cd1751491eb2d940bce968ac65e9 ]

sysv_nblocks() returns 'blocks' rather than 'res', which only counts
the number of triple-indirect blocks and causes sysv_getattr() to get a
wrong result.

[AV: this is actually a sysv counterpart of minixfs fix -
0fcd426de9d0 "[PATCH] minix block usage counting fix" in
historical tree; mea culpa, should've thought to check
fs/sysv back then...]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/sysv/itree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
index 08d3e630b49c..f5b0837511cf 100644
--- a/fs/sysv/itree.c
+++ b/fs/sysv/itree.c
@@ -437,7 +437,7 @@ static unsigned sysv_nblocks(struct super_block *s, loff_t size)
 		res += blocks;
 		direct = 1;
 	}
-	return blocks;
+	return res;
 }
 
 int sysv_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
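Review bot: the one-line change is correct given the visible `res += blocks` accumulation: `blocks` at loop exit is only the count from the last (triple-indirect) iteration, while `res` is the running total that sysv_getattr() below feeds into the stat result; a short comment marking `res` as the accumulated block count would stop the same slip recurring.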
-- 
2.35.1


* [PATCH 4.9 047/251] rapidio: fix possible UAF when kfifo_alloc() fails
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wang Weiyang, Alexandre Bounine,
	Dan Carpenter, Jakob Koschel, John Hubbard, Matt Porter,
	Yang Yingliang, Andrew Morton, Sasha Levin

From: Wang Weiyang <wangweiyang2@huawei.com>

[ Upstream commit 02d7d89f816951e0862147d751b1150d67aaebdd ]

If kfifo_alloc() fails in mport_cdev_open(), we goto err_fifo and just free
priv. But priv is still in chdev->file_list, so list traversal
may cause a UAF. This fixes the following smatch warning:

drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list

Link: https://lkml.kernel.org/r/20221123095147.52408-1-wangweiyang2@huawei.com
Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Dan Carpenter <error27@gmail.com>
Cc: Jakob Koschel <jakobkoschel@gmail.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rapidio/devices/rio_mport_cdev.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index c0597b6d75ef..381354ef0959 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -1964,10 +1964,6 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
 
 	priv->md = chdev;
 
-	mutex_lock(&chdev->file_mutex);
-	list_add_tail(&priv->list, &chdev->file_list);
-	mutex_unlock(&chdev->file_mutex);
-
 	INIT_LIST_HEAD(&priv->db_filters);
 	INIT_LIST_HEAD(&priv->pw_filters);
 	spin_lock_init(&priv->fifo_lock);
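Review bot: removing the early list_add_tail() means priv->list is no longer initialised when the existing err_fifo path (outside this hunk) runs; if that path or any other cleanup before the new insertion point does a list_del(&priv->list), it now operates on an uninitialised list_head. Either confirm no such list_del exists on those paths or add INIT_LIST_HEAD(&priv->list) next to the other INIT_LIST_HEAD calls.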
@@ -1987,6 +1983,9 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
 	spin_lock_init(&priv->req_lock);
 	mutex_init(&priv->dma_lock);
 #endif
+	mutex_lock(&chdev->file_mutex);
+	list_add_tail(&priv->list, &chdev->file_list);
+	mutex_unlock(&chdev->file_mutex);
 
 	filp->private_data = priv;
 	goto out;
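Review bot: inserting into chdev->file_list only after every fallible step is the right fix, since nothing between the list_add_tail() and `goto out` can fail and leave priv reachable from the list; a blank line between the `#endif` and the mutex_lock() would keep the #ifdef block visually separate from the unconditional registration.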
-- 
2.35.1


* [PATCH 4.9 048/251] eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Qilong, Dylan Yudaken,
	Jens Axboe, Sha Zhengju, Andrew Morton, Sasha Levin

From: Zhang Qilong <zhangqilong3@huawei.com>

[ Upstream commit fd4e60bf0ef8eb9edcfa12dda39e8b6ee9060492 ]

Commit ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()")
forgot to change int to __u64 in the CONFIG_EVENTFD=n stub function.

Link: https://lkml.kernel.org/r/20221124140154.104680-1-zhangqilong3@huawei.com
Fixes: ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Cc: Dylan Yudaken <dylany@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Sha Zhengju <handai.szj@taobao.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/eventfd.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h
index ff0b981f078e..c5a383162c0b 100644
--- a/include/linux/eventfd.h
+++ b/include/linux/eventfd.h
@@ -56,7 +56,7 @@ static inline struct eventfd_ctx *eventfd_ctx_fdget(int fd)
 	return ERR_PTR(-ENOSYS);
 }
 
-static inline int eventfd_signal(struct eventfd_ctx *ctx, int n)
+static inline int eventfd_signal(struct eventfd_ctx *ctx, __u64 n)
 {
 	return -ENOSYS;
 }
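Review bot: the stub now takes the same __u64 count as the real eventfd_signal() (per the Fixes reference to ee62c6b2dc93), which avoids a silent truncation of the count in callers compiled with CONFIG_EVENTFD=n; since the stub always returns -ENOSYS this is type-only, but the real declaration's return type should be checked in the same header so the two prototypes stay in step.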
-- 
2.35.1


* [PATCH 4.9 049/251] hfs: Fix OOB Write in hfs_asc2mac
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, ZhangPeng, Viacheslav Dubeyko,
	syzbot+dc3b1cf9111ab5fe98e7, Andrew Morton, Sasha Levin

From: ZhangPeng <zhangpeng362@huawei.com>

[ Upstream commit c53ed55cb275344086e32a7080a6b19cb183650b ]

Syzbot reported an OOB write bug:

loop0: detected capacity change from 0 to 64
==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0
fs/hfs/trans.c:133
Write of size 1 at addr ffff88801848314e by task syz-executor391/3632

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x1f0 mm/kasan/report.c:395
 kasan_report+0xcd/0x100 mm/kasan/report.c:495
 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133
 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28
 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31
 lookup_open fs/namei.c:3391 [inline]
 open_last_lookups fs/namei.c:3481 [inline]
 path_openat+0x10e6/0x2df0 fs/namei.c:3710
 do_filp_open+0x264/0x4f0 fs/namei.c:3740

If in->len is much larger than HFS_NAMELEN (31), which is the maximum
length of an HFS filename, an OOB write could occur in hfs_asc2mac(). In
that case, when dst reaches the boundary, srclen is still
greater than 0, which causes an OOB write.
Fix this by adding a check on dstlen in the while() before writing to the
dst address.

Link: https://lkml.kernel.org/r/20221202030038.1391945-1-zhangpeng362@huawei.com
Fixes: 328b92278650 ("[PATCH] hfs: NLS support")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Reported-by: <syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/trans.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c
index 39f5e343bf4d..fdb0edb8a607 100644
--- a/fs/hfs/trans.c
+++ b/fs/hfs/trans.c
@@ -109,7 +109,7 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr
 	if (nls_io) {
 		wchar_t ch;
 
-		while (srclen > 0) {
+		while (srclen > 0 && dstlen > 0) {
 			size = nls_io->char2uni(src, srclen, &ch);
 			if (size < 0) {
 				ch = '?';
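Review bot: adding `dstlen > 0` to the loop condition stops the loop at the boundary, but the body (outside this hunk) must also decrement dstlen by the bytes the disk-side uni2char() actually writes and pass dstlen to it, so that a multi-byte output cannot overrun on the last iteration. With that in place a name longer than HFS_NAMELEN is silently truncated rather than rejected, which is worth noting in the function comment since truncation can map distinct long names to the same catalog key.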
-- 
2.35.1
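Added example, not code from the patch or from fs/hfs/trans.c: a stand-alone C model of the conversion loop above, with a constructed char2uni/uni2char pair (toy_char2uni, toy_uni2char) standing in for the NLS tables and a struct mac_name standing in for struct hfs_name, so the effect of the `dstlen > 0` condition can be measured on a name longer than HFS_NAMELEN (31, as the commit message states). asc2mac_bounded, asc2mac_unbounded_would_write, bounded_len and bounded_equals are names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* HFS_NAMELEN is 31 in the kernel; everything else here is a constructed
 * model of the loop, not the kernel's fs/hfs/trans.c. */
#define HFS_NAMELEN 31

/* Pascal-style output record in the shape of struct hfs_name. */
struct mac_name {
	unsigned char len;
	unsigned char name[HFS_NAMELEN];
};

/* Toy stand-in for nls_io->char2uni(): ASCII is one byte, 0xC2..0xDF is a
 * two-byte UTF-8 lead. Returns bytes consumed, or -1 for a bad sequence. */
static int toy_char2uni(const unsigned char *src, size_t srclen,
			unsigned int *uni)
{
	if (src[0] < 0x80) {
		*uni = src[0];
		return 1;
	}
	if (src[0] >= 0xC2 && src[0] <= 0xDF) {
		if (srclen < 2 || (src[1] & 0xC0) != 0x80)
			return -1;
		*uni = ((src[0] & 0x1Fu) << 6) | (src[1] & 0x3Fu);
		return 2;
	}
	return -1;
}

/* Toy stand-in for nls_disk->uni2char(): ASCII maps to itself, anything
 * else becomes '?'. Writes at most one byte and never past dst + dstlen. */
static int toy_uni2char(unsigned int uni, unsigned char *dst, size_t dstlen)
{
	if (dstlen == 0)
		return 0;
	dst[0] = uni < 0x80 ? (unsigned char)uni : '?';
	return 1;
}

/* Fixed loop: runs only while there is input left AND room in dst.
 * Returns the number of bytes placed in out->name (also stored in out->len). */
size_t asc2mac_bounded(struct mac_name *out, const unsigned char *src,
		       size_t srclen)
{
	unsigned char *dst = out->name;
	size_t dstlen = HFS_NAMELEN;

	while (srclen > 0 && dstlen > 0) {
		unsigned int ch;
		int size = toy_char2uni(src, srclen, &ch);

		if (size < 0) {	/* undecodable input byte: emit '?' */
			ch = '?';
			size = 1;
		}
		src += size;
		srclen -= (size_t)size;

		size = toy_uni2char(ch, dst, dstlen);
		if (size <= 0)
			break;
		dst += size;
		dstlen -= (size_t)size;	/* shrink the remaining room */
	}
	out->len = (unsigned char)(HFS_NAMELEN - dstlen);
	return out->len;
}

/* Model of the pre-fix loop (while (srclen > 0) only): counts the bytes it
 * would emit without writing them, so the overrun is measurable safely. */
size_t asc2mac_unbounded_would_write(const unsigned char *src, size_t srclen)
{
	size_t written = 0;

	while (srclen > 0) {
		unsigned int ch;
		int size = toy_char2uni(src, srclen, &ch);

		if (size < 0)
			size = 1;
		src += size;
		srclen -= (size_t)size;
		written++;	/* toy_uni2char emits exactly one byte */
	}
	return written;
}

/* Length of the Mac name produced from a C string. */
size_t bounded_len(const char *s)
{
	struct mac_name n;

	return asc2mac_bounded(&n, (const unsigned char *)s, strlen(s));
}

/* 1 if converting s yields exactly the bytes of expect, else 0. */
int bounded_equals(const char *s, const char *expect)
{
	struct mac_name n;
	size_t len = asc2mac_bounded(&n, (const unsigned char *)s, strlen(s));

	return len == strlen(expect) && memcmp(n.name, expect, len) == 0;
}
```

For a 40-character name the unbounded model would emit 40 bytes into a 31-byte field, while the bounded loop stops at 31; the multi-byte and truncated-sequence inputs show the '?' substitution path counting against dstlen like any other byte.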


* [PATCH 4.9 050/251] rapidio: devices: fix missing put_device in mport_cdev_open
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cai Xinchen, Alexandre Bounine,
	Dan Carpenter, Jakob Koschel, John Hubbard, Matt Porter,
	Wang Weiyang, Yang Yingliang, Andrew Morton, Sasha Levin

From: Cai Xinchen <caixinchen1@huawei.com>

[ Upstream commit d5b6e6eba3af11cb2a2791fa36a2524990fcde1a ]

When kfifo_alloc fails, the refcount of chdev->dev is left incremented.
We should use put_device(&chdev->dev) to decrease the refcount of
chdev->dev to avoid a refcount leak.

Link: https://lkml.kernel.org/r/20221203085721.13146-1-caixinchen1@huawei.com
Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Dan Carpenter <error27@gmail.com>
Cc: Jakob Koschel <jakobkoschel@gmail.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Wang Weiyang <wangweiyang2@huawei.com>
Cc: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rapidio/devices/rio_mport_cdev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 381354ef0959..2c232217fd35 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -1972,6 +1972,7 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
 			  sizeof(struct rio_event) * MPORT_EVENT_DEPTH,
 			  GFP_KERNEL);
 	if (ret < 0) {
+		put_device(&chdev->dev);
 		dev_err(&chdev->dev, DRV_NAME ": kfifo_alloc failed\n");
 		ret = -ENOMEM;
 		goto err_fifo;
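Review bot: put_device(&chdev->dev) is called before the dev_err(&chdev->dev, ...) that follows it; if that reference is the last one, the device is released and dev_err() dereferences freed memory. Move the put_device() after the dev_err(), immediately before `goto err_fifo`.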
-- 
2.35.1


* [PATCH 4.9 051/251] wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Alexey Khoroshilov,
	Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin

From: Fedor Pchelkin <pchelkin@ispras.ru>

[ Upstream commit c2a94de38c74e86f49124ac14f093d6a5c377a90 ]

Syzkaller reports a long-known leak of urbs in
ath9k_hif_usb_dealloc_tx_urbs().

The cause of the leak is that usb_get_urb() is called but usb_free_urb()
(or usb_put_urb()) is not called inside usb_kill_urb(), as the urb->dev or
urb->ep fields have not been initialized and usb_kill_urb() returns
immediately.

The patch removes the attempt to kill urbs located in hif_dev->tx.tx_buf,
because hif_dev->tx.tx_buf is not supposed to contain urbs which are in
the pending state (the pending urbs are stored in hif_dev->tx.tx_pending).
The tx.tx_lock is acquired, so there should not be any changes to the list.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220725151359.283704-1-pchelkin@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 33a6be0f21ca..519cc8fd3299 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -779,14 +779,10 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
 	spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
 	list_for_each_entry_safe(tx_buf, tx_buf_tmp,
 				 &hif_dev->tx.tx_buf, list) {
-		usb_get_urb(tx_buf->urb);
-		spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
-		usb_kill_urb(tx_buf->urb);
 		list_del(&tx_buf->list);
 		usb_free_urb(tx_buf->urb);
 		kfree(tx_buf->buf);
 		kfree(tx_buf);
-		spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
 	}
 	spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
 
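Review bot: the loop now frees urbs under tx_lock without ever calling usb_kill_urb(), which is only safe under the invariant the commit message states (tx_buf holds idle urbs only; in-flight ones live on tx_pending); put that invariant in a comment above the list_for_each_entry_safe(), or assert it, so a later change that submits from tx_buf does not reintroduce freeing an in-flight urb.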
-- 
2.35.1


* [PATCH 4.9 052/251] wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Alexey Khoroshilov,
	Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin

From: Fedor Pchelkin <pchelkin@ispras.ru>

[ Upstream commit dd95f2239fc846795fc926787c3ae0ca701c9840 ]

It is possible that skb is freed in ath9k_htc_rx_msg(), then
usb_submit_urb() fails and we try to free skb again. It causes a
use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes
NULL but rx_buf is not freed and there can be a memory leak.

The patch removes the unnecessary nskb and makes skb processing clearer: it
is supposed that ath9k_htc_rx_msg() either frees the old skb or passes its
management to another callback function.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 3deff76095c4 ("ath9k_htc: Increase URB count for REG_IN pipe")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221008114917.21404-1-pchelkin@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 28 +++++++++++++-----------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 519cc8fd3299..719cb53d8b4d 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -707,14 +707,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
 	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
 	struct sk_buff *skb = rx_buf->skb;
-	struct sk_buff *nskb;
 	int ret;
 
 	if (!skb)
 		return;
 
 	if (!hif_dev)
-		goto free;
+		goto free_skb;
 
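Review bot: the early `if (!skb) return;` returns without freeing rx_buf, which is consistent only if a NULL rx_buf->skb can never coincide with a live rx_buf; since the alloc failure path later in this function frees rx_buf and clears urb->context together, that appears to hold, but a comment on the early return would make the reasoning visible here.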
 	switch (urb->status) {
 	case 0:
@@ -723,7 +722,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	case -ECONNRESET:
 	case -ENODEV:
 	case -ESHUTDOWN:
-		goto free;
+		goto free_skb;
 	default:
 		skb_reset_tail_pointer(skb);
 		skb_trim(skb, 0);
@@ -734,25 +733,27 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	if (likely(urb->actual_length != 0)) {
 		skb_put(skb, urb->actual_length);
 
-		/* Process the command first */
+		/*
+		 * Process the command first.
+		 * skb is either freed here or passed to be
+		 * managed to another callback function.
+		 */
 		ath9k_htc_rx_msg(hif_dev->htc_handle, skb,
 				 skb->len, USB_REG_IN_PIPE);
 
-
-		nskb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC);
-		if (!nskb) {
+		skb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC);
+		if (!skb) {
 			dev_err(&hif_dev->udev->dev,
 				"ath9k_htc: REG_IN memory allocation failure\n");
-			urb->context = NULL;
-			return;
+			goto free_rx_buf;
 		}
 
-		rx_buf->skb = nskb;
+		rx_buf->skb = skb;
 
 		usb_fill_int_urb(urb, hif_dev->udev,
 				 usb_rcvintpipe(hif_dev->udev,
 						 USB_REG_IN_PIPE),
-				 nskb->data, MAX_REG_IN_BUF_SIZE,
+				 skb->data, MAX_REG_IN_BUF_SIZE,
 				 ath9k_hif_usb_reg_in_cb, rx_buf, 1);
 	}
 
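Review bot: reusing `skb` for the alloc_skb() result is what enforces the ownership rule the new comment states (after ath9k_htc_rx_msg() the old skb must not be touched, and overwriting the variable prevents it); on the alloc failure `goto free_rx_buf` the urb is not resubmitted, so the REG_IN pipe silently stops receiving after a single GFP_ATOMIC failure, which deserves at least a comment if no retry is added.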
@@ -761,12 +762,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	ret = usb_submit_urb(urb, GFP_ATOMIC);
 	if (ret) {
 		usb_unanchor_urb(urb);
-		goto free;
+		goto free_skb;
 	}
 
 	return;
-free:
+free_skb:
 	kfree_skb(skb);
+free_rx_buf:
 	kfree(rx_buf);
 	urb->context = NULL;
 }
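Review bot: free_skb falling through to free_rx_buf means every failure path now releases both skb and rx_buf and clears urb->context, closing the leak left by the old `urb->context = NULL; return;`; a `/* fall through */` comment between the two labels would document that the fall-through is deliberate.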
-- 
2.35.1


* [PATCH 4.9 053/251] media: i2c: ad5820: Fix error path
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Sakari Ailus, Sasha Levin

From: Ricardo Ribalda <ribalda@chromium.org>

[ Upstream commit 9fce241660f37d9e95e93c0ae6fba8cfefa5797b ]

The error path seems to be swapped. Fix the order and provide some meaningful
names.

Fixes: bee3d5115611 ("[media] ad5820: Add driver for auto-focus coil")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/ad5820.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/media/i2c/ad5820.c b/drivers/media/i2c/ad5820.c
index beab2f381b81..84e378cbc726 100644
--- a/drivers/media/i2c/ad5820.c
+++ b/drivers/media/i2c/ad5820.c
@@ -320,18 +320,18 @@ static int ad5820_probe(struct i2c_client *client,
 
 	ret = media_entity_pads_init(&coil->subdev.entity, 0, NULL);
 	if (ret < 0)
-		goto cleanup2;
+		goto clean_mutex;
 
 	ret = v4l2_async_register_subdev(&coil->subdev);
 	if (ret < 0)
-		goto cleanup;
+		goto clean_entity;
 
 	return ret;
 
-cleanup2:
-	mutex_destroy(&coil->power_lock);
-cleanup:
+clean_entity:
 	media_entity_cleanup(&coil->subdev.entity);
+clean_mutex:
+	mutex_destroy(&coil->power_lock);
 	return ret;
 }
 
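Review bot: unwinding is now in reverse order of setup (entity cleanup before mutex destroy), which fixes the swap; the `return ret;` on the success path returns the 0 from v4l2_async_register_subdev(), so a plain `return 0;` would read more clearly, and ad5820_remove() (outside this hunk) should tear down in the same order.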
-- 
2.35.1


* [PATCH 4.9 054/251] media: vivid: fix compose size exceed boundary
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Shixin, Hans Verkuil, Sasha Levin

From: Liu Shixin <liushixin2@huawei.com>

[ Upstream commit 94a7ad9283464b75b12516c5512541d467cefcf8 ]

syzkaller found a bug:

 BUG: unable to handle page fault for address: ffffc9000a3b1000
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0
 Oops: 0002 [#1] PREEMPT SMP
 CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
 RIP: 0010:memcpy_erms+0x6/0x10
[...]
 Call Trace:
  <TASK>
  ? tpg_fill_plane_buffer+0x856/0x15b0
  vivid_fillbuff+0x8ac/0x1110
  vivid_thread_vid_cap_tick+0x361/0xc90
  vivid_thread_vid_cap+0x21a/0x3a0
  kthread+0x143/0x180
  ret_from_fork+0x1f/0x30
  </TASK>

This is because we forgot to check the boundary after adjusting compose->height
in the V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem
for this case.

Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/vivid/vivid-vid-cap.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
index 198b26687b57..b7bda691fa57 100644
--- a/drivers/media/platform/vivid/vivid-vid-cap.c
+++ b/drivers/media/platform/vivid/vivid-vid-cap.c
@@ -915,6 +915,7 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection
 			if (dev->has_compose_cap) {
 				v4l2_rect_set_min_size(compose, &min_rect);
 				v4l2_rect_set_max_size(compose, &max_rect);
+				v4l2_rect_map_inside(compose, &fmt);
 			}
 			dev->fmt_cap_rect = fmt;
 			tpg_s_buf_height(&dev->tpg, fmt.height);
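Review bot: v4l2_rect_set_min_size()/v4l2_rect_set_max_size() only bound width and height and leave left/top alone, so after the crop-case adjustment of compose->height the rectangle could still extend past fmt. v4l2_rect_map_inside() clamps the size to fmt and shifts left/top so the whole rectangle lies inside it, which is the missing step. Worth spelling out for stable: the oops is a write in memcpy_erms from the capture kthread (tpg_fill_plane_buffer), i.e. an out-of-bounds kernel write reachable through VIDIOC_S_SELECTION by any process that can open the vivid device node, so this is more than a test-driver cosmetic fix. The branch taken when `dev->has_compose_cap` is false is not shown; confirm that compose is reset to the full fmt rectangle there, otherwise the same overflow remains possible when compose is not supported.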
-- 
2.35.1

* [PATCH 4.9 055/251] mtd: Fix device name leak when register device failed in add_mtd_device()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Miquel Raynal, Sasha Levin

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

[ Upstream commit 895d68a39481a75c680aa421546931fb11942fa6 ]

There is a kmemleak when registering the device fails:
  unreferenced object 0xffff888101aab550 (size 8):
    comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s)
    hex dump (first 8 bytes):
      6d 74 64 30 00 88 ff ff                          mtd0....
    backtrace:
      [<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150
      [<000000003c32b416>] kvasprintf+0xb0/0x130
      [<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0
      [<000000006e781163>] dev_set_name+0xab/0xe0
      [<00000000e30d0c78>] add_mtd_device+0x4bb/0x700
      [<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0
      [<00000000c0d88488>] 0xffffffffa0238457
      [<00000000b40d0922>] 0xffffffffa02a008f
      [<0000000023d17b9d>] do_one_initcall+0x87/0x2a0
      [<00000000770f6ca6>] do_init_module+0xdf/0x320
      [<000000007b6768fe>] load_module+0x2f98/0x3330
      [<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0
      [<00000000674c2290>] do_syscall_64+0x35/0x80
      [<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

If registering the device fails, put_device() should be called to give up
the reference.

Fixes: 1f24b5a8ecbb ("[MTD] driver model updates")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221022121352.2534682-1-zhangxiaoxu5@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mtd/mtdcore.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
index d46e4adf6d2b..4cf97cdbdefe 100644
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -552,8 +552,10 @@ int add_mtd_device(struct mtd_info *mtd)
 	dev_set_drvdata(&mtd->dev, mtd);
 	of_node_get(mtd_get_of_node(mtd));
 	error = device_register(&mtd->dev);
-	if (error)
+	if (error) {
+		put_device(&mtd->dev);
 		goto fail_added;
+	}
 
 	device_create(&mtd_class, mtd->dev.parent, MTD_DEVT(i) + 1, NULL,
 		      "mtd%dro", i);
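Review bot: put_device() is the right call here (device_register() documents that a failed registration must be followed by put_device(), not kfree()), but with it the device's release callback now runs on this error path, before the `goto fail_added` unwinding. Check that whatever fail_added releases (the idr slot, the of_node reference taken by the `of_node_get()` just above) is not also released by the release callback, and that the release callback tolerates the `mtd%dro` class device that the device_create() below never got to create. If the release callback already drops the of_node reference, the fail_added path would now double-put it.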
-- 
2.35.1

* [PATCH 4.9 056/251] ASoC: pxa: fix null-pointer dereference in filter()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zeng Heng, Mark Brown, Sasha Levin

From: Zeng Heng <zengheng4@huawei.com>

[ Upstream commit ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 ]

kasprintf() returns a NULL pointer when kmalloc() fails to allocate.
The returned pointer needs to be checked before calling strcmp().

Fixes: 7a824e214e25 ("ASoC: mmp: add audio dma support")
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Link: https://lore.kernel.org/r/20221114085629.1910435-1-zengheng4@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/pxa/mmp-pcm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/pxa/mmp-pcm.c b/sound/soc/pxa/mmp-pcm.c
index 96df9b2d8fc4..d32a276e9205 100644
--- a/sound/soc/pxa/mmp-pcm.c
+++ b/sound/soc/pxa/mmp-pcm.c
@@ -88,7 +88,7 @@ static bool filter(struct dma_chan *chan, void *param)
 
 	devname = kasprintf(GFP_KERNEL, "%s.%d", dma_data->dma_res->name,
 		dma_data->ssp_id);
-	if ((strcmp(dev_name(chan->device->dev), devname) == 0) &&
+	if (devname && (strcmp(dev_name(chan->device->dev), devname) == 0) &&
 		(chan->chan_id == dma_data->dma_res->start)) {
 		found = true;
 	}
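Review bot: the NULL check makes a failed kasprintf() short-circuit the comparison, which is correct, and kfree(NULL) is harmless if that is how devname is released afterwards (the free is outside the hunk; confirm it exists on every return path of filter()). The remaining concern is that this filter is called once per candidate channel and allocates a fresh name string each time, and an allocation failure now silently makes the channel look like a non-match with no diagnostic. Building the name once in the caller before dma_request_channel() and passing it in through `param` would avoid both the per-call allocation and the silent failure.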
-- 
2.35.1

* [PATCH 4.9 057/251] regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 ]

I got the following report:

  OF: ERROR: memory leak, expected refcount 1 instead of 2,
  of_node_get()/of_node_put() unbalanced - destroy cset entry:
  attach overlay node /i2c/pmic@62/regulators/exten

In of_get_regulator(), the node is returned from of_parse_phandle()
with its refcount incremented; after using it, of_node_put() needs to be called.

Fixes: 69511a452e6d ("regulator: map consumer regulator based on device tree")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221115091508.900752-1-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 23323add5b0b..e1f934fec562 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1471,6 +1471,7 @@ static struct regulator_dev *regulator_dev_lookup(struct device *dev,
 		node = of_get_regulator(dev, supply);
 		if (node) {
 			r = of_find_regulator_by_node(node);
+			of_node_put(node);
 			if (r)
 				return r;
 			*ret = -EPROBE_DEFER;
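Review bot: dropping the node reference immediately after of_find_regulator_by_node() is correct on both outcomes: the lookup returns a regulator_dev, not the node, so `node` is never needed again, and the -EPROBE_DEFER path below now releases it as well as the early `return r`. Keeping the put directly attached to the lookup, as done here, is the right shape; any future early return inserted between of_get_regulator() and this point would reintroduce the leak, so a comment that the reference is owned only for the duration of the lookup would help.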
-- 
2.35.1

* [PATCH 4.9 058/251] ima: Fix misuse of dereference of pointer in template_desc_init_fields()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Roberto Sassu,
	Mimi Zohar, Sasha Levin

From: Xiu Jianfeng <xiujianfeng@huawei.com>

[ Upstream commit 25369175ce84813dd99d6604e710dc2491f68523 ]

The input parameter @fields is of type struct ima_template_field ***, so
when allocating array memory for @fields, the element size should be
sizeof(**fields) instead of sizeof(*fields).

Actually the original code would not cause any runtime error, but it's
better to make it logically right.

Fixes: adf53a778a0a ("ima: new templates management mechanism")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 security/integrity/ima/ima_template.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index febd12ed9b55..fdba86fa90ee 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -171,11 +171,11 @@ static int template_desc_init_fields(const char *template_fmt,
 	}
 
 	if (fields && num_fields) {
-		*fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL);
+		*fields = kmalloc_array(i, sizeof(**fields), GFP_KERNEL);
 		if (*fields == NULL)
 			return -ENOMEM;
 
-		memcpy(*fields, found_fields, i * sizeof(*fields));
+		memcpy(*fields, found_fields, i * sizeof(**fields));
 		*num_fields = i;
 	}
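Review bot: sizeof(*fields) is the size of a `struct ima_template_field **` and sizeof(**fields) the size of a `struct ima_template_field *`; both are pointer-sized on every Linux target, which is why the commit message says nothing changes at runtime. The value of the hunk is that the kmalloc_array() element size and the memcpy() length now name the type actually stored. Since the array is allocated and immediately filled from found_fields, the pair could be collapsed into `*fields = kmemdup(found_fields, i * sizeof(**fields), GFP_KERNEL);`, which removes the chance of the two sizes drifting apart again.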
 
-- 
2.35.1

* [PATCH 4.9 059/251] wifi: ath10k: Fix return value in ath10k_pci_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Jeff Johnson,
	Kalle Valo, Sasha Levin

From: Xiu Jianfeng <xiujianfeng@huawei.com>

[ Upstream commit 2af7749047d8d6ad43feff69f555a13a6a6c2831 ]

This driver is attempting to register to support two different buses.
If either of these is successful then ath10k_pci_init() should return 0
so that hardware attached to the successful bus can be probed and
supported. Only if both of these are unsuccessful should ath10k_pci_init()
return an errno.

Fixes: 0b523ced9a3c ("ath10k: add basic skeleton to support ahb")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221110061926.18163-1-xiujianfeng@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/pci.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index d96e062647fd..450eb7b31256 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -3381,18 +3381,22 @@ static struct pci_driver ath10k_pci_driver = {
 
 static int __init ath10k_pci_init(void)
 {
-	int ret;
+	int ret1, ret2;
 
-	ret = pci_register_driver(&ath10k_pci_driver);
-	if (ret)
+	ret1 = pci_register_driver(&ath10k_pci_driver);
+	if (ret1)
 		printk(KERN_ERR "failed to register ath10k pci driver: %d\n",
-		       ret);
+		       ret1);
 
-	ret = ath10k_ahb_init();
-	if (ret)
-		printk(KERN_ERR "ahb init failed: %d\n", ret);
+	ret2 = ath10k_ahb_init();
+	if (ret2)
+		printk(KERN_ERR "ahb init failed: %d\n", ret2);
 
-	return ret;
+	if (ret1 && ret2)
+		return ret1;
+
+	/* registered to at least one bus */
+	return 0;
 }
 module_init(ath10k_pci_init);
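Review bot: returning 0 when only one of the two registrations succeeded changes the module's lifetime semantics, and the exit path is not in this hunk: if ath10k_pci_exit() unconditionally calls pci_unregister_driver() and ath10k_ahb_exit(), then after a failed pci_register_driver() a later rmmod reaches driver_unregister() on a driver that was never added, which fires its "Unexpected driver unregister!" WARN. The exit function should unregister only the bus whose registration succeeded (for example by recording ret1/ret2 in file-scope statics and checking them on exit). Also, when both fail the function reports ret1 and drops ret2; both were already printed, so that is acceptable, but a comment saying so would save the next reader a question.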
 
-- 
2.35.1

* [PATCH 4.9 060/251] mtd: lpddr2_nvm: Fix possible null-ptr-deref
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hui Tang, Uwe Kleine-König,
	Miquel Raynal, Sasha Levin

From: Hui Tang <tanghui20@huawei.com>

[ Upstream commit 6bdd45d795adf9e73b38ced5e7f750cd199499ff ]

It will cause a null-ptr-deref when resource_size(add_range) is invoked,
if platform_get_resource() returns NULL.

Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories")
Signed-off-by: Hui Tang <tanghui20@huawei.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221114090240.244172-1-tanghui20@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mtd/lpddr/lpddr2_nvm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c
index 5e36366d9b36..19b00225c7ef 100644
--- a/drivers/mtd/lpddr/lpddr2_nvm.c
+++ b/drivers/mtd/lpddr/lpddr2_nvm.c
@@ -448,6 +448,8 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
 
 	/* lpddr2_nvm address range */
 	add_range = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	if (!add_range)
+		return -ENODEV;
 
 	/* Populate map_info data structure */
 	*map = (struct map_info) {
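Review bot: the NULL check has to sit before the `*map = (struct map_info) { ... }` initialiser because that is where resource_size(add_range) dereferences the pointer, and it does. -ENODEV is a reasonable code for a platform device that lacks its memory resource, although devm_ioremap_resource() reports -EINVAL for the same condition; use whichever the rest of this probe already uses for missing resources. Check that nothing allocated earlier in probe with a non-devm allocator (the `map` being populated here, for instance) is leaked by this early return.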
-- 
2.35.1

* [PATCH 4.9 061/251] Input: elants_i2c - properly handle the reset GPIO when power is off
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Dmitry Torokhov,
	Sasha Levin

From: Douglas Anderson <dianders@chromium.org>

[ Upstream commit a85fbd6498441694475716a4d5c65f9d3e073faf ]

As can be seen in elants_i2c_power_off(), we want the reset GPIO
asserted when power is off. The reset GPIO is active low so we need
the reset line logic low when power is off to avoid leakage.

We have a problem, though, at probe time. At probe time we haven't
powered the regulators on yet but we have:

  devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW);

While that _looks_ right, it turns out that it's not. The
GPIOD_OUT_LOW doesn't mean to init the GPIO to low. It means init the
GPIO to "not asserted". Since this is an active low GPIO that inits it
to be high.

Let's fix this to properly init the GPIO. Now after both probe and
power off the state of the GPIO is consistent (it's "asserted" or
level low).

Once we fix this, we can see that at power on time we no longer need to
assert the reset GPIO as the first thing. The reset GPIO is _always_
asserted before powering on. Let's fix powering on to account for
this.

Fixes: afe10358e47a ("Input: elants_i2c - wire up regulator support")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20221117123805.1.I9959ac561dd6e1e8e1ce7085e4de6167b27c574f@changeid
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/touchscreen/elants_i2c.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
index 3e6003d32e56..184310a2ba69 100644
--- a/drivers/input/touchscreen/elants_i2c.c
+++ b/drivers/input/touchscreen/elants_i2c.c
@@ -1088,14 +1088,12 @@ static int elants_i2c_power_on(struct elants_data *ts)
 	if (IS_ERR_OR_NULL(ts->reset_gpio))
 		return 0;
 
-	gpiod_set_value_cansleep(ts->reset_gpio, 1);
-
 	error = regulator_enable(ts->vcc33);
 	if (error) {
 		dev_err(&ts->client->dev,
 			"failed to enable vcc33 regulator: %d\n",
 			error);
-		goto release_reset_gpio;
+		return error;
 	}
 
 	error = regulator_enable(ts->vccio);
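Review bot: removing the unconditional `gpiod_set_value_cansleep(ts->reset_gpio, 1)` at the top of power_on() makes the function depend on an invariant established elsewhere (reset asserted by the GPIOD_OUT_HIGH request in probe and by power_off()). That holds for the two callers the commit message describes, but if any other path deasserts reset without going through power_off(), the removed line was the safety net. A one-line comment at the top of power_on() stating the invariant would make the dependency explicit. Separately, the existing early `return 0` when there is no reset GPIO means the regulators are never enabled in that configuration; that predates this patch but deserves a follow-up look.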
@@ -1104,7 +1102,7 @@ static int elants_i2c_power_on(struct elants_data *ts)
 			"failed to enable vccio regulator: %d\n",
 			error);
 		regulator_disable(ts->vcc33);
-		goto release_reset_gpio;
+		return error;
 	}
 
 	/*
@@ -1113,7 +1111,6 @@ static int elants_i2c_power_on(struct elants_data *ts)
 	 */
 	udelay(ELAN_POWERON_DELAY_USEC);
 
-release_reset_gpio:
 	gpiod_set_value_cansleep(ts->reset_gpio, 0);
 	if (error)
 		return error;
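Review bot: with the `release_reset_gpio:` label gone, every failing path above now returns directly, so `error` is always 0 when execution reaches the `gpiod_set_value_cansleep(ts->reset_gpio, 0)` here. The `if (error) return error;` that follows is therefore dead and should be removed in the same patch; left in place it suggests to a reader that some failure path still falls through to it.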
@@ -1182,7 +1179,7 @@ static int elants_i2c_probe(struct i2c_client *client,
 		return error;
 	}
 
-	ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW);
+	ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_HIGH);
 	if (IS_ERR(ts->reset_gpio)) {
 		error = PTR_ERR(ts->reset_gpio);
 
-- 
2.35.1

* [PATCH 4.9 062/251] media: solo6x10: fix possible memory leak in solo_sysfs_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Hans Verkuil, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 7f5866dd96d95b74e439f6ee17b8abd8195179fb ]

If device_register() returns an error in solo_sysfs_init(), the
name allocated by dev_set_name() needs to be freed. As the comment of
device_register() says, it should use put_device() to give up
the reference in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanup().

Fixes: dcae5dacbce5 ("[media] solo6x10: sync to latest code from Bluecherry's git repo")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/solo6x10/solo6x10-core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/pci/solo6x10/solo6x10-core.c b/drivers/media/pci/solo6x10/solo6x10-core.c
index f50d07229236..fc45d4aeb77e 100644
--- a/drivers/media/pci/solo6x10/solo6x10-core.c
+++ b/drivers/media/pci/solo6x10/solo6x10-core.c
@@ -428,6 +428,7 @@ static int solo_sysfs_init(struct solo_dev *solo_dev)
 		     solo_dev->nr_chans);
 
 	if (device_register(dev)) {
+		put_device(dev);
 		dev->parent = NULL;
 		return -ENOMEM;
 	}
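Review bot: two points on this error path. First, put_device() drops the reference device_register() took, so the release callback can run; writing `dev->parent = NULL` afterwards is only safe because `dev` is embedded in solo_dev and the release does not free it, which should be confirmed and deserves a comment. Second, `return -ENOMEM` discards the real error: `int ret = device_register(dev); if (ret) { put_device(dev); ...; return ret; }` would report what actually went wrong (a duplicate name, for example, comes back as -EEXIST, not an allocation failure).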
-- 
2.35.1

* [PATCH 4.9 063/251] media: platform: exynos4-is: Fix error handling in fimc_md_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Hans Verkuil, Sasha Levin

From: Yuan Can <yuancan@huawei.com>

[ Upstream commit b434422c45282a0573d8123239abc41fa72665d4 ]

A problem where modprobe s5p_fimc fails is triggered, with the
following log given:

 [  272.075275] Error: Driver 'exynos4-fimc' is already registered, aborting...
 modprobe: ERROR: could not insert 's5p_fimc': Device or resource busy

The reason is that fimc_md_init() returns platform_driver_register()
directly without checking its return value; if platform_driver_register()
fails, it returns without unregistering fimc_driver, so
s5p_fimc can never be installed later.
A simple call graph is shown as below:

 fimc_md_init()
   fimc_register_driver() # register fimc_driver
   platform_driver_register()
     platform_driver_register()
       driver_register()
         bus_add_driver()
           dev = kzalloc(...) # OOM happened
   # return without unregister fimc_driver

Fix by unregistering fimc_driver when platform_driver_register() returns
an error.

Fixes: d3953223b090 ("[media] s5p-fimc: Add the media device driver")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/exynos4-is/fimc-core.c | 2 +-
 drivers/media/platform/exynos4-is/media-dev.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/exynos4-is/fimc-core.c b/drivers/media/platform/exynos4-is/fimc-core.c
index 8f89ca21b631..b86d6f724618 100644
--- a/drivers/media/platform/exynos4-is/fimc-core.c
+++ b/drivers/media/platform/exynos4-is/fimc-core.c
@@ -1245,7 +1245,7 @@ int __init fimc_register_driver(void)
 	return platform_driver_register(&fimc_driver);
 }
 
-void __exit fimc_unregister_driver(void)
+void fimc_unregister_driver(void)
 {
 	platform_driver_unregister(&fimc_driver);
 }
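Review bot: dropping `__exit` is required, not cosmetic: fimc_unregister_driver() is now referenced from fimc_md_init(), which is `__init`, and a call from init code into a function placed in .exit.text is discarded in a built-in (non-modular) kernel and flagged by modpost as a section mismatch. Check that the prototype in the header declaring fimc_unregister_driver() does not still carry `__exit`, and that no other `__exit` helper in this driver is reached from the same path.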
diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
index a1599659b88b..75f6f7acc46b 100644
--- a/drivers/media/platform/exynos4-is/media-dev.c
+++ b/drivers/media/platform/exynos4-is/media-dev.c
@@ -1559,7 +1559,11 @@ static int __init fimc_md_init(void)
 	if (ret)
 		return ret;
 
-	return platform_driver_register(&fimc_md_driver);
+	ret = platform_driver_register(&fimc_md_driver);
+	if (ret)
+		fimc_unregister_driver();
+
+	return ret;
 }
 
 static void __exit fimc_md_exit(void)
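Review bot: the unwind is correct and mirrors what fimc_md_exit() has to do in reverse. Since this is two platform drivers that must be registered together and torn down on failure, `platform_register_drivers()` with a two-element array does exactly this (register in order, unregister the earlier ones if a later one fails) and would let fimc_md_init()/fimc_md_exit() shrink to one call each; the helper predates 4.9, so it is usable on this branch.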
-- 
2.35.1

* [PATCH 4.9 064/251] HID: hid-sensor-custom: set fixed size for custom attributes
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marcus Folkesson, Jonathan Cameron,
	Jiri Kosina, Sasha Levin

From: Marcus Folkesson <marcus.folkesson@gmail.com>

[ Upstream commit 9d013910df22de91333a0acc81d1dbb115bd76f6 ]

This is no bugfix (so no Fixes: tag is necessary) as it is
taken care of in hid_sensor_custom_add_attributes().

The motivation for this patch is that:
hid_sensor_custom_field.attr_name and
hid_sensor_custom_field.attrs
have the size of HID_CUSTOM_TOTAL_ATTRS and are used in the same context.

We compare against HID_CUSTOM_TOTAL_ATTRS when
looping through hid_custom_attrs.

We will silence the smatch error:
hid_sensor_custom_add_attributes() error: buffer overflow
'hid_custom_attrs' 8 <= 10

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-sensor-custom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
index 3a84aaf1418b..683bfcb41926 100644
--- a/drivers/hid/hid-sensor-custom.c
+++ b/drivers/hid/hid-sensor-custom.c
@@ -67,7 +67,7 @@ struct hid_sensor_sample {
 	u32 raw_len;
 } __packed;
 
-static struct attribute hid_custom_attrs[] = {
+static struct attribute hid_custom_attrs[HID_CUSTOM_TOTAL_ATTRS] = {
 	{.name = "name", .mode = S_IRUGO},
 	{.name = "units", .mode = S_IRUGO},
 	{.name = "unit-expo", .mode = S_IRUGO},
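Review bot: giving the array an explicit size guarantees the loop bounded by HID_CUSTOM_TOTAL_ATTRS can never index past it, and it turns an initializer list longer than the constant into a compile error. The flip side is that an initializer list shorter than the constant is silently zero-filled, leaving trailing entries with `.name == NULL` that sysfs would reject if they were ever attached. The more robust fix is to keep the array unsized and bound the loop with ARRAY_SIZE(hid_custom_attrs), or to add a `BUILD_BUG_ON()` tying the array length to HID_CUSTOM_TOTAL_ATTRS, so the initializer list stays the single source of truth.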
-- 
2.35.1

* [PATCH 4.9 065/251] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Baisong Zhong, Takashi Iwai, Sasha Levin

From: Baisong Zhong <zhongbaisong@huawei.com>

[ Upstream commit cf59e1e4c79bf741905484cdb13c130b53576a16 ]

Shifting a signed 32-bit value by 31 bits is undefined, so change the
significant bit to unsigned. The UBSAN warning calltrace is like below:

UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22
left shift of 1 by 31 places cannot be represented in type 'int'
...
Call Trace:
 <TASK>
 dump_stack_lvl+0x8d/0xcf
 ubsan_epilogue+0xa/0x44
 __ubsan_handle_shift_out_of_bounds+0x1e7/0x208
 snd_seq_deliver_single_event.constprop.21+0x191/0x2f0
 snd_seq_deliver_event+0x1a2/0x350
 snd_seq_kernel_client_dispatch+0x8b/0xb0
 snd_seq_client_notify_subscription+0x72/0xa0
 snd_seq_ioctl_subscribe_port+0x128/0x160
 snd_seq_kernel_client_ctl+0xce/0xf0
 snd_seq_oss_create_client+0x109/0x15b
 alsa_seq_oss_init+0x11c/0x1aa
 do_one_initcall+0x80/0x440
 kernel_init_freeable+0x370/0x3c3
 kernel_init+0x1b/0x190
 ret_from_fork+0x1f/0x30
 </TASK>

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
Link: https://lore.kernel.org/r/20221121111630.3119259-1-zhongbaisong@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/uapi/sound/asequencer.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/uapi/sound/asequencer.h b/include/uapi/sound/asequencer.h
index 7b7659a79ac4..98c8f6b56dff 100644
--- a/include/uapi/sound/asequencer.h
+++ b/include/uapi/sound/asequencer.h
@@ -343,10 +343,10 @@ typedef int __bitwise snd_seq_client_type_t;
 #define	KERNEL_CLIENT	((__force snd_seq_client_type_t) 2)
                         
 	/* event filter flags */
-#define SNDRV_SEQ_FILTER_BROADCAST	(1<<0)	/* accept broadcast messages */
-#define SNDRV_SEQ_FILTER_MULTICAST	(1<<1)	/* accept multicast messages */
-#define SNDRV_SEQ_FILTER_BOUNCE		(1<<2)	/* accept bounce event in error */
-#define SNDRV_SEQ_FILTER_USE_EVENT	(1<<31)	/* use event filter */
+#define SNDRV_SEQ_FILTER_BROADCAST	(1U<<0)	/* accept broadcast messages */
+#define SNDRV_SEQ_FILTER_MULTICAST	(1U<<1)	/* accept multicast messages */
+#define SNDRV_SEQ_FILTER_BOUNCE		(1U<<2)	/* accept bounce event in error */
+#define SNDRV_SEQ_FILTER_USE_EVENT	(1U<<31)	/* use event filter */
 
 struct snd_seq_client_info {
 	int client;			/* client number to inquire */
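Review bot: this is a UAPI header, so the thing to call out is that the bit patterns are unchanged while the C type of all four macros changes from int to unsigned int. Existing userspace that ORs them into the `filter` member of struct snd_seq_client_info (already unsigned) is unaffected; code that stored SNDRV_SEQ_FILTER_USE_EVENT in a plain int and tested it as negative, or that compares these macros against signed values under -Wsign-compare, may now warn or behave differently, which is the usual cost of this kind of fix and deserves a line in the changelog. The Fixes: tag pointing at the initial git import is harmless but carries no bisect information.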
-- 
2.35.1

* [PATCH 4.9 066/251] clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Heiko Stuebner, Sasha Levin

From: Xiu Jianfeng <xiujianfeng@huawei.com>

[ Upstream commit 739a6a6bbdb793bd57938cb24aa5a6df89983546 ]

If clk_register() fails, @pll->rate_table may have memory allocated by
kmemdup(), so it needs to be freed; otherwise it will cause a memory leak.
This patch fixes it.

Fixes: 90c590254051 ("clk: rockchip: add clock type for pll clocks and pll used on rk3066")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Link: https://lore.kernel.org/r/20221123091201.199819-1-xiujianfeng@huawei.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/rockchip/clk-pll.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/clk/rockchip/clk-pll.c b/drivers/clk/rockchip/clk-pll.c
index 9c1373e81683..347d659c8f34 100644
--- a/drivers/clk/rockchip/clk-pll.c
+++ b/drivers/clk/rockchip/clk-pll.c
@@ -957,6 +957,7 @@ struct clk *rockchip_clk_register_pll(struct rockchip_clk_provider *ctx,
 	return mux_clk;
 
 err_pll:
+	kfree(pll->rate_table);
 	clk_unregister(mux_clk);
 	mux_clk = pll_clk;
 err_mux:
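Review bot: freeing rate_table at err_pll is right only if that label is reached after the kmemdup() and before `pll` itself is released further down; kfree(NULL) covers the no-rate-table case, so no guard is needed. Confirm that the labels below (err_mux and whatever follows) free `pll` after this point rather than before it, and that no other error jump lands at err_pll before rate_table has been assigned. Also check for a matching kfree in the unregister path; if these PLLs are never unregistered on this platform the leak is confined to a one-shot init failure, which is why it went unnoticed.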
-- 
2.35.1

* [PATCH 4.9 067/251] mtd: maps: pxa2xx-flash: fix memory leak in probe
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zheng Yongjun, Miquel Raynal, Sasha Levin

From: Zheng Yongjun <zhengyongjun3@huawei.com>

[ Upstream commit 2399401feee27c639addc5b7e6ba519d3ca341bf ]

Free 'info' upon remapping error to avoid a memory leak.

Fixes: e644f7d62894 ("[MTD] MAPS: Merge Lubbock and Mainstone drivers into common PXA2xx driver")
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
[<miquel.raynal@bootlin.com>: Reword the commit log]
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221119073307.22929-1-zhengyongjun3@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mtd/maps/pxa2xx-flash.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/mtd/maps/pxa2xx-flash.c b/drivers/mtd/maps/pxa2xx-flash.c
index 2cde28ed95c9..59d2fe1f46e1 100644
--- a/drivers/mtd/maps/pxa2xx-flash.c
+++ b/drivers/mtd/maps/pxa2xx-flash.c
@@ -69,6 +69,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev)
 	if (!info->map.virt) {
 		printk(KERN_WARNING "Failed to ioremap %s\n",
 		       info->map.name);
+		kfree(info);
 		return -ENOMEM;
 	}
 	info->map.cached =
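Review bot: the kfree(info) sits after the printk that reads info->map.name and immediately before the return, so the ordering is right. Since every failure path in this probe now has to unwind info by hand, it would be more robust to allocate it with devm_kzalloc(&pdev->dev, ...) and drop all of the kfree(info) calls, so that the next error path added to probe cannot reintroduce the leak. The function returns -ENOMEM for an ioremap() failure, which is the pre-existing choice and not changed here.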
@@ -91,6 +92,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev)
 		iounmap((void *)info->map.virt);
 		if (info->map.cached)
 			iounmap(info->map.cached);
+		kfree(info);
 		return -EIO;
 	}
 	info->mtd->dev.parent = &pdev->dev;
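Review bot: freeing info after both iounmap() calls is the correct order, since the cached mapping is read from info. The `(void *)` cast on info->map.virt is pre-existing: iounmap() takes a `void __iomem *`, so the cast only silences sparse and could be dropped in a follow-up. If there is any error exit between these two hunks (elided in the diff), it needs the same kfree(info) treatment.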
-- 
2.35.1





* [PATCH 4.9 068/251] media: imon: fix a race condition in send_packet()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+0c3cb6dc05fbbdc3ad66,
	Gautam Menghani, Sean Young, Mauro Carvalho Chehab, Sasha Levin

From: Gautam Menghani <gautammenghani201@gmail.com>

[ Upstream commit 813ceef062b53d68f296aa3cb944b21a091fabdb ]

The function send_packet() has a race condition as follows:

func send_packet()
{
    // do work
    call usb_submit_urb()
    mutex_unlock()
    wait_for_event_interruptible()  <-- lock gone
    mutex_lock()
}

func vfd_write()
{
    mutex_lock()
    call send_packet()  <- prev call is not completed
    mutex_unlock()
}

When the mutex is unlocked and the function send_packet() waits for the
call to complete, vfd_write() can start another call, which leads to the
"URB submitted while active" warning in usb_submit_urb().
Fix this by removing the mutex_unlock() call in send_packet() and using
mutex_lock_interruptible().

Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e

Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver")
Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com
Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/rc/imon.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index 0b386fd518cc..9c644b4fb22d 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -622,15 +622,14 @@ static int send_packet(struct imon_context *ictx)
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
 		/* Wait for transmission to complete (or abort) */
-		mutex_unlock(&ictx->lock);
 		retval = wait_for_completion_interruptible(
 				&ictx->tx.finished);
 		if (retval) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
 		}
-		mutex_lock(&ictx->lock);
 
+		ictx->tx.busy = false;
 		retval = ictx->tx.status;
 		if (retval)
 			pr_err_ratelimited("packet tx failed (%d)\n", retval);
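Review bot: keeping ictx->lock held across wait_for_completion_interruptible() is what serialises the two submitters, but it also means the lock is now held for the whole URB round trip, so confirm that the tx completion callback which completes ictx->tx.finished and the USB disconnect path never try to take ictx->lock; otherwise the completion can never arrive and the race turns into a deadlock. Clearing `ictx->tx.busy = false` after the interrupted case is fine because usb_kill_urb() is synchronous and the URB is idle by then, but the flag is set elsewhere in send_packet() (not shown), and the commit message should say why it is now reset at this point.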
@@ -939,7 +938,8 @@ static ssize_t vfd_write(struct file *file, const char __user *buf,
 		return -ENODEV;
 	}
 
-	mutex_lock(&ictx->lock);
+	if (mutex_lock_interruptible(&ictx->lock))
+		return -ERESTARTSYS;
 
 	if (!ictx->dev_present_intf0) {
 		pr_err_ratelimited("no iMON device present\n");
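Review bot: -ERESTARTSYS is the right return for a write() handler when the lock acquisition is interrupted (the signal code turns it into a restart or EINTR), and the interruptible variant is needed because vfd_write() can now block behind a whole in-flight transfer inside send_packet(). Any other writer that calls send_packet() under ictx->lock should get the same mutex_lock_interruptible() treatment for the same reason.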
-- 
2.35.1





* [PATCH 4.9 069/251] pinctrl: pinconf-generic: add missing of_node_put()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, ZhangPeng, Linus Walleij, Sasha Levin

From: ZhangPeng <zhangpeng362@huawei.com>

[ Upstream commit 5ead93289815a075d43c415e35c8beafafb801c9 ]

of_node_put() needs to be called when jumping out of the loop, since
for_each_available_child_of_node() will increase the refcount of node.

Fixes: c7289500e29d ("pinctrl: pinconf-generic: scan also referenced phandle node")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Link: https://lore.kernel.org/r/20221125070156.3535855-1-zhangpeng362@huawei.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/pinconf-generic.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/pinconf-generic.c b/drivers/pinctrl/pinconf-generic.c
index 074a7e044e25..b0e41fb3623d 100644
--- a/drivers/pinctrl/pinconf-generic.c
+++ b/drivers/pinctrl/pinconf-generic.c
@@ -384,8 +384,10 @@ int pinconf_generic_dt_node_to_map(struct pinctrl_dev *pctldev,
 	for_each_child_of_node(np_config, np) {
 		ret = pinconf_generic_dt_subnode_to_map(pctldev, np, map,
 					&reserved_maps, num_maps, type);
-		if (ret < 0)
+		if (ret < 0) {
+			of_node_put(np);
 			goto exit;
+		}
 	}
 	return 0;
 
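Review bot: the commit message cites for_each_available_child_of_node(), but this 4.9 hunk shows for_each_child_of_node(); both iterators take a reference on the child and only release it when advancing, so the of_node_put() on the early `goto exit` is needed either way, but the backport should note the different iterator. Also check that the `exit:` label does not itself put `np`, or the reference would now be dropped twice.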
-- 
2.35.1





* [PATCH 4.9 070/251] media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wei Chen, Baisong Zhong,
	Mauro Carvalho Chehab, Sasha Levin

From: Baisong Zhong <zhongbaisong@huawei.com>

[ Upstream commit 0ed554fd769a19ea8464bb83e9ac201002ef74ad ]

Wei Chen reports a kernel bug as below:

general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
...
Call Trace:
<TASK>
__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109
i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170
i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297
i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd834a8bded

In az6027_i2c_xfer(), if msg[i].addr is 0x99, a null-ptr-deref will be
caused when accessing msg[i].buf, because msg[i].len is 0 and
msg[i].buf is NULL.

Fix this by checking msg[i].len in az6027_i2c_xfer().

Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/

Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com
Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver")
Reported-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/dvb-usb/az6027.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
index 382c8075ef52..f2b5ba1d2809 100644
--- a/drivers/media/usb/dvb-usb/az6027.c
+++ b/drivers/media/usb/dvb-usb/az6027.c
@@ -978,6 +978,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
 		if (msg[i].addr == 0x99) {
 			req = 0xBE;
 			index = 0;
+			if (msg[i].len < 1) {
+				i = -EOPNOTSUPP;
+				break;
+			}
 			value = msg[i].buf[0] & 0x00ff;
 			length = 1;
 			az6027_usb_out_op(d, req, value, index, data, length);
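Review bot: the guard protects only the `msg[i].buf[0]` read in the addr == 0x99 branch; any other branch of az6027_i2c_xfer() that indexes msg[i].buf (not shown here) needs the same length check, because i2c-dev passes user-constructed messages, including zero-length ones with a NULL buf, straight into the adapter's xfer callback. Overloading the loop index with `i = -EOPNOTSUPP; break;` follows the function's existing convention of returning i, but a separate `ret` variable would be clearer, and -EINVAL describes a too-short message better than -EOPNOTSUPP. If the function holds a mutex across the loop, the break must still reach the unlock, which the visible lines do not show.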
-- 
2.35.1





* [PATCH 4.9 071/251] NFSv4.2: Fix a memory stomp in decode_attr_security_label
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin

From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit 43c1031f7110967c240cb6e922adcfc4b8899183 ]

We must not change the value of label->len if it is zero, since that
indicates we stored a label.

Fixes: b4487b935452 ("nfs: Fix getxattr kernel panic and memory overflow")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/nfs4xdr.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index b50c97c6aecb..fc5583531fc0 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -4160,12 +4160,10 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
 		if (unlikely(!p))
 			goto out_overflow;
 		if (len < NFS4_MAXLABELLEN) {
-			if (label) {
-				if (label->len) {
-					if (label->len < len)
-						return -ERANGE;
-					memcpy(label->label, p, len);
-				}
+			if (label && label->len) {
+				if (label->len < len)
+					return -ERANGE;
+				memcpy(label->label, p, len);
 				label->len = len;
 				label->pi = pi;
 				label->lfs = lfs;
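Review bot: the observable change is that label->len, pi and lfs are no longer written when the caller passed label->len == 0; before, len was overwritten with the wire length even though no bytes had been copied, so a consumer trusting label->len would read past what was actually stored, which is the stomp the subject describes. The copy itself is bounded by the `label->len < len` check and returns -ERANGE, so oversize labels are rejected rather than truncated. The commit message's "since that indicates we stored a label" reads inverted relative to the code, where a zero length means no storage was provided; it is worth rewording before this is archived.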
-- 
2.35.1
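
The failure mode in this patch is easy to see in isolation: a decoder that reports a length it never stored. The userspace C below is an added example, not code from the NFS client or from this patch. It keeps the shape of decode_attr_security_label() (a lfs/pi/len header followed by len bytes, a caller-supplied label whose len is the capacity on input and the stored length on output, and MAXLABELLEN as a stand-in for NFS4_MAXLABELLEN) but the XDR cursor, the sample bytes and the decode_case() driver are constructed here. It shows the "before" and "after" shapes side by side on the same input.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAXLABELLEN 4096	/* stands in for NFS4_MAXLABELLEN (assumed) */

/* Caller-supplied storage: len is capacity in, stored length out;
 * len == 0 means the caller wants no copy at all. */
struct label {
	uint8_t *label;
	uint32_t len;
	uint32_t pi;
	uint32_t lfs;
};

/* Minimal cursor over a big-endian, XDR-like byte stream. */
struct wire {
	const uint8_t *p;
	size_t remaining;
};

static int get_u32(struct wire *w, uint32_t *out)
{
	if (w->remaining < 4)
		return -1;
	*out = ((uint32_t)w->p[0] << 24) | ((uint32_t)w->p[1] << 16) |
	       ((uint32_t)w->p[2] << 8) | (uint32_t)w->p[3];
	w->p += 4;
	w->remaining -= 4;
	return 0;
}

/* Shared prefix: lfs, pi, len, then len bytes. -EIO on a short stream. */
static int read_header(struct wire *w, uint32_t *lfs, uint32_t *pi,
		       uint32_t *len, const uint8_t **data)
{
	if (get_u32(w, lfs) || get_u32(w, pi) || get_u32(w, len))
		return -EIO;
	if (w->remaining < *len)
		return -EIO;
	*data = w->p;
	w->p += *len;
	w->remaining -= *len;
	return 0;
}

/* "Before" shape: len/pi/lfs are written even when nothing was copied,
 * so a caller that passed len == 0 ends up claiming len bytes it never
 * received. */
static int decode_label_buggy(struct wire *w, struct label *lb)
{
	uint32_t lfs, pi, len;
	const uint8_t *p;
	int ret = read_header(w, &lfs, &pi, &len, &p);

	if (ret)
		return ret;
	if (len < MAXLABELLEN && lb) {
		if (lb->len) {
			if (lb->len < len)
				return -ERANGE;
			memcpy(lb->label, p, len);
		}
		lb->len = len;	/* the stomp: a length with no bytes behind it */
		lb->pi = pi;
		lb->lfs = lfs;
	}
	return 0;
}

/* "After" shape: a label without storage is left untouched. */
static int decode_label_fixed(struct wire *w, struct label *lb)
{
	uint32_t lfs, pi, len;
	const uint8_t *p;
	int ret = read_header(w, &lfs, &pi, &len, &p);

	if (ret)
		return ret;
	if (len < MAXLABELLEN && lb && lb->len) {
		if (lb->len < len)
			return -ERANGE;
		memcpy(lb->label, p, len);
		lb->len = len;
		lb->pi = pi;
		lb->lfs = lfs;
	}
	return 0;
}

/* Constructed sample attribute: lfs = 0, pi = 0, len = 5, "hello". */
static const uint8_t SAMPLE[] = {
	0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 5,  'h', 'e', 'l', 'l', 'o'
};

/* Decode SAMPLE into a label with `cap` bytes of storage (0 = none) and
 * return the length the decoder left in lb.len, or a negative errno.
 * The lb.label guard below is only there to keep this harness alive: a
 * real consumer trusting lb.len would read through NULL in the buggy,
 * cap == 0 case. */
static int decode_case(int use_fixed, uint32_t cap)
{
	static uint8_t storage[16];
	struct label lb = { cap ? storage : NULL, cap, 0, 0 };
	struct wire w = { SAMPLE, sizeof(SAMPLE) };
	int ret = use_fixed ? decode_label_fixed(&w, &lb)
			    : decode_label_buggy(&w, &lb);

	if (ret < 0)
		return ret;
	if (lb.len && lb.label && memcmp(lb.label, "hello", lb.len) != 0)
		return -EBADMSG;
	return (int)lb.len;
}
```

With no storage (cap == 0) the buggy decoder reports a length of 5 and the fixed one reports 0; with a 3-byte buffer both reject the 5-byte label with -ERANGE instead of overflowing, which is the bound the earlier fix b4487b935452 introduced and this patch preserves.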





* [PATCH 4.9 072/251] NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin

From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit 51069e4aef6257b0454057359faed0ab0c9af083 ]

If we're asked to recover open state while a delegation return is
outstanding, then the state manager thread cannot use a cached open, so
if the server returns a delegation, we can end up deadlocked behind the
pending delegreturn.
To avoid this problem, let's just ask the server not to give us a
delegation unless we're explicitly reclaiming one.

Fixes: be36e185bd26 ("NFSv4: nfs4_open_recover_helper() must set share access")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/nfs4proc.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 5baf6ed7732d..4771fc16d7d1 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -1822,18 +1822,18 @@ static struct nfs4_opendata *nfs4_open_recoverdata_alloc(struct nfs_open_context
 }
 
 static int nfs4_open_recover_helper(struct nfs4_opendata *opendata,
-		fmode_t fmode)
+				    fmode_t fmode)
 {
 	struct nfs4_state *newstate;
+	struct nfs_server *server = NFS_SB(opendata->dentry->d_sb);
+	int openflags = opendata->o_arg.open_flags;
 	int ret;
 
 	if (!nfs4_mode_match_open_stateid(opendata->state, fmode))
 		return 0;
-	opendata->o_arg.open_flags = 0;
 	opendata->o_arg.fmode = fmode;
-	opendata->o_arg.share_access = nfs4_map_atomic_open_share(
-			NFS_SB(opendata->dentry->d_sb),
-			fmode, 0);
+	opendata->o_arg.share_access =
+		nfs4_map_atomic_open_share(server, fmode, openflags);
 	memset(&opendata->o_res, 0, sizeof(opendata->o_res));
 	memset(&opendata->c_res, 0, sizeof(opendata->c_res));
 	nfs4_init_opendata_res(opendata);
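Review bot: dropping `opendata->o_arg.open_flags = 0;` means share_access now depends on whatever open_flags the caller left in o_arg, so every caller of nfs4_open_recover_helper(), not only the _nfs4_open_expired() path changed in the next hunk, should be checked for stale flags inherited from the original open, since those now feed nfs4_map_atomic_open_share(). The `server` local replaces the inline NFS_SB() lookup without changing behaviour.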
@@ -2411,10 +2411,15 @@ static int _nfs4_open_expired(struct nfs_open_context *ctx, struct nfs4_state *s
 	struct nfs4_opendata *opendata;
 	int ret;
 
-	opendata = nfs4_open_recoverdata_alloc(ctx, state,
-			NFS4_OPEN_CLAIM_FH);
+	opendata = nfs4_open_recoverdata_alloc(ctx, state, NFS4_OPEN_CLAIM_FH);
 	if (IS_ERR(opendata))
 		return PTR_ERR(opendata);
+	/*
+	 * We're not recovering a delegation, so ask for no delegation.
+	 * Otherwise the recovery thread could deadlock with an outstanding
+	 * delegation return.
+	 */
+	opendata->o_arg.open_flags = O_DIRECT;
 	ret = nfs4_open_recover(opendata, state);
 	if (ret == -ESTALE)
 		d_drop(ctx->dentry);
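Review bot: using O_DIRECT as the way to request no delegation relies on nfs4_map_atomic_open_share() translating that flag into the want-no-delegation share bit; that convention is not visible in this diff, so the comment should name it explicitly rather than leaving the reader to wonder why a recovery open is marked O_DIRECT. The WANT bits are advisory, so a server that ignores them can still hand back a delegation and the deadlock avoidance is best effort; the commit message should say so. The -ESTALE handling below is unchanged.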
-- 
2.35.1





* [PATCH 4.9 073/251] ALSA: asihpi: fix missing pci_disable_device()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Shixin, Takashi Iwai, Sasha Levin

From: Liu Shixin <liushixin2@huawei.com>

[ Upstream commit 9d86515c3d4c0564a0c31a2df87d735353a1971e ]

pci_disable_device() needs to be called when the module exits. Switch to
pcim_enable_device(); pci_disable_device() will then be called from
pcim_release().

Fixes: 3285ea10e9b0 ("ALSA: asihpi - Interrelated HPI tidy up.")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Link: https://lore.kernel.org/r/20221126021429.3029562-1-liushixin2@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/asihpi/hpioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 0d5ff00cdabc..90245f9d6c36 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -355,7 +355,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
 		pci_dev->device, pci_dev->subsystem_vendor,
 		pci_dev->subsystem_device, pci_dev->devfn);
 
-	if (pci_enable_device(pci_dev) < 0) {
+	if (pcim_enable_device(pci_dev) < 0) {
 		dev_err(&pci_dev->dev,
 			"pci_enable_device failed, disabling device\n");
 		return -EIO;
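Review bot: the dev_err() string still says "pci_enable_device failed" although the call is now pcim_enable_device(); update it so the log matches the code. Also confirm asihpi_adapter_remove() does not already call pci_disable_device(): with the managed variant, pcim_release() disables the device on driver detach, and an additional explicit disable would unbalance the device's enable count.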
-- 
2.35.1





* [PATCH 4.9 074/251] drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Alex Deucher, Sasha Levin

From: Xiongfeng Wang <wangxiongfeng2@huawei.com>

[ Upstream commit 725a521a18734f65de05b8d353b5bd0d3ca4c37a ]

As the comment on pci_get_class() says, it returns a pci_device with its
refcount increased and decreases the refcount of the input parameter
@from if it is not NULL.

If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we
need to call pci_dev_put() to decrease the refcount. Add the missing
pci_dev_put() to avoid refcount leak.

Fixes: d8ade3526b2a ("drm/radeon: handle non-VGA class pci devices with ATRM")
Fixes: c61e2775873f ("drm/radeon: split ATRM support out from the ATPX handler (v3)")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/radeon/radeon_bios.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
index 21b6732425c5..82ea78fce748 100644
--- a/drivers/gpu/drm/radeon/radeon_bios.c
+++ b/drivers/gpu/drm/radeon/radeon_bios.c
@@ -215,6 +215,7 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev)
 
 	if (!found)
 		return false;
+	pci_dev_put(pdev);
 
 	rdev->bios = kmalloc(size, GFP_KERNEL);
 	if (!rdev->bios) {
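Review bot: the pci_dev_put() is correctly placed only on the `found` path: when the pci_get_class() loop runs to exhaustion it returns NULL after dropping the reference on the last `from`, so pdev is already NULL at the `!found` return and no put is needed there. Make sure nothing later in radeon_atrm_get_bios() dereferences pdev after this put (for example in a dev_ message), since the reference is gone from here on.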
-- 
2.35.1





* [PATCH 4.9 075/251] drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Alex Deucher, Sasha Levin

From: Xiongfeng Wang <wangxiongfeng2@huawei.com>

[ Upstream commit ca54639c7752edf1304d92ff4d0c049d4efc9ba0 ]

As the comment on pci_get_class() says, it returns a pci_device with its
refcount increased and decreases the refcount of the input parameter
@from if it is not NULL.

If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we
need to call pci_dev_put() to decrease the refcount. Add the missing
pci_dev_put() to avoid refcount leak.

Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
index 2b6afe123f3d..d6ecce5fe1a6 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
@@ -253,6 +253,7 @@ static bool amdgpu_atrm_get_bios(struct amdgpu_device *adev)
 
 	if (!found)
 		return false;
+	pci_dev_put(pdev);
 
 	adev->bios = kmalloc(size, GFP_KERNEL);
 	if (!adev->bios) {
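Review bot: same reasoning as the radeon fix: pdev only carries a reference when the loop exited early with `found` set, so the put belongs exactly here, and the exhausted-loop return is already reference neutral. Since amdgpu_atrm_get_bios() and radeon_atrm_get_bios() implement the same search, a shared helper would avoid fixing this class of leak twice, though that is a follow-up for mainline rather than for stable.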
-- 
2.35.1
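
Patches 069, 074 and 075 above all fall out of one iterator contract: pci_get_class() and the of_node child iterators hand back the next object with a reference taken and drop the reference on the object they were given, so a loop that breaks early still owns exactly one reference. The userspace C below is an added example, not code from the kernel or from any of these patches; the device table, the class codes and the dev_get()/dev_put()/get_class() helpers are constructed here to mimic that contract. It runs the leaky early break beside the fixed one and counts the references afterwards.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed device table. class_code mimics pci_dev->class, with the
 * base class in bits 23:16; refcnt == 1 is the reference the bus holds. */
struct dev {
	const char *name;
	unsigned int class_code;
	int refcnt;
};

static struct dev devs[] = {
	{ "gpu0", 0x030000, 1 },
	{ "nic0", 0x020000, 1 },
	{ "gpu1", 0x038000, 1 },
};
#define NDEVS (sizeof(devs) / sizeof(devs[0]))

static struct dev *dev_get(struct dev *d)
{
	if (d)
		d->refcnt++;
	return d;
}

static void dev_put(struct dev *d)
{
	if (d)
		d->refcnt--;
}

/* Mimics the pci_get_class() contract quoted in the commit messages:
 * drop the reference held on @from, then return the next device whose
 * base class matches, with a fresh reference, or NULL when exhausted. */
static struct dev *get_class(unsigned int base_class, struct dev *from)
{
	size_t i = from ? (size_t)(from - devs) + 1 : 0;

	dev_put(from);
	for (; i < NDEVS; i++)
		if ((devs[i].class_code >> 16) == base_class)
			return dev_get(&devs[i]);
	return NULL;
}

/* Early break with pdev still referenced: the leak the patches fix. */
static int find_gpu_leaky(const char *want)
{
	struct dev *pdev = NULL;
	int found = 0;

	while ((pdev = get_class(0x03, pdev)) != NULL) {
		if (strcmp(pdev->name, want) == 0) {
			found = 1;
			break;
		}
	}
	return found;
}

/* Same search with the iterator's reference released on early exit.
 * When the loop runs to exhaustion pdev is already NULL and the put is
 * a no-op, which is why the drivers' `if (!found) return false;` path
 * needs no put of its own. */
static int find_gpu_fixed(const char *want)
{
	struct dev *pdev = NULL;
	int found = 0;

	while ((pdev = get_class(0x03, pdev)) != NULL) {
		if (strcmp(pdev->name, want) == 0) {
			found = 1;
			break;
		}
	}
	dev_put(pdev);
	return found;
}

/* Sum of all refcounts; equals NDEVS when nothing has been leaked. */
static int total_refs(void)
{
	int sum = 0;

	for (size_t i = 0; i < NDEVS; i++)
		sum += devs[i].refcnt;
	return sum;
}

static void reset_refs(void)
{
	for (size_t i = 0; i < NDEVS; i++)
		devs[i].refcnt = 1;
}

int main(void)
{
	find_gpu_leaky("gpu0");
	printf("leaky search: %d refs held, baseline %zu\n", total_refs(), NDEVS);
	reset_refs();
	find_gpu_fixed("gpu0");
	printf("fixed search: %d refs held, baseline %zu\n", total_refs(), NDEVS);
	return 0;
}
```

The of_node case is the same shape: for_each_child_of_node() calls of_node_put() on the previous child and of_node_get() on the next, so a `goto` out of the loop body owns one reference, and the of_node_put(np) in patch 069 plays the role of the dev_put(pdev) after the loop here.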





* [PATCH 4.9 076/251] ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Qilong, Mark Brown, Sasha Levin

From: Zhang Qilong <zhangqilong3@huawei.com>

[ Upstream commit 97b801be6f8e53676b9f2b105f54e35c745c1b22 ]

pm_runtime_enable() will increase the power disable depth. Thus a
pairing decrement is needed on the error handling path to keep it
balanced according to context. We fix it by going to err_pm instead of
err_clk.

Fixes: f086ba9d5389c ("ASoC: pcm512x: Support mastering BCLK/LRCLK using the PLL")

Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Link: https://lore.kernel.org/r/20220928160402.126140-1-zhangqilong3@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/pcm512x.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c
index c0807b82399a..614d39258e40 100644
--- a/sound/soc/codecs/pcm512x.c
+++ b/sound/soc/codecs/pcm512x.c
@@ -1475,7 +1475,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
 			if (val > 6) {
 				dev_err(dev, "Invalid pll-in\n");
 				ret = -EINVAL;
-				goto err_clk;
+				goto err_pm;
 			}
 			pcm512x->pll_in = val;
 		}
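Review bot: retargeting the goto to err_pm is only correct if the err_pm label (not in this diff) performs the pm_runtime_disable() and then falls through to err_clk; confirm the label order in pcm512x_probe() before taking this into stable.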
@@ -1484,7 +1484,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
 			if (val > 6) {
 				dev_err(dev, "Invalid pll-out\n");
 				ret = -EINVAL;
-				goto err_clk;
+				goto err_pm;
 			}
 			pcm512x->pll_out = val;
 		}
@@ -1493,12 +1493,12 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
 			dev_err(dev,
 				"Error: both pll-in and pll-out, or none\n");
 			ret = -EINVAL;
-			goto err_clk;
+			goto err_pm;
 		}
 		if (pcm512x->pll_in && pcm512x->pll_in == pcm512x->pll_out) {
 			dev_err(dev, "Error: pll-in == pll-out\n");
 			ret = -EINVAL;
-			goto err_clk;
+			goto err_pm;
 		}
 	}
 #endif
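Review bot: all four retargeted gotos live inside the conditionally compiled block closed by this `#endif`, so on configurations where it is compiled out nothing changes; any error exits that come after this block but also after pm_runtime_enable() deserve the same question, since the commit only touched the validation failures here.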
-- 
2.35.1





* [PATCH 4.9 077/251] bonding: uninitialized variable in bond_miimon_inspect()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Pavan Chebbi,
	Jay Vosburgh, Paolo Abeni, Sasha Levin

From: Dan Carpenter <error27@gmail.com>

[ Upstream commit e5214f363dabca240446272dac54d404501ad5e5 ]

The "ignore_updelay" variable needs to be initialized to false.

Fixes: f8a65ab2f3ff ("bonding: fix link recovery in mode 2 when updelay is nonzero")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Link: https://lore.kernel.org/r/Y4SWJlh3ohJ6EPTL@kili
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/bonding/bond_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 33843b89ab04..d606e0a6b335 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2052,10 +2052,10 @@ static int bond_slave_info_query(struct net_device *bond_dev, struct ifslave *in
 /* called with rcu_read_lock() */
 static int bond_miimon_inspect(struct bonding *bond)
 {
+	bool ignore_updelay = false;
 	int link_state, commit = 0;
 	struct list_head *iter;
 	struct slave *slave;
-	bool ignore_updelay;
 
 	ignore_updelay = !rcu_dereference(bond->curr_active_slave);
 
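Review bot: in this 4.9 version ignore_updelay is assigned unconditionally two lines below the declaration, so the `= false` initialiser is redundant as shown; the uninitialised read that the upstream fix addresses comes from that assignment being made conditional in mainline, which this tree does not appear to carry. The change is harmless, but the backport note should say it is effectively a no-op here, or a later cleanup may remove the initialiser as dead code.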
-- 
2.35.1





* [PATCH 4.9 078/251] regulator: core: fix module refcount leak in set_supply()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit da46ee19cbd8344d6860816b4827a7ce95764867 ]

If create_regulator() fails in set_supply(), the module refcount
needs to be put to keep the refcount balanced.

Fixes: e2c09ae7a74d ("regulator: core: Increase refcount for regulator supply's module")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221201122706.4055992-2-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index e1f934fec562..cbc3397258f6 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1157,6 +1157,7 @@ static int set_supply(struct regulator_dev *rdev,
 
 	rdev->supply = create_regulator(supply_rdev, &rdev->dev, "SUPPLY");
 	if (rdev->supply == NULL) {
+		module_put(supply_rdev->owner);
 		err = -ENOMEM;
 		return err;
 	}
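Review bot: the module_put(supply_rdev->owner) assumes the matching try_module_get() was the last thing taken before create_regulator() (that call is above the hunk and not shown); if any other reference, such as a get_device() on supply_rdev, is acquired between the two, it needs releasing on this path as well. The `err = -ENOMEM; return err;` pair could simply be `return -ENOMEM;`, but that is pre-existing style.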
-- 
2.35.1





* [PATCH 4.9 079/251] media: saa7164: fix missing pci_disable_device()
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Liu Shixin, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Liu Shixin <liushixin2@huawei.com>

[ Upstream commit 57fb35d7542384cac8f198cd1c927540ad38b61a ]

Add missing pci_disable_device() in the error path in saa7164_initdev().

Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7164/saa7164-core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7164/saa7164-core.c b/drivers/media/pci/saa7164/saa7164-core.c
index 8bbd092fbe1d..d0ad0f5ba035 100644
--- a/drivers/media/pci/saa7164/saa7164-core.c
+++ b/drivers/media/pci/saa7164/saa7164-core.c
@@ -1250,7 +1250,7 @@ static int saa7164_initdev(struct pci_dev *pci_dev,
 
 	if (saa7164_dev_setup(dev) < 0) {
 		err = -EINVAL;
-		goto fail_free;
+		goto fail_dev;
 	}
 
 	/* print pci info */
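Review bot: the jump now goes to fail_dev so the device is disabled when saa7164_dev_setup() fails, which is the right target provided pci_enable_device() has already succeeded at this point (the enable call is above the hunk). The hard-coded -EINVAL discards whatever saa7164_dev_setup() returned; propagating it would be more informative, but that is pre-existing.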
@@ -1422,6 +1422,8 @@ static int saa7164_initdev(struct pci_dev *pci_dev,
 
 fail_irq:
 	saa7164_dev_unregister(dev);
+fail_dev:
+	pci_disable_device(pci_dev);
 fail_free:
 	v4l2_device_unregister(&dev->v4l2_dev);
 	kfree(dev);
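Review bot: placing fail_dev between fail_irq and fail_free means every `goto fail_irq` now also runs pci_disable_device(), fixing the same leak on that path; double-check that each site jumping to fail_irq or fail_dev is reached only after pci_enable_device() succeeded, and that no site which still jumps to fail_free has the device enabled, since that label continues to skip the disable.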
-- 
2.35.1





* [PATCH 4.9 080/251] ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Takashi Iwai, Sasha Levin

From: Gaosheng Cui <cuigaosheng1@huawei.com>

[ Upstream commit cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad ]

I got a null-ptr-deref error report when I ran the following tests
on the qemu platform:

make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m,
CONFIG_SND_MTS64=m

Then make a test script:
cat>test_mod1.sh<<EOF
modprobe snd-mts64
modprobe snd-mts64
EOF

Executing the script, perhaps several times, we will get a null-ptr-deref
report, as follows:

syzkaller:~# ./test_mod.sh
snd_mts64: probe of snd_mts64.0 failed with error -5
modprobe: ERROR: could not insert 'snd_mts64': No such device
 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD 0 P4D 0
 Oops: 0002 [#1] PREEMPT SMP PTI
 CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6
 Call Trace:
  <IRQ>
  snd_mts64_interrupt+0x24/0xa0 [snd_mts64]
  parport_irq_handler+0x37/0x50 [parport]
  __handle_irq_event_percpu+0x39/0x190
  handle_irq_event_percpu+0xa/0x30
  handle_irq_event+0x2f/0x50
  handle_edge_irq+0x99/0x1b0
  __common_interrupt+0x5d/0x100
  common_interrupt+0xa0/0xc0
  </IRQ>
  <TASK>
  asm_common_interrupt+0x22/0x40
 RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30
  parport_claim+0xbd/0x230 [parport]
  snd_mts64_probe+0x14a/0x465 [snd_mts64]
  platform_probe+0x3f/0xa0
  really_probe+0x129/0x2c0
  __driver_probe_device+0x6d/0xc0
  driver_probe_device+0x1a/0xa0
  __device_attach_driver+0x7a/0xb0
  bus_for_each_drv+0x62/0xb0
  __device_attach+0xe4/0x180
  bus_probe_device+0x82/0xa0
  device_add+0x550/0x920
  platform_device_add+0x106/0x220
  snd_mts64_attach+0x2e/0x80 [snd_mts64]
  port_check+0x14/0x20 [parport]
  bus_for_each_dev+0x6e/0xc0
  __parport_register_driver+0x7c/0xb0 [parport]
  snd_mts64_module_init+0x31/0x1000 [snd_mts64]
  do_one_initcall+0x3c/0x1f0
  do_init_module+0x46/0x1c6
  load_module+0x1d8d/0x1e10
  __do_sys_finit_module+0xa2/0xf0
  do_syscall_64+0x37/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  </TASK>
 Kernel panic - not syncing: Fatal exception in interrupt
 Rebooting in 1 seconds..

The mts was not initialized during interrupt; we add a check for
mts to fix this bug.

Fixes: 68ab801e32bb ("[ALSA] Add snd-mts64 driver for ESI Miditerminal 4140")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221206061004.1222966-1-cuigaosheng1@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/drivers/mts64.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c
index fd4d18df84d3..03b1b49c1afe 100644
--- a/sound/drivers/mts64.c
+++ b/sound/drivers/mts64.c
@@ -830,6 +830,9 @@ static void snd_mts64_interrupt(void *private)
 	u8 status, data;
 	struct snd_rawmidi_substream *substream;
 
+	if (!mts)
+		return;
+
 	spin_lock(&mts->lock);
 	ret = mts64_read(mts->pardev->port);
 	data = ret & 0x00ff;
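Review bot: the new `if (!mts) return;` has no comment saying why `private` can be NULL here; the backtrace in the commit message shows the interrupt firing from parport_claim() inside snd_mts64_probe(), before the driver's private data is set, and a one-line comment to that effect would stop a later cleanup from removing a check that looks redundant. The check also reads `mts` without any locking, which is only safe if `private` is never cleared while the port interrupt can still fire (i.e. the port is released before the mts data is torn down), so that ordering in the remove path should be confirmed.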
-- 
2.35.1

* [PATCH 4.9 081/251] SUNRPC: Fix missing release socket in rpc_sockname()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 080/251] ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 082/251] mmc: moxart: fix return value check of mmc_add_host() Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wang ShaoBo, Trond Myklebust, Sasha Levin

From: Wang ShaoBo <bobo.shaobowang@huawei.com>

[ Upstream commit 50fa355bc0d75911fe9d5072a5ba52cdb803aff7 ]

The dynamically created socket is not released when getting an unintended
address family type in rpc_sockname(); direct to out_release for calling
sock_release().

Fixes: 2e738fdce22f ("SUNRPC: Add API to acquire source address")
Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sunrpc/clnt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index eef2f732fbe3..9447670b5a63 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1275,7 +1275,7 @@ static int rpc_sockname(struct net *net, struct sockaddr *sap, size_t salen,
 		break;
 	default:
 		err = -EAFNOSUPPORT;
-		goto out;
+		goto out_release;
 	}
 	if (err < 0) {
 		dprintk("RPC:       can't bind UDP socket (%d)\n", err);
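Review bot: `goto out_release` in the default branch is the right exit for a socket that has already been created, but the hunk shows neither the `out_release` label nor what happens to `err` on that path; please confirm that the label does sock_release() on the socket and then returns `err` unchanged, so the caller still sees -EAFNOSUPPORT rather than a stale value.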
-- 
2.35.1

* [PATCH 4.9 082/251] mmc: moxart: fix return value check of mmc_add_host()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 081/251] SUNRPC: Fix missing release socket in rpc_sockname() Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 083/251] mmc: mxcmmc: " Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 0ca18d09c744fb030ae9bc5836c3e357e0237dea ]

mmc_add_host() may return an error; if we ignore its return value, the memory
allocated in mmc_alloc_host() will be leaked and it will lead to a kernel
crash because of deleting a not-yet-added device in the remove path.

So fix this by checking the return value and going to the error path which will
call mmc_free_host().

Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-3-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/moxart-mmc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
index 4f8588c3bf53..48645b736ba5 100644
--- a/drivers/mmc/host/moxart-mmc.c
+++ b/drivers/mmc/host/moxart-mmc.c
@@ -662,7 +662,9 @@ static int moxart_probe(struct platform_device *pdev)
 		goto out;
 
 	dev_set_drvdata(dev, mmc);
-	mmc_add_host(mmc);
+	ret = mmc_add_host(mmc);
+	if (ret)
+		goto out;
 
 	dev_dbg(dev, "IRQ=%d, FIFO is %d bytes\n", irq, host->fifo_width);
 
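Review bot: the new `goto out` reuses the label that the preceding `if (ret) goto out;` already targets, so the jump is correct only if `out:` does no more than undo what precedes it (the commit message says it calls mmc_free_host()); please confirm it does not call mmc_remove_host() or anything else that assumes the host was registered. Since the same pattern is being added to many drivers in this series, a short comment such as `/* host was never added: free it, do not remove it */` would help readers of each one.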
-- 
2.35.1

* [PATCH 4.9 083/251] mmc: mxcmmc: fix return value check of mmc_add_host()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 082/251] mmc: moxart: fix return value check of mmc_add_host() Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 084/251] mmc: rtsx_usb_sdmmc: " Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit cde600af7b413c9fe03e85c58c4279df90e91d13 ]

mmc_add_host() may return an error; if we ignore its return value, the memory
allocated in mmc_alloc_host() will be leaked and it will lead to a kernel
crash because of deleting a not-yet-added device in the remove path.

So fix this by checking the return value and going to the error path which will
call mmc_free_host().

Fixes: d96be879ff46 ("mmc: Add a MX2/MX3 specific SDHC driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-4-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/mxcmmc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/mxcmmc.c b/drivers/mmc/host/mxcmmc.c
index fb3ca8296273..2c57cccb0fa1 100644
--- a/drivers/mmc/host/mxcmmc.c
+++ b/drivers/mmc/host/mxcmmc.c
@@ -1159,7 +1159,9 @@ static int mxcmci_probe(struct platform_device *pdev)
 	host->watchdog.function = &mxcmci_watchdog;
 	host->watchdog.data = (unsigned long)mmc;
 
-	mmc_add_host(mmc);
+	ret = mmc_add_host(mmc);
+	if (ret)
+		goto out_free_dma;
 
 	return 0;
 
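Review bot: the jump goes to `out_free_dma`, whose name suggests it only releases the DMA channel; confirm that the label chain continues on to mmc_free_host(), which is what the commit message relies on. The context also shows `host->watchdog` being initialised immediately above the call; if that timer can already be armed before mmc_add_host() is reached, the new error path would need a del_timer_sync() before the host is freed.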
-- 
2.35.1

* [PATCH 4.9 084/251] mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 083/251] mmc: mxcmmc: " Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 085/251] mmc: toshsd: " Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit fc38a5a10e9e5a75eb9189854abeb8405b214cc9 ]

mmc_add_host() may return an error; if we ignore its return value, the memory
allocated in mmc_alloc_host() will be leaked and it will lead to a kernel
crash because of deleting a not-yet-added device in the remove path.

So fix this by checking the return value and calling mmc_free_host() in the
error path; besides, led_classdev_unregister() and pm_runtime_disable() also
need to be called.

Fixes: c7f6558d84af ("mmc: Add realtek USB sdmmc host driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-7-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/rtsx_usb_sdmmc.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c
index 6e9c0f8fddb1..817fbf510d1e 100644
--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
+++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
@@ -1355,6 +1355,7 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev)
 #ifdef RTSX_USB_USE_LEDS_CLASS
 	int err;
 #endif
+	int ret;
 
 	ucr = usb_get_intfdata(to_usb_interface(pdev->dev.parent));
 	if (!ucr)
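Review bot: this adds an unconditional `int ret;` next to the `#ifdef RTSX_USB_USE_LEDS_CLASS`-guarded `int err;`, leaving two status variables in one function; consider making a single unconditional variable serve both the LED registration and the mmc_add_host() check and dropping the #ifdef'd declaration.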
@@ -1391,7 +1392,15 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev)
 	INIT_WORK(&host->led_work, rtsx_usb_update_led);
 
 #endif
-	mmc_add_host(mmc);
+	ret = mmc_add_host(mmc);
+	if (ret) {
+#ifdef RTSX_USB_USE_LEDS_CLASS
+		led_classdev_unregister(&host->led);
+#endif
+		mmc_free_host(mmc);
+		pm_runtime_disable(&pdev->dev);
+		return ret;
+	}
 
 	return 0;
 }
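Review bot: `host` is the private area of `mmc`, and the context shows INIT_WORK(&host->led_work, rtsx_usb_update_led) just above; led_classdev_unregister() can trigger a final brightness update that queues led_work, so unless that work is flushed before mmc_free_host(mmc) it may run against freed memory. Either add cancel_work_sync(&host->led_work) after the unregister, or mirror the exact teardown order the driver's remove path uses, so the two paths cannot drift apart.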
-- 
2.35.1

* [PATCH 4.9 085/251] mmc: toshsd: fix return value check of mmc_add_host()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 084/251] mmc: rtsx_usb_sdmmc: " Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 086/251] mmc: vub300: " Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f670744a316ea983113a65313dcd387b5a992444 ]

mmc_add_host() may return an error; if we ignore its return value, the memory
allocated in mmc_alloc_host() will be leaked and it will lead to a kernel
crash because of deleting a not-yet-added device in the remove path.

So fix this by checking the return value and going to the error path which will
call mmc_free_host(); besides, free_irq() also needs to be called.

Fixes: a5eb8bbd66cc ("mmc: add Toshiba PCI SD controller driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-8-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/toshsd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/toshsd.c b/drivers/mmc/host/toshsd.c
index 553ef41bb806..c0d3b289d8d4 100644
--- a/drivers/mmc/host/toshsd.c
+++ b/drivers/mmc/host/toshsd.c
@@ -655,7 +655,9 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 	if (ret)
 		goto unmap;
 
-	mmc_add_host(mmc);
+	ret = mmc_add_host(mmc);
+	if (ret)
+		goto free_irq;
 
 	base = pci_resource_start(pdev, 0);
 	dev_dbg(&pdev->dev, "MMIO %pa, IRQ %d\n", &base, pdev->irq);
@@ -664,6 +666,8 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	return 0;
 
+free_irq:
+	free_irq(pdev->irq, host);
 unmap:
 	pci_iounmap(pdev, host->ioaddr);
 release:
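Review bot: the new label is named `free_irq`, the same as the function it calls on the next line; labels live in their own namespace so this compiles, but it reads confusingly and defeats grep. Suggest `err_free_irq:` (and updating the `goto` in the previous hunk to match). The unwind order free_irq → unmap → release is the reverse of the setup order, which is right.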
-- 
2.35.1

* [PATCH 4.9 086/251] mmc: vub300: fix return value check of mmc_add_host()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 085/251] mmc: toshsd: " Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 087/251] mmc: via-sdmmc: " Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 0613ad2401f88bdeae5594c30afe318e93b14676 ]

mmc_add_host() may return an error; if we ignore its return value, the memory
allocated in mmc_alloc_host() will be leaked and it will lead to a kernel
crash because of deleting a not-yet-added device in the remove path.

So fix this by checking the return value and going to the error path which will
call mmc_free_host(); besides, the timer added before mmc_add_host() needs to be
deleted.

And this patch fixes another missing call to mmc_free_host() if usb_control_msg()
fails.

Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-9-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/vub300.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c
index 875e438ab973..d962e88572a1 100644
--- a/drivers/mmc/host/vub300.c
+++ b/drivers/mmc/host/vub300.c
@@ -2312,14 +2312,14 @@ static int vub300_probe(struct usb_interface *interface,
 				0x0000, 0x0000, &vub300->system_port_status,
 				sizeof(vub300->system_port_status), 1000);
 	if (retval < 0) {
-		goto error4;
+		goto error5;
 	} else if (sizeof(vub300->system_port_status) == retval) {
 		vub300->card_present =
 			(0x0001 & vub300->system_port_status.port_flags) ? 1 : 0;
 		vub300->read_only =
 			(0x0010 & vub300->system_port_status.port_flags) ? 1 : 0;
 	} else {
-		goto error4;
+		goto error5;
 	}
 	usb_set_intfdata(interface, vub300);
 	INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread);
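Review bot: both usb_control_msg() failure branches now jump to `error5` (mmc_free_host) instead of `error4`, which is correct because `mmc` has already been allocated by this point; the numbered labels hide that reasoning, though, so a short comment or descriptive names (`err_free_host`, `err_del_timer`) would help whoever next reorders this probe.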
@@ -2345,8 +2345,13 @@ static int vub300_probe(struct usb_interface *interface,
 			 "USB vub300 remote SDIO host controller[%d]"
 			 "connected with no SD/SDIO card inserted\n",
 			 interface_to_InterfaceNumber(interface));
-	mmc_add_host(mmc);
+	retval = mmc_add_host(mmc);
+	if (retval)
+		goto error6;
+
 	return 0;
+error6:
+	del_timer_sync(&vub300->inactivity_timer);
 error5:
 	mmc_free_host(mmc);
 	/*
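Review bot: `error6` deletes `inactivity_timer`, matching the commit message; the first hunk's context also shows INIT_DELAYED_WORK(&vub300->pollwork, ...), so if any of the delayed works can be queued before mmc_add_host() is reached (the hunk does not show whether they are), `error6` should cancel_delayed_work_sync() them too before the host is freed. A blank line between `return 0;` and `error6:` would also make the boundary between the success path and the unwind chain easier to see.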
-- 
2.35.1

* [PATCH 4.9 087/251] mmc: via-sdmmc: fix return value check of mmc_add_host()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 086/251] mmc: vub300: " Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 088/251] mmc: wbsd: " Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit e4e46fb61e3bb4628170810d3f2b996b709b90d9 ]

mmc_add_host() may return an error; if we ignore its return value,
it will lead to two issues:
1. The memory allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
   delete the device, but it's not added yet, which will lead to a kernel
   crash because of a null-ptr-deref in device_del().

Fix this by checking the return value and going to the error path which
will call mmc_free_host().

Fixes: f0bf7f61b840 ("mmc: Add new via-sdmmc host controller driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221108130949.1067699-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/via-sdmmc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
index a3472127bea3..74ac1ac55f42 100644
--- a/drivers/mmc/host/via-sdmmc.c
+++ b/drivers/mmc/host/via-sdmmc.c
@@ -1162,7 +1162,9 @@ static int via_sd_probe(struct pci_dev *pcidev,
 	    pcidev->subsystem_device == 0x3891)
 		sdhost->quirks = VIA_CRDR_QUIRK_300MS_PWRDELAY;
 
-	mmc_add_host(mmc);
+	ret = mmc_add_host(mmc);
+	if (ret)
+		goto unmap;
 
 	return 0;
 
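Review bot: `goto unmap` frees the host only if the `unmap` label chains on to mmc_free_host(), which the hunk does not show; please confirm. Also, if request_irq() runs before this point in via_sd_probe() (not visible here), jumping to `unmap` would leak the IRQ, and an extra free_irq step like the one the toshsd patch in this series adds would be needed.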
-- 
2.35.1

* [PATCH 4.9 088/251] mmc: wbsd: fix return value check of mmc_add_host()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 087/251] mmc: via-sdmmc: " Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 089/251] mmc: mmci: " Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit dc5b9b50fc9d1334407e316e6e29a5097ef833bd ]

mmc_add_host() may return an error; if we ignore its return value,
it will lead to two issues:
1. The memory allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
   delete the device, but it's not added yet, which will lead to a kernel
   crash because of a null-ptr-deref in device_del().

So fix this by checking the return value and going to the error path which
will call mmc_free_host(); besides, other resources also need to be
released.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221109133237.3273558-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/wbsd.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wbsd.c
index c3fd16d997ca..402b044c9a0b 100644
--- a/drivers/mmc/host/wbsd.c
+++ b/drivers/mmc/host/wbsd.c
@@ -1712,7 +1712,17 @@ static int wbsd_init(struct device *dev, int base, int irq, int dma,
 	 */
 	wbsd_init_device(host);
 
-	mmc_add_host(mmc);
+	ret = mmc_add_host(mmc);
+	if (ret) {
+		if (!pnp)
+			wbsd_chip_poweroff(host);
+
+		wbsd_release_resources(host);
+		wbsd_free_mmc(dev);
+
+		mmc_free_host(mmc);
+		return ret;
+	}
 
 	pr_info("%s: W83L51xD", mmc_hostname(mmc));
 	if (host->chip_id != 0)
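Review bot: the error path calls wbsd_free_mmc(dev) and then mmc_free_host(mmc) on what appears to be the same host; if wbsd_free_mmc() already releases the mmc host it looks up through the device's drvdata (its name suggests it does), the explicit mmc_free_host(mmc) afterwards would release it a second time, so please confirm which of the two calls is intended and drop the other. A short comment on why `wbsd_chip_poweroff(host)` is conditional on `!pnp` would also help, since the reader otherwise has to cross-check it against the remove path.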
-- 
2.35.1

* [PATCH 4.9 089/251] mmc: mmci: fix return value check of mmc_add_host()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 088/251] mmc: wbsd: " Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 090/251] media: c8sectpfe: Add of_node_put() when breaking out of loop Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit b38a20f29a49ae04d23750d104b25400b792b98c ]

mmc_add_host() may return an error; if we ignore its return value,
it will lead to two issues:
1. The memory allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
   delete the device, but it's not added yet, which will lead to a kernel
   crash because of a null-ptr-deref in device_del().

So fix this by checking the return value and going to the error path which
will call mmc_free_host().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221109133539.3275664-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/mmci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
index df990bb8c873..347dffaea105 100644
--- a/drivers/mmc/host/mmci.c
+++ b/drivers/mmc/host/mmci.c
@@ -1718,7 +1718,9 @@ static int mmci_probe(struct amba_device *dev,
 	pm_runtime_set_autosuspend_delay(&dev->dev, 50);
 	pm_runtime_use_autosuspend(&dev->dev);
 
-	mmc_add_host(mmc);
+	ret = mmc_add_host(mmc);
+	if (ret)
+		goto clk_disable;
 
 	pm_runtime_put(&dev->dev);
 	return 0;
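Review bot: the success path ends with pm_runtime_put(&dev->dev) but the new `goto clk_disable` path does not; that is correct only if the runtime-PM reference held during probe is balanced elsewhere when probe fails (for example by the bus core), so please confirm and note it in a comment. Also confirm that `clk_disable` falls through to mmc_free_host(), as the commit message relies on.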
-- 
2.35.1

* [PATCH 4.9 090/251] media: c8sectpfe: Add of_node_put() when breaking out of loop
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 089/251] mmc: mmci: " Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 091/251] media: coda: Add check for dcoda_iram_alloc Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Liang He, Hans Verkuil, Sasha Levin

From: Liang He <windhl@126.com>

[ Upstream commit 63ff05a1ad242a5a0f897921c87b70d601bda59c ]

In configure_channels(), we should call of_node_put() when breaking
out of for_each_child_of_node() which will automatically increase
and decrease the refcount.

Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support")
Signed-off-by: Liang He <windhl@126.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
index 06e2cfd09855..c79dcc497e13 100644
--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
+++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
@@ -953,6 +953,7 @@ static int configure_channels(struct c8sectpfei *fei)
 		if (ret) {
 			dev_err(fei->dev,
 				"configure_memdma_and_inputblock failed\n");
+			of_node_put(child);
 			goto err_unmap;
 		}
 		index++;
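Review bot: adding of_node_put(child) before the `goto err_unmap` is right, since for_each_child_of_node() only drops the child reference when the loop runs to completion; please also check whether the same loop has other early exits (break, return or goto) that need the same treatment, as the hunk shows only this one.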
-- 
2.35.1

* [PATCH 4.9 091/251] media: coda: Add check for dcoda_iram_alloc
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 090/251] media: c8sectpfe: Add of_node_put() when breaking out of loop Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 092/251] media: coda: Add check for kmalloc Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Hans Verkuil, Sasha Levin

From: Jiasheng Jiang <jiasheng@iscas.ac.cn>

[ Upstream commit 6b8082238fb8bb20f67e46388123e67a5bbc558d ]

As the coda_iram_alloc may return NULL pointer,
it should be better to check the return value
in order to avoid NULL pointer dereference,
same as the others.

Fixes: b313bcc9a467 ("[media] coda: simplify IRAM setup")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/coda/coda-bit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
index 7b4c93619c3d..b62c7098fc8c 100644
--- a/drivers/media/platform/coda/coda-bit.c
+++ b/drivers/media/platform/coda/coda-bit.c
@@ -595,7 +595,7 @@ static void coda_setup_iram(struct coda_ctx *ctx)
 		/* Only H.264BP and H.263P3 are considered */
 		iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w64);
 		iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w64);
-		if (!iram_info->buf_dbk_c_use)
+		if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use)
 			goto out;
 		iram_info->axi_sram_use |= dbk_bits;
 
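Review bot: the check is widened to cover buf_dbk_y_use, but it runs only after both allocations have been attempted; testing buf_dbk_y_use immediately after its own coda_iram_alloc() call would skip the second, now pointless, allocation when the first has already failed and reads more clearly.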
@@ -619,7 +619,7 @@ static void coda_setup_iram(struct coda_ctx *ctx)
 
 		iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w128);
 		iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w128);
-		if (!iram_info->buf_dbk_c_use)
+		if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use)
 			goto out;
 		iram_info->axi_sram_use |= dbk_bits;
 
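Review bot: same comment as for the w64 hunk above: check buf_dbk_y_use directly after its allocation rather than after both allocations have been made.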
-- 
2.35.1

* [PATCH 4.9 092/251] media: coda: Add check for kmalloc
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 091/251] media: coda: Add check for dcoda_iram_alloc Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 093/251] wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Hans Verkuil, Sasha Levin

From: Jiasheng Jiang <jiasheng@iscas.ac.cn>

[ Upstream commit 6e5e5defdb8b0186312c2f855ace175aee6daf9b ]

As the kmalloc may return NULL pointer,
it should be better to check the return value
in order to avoid NULL pointer dereference,
same as the others.

Fixes: cb1d3a336371 ("[media] coda: add CODA7541 JPEG support")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/coda/coda-bit.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
index b62c7098fc8c..a933c0cb24de 100644
--- a/drivers/media/platform/coda/coda-bit.c
+++ b/drivers/media/platform/coda/coda-bit.c
@@ -821,10 +821,16 @@ static int coda_start_encoding(struct coda_ctx *ctx)
 	}
 
 	if (dst_fourcc == V4L2_PIX_FMT_JPEG) {
-		if (!ctx->params.jpeg_qmat_tab[0])
+		if (!ctx->params.jpeg_qmat_tab[0]) {
 			ctx->params.jpeg_qmat_tab[0] = kmalloc(64, GFP_KERNEL);
-		if (!ctx->params.jpeg_qmat_tab[1])
+			if (!ctx->params.jpeg_qmat_tab[0])
+				return -ENOMEM;
+		}
+		if (!ctx->params.jpeg_qmat_tab[1]) {
 			ctx->params.jpeg_qmat_tab[1] = kmalloc(64, GFP_KERNEL);
+			if (!ctx->params.jpeg_qmat_tab[1])
+				return -ENOMEM;
+		}
 		coda_set_jpeg_compression_quality(ctx, ctx->params.jpeg_quality);
 	}
 
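Review bot: if the jpeg_qmat_tab[1] allocation fails, the function returns -ENOMEM with jpeg_qmat_tab[0] still allocated and stored in ctx->params; that is not a leak as long as context teardown frees both tables, but a short comment (or freeing [0] and clearing the pointer here) would make the intent explicit. The bare `64` also appears twice; a named constant for the quantisation table size would help.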
-- 
2.35.1

* [PATCH 4.9 093/251] wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 092/251] media: coda: Add check for kmalloc Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 094/251] wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih,
	Kalle Valo, Sasha Levin

From: Bitterblue Smith <rtl8821cerfe2@gmail.com>

[ Upstream commit dd469a754afdb782ba3033cee102147493dc39f4 ]

This struct is used to access a sequence of bytes received from the
wifi chip. It must not have any padding bytes between the members.

This doesn't change anything on my system, possibly because currently
none of the members need more than byte alignment.

Fixes: b2b43b7837ba ("rtl8xxxu: Initial functionality to handle C2H events for 8723bu")
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1a270918-da22-ff5f-29fc-7855f740c5ba@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
index 9143b173935d..c2c0e5635795 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
@@ -1191,7 +1191,7 @@ struct rtl8723bu_c2h {
 			u8 dummy3_0;
 		} __packed ra_report;
 	};
-};
+} __packed;
 
 struct rtl8xxxu_fileops;
 
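Review bot: marking the outer struct __packed is the right fix for a structure that overlays bytes received from the chip; since the inner `ra_report` shown is already __packed, the change only removes possible padding at the outer level, which matches the commit message's note that nothing changes today. To lock this in, consider a BUILD_BUG_ON on sizeof(struct rtl8723bu_c2h) against the expected C2H payload size, so a future member addition that changes the layout fails at compile time.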
-- 
2.35.1

* [PATCH 4.9 094/251] wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 093/251] wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 095/251] blktrace: Fix output non-blktrace event when blk_classic option enabled Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wang Yufen, Arend van Spriel,
	Kalle Valo, Sasha Levin

From: Wang Yufen <wangyufen@huawei.com>

[ Upstream commit c2f2924bc7f9ea75ef8d95863e710168f8196256 ]

Fix to return a negative error code instead of 0 when
brcmf_chip_set_active() fails. In addition, change the return
value for brcmf_pcie_exit_download_state() to keep consistent.

Fixes: d380ebc9b6fb ("brcmfmac: rename chip download functions")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1669959342-27144-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 +-
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
index 9e90737f4d49..45464bcd0960 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -578,7 +578,7 @@ static int brcmf_pcie_exit_download_state(struct brcmf_pciedev_info *devinfo,
 	}
 
 	if (!brcmf_chip_set_active(devinfo->ci, resetintr))
-		return -EINVAL;
+		return -EIO;
 	return 0;
 }
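Review bot: the -EINVAL to -EIO change on the brcmf_chip_set_active() failure path alters an existing return value, and the only justification given is "to keep consistent"; the commit message should say what it is being made consistent with (the sdio.c path in this same patch returns -EIO for the same failure) so that anyone later bisecting a changed errno can see the intent. Functionally the hunk is fine: the failure is a device not leaving reset, which is an I/O condition rather than an invalid argument.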
 
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
index d8f34883c096..d80aee2f5802 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -3310,6 +3310,7 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus,
 	/* Take arm out of reset */
 	if (!brcmf_chip_set_active(bus->ci, rstvec)) {
 		brcmf_err("error getting out of ARM core reset\n");
+		bcmerror = -EIO;
 		goto err;
 	}
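Review bot: the added `bcmerror = -EIO;` is what makes `goto err` report the failure; before it, bcmerror still held the 0 from the preceding successful step, so the function logged an error and then returned success. The fix relies on the `err:` label returning bcmerror, which is outside the shown context, so confirm that, and also check that the other `goto err` sites in brcmf_sdio_download_firmware() set bcmerror themselves, otherwise the same silent-success pattern remains elsewhere in the function.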
 
-- 
2.35.1

* [PATCH 4.9 095/251] blktrace: Fix output non-blktrace event when blk_classic option enabled
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 094/251] wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 096/251] net: vmw_vsock: vmci: Check memcpy_from_msg() Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Jihong, Jens Axboe, Sasha Levin

From: Yang Jihong <yangjihong1@huawei.com>

[ Upstream commit f596da3efaf4130ff61cd029558845808df9bf99 ]

When the blk_classic option is enabled, non-blktrace events must be
filtered out. Otherwise, events of other types are output in the blktrace
classic format, which is unexpected.

The problem can be triggered in the following ways:

  # echo 1 > /sys/kernel/debug/tracing/options/blk_classic
  # echo 1 > /sys/kernel/debug/tracing/events/enable
  # echo blk > /sys/kernel/debug/tracing/current_tracer
  # cat /sys/kernel/debug/tracing/trace_pipe

Fixes: c71a89615411 ("blktrace: add ftrace plugin")
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Link: https://lore.kernel.org/r/20221122040410.85113-1-yangjihong1@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/trace/blktrace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 056107787f4a..c6b58ff8ea72 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -1517,7 +1517,8 @@ blk_trace_event_print_binary(struct trace_iterator *iter, int flags,
 
 static enum print_line_t blk_tracer_print_line(struct trace_iterator *iter)
 {
-	if (!(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC))
+	if ((iter->ent->type != TRACE_BLK) ||
+	    !(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC))
 		return TRACE_TYPE_UNHANDLED;
 
 	return print_one_line(iter, true);
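Review bot: the `iter->ent->type != TRACE_BLK` test is placed ahead of the flag test, which is the right order: the classic-format flag alone cannot tell whether this entry is something print_one_line() knows how to format. A one-line comment above the condition (for example "only blk events can be printed in classic format") would keep the reasoning from the commit message next to the code, since a future reader may otherwise fold the two checks back together.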
-- 
2.35.1

* [PATCH 4.9 096/251] net: vmw_vsock: vmci: Check memcpy_from_msg()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 095/251] blktrace: Fix output non-blktrace event when blk_classic option enabled Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 097/251] net: defxx: Fix missing err handling in dfx_init() Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Artem Chernyshev,
	Stefano Garzarella, Vishnu Dasa, David S. Miller, Sasha Levin

From: Artem Chernyshev <artem.chernyshev@red-soft.ru>

[ Upstream commit 44aa5a6dba8283bfda28b1517af4de711c5652a4 ]

vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg().  If memcpy_from_msg() fails, it is possible that
uninitialized memory contents are sent unintentionally instead of the user's
message in the datagram to the destination.  Return with an error if
memcpy_from_msg() fails.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/vmw_vsock/vmci_transport.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index c09efcdf72d2..d096ef9d1c89 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1738,7 +1738,11 @@ static int vmci_transport_dgram_enqueue(
 	if (!dg)
 		return -ENOMEM;
 
-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	if (err) {
+		kfree(dg);
+		return err;
+	}
 
 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
 				   remote_addr->svm_port);
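Review bot: `err` is assigned and returned but is not declared in the shown context, so the hunk depends on an existing local in vmci_transport_dgram_enqueue(); confirm it exists and that no later code assumes it is still zero. The `kfree(dg)` before returning correctly mirrors the -ENOMEM path just above it. The security point from the commit message is worth carrying to similar call sites: an unchecked memcpy_from_msg() leaves the freshly allocated payload holding whatever the allocator returned, and that buffer is then transmitted as if it were the caller's data.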
-- 
2.35.1

* [PATCH 4.9 097/251] net: defxx: Fix missing err handling in dfx_init()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 096/251] net: vmw_vsock: vmci: Check memcpy_from_msg() Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 098/251] drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yongqiang Liu, Jiri Pirko,
	David S. Miller, Sasha Levin

From: Yongqiang Liu <liuyongqiang13@huawei.com>

[ Upstream commit ae18dcdff0f8d7e84cd3fd9f496518b5e72d185d ]

When eisa_driver_register() or tc_register_driver() fails,
modprobe defxx fails with an error log as follows:

 Error: Driver 'defxx' is already registered, aborting...

Fix this issue by adding error handling in dfx_init().

Fixes: e89a2cfb7d7b5 ("[TC] defxx: TURBOchannel support")
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/fddi/defxx.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/drivers/net/fddi/defxx.c b/drivers/net/fddi/defxx.c
index bdcf4aa34566..bb3c7781cdfa 100644
--- a/drivers/net/fddi/defxx.c
+++ b/drivers/net/fddi/defxx.c
@@ -3844,10 +3844,24 @@ static int dfx_init(void)
 	int status;
 
 	status = pci_register_driver(&dfx_pci_driver);
-	if (!status)
-		status = eisa_driver_register(&dfx_eisa_driver);
-	if (!status)
-		status = tc_register_driver(&dfx_tc_driver);
+	if (status)
+		goto err_pci_register;
+
+	status = eisa_driver_register(&dfx_eisa_driver);
+	if (status)
+		goto err_eisa_register;
+
+	status = tc_register_driver(&dfx_tc_driver);
+	if (status)
+		goto err_tc_register;
+
+	return 0;
+
+err_tc_register:
+	eisa_driver_unregister(&dfx_eisa_driver);
+err_eisa_register:
+	pci_unregister_driver(&dfx_pci_driver);
+err_pci_register:
 	return status;
 }
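Review bot: the unwind order is right (a tc_register_driver() failure undoes eisa then pci, an eisa_driver_register() failure undoes pci), and the early `return 0` keeps the success path obvious. Since eisa_driver_unregister() is now reached from a path that did not exist before, confirm that it resolves (or is stubbed) in every configuration this driver builds in, for example with CONFIG_EISA disabled; the old code never called it from dfx_init(), so a link-time dependency could have gone unnoticed until this backport.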
 
-- 
2.35.1

* [PATCH 4.9 098/251] drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 097/251] net: defxx: Fix missing err handling in dfx_init() Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 099/251] ethernet: s2io: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Can, Leon Romanovsky,
	David S. Miller, Sasha Levin

From: Yuan Can <yuancan@huawei.com>

[ Upstream commit 01de1123322e4fe1bbd0fcdf0982511b55519c03 ]

If a vp allocation fails in qlcnic_sriov_init(), all previously allocated
vps need to be freed.

Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
index 44caa7c2077e..d89d9247b7b9 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
@@ -222,6 +222,8 @@ int qlcnic_sriov_init(struct qlcnic_adapter *adapter, int num_vfs)
 	return 0;
 
 qlcnic_destroy_async_wq:
+	while (i--)
+		kfree(sriov->vf_info[i].vp);
 	destroy_workqueue(bc->bc_async_wq);
 
 qlcnic_destroy_trans_wq:
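Review bot: `while (i--)` frees vf_info[0..i-1] in reverse, which is correct when the jump to qlcnic_destroy_async_wq comes from the allocation loop with `i` at the failing index. It is only safe if every `goto qlcnic_destroy_async_wq` in the function arrives with `i` in that state; if any goto precedes the loop (i uninitialised or stale) or follows a completed run, this would free uninitialised pointers or double-free. Confirm the other jump sites, or reset `i` explicitly before the label becomes reachable from elsewhere.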
-- 
2.35.1

* [PATCH 4.9 099/251] ethernet: s2io: dont call dev_kfree_skb() under spin_lock_irqsave()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 098/251] drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 100/251] net: farsync: Fix kmemleak when rmmods farsync Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 6cee96e09df54ae17784c0f38a49e0ed8229b825 ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is the free reason: dev_kfree_skb_irq() means
the SKB is dropped due to an error and dev_consume_skb_irq() means the SKB
is consumed normally.

In this case, dev_kfree_skb() is called in free_tx_buffers() to drop
the SKBs in tx buffers when the card is down, so replace it with
dev_kfree_skb_irq() here.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/neterion/s2io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
index a66f4b867e3a..a66b797cdbbe 100644
--- a/drivers/net/ethernet/neterion/s2io.c
+++ b/drivers/net/ethernet/neterion/s2io.c
@@ -2384,7 +2384,7 @@ static void free_tx_buffers(struct s2io_nic *nic)
 			skb = s2io_txdl_getskb(&mac_control->fifos[i], txdp, j);
 			if (skb) {
 				swstats->mem_freed += skb->truesize;
-				dev_kfree_skb(skb);
+				dev_kfree_skb_irq(skb);
 				cnt++;
 			}
 		}
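Review bot: the switch to dev_kfree_skb_irq() is safe whether or not the spin lock is actually held at this point, because it queues the skb on the per-CPU completion queue for softirq instead of freeing inline. The hunk header shows free_tx_buffers() but not the lock the subject line refers to; if this helper is also reached from process context (for example at device close), dev_kfree_skb_any() would pick the right variant per call site and avoid deferring frees needlessly. Either way `swstats->mem_freed` is still accounted before the free, so the statistics stay correct.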
-- 
2.35.1

* [PATCH 4.9 100/251] net: farsync: Fix kmemleak when rmmods farsync
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 099/251] ethernet: s2io: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 101/251] net/tunnel: wait until all sk_user_data reader finish before releasing the sock Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li Zetao, Jiri Pirko,
	David S. Miller, Sasha Levin

From: Li Zetao <lizetao1@huawei.com>

[ Upstream commit 2f623aaf9f31de968dea6169849706a2f9be444c ]

There are two memory leaks reported by kmemleak:

  unreferenced object 0xffff888114b20200 (size 128):
    comm "modprobe", pid 4846, jiffies 4295146524 (age 401.345s)
    hex dump (first 32 bytes):
      e0 62 57 09 81 88 ff ff e0 62 57 09 81 88 ff ff  .bW......bW.....
      01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    backtrace:
      [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
      [<ffffffff83d35c78>] __hw_addr_add_ex+0x198/0x6c0
      [<ffffffff83d3989d>] dev_addr_init+0x13d/0x230
      [<ffffffff83d1063d>] alloc_netdev_mqs+0x10d/0xe50
      [<ffffffff82b4a06e>] alloc_hdlcdev+0x2e/0x80
      [<ffffffffa016a741>] fst_add_one+0x601/0x10e0 [farsync]
      ...

  unreferenced object 0xffff88810b85b000 (size 1024):
    comm "modprobe", pid 4846, jiffies 4295146523 (age 401.346s)
    hex dump (first 32 bytes):
      00 00 b0 02 00 c9 ff ff 00 70 0a 00 00 c9 ff ff  .........p......
      00 00 00 f2 00 00 00 f3 0a 00 00 00 02 00 00 00  ................
    backtrace:
      [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
      [<ffffffffa016a294>] fst_add_one+0x154/0x10e0 [farsync]
      [<ffffffff82060e83>] local_pci_probe+0xd3/0x170
      ...

The root cause is that the netdev and fst_card_info are not freed
when removing one fst in fst_remove_one(), which may trigger OOM if
the module is repeatedly insmod'ed and rmmod'ed.

Fix it by adding free_netdev() and kfree() in fst_remove_one(), just as
the operations on the error handling path in fst_add_one().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wan/farsync.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c
index 3c9cbf908ec7..e8522014a67a 100644
--- a/drivers/net/wan/farsync.c
+++ b/drivers/net/wan/farsync.c
@@ -2620,6 +2620,7 @@ fst_remove_one(struct pci_dev *pdev)
 	for (i = 0; i < card->nports; i++) {
 		struct net_device *dev = port_to_dev(&card->ports[i]);
 		unregister_hdlc_device(dev);
+		free_netdev(dev);
 	}
 
 	fst_disable_intr(card);
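Review bot: free_netdev() directly after unregister_hdlc_device() is the standard teardown pairing. The net_device is obtained via port_to_dev(&card->ports[i]), so if the port structure keeps a pointer to it, nothing later in fst_remove_one() that walks card->ports (the fst_disable_intr(card) call that follows, or the DMA teardown) may dereference that pointer anymore; confirm no code after the loop touches the per-port netdev, otherwise the leak is traded for a use-after-free.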
@@ -2640,6 +2641,7 @@ fst_remove_one(struct pci_dev *pdev)
 				    card->tx_dma_handle_card);
 	}
 	fst_card_array[card->card_no] = NULL;
+	kfree(card);
 }
 
 static struct pci_driver fst_driver = {
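Review bot: `kfree(card)` is correctly the last statement, after the fst_card_array slot is cleared, so no global still points at the freed structure. Because the interrupt handler and DMA completion paths use `card`, confirm that free_irq() and all DMA frees (only the tx_dma_handle_card one is visible here) complete before this point; the hunk shows no irq teardown, so it must sit in the unchanged lines between the two hunks.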
-- 
2.35.1

* [PATCH 4.9 101/251] net/tunnel: wait until all sk_user_data reader finish before releasing the sock
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 100/251] net: farsync: Fix kmemleak when rmmods farsync Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:53 ` [PATCH 4.9 102/251] net: apple: mace: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jianlin Shi, Jakub Sitnicki,
	Hangbin Liu, Jiri Pirko, David S. Miller, Sasha Levin

From: Hangbin Liu <liuhangbin@gmail.com>

[ Upstream commit 3cf7203ca620682165706f70a1b12b5194607dce ]

There is a race condition in vxlan: when deleting a vxlan device
while receiving packets, there is a possibility that the sock is
released after getting the vxlan_sock vs from sk_user_data. Then, in the
later vxlan_ecn_decapsulate() and vxlan_get_sk_family(), we get a
NULL pointer dereference, e.g.

   #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757
   #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d
   #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48
   #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b
   #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb
   #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542
   #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62
      [exception RIP: vxlan_ecn_decapsulate+0x3b]
      RIP: ffffffffc1014e7b  RSP: ffffa25ec6978cb0  RFLAGS: 00010246
      RAX: 0000000000000008  RBX: ffff8aa000888000  RCX: 0000000000000000
      RDX: 000000000000000e  RSI: ffff8a9fc7ab803e  RDI: ffff8a9fd1168700
      RBP: ffff8a9fc7ab803e   R8: 0000000000700000   R9: 00000000000010ae
      R10: ffff8a9fcb748980  R11: 0000000000000000  R12: ffff8a9fd1168700
      R13: ffff8aa000888000  R14: 00000000002a0000  R15: 00000000000010ae
      ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
   #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]
   #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507
   #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45
  #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807
  #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951
  #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde
  #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b
  #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139
  #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a
  #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3
  #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca
  #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3

Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh

Fix this by waiting for all sk_user_data readers to finish before
releasing the sock.

Reported-by: Jianlin Shi <jishi@redhat.com>
Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Fixes: 6a93cc905274 ("udp-tunnel: Add a few more UDP tunnel APIs")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/udp_tunnel.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/udp_tunnel.c b/net/ipv4/udp_tunnel.c
index 58bd39fb14b4..1f530a9b0357 100644
--- a/net/ipv4/udp_tunnel.c
+++ b/net/ipv4/udp_tunnel.c
@@ -163,6 +163,7 @@ EXPORT_SYMBOL_GPL(udp_tunnel_xmit_skb);
 void udp_tunnel_sock_release(struct socket *sock)
 {
 	rcu_assign_sk_user_data(sock->sk, NULL);
+	synchronize_rcu();
 	kernel_sock_shutdown(sock, SHUT_RDWR);
 	sock_release(sock);
 }
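Review bot: `synchronize_rcu()` between clearing sk_user_data and shutting the socket down is what closes the race: receivers that read the old vxlan_sock under rcu_read_lock() are guaranteed to have left their read-side section before the sock is released. Two things to confirm: udp_tunnel_sock_release() must only be called from contexts that may sleep (synchronize_rcu() blocks), and a one-line comment naming the readers it waits for would help, since the call looks gratuitous next to a plain rcu_assign_sk_user_data(..., NULL).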
-- 
2.35.1

* [PATCH 4.9 102/251] net: apple: mace: dont call dev_kfree_skb() under spin_lock_irqsave()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 101/251] net/tunnel: wait until all sk_user_data reader finish before releasing the sock Greg Kroah-Hartman
@ 2023-01-05 12:53 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 103/251] net: apple: bmac: " Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:53 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 3dfe3486c1cd4f82b466b7d307f23777137b8acc ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is the free reason: dev_kfree_skb_irq() means
the SKB is dropped due to an error and dev_consume_skb_irq() means the SKB
is consumed normally.

In this case, dev_kfree_skb() is called in mace_tx_timeout() to drop
the SKB on tx timeout, so replace it with dev_kfree_skb_irq().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/apple/mace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/apple/mace.c b/drivers/net/ethernet/apple/mace.c
index e58a7c73766e..ea6199425b67 100644
--- a/drivers/net/ethernet/apple/mace.c
+++ b/drivers/net/ethernet/apple/mace.c
@@ -843,7 +843,7 @@ static void mace_tx_timeout(unsigned long data)
     if (mp->tx_bad_runt) {
 	mp->tx_bad_runt = 0;
     } else if (i != mp->tx_fill) {
-	dev_kfree_skb(mp->tx_bufs[i]);
+	dev_kfree_skb_irq(mp->tx_bufs[i]);
 	if (++i >= N_TX_RING)
 	    i = 0;
 	mp->tx_empty = i;
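Review bot: dev_kfree_skb_irq() is the right variant here because mace_tx_timeout() is a timer callback (note the `unsigned long data` signature in the hunk header) and the skb is being dropped, not completed. Pre-existing and not introduced by this hunk: the freed slot `mp->tx_bufs[i]` is not set to NULL after the free; it is harmless as long as tx_empty always advances past `i` (which the following lines do), but a NULL store would rule out a later double free and is worth a follow-up.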
-- 
2.35.1

* [PATCH 4.9 103/251] net: apple: bmac: dont call dev_kfree_skb() under spin_lock_irqsave()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2023-01-05 12:53 ` [PATCH 4.9 102/251] net: apple: mace: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 104/251] net: emaclite: " Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 5fe02e046e6422c4adfdbc50206ec7186077da24 ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is the free reason: dev_kfree_skb_irq() means
the SKB is dropped due to an error and dev_consume_skb_irq() means the SKB
is consumed normally.

In this case, dev_kfree_skb() is called in bmac_tx_timeout() to drop
the SKB on tx timeout, so replace it with dev_kfree_skb_irq().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/apple/bmac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c
index ffa7e7e6d18d..01874e1dbb8b 100644
--- a/drivers/net/ethernet/apple/bmac.c
+++ b/drivers/net/ethernet/apple/bmac.c
@@ -1518,7 +1518,7 @@ static void bmac_tx_timeout(unsigned long data)
 	i = bp->tx_empty;
 	++dev->stats.tx_errors;
 	if (i != bp->tx_fill) {
-		dev_kfree_skb(bp->tx_bufs[i]);
+		dev_kfree_skb_irq(bp->tx_bufs[i]);
 		bp->tx_bufs[i] = NULL;
 		if (++i >= N_TX_RING) i = 0;
 		bp->tx_empty = i;
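Review bot: the `bp->tx_bufs[i] = NULL` that already follows the free is kept, so a later timeout cannot free the same slot twice, and dev_kfree_skb_irq() matches the drop-on-error meaning of the `++dev->stats.tx_errors` line above. As the spin_lock_irqsave() named in the subject is outside the shown context, a brief comment that the lock is held here would save the next reader from re-deriving why the _irq variant is required.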
-- 
2.35.1

* [PATCH 4.9 104/251] net: emaclite: dont call dev_kfree_skb() under spin_lock_irqsave()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 103/251] net: apple: bmac: " Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 105/251] net: ethernet: dnet: " Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit d1678bf45f21fa5ae4a456f821858679556ea5f8 ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is the free reason: dev_kfree_skb_irq() means
the SKB is dropped due to an error and dev_consume_skb_irq() means the SKB
is consumed normally.

In this case, dev_kfree_skb() is called in xemaclite_tx_timeout() to
drop the SKB on tx timeout, so replace it with dev_kfree_skb_irq().

Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
index cdcc86060749..99c7872504fe 100644
--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -537,7 +537,7 @@ static void xemaclite_tx_timeout(struct net_device *dev)
 	xemaclite_enable_interrupts(lp);
 
 	if (lp->deferred_skb) {
-		dev_kfree_skb(lp->deferred_skb);
+		dev_kfree_skb_irq(lp->deferred_skb);
 		lp->deferred_skb = NULL;
 		dev->stats.tx_errors++;
 	}
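Review bot: dropping `lp->deferred_skb` with dev_kfree_skb_irq(), clearing the pointer and bumping tx_errors is consistent, and the ordering (free, NULL, stat) is fine. One thing to double check against the surrounding code: `xemaclite_enable_interrupts(lp)` runs two lines earlier, so if the locked region ends before this block the original dev_kfree_skb() was already legal from the watchdog context; the change is correct in either case, just make sure the commit's claim that the lock is held matches the actual locking in xemaclite_tx_timeout().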
-- 
2.35.1

* [PATCH 4.9 105/251] net: ethernet: dnet: dont call dev_kfree_skb() under spin_lock_irqsave()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 104/251] net: emaclite: " Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 106/251] hamradio: " Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f07fadcbee2a5e84caa67c7c445424200bffb60b ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

In this case, the lock is used to protect 'bp', so we can move
dev_kfree_skb() after the spin_unlock_irqrestore().

Fixes: 4796417417a6 ("dnet: Dave DNET ethernet controller driver (updated)")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/dnet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/dnet.c b/drivers/net/ethernet/dnet.c
index c3b64cdd0dec..62fcedd6f732 100644
--- a/drivers/net/ethernet/dnet.c
+++ b/drivers/net/ethernet/dnet.c
@@ -558,11 +558,11 @@ static netdev_tx_t dnet_start_xmit(struct sk_buff *skb, struct net_device *dev)
 
 	skb_tx_timestamp(skb);
 
+	spin_unlock_irqrestore(&bp->lock, flags);
+
 	/* free the buffer */
 	dev_kfree_skb(skb);
 
-	spin_unlock_irqrestore(&bp->lock, flags);
-
 	return NETDEV_TX_OK;
 }
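Review bot: shortening the critical section is preferable to swapping in dev_kfree_skb_irq(), since the skb is freed inline instead of being deferred to softirq. From the visible lines it is sound: after the moved spin_unlock_irqrestore() only `dev_kfree_skb(skb)` and a constant return remain, and the skb was already handed to the hardware and timestamped under the lock. Nothing touching `bp` is left outside the lock, which is the property the commit message relies on.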
 
-- 
2.35.1

* [PATCH 4.9 106/251] hamradio: dont call dev_kfree_skb() under spin_lock_irqsave()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 105/251] net: ethernet: dnet: " Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 107/251] net: amd: lance: " Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 3727f742915f04f6fc550b80cf406999bd4e90d0 ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is the free reason: dev_kfree_skb_irq() means
the SKB is dropped due to an error and dev_consume_skb_irq() means the SKB
is consumed normally.

In scc_discard_buffers(), dev_kfree_skb() is called to discard the SKBs,
so replace it with dev_kfree_skb_irq().

In scc_net_tx(), dev_kfree_skb() is called to drop the SKB that exceeds
the queue length, so replace it with dev_kfree_skb_irq().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/hamradio/scc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/hamradio/scc.c b/drivers/net/hamradio/scc.c
index b8083161ef46..9b9daf45adad 100644
--- a/drivers/net/hamradio/scc.c
+++ b/drivers/net/hamradio/scc.c
@@ -299,12 +299,12 @@ static inline void scc_discard_buffers(struct scc_channel *scc)
 	spin_lock_irqsave(&scc->lock, flags);	
 	if (scc->tx_buff != NULL)
 	{
-		dev_kfree_skb(scc->tx_buff);
+		dev_kfree_skb_irq(scc->tx_buff);
 		scc->tx_buff = NULL;
 	}
 	
 	while (!skb_queue_empty(&scc->tx_queue))
-		dev_kfree_skb(skb_dequeue(&scc->tx_queue));
+		dev_kfree_skb_irq(skb_dequeue(&scc->tx_queue));
 
 	spin_unlock_irqrestore(&scc->lock, flags);
 }
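Review bot: in scc_discard_buffers() the spin_lock_irqsave() is visible in the hunk, so both frees really are under the lock and dev_kfree_skb_irq() is required as written. An alternative that avoids the deferred frees would be to detach `scc->tx_buff` and splice `scc->tx_queue` onto a local list under the lock, then free them with dev_kfree_skb() and skb_queue_purge() after spin_unlock_irqrestore(); not needed for a stable fix, but it removes the softirq round trip.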
@@ -1666,7 +1666,7 @@ static netdev_tx_t scc_net_tx(struct sk_buff *skb, struct net_device *dev)
 	if (skb_queue_len(&scc->tx_queue) > scc->dev->tx_queue_len) {
 		struct sk_buff *skb_del;
 		skb_del = skb_dequeue(&scc->tx_queue);
-		dev_kfree_skb(skb_del);
+		dev_kfree_skb_irq(skb_del);
 	}
 	skb_queue_tail(&scc->tx_queue, skb);
 	netif_trans_update(dev);
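Review bot: the oldest queued skb is being thrown away to make room, so dev_kfree_skb_irq() (drop semantics) is the right call rather than dev_consume_skb_irq(). The drop is not reflected in any counter in the shown lines; if scc_net_tx() does not already increment dev->stats.tx_dropped for this case it should, otherwise queue overflow under load is invisible to the operator.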
-- 
2.35.1

* [PATCH 4.9 107/251] net: amd: lance: dont call dev_kfree_skb() under spin_lock_irqsave()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 106/251] hamradio: " Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 108/251] ntb_netdev: Use dev_kfree_skb_any() in interrupt context Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 6151d105dfce8c23edf30eed35e97f3d9b96a35c ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is the free reason: dev_kfree_skb_irq() means
the SKB is dropped due to an error and dev_consume_skb_irq() means the SKB
is consumed normally.

In these two cases, dev_kfree_skb() is called to consume the transmitted SKB,
so replace it with dev_consume_skb_irq().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amd/atarilance.c | 2 +-
 drivers/net/ethernet/amd/lance.c      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/amd/atarilance.c b/drivers/net/ethernet/amd/atarilance.c
index 35a9f252ceb6..421e47f8b54a 100644
--- a/drivers/net/ethernet/amd/atarilance.c
+++ b/drivers/net/ethernet/amd/atarilance.c
@@ -826,7 +826,7 @@ lance_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	lp->memcpy_f( PKTBUF_ADDR(head), (void *)skb->data, skb->len );
 	head->flag = TMD1_OWN_CHIP | TMD1_ENP | TMD1_STP;
 	dev->stats.tx_bytes += skb->len;
-	dev_kfree_skb( skb );
+	dev_consume_skb_irq(skb);
 	lp->cur_tx++;
 	while( lp->cur_tx >= TX_RING_SIZE && lp->dirty_tx >= TX_RING_SIZE ) {
 		lp->cur_tx -= TX_RING_SIZE;
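Review bot: dev_consume_skb_irq() is the right variant at this point in lance_start_xmit(): the frame has already been copied into the ring by lp->memcpy_f() and accounted in dev->stats.tx_bytes, so this is a successful consumption, and the consume reason keeps the free out of the skb:kfree_skb tracepoint and drop-monitor output. Style nit: the old `dev_kfree_skb( skb )` followed the space-padded call style of the surrounding `memcpy_f( ... )` and `while( ... )`; the new line drops it, which checkpatch prefers but which is inconsistent with the lines around it.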
diff --git a/drivers/net/ethernet/amd/lance.c b/drivers/net/ethernet/amd/lance.c
index abb1ba228b26..3495e0b4d3ef 100644
--- a/drivers/net/ethernet/amd/lance.c
+++ b/drivers/net/ethernet/amd/lance.c
@@ -998,7 +998,7 @@ static netdev_tx_t lance_start_xmit(struct sk_buff *skb,
 		skb_copy_from_linear_data(skb, &lp->tx_bounce_buffs[entry], skb->len);
 		lp->tx_ring[entry].base =
 			((u32)isa_virt_to_bus((lp->tx_bounce_buffs + entry)) & 0xffffff) | 0x83000000;
-		dev_kfree_skb(skb);
+		dev_consume_skb_irq(skb);
 	} else {
 		lp->tx_skbuff[entry] = skb;
 		lp->tx_ring[entry].base = ((u32)isa_virt_to_bus(skb->data) & 0xffffff) | 0x83000000;
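Review bot: Only the bounce-buffer branch is changed, and that is correct: after skb_copy_from_linear_data() the ring no longer references the skb, so it can be released immediately, whereas the else branch stores it in lp->tx_skbuff[entry] for release on TX completion and must stay as is. The consume variant is the accurate one for this branch since the data is transmitted from the bounce buffer, not dropped.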
-- 
2.35.1

* [PATCH 4.9 108/251] ntb_netdev: Use dev_kfree_skb_any() in interrupt context
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Pilmore, Dave Jiang,
	Jakub Kicinski, Sasha Levin

From: Eric Pilmore <epilmore@gigaio.com>

[ Upstream commit 5f7d78b2b12a9d561f48fa00bab29b40f4616dad ]

TX/RX callback handlers (ntb_netdev_tx_handler(),
ntb_netdev_rx_handler()) can be called in interrupt
context via the DMA framework when the respective
DMA operations have completed. As such, any calls
by these routines to free skbs should use the
interrupt context safe dev_kfree_skb_any() function.

Previously, these callback handlers would call the
interrupt unsafe version of dev_kfree_skb(). This has
not presented an issue on Intel IOAT DMA engines as
that driver utilizes tasklets rather than a hard
interrupt handler, like the AMD PTDMA DMA driver.
On AMD systems, a kernel WARNING message is
encountered, which is being issued from
skb_release_head_state() due to in_hardirq()
being true.

Besides the user visible WARNING from the kernel,
the other symptom of this bug was that TCP/IP performance
across the ntb_netdev interface was very poor, i.e.
approximately an order of magnitude below what was
expected. With the repair to use dev_kfree_skb_any(),
kernel WARNINGs from skb_release_head_state() ceased
and TCP/IP performance, as measured by iperf, was on
par with expected results, approximately 20 Gb/s on
an AMD Milan based server. Note that this performance
is comparable with Intel based servers.

Fixes: 765ccc7bc3d91 ("ntb_netdev: correct skb leak")
Fixes: 548c237c0a997 ("net: Add support for NTB virtual ethernet device")
Signed-off-by: Eric Pilmore <epilmore@gigaio.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20221209000659.8318-1-epilmore@gigaio.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ntb_netdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
index bd6c19ceab30..c4a3143cef25 100644
--- a/drivers/net/ntb_netdev.c
+++ b/drivers/net/ntb_netdev.c
@@ -140,7 +140,7 @@ static void ntb_netdev_rx_handler(struct ntb_transport_qp *qp, void *qp_data,
 enqueue_again:
 	rc = ntb_transport_rx_enqueue(qp, skb, skb->data, ndev->mtu + ETH_HLEN);
 	if (rc) {
-		dev_kfree_skb(skb);
+		dev_kfree_skb_any(skb);
 		ndev->stats.rx_errors++;
 		ndev->stats.rx_fifo_errors++;
 	}
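Review bot: dev_kfree_skb_any() is the appropriate choice in ntb_netdev_rx_handler() because, as the commit message explains, the same callback runs from a tasklet with one DMA engine and from hard-IRQ context with another; the _any variant checks the context at run time, where _irq would always defer to the completion queue. The drop reason is also right here: the free happens only when ntb_transport_rx_enqueue() fails, with rx_errors and rx_fifo_errors bumped alongside it.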
@@ -195,7 +195,7 @@ static void ntb_netdev_tx_handler(struct ntb_transport_qp *qp, void *qp_data,
 		ndev->stats.tx_aborted_errors++;
 	}
 
-	dev_kfree_skb(skb);
+	dev_kfree_skb_any(skb);
 
 	if (ntb_transport_tx_free_entry(dev->qp) >= tx_start) {
 		/* Make sure anybody stopping the queue after this sees the new
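Review bot: In ntb_netdev_tx_handler() the free at the end is unconditional, so it also runs for successfully transmitted frames, not only for the tx_aborted_errors branch above it. dev_kfree_skb_any() records the skb as dropped; dev_consume_skb_any() would be the more accurate variant for the success path. This affects only the skb:kfree_skb tracepoint and drop-monitor noise, not correctness, so it is a follow-up suggestion rather than a blocker.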
-- 
2.35.1

* [PATCH 4.9 109/251] Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
	Luiz Augusto von Dentz, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit b15a6bd3c80c77faec8317319b97f976b1a08332 ]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().

Fixes: 803b58367ffb ("Bluetooth: btusb: Implement driver internal packet reassembly")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/btusb.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 2069080191ee..532e492f92e0 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -440,13 +440,13 @@ static inline void btusb_free_frags(struct btusb_data *data)
 
 	spin_lock_irqsave(&data->rxlock, flags);
 
-	kfree_skb(data->evt_skb);
+	dev_kfree_skb_irq(data->evt_skb);
 	data->evt_skb = NULL;
 
-	kfree_skb(data->acl_skb);
+	dev_kfree_skb_irq(data->acl_skb);
 	data->acl_skb = NULL;
 
-	kfree_skb(data->sco_skb);
+	dev_kfree_skb_irq(data->sco_skb);
 	data->sco_skb = NULL;
 
 	spin_unlock_irqrestore(&data->rxlock, flags);
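Review bot: data->evt_skb, data->acl_skb and data->sco_skb are reset to NULL right after each free, so on a later call to btusb_free_frags() any of them may be NULL; the original kfree_skb() tolerates a NULL argument silently. Please confirm that dev_kfree_skb_irq() in the 4.9 tree tolerates NULL as well, otherwise this conversion turns a no-op into a NULL dereference while data->rxlock is held with interrupts disabled.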
-- 
2.35.1

* [PATCH 4.9 110/251] Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
	Luiz Augusto von Dentz, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit df4cfc91208e0a98f078223793f5871b1a82cc54 ]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().

Fixes: 0ff252c1976d ("Bluetooth: hciuart: Add support QCA chipset for UART")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/hci_qca.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 0986c324459f..af407cd8425f 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -718,7 +718,7 @@ static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb)
 	default:
 		BT_ERR("Illegal tx state: %d (losing packet)",
 		       qca->tx_ibs_state);
-		kfree_skb(skb);
+		dev_kfree_skb_irq(skb);
 		break;
 	}
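Review bot: The hunk's context does not include the spin_lock_irqsave() that the subject refers to; only the `default:` arm of the tx_ibs_state switch in qca_enqueue() is visible, so a few more lines of context showing the lock would make the change self-explaining for stable reviewers. The drop reason is right: BT_ERR() announces "losing packet", so dev_kfree_skb_irq() describes exactly what happens.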
 
-- 
2.35.1

* [PATCH 4.9 111/251] Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
	Luiz Augusto von Dentz, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 383630cc6758d619874c2e8bb2f68a61f3f9ef6e ]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().

Fixes: 43eb12d78960 ("Bluetooth: Fix/implement Three-wire reliable packet sending")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/hci_h5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index 0879d64b1caf..a947e3c0af18 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -266,7 +266,7 @@ static void h5_pkt_cull(struct h5 *h5)
 			break;
 
 		__skb_unlink(skb, &h5->unack);
-		kfree_skb(skb);
+		dev_kfree_skb_irq(skb);
 	}
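Review bot: The skbs released in h5_pkt_cull() are being unlinked from h5->unack because the peer acknowledged them, so they were consumed rather than dropped; dev_consume_skb_irq() would describe that more accurately than dev_kfree_skb_irq() and keep these frees out of drop-monitor and skb:kfree_skb output. Either variant fixes the in-IRQ free, so this is a naming suggestion, not a correctness issue.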
 
 	if (skb_queue_empty(&h5->unack))
-- 
2.35.1

* [PATCH 4.9 112/251] Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
	Luiz Augusto von Dentz, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 7b503e339c1a80bf0051ec2d19c3bc777014ac61 ]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/hci_bcsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index 26f9982bab26..2056d5c01afa 100644
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -392,7 +392,7 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
 		i++;
 
 		__skb_unlink(skb, &bcsp->unack);
-		kfree_skb(skb);
+		dev_kfree_skb_irq(skb);
 	}
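Review bot: bcsp_pkt_cull() unlinks acknowledged packets from bcsp->unack, so the skb freed here was delivered, not dropped; dev_consume_skb_irq() would reflect the free reason better than dev_kfree_skb_irq(). Both variants are equally correct with respect to the locking problem being fixed, so this only affects tracepoint and drop-monitor accounting.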
 
 	if (skb_queue_empty(&bcsp->unack))
-- 
2.35.1

* [PATCH 4.9 113/251] Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
	Luiz Augusto von Dentz, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 39c1eb6fcbae8ce9bb71b2ac5cb609355a2b181b ]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().

Fixes: 9238f36a5a50 ("Bluetooth: Add request cmd_complete and cmd_status functions")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 6f99da11d207..61ffa0f12925 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4181,7 +4181,7 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
 			*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
 		else
 			*req_complete = bt_cb(skb)->hci.req_complete;
-		kfree_skb(skb);
+		dev_kfree_skb_irq(skb);
 	}
 	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
 }
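Review bot: The ordering in hci_req_cmd_complete() is right: the req_complete/req_complete_skb callbacks are read out of bt_cb(skb) before the skb is released, and the free happens while hdev->cmd_q.lock is still held, which is exactly why the _irq variant is required. Since a completed command is consumed rather than dropped, dev_consume_skb_irq() would be the semantically closer choice, though not needed for correctness.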
-- 
2.35.1

* [PATCH 4.9 114/251] stmmac: fix potential division by 0
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Piergiorgio Beruto, Andrew Lunn,
	Jakub Kicinski, Sasha Levin

From: Piergiorgio Beruto <piergiorgio.beruto@gmail.com>

[ Upstream commit ede5a389852d3640a28e7187fb32b7f204380901 ]

When the MAC is connected to a 10 Mb/s PHY and the PTP clock is derived
from the MAC reference clock (default), the clk_ptp_rate becomes too
small and the calculated sub second increment becomes 0 when computed by
the stmmac_config_sub_second_increment() function within
stmmac_init_tstamp_counter().

Therefore, the subsequent div_u64 in stmmac_init_tstamp_counter()
operation triggers a divide by 0 exception as shown below.

[   95.062067] socfpga-dwmac ff700000.ethernet eth0: Register MEM_TYPE_PAGE_POOL RxQ-0
[   95.076440] socfpga-dwmac ff700000.ethernet eth0: PHY [stmmac-0:08] driver [NCN26000] (irq=49)
[   95.095964] dwmac1000: Master AXI performs any burst length
[   95.101588] socfpga-dwmac ff700000.ethernet eth0: No Safety Features support found
[   95.109428] Division by zero in kernel.
[   95.113447] CPU: 0 PID: 239 Comm: ifconfig Not tainted 6.1.0-rc7-centurion3-1.0.3.0-01574-gb624218205b7-dirty #77
[   95.123686] Hardware name: Altera SOCFPGA
[   95.127695]  unwind_backtrace from show_stack+0x10/0x14
[   95.132938]  show_stack from dump_stack_lvl+0x40/0x4c
[   95.137992]  dump_stack_lvl from Ldiv0+0x8/0x10
[   95.142527]  Ldiv0 from __aeabi_uidivmod+0x8/0x18
[   95.147232]  __aeabi_uidivmod from div_u64_rem+0x1c/0x40
[   95.152552]  div_u64_rem from stmmac_init_tstamp_counter+0xd0/0x164
[   95.158826]  stmmac_init_tstamp_counter from stmmac_hw_setup+0x430/0xf00
[   95.165533]  stmmac_hw_setup from __stmmac_open+0x214/0x2d4
[   95.171117]  __stmmac_open from stmmac_open+0x30/0x44
[   95.176182]  stmmac_open from __dev_open+0x11c/0x134
[   95.181172]  __dev_open from __dev_change_flags+0x168/0x17c
[   95.186750]  __dev_change_flags from dev_change_flags+0x14/0x50
[   95.192662]  dev_change_flags from devinet_ioctl+0x2b4/0x604
[   95.198321]  devinet_ioctl from inet_ioctl+0x1ec/0x214
[   95.203462]  inet_ioctl from sock_ioctl+0x14c/0x3c4
[   95.208354]  sock_ioctl from vfs_ioctl+0x20/0x38
[   95.212984]  vfs_ioctl from sys_ioctl+0x250/0x844
[   95.217691]  sys_ioctl from ret_fast_syscall+0x0/0x4c
[   95.222743] Exception stack(0xd0ee1fa8 to 0xd0ee1ff0)
[   95.227790] 1fa0:                   00574c4f be9aeca4 00000003 00008914 be9aeca4 be9aec50
[   95.235945] 1fc0: 00574c4f be9aeca4 0059f078 00000036 be9aee8c be9aef7a 00000015 00000000
[   95.244096] 1fe0: 005a01f0 be9aec38 004d7484 b6e67d74

Signed-off-by: Piergiorgio Beruto <piergiorgio.beruto@gmail.com>
Fixes: 91a2559c1dc5 ("net: stmmac: Fix sub-second increment")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/de4c64ccac9084952c56a06a8171d738604c4770.1670678513.git.piergiorgio.beruto@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 3 ++-
 drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h      | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
index 5b91a95476de..c925a8fb1993 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
@@ -57,7 +57,8 @@ static u32 stmmac_config_sub_second_increment(void __iomem *ioaddr,
 	if (!(value & PTP_TCR_TSCTRLSSR))
 		data = (data * 1000) / 465;
 
-	data &= PTP_SSIR_SSINC_MASK;
+	if (data > PTP_SSIR_SSINC_MAX)
+		data = PTP_SSIR_SSINC_MAX;
 
 	reg_value = data;
 	if (gmac4)
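Review bot: Replacing `data &= PTP_SSIR_SSINC_MASK;` with a clamp fixes the wrap-to-zero (any result that is a multiple of 256, e.g. 256 & 0xff, became a zero increment), but it does not guard a `data` that is already 0 before the clamp, which the later division in stmmac_init_tstamp_counter() would still trip on. Consider `if (!data) data = 1;` or a WARN_ON() so the divide-by-zero protection is explicit instead of depending on the clock rate range. Saturating at 0xff also silently mis-times the PTP counter when the true increment is larger than 255 ns; a dev_warn() at the clamp would help anyone debugging timestamp drift on slow reference clocks.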
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
index 174777cd888e..06fd27fc9a08 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
@@ -69,7 +69,7 @@
 #define	PTP_TCR_TSENMACADDR	BIT(18)
 
 /* SSIR defines */
-#define	PTP_SSIR_SSINC_MASK		0xff
+#define	PTP_SSIR_SSINC_MAX		0xff
 #define	GMAC4_PTP_SSIR_SSINC_SHIFT	16
 
 #endif	/* __STMMAC_PTP_H__ */
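Review bot: Renaming PTP_SSIR_SSINC_MASK to PTP_SSIR_SSINC_MAX changes the header's exported names; the diffstat lists only these two files, so there should be no other user, but a grep for PTP_SSIR_SSINC_MASK under drivers/net/ethernet/stmicro on the 4.9 tree before applying would confirm the backport still builds. The 0xff value is consistent with an 8-bit field given GMAC4_PTP_SSIR_SSINC_SHIFT of 16 on the following line.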
-- 
2.35.1
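The wrap-to-zero path the commit message describes, modelled in user-space C as an added example that is not the stmmac driver's code: the `* 1000 / 465` accuracy step and the 0xff bound are taken from the hunks above, while the 1e9 / clk_ptp_rate nanoseconds-per-tick formula and the `div_u64(1000000000ULL, sec_inc)` stand-in are assumptions modelled on the driver. The two sample clock rates are constructed so the pre-mask value lands exactly on a multiple of 256.

```c
/* Added example, not the stmmac driver's code.  Models the sub-second
 * increment (SSINC) computation to show why masking an 8-bit field with
 * 0xff can yield 0, which the later division then trips on, and why the
 * patch's clamp cannot.  The ns-per-tick formula (1e9 / clk_ptp_rate) is
 * an assumption modelled on the driver; the "* 1000 / 465" step and the
 * 0xff bound are the ones visible in the patch. */
#include <stdint.h>
#include <stdio.h>

#define PTP_SSIR_SSINC_MAX 0xff          /* 8-bit SSINC field, as in the patch */

/* Nanoseconds per PTP clock tick.  The 0.465 ns accuracy scaling from the
 * hunk applies when the controller is not in the TSCTRLSSR rollover mode. */
static uint64_t ssinc_raw(uint32_t clk_ptp_rate, int ctrl_ssr)
{
	uint64_t data = 1000000000ULL / clk_ptp_rate;   /* assumption: ns per tick */

	if (!ctrl_ssr)
		data = (data * 1000) / 465;                 /* 0.465 ns accuracy step */
	return data;
}

/* Pre-patch behaviour: truncate to the 8-bit field.  Any value that is a
 * multiple of 256 wraps to exactly 0. */
static uint32_t ssinc_masked(uint32_t clk_ptp_rate, int ctrl_ssr)
{
	return (uint32_t)(ssinc_raw(clk_ptp_rate, ctrl_ssr) & PTP_SSIR_SSINC_MAX);
}

/* Post-patch behaviour: saturate at the field maximum instead of wrapping. */
static uint32_t ssinc_clamped(uint32_t clk_ptp_rate, int ctrl_ssr)
{
	uint64_t data = ssinc_raw(clk_ptp_rate, ctrl_ssr);

	return data > PTP_SSIR_SSINC_MAX ? PTP_SSIR_SSINC_MAX : (uint32_t)data;
}

/* Stand-in for the div_u64(1000000000ULL, sec_inc) step in
 * stmmac_init_tstamp_counter() (assumption).  Instead of faulting on a
 * zero increment it reports failure through *ok, so a caller can refuse
 * the configuration rather than take a divide-by-zero exception. */
static uint64_t tstamp_addend_base(uint32_t sec_inc, int *ok)
{
	if (sec_inc == 0) {
		*ok = 0;
		return 0;
	}
	*ok = 1;
	return 1000000000ULL / sec_inc;
}

int main(void)
{
	/* Constructed rates: 1e9 / 3906250 = 256 ns per tick exactly (rollover
	 * mode, no scaling); 1e9 / 336021 = 2976 ns, and 2976 * 1000 / 465 =
	 * 6400 = 25 * 256 (accuracy-scaled mode).  Both mask to 0. */
	const uint32_t rollover_rate = 3906250, scaled_rate = 336021;
	int ok;

	printf("rollover: masked=%u clamped=%u\n",
	       (unsigned)ssinc_masked(rollover_rate, 1),    /* 0   */
	       (unsigned)ssinc_clamped(rollover_rate, 1));  /* 255 */
	printf("scaled  : masked=%u clamped=%u\n",
	       (unsigned)ssinc_masked(scaled_rate, 0),      /* 0   */
	       (unsigned)ssinc_clamped(scaled_rate, 0));    /* 255 */

	tstamp_addend_base(ssinc_masked(rollover_rate, 1), &ok);
	printf("masked path divides safely: %s\n", ok ? "yes" : "no");  /* no */
	return 0;
}
```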

* [PATCH 4.9 115/251] scsi: hpsa: Fix error handling in hpsa_add_sas_host()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin K. Petersen,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 4ef174a3ad9b5d73c1b6573e244ebba2b0d86eac ]

hpsa_sas_port_add_phy() does:
  ...
  sas_phy_add()  -> may return error here
  sas_port_add_phy()
  ...

Whereas hpsa_free_sas_phy() does:
  ...
  sas_port_delete_phy()
  sas_phy_delete()
  ...

If hpsa_sas_port_add_phy() returns an error, hpsa_free_sas_phy() cannot be
called to free the memory because the port and the phy have not been added
yet.

Replace hpsa_free_sas_phy() with sas_phy_free() and kfree() to avoid a kernel
crash in this case.

Fixes: d04e62b9d63a ("hpsa: add in sas transport class")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221110151129.394389-1-yangyingliang@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/hpsa.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index 7f1d6d52d48b..5e11500eae19 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -9837,7 +9837,8 @@ static int hpsa_add_sas_host(struct ctlr_info *h)
 	return 0;
 
 free_sas_phy:
-	hpsa_free_sas_phy(hpsa_sas_phy);
+	sas_phy_free(hpsa_sas_phy->phy);
+	kfree(hpsa_sas_phy);
 free_sas_port:
 	hpsa_free_sas_port(hpsa_sas_port);
 free_sas_node:
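Review bot: The new free_sas_phy: body assumes the label is reached only from the hpsa_sas_port_add_phy() failure, i.e. with the phy allocated but not yet added, which is the case the commit message describes. If any other `goto free_sas_phy` exists after the phy was successfully added, sas_phy_free() without sas_port_delete_phy()/sas_phy_delete() would leave a registered phy behind; the hunk does not show the jumps to this label, so this is worth checking against the whole of hpsa_add_sas_host().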
-- 
2.35.1

* [PATCH 4.9 116/251] scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin K. Petersen,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit fda34a5d304d0b98cc967e8763b52221b66dc202 ]

If hpsa_sas_port_add_rphy() returns an error, the 'rphy' allocated in
sas_end_device_alloc() needs to be freed. Address this by calling
sas_rphy_free() in the error path.

Fixes: d04e62b9d63a ("hpsa: add in sas transport class")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221111043012.1074466-1-yangyingliang@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/hpsa.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index 5e11500eae19..aa1e388e86f2 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -9874,10 +9874,12 @@ static int hpsa_add_sas_device(struct hpsa_sas_node *hpsa_sas_node,
 
 	rc = hpsa_sas_port_add_rphy(hpsa_sas_port, rphy);
 	if (rc)
-		goto free_sas_port;
+		goto free_sas_rphy;
 
 	return 0;
 
+free_sas_rphy:
+	sas_rphy_free(rphy);
 free_sas_port:
 	hpsa_free_sas_port(hpsa_sas_port);
 	device->sas_port = NULL;
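Review bot: The fall-through from free_sas_rphy: into free_sas_port: is intended (rphy first, then port), and sas_rphy_free() is the right call because hpsa_sas_port_add_rphy() failed before the rphy was added to the transport, so sas_rphy_delete() would be wrong here. A one-line comment at the label saying that the rphy is allocated but not added would save the next reader a trip into the SAS transport class to confirm which free is correct.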
-- 
2.35.1

* [PATCH 4.9 117/251] scsi: fcoe: Fix possible name leak when device_register() fails
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin K. Petersen,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 47b6a122c7b69a876c7ee2fc064a26b09627de9d ]

If device_register() returns an error, the name allocated by dev_set_name()
needs to be freed. As the comment of device_register() says, one should use
put_device() to give up the reference in the error path. Fix this by
calling put_device(), then the name can be freed in kobject_cleanup().

The 'fcf' is freed in fcoe_fcf_device_release(), so the kfree() in the
error path can be removed.

The 'ctlr' is freed in fcoe_ctlr_device_release(), so don't use the error
label, just return NULL after calling put_device().

Fixes: 9a74e884ee71 ("[SCSI] libfcoe: Add fcoe_sysfs")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221112094310.3633291-1-yangyingliang@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/fcoe/fcoe_sysfs.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c
index 0675fd128734..17a45131a379 100644
--- a/drivers/scsi/fcoe/fcoe_sysfs.c
+++ b/drivers/scsi/fcoe/fcoe_sysfs.c
@@ -752,14 +752,15 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent,
 
 	dev_set_name(&ctlr->dev, "ctlr_%d", ctlr->id);
 	error = device_register(&ctlr->dev);
-	if (error)
-		goto out_del_q2;
+	if (error) {
+		destroy_workqueue(ctlr->devloss_work_q);
+		destroy_workqueue(ctlr->work_q);
+		put_device(&ctlr->dev);
+		return NULL;
+	}
 
 	return ctlr;
 
-out_del_q2:
-	destroy_workqueue(ctlr->devloss_work_q);
-	ctlr->devloss_work_q = NULL;
 out_del_q:
 	destroy_workqueue(ctlr->work_q);
 	ctlr->work_q = NULL;
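Review bot: The inline error path drops the `ctlr->devloss_work_q = NULL;` that the removed out_del_q2 label set, and does not null ctlr->work_q either, before handing the object to put_device(). That is only safe if fcoe_ctlr_device_release() does not touch the workqueue pointers; please confirm, otherwise the release callback now sees dangling pointers to destroyed workqueues. The function also ends up with two differently shaped cleanup paths (the inline block and the surviving out_del_q label), so a single label chain ending in put_device() would be easier to keep consistent.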
@@ -958,16 +959,16 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr,
 	fcf->selected = new_fcf->selected;
 
 	error = device_register(&fcf->dev);
-	if (error)
-		goto out_del;
+	if (error) {
+		put_device(&fcf->dev);
+		goto out;
+	}
 
 	fcf->state = FCOE_FCF_STATE_CONNECTED;
 	list_add_tail(&fcf->peers, &ctlr->fcfs);
 
 	return fcf;
 
-out_del:
-	kfree(fcf);
 out:
 	return NULL;
 }
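Review bot: `goto out;` immediately followed by `out: return NULL;` can simply be `return NULL;` now that out_del is gone; keeping the label only makes sense if other gotos still target `out`, which the hunk does not show. Dropping kfree(fcf) is correct: put_device() lets fcoe_fcf_device_release() free the object, and this also removes the earlier kfree() of an object whose kobject was still live.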
-- 
2.35.1

* [PATCH 4.9 118/251] scsi: ipr: Fix WARNING in ipr_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Martin K. Petersen,
	Sasha Levin

From: Shang XiaoJing <shangxiaojing@huawei.com>

[ Upstream commit e6f108bffc3708ddcff72324f7d40dfcd0204894 ]

ipr_init() will not call unregister_reboot_notifier() when
pci_register_driver() fails, which causes a WARNING. Call
unregister_reboot_notifier() when pci_register_driver() fails.

notifier callback ipr_halt [ipr] already registered
WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29
notifier_chain_register+0x16d/0x230
Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore
led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm
drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks
agpgart cfbft
CPU: 3 PID: 299 Comm: modprobe Tainted: G        W
6.1.0-rc1-00190-g39508d23b672-dirty #332
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:notifier_chain_register+0x16d/0x230
Call Trace:
 <TASK>
 __blocking_notifier_chain_register+0x73/0xb0
 ipr_init+0x30/0x1000 [ipr]
 do_one_initcall+0xdb/0x480
 do_init_module+0x1cf/0x680
 load_module+0x6a50/0x70a0
 __do_sys_finit_module+0x12f/0x1c0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: f72919ec2bbb ("[SCSI] ipr: implement shutdown changes and remove obsolete write cache parameter")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Link: https://lore.kernel.org/r/20221113064513.14028-1-shangxiaojing@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ipr.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index 7760b9a1e0ae..96c45cc091a6 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -10772,11 +10772,19 @@ static struct notifier_block ipr_notifier = {
  **/
 static int __init ipr_init(void)
 {
+	int rc;
+
 	ipr_info("IBM Power RAID SCSI Device Driver version: %s %s\n",
 		 IPR_DRIVER_VERSION, IPR_DRIVER_DATE);
 
 	register_reboot_notifier(&ipr_notifier);
-	return pci_register_driver(&ipr_driver);
+	rc = pci_register_driver(&ipr_driver);
+	if (rc) {
+		unregister_reboot_notifier(&ipr_notifier);
+		return rc;
+	}
+
+	return 0;
 }
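Review bot: The error path could be shorter: `rc = pci_register_driver(&ipr_driver); if (rc) unregister_reboot_notifier(&ipr_notifier); return rc;` avoids the separate `return 0;`. Either form fixes the WARNING quoted in the message, which comes from the notifier being left registered after a failed pci_register_driver() and registered a second time on the next modprobe, where notifier_chain_register() complains about the duplicate callback.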
 
 /**
-- 
2.35.1

* [PATCH 4.9 119/251] scsi: fcoe: Fix transport not detached when fcoe_if_init() fails
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Martin K. Petersen,
	Sasha Levin

From: Chen Zhongjin <chenzhongjin@huawei.com>

[ Upstream commit 4155658cee394b22b24c6d64e49247bf26d95b92 ]

fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when
fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves the freed
&fcoe_sw_transport on the fcoe_transports list. This causes a panic when
reinserting the module.

 BUG: unable to handle page fault for address: fffffbfff82e2213
 RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe]
 Call Trace:
  <TASK>
  do_one_initcall+0xd0/0x4e0
  load_module+0x5eee/0x7210
  ...

Fixes: 78a582463c1e ("[SCSI] fcoe: convert fcoe.ko to become an fcoe transport provider driver")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Link: https://lore.kernel.org/r/20221115092442.133088-1-chenzhongjin@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/fcoe/fcoe.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c
index 9bd41a35a78a..42b00b9f4be8 100644
--- a/drivers/scsi/fcoe/fcoe.c
+++ b/drivers/scsi/fcoe/fcoe.c
@@ -2518,6 +2518,7 @@ static int __init fcoe_init(void)
 
 out_free:
 	mutex_unlock(&fcoe_config_mutex);
+	fcoe_transport_detach(&fcoe_sw_transport);
 out_destroy:
 	destroy_workqueue(fcoe_wq);
 	return rc;
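Review bot: fcoe_transport_detach() is placed after mutex_unlock(&fcoe_config_mutex), so it runs without that mutex; that is fine only if fcoe_transport_detach() takes its own locking for the fcoe_transports list, which it should since it is also used on module exit, but it is worth stating in the message. Also confirm that every `goto out_free` in fcoe_init() occurs after fcoe_transport_attach(&fcoe_sw_transport) succeeded; if an earlier failure jumps to out_free, this would detach a transport that was never attached.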
-- 
2.35.1

* [PATCH 4.9 120/251] scsi: snic: Fix possible UAF in snic_tgt_create()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Narsimhulu Musini,
	Martin K. Petersen, Sasha Levin

From: Gaosheng Cui <cuigaosheng1@huawei.com>

[ Upstream commit e118df492320176af94deec000ae034cc92be754 ]

Smatch reports a warning as follows:

drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:
  '&tgt->list' not removed from list

If device_add() fails in snic_tgt_create(), tgt will be freed, but
tgt->list will not be removed from snic->disc.tgt_list, so a later list
traversal may cause a UAF.

Remove from snic->disc.tgt_list before free().

Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117035100.2944812-1-cuigaosheng1@huawei.com
Acked-by: Narsimhulu Musini <nmusini@cisco.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/snic/snic_disc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c
index b106596cc0cf..69c5e26a9d5b 100644
--- a/drivers/scsi/snic/snic_disc.c
+++ b/drivers/scsi/snic/snic_disc.c
@@ -317,6 +317,9 @@ snic_tgt_create(struct snic *snic, struct snic_tgt_id *tgtid)
 			      ret);
 
 		put_device(&snic->shost->shost_gendev);
+		spin_lock_irqsave(snic->shost->host_lock, flags);
+		list_del(&tgt->list);
+		spin_unlock_irqrestore(snic->shost->host_lock, flags);
 		kfree(tgt);
 		tgt = NULL;
 
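Review bot: the list_del() is taken under snic->shost->host_lock with irqs saved, but the hunk does not show the declaration of `flags` nor the matching list_add_tail() earlier in snic_tgt_create(); confirm that `unsigned long flags` exists in this function and that the insertion into snic->disc.tgt_list is done under the same host_lock, otherwise the add and the del are still not serialized against the traversal the commit message mentions. The ordering put_device() then list_del() then kfree() is fine, since put_device() here drops the host reference and not tgt itself.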
-- 
2.35.1

* [PATCH 4.9 121/251] orangefs: Fix sysfs not cleanup when dev init failed
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Mike Marshall, Sasha Levin

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

[ Upstream commit ea60a4ad0cf88b411cde6888b8c890935686ecd7 ]

When the dev init fails, the sysfs should be cleaned up; otherwise the
module will never be loaded since it cannot create a duplicate sysfs
directory:

  sysfs: cannot create duplicate filename '/fs/orangefs'

  CPU: 1 PID: 6549 Comm: insmod Tainted: G        W          6.0.0+ #44
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   sysfs_warn_dup.cold+0x17/0x24
   sysfs_create_dir_ns+0x16d/0x180
   kobject_add_internal+0x156/0x3a0
   kobject_init_and_add+0xcf/0x120
   orangefs_sysfs_init+0x7e/0x3a0 [orangefs]
   orangefs_init+0xfe/0x1000 [orangefs]
   do_one_initcall+0x87/0x2a0
   do_init_module+0xdf/0x320
   load_module+0x2f98/0x3330
   __do_sys_finit_module+0x113/0x1b0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

  kobject_add_internal failed for orangefs with -EEXIST, don't try to register things with the same name in the same directory.

Fixes: 2f83ace37181 ("orangefs: put register_chrdev immediately before register_filesystem")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/orangefs/orangefs-mod.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/orangefs/orangefs-mod.c b/fs/orangefs/orangefs-mod.c
index 4113eb0495bf..74b8ee19e167 100644
--- a/fs/orangefs/orangefs-mod.c
+++ b/fs/orangefs/orangefs-mod.c
@@ -147,7 +147,7 @@ static int __init orangefs_init(void)
 		gossip_err("%s: could not initialize device subsystem %d!\n",
 			   __func__,
 			   ret);
-		goto cleanup_device;
+		goto cleanup_sysfs;
 	}
 
 	ret = register_filesystem(&orangefs_fs_type);
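Review bot: changing the target to cleanup_sysfs: means the device-subsystem failure path no longer runs orangefs_dev_cleanup(), which is right because the device was never initialized, but the commit message should say so explicitly since the label it used to jump to is being removed in the next hunk.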
@@ -159,11 +159,11 @@ static int __init orangefs_init(void)
 		goto out;
 	}
 
-	orangefs_sysfs_exit();
-
-cleanup_device:
 	orangefs_dev_cleanup();
 
+cleanup_sysfs:
+	orangefs_sysfs_exit();
+
 sysfs_init_failed:
 
 debugfs_init_failed:
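Review bot: the cleanup_device: label is dropped here, so please confirm no other `goto cleanup_device` remains in orangefs_init() beyond the one rewritten in the first hunk, otherwise the file will not compile. With the reorder, a register_filesystem() failure now falls through orangefs_dev_cleanup() and then orangefs_sysfs_exit(), the reverse of init order, which is the intended teardown.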
-- 
2.35.1

* [PATCH 4.9 122/251] crypto: img-hash - Fix variable dereferenced before check hdev->req
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Herbert Xu, Sasha Levin

From: Gaosheng Cui <cuigaosheng1@huawei.com>

[ Upstream commit 04ba54e5af8f8f0137b08cb51a0b3a2e1ea46c94 ]

Smatch reports a warning as follows:

drivers/crypto/img-hash.c:366 img_hash_dma_task() warn: variable
dereferenced before check 'hdev->req'

The variable dereference should be done after the check of 'hdev->req';
fix it.

Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator")
Fixes: 10badea259fa ("crypto: img-hash - Fix null pointer exception")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/img-hash.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c
index a2e77b87485b..157c8f5c879c 100644
--- a/drivers/crypto/img-hash.c
+++ b/drivers/crypto/img-hash.c
@@ -359,12 +359,16 @@ static int img_hash_dma_init(struct img_hash_dev *hdev)
 static void img_hash_dma_task(unsigned long d)
 {
 	struct img_hash_dev *hdev = (struct img_hash_dev *)d;
-	struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req);
+	struct img_hash_request_ctx *ctx;
 	u8 *addr;
 	size_t nbytes, bleft, wsend, len, tbc;
 	struct scatterlist tsg;
 
-	if (!hdev->req || !ctx->sg)
+	if (!hdev->req)
+		return;
+
+	ctx = ahash_request_ctx(hdev->req);
+	if (!ctx->sg)
 		return;
 
 	addr = sg_virt(ctx->sg);
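Review bot: splitting the check fixes the dereference-before-check ordering, but hdev->req is still read twice (once in the NULL test, once in ahash_request_ctx(hdev->req)) from tasklet context; if hdev->req can be cleared concurrently on request completion, the window between the two reads remains. Loading it once into a local, e.g. `struct ahash_request *req = hdev->req; if (!req) return; ctx = ahash_request_ctx(req);`, checks and uses the same pointer and also removes the second NULL test's dependency on the first.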
-- 
2.35.1

* [PATCH 4.9 123/251] hwrng: amd - Fix PCI device refcount leak
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Herbert Xu, Sasha Levin

From: Xiongfeng Wang <wangxiongfeng2@huawei.com>

[ Upstream commit ecadb5b0111ea19fc7c240bb25d424a94471eb7d ]

for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.

If we break out of the for_each_pci_dev() loop with pdev not NULL, we
need to call pci_dev_put() to decrease the reference count. Add the
missing pci_dev_put() for the normal and error paths.

Fixes: 96d63c0297cc ("[PATCH] Add AMD HW RNG driver")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/hw_random/amd-rng.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/char/hw_random/amd-rng.c b/drivers/char/hw_random/amd-rng.c
index 9959c762da2f..db3dd467194c 100644
--- a/drivers/char/hw_random/amd-rng.c
+++ b/drivers/char/hw_random/amd-rng.c
@@ -143,15 +143,19 @@ static int __init mod_init(void)
 found:
 	err = pci_read_config_dword(pdev, 0x58, &pmbase);
 	if (err)
-		return err;
+		goto put_dev;
 
 	pmbase &= 0x0000FF00;
-	if (pmbase == 0)
-		return -EIO;
+	if (pmbase == 0) {
+		err = -EIO;
+		goto put_dev;
+	}
 
 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
-	if (!priv)
-		return -ENOMEM;
+	if (!priv) {
+		err = -ENOMEM;
+		goto put_dev;
+	}
 
 	if (!request_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE, DRV_NAME)) {
 		dev_err(&pdev->dev, DRV_NAME " region 0x%x already in use!\n",
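Review bot: the three early errors now jump to put_dev: instead of returning, good; the request_region() failure visible at the bottom of this hunk is not changed, so it must already route through the out:/put_dev: chain of the second hunk (and set `err` before jumping) rather than returning directly, otherwise that path still leaks the reference. Please confirm the lines between the hunks.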
@@ -185,6 +189,8 @@ static int __init mod_init(void)
 	release_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE);
 out:
 	kfree(priv);
+put_dev:
+	pci_dev_put(pdev);
 	return err;
 }
 
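Review bot: placing put_dev: after kfree(priv) means every path reaching out: also drops the pci_dev reference exactly once, and the early gotos skip the kfree, which is correct since priv is not yet allocated there. The success path must keep the reference for mod_exit(); that is the case here because hwrng_register() success does not reach these labels.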
@@ -200,6 +206,8 @@ static void __exit mod_exit(void)
 
 	release_region(priv->pmbase + PMBASE_OFFSET, PMBASE_SIZE);
 
+	pci_dev_put(priv->pcidev);
+
 	kfree(priv);
 }
 
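Review bot: mod_exit() now relies on priv->pcidev holding the reference taken in mod_init(); the assignment of priv->pcidev = pdev is not in this diff, so confirm it exists in the part of mod_init() between the hunks, otherwise pci_dev_put(priv->pcidev) would run on an uninitialized pointer. Dropping the reference after release_region() and before kfree(priv) is the right order.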
-- 
2.35.1

* [PATCH 4.9 124/251] hwrng: geode - Fix PCI device refcount leak
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Herbert Xu, Sasha Levin

From: Xiongfeng Wang <wangxiongfeng2@huawei.com>

[ Upstream commit 9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445 ]

for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.

If we break out of the for_each_pci_dev() loop with pdev not NULL, we
need to call pci_dev_put() to decrease the reference count. We add a new
struct 'amd_geode_priv' to record the pointer of the pci_dev and membase,
and then add the missing pci_dev_put() for the normal and error paths.

Fixes: ef5d862734b8 ("[PATCH] Add Geode HW RNG driver")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/hw_random/geode-rng.c | 36 +++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/drivers/char/hw_random/geode-rng.c b/drivers/char/hw_random/geode-rng.c
index e1d421a36a13..207272979f23 100644
--- a/drivers/char/hw_random/geode-rng.c
+++ b/drivers/char/hw_random/geode-rng.c
@@ -51,6 +51,10 @@ static const struct pci_device_id pci_tbl[] = {
 };
 MODULE_DEVICE_TABLE(pci, pci_tbl);
 
+struct amd_geode_priv {
+	struct pci_dev *pcidev;
+	void __iomem *membase;
+};
 
 static int geode_rng_data_read(struct hwrng *rng, u32 *data)
 {
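Review bot: geode_rng_data_read(), which starts right after the new struct, still receives rng->priv, and the third hunk changes geode_rng.priv from the iomem base to the struct amd_geode_priv pointer; since no hunk in this diff updates geode_rng_data_read() (or the matching data_present callback) to use priv->membase, those callbacks will now read from the struct instead of the device registers. Either update the callbacks in this patch to cast rng->priv to struct amd_geode_priv and use ->membase, or keep geode_rng.priv pointing at the mapping and store the pci_dev elsewhere. A short comment on the struct stating that pcidev holds a reference taken via for_each_pci_dev() would also help.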
@@ -90,6 +94,7 @@ static int __init mod_init(void)
 	const struct pci_device_id *ent;
 	void __iomem *mem;
 	unsigned long rng_base;
+	struct amd_geode_priv *priv;
 
 	for_each_pci_dev(pdev) {
 		ent = pci_match_id(pci_tbl, pdev);
@@ -97,17 +102,26 @@ static int __init mod_init(void)
 			goto found;
 	}
 	/* Device not found. */
-	goto out;
+	return err;
 
 found:
+	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+	if (!priv) {
+		err = -ENOMEM;
+		goto put_dev;
+	}
+
 	rng_base = pci_resource_start(pdev, 0);
 	if (rng_base == 0)
-		goto out;
+		goto free_priv;
 	err = -ENOMEM;
 	mem = ioremap(rng_base, 0x58);
 	if (!mem)
-		goto out;
-	geode_rng.priv = (unsigned long)mem;
+		goto free_priv;
+
+	geode_rng.priv = (unsigned long)priv;
+	priv->membase = mem;
+	priv->pcidev = pdev;
 
 	pr_info("AMD Geode RNG detected\n");
 	err = hwrng_register(&geode_rng);
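Review bot: the not-found path now does `return err;` and the rng_base == 0 path does `goto free_priv` before `err = -ENOMEM` is assigned, so both depend on `err` having been initialised to a negative value before the loop (not visible in the hunk); please confirm the initial value, otherwise mod_init() returns 0 on failure and the module stays loaded without a registered rng.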
@@ -116,20 +130,26 @@ static int __init mod_init(void)
 		       err);
 		goto err_unmap;
 	}
-out:
 	return err;
 
 err_unmap:
 	iounmap(mem);
-	goto out;
+free_priv:
+	kfree(priv);
+put_dev:
+	pci_dev_put(pdev);
+	return err;
 }
 
 static void __exit mod_exit(void)
 {
-	void __iomem *mem = (void __iomem *)geode_rng.priv;
+	struct amd_geode_priv *priv;
 
+	priv = (struct amd_geode_priv *)geode_rng.priv;
 	hwrng_unregister(&geode_rng);
-	iounmap(mem);
+	iounmap(priv->membase);
+	pci_dev_put(priv->pcidev);
+	kfree(priv);
 }
 
 module_init(mod_init);
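Review bot: the exit order hwrng_unregister() then iounmap(priv->membase), pci_dev_put(priv->pcidev), kfree(priv) is right (no reader can run after unregister, the mapping goes before the device reference, the container last). The remaining concern is the one raised on the first hunk: the read callbacks must be converted to the new priv layout in the same patch, or iounmap(priv->membase) here unmaps a region the callbacks were never using.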
-- 
2.35.1

* [PATCH 4.9 125/251] IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Leon Romanovsky,
	Sasha Levin

From: Dragos Tatulea <dtatulea@nvidia.com>

[ Upstream commit dbc94a0fb81771a38733c0e8f2ea8c4fa6934dc1 ]

There are 2 ways to create IPoIB PKEY child interfaces:
1) Writing a PKEY to /sys/class/net/<ib parent interface>/create_child.
2) Using netlink with iproute.

While with sysfs the child interface has the same number of tx and
rx queues as the parent, with netlink there will always be 1 tx
and 1 rx queue for the child interface. That's because the
get_num_tx/rx_queues() netlink ops are missing and the default value
of 1 is taken for the number of queues (in rtnl_create_link()).

This change adds the get_num_tx/rx_queues() ops, which allow interfaces
with multiple queues to be created over netlink. This constant only
represents the max number of tx and rx queues on that net device.

Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Link: https://lore.kernel.org/r/f4a42c8aa43c02d5ae5559a60c3e5e0f18c82531.1670485816.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
index cdc7df4fdb8a..20a6d1071014 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
@@ -42,6 +42,11 @@ static const struct nla_policy ipoib_policy[IFLA_IPOIB_MAX + 1] = {
 	[IFLA_IPOIB_UMCAST]	= { .type = NLA_U16 },
 };
 
+static unsigned int ipoib_get_max_num_queues(void)
+{
+	return min_t(unsigned int, num_possible_cpus(), 128);
+}
+
 static int ipoib_fill_info(struct sk_buff *skb, const struct net_device *dev)
 {
 	struct ipoib_dev_priv *priv = netdev_priv(dev);
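Review bot: the hard-coded 128 in ipoib_get_max_num_queues() deserves a named constant and a comment explaining the cap, and the function comment should state that this is the maximum queue count (as the commit message says) rather than the parent's actual count, so that readers do not expect netlink children to mirror the parent the way the sysfs path does.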
@@ -167,6 +172,8 @@ static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
 	.dellink	= ipoib_unregister_child_dev,
 	.get_size	= ipoib_get_size,
 	.fill_info	= ipoib_fill_info,
+	.get_num_rx_queues = ipoib_get_max_num_queues,
+	.get_num_tx_queues = ipoib_get_max_num_queues,
 };
 
 int __init ipoib_netlink_init(void)
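Review bot: style only: the two new `.get_num_rx_queues`/`.get_num_tx_queues` initializers use a single space before `=`, while the surrounding `.dellink`, `.get_size` and `.fill_info` entries are tab-aligned; align them the same way.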
-- 
2.35.1


* [PATCH 4.9 126/251] drivers: dio: fix possible memory leak in dio_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit e63e99397b2613d50a5f4f02ed07307e67a190f1 ]

If device_register() returns an error, the 'dev' and name need to be
freed. Add a release function, and then call put_device() in the
error path, so the name is freed in kobject_cleanup() and the 'dev' is
freed in the release function.

Fixes: 2e4c77bea3d8 ("m68k: dio - Kill warn_unused_result warnings")
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221109064036.1835346-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dio/dio.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/dio/dio.c b/drivers/dio/dio.c
index 55dd88d82d6d..e85895fc258d 100644
--- a/drivers/dio/dio.c
+++ b/drivers/dio/dio.c
@@ -109,6 +109,12 @@ static char dio_no_name[] = { 0 };
 
 #endif /* CONFIG_DIO_CONSTANTS */
 
+static void dio_dev_release(struct device *dev)
+{
+	struct dio_dev *ddev = container_of(dev, typeof(struct dio_dev), dev);
+	kfree(ddev);
+}
+
 int __init dio_find(int deviceid)
 {
 	/* Called to find a DIO device before the full bus scan has run.
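Review bot: `container_of(dev, typeof(struct dio_dev), dev)` is an odd spelling; `typeof(struct dio_dev)` is just `struct dio_dev`, so write `container_of(dev, struct dio_dev, dev)` as the rest of the tree does.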
@@ -234,6 +240,7 @@ static int __init dio_init(void)
 		dev->bus = &dio_bus;
 		dev->dev.parent = &dio_bus.dev;
 		dev->dev.bus = &dio_bus_type;
+		dev->dev.release = dio_dev_release;
 		dev->scode = scode;
 		dev->resource.start = pa;
 		dev->resource.end = pa + DIO_SIZE(scode, va);
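Review bot: setting dev->dev.release before device_register() is required for put_device() on the failure path to free the object, fine; but now that the release callback kfrees the dio_dev, any explicit kfree(dev) on the normal unregister/teardown path (not in this diff) would become a double free, so check where registered dio devices are released.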
@@ -261,6 +268,7 @@ static int __init dio_init(void)
 		if (error) {
 			pr_err("DIO: Error registering device %s\n",
 			       dev->name);
+			put_device(&dev->dev);
 			continue;
 		}
 		error = dio_create_sysfs_dev_files(dev);
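Review bot: after put_device() the `dev` pointer is dangling, and the `continue` skips everything else, good; the pr_err() above reads dev->name before the put, so it is safe. The dio_create_sysfs_dev_files() failure right below (context line) is left without any unregister or put, so if that path is meant to release the device it needs the same treatment; otherwise the commit message could note it is intentionally left registered.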
-- 
2.35.1


* [PATCH 4.9 127/251] vfio: platform: Do not pass return buffer to ACPI _RST method
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rafael Mendonca, Eric Auger,
	Alex Williamson, Sasha Levin

From: Rafael Mendonca <rafaelmendsr@gmail.com>

[ Upstream commit e67e070632a665c932d534b8b800477bb3111449 ]

The ACPI _RST method has no return value, so there's no need to pass a
return buffer to acpi_evaluate_object().

Fixes: d30daa33ec1d ("vfio: platform: call _RST method when using ACPI")
Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Link: https://lore.kernel.org/r/20221018152825.891032-1-rafaelmendsr@gmail.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vfio/platform/vfio_platform_common.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c
index 9b1b6c1e218d..d5b15630050b 100644
--- a/drivers/vfio/platform/vfio_platform_common.c
+++ b/drivers/vfio/platform/vfio_platform_common.c
@@ -77,12 +77,11 @@ static int vfio_platform_acpi_call_reset(struct vfio_platform_device *vdev,
 				  const char **extra_dbg)
 {
 #ifdef CONFIG_ACPI
-	struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
 	struct device *dev = vdev->device;
 	acpi_handle handle = ACPI_HANDLE(dev);
 	acpi_status acpi_ret;
 
-	acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, &buffer);
+	acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, NULL);
 	if (ACPI_FAILURE(acpi_ret)) {
 		if (extra_dbg)
 			*extra_dbg = acpi_format_exception(acpi_ret);
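Review bot: the hunk shows no kfree(buffer.pointer) for the old ACPI_ALLOCATE_BUFFER; if none existed elsewhere in the function, the removed buffer could also have leaked whenever the firmware's _RST did return an object, so this change closes a small leak as well and the log could mention it. Passing NULL as the fourth argument is the documented way to evaluate a method whose result is not wanted.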
-- 
2.35.1


* [PATCH 4.9 128/251] uio: uio_dmem_genirq: Fix missing unlock in irq configuration
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael Mendonca, Sasha Levin

From: Rafael Mendonca <rafaelmendsr@gmail.com>

[ Upstream commit 9de255c461d1b3f0242b3ad1450c3323a3e00b34 ]

Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in
uio_dmem_genirq_irqcontrol()") started calling disable_irq() without
holding the spinlock because it can sleep. However, that fix introduced
another bug: if the interrupt is already disabled and a new disable
request comes in, then the spinlock is not unlocked:

root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
root@localhost:~# [   14.851538] BUG: scheduling while atomic: bash/223/0x00000002
[   14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]
[   14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G           OE      6.0.0-rc7 #21
[   14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[   14.855664] Call Trace:
[   14.855861]  <TASK>
[   14.856025]  dump_stack_lvl+0x4d/0x67
[   14.856325]  dump_stack+0x14/0x1a
[   14.856583]  __schedule_bug.cold+0x4b/0x5c
[   14.856915]  __schedule+0xe81/0x13d0
[   14.857199]  ? idr_find+0x13/0x20
[   14.857456]  ? get_work_pool+0x2d/0x50
[   14.857756]  ? __flush_work+0x233/0x280
[   14.858068]  ? __schedule+0xa95/0x13d0
[   14.858307]  ? idr_find+0x13/0x20
[   14.858519]  ? get_work_pool+0x2d/0x50
[   14.858798]  schedule+0x6c/0x100
[   14.859009]  schedule_hrtimeout_range_clock+0xff/0x110
[   14.859335]  ? tty_write_room+0x1f/0x30
[   14.859598]  ? n_tty_poll+0x1ec/0x220
[   14.859830]  ? tty_ldisc_deref+0x1a/0x20
[   14.860090]  schedule_hrtimeout_range+0x17/0x20
[   14.860373]  do_select+0x596/0x840
[   14.860627]  ? __kernel_text_address+0x16/0x50
[   14.860954]  ? poll_freewait+0xb0/0xb0
[   14.861235]  ? poll_freewait+0xb0/0xb0
[   14.861517]  ? rpm_resume+0x49d/0x780
[   14.861798]  ? common_interrupt+0x59/0xa0
[   14.862127]  ? asm_common_interrupt+0x2b/0x40
[   14.862511]  ? __uart_start.isra.0+0x61/0x70
[   14.862902]  ? __check_object_size+0x61/0x280
[   14.863255]  core_sys_select+0x1c6/0x400
[   14.863575]  ? vfs_write+0x1c9/0x3d0
[   14.863853]  ? vfs_write+0x1c9/0x3d0
[   14.864121]  ? _copy_from_user+0x45/0x70
[   14.864526]  do_pselect.constprop.0+0xb3/0xf0
[   14.864893]  ? do_syscall_64+0x6d/0x90
[   14.865228]  ? do_syscall_64+0x6d/0x90
[   14.865556]  __x64_sys_pselect6+0x76/0xa0
[   14.865906]  do_syscall_64+0x60/0x90
[   14.866214]  ? syscall_exit_to_user_mode+0x2a/0x50
[   14.866640]  ? do_syscall_64+0x6d/0x90
[   14.866972]  ? do_syscall_64+0x6d/0x90
[   14.867286]  ? do_syscall_64+0x6d/0x90
[   14.867626]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...] stripped
[   14.872959]  </TASK>

('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this)

The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and
it is used in a similar manner to the "uio_pdrv_genirq" driver with respect
to interrupt configuration and handling. At the time "uio_dmem_genirq" was
introduced, both had the same implementation of the 'uio_info' handlers
irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency
issue"), which was only applied to "uio_pdrv_genirq", ended up making them
a little different. That commit, among other things, changed disable_irq()
to disable_irq_nosync() in the implementation of irqcontrol(). The
motivation there was to avoid a deadlock between irqcontrol() and
handler(), since it added a spinlock in the irq handler, and disable_irq()
waits for the completion of the irq handler.

By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also
avoid the sleeping-while-atomic bug that commit b74351287d4b ("uio: fix a
sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") was trying to
fix. Thus, this fixes the missing unlock in irqcontrol() by importing the
implementation of the irqcontrol() handler from the "uio_pdrv_genirq"
driver. In the end, it reverts commit b74351287d4b ("uio: fix a
sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") and changes
disable_irq() to disable_irq_nosync().

It is worth noting that this still does not address the concurrency issue
fixed by commit 34cb27528398 ("UIO: Fix concurrency issue"). It will be
addressed separately in the next commits.

Split out from commit 34cb27528398 ("UIO: Fix concurrency issue").

Fixes: b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()")
Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
Link: https://lore.kernel.org/r/20220930224100.816175-2-rafaelmendsr@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/uio/uio_dmem_genirq.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
index a00b4aee6c79..c25a6bcb2d21 100644
--- a/drivers/uio/uio_dmem_genirq.c
+++ b/drivers/uio/uio_dmem_genirq.c
@@ -135,13 +135,11 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on)
 	if (irq_on) {
 		if (test_and_clear_bit(0, &priv->flags))
 			enable_irq(dev_info->irq);
-		spin_unlock_irqrestore(&priv->lock, flags);
 	} else {
-		if (!test_and_set_bit(0, &priv->flags)) {
-			spin_unlock_irqrestore(&priv->lock, flags);
-			disable_irq(dev_info->irq);
-		}
+		if (!test_and_set_bit(0, &priv->flags))
+			disable_irq_nosync(dev_info->irq);
 	}
+	spin_unlock_irqrestore(&priv->lock, flags);
 
 	return 0;
 }
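Review bot: hoisting spin_unlock_irqrestore() after the if/else makes both branches release the lock, and disable_irq_nosync() is safe to call under it because it does not wait for the handler; the commit message already notes the irq handler does not yet take priv->lock, so the test_and_set_bit() here still races with the handler until the follow-up patch, and stable backports should take the two together.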
-- 
2.35.1


* [PATCH 4.9 129/251] uio: uio_dmem_genirq: Fix deadlock between irq config and handling
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael Mendonca, Sasha Levin

From: Rafael Mendonca <rafaelmendsr@gmail.com>

[ Upstream commit 118b918018175d9fcd8db667f905012e986cc2c9 ]

This fixes a concurrency issue addressed in commit 34cb27528398 ("UIO: Fix
concurrency issue"):

  "In a SMP case there was a race condition issue between
  Uio_pdrv_genirq_irqcontrol() running on one CPU and irq handler on
  another CPU. Fix it by spin_locking shared resources access inside irq
  handler."

The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and
it is used in a similar manner to the "uio_pdrv_genirq" driver with respect
to interrupt configuration and handling. At the time "uio_dmem_genirq" was
merged, both had the same implementation of the 'uio_info' handlers
irqcontrol() and handler(), thus, both had the same concurrency issue
mentioned by the above commit. However, the above patch was only applied to
the "uio_pdrv_genirq" driver.

Split out from commit 34cb27528398 ("UIO: Fix concurrency issue").

Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation")
Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
Link: https://lore.kernel.org/r/20220930224100.816175-3-rafaelmendsr@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/uio/uio_dmem_genirq.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
index c25a6bcb2d21..b4b7fa05b29b 100644
--- a/drivers/uio/uio_dmem_genirq.c
+++ b/drivers/uio/uio_dmem_genirq.c
@@ -113,8 +113,10 @@ static irqreturn_t uio_dmem_genirq_handler(int irq, struct uio_info *dev_info)
 	 * remember the state so we can allow user space to enable it later.
 	 */
 
+	spin_lock(&priv->lock);
 	if (!test_and_set_bit(0, &priv->flags))
 		disable_irq_nosync(irq);
+	spin_unlock(&priv->lock);
 
 	return IRQ_HANDLED;
 }
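Review bot: plain spin_lock() in the handler is appropriate only because irqcontrol() takes the same lock with spin_lock_irqsave() (second hunk), so the handler can never interrupt a holder on the same CPU; the comment above the lock should say that the lock orders the flag update against enable_irq()/disable_irq_nosync() in irqcontrol(), since test_and_set_bit() is already atomic on its own and a reader may otherwise wonder what the lock protects.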
@@ -128,7 +130,8 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on)
 	 * in the interrupt controller, but keep track of the
 	 * state to prevent per-irq depth damage.
 	 *
-	 * Serialize this operation to support multiple tasks.
+	 * Serialize this operation to support multiple tasks and concurrency
+	 * with irq handler on SMP systems.
 	 */
 
 	spin_lock_irqsave(&priv->lock, flags);
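Review bot: comment wording only: "concurrency with irq handler on SMP systems" reads better as "concurrency with the irq handler on SMP systems".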
-- 
2.35.1


* [PATCH 4.9 130/251] usb: fotg210-udc: Fix ages old endianness issues
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, kernel test robot, Linus Walleij,
	Sasha Levin

From: Linus Walleij <linus.walleij@linaro.org>

[ Upstream commit 46ed6026ca2181c917c8334a82e3eaf40a6234dd ]

The code in the FOTG210 driver isn't entirely endianness-agnostic
as reported by the kernel robot sparse testing. This came to
the surface while moving the files around.

The driver is only used on little-endian systems, so this causes
no real-world regression, but it is nice to be strict and have
some compile coverage also on big endian machines, so fix it
up with the right LE accessors.

Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/linux-usb/202211110910.0dJ7nZCn-lkp@intel.com/
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20221111090317.94228-1-linus.walleij@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/udc/fotg210-udc.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
index 9e102ba9cf66..88415a3a9b43 100644
--- a/drivers/usb/gadget/udc/fotg210-udc.c
+++ b/drivers/usb/gadget/udc/fotg210-udc.c
@@ -636,10 +636,10 @@ static void fotg210_request_error(struct fotg210_udc *fotg210)
 static void fotg210_set_address(struct fotg210_udc *fotg210,
 				struct usb_ctrlrequest *ctrl)
 {
-	if (ctrl->wValue >= 0x0100) {
+	if (le16_to_cpu(ctrl->wValue) >= 0x0100) {
 		fotg210_request_error(fotg210);
 	} else {
-		fotg210_set_dev_addr(fotg210, ctrl->wValue);
+		fotg210_set_dev_addr(fotg210, le16_to_cpu(ctrl->wValue));
 		fotg210_set_cxdone(fotg210);
 	}
 }
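Review bot: le16_to_cpu(ctrl->wValue) is evaluated twice in fotg210_set_address(); a local `u16 wvalue = le16_to_cpu(ctrl->wValue);` used in both the range check and the fotg210_set_dev_addr() call reads better and makes it obvious that the 0x0100 bound applies to the converted value.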
@@ -720,17 +720,17 @@ static void fotg210_get_status(struct fotg210_udc *fotg210,
 
 	switch (ctrl->bRequestType & USB_RECIP_MASK) {
 	case USB_RECIP_DEVICE:
-		fotg210->ep0_data = 1 << USB_DEVICE_SELF_POWERED;
+		fotg210->ep0_data = cpu_to_le16(1 << USB_DEVICE_SELF_POWERED);
 		break;
 	case USB_RECIP_INTERFACE:
-		fotg210->ep0_data = 0;
+		fotg210->ep0_data = cpu_to_le16(0);
 		break;
 	case USB_RECIP_ENDPOINT:
 		epnum = ctrl->wIndex & USB_ENDPOINT_NUMBER_MASK;
 		if (epnum)
 			fotg210->ep0_data =
-				fotg210_is_epnstall(fotg210->ep[epnum])
-				<< USB_ENDPOINT_HALT;
+				cpu_to_le16(fotg210_is_epnstall(fotg210->ep[epnum])
+					    << USB_ENDPOINT_HALT);
 		else
 			fotg210_request_error(fotg210);
 		break;
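Review bot: in the USB_RECIP_ENDPOINT case the unchanged line `epnum = ctrl->wIndex & USB_ENDPOINT_NUMBER_MASK;` still masks the raw __le16 wIndex; on a big-endian host the bytes would be swapped before the mask is applied, so it needs the same le16_to_cpu() treatment as wValue to meet this patch's stated goal of being endianness-clean. Also worth confirming, since epnum is only bounded by USB_ENDPOINT_NUMBER_MASK before indexing fotg210->ep[epnum], that the ep array has at least that many entries (not visible in this hunk).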
-- 
2.35.1

* [PATCH 4.9 131/251] staging: vme_user: Fix possible UAF in tsi148_dma_list_add
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 130/251] usb: fotg210-udc: Fix ages old endianness issues Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 132/251] serial: amba-pl011: avoid SBSA UART accessing DMACR register Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Sasha Levin

From: Gaosheng Cui <cuigaosheng1@huawei.com>

[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ]

Smatch reports a warning as follows:

drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
  '&entry->list' not removed from list

In tsi148_dma_list_add(), the error path "goto err_dma" will not
remove entry->list from list->entries, but entry will be freed,
then list traversal may cause UAF.

Fix by removing it from list->entries before free().

Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vme/bridges/vme_tsi148.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/vme/bridges/vme_tsi148.c b/drivers/vme/bridges/vme_tsi148.c
index fc1b634b969a..2058403f8806 100644
--- a/drivers/vme/bridges/vme_tsi148.c
+++ b/drivers/vme/bridges/vme_tsi148.c
@@ -1778,6 +1778,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list,
 	return 0;
 
 err_dma:
+	list_del(&entry->list);
 err_dest:
 err_source:
 err_align:
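Review bot: the list_del() at err_dma is only correct if the entry is added to list->entries after the err_align/err_source/err_dest checks and before the step that jumps to err_dma; since those other labels fall through without unlinking, please confirm that ordering in tsi148_dma_list_add(), or add the entry to the list only once the descriptor is fully set up so that no error path needs to unlink it at all.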
-- 
2.35.1

* [PATCH 4.9 132/251] serial: amba-pl011: avoid SBSA UART accessing DMACR register
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 131/251] staging: vme_user: Fix possible UAF in tsi148_dma_list_add Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 133/251] serial: pch: Fix PCI device refcount leak in pch_request_dma() Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiamei Xie, Andre Przywara, Sasha Levin

From: Jiamei Xie <jiamei.xie@arm.com>

[ Upstream commit 94cdb9f33698478b0e7062586633c42c6158a786 ]

Chapter "B Generic UART" in "ARM Server Base System Architecture" [1]
documentation describes a generic UART interface. Such a generic UART
does not support DMA. In the current code, sbsa_uart_pops and
amba_pl011_pops share the same stop_rx operation, which will invoke
pl011_dma_rx_stop, leading to an access of the DMACR register. This
commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the
access to the DMACR register for SBSA UARTs, which do not support DMA.

When the kernel enables the DMA engine with "CONFIG_DMA_ENGINE=y", the Linux
SBSA PL011 driver will access the PL011 DMACR register in some functions.
For most real SBSA PL011 hardware implementations, the DMACR write
behaviour will be ignored, so these DMACR operations will not cause
obvious problems. But for some virtual SBSA PL011 hardware, like the Xen
virtual SBSA PL011 (vpl011) device, the behaviour might be different.
Xen vpl011 emulation will inject a data abort into the guest when the guest
is accessing an unimplemented UART register. As Xen vpl011 is SBSA
compatible, it will not implement the DMACR register. So when the Linux SBSA
PL011 driver accesses the DMACR register, it will get an unhandled data abort
fault and the application will get a segmentation fault:
Unhandled fault at 0xffffffc00944d048
Mem abort info:
  ESR = 0x96000000
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x00: ttbr address size fault
Data abort info:
  ISV = 0, ISS = 0x00000000
  CM = 0, WnR = 0
swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000
[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13
Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP
...
Call trace:
 pl011_stop_rx+0x70/0x80
 tty_port_shutdown+0x7c/0xb4
 tty_port_close+0x60/0xcc
 uart_close+0x34/0x8c
 tty_release+0x144/0x4c0
 __fput+0x78/0x220
 ____fput+0x1c/0x30
 task_work_run+0x88/0xc0
 do_notify_resume+0x8d0/0x123c
 el0_svc+0xa8/0xc0
 el0t_64_sync_handler+0xa4/0x130
 el0t_64_sync+0x1a0/0x1a4
Code: b9000083 b901f001 794038a0 8b000042 (b9000041)
---[ end trace 83dd93df15c3216f ]---
note: bootlogd[132] exited with preempt_count 1
/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon

This has been discussed in the Xen community, and we think this should be
fixed in Linux. See [2] for more information.

[1] https://developer.arm.com/documentation/den0094/c/?lang=en
[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html

Fixes: 0dd1e247fd39 (drivers: PL011: add support for the ARM SBSA generic UART)
Signed-off-by: Jiamei Xie <jiamei.xie@arm.com>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Link: https://lore.kernel.org/r/20221117103237.86856-1-jiamei.xie@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/amba-pl011.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
index ad1d665e9962..59092f1d2856 100644
--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -1048,6 +1048,9 @@ static void pl011_dma_rx_callback(void *data)
  */
 static inline void pl011_dma_rx_stop(struct uart_amba_port *uap)
 {
+	if (!uap->using_rx_dma)
+		return;
+
 	/* FIXME.  Just disable the DMA enable */
 	uap->dmacr &= ~UART011_RXDMAE;
 	pl011_write(uap->dmacr, uap, REG_DMACR);
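Review bot: the early return at the top of pl011_dma_rx_stop() deserves a comment saying why it is there (a port without RX DMA, such as the SBSA generic UART, has no DMACR register to write), because as written it reads like a plain optimisation that a later reader may be tempted to drop. Note also that the cached uap->dmacr is left untouched on this path, which is fine only because it is never consulted when using_rx_dma is false.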
-- 
2.35.1

* [PATCH 4.9 133/251] serial: pch: Fix PCI device refcount leak in pch_request_dma()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 132/251] serial: amba-pl011: avoid SBSA UART accessing DMACR register Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 134/251] serial: sunsab: Fix error handling in sunsab_init() Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Sasha Levin

From: Xiongfeng Wang <wangxiongfeng2@huawei.com>

[ Upstream commit 8be3a7bf773700534a6e8f87f6ed2ed111254be5 ]

As the comment of pci_get_slot() says, it returns a pci_device with its
refcount increased. The caller must decrement the reference count by
calling pci_dev_put().

Since 'dma_dev' is only used to filter the channel in filter(), we can
call pci_dev_put() before exiting from pch_request_dma(). Add the
missing pci_dev_put() for the normal and error paths.

Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Link: https://lore.kernel.org/r/20221122114559.27692-1-wangxiongfeng2@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/pch_uart.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
index 30b577384a1d..e8d450fdbb04 100644
--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -753,6 +753,7 @@ static void pch_request_dma(struct uart_port *port)
 	if (!chan) {
 		dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
 			__func__);
+		pci_dev_put(dma_dev);
 		return;
 	}
 	priv->chan_tx = chan;
@@ -769,6 +770,7 @@ static void pch_request_dma(struct uart_port *port)
 			__func__);
 		dma_release_channel(priv->chan_tx);
 		priv->chan_tx = NULL;
+		pci_dev_put(dma_dev);
 		return;
 	}
 
@@ -776,6 +778,8 @@ static void pch_request_dma(struct uart_port *port)
 	priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
 				    &priv->rx_buf_dma, GFP_KERNEL);
 	priv->chan_rx = chan;
+
+	pci_dev_put(dma_dev);
 }
 
 static void pch_dma_rx_complete(void *arg)
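Review bot: pci_dev_put(dma_dev) now appears on three separate exit paths of pch_request_dma() (the two early returns in the preceding hunks and the normal path here); routing all of them through one label, or putting dma_dev immediately after the channels have been requested since it is only needed by the filter, would make it harder to miss on a future error path. Unrelated but visible in this hunk: the dma_alloc_coherent() result stored in priv->rx_buf_virt is not checked for NULL.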
-- 
2.35.1

* [PATCH 4.9 134/251] serial: sunsab: Fix error handling in sunsab_init()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 133/251] serial: pch: Fix PCI device refcount leak in pch_request_dma() Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 135/251] misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Sasha Levin

From: Yuan Can <yuancan@huawei.com>

[ Upstream commit 1a6ec673fb627c26e2267ca0a03849f91dbd9b40 ]

sunsab_init() returns the result of platform_driver_register() directly
without checking its return value; if platform_driver_register() fails, the
allocated sunsab_ports is leaked.
Fix by freeing sunsab_ports and setting it to NULL when
platform_driver_register() fails.

Fixes: c4d37215a824 ("[SERIAL] sunsab: Convert to of_driver framework.")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221123061212.52593-1-yuancan@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/sunsab.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/serial/sunsab.c b/drivers/tty/serial/sunsab.c
index b5e3195b3697..60fc4ed3f042 100644
--- a/drivers/tty/serial/sunsab.c
+++ b/drivers/tty/serial/sunsab.c
@@ -1138,7 +1138,13 @@ static int __init sunsab_init(void)
 		}
 	}
 
-	return platform_driver_register(&sab_driver);
+	err = platform_driver_register(&sab_driver);
+	if (err) {
+		kfree(sunsab_ports);
+		sunsab_ports = NULL;
+	}
+
+	return err;
 }
 
 static void __exit sunsab_exit(void)
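Review bot: `err` is used without a declaration being added in this hunk, so it must already exist in sunsab_init() from the code above; worth confirming it is an int and not shadowed. Also check whether anything registered in the block that ends at the top of this hunk needs undoing on this new failure path, since only sunsab_ports is released here.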
-- 
2.35.1

* [PATCH 4.9 135/251] misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 134/251] serial: sunsab: Fix error handling in sunsab_init() Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 136/251] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, ruanjinjie, Sasha Levin

From: ruanjinjie <ruanjinjie@huawei.com>

[ Upstream commit fd2c930cf6a5b9176382c15f9acb1996e76e25ad ]

If device_register() returns an error in tifm_7xx1_switch_media(), the
name of the kobject, which is allocated in dev_set_name() called from
device_add(), is leaked.

Never directly free @dev after calling device_register(), even
if it returned an error! Always use put_device() to give up the
reference initialized.

Fixes: 2428a8fe2261 ("tifm: move common device management tasks from tifm_7xx1 to tifm_core")
Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/r/20221117064725.3478402-1-ruanjinjie@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/tifm_7xx1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/tifm_7xx1.c b/drivers/misc/tifm_7xx1.c
index a37a42f67088..8498282d1212 100644
--- a/drivers/misc/tifm_7xx1.c
+++ b/drivers/misc/tifm_7xx1.c
@@ -194,7 +194,7 @@ static void tifm_7xx1_switch_media(struct work_struct *work)
 				spin_unlock_irqrestore(&fm->lock, flags);
 			}
 			if (sock)
-				tifm_free_device(&sock->dev);
+				put_device(&sock->dev);
 		}
 		spin_lock_irqsave(&fm->lock, flags);
 	}
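Review bot: switching to put_device(&sock->dev) makes freeing depend on sock->dev.release being set before device_register() is attempted; please confirm the allocation path sets it, otherwise the struct itself is now leaked instead of the name. A brief note in the commit message that tifm_free_device() is no longer used on this error path would help reviewers of the core side.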
-- 
2.35.1

* [PATCH 4.9 136/251] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 135/251] misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 137/251] cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zheng Wang, Dimitri Sivanich, Sasha Levin

From: Zheng Wang <zyytlz.wz@163.com>

[ Upstream commit 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc ]

In some bad situations, the gts may be freed in gru_check_chiplet_assignment.
The call chain can be gru_unload_context->gru_free_gru_context->gts_drop
and finally kfree. However, the caller does not know whether the gts has been
freed or not and uses it afterwards. This will trigger a use-after-free bug.

Fix it by introducing a return value to see whether it is in the error path or not.
Free the gts in the caller if the gru_check_chiplet_assignment check failed.

Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Acked-by: Dimitri Sivanich <sivanich@hpe.com>
Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/sgi-gru/grufault.c  | 13 +++++++++++--
 drivers/misc/sgi-gru/grumain.c   | 22 ++++++++++++++++++----
 drivers/misc/sgi-gru/grutables.h |  2 +-
 3 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c
index 6fb773dbcd0c..a43a496ca9b9 100644
--- a/drivers/misc/sgi-gru/grufault.c
+++ b/drivers/misc/sgi-gru/grufault.c
@@ -656,6 +656,7 @@ int gru_handle_user_call_os(unsigned long cb)
 	if ((cb & (GRU_HANDLE_STRIDE - 1)) || ucbnum >= GRU_NUM_CB)
 		return -EINVAL;
 
+again:
 	gts = gru_find_lock_gts(cb);
 	if (!gts)
 		return -EINVAL;
@@ -664,7 +665,11 @@ int gru_handle_user_call_os(unsigned long cb)
 	if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE)
 		goto exit;
 
-	gru_check_context_placement(gts);
+	if (gru_check_context_placement(gts)) {
+		gru_unlock_gts(gts);
+		gru_unload_context(gts, 1);
+		goto again;
+	}
 
 	/*
 	 * CCH may contain stale data if ts_force_cch_reload is set.
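Review bot: the `goto again` retry after gru_unload_context(gts, 1) is unbounded; if gru_check_context_placement() keeps failing, gru_handle_user_call_os() will spin re-locking and unloading. A bounded retry count, or returning -EAGAIN to the caller after one unload, would be safer. The ordering itself (gru_unlock_gts(), then unload, then re-lookup via gru_find_lock_gts()) is right, since gts must not be touched after the unload.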
@@ -882,7 +887,11 @@ int gru_set_context_option(unsigned long arg)
 		} else {
 			gts->ts_user_blade_id = req.val1;
 			gts->ts_user_chiplet_id = req.val0;
-			gru_check_context_placement(gts);
+			if (gru_check_context_placement(gts)) {
+				gru_unlock_gts(gts);
+				gru_unload_context(gts, 1);
+				return ret;
+			}
 		}
 		break;
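Review bot: the early `return ret;` in gru_set_context_option() returns whatever ret held before the placement check (not visible here, presumably 0), so a failed placement is reported to user space as success; if that is intended because the unload is the desired effect of changing blade/chiplet, a short comment saying so would help. Unlike the call_os path there is no retry here, which looks correct for an option-setting call.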
 	case sco_gseg_owner:
diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c
index 33741ad4a74a..bc2d5233660c 100644
--- a/drivers/misc/sgi-gru/grumain.c
+++ b/drivers/misc/sgi-gru/grumain.c
@@ -729,9 +729,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru,
  * chiplet. Misassignment can occur if the process migrates to a different
  * blade or if the user changes the selected blade/chiplet.
  */
-void gru_check_context_placement(struct gru_thread_state *gts)
+int gru_check_context_placement(struct gru_thread_state *gts)
 {
 	struct gru_state *gru;
+	int ret = 0;
 
 	/*
 	 * If the current task is the context owner, verify that the
@@ -739,15 +740,23 @@ void gru_check_context_placement(struct gru_thread_state *gts)
 	 * references. Pthread apps use non-owner references to the CBRs.
 	 */
 	gru = gts->ts_gru;
+	/*
+	 * If gru or gts->ts_tgid_owner isn't initialized properly, return
+	 * success to indicate that the caller does not need to unload the
+	 * gru context.The caller is responsible for their inspection and
+	 * reinitialization if needed.
+	 */
 	if (!gru || gts->ts_tgid_owner != current->tgid)
-		return;
+		return ret;
 
 	if (!gru_check_chiplet_assignment(gru, gts)) {
 		STAT(check_context_unload);
-		gru_unload_context(gts, 1);
+		ret = -EINVAL;
 	} else if (gru_retarget_intr(gts)) {
 		STAT(check_context_retarget_intr);
 	}
+
+	return ret;
 }
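Review bot: the new comment has a missing space in "gru context.The caller", and the function comment above gru_check_context_placement() (the "Misassignment can occur ..." block in the previous hunk) should now document the int return: 0 when the context may stay, non-zero when the caller must drop its locks and call gru_unload_context() itself. -EINVAL is also a slightly misleading choice for "please unload and retry"; -EAGAIN or a named constant would make the contract clearer for the three callers. STAT(check_context_unload) is still incremented here although the unload now happens in the caller, which is fine but worth a note.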
 
 
@@ -946,7 +955,12 @@ int gru_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
 	mutex_lock(&gts->ts_ctxlock);
 	preempt_disable();
 
-	gru_check_context_placement(gts);
+	if (gru_check_context_placement(gts)) {
+		preempt_enable();
+		mutex_unlock(&gts->ts_ctxlock);
+		gru_unload_context(gts, 1);
+		return VM_FAULT_NOPAGE;
+	}
 
 	if (!gts->ts_gru) {
 		STAT(load_user_context);
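Review bot: returning VM_FAULT_NOPAGE after gru_unload_context() without inserting a PTE relies on the CPU re-faulting and re-entering gru_fault(), which then reloads the context on the correct chiplet; a comment making that retry-by-refault explicit would help, since VM_FAULT_NOPAGE otherwise signals that the handler mapped the page itself. The unlock order (preempt_enable() then mutex_unlock()) correctly mirrors the lock order above.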
diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
index 5c3ce2459675..a1dfca557fc3 100644
--- a/drivers/misc/sgi-gru/grutables.h
+++ b/drivers/misc/sgi-gru/grutables.h
@@ -651,7 +651,7 @@ extern int gru_user_flush_tlb(unsigned long arg);
 extern int gru_user_unload_context(unsigned long arg);
 extern int gru_get_exception_detail(unsigned long arg);
 extern int gru_set_context_option(unsigned long address);
-extern void gru_check_context_placement(struct gru_thread_state *gts);
+extern int gru_check_context_placement(struct gru_thread_state *gts);
 extern int gru_cpu_fault_map_id(void);
 extern struct vm_area_struct *gru_find_vma(unsigned long vaddr);
 extern void gru_flush_all_tlb(struct gru_state *gru);
-- 
2.35.1

* [PATCH 4.9 137/251] cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 136/251] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 138/251] cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Andrew Donnellan,
	Frederic Barrat, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 61c80d1c3833e196256fb060382db94f24d3d9a7 ]

If device_register() fails in cxl_register_afu|adapter(), the device
is not added, so device_unregister() cannot be called in the error path;
otherwise it will cause a null-ptr-deref because of removing a device that
was not added.

As the comment of device_register() says, it should use put_device() to give
up the reference in the error path. So split device_unregister() into
device_del() and put_device(), then jump to put_device() when registration fails.

Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
Link: https://lore.kernel.org/r/20221111145440.2426970-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/cxl/guest.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/drivers/misc/cxl/guest.c b/drivers/misc/cxl/guest.c
index d08509cd978a..2cefe1f3ce7e 100644
--- a/drivers/misc/cxl/guest.c
+++ b/drivers/misc/cxl/guest.c
@@ -969,10 +969,10 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
 	 * if it returns an error!
 	 */
 	if ((rc = cxl_register_afu(afu)))
-		goto err_put1;
+		goto err_put_dev;
 
 	if ((rc = cxl_sysfs_afu_add(afu)))
-		goto err_put1;
+		goto err_del_dev;
 
 	/*
 	 * pHyp doesn't expose the programming models supported by the
@@ -988,7 +988,7 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
 		afu->modes_supported = CXL_MODE_DIRECTED;
 
 	if ((rc = cxl_afu_select_best_mode(afu)))
-		goto err_put2;
+		goto err_remove_sysfs;
 
 	adapter->afu[afu->slice] = afu;
 
@@ -1008,10 +1008,12 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
 
 	return 0;
 
-err_put2:
+err_remove_sysfs:
 	cxl_sysfs_afu_remove(afu);
-err_put1:
-	device_unregister(&afu->dev);
+err_del_dev:
+	device_del(&afu->dev);
+err_put_dev:
+	put_device(&afu->dev);
 	free = false;
 	guest_release_serr_irq(afu);
 err2:
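Review bot: at err_put_dev the put_device(&afu->dev) may drop the last reference and run the device release callback (which is why `free = false` follows it), yet guest_release_serr_irq(afu) is then called on the same afu; this ordering predates the patch, but releasing the irq before the final put_device() would avoid touching a possibly released object.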
@@ -1145,18 +1147,20 @@ struct cxl *cxl_guest_init_adapter(struct device_node *np, struct platform_devic
 	 * even if it returns an error!
 	 */
 	if ((rc = cxl_register_adapter(adapter)))
-		goto err_put1;
+		goto err_put_dev;
 
 	if ((rc = cxl_sysfs_adapter_add(adapter)))
-		goto err_put1;
+		goto err_del_dev;
 
 	/* release the context lock as the adapter is configured */
 	cxl_adapter_context_unlock(adapter);
 
 	return adapter;
 
-err_put1:
-	device_unregister(&adapter->dev);
+err_del_dev:
+	device_del(&adapter->dev);
+err_put_dev:
+	put_device(&adapter->dev);
 	free = false;
 	cxl_guest_remove_chardev(adapter);
 err1:
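Review bot: same ordering concern as in the afu path above: cxl_guest_remove_chardev(adapter) runs after put_device(&adapter->dev), which may already have dropped the last reference (hence `free = false`); moving the chardev removal before the put would be safer.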
-- 
2.35.1

* [PATCH 4.9 138/251] cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 137/251] cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 139/251] drivers: mcb: fix resource leak in mcb_probe() Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Frederic Barrat,
	Andrew Donnellan, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 02cd3032b154fa02fdf90e7467abaeed889330b2 ]

If device_register() fails in cxl_pci_afu|adapter(), the device
is not added, so device_unregister() cannot be called in the error
path; otherwise it will cause a null-ptr-deref because of removing
a device that was not added.

As the comment of device_register() says, it should use put_device() to give
up the reference in the error path. So split device_unregister() into
device_del() and put_device(), then jump to put_device() when registration fails.

Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
Link: https://lore.kernel.org/r/20221111145440.2426970-2-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/cxl/pci.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c
index a5422f483ad5..f7417033a7a8 100644
--- a/drivers/misc/cxl/pci.c
+++ b/drivers/misc/cxl/pci.c
@@ -1187,10 +1187,10 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev)
 	 * if it returns an error!
 	 */
 	if ((rc = cxl_register_afu(afu)))
-		goto err_put1;
+		goto err_put_dev;
 
 	if ((rc = cxl_sysfs_afu_add(afu)))
-		goto err_put1;
+		goto err_del_dev;
 
 	adapter->afu[afu->slice] = afu;
 
@@ -1199,10 +1199,12 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev)
 
 	return 0;
 
-err_put1:
+err_del_dev:
+	device_del(&afu->dev);
+err_put_dev:
 	pci_deconfigure_afu(afu);
 	cxl_debugfs_afu_remove(afu);
-	device_unregister(&afu->dev);
+	put_device(&afu->dev);
 	return rc;
 
 err_free_native:
@@ -1589,23 +1591,25 @@ static struct cxl *cxl_pci_init_adapter(struct pci_dev *dev)
 	 * even if it returns an error!
 	 */
 	if ((rc = cxl_register_adapter(adapter)))
-		goto err_put1;
+		goto err_put_dev;
 
 	if ((rc = cxl_sysfs_adapter_add(adapter)))
-		goto err_put1;
+		goto err_del_dev;
 
 	/* Release the context lock as adapter is configured */
 	cxl_adapter_context_unlock(adapter);
 
 	return adapter;
 
-err_put1:
+err_del_dev:
+	device_del(&adapter->dev);
+err_put_dev:
 	/* This should mirror cxl_remove_adapter, except without the
 	 * sysfs parts
 	 */
 	cxl_debugfs_adapter_remove(adapter);
 	cxl_deconfigure_adapter(adapter);
-	device_unregister(&adapter->dev);
+	put_device(&adapter->dev);
 	return ERR_PTR(rc);
 
 err_release:
-- 
2.35.1

* [PATCH 4.9 139/251] drivers: mcb: fix resource leak in mcb_probe()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 138/251] cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 140/251] mcb: mcb-parse: fix error handing in chameleon_parse_gdd() Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Johannes Thumshirn,
	Sasha Levin

From: Zhengchao Shao <shaozhengchao@huawei.com>

[ Upstream commit d7237462561fcd224fa687c56ccb68629f50fc0d ]

When the probe hook function fails in mcb_probe(), it doesn't put the device.
Compiled test only.

Fixes: 7bc364097a89 ("mcb: Acquire reference to device in probe")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Johannes Thumshirn <jth@kernel.org>
Link: https://lore.kernel.org/r/9f87de36bfb85158b506cb78c6fc9db3f6a3bad1.1669624063.git.johannes.thumshirn@wdc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mcb/mcb-core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mcb/mcb-core.c b/drivers/mcb/mcb-core.c
index 96801137a144..80e70d9fd402 100644
--- a/drivers/mcb/mcb-core.c
+++ b/drivers/mcb/mcb-core.c
@@ -74,8 +74,10 @@ static int mcb_probe(struct device *dev)
 
 	get_device(dev);
 	ret = mdrv->probe(mdev, found_id);
-	if (ret)
+	if (ret) {
 		module_put(carrier_mod);
+		put_device(dev);
+	}
 
 	return ret;
 }
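Review bot: the new put_device(dev) in the failure branch correctly pairs with the get_device(dev) above; consider placing it before module_put(carrier_mod) so that the release order is the reverse of the acquisition order, in case dropping the device reference runs a release callback that still expects the carrier module to be pinned.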
-- 
2.35.1

* [PATCH 4.9 140/251] mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2023-01-05 12:54 ` [PATCH 4.9 139/251] drivers: mcb: fix resource leak in mcb_probe() Greg Kroah-Hartman
@ 2023-01-05 12:54 ` Greg Kroah-Hartman
  2023-01-05 12:54 ` [PATCH 4.9 141/251] chardev: fix error handling in cdev_device_add() Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Yang Yingliang,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 728ac3389296caf68638628c987aeae6c8851e2d ]

If mcb_device_register() returns an error in chameleon_parse_gdd(), the refcounts
of the bus and the device name are leaked. Fix this by calling put_device() to give up
the reference, so they can be released in mcb_release_dev() and kobject_cleanup().

Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
Reviewed-by: Johannes Thumshirn <jth@kernel.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Johannes Thumshirn <jth@kernel.org>
Link: https://lore.kernel.org/r/ebfb06e39b19272f0197fa9136b5e4b6f34ad732.1669624063.git.johannes.thumshirn@wdc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mcb/mcb-parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mcb/mcb-parse.c b/drivers/mcb/mcb-parse.c
index 4ca2739b4fad..fdc35341ff6c 100644
--- a/drivers/mcb/mcb-parse.c
+++ b/drivers/mcb/mcb-parse.c
@@ -107,7 +107,7 @@ static int chameleon_parse_gdd(struct mcb_bus *bus,
 	return 0;
 
 err:
-	mcb_free_dev(mdev);
+	put_device(&mdev->dev);
 
 	return ret;
 }
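Review bot: put_device(&mdev->dev) at err: requires that mdev->dev has already been initialised with its release callback set, and that every `goto err` in chameleon_parse_gdd() happens after that point; if any error jump precedes initialisation, put_device() on an uninitialised kobject triggers a kobject WARN rather than a clean release. Please confirm the earliest goto err.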
-- 
2.35.1

* [PATCH 4.9 141/251] chardev: fix error handling in cdev_device_add()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797 ]

While doing a fault injection test, I got the following report:

------------[ cut here ]------------
kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0
CPU: 3 PID: 6306 Comm: 283 Tainted: G        W          6.1.0-rc2-00005-g307c1086d7c9 #1253
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kobject_put+0x23d/0x4e0
Call Trace:
 <TASK>
 cdev_device_add+0x15e/0x1b0
 __iio_device_register+0x13b4/0x1af0 [industrialio]
 __devm_iio_device_register+0x22/0x90 [industrialio]
 max517_probe+0x3d8/0x6b4 [max517]
 i2c_device_probe+0xa81/0xc00

When a fault is injected into device_add() and it returns an error, and dev->devt is
not set, cdev_add() was not called, so cdev_del() is not needed. Fix this by checking
dev->devt in the error path.

Fixes: 233ed09d7fda ("chardev: add helper function to register char devs with a struct device")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221202030237.520280-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/char_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/char_dev.c b/fs/char_dev.c
index 1bbb966c0783..9f79fd345e79 100644
--- a/fs/char_dev.c
+++ b/fs/char_dev.c
@@ -528,7 +528,7 @@ int cdev_device_add(struct cdev *cdev, struct device *dev)
 	}
 
 	rc = device_add(dev);
-	if (rc)
+	if (rc && dev->devt)
 		cdev_del(cdev);
 
 	return rc;
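Review bot: the new `if (rc && dev->devt)` guard has to stay in lock-step with the condition under which cdev_add() was called a few lines above (the closing `}` at the top of the hunk is the end of that block); a short comment such as `/* cdev_add() only ran when devt was set */` would stop a future edit from changing one condition without the other.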
-- 
2.35.1





* [PATCH 4.9 142/251] i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hui Tang, Wolfram Sang, Sasha Levin

From: Hui Tang <tanghui20@huawei.com>

[ Upstream commit d78a167332e1ca8113268ed922c1212fd71b73ad ]

Use pcim_enable_device() to avoid the missing pci_disable_device().

Fixes: 7e94dd154e93 ("i2c-pxa2xx: Add PCI support for PXA I2C controller")
Signed-off-by: Hui Tang <tanghui20@huawei.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-pxa-pci.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/drivers/i2c/busses/i2c-pxa-pci.c b/drivers/i2c/busses/i2c-pxa-pci.c
index 417464e9ea2a..3113b06b4fc1 100644
--- a/drivers/i2c/busses/i2c-pxa-pci.c
+++ b/drivers/i2c/busses/i2c-pxa-pci.c
@@ -101,7 +101,7 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
 	int i;
 	struct ce4100_devices *sds;
 
-	ret = pci_enable_device_mem(dev);
+	ret = pcim_enable_device(dev);
 	if (ret)
 		return ret;
 
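Review bot: `ret = pcim_enable_device(dev);` hands the disable to devres, which also means the driver's remove path must no longer call pci_disable_device() itself or the device is disabled twice on unbind; ce4100_i2c_remove() is not in this diff, so check it.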
@@ -110,10 +110,8 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
 		return -EINVAL;
 	}
 	sds = kzalloc(sizeof(*sds), GFP_KERNEL);
-	if (!sds) {
-		ret = -ENOMEM;
-		goto err_mem;
-	}
+	if (!sds)
+		return -ENOMEM;
 
 	for (i = 0; i < ARRAY_SIZE(sds->pdev); i++) {
 		sds->pdev[i] = add_i2c_device(dev, i);
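Review bot: the bare `return -ENOMEM;` is fine now that devres owns the disable, and the same reasoning retroactively fixes the `return -EINVAL;` at the top of this hunk, which before this patch also left the device enabled; the commit message could mention that second leak so backporters know both are covered.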
@@ -129,8 +127,6 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
 
 err_dev_add:
 	kfree(sds);
-err_mem:
-	pci_disable_device(dev);
 	return ret;
 }
 
-- 
2.35.1





* [PATCH 4.9 143/251] staging: rtl8192u: Fix use after free in ieee80211_rx()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Sasha Levin

From: Dan Carpenter <error27@gmail.com>

[ Upstream commit bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac ]

We cannot dereference the "skb" pointer after calling
ieee80211_monitor_rx(), because it is a use after free.

Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
index 89cbc077a48d..085cc86e7c32 100644
--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
@@ -965,9 +965,11 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
 #endif
 
 	if (ieee->iw_mode == IW_MODE_MONITOR) {
+		unsigned int len = skb->len;
+
 		ieee80211_monitor_rx(ieee, skb, rx_stats);
 		stats->rx_packets++;
-		stats->rx_bytes += skb->len;
+		stats->rx_bytes += len;
 		return 1;
 	}
 
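Review bot: `unsigned int len = skb->len;` saved before ieee80211_monitor_rx() deserves a one-line comment explaining that the callee may hand the skb to the network stack and free it; without it a later cleanup could fold the variable back into `stats->rx_bytes += skb->len` and reintroduce the use-after-free. The companion rtl8192e fix in this series solves the same bug by reordering the statements instead; either is fine, but the reasoning should be visible in the code.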
-- 
2.35.1





* [PATCH 4.9 144/251] staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, YueHaibing, Sasha Levin

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit d30f4436f364b4ad915ca2c09be07cd0f93ceb44 ]

The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it;
dereferencing skb after that call may trigger a use-after-free.
Found by Smatch.

Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/rtl8192e/rtllib_rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192e/rtllib_rx.c b/drivers/staging/rtl8192e/rtllib_rx.c
index 247475aa522e..23c917342943 100644
--- a/drivers/staging/rtl8192e/rtllib_rx.c
+++ b/drivers/staging/rtl8192e/rtllib_rx.c
@@ -1508,9 +1508,9 @@ static int rtllib_rx_Monitor(struct rtllib_device *ieee, struct sk_buff *skb,
 		hdrlen += 4;
 	}
 
-	rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen);
 	ieee->stats.rx_packets++;
 	ieee->stats.rx_bytes += skb->len;
+	rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen);
 
 	return 1;
 }
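Review bot: moving `rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen);` below the two stats updates is correct, but nothing in the code says why the order matters; add a comment that skb must not be touched after this call because netif_rx() may free it, so the statements are not reordered back for tidiness.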
-- 
2.35.1





* [PATCH 4.9 145/251] vme: Fix error not catched in fake_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Sasha Levin

From: Chen Zhongjin <chenzhongjin@huawei.com>

[ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ]

In fake_init(), __root_device_register() can fail, but the error is
ignored, which can cause unregistering vme_root to fail on exit.

 general protection fault,
 probably for non-canonical address 0xdffffc000000008c
 KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467]
 RIP: 0010:root_device_unregister+0x26/0x60
 Call Trace:
  <TASK>
  __x64_sys_delete_module+0x34f/0x540
  do_syscall_64+0x38/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

Return error when __root_device_register() fails.

Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vme/bridges/vme_fake.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/vme/bridges/vme_fake.c b/drivers/vme/bridges/vme_fake.c
index e81ec763b555..150ee8b3507f 100644
--- a/drivers/vme/bridges/vme_fake.c
+++ b/drivers/vme/bridges/vme_fake.c
@@ -1077,6 +1077,8 @@ static int __init fake_init(void)
 
 	/* We need a fake parent device */
 	vme_root = __root_device_register("vme", THIS_MODULE);
+	if (IS_ERR(vme_root))
+		return PTR_ERR(vme_root);
 
 	/* If we want to support more than one bridge at some point, we need to
 	 * dynamically allocate this so we get one per device.
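Review bot: the early `return PTR_ERR(vme_root);` assumes nothing allocated earlier in fake_init() needs to be released; the hunk starts just above the register call, so confirm there is no prior allocation or, if there is, route the failure through an error label that undoes it.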
-- 
2.35.1





* [PATCH 4.9 146/251] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zheyu Ma, Wolfram Sang, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 39244cc754829bf707dccd12e2ce37510f5b1f8d ]

When the driver does not check the data from the user, the variable
'data->block[0]' may be large enough to cause an out-of-bounds bug.

The following log can reveal it:

[   33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
[   33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA:  WRITE
[   33.996475] ==================================================================
[   33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
[   33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
[   33.999450] Call Trace:
[   34.001849]  memcpy+0x20/0x60
[   34.002077]  ismt_access.cold+0x374/0x214b
[   34.003382]  __i2c_smbus_xfer+0x44f/0xfb0
[   34.004007]  i2c_smbus_xfer+0x10a/0x390
[   34.004291]  i2cdev_ioctl_smbus+0x2c8/0x710
[   34.005196]  i2cdev_ioctl+0x5ec/0x74c

Fix this bug by checking the size of 'data->block[0]' first.

Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-ismt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index b51adffa4841..e689c7acea62 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -495,6 +495,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
 		if (read_write == I2C_SMBUS_WRITE) {
 			/* Block Write */
 			dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA:  WRITE\n");
+			if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
+				return -EINVAL;
+
 			dma_size = data->block[0] + 1;
 			dma_direction = DMA_TO_DEVICE;
 			desc->wr_len_cmd = dma_size;
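Review bot: the range check `data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX` lands only in the block-write branch; since `dma_size = data->block[0] + 1;` immediately below is the length that reached memcpy() in the KASAN report, a comment tying the check to that line would help, and it is worth confirming whether other branches of ismt_access() derive a DMA length from a user-supplied `data->block[0]` without the same guard.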
-- 
2.35.1





* [PATCH 4.9 147/251] usb: storage: Add check for kcalloc
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern, Jiasheng Jiang, Sasha Levin

From: Jiasheng Jiang <jiasheng@iscas.ac.cn>

[ Upstream commit c35ca10f53c51eeb610d3f8fbc6dd6d511b58a58 ]

As kcalloc may return a NULL pointer, the return value should
be checked and an error returned if it fails, the same as is done in
alauda_read_map.

Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support")
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Link: https://lore.kernel.org/r/20221208110058.12983-1-jiasheng@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/storage/alauda.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c
index 878b4b8761f5..3dbd60540372 100644
--- a/drivers/usb/storage/alauda.c
+++ b/drivers/usb/storage/alauda.c
@@ -450,6 +450,8 @@ static int alauda_init_media(struct us_data *us)
 		+ MEDIA_INFO(us).blockshift + MEDIA_INFO(us).pageshift);
 	MEDIA_INFO(us).pba_to_lba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO);
 	MEDIA_INFO(us).lba_to_pba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO);
+	if (MEDIA_INFO(us).pba_to_lba == NULL || MEDIA_INFO(us).lba_to_pba == NULL)
+		return USB_STOR_TRANSPORT_ERROR;
 
 	if (alauda_reset_media(us) != USB_STOR_XFER_GOOD)
 		return USB_STOR_TRANSPORT_ERROR;
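Review bot: when exactly one of the two kcalloc() calls fails, the `return USB_STOR_TRANSPORT_ERROR;` leaves the other array assigned in MEDIA_INFO(us) with nothing in this hunk freeing it; either kfree() the surviving pointer (and reset it) before returning, or state in the commit message which teardown path releases it.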
-- 
2.35.1





* [PATCH 4.9 148/251] fbdev: ssd1307fb: Drop optional dependency
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Helge Deller, Sasha Levin

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 025e3b507a3a8e1ee96a3112bb67495c77d6cdb6 ]

Only one of the three devices needs a PWM, so from the driver's point of
view it's optional. Moreover, it's the only driver in the entire kernel that
currently selects PWM. Unfortunately this selection is a root cause
of the circular dependencies when we want to enable optional PWM
for some other drivers that select GPIOLIB.

Fixes: a2ed00da5047 ("drivers/video: add support for the Solomon SSD1307 OLED Controller")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/Kconfig | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
index c0d4e645f3b5..e2c51e2ffc80 100644
--- a/drivers/video/fbdev/Kconfig
+++ b/drivers/video/fbdev/Kconfig
@@ -2471,7 +2471,6 @@ config FB_SSD1307
 	select FB_SYS_COPYAREA
 	select FB_SYS_IMAGEBLIT
 	select FB_DEFERRED_IO
-	select PWM
 	select FB_BACKLIGHT
 	help
 	  This driver implements support for the Solomon SSD1307
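Review bot: dropping `select PWM` without adding a `depends on PWM || !PWM` guard means FB_SSD1307 must now build and link with CONFIG_PWM=n, which relies on the stub inlines linux/pwm.h provides for every pwm_* call the driver makes; that is not visible here and should be confirmed with a PWM-disabled build before this goes to stable.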
-- 
2.35.1





* [PATCH 4.9 149/251] fbdev: pm2fb: fix missing pci_disable_device()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Helge Deller, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit ed359a464846b48f76ea6cc5cd8257e545ac97f4 ]

Add the missing pci_disable_device() in the error path of probe() and in the remove() path.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/pm2fb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c
index 9b32b9fc44a5..6e8bd281ee0f 100644
--- a/drivers/video/fbdev/pm2fb.c
+++ b/drivers/video/fbdev/pm2fb.c
@@ -1527,8 +1527,10 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 	}
 
 	info = framebuffer_alloc(sizeof(struct pm2fb_par), &pdev->dev);
-	if (!info)
-		return -ENOMEM;
+	if (!info) {
+		err = -ENOMEM;
+		goto err_exit_disable;
+	}
 	default_par = info->par;
 
 	switch (pdev->device) {
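Review bot: `err = -ENOMEM;` sets the wrong variable: the `err_exit_disable:` label it jumps to ends in `return retval;` (second hunk of this patch), so a framebuffer_alloc() failure now reports whatever retval already holds instead of -ENOMEM. Assign `retval = -ENOMEM;` here instead.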
@@ -1709,6 +1711,8 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 	release_mem_region(pm2fb_fix.mmio_start, pm2fb_fix.mmio_len);
  err_exit_neither:
 	framebuffer_release(info);
+ err_exit_disable:
+	pci_disable_device(pdev);
 	return retval;
 }
 
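Review bot: placing `err_exit_disable:` after framebuffer_release() means every existing goto in this function now ends in pci_disable_device(); that is only correct if all of them occur after pci_enable_device() succeeded, which the hunk does not show, so verify that the enable is the first step that can fail or that its own failure returns directly.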
@@ -1735,6 +1739,7 @@ static void pm2fb_remove(struct pci_dev *pdev)
 	fb_dealloc_cmap(&info->cmap);
 	kfree(info->pixmap.addr);
 	framebuffer_release(info);
+	pci_disable_device(pdev);
 }
 
 static struct pci_device_id pm2fb_id_table[] = {
-- 
2.35.1





* [PATCH 4.9 150/251] fbdev: via: Fix error in via_core_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Helge Deller, Sasha Levin

From: Shang XiaoJing <shangxiaojing@huawei.com>

[ Upstream commit 5886b130de953cfb8826f7771ec8640a79934a7f ]

via_core_init() doesn't exit the driver when pci_register_driver() fails.
Exit viafb-i2c and viafb-gpio in the failure path to prevent the error.

VIA Graphics Integration Chipset framebuffer 2.4 initializing
Error: Driver 'viafb-i2c' is already registered, aborting...
Error: Driver 'viafb-gpio' is already registered, aborting...

Fixes: 7582eb9be85f ("viafb: Turn GPIO and i2c into proper platform devices")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/via/via-core.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/via/via-core.c b/drivers/video/fbdev/via/via-core.c
index 1d28e16888e9..84f7835956a9 100644
--- a/drivers/video/fbdev/via/via-core.c
+++ b/drivers/video/fbdev/via/via-core.c
@@ -775,7 +775,14 @@ static int __init via_core_init(void)
 		return ret;
 	viafb_i2c_init();
 	viafb_gpio_init();
-	return pci_register_driver(&via_driver);
+	ret = pci_register_driver(&via_driver);
+	if (ret) {
+		viafb_gpio_exit();
+		viafb_i2c_exit();
+		return ret;
+	}
+
+	return 0;
 }
 
 static void __exit via_core_exit(void)
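Review bot: the unwind order in the new block (`viafb_gpio_exit();` then `viafb_i2c_exit();`) correctly reverses the init order, but the trailing `return 0;` after the if could simply be `return ret;` since ret is known to be zero there; also worth confirming that whatever step produced the `return ret;` at the top of the hunk leaves nothing that needs undoing on this new failure path.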
-- 
2.35.1





* [PATCH 4.9 151/251] fbdev: vermilion: decrease reference count in error path
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Helge Deller, Sasha Levin

From: Xiongfeng Wang <wangxiongfeng2@huawei.com>

[ Upstream commit 001f2cdb952a9566c77fb4b5470cc361db5601bb ]

pci_get_device() will increase the reference count for the returned
pci_dev. For the error path, we need to use pci_dev_put() to decrease
the reference count.

Fixes: dbe7e429fedb ("vmlfb: framebuffer driver for Intel Vermilion Range")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/vermilion/vermilion.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/vermilion/vermilion.c b/drivers/video/fbdev/vermilion/vermilion.c
index 1c1e95a0b8fa..9774e9513ad0 100644
--- a/drivers/video/fbdev/vermilion/vermilion.c
+++ b/drivers/video/fbdev/vermilion/vermilion.c
@@ -291,8 +291,10 @@ static int vmlfb_get_gpu(struct vml_par *par)
 
 	mutex_unlock(&vml_mutex);
 
-	if (pci_enable_device(par->gpu) < 0)
+	if (pci_enable_device(par->gpu) < 0) {
+		pci_dev_put(par->gpu);
 		return -ENODEV;
+	}
 
 	return 0;
 }
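Review bot: after `pci_dev_put(par->gpu);` the pointer in par->gpu still points at the released device, so a later teardown that also puts par->gpu would drop the reference twice; set `par->gpu = NULL;` alongside the put, or confirm that no cleanup path touches par->gpu when vmlfb_get_gpu() fails.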
-- 
2.35.1





* [PATCH 4.9 152/251] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Helge Deller,
	Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit a94371040712031ba129c7e9d8ff04a06a2f8207 ]

If an error occurs after a successful uvesafb_init_mtrr() call, it must be
undone by a corresponding arch_phys_wc_del() call, as already done in the
remove function.

This was added to the remove function in commit 63e28a7a5ffc
("uvesafb: Clean up MTRR code").

Fixes: 8bdb3a2d7df4 ("uvesafb: the driver core")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/uvesafb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
index 9fe0d0bcdf62..01a3d9931348 100644
--- a/drivers/video/fbdev/uvesafb.c
+++ b/drivers/video/fbdev/uvesafb.c
@@ -1776,6 +1776,7 @@ static int uvesafb_probe(struct platform_device *dev)
 out_unmap:
 	iounmap(info->screen_base);
 out_mem:
+	arch_phys_wc_del(par->mtrr_handle);
 	release_mem_region(info->fix.smem_start, info->fix.smem_len);
 out_reg:
 	release_region(0x3c0, 32);
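Review bot: `arch_phys_wc_del(par->mtrr_handle);` under `out_mem:` runs for every goto that reaches this label, including any that precede uvesafb_init_mtrr(); that is harmless only if par->mtrr_handle is initialized to a negative value on those paths, since arch_phys_wc_del() ignores negative handles, so confirm the initialization order or move the call under a dedicated label.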
-- 
2.35.1





* [PATCH 4.9 153/251] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sebastian Reichel,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f5181c35ed7ba0ceb6e42872aad1334d994b0175 ]

In error label 'out1' path in ssi_probe(), the pm_runtime_enable()
has not been called yet, so pm_runtime_disable() is not needed.

Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hsi/controllers/omap_ssi_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
index 56de30c25063..db9328c05492 100644
--- a/drivers/hsi/controllers/omap_ssi_core.c
+++ b/drivers/hsi/controllers/omap_ssi_core.c
@@ -574,9 +574,9 @@ static int ssi_probe(struct platform_device *pd)
 	device_for_each_child(&pd->dev, NULL, ssi_remove_ports);
 out2:
 	ssi_remove_controller(ssi);
+	pm_runtime_disable(&pd->dev);
 out1:
 	platform_set_drvdata(pd, NULL);
-	pm_runtime_disable(&pd->dev);
 
 	return err;
 }
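Review bot: moving `pm_runtime_disable(&pd->dev);` above `out1:` pairs it with out2, which is reached only after pm_runtime_enable() has run (the following patch in this series shows `pm_runtime_enable(&pd->dev);` sitting right after the `goto out1` for ssi_add_controller()); a comment on the label noting this pairing would make the ordering constraint explicit.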
-- 
2.35.1





* [PATCH 4.9 154/251] HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sebastian Reichel,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 1aff514e1d2bd47854dbbdf867970b9d463d4c57 ]

If ssi_add_controller() returns an error, it should call hsi_put_controller()
to give up the reference that was set in hsi_alloc_controller(), so that
it can call hsi_controller_release() to free the controller and ports that
were allocated in hsi_alloc_controller().

Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hsi/controllers/omap_ssi_core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
index db9328c05492..9e82f9f8f0a3 100644
--- a/drivers/hsi/controllers/omap_ssi_core.c
+++ b/drivers/hsi/controllers/omap_ssi_core.c
@@ -540,8 +540,10 @@ static int ssi_probe(struct platform_device *pd)
 	platform_set_drvdata(pd, ssi);
 
 	err = ssi_add_controller(ssi, pd);
-	if (err < 0)
+	if (err < 0) {
+		hsi_put_controller(ssi);
 		goto out1;
+	}
 
 	pm_runtime_enable(&pd->dev);
 
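Review bot: `hsi_put_controller(ssi);` is added only for the ssi_add_controller() failure; the later error paths that jump to out2 rely on ssi_remove_controller() to drop the same reference, which is not shown here, so confirm that it does, otherwise those paths leak the controller the same way.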
-- 
2.35.1





* [PATCH 4.9 155/251] power: supply: fix residue sysfs file in error handle route of __power_supply_register()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zeng Heng, Sebastian Reichel, Sasha Levin

From: Zeng Heng <zengheng4@huawei.com>

[ Upstream commit 5b79480ce1978864ac3f06f2134dfa3b6691fe74 ]

If device_add() succeeds, we should call device_del() when we want to
get rid of it, so move it under the proper jump label.

Otherwise, when __power_supply_register() fails and jumps to
wakeup_init_failed to exit, a residual device file is left in sysfs.
When attempting to probe the device again, sysfs complains as below:

sysfs: cannot create duplicate filename '/devices/platform/i2c/i2c-0/0-001c/power_supply/adp5061'
Call Trace:
 dump_stack_lvl+0x68/0x85
 sysfs_warn_dup.cold+0x1c/0x29
 sysfs_create_dir_ns+0x1b1/0x1d0
 kobject_add_internal+0x143/0x390
 kobject_add+0x108/0x170

Fixes: 80c6463e2fa3 ("power_supply: Fix Oops from NULL pointer dereference from wakeup_source_activate")
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/power/supply/power_supply_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c
index cb0b3d3d132f..af156b7f346f 100644
--- a/drivers/power/supply/power_supply_core.c
+++ b/drivers/power/supply/power_supply_core.c
@@ -807,8 +807,8 @@ __power_supply_register(struct device *parent,
 register_cooler_failed:
 	psy_unregister_thermal(psy);
 register_thermal_failed:
-	device_del(dev);
 wakeup_init_failed:
+	device_del(dev);
 device_add_failed:
 check_supplies_failed:
 dev_set_name_failed:
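Review bot: Moving device_del(dev) under `wakeup_init_failed:` is correct only if every `goto wakeup_init_failed` happens after device_add() has succeeded; the label order in the hunk (register_thermal_failed falls through to wakeup_init_failed, which now falls through to device_add_failed) preserves that, since device_add_failed remains the target for a failed device_add(). A one-line comment above `wakeup_init_failed:` stating that device_del() covers the wakeup-init failure path would keep a later cleanup from moving it back.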
-- 
2.35.1





* [PATCH 4.9 156/251] HSI: omap_ssi_core: Fix error handling in ssi_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Can, Sebastian Reichel, Sasha Levin

From: Yuan Can <yuancan@huawei.com>

[ Upstream commit 3ffa9f713c39a213a08d9ff13ab983a8aa5d8b5d ]

ssi_init() returns the result of platform_driver_register() directly
without checking its return value; if platform_driver_register() fails,
ssi_pdriver is not unregistered.
Fix this by unregistering ssi_pdriver when the last
platform_driver_register() fails.

Fixes: 0fae198988b8 ("HSI: omap_ssi: built omap_ssi and omap_ssi_port into one module")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hsi/controllers/omap_ssi_core.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
index 9e82f9f8f0a3..c885c3bc2e85 100644
--- a/drivers/hsi/controllers/omap_ssi_core.c
+++ b/drivers/hsi/controllers/omap_ssi_core.c
@@ -669,7 +669,13 @@ static int __init ssi_init(void) {
 	if (ret)
 		return ret;
 
-	return platform_driver_register(&ssi_port_pdriver);
+	ret = platform_driver_register(&ssi_port_pdriver);
+	if (ret) {
+		platform_driver_unregister(&ssi_pdriver);
+		return ret;
+	}
+
+	return 0;
 }
 module_init(ssi_init);
 
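Review bot: The unregister-on-failure logic is right, but the tail could be simpler: after `platform_driver_unregister(&ssi_pdriver);` the function could fall through to a single `return ret;`, dropping the separate `return 0;`, since ret is 0 on success. The hunk header also shows `ssi_init(void) {` with the brace on the signature line, which is pre-existing but worth fixing while touching the function.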
-- 
2.35.1





* [PATCH 4.9 157/251] include/uapi/linux/swab: Fix potentially missing __always_inline
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matt Redfearn, Florian Fainelli,
	Arnd Bergmann, Nathan Chancellor, Petr Vaněk, Sasha Levin

From: Matt Redfearn <matt.redfearn@mips.com>

[ Upstream commit defbab270d45e32b068e7e73c3567232d745c60f ]

Commit bc27fb68aaad ("include/uapi/linux/byteorder, swab: force inlining
of some byteswap operations") added __always_inline to swab functions
and commit 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to
userspace headers") added a definition of __always_inline for use in
exported headers when the kernel's compiler.h is not available.

However, since swab.h does not include stddef.h, if the header soup does
not indirectly include it, the definition of __always_inline is missing,
resulting in a compilation failure, which was observed compiling the
perf tool using exported headers containing this commit:

In file included from /usr/include/linux/byteorder/little_endian.h:12:0,
                 from /usr/include/asm/byteorder.h:14,
                 from tools/include/uapi/linux/perf_event.h:20,
                 from perf.h:8,
                 from builtin-bench.c:18:
/usr/include/linux/swab.h:160:8: error: unknown type name `__always_inline'
 static __always_inline __u16 __swab16p(const __u16 *p)

Fix this by replacing the inclusion of linux/compiler.h with
linux/stddef.h to ensure that we pick up that definition if required,
without relying on its indirect inclusion. compiler.h is then included
indirectly, via stddef.h.

Fixes: 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to userspace headers")
Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Petr Vaněk <arkamar@atlas.cz>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/uapi/linux/swab.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h
index 51502eabdb05..0915a8781eae 100644
--- a/include/uapi/linux/swab.h
+++ b/include/uapi/linux/swab.h
@@ -2,7 +2,7 @@
 #define _UAPI_LINUX_SWAB_H
 
 #include <linux/types.h>
-#include <linux/compiler.h>
+#include <linux/stddef.h>
 #include <asm/bitsperlong.h>
 #include <asm/swab.h>
 
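Review bot: Swapping linux/compiler.h for linux/stddef.h only cures the quoted build error if the 4.9.y copy of include/uapi/linux/stddef.h already carries the __always_inline fallback from 283d75737837, the commit named in the Fixes tag; the backporter should confirm that commit is present in this branch before applying. A short comment next to the include saying that stddef.h is needed for the __always_inline definition would stop a later header cleanup from reverting it to compiler.h.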
-- 
2.35.1





* [PATCH 4.9 158/251] rtc: snvs: Allow a time difference on clock register read
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Francesco Dolcini,
	Stefan Eichenberger, Francesco Dolcini, Alexandre Belloni,
	Sasha Levin

From: Stefan Eichenberger <stefan.eichenberger@toradex.com>

[ Upstream commit 0462681e207ccc44778a77b3297af728b1cf5b9f ]

On an iMX6ULL the following message appears when a wakealarm is set:

echo 0 > /sys/class/rtc/rtc1/wakealarm
rtc rtc1: Timeout trying to get valid LPSRT Counter read

This does not always happen but is reproducible quite often (7 out of 10
times). The problem appears because the iMX6ULL is not able to read the
registers within one 32kHz clock cycle which is the base clock of the
RTC. Therefore, this patch allows a difference of up to 320 cycles
(10ms). 10ms was chosen to be big enough even on systems with less CPU
power (e.g. iMX6ULL). According to the reference manual a difference is
fine:
- If the two consecutive reads are similar, the value is correct.
The values have to be similar, not equal.

Fixes: cd7f3a249dbe ("rtc: snvs: Add timeouts to avoid kernel lockups")
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Signed-off-by: Francesco Dolcini <francesco@dolcini.it>
Link: https://lore.kernel.org/r/20221106115915.7930-1-francesco@dolcini.it
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-snvs.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c
index 71eee39520f0..792089ffc274 100644
--- a/drivers/rtc/rtc-snvs.c
+++ b/drivers/rtc/rtc-snvs.c
@@ -39,6 +39,14 @@
 #define SNVS_LPPGDR_INIT	0x41736166
 #define CNTR_TO_SECS_SH		15
 
+/* The maximum RTC clock cycles that are allowed to pass between two
+ * consecutive clock counter register reads. If the values are corrupted a
+ * bigger difference is expected. The RTC frequency is 32kHz. With 320 cycles
+ * we end at 10ms which should be enough for most cases. If it once takes
+ * longer than expected we do a retry.
+ */
+#define MAX_RTC_READ_DIFF_CYCLES	320
+
 struct snvs_rtc_data {
 	struct rtc_device *rtc;
 	struct regmap *regmap;
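Review bot: The bound is consistent with the stated numbers (320 cycles at 32768 Hz is about 9.8 ms), but the comment block should open with a bare `/*` on its own line per kernel coding style rather than `/* The maximum RTC clock ...`. It would also help to say in the comment that MAX_RTC_READ_DIFF_CYCLES is in ticks of the 32 kHz LPSRT counter, since both callers compare raw counter deltas against it.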
@@ -63,6 +71,7 @@ static u64 rtc_read_lpsrt(struct snvs_rtc_data *data)
 static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
 {
 	u64 read1, read2;
+	s64 diff;
 	unsigned int timeout = 100;
 
 	/* As expected, the registers might update between the read of the LSB
@@ -73,7 +82,8 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
 	do {
 		read2 = read1;
 		read1 = rtc_read_lpsrt(data);
-	} while (read1 != read2 && --timeout);
+		diff = read1 - read2;
+	} while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout);
 	if (!timeout)
 		dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n");
 
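Review bot: `diff = read1 - read2;` subtracts two u64 values and stores the result in an s64, so a backwards read (read1 < read2) only shows up as `diff < 0` through the wrap-around of the unsigned subtraction and its conversion to signed; that is how GCC on Linux behaves, but a comment stating that the negative case is intentional would make the `(diff < 0)` half of the condition self-explanatory.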
@@ -85,13 +95,15 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
 static int rtc_read_lp_counter_lsb(struct snvs_rtc_data *data, u32 *lsb)
 {
 	u32 count1, count2;
+	s32 diff;
 	unsigned int timeout = 100;
 
 	regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1);
 	do {
 		count2 = count1;
 		regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1);
-	} while (count1 != count2 && --timeout);
+		diff = count1 - count2;
+	} while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout);
 	if (!timeout) {
 		dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n");
 		return -ETIMEDOUT;
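Review bot: `diff = count1 - count2;` is computed modulo 2^32 on the u32 LSB register before conversion to s32, so a wrap of the low word between the two reads (count2 near 0xffffffff, count1 small) still yields a small positive diff and passes the check, which is the desired behaviour; the u64 path in rtc_read_lp_counter() gets the same property from 64-bit arithmetic. The two loops are now identical apart from width, so factoring the `(diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)` test into a small helper or macro would avoid the duplication.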
-- 
2.35.1





* [PATCH 4.9 159/251] iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Joerg Roedel, Sasha Levin

From: Yuan Can <yuancan@huawei.com>

[ Upstream commit 73f5fc5f884ad0c5f7d57f66303af64f9f002526 ]

fsl_pamu_probe() returns directly when create_csd() fails, leaving the
irq and memory unreleased.
Fix this by jumping to error if create_csd() returns an error.

Fixes: 695093e38c3e ("iommu/fsl: Freescale PAMU driver and iommu implementation.")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221121082022.19091-1-yuancan@huawei.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/fsl_pamu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/fsl_pamu.c b/drivers/iommu/fsl_pamu.c
index a34355fca37a..4d6bdc465dde 100644
--- a/drivers/iommu/fsl_pamu.c
+++ b/drivers/iommu/fsl_pamu.c
@@ -1131,7 +1131,7 @@ static int fsl_pamu_probe(struct platform_device *pdev)
 		ret = create_csd(ppaact_phys, mem_size, csd_port_id);
 		if (ret) {
 			dev_err(dev, "could not create coherence subdomain\n");
-			return ret;
+			goto error;
 		}
 	}
 
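Review bot: Switching `return ret;` to `goto error;` keeps the error value from create_csd() in `ret`, but the fix is only complete if the `error` label (outside this hunk) releases the irq and memory the commit message says were leaked and then returns `ret` rather than a fixed code; the reviewer should check the label body once, and confirm that everything freed there has already been allocated at this point in probe.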
-- 
2.35.1





* [PATCH 4.9 160/251] macintosh: fix possible memory leak in macio_add_one_device()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Michael Ellerman,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 5ca86eae55a2f006e6c1edd2029b2cacb6979515 ]

After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of device is allocated dynamically. It
needs to be freed when of_device_register() fails. Call put_device() to
give up the reference that's taken in device_initialize(), so that it
can be freed in kobject_cleanup() when the refcount hits 0.

The macio device is freed in macio_release_dev(), so the kfree() can be
removed.

Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221104032551.1075335-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/macintosh/macio_asic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/macintosh/macio_asic.c b/drivers/macintosh/macio_asic.c
index 3f041b187033..04da09af5531 100644
--- a/drivers/macintosh/macio_asic.c
+++ b/drivers/macintosh/macio_asic.c
@@ -425,7 +425,7 @@ static struct macio_dev * macio_add_one_device(struct macio_chip *chip,
 	if (of_device_register(&dev->ofdev) != 0) {
 		printk(KERN_DEBUG"macio: device registration error for %s!\n",
 		       dev_name(&dev->ofdev.dev));
-		kfree(dev);
+		put_device(&dev->ofdev.dev);
 		return NULL;
 	}
 
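Review bot: Replacing kfree(dev) with put_device(&dev->ofdev.dev) is the right way to drop the reference taken by device_initialize(); after that line `dev` must be treated as freed, which the immediate `return NULL;` respects, so no use-after-free is introduced. Drive-by nit in the unchanged context: `printk(KERN_DEBUG"macio: ...` lacks a space after KERN_DEBUG.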
-- 
2.35.1





* [PATCH 4.9 161/251] macintosh/macio-adb: check the return value of ioremap()
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hacash Robot, Xie Shaowen,
	Michael Ellerman, Sasha Levin

From: Xie Shaowen <studentxswpy@163.com>

[ Upstream commit dbaa3105736d4d73063ea0a3b01cd7fafce924e6 ]

The function ioremap() in macio_init() can fail, so its return value
should be checked.

Fixes: 36874579dbf4c ("[PATCH] powerpc: macio-adb build fix")
Reported-by: Hacash Robot <hacashRobot@santino.com>
Signed-off-by: Xie Shaowen <studentxswpy@163.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220802074148.3213659-1-studentxswpy@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/macintosh/macio-adb.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/macintosh/macio-adb.c b/drivers/macintosh/macio-adb.c
index 87de8d9bcfad..e620c50768cd 100644
--- a/drivers/macintosh/macio-adb.c
+++ b/drivers/macintosh/macio-adb.c
@@ -106,6 +106,10 @@ int macio_init(void)
 		return -ENXIO;
 	}
 	adb = ioremap(r.start, sizeof(struct adb_regs));
+	if (!adb) {
+		of_node_put(adbs);
+		return -ENOMEM;
+	}
 
 	out_8(&adb->ctrl.r, 0);
 	out_8(&adb->intr.r, 0);
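Review bot: The new NULL check drops the adbs node reference and returns -ENOMEM, which is the usual code for an ioremap() failure; it is consistent with the `return -ENXIO;` path just above only if that path also releases adbs, so the reviewer should confirm the two error paths are symmetric. If more cleanup is added later, a shared `goto` label would keep them from diverging.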
-- 
2.35.1





* [PATCH 4.9 162/251] powerpc/52xx: Fix a resource leak in an error handling path
From: Greg Kroah-Hartman @ 2023-01-05 12:54 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET,
	Michael Ellerman, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 5836947613ef33d311b4eff6a32d019580a214f5 ]

The error handling path of mpc52xx_lpbfifo_probe() has a request_irq()
that is not balanced by a corresponding free_irq().

Add the missing call, as already done in the remove function.

Fixes: 3c9059d79f5e ("powerpc/5200: add LocalPlus bus FIFO device driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/dec1496d46ccd5311d0f6e9f9ca4238be11bf6a6.1643440531.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
index 7bb42a0100de..caaaaf2bea52 100644
--- a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
+++ b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
@@ -531,6 +531,7 @@ static int mpc52xx_lpbfifo_probe(struct platform_device *op)
  err_bcom_rx_irq:
 	bcom_gen_bd_rx_release(lpbfifo.bcom_rx_task);
  err_bcom_rx:
+	free_irq(lpbfifo.irq, &lpbfifo);
  err_irq:
 	iounmap(lpbfifo.regs);
 	lpbfifo.regs = NULL;
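Review bot: Placing free_irq() at `err_bcom_rx:`, ahead of the iounmap() under `err_irq:`, is the correct order, since the handler could otherwise run against unmapped registers; it assumes `err_bcom_rx` is only reached after request_irq() succeeded, which the label naming suggests but should be verified against the jumps in probe. The commit message notes the remove path already does this, so the probe error path now mirrors it.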
-- 
2.35.1





* [PATCH 4.9 163/251] powerpc/perf: callchain validate kernel stack pointer bounds
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nicholas Piggin, Michael Ellerman,
	Sasha Levin

From: Nicholas Piggin <npiggin@gmail.com>

[ Upstream commit 32c5209214bd8d4f8c4e9d9b630ef4c671f58e79 ]

The interrupt frame detection and loads from the hypothetical pt_regs
are not bounds-checked. The next-frame validation only bounds-checks
STACK_FRAME_OVERHEAD, which does not include the pt_regs. Add another
test for this.

The user could set r1 to be equal to the address matching the first
interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page
due to the kernel redzone, and induce the kernel to load the marker from
there. Possibly this could cause a crash at least. If the user could
induce the previous page to contain a valid marker, then it might be
able to direct perf to read specific memory addresses in a way that
could be transmitted back to the user in the perf data.

Fixes: 20002ded4d93 ("perf_counter: powerpc: Add callchain support")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221127124942.1665522-4-npiggin@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/perf/callchain.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c
index 0fc26714780a..a4c4685096f8 100644
--- a/arch/powerpc/perf/callchain.c
+++ b/arch/powerpc/perf/callchain.c
@@ -67,6 +67,7 @@ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *re
 		next_sp = fp[0];
 
 		if (next_sp == sp + STACK_INT_FRAME_SIZE &&
+		    validate_sp(sp, current, STACK_INT_FRAME_SIZE) &&
 		    fp[STACK_FRAME_MARKER] == STACK_FRAME_REGS_MARKER) {
 			/*
 			 * This looks like an interrupt frame for an
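Review bot: The added validate_sp(sp, current, STACK_INT_FRAME_SIZE) sits before the fp[STACK_FRAME_MARKER] load in the same `&&` chain, so the marker is no longer read from a frame whose full extent has not been checked against the task's stack; short-circuit evaluation is what makes this ordering matter, and a comment saying the marker load depends on the preceding check would guard against a future reorder. This closes the unchecked read the commit message describes without changing which frames are accepted.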
-- 
2.35.1





* [PATCH 4.9 164/251] powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Michael Ellerman,
	Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 4d0eea415216fe3791da2f65eb41399e70c7bedf ]

If platform_device_add() is not called or fails, platform_device_del()
cannot be used to clean up the memory; platform_device_put() should be
called in the error case.

Fixes: 26f6cb999366 ("[POWERPC] fsl_soc: add support for fsl_spi")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221029111626.429971-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/83xx/mpc832x_rdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/83xx/mpc832x_rdb.c b/arch/powerpc/platforms/83xx/mpc832x_rdb.c
index d7c9b186954d..3e5e51de9a0d 100644
--- a/arch/powerpc/platforms/83xx/mpc832x_rdb.c
+++ b/arch/powerpc/platforms/83xx/mpc832x_rdb.c
@@ -111,7 +111,7 @@ static int __init of_fsl_spi_probe(char *type, char *compatible, u32 sysclk,
 
 		goto next;
 unreg:
-		platform_device_del(pdev);
+		platform_device_put(pdev);
 err:
 		pr_err("%s: registration failed\n", np->full_name);
 next:
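Review bot: platform_device_put() is the correct release for a device that was never successfully platform_device_add()ed, but the `unreg:` label must then only be reached from failures before or inside platform_device_add(); if any jump to `unreg` follows a successful add, that path now leaks the registration and needs platform_device_del() first. A comment on the label stating that precondition would help.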
-- 
2.35.1





* [PATCH 4.9 165/251] powerpc/hv-gpci: Fix hv_gpci event list
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kajol Jain, Madhavan Srinivasan,
	Athira Rajeev, Michael Ellerman, Sasha Levin

From: Kajol Jain <kjain@linux.ibm.com>

[ Upstream commit 03f7c1d2a49acd30e38789cd809d3300721e9b0e ]

Based on getPerfCountInfo v1.018 documentation, some of the
hv_gpci events were deprecated for platform firmware that
supports counter_info_version 0x8 or above.

Fix the hv_gpci event list by adding a new attribute group
called "hv_gpci_event_attrs_v6" and a "ENABLE_EVENTS_COUNTERINFO_V6"
macro to enable these events for platform firmware
that supports counter_info_version 0x6 or below. And assign
the hv_gpci event list based on the output counter info version
of the underlying platform.

Fixes: 97bf2640184f ("powerpc/perf/hv-gpci: add the remaining gpci requests")
Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
Reviewed-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Reviewed-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221130174513.87501-1-kjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/perf/hv-gpci-requests.h |  4 ++++
 arch/powerpc/perf/hv-gpci.c          | 33 +++++++++++++++++++++++++++-
 arch/powerpc/perf/hv-gpci.h          |  1 +
 arch/powerpc/perf/req-gen/perf.h     | 20 +++++++++++++++++
 4 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h
index 5ea24d16a74a..2530dd0c3788 100644
--- a/arch/powerpc/perf/hv-gpci-requests.h
+++ b/arch/powerpc/perf/hv-gpci-requests.h
@@ -78,6 +78,7 @@ REQUEST(__field(0,	8,	partition_id)
 )
 #include I(REQUEST_END)
 
+#ifdef ENABLE_EVENTS_COUNTERINFO_V6
 /*
  * Not available for counter_info_version >= 0x8, use
  * run_instruction_cycles_by_partition(0x100) instead.
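Review bot: The `#ifdef ENABLE_EVENTS_COUNTERINFO_V6` guard makes this request appear only when the macro is defined, which is the intent, but the comment "Not available for counter_info_version >= 0x8" should also name the macro so a reader of this file alone understands why the request is conditional.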
@@ -91,6 +92,7 @@ REQUEST(__field(0,	8,	partition_id)
 	__count(0x10,	8,	cycles)
 )
 #include I(REQUEST_END)
+#endif
 
 #define REQUEST_NAME system_performance_capabilities
 #define REQUEST_NUM 0x40
@@ -102,6 +104,7 @@ REQUEST(__field(0,	1,	perf_collect_privileged)
 )
 #include I(REQUEST_END)
 
+#ifdef ENABLE_EVENTS_COUNTERINFO_V6
 #define REQUEST_NAME processor_bus_utilization_abc_links
 #define REQUEST_NUM 0x50
 #define REQUEST_IDX_KIND "hw_chip_id=?"
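Review bot: This `#ifdef ENABLE_EVENTS_COUNTERINFO_V6` opens a guard spanning several REQUEST blocks (0x50 onward) that is closed in the next hunk; a trailing `/* ENABLE_EVENTS_COUNTERINFO_V6 */` on the matching `#endif` would make the extent of the guarded region clear.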
@@ -193,6 +196,7 @@ REQUEST(__field(0,	4,	phys_processor_idx)
 	__count(0x28,	8,	instructions_completed)
 )
 #include I(REQUEST_END)
+#endif
 
 /* Processor_core_power_mode (0x95) skipped, no counters */
 /* Affinity_domain_information_by_virtual_processor (0xA0) skipped,
diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c
index 160b86d9d819..126409bb5626 100644
--- a/arch/powerpc/perf/hv-gpci.c
+++ b/arch/powerpc/perf/hv-gpci.c
@@ -74,7 +74,7 @@ static struct attribute_group format_group = {
 
 static struct attribute_group event_group = {
 	.name  = "events",
-	.attrs = hv_gpci_event_attrs,
+	/* .attrs is set in init */
 };
 
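Review bot: Leaving event_group.attrs unset until hv_gpci_init() is fine provided nothing walks the group's attribute list before init assigns it; the group is only exposed via perf_pmu_register() at the end of init, so that holds, but the comment should say so rather than just `/* .attrs is set in init */`.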
 #define HV_CAPS_ATTR(_name, _format)				\
@@ -292,6 +292,7 @@ static int hv_gpci_init(void)
 	int r;
 	unsigned long hret;
 	struct hv_perf_caps caps;
+	struct hv_gpci_request_buffer *arg;
 
 	hv_gpci_assert_offsets_correct();
 
@@ -310,6 +311,36 @@ static int hv_gpci_init(void)
 	/* sampling not supported */
 	h_gpci_pmu.capabilities |= PERF_PMU_CAP_NO_INTERRUPT;
 
+	arg = (void *)get_cpu_var(hv_gpci_reqb);
+	memset(arg, 0, HGPCI_REQ_BUFFER_SIZE);
+
+	/*
+	 * hcall H_GET_PERF_COUNTER_INFO populates the output
+	 * counter_info_version value based on the system hypervisor.
+	 * Pass the counter request 0x10 corresponds to request type
+	 * 'Dispatch_timebase_by_processor', to get the supported
+	 * counter_info_version.
+	 */
+	arg->params.counter_request = cpu_to_be32(0x10);
+
+	r = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO,
+			virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE);
+	if (r) {
+		pr_devel("hcall failed, can't get supported counter_info_version: 0x%x\n", r);
+		arg->params.counter_info_version_out = 0x8;
+	}
+
+	/*
+	 * Use counter_info_version_out value to assign
+	 * required hv-gpci event list.
+	 */
+	if (arg->params.counter_info_version_out >= 0x8)
+		event_group.attrs = hv_gpci_event_attrs;
+	else
+		event_group.attrs = hv_gpci_event_attrs_v6;
+
+	put_cpu_var(hv_gpci_reqb);
+
 	r = perf_pmu_register(&h_gpci_pmu, h_gpci_pmu.name, -1);
 	if (r)
 		return r;
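Review bot: `arg->params.counter_info_version_out` is compared raw against 0x8 while `counter_request` is written with cpu_to_be32(); that is only correct if version_out is a single-byte field, which the reviewer should confirm against hv_gpci_request_buffer, otherwise it needs a byte swap. Also, on hcall failure the code silently assumes version 0x8 and hides the failure behind pr_devel(), so older firmware whose hcall fails would lose the v6 events with no visible diagnostic; a pr_warn() is more appropriate for a one-time init fallback. Finally, get_cpu_var() disables preemption for the duration of the hcall, which is acceptable at init but worth a comment.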
diff --git a/arch/powerpc/perf/hv-gpci.h b/arch/powerpc/perf/hv-gpci.h
index 86ede8275961..83300e73c398 100644
--- a/arch/powerpc/perf/hv-gpci.h
+++ b/arch/powerpc/perf/hv-gpci.h
@@ -52,6 +52,7 @@ enum {
 #define REQUEST_FILE "../hv-gpci-requests.h"
 #define NAME_LOWER hv_gpci
 #define NAME_UPPER HV_GPCI
+#define ENABLE_EVENTS_COUNTERINFO_V6
 #include "req-gen/perf.h"
 #undef REQUEST_FILE
 #undef NAME_LOWER
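Review bot: Defining ENABLE_EVENTS_COUNTERINFO_V6 here and relying on req-gen/perf.h to `#undef` it midway through makes the define/undef pair span two files; a comment beside this `#define` pointing at the `#undef` in req-gen/perf.h would make the coupling visible to anyone touching either file.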
diff --git a/arch/powerpc/perf/req-gen/perf.h b/arch/powerpc/perf/req-gen/perf.h
index 1b122469323d..9628b57a8635 100644
--- a/arch/powerpc/perf/req-gen/perf.h
+++ b/arch/powerpc/perf/req-gen/perf.h
@@ -137,6 +137,26 @@ PMU_EVENT_ATTR_STRING(							\
 #define REQUEST_(r_name, r_value, r_idx_1, r_fields)			\
 	r_fields
 
+/* Generate event list for platforms with counter_info_version 0x6 or below */
+static __maybe_unused struct attribute *hv_gpci_event_attrs_v6[] = {
+#include REQUEST_FILE
+	NULL
+};
+
+/*
+ * Based on getPerfCountInfo v1.018 documentation, some of the hv-gpci
+ * events were deprecated for platform firmware that supports
+ * counter_info_version 0x8 or above.
+ * Those deprecated events are still part of platform firmware that
+ * support counter_info_version 0x6 and below. As per the getPerfCountInfo
+ * v1.018 documentation there is no counter_info_version 0x7.
+ * Undefining macro ENABLE_EVENTS_COUNTERINFO_V6, to disable the addition of
+ * deprecated events in "hv_gpci_event_attrs" attribute group, for platforms
+ * that supports counter_info_version 0x8 or above.
+ */
+#undef ENABLE_EVENTS_COUNTERINFO_V6
+
+/* Generate event list for platforms with counter_info_version 0x8 or above*/
 static __maybe_unused struct attribute *hv_gpci_event_attrs[] = {
 #include REQUEST_FILE
 	NULL
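Review bot: Including REQUEST_FILE twice to generate hv_gpci_event_attrs_v6 and hv_gpci_event_attrs requires the request file to have no include guard; the existing single include did not depend on that, so it is now a hard requirement and deserves a comment. The `#undef ENABLE_EVENTS_COUNTERINFO_V6` between the two arrays is what makes the second list the subset; minor typo, the closing comment `0x8 or above*/` is missing a space before `*/`.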
-- 
2.35.1





* [PATCH 4.9 166/251] selftests/powerpc: Fix resource leaks
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Michael Ellerman, Sasha Levin

From: Miaoqian Lin <linmq006@gmail.com>

[ Upstream commit 8f4ab7da904ab7027ccd43ddb4f0094e932a5877 ]

In check_all_cpu_dscr_defaults, opendir() opens the directory stream.
Add missing closedir() in the error path to release it.

In check_cpu_dscr_default, open() creates an open file descriptor.
Add missing close() in the error path to release it.

Fixes: ebd5858c904b ("selftests/powerpc: Add test for all DSCR sysfs interfaces")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221205084429.570654-1-linmq006@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
index 17fb1b43c320..d6fb6f1125f9 100644
--- a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
+++ b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
@@ -27,6 +27,7 @@ static int check_cpu_dscr_default(char *file, unsigned long val)
 	rc = read(fd, buf, sizeof(buf));
 	if (rc == -1) {
 		perror("read() failed");
+		close(fd);
 		return 1;
 	}
 	close(fd);
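Review bot: Adding close(fd) in the read() error branch fixes the descriptor leak, but the function now has two close(fd) calls on adjacent lines; a cleaner shape is to call close(fd) once unconditionally right after read() and then test `rc == -1`.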
@@ -64,8 +65,10 @@ static int check_all_cpu_dscr_defaults(unsigned long val)
 		if (access(file, F_OK))
 			continue;
 
-		if (check_cpu_dscr_default(file, val))
+		if (check_cpu_dscr_default(file, val)) {
+			closedir(sysfs);
 			return 1;
+		}
 	}
 	closedir(sysfs);
 	return 0;
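Review bot: closedir(sysfs) in the failure branch fixes the directory stream leak; with closedir now on two paths, a `ret = 1; goto out;` with a single closedir at `out:` would keep the two paths from drifting apart if more cleanup is added later.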
-- 
2.35.1





* [PATCH 4.9 167/251] rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Alexandre Belloni,
	Sasha Levin

From: Gaosheng Cui <cuigaosheng1@huawei.com>

[ Upstream commit 5fb733d7bd6949e90028efdce8bd528c6ab7cf1e ]

The clk_disable_unprepare() should be called in the error handling
of clk_get_rate(), fix it.

Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221123014805.1993052-1-cuigaosheng1@huawei.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-st-lpc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c
index 74c0a336ceea..85756ef63c22 100644
--- a/drivers/rtc/rtc-st-lpc.c
+++ b/drivers/rtc/rtc-st-lpc.c
@@ -249,6 +249,7 @@ static int st_rtc_probe(struct platform_device *pdev)
 
 	rtc->clkrate = clk_get_rate(rtc->clk);
 	if (!rtc->clkrate) {
+		clk_disable_unprepare(rtc->clk);
 		dev_err(&pdev->dev, "Unable to fetch clock rate\n");
 		return -EINVAL;
 	}
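
Review bot: nit on ordering in the new error branch: logging with dev_err() and then calling clk_disable_unprepare() reads more naturally and matches the usual cleanup-last layout, although the behaviour is identical. More importantly, any later error return in st_rtc_probe() (outside this hunk) needs the same clk_disable_unprepare(), otherwise only this one leak is fixed; a devm_-managed cleanup action for the clock enable would remove the manual unwinding altogether.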
-- 
2.35.1


* [PATCH 4.9 168/251] nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiyu Yang, J. Bruce Fields,
	Dan Aloni, Jeff Layton, Chuck Lever, Sasha Levin

From: Dan Aloni <dan.aloni@vastdata.com>

[ Upstream commit 3bc8edc98bd43540dbe648e4ef91f443d6d20a24 ]

In an error situation, `clp->cl_cb_conn.cb_xprt` should not be given
a reference to the xprt, otherwise both client cleanup and the
error handling path of the caller put it. Better to
delay handing over the reference to a later branch.

[   72.530665] refcount_t: underflow; use-after-free.
[   72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120
[   72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]
[   72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G           OE     5.15.82-dan #1
[   72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014
[   72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]
[   72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120
[   72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48
[   72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286
[   72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000
[   72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0
[   72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff
[   72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180
[   72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0
[   72.552089] FS:  0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000
[   72.553175] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0
[   72.554874] Call Trace:
[   72.555278]  <TASK>
[   72.555614]  svc_xprt_put+0xaf/0xe0 [sunrpc]
[   72.556276]  nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]
[   72.557087]  ? update_load_avg+0x82/0x610
[   72.557652]  ? cpuacct_charge+0x60/0x70
[   72.558212]  ? dequeue_entity+0xdb/0x3e0
[   72.558765]  ? queued_spin_unlock+0x9/0x20
[   72.559358]  nfsd4_run_cb_work+0xfc/0x270 [nfsd]
[   72.560031]  process_one_work+0x1df/0x390
[   72.560600]  worker_thread+0x37/0x3b0
[   72.561644]  ? process_one_work+0x390/0x390
[   72.562247]  kthread+0x12f/0x150
[   72.562710]  ? set_kthread_struct+0x50/0x50
[   72.563309]  ret_from_fork+0x22/0x30
[   72.563818]  </TASK>
[   72.564189] ---[ end trace 031117b1c72ec616 ]---
[   72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).
[   72.567647] ------------[ cut here ]------------

Fixes: a4abc6b12eb1 ("nfsd: Fix svc_xprt refcnt leak when setup callback client failed")
Cc: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Cc: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Dan Aloni <dan.aloni@vastdata.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfsd/nfs4callback.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index 172f697864ab..39d6b5c53131 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -808,7 +808,6 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
 	} else {
 		if (!conn->cb_xprt)
 			return -EINVAL;
-		clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
 		clp->cl_cb_session = ses;
 		args.bc_xprt = conn->cb_xprt;
 		args.prognumber = clp->cl_cb_session->se_cb_prog;
@@ -828,6 +827,9 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
 		rpc_shutdown_client(client);
 		return PTR_ERR(cred);
 	}
+
+	if (clp->cl_minorversion != 0)
+		clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
 	clp->cl_cb_client = client;
 	clp->cl_cb_cred = cred;
 	return 0;
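
Review bot: the new `if (clp->cl_minorversion != 0)` guard re-encodes the if/else condition from the first hunk (where the assignment used to live in the else branch), so the two must be kept in sync; a short comment stating that the xprt reference is handed to `clp->cl_cb_conn.cb_xprt` only once rpc_create() and credential setup can no longer fail, because on the `PTR_ERR(cred)` return just above the caller still owns that reference, would make the intent explicit. That deferral is what removes the second svc_xprt_put() behind the refcount underflow in the commit message.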
-- 
2.35.1


* [PATCH 4.9 169/251] mISDN: hfcsusb: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexander Duyck,
	Jakub Kicinski, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit ddc9648db162eee556edd5222d2808fe33730203 ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is the free reason: dev_kfree_skb_irq() means
the SKB is dropped in error and dev_consume_skb_irq() means the SKB
is consumed normally.

skb_queue_purge() is called under spin_lock_irqsave() in hfcusb_l2l1D(),
kfree_skb() is called in it, to fix this, use skb_queue_splice_init()
to move the dch->squeue to a free queue, also enqueue the tx_skb and
rx_skb, at last calling __skb_queue_purge() to free the SKBs after unlock.

In tx_iso_complete(), dev_kfree_skb() is called to consume the transmitted
SKB, so replace it with dev_consume_skb_irq().

Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 726fba452f5f..4c49ef9fc391 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -337,20 +337,24 @@ hfcusb_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
 		test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
 
 		if (hw->protocol == ISDN_P_NT_S0) {
+			struct sk_buff_head free_queue;
+
+			__skb_queue_head_init(&free_queue);
 			hfcsusb_ph_command(hw, HFC_L1_DEACTIVATE_NT);
 			spin_lock_irqsave(&hw->lock, flags);
-			skb_queue_purge(&dch->squeue);
+			skb_queue_splice_init(&dch->squeue, &free_queue);
 			if (dch->tx_skb) {
-				dev_kfree_skb(dch->tx_skb);
+				__skb_queue_tail(&free_queue, dch->tx_skb);
 				dch->tx_skb = NULL;
 			}
 			dch->tx_idx = 0;
 			if (dch->rx_skb) {
-				dev_kfree_skb(dch->rx_skb);
+				__skb_queue_tail(&free_queue, dch->rx_skb);
 				dch->rx_skb = NULL;
 			}
 			test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
 			spin_unlock_irqrestore(&hw->lock, flags);
+			__skb_queue_purge(&free_queue);
 #ifdef FIXME
 			if (test_and_clear_bit(FLG_L1_BUSY, &dch->Flags))
 				dchannel_sched_event(&hc->dch, D_CLEARBUSY);
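
Review bot: `__skb_queue_head_init()`, `skb_queue_splice_init()` into free_queue and `__skb_queue_tail()` are all lockless with respect to free_queue, which is fine because free_queue is a private on-stack list; hw->lock protects the dch->squeue side. A one-line comment at the declaration saying that skbs are only collected here and freed after spin_unlock_irqrestore() would stop a later change from calling `__skb_queue_purge()` or adding an early return while the lock is still held. Small behavioural note: `__skb_queue_purge()` frees with kfree_skb(), so tx_skb/rx_skb, previously released via dev_kfree_skb() (consume_skb), now show up in the kfree_skb drop tracepoint; harmless, but worth knowing when reading drop counters.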
@@ -1340,7 +1344,7 @@ tx_iso_complete(struct urb *urb)
 					printk("\n");
 				}
 
-				dev_kfree_skb(tx_skb);
+				dev_consume_skb_irq(tx_skb);
 				tx_skb = NULL;
 				if (fifo->dch && get_next_dframe(fifo->dch))
 					tx_skb = fifo->dch->tx_skb;
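
Review bot: dev_consume_skb_irq() is the right call for a URB completion handler and keeps this normal-completion path out of the kfree_skb drop tracepoint (the "consumed" case the commit message distinguishes); worth checking that no other dev_kfree_skb() remains in tx_iso_complete() or in the rx completion path, since they run in the same context.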
-- 
2.35.1


* [PATCH 4.9 170/251] mISDN: hfcpci: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexander Duyck,
	Jakub Kicinski, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f0f596bd75a9d573ca9b587abb39cee0b916bb82 ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

skb_queue_purge() is called under spin_lock_irqsave() in hfcpci_l2l1D(),
kfree_skb() is called in it, to fix this, use skb_queue_splice_init()
to move the dch->squeue to a free queue, also enqueue the tx_skb and
rx_skb, at last calling __skb_queue_purge() to free the SKBs after unlock.

Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcpci.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
index 89cf1d695a01..e33b58f560bf 100644
--- a/drivers/isdn/hardware/mISDN/hfcpci.c
+++ b/drivers/isdn/hardware/mISDN/hfcpci.c
@@ -1631,16 +1631,19 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
 		test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
 		spin_lock_irqsave(&hc->lock, flags);
 		if (hc->hw.protocol == ISDN_P_NT_S0) {
+			struct sk_buff_head free_queue;
+
+			__skb_queue_head_init(&free_queue);
 			/* prepare deactivation */
 			Write_hfc(hc, HFCPCI_STATES, 0x40);
-			skb_queue_purge(&dch->squeue);
+			skb_queue_splice_init(&dch->squeue, &free_queue);
 			if (dch->tx_skb) {
-				dev_kfree_skb(dch->tx_skb);
+				__skb_queue_tail(&free_queue, dch->tx_skb);
 				dch->tx_skb = NULL;
 			}
 			dch->tx_idx = 0;
 			if (dch->rx_skb) {
-				dev_kfree_skb(dch->rx_skb);
+				__skb_queue_tail(&free_queue, dch->rx_skb);
 				dch->rx_skb = NULL;
 			}
 			test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
@@ -1653,10 +1656,12 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
 			hc->hw.mst_m &= ~HFCPCI_MASTER;
 			Write_hfc(hc, HFCPCI_MST_MODE, hc->hw.mst_m);
 			ret = 0;
+			spin_unlock_irqrestore(&hc->lock, flags);
+			__skb_queue_purge(&free_queue);
 		} else {
 			ret = l1_event(dch->l1, hh->prim);
+			spin_unlock_irqrestore(&hc->lock, flags);
 		}
-		spin_unlock_irqrestore(&hc->lock, flags);
 		break;
 	}
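
Review bot: the common `spin_unlock_irqrestore()` is duplicated into both branches only because `free_queue` is scoped inside the `if`; declaring it at function scope and initialising it before the `spin_lock_irqsave()` (as the hfcmulti change in this series does for hfcm_l1callback()) would let the single unlock stay and `__skb_queue_purge(&free_queue)` follow it unconditionally, since purging an empty list is a no-op. Either way, nothing between `ret = 0;` and the unlock may return early, or the spliced skbs leak.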
 	if (!ret)
-- 
2.35.1


* [PATCH 4.9 171/251] mISDN: hfcmulti: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexander Duyck,
	Jakub Kicinski, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 1232946cf522b8de9e398828bde325d7c41f29dd ]

It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.

skb_queue_purge() is called under spin_lock_irqsave() in handle_dmsg()
and hfcm_l1callback(), kfree_skb() is called in them, to fix this, use
skb_queue_splice_init() to move the dch->squeue to a free queue, also
enqueue the tx_skb and rx_skb, at last calling __skb_queue_purge() to
free the SKBs after unlock.

Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcmulti.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
index 8feb8e9e29a6..decec530bdf4 100644
--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
+++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
@@ -3234,6 +3234,7 @@ static int
 hfcm_l1callback(struct dchannel *dch, u_int cmd)
 {
 	struct hfc_multi	*hc = dch->hw;
+	struct sk_buff_head	free_queue;
 	u_long	flags;
 
 	switch (cmd) {
@@ -3262,6 +3263,7 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd)
 		l1_event(dch->l1, HW_POWERUP_IND);
 		break;
 	case HW_DEACT_REQ:
+		__skb_queue_head_init(&free_queue);
 		/* start deactivation */
 		spin_lock_irqsave(&hc->lock, flags);
 		if (hc->ctype == HFC_TYPE_E1) {
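
Review bot: initialising `free_queue` only in the HW_DEACT_REQ case is correct as long as it is touched nowhere else; since the variable is function-scoped, either a comment at the `__skb_queue_head_init()` or moving the init to the declaration would keep a future case from calling `__skb_queue_purge()` on an uninitialised list.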
@@ -3281,20 +3283,21 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd)
 				plxsd_checksync(hc, 0);
 			}
 		}
-		skb_queue_purge(&dch->squeue);
+		skb_queue_splice_init(&dch->squeue, &free_queue);
 		if (dch->tx_skb) {
-			dev_kfree_skb(dch->tx_skb);
+			__skb_queue_tail(&free_queue, dch->tx_skb);
 			dch->tx_skb = NULL;
 		}
 		dch->tx_idx = 0;
 		if (dch->rx_skb) {
-			dev_kfree_skb(dch->rx_skb);
+			__skb_queue_tail(&free_queue, dch->rx_skb);
 			dch->rx_skb = NULL;
 		}
 		test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
 		if (test_and_clear_bit(FLG_BUSY_TIMER, &dch->Flags))
 			del_timer(&dch->timer);
 		spin_unlock_irqrestore(&hc->lock, flags);
+		__skb_queue_purge(&free_queue);
 		break;
 	case HW_POWERUP_REQ:
 		spin_lock_irqsave(&hc->lock, flags);
@@ -3401,6 +3404,9 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
 	case PH_DEACTIVATE_REQ:
 		test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
 		if (dch->dev.D.protocol != ISDN_P_TE_S0) {
+			struct sk_buff_head free_queue;
+
+			__skb_queue_head_init(&free_queue);
 			spin_lock_irqsave(&hc->lock, flags);
 			if (debug & DEBUG_HFCMULTI_MSG)
 				printk(KERN_DEBUG
@@ -3422,14 +3428,14 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
 				/* deactivate */
 				dch->state = 1;
 			}
-			skb_queue_purge(&dch->squeue);
+			skb_queue_splice_init(&dch->squeue, &free_queue);
 			if (dch->tx_skb) {
-				dev_kfree_skb(dch->tx_skb);
+				__skb_queue_tail(&free_queue, dch->tx_skb);
 				dch->tx_skb = NULL;
 			}
 			dch->tx_idx = 0;
 			if (dch->rx_skb) {
-				dev_kfree_skb(dch->rx_skb);
+				__skb_queue_tail(&free_queue, dch->rx_skb);
 				dch->rx_skb = NULL;
 			}
 			test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
@@ -3441,6 +3447,7 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
 #endif
 			ret = 0;
 			spin_unlock_irqrestore(&hc->lock, flags);
+			__skb_queue_purge(&free_queue);
 		} else
 			ret = l1_event(dch->l1, hh->prim);
 		break;
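
Review bot: the `#endif` just above shows conditionally compiled code sitting between the splice (previous hunk) and this `__skb_queue_purge()`; none of it may return or `break` early, or the skbs moved to free_queue are leaked instead of freed. The `else` branch is unaffected, as free_queue is only populated inside the `if`.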
-- 
2.35.1


* [PATCH 4.9 172/251] nfc: pn533: Clear nfc_target before being used
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Minsuk Kang, Krzysztof Kozlowski,
	Jakub Kicinski, Sasha Levin

From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>

[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ]

Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.

Found by a modified version of syzkaller.

BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
 memcpy
 nla_put
 nfc_genl_dump_targets
 genl_lock_dumpit
 netlink_dump
 __netlink_dump_start
 genl_family_rcv_msg_dumpit
 genl_rcv_msg
 netlink_rcv_skb
 genl_rcv
 netlink_unicast
 netlink_sendmsg
 sock_sendmsg
 ____sys_sendmsg
 ___sys_sendmsg
 __sys_sendmsg
 do_syscall_64

Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/pn533/pn533.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index 806309ee4165..fe81946a9ab4 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -1294,6 +1294,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
 	if (IS_ERR(resp))
 		return PTR_ERR(resp);
 
+	memset(&nfc_target, 0, sizeof(struct nfc_target));
+
 	rsp = (struct pn533_cmd_jump_dep_response *)resp->data;
 
 	rc = rsp->status & PN533_CMD_RET_MASK;
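
Review bot: `memset(&nfc_target, 0, sizeof(nfc_target))` (object rather than type name) is the more robust spelling; better still, initialise at the declaration (`struct nfc_target nfc_target = {};`) so no path can read the struct before it is zeroed. This is what clears the stack garbage in `sensb_res_len` that the commit message traces through nfc_genl_send_target() into nla_put().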
@@ -1776,6 +1778,8 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
 
 		dev_dbg(dev->dev, "Creating new target\n");
 
+		memset(&nfc_target, 0, sizeof(struct nfc_target));
+
 		nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK;
 		nfc_target.nfcid1_len = 10;
 		memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);
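
Review bot: same remark as for pn533_poll_dep_complete(): an initialiser at the declaration would cover this path too without a separate memset() per function. If the memset stays, it must remain above the `supported_protocols`/`nfcid1_len` assignments as it is here, otherwise it would wipe them.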
-- 
2.35.1


* [PATCH 4.9 173/251] r6040: Fix kmemleak in probe and remove
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li Zetao, Leon Romanovsky,
	Paolo Abeni, Sasha Levin

From: Li Zetao <lizetao1@huawei.com>

[ Upstream commit 7e43039a49c2da45edc1d9d7c9ede4003ab45a5f ]

There is a memory leak reported by kmemleak:

  unreferenced object 0xffff888116111000 (size 2048):
    comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s)
    hex dump (first 32 bytes):
      00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff  ................
      08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    backtrace:
      [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
      [<ffffffff827e20ee>] phy_device_create+0x4e/0x90
      [<ffffffff827e6072>] get_phy_device+0xd2/0x220
      [<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0
      [<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0
      [<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]
      ...

The problem occurs in probe process as follows:
  r6040_init_one:
    mdiobus_register
      mdiobus_scan    <- alloc and register phy_device,
                         the reference count of phy_device is 3
    r6040_mii_probe
      phy_connect     <- connect to the first phy_device,
                         so the reference count of the first
                         phy_device is 4, others are 3
    register_netdev   <- fault inject succeeded, goto error handling path

    // error handling path
    err_out_mdio_unregister:
      mdiobus_unregister(lp->mii_bus);
    err_out_mdio:
      mdiobus_free(lp->mii_bus);    <- the reference count of the first
                                       phy_device is 1, it is not released
                                       and other phy_devices are released
  // similarly, the remove process also has the same problem

The root cause is traced to the phy_device not being disconnected when
removing one r6040 device in r6040_remove_one() or on the error handling
path after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet
device is connected to the first PHY device of mii_bus, in order to
notify the connected driver when the link status changes, which is the
default behavior of the PHY infrastructure to handle everything.
Therefore the phy_device should be disconnected when removing one r6040
device or on the error handling path.

Fix it by adding phy_disconnect() when removing one r6040 device or on
the error handling path after r6040_mii probed successfully.

Fixes: 3831861b4ad8 ("r6040: implement phylib")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20221213125614.927754-1-lizetao1@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/rdc/r6040.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/rdc/r6040.c b/drivers/net/ethernet/rdc/r6040.c
index 065a63123863..4a963b4ec0eb 100644
--- a/drivers/net/ethernet/rdc/r6040.c
+++ b/drivers/net/ethernet/rdc/r6040.c
@@ -1185,10 +1185,12 @@ static int r6040_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 	err = register_netdev(dev);
 	if (err) {
 		dev_err(&pdev->dev, "Failed to register net device\n");
-		goto err_out_mdio_unregister;
+		goto err_out_phy_disconnect;
 	}
 	return 0;
 
+err_out_phy_disconnect:
+	phy_disconnect(dev->phydev);
 err_out_mdio_unregister:
 	mdiobus_unregister(lp->mii_bus);
 err_out_mdio:
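
Review bot: `err_out_phy_disconnect` is reached only from the register_netdev() failure, which is correct because dev->phydev is set by the earlier r6040_mii_probe(); any other error exit between r6040_mii_probe() and register_netdev() (not shown here) would also have to go through the new label instead of `err_out_mdio_unregister`, so it is worth confirming that register_netdev() is the only call in between.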
@@ -1212,6 +1214,7 @@ static void r6040_remove_one(struct pci_dev *pdev)
 	struct r6040_private *lp = netdev_priv(dev);
 
 	unregister_netdev(dev);
+	phy_disconnect(dev->phydev);
 	mdiobus_unregister(lp->mii_bus);
 	mdiobus_free(lp->mii_bus);
 	netif_napi_del(&lp->napi);
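
Review bot: ordering looks right: phy_disconnect() after unregister_netdev(), so the netdev no longer uses the PHY, and before mdiobus_unregister()/mdiobus_free(), the reverse of the probe order; this drops the extra reference the commit message attributes to phy_connect() and lets mdiobus_free() release the first phy_device like the others.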
-- 
2.35.1


* [PATCH 4.9 174/251] openvswitch: Fix flow lookup to use unmasked key
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eelco Chaudron, David S. Miller,
	Sasha Levin

From: Eelco Chaudron <echaudro@redhat.com>

[ Upstream commit 68bb10101e6b0a6bb44e9c908ef795fc4af99eae ]

The commit mentioned below causes the ovs_flow_tbl_lookup() function
to be called with the masked key. However, it's supposed to be called
with the unmasked key. This is due to the fact that the datapath supports
installing wider flows, and OVS relies on this behavior. For example
if ipv4(src=1.1.1.1/192.0.0.0, dst=1.1.1.2/192.0.0.0) exists, a wider
flow (smaller mask) of ipv4(src=192.1.1.1/128.0.0.0,dst=192.1.1.2/
128.0.0.0) is allowed to be added.

However, if we try to add a wildcard rule, the installation fails:

$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \
  ipv4(src=1.1.1.1/192.0.0.0,dst=1.1.1.2/192.0.0.0,frag=no)" 2
$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \
  ipv4(src=192.1.1.1/0.0.0.0,dst=49.1.1.2/0.0.0.0,frag=no)" 2
ovs-vswitchd: updating flow table (File exists)

The reason is that the key used to determine if the flow is already
present in the system uses the original key ANDed with the mask.
This results in the IP address not being part of the (miniflow) key,
i.e., being substituted with an all-zero value. When doing the actual
lookup, this results in the key wrongfully matching the first flow,
and therefore the flow does not get installed.

This change reverses the commit below, but rather than having the key
on the stack, it's allocated.

Fixes: 190aa3e77880 ("openvswitch: Fix Frame-size larger than 1024 bytes warning.")

Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/openvswitch/datapath.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 56999d8528a4..e4404f5053ae 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -944,6 +944,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
 	struct sw_flow_mask mask;
 	struct sk_buff *reply;
 	struct datapath *dp;
+	struct sw_flow_key *key;
 	struct sw_flow_actions *acts;
 	struct sw_flow_match match;
 	u32 ufid_flags = ovs_nla_get_ufid_flags(a[OVS_FLOW_ATTR_UFID_FLAGS]);
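
Review bot: `key` should be initialised to NULL at the declaration (`struct sw_flow_key *key = NULL;`): the new `err_kfree_key` label sits below `err_kfree_flow` in the cleanup chain, so any `goto err_kfree_flow` taken before the kzalloc() would otherwise fall through into kfree() with an uninitialised pointer.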
@@ -971,24 +972,26 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
 	}
 
 	/* Extract key. */
-	ovs_match_init(&match, &new_flow->key, false, &mask);
+	key = kzalloc(sizeof(*key), GFP_KERNEL);
+	if (!key) {
+		error = -ENOMEM;
+		goto err_kfree_key;
+	}
+
+	ovs_match_init(&match, key, false, &mask);
 	error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY],
 				  a[OVS_FLOW_ATTR_MASK], log);
 	if (error)
 		goto err_kfree_flow;
 
+	ovs_flow_mask_key(&new_flow->key, key, true, &mask);
+
 	/* Extract flow identifier. */
 	error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID],
-				       &new_flow->key, log);
+				       key, log);
 	if (error)
 		goto err_kfree_flow;
 
-	/* unmasked key is needed to match when ufid is not used. */
-	if (ovs_identifier_is_key(&new_flow->id))
-		match.key = new_flow->id.unmasked_key;
-
-	ovs_flow_mask_key(&new_flow->key, &new_flow->key, true, &mask);
-
 	/* Validate actions. */
 	error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS],
 				     &new_flow->key, &acts, log);
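
Review bot: on kzalloc() failure `goto err_kfree_key` skips `ovs_flow_free(new_flow, false)`, because `err_kfree_key` is placed after `err_kfree_flow`; new_flow is already allocated at this point (the `goto err_kfree_flow` right below relies on that), so it leaks. Jump to `err_kfree_flow` instead; the fall-through `kfree(key)` with key == NULL is harmless. The rest of the restructuring is sound: the identifier and the table lookup now see the unmasked `key`, and `new_flow->key` is masked once via ovs_flow_mask_key().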
@@ -1015,7 +1018,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
 	if (ovs_identifier_is_ufid(&new_flow->id))
 		flow = ovs_flow_tbl_lookup_ufid(&dp->table, &new_flow->id);
 	if (!flow)
-		flow = ovs_flow_tbl_lookup(&dp->table, &new_flow->key);
+		flow = ovs_flow_tbl_lookup(&dp->table, key);
 	if (likely(!flow)) {
 		rcu_assign_pointer(new_flow->sf_acts, acts);
 
@@ -1085,6 +1088,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
 
 	if (reply)
 		ovs_notify(&dp_flow_genl_family, reply, info);
+
+	kfree(key);
 	return 0;
 
 err_unlock_ovs:
@@ -1094,6 +1099,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
 	ovs_nla_free_flow_actions(acts);
 err_kfree_flow:
 	ovs_flow_free(new_flow, false);
+err_kfree_key:
+	kfree(key);
 error:
 	return error;
 }
-- 
2.35.1
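
The masked-versus-unmasked lookup that the commit message above walks through, as an added C example that is not part of the patch or of Open vSwitch: a toy flow table keyed on IPv4 src/dst, with `tbl_lookup()` standing in for ovs_flow_tbl_lookup() and `would_reject()` for the duplicate check in ovs_flow_cmd_new(); all names and addresses are constructed for illustration.

```c
/*
 * Added example (not from the patch or Open vSwitch): why the duplicate
 * check in ovs_flow_cmd_new() must probe the table with the UNMASKED key.
 * Keys are reduced to an IPv4 src/dst pair; values are constructed.
 */
#include <stdint.h>
#include <stdio.h>

struct key  { uint32_t src, dst; };     /* lookup key (IPv4 src/dst)     */
struct flow { struct key key, mask; };  /* key stored already masked     */

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))

static struct key mask_key(struct key k, struct key m)
{
	struct key r = { k.src & m.src, k.dst & m.dst };
	return r;
}

static int key_eq(struct key a, struct key b)
{
	return a.src == b.src && a.dst == b.dst;
}

/*
 * Stand-in for ovs_flow_tbl_lookup(): for every installed flow, apply that
 * flow's own mask to the probe key and compare against the flow's masked
 * key. Returns the index of the first match, or -1 if nothing matches.
 */
static int tbl_lookup(const struct flow *tbl, int n, struct key probe)
{
	int i;

	for (i = 0; i < n; i++)
		if (key_eq(mask_key(probe, tbl[i].mask), tbl[i].key))
			return i;
	return -1;
}

/*
 * The "does this flow already exist?" check before insertion. With
 * use_masked_key the probe is the new flow's key ANDed with its own mask
 * (the behaviour the commit message reverts); otherwise the raw key.
 */
static int would_reject(const struct flow *tbl, int n, struct key k,
			struct key m, int use_masked_key)
{
	struct key probe = use_masked_key ? mask_key(k, m) : k;

	return tbl_lookup(tbl, n, probe) >= 0;
}

/* First flow from the commit message: ipv4(src=1.1.1.1/192.0.0.0, ...). */
static const struct flow installed[] = {
	{ .key  = { IP(1,1,1,1) & IP(192,0,0,0), IP(1,1,1,2) & IP(192,0,0,0) },
	  .mask = { IP(192,0,0,0), IP(192,0,0,0) } },
};

/* Fully wildcarded flow: ipv4(src=192.1.1.1/0.0.0.0, dst=49.1.1.2/0.0.0.0). */
static const struct key wild_key  = { IP(192,1,1,1), IP(49,1,1,2) };
static const struct key wild_mask = { 0, 0 };

/* Wider flow the message says must be accepted: src=192.1.1.1/128.0.0.0. */
static const struct key wider_key  = { IP(192,1,1,1), IP(192,1,1,2) };
static const struct key wider_mask = { IP(128,0,0,0), IP(128,0,0,0) };

/* Broken behaviour: the masked wildcard key is all zero and matches flow 0. */
static int reject_with_masked_key(void)
{
	return would_reject(installed, 1, wild_key, wild_mask, 1);
}

/* Fixed behaviour: 192.1.1.1 & 192.0.0.0 != 0, so nothing matches. */
static int reject_with_unmasked_key(void)
{
	return would_reject(installed, 1, wild_key, wild_mask, 0);
}

/* The wider flow is accepted either way; the bug needs a mask that zeroes
 * the field, which is what a /0 wildcard does. */
static int reject_wider_flow(int use_masked_key)
{
	return would_reject(installed, 1, wider_key, wider_mask,
			    use_masked_key);
}

int main(void)
{
	printf("wildcard add rejected, masked probe:   %d (\"File exists\")\n",
	       reject_with_masked_key());
	printf("wildcard add rejected, unmasked probe: %d (flow installed)\n",
	       reject_with_unmasked_key());
	printf("wider flow rejected: masked=%d unmasked=%d\n",
	       reject_wider_flow(1), reject_wider_flow(0));
	return 0;
}
```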


* [PATCH 4.9 175/251] skbuff: Account for tail adjustment during pull operations
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sean Tranchetti,
	Subash Abhinov Kasiviswanathan, Alexander Duyck, Jakub Kicinski,
	Sasha Levin

From: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>

[ Upstream commit 2d7afdcbc9d32423f177ee12b7c93783aea338fb ]

Extending the tail can have some unexpected side effects if a program uses
a helper like BPF_FUNC_skb_pull_data to read partial content beyond the
head skb headlen when all the skbs in the gso frag_list are linear with no
head_frag -

  kernel BUG at net/core/skbuff.c:4219!
  pc : skb_segment+0xcf4/0xd2c
  lr : skb_segment+0x63c/0xd2c
  Call trace:
   skb_segment+0xcf4/0xd2c
   __udp_gso_segment+0xa4/0x544
   udp4_ufo_fragment+0x184/0x1c0
   inet_gso_segment+0x16c/0x3a4
   skb_mac_gso_segment+0xd4/0x1b0
   __skb_gso_segment+0xcc/0x12c
   udp_rcv_segment+0x54/0x16c
   udp_queue_rcv_skb+0x78/0x144
   udp_unicast_rcv_skb+0x8c/0xa4
   __udp4_lib_rcv+0x490/0x68c
   udp_rcv+0x20/0x30
   ip_protocol_deliver_rcu+0x1b0/0x33c
   ip_local_deliver+0xd8/0x1f0
   ip_rcv+0x98/0x1a4
   deliver_ptype_list_skb+0x98/0x1ec
   __netif_receive_skb_core+0x978/0xc60

Fix this by marking these skbs as GSO_DODGY so segmentation can handle
the tail updates accordingly.

Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
Signed-off-by: Sean Tranchetti <quic_stranche@quicinc.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Link: https://lore.kernel.org/r/1671084718-24796-1-git-send-email-quic_subashab@quicinc.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 5dcdbffdee49..0186fbe06281 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1693,6 +1693,9 @@ unsigned char *__pskb_pull_tail(struct sk_buff *skb, int delta)
 				insp = list;
 			} else {
 				/* Eaten partially. */
+				if (skb_is_gso(skb) && !list->head_frag &&
+				    skb_headlen(list))
+					skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
 
 				if (skb_shared(list)) {
 					/* Sucks! We need to fork list. :-( */
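Review bot: the new condition in the "Eaten partially" branch needs a comment saying why it is there, since nothing in the hunk explains the link between partially pulling a linear, non-head_frag frag_list member and segmentation. The commit message gives the reason: skb_segment() hits a BUG when every frag_list skb is linear without head_frag, and marking the head skb SKB_GSO_DODGY makes the GSO path re-validate instead of trusting the cached state. The comment should also note that the flag is deliberately set on skb (the head) rather than on list, because skb_shinfo(skb) is what the segmentation code consults; something like `/* Tail adjustment breaks skb_segment()'s linear frag_list assumption */` would do.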
-- 
2.35.1





* [PATCH 4.9 176/251] net_sched: reject TCF_EM_SIMPLE case for complex ematch module
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jun Nie, Jamal Hadi Salim,
	Paolo Abeni, Cong Wang, David S. Miller, Sasha Levin,
	syzbot+4caeae4c7103813598ae

From: Cong Wang <cong.wang@bytedance.com>

[ Upstream commit 9cd3fd2054c3b3055163accbf2f31a4426f10317 ]

When TCF_EM_SIMPLE was introduced, it was supposed to be convenient
for ematch implementations:

https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/

"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE
set will simply result in allocating & copy. It's an optimization,
nothing more."

So if an ematch module provides ops->datalen that means it wants a
complex data structure (saved in its em->data) instead of a simple u32
value. We should simply reject such a combination, otherwise this u32
could be misinterpreted as a pointer.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com
Reported-by: Jun Nie <jun.nie@linaro.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/ematch.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index d4d6f9c91e8c..59340d633253 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -259,6 +259,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
 			 * the value carried.
 			 */
 			if (em_hdr->flags & TCF_EM_SIMPLE) {
+				if (em->ops->datalen > 0)
+					goto errout;
 				if (data_len < sizeof(u32))
 					goto errout;
 				em->data = *(u32 *) data;
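Review bot: the new `goto errout` for `em->ops->datalen > 0` does not assign an error code, so what userspace sees depends on whatever err holds at that point, which is outside the hunk. If err is not already -EINVAL there, set it explicitly before the jump so a rejected TCF_EM_SIMPLE plus complex-ematch combination is reported as an invalid argument rather than as whatever the previous step left behind. A one-line comment noting that a non-zero datalen means the module expects a pointer to a data blob, not an inline u32, would also help the next reader.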
-- 
2.35.1





* [PATCH 4.9 177/251] myri10ge: Fix an error handling path in myri10ge_probe()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, David S. Miller,
	Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit d83b950d44d2982c0e62e3d81b0f35ab09431008 ]

Some memory allocated in myri10ge_probe_slices() is not released in the
error handling path of myri10ge_probe().

Add the corresponding kfree(), as already done in the remove function.

Fixes: 0dcffac1a329 ("myri10ge: add multislices support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
index 5eeba263b5f8..d50cee7aae4d 100644
--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
@@ -4152,6 +4152,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 	myri10ge_free_slices(mgp);
 
 abort_with_firmware:
+	kfree(mgp->msix_vectors);
 	myri10ge_dummy_rdma(mgp, 0);
 
 abort_with_ioremap:
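Review bot: kfree(mgp->msix_vectors) is placed under abort_with_firmware, so any error exit that jumps to a later label (abort_with_ioremap onwards) still skips it. That is correct only if msix_vectors is allocated after the firmware step that abort_with_firmware undoes; the hunk does not show the allocation, so confirm the ordering. kfree() on NULL is safe, so paths where the allocation never happened are fine, but also confirm that myri10ge_free_slices(mgp) just above does not already free the same buffer, or the slice-failure path becomes a double free.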
-- 
2.35.1





* [PATCH 4.9 178/251] net: stream: purge sk_error_queue in sk_stream_kill_queues()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Changheon Lee, Eric Dumazet,
	David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 ]

Changheon Lee reported TCP socket leaks, with a nice repro.

It seems we leak TCP sockets with the following sequence:

1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket.

   Each ACK will cook an skb put in error queue, from __skb_tstamp_tx().
   __skb_tstamp_tx() is using skb_clone(), unless
   SOF_TIMESTAMPING_OPT_TSONLY was also requested.

2) If the application is also using MSG_ZEROCOPY, then we put in the
   error queue cloned skbs that had a struct ubuf_info attached to them.

   Whenever a struct ubuf_info is allocated, sock_zerocopy_alloc()
   does a sock_hold().

   As long as the cloned skbs are still in sk_error_queue,
   socket refcount is kept elevated.

3) Application closes the socket, while error queue is not empty.

Since tcp_close() no longer purges the socket error queue,
we might end up with a TCP socket with at least one skb in
error queue keeping the socket alive forever.

This bug can be (ab)used to consume all kernel memory
and freeze the host.

We need to purge the error queue, with proper synchronization
against concurrent writers.

Fixes: 24bcbe1cc69f ("net: stream: don't purge sk_error_queue in sk_stream_kill_queues()")
Reported-by: Changheon Lee <darklight2357@icloud.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/stream.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/core/stream.c b/net/core/stream.c
index 05b63feac7e5..6f5979c6f2b0 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -193,6 +193,12 @@ void sk_stream_kill_queues(struct sock *sk)
 	/* First the read buffer. */
 	__skb_queue_purge(&sk->sk_receive_queue);
 
+	/* Next, the error queue.
+	 * We need to use queue lock, because other threads might
+	 * add packets to the queue without socket lock being held.
+	 */
+	skb_queue_purge(&sk->sk_error_queue);
+
 	/* Next, the write queue. */
 	WARN_ON(!skb_queue_empty(&sk->sk_write_queue));
 
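Review bot: the purge correctly uses the queue-locked skb_queue_purge() rather than the unlocked __skb_queue_purge() used for the receive queue just above, and the comment says why. One more sentence in that comment would make the intent of the fix explicit: error-queue skbs may carry a ubuf_info whose release drops the socket reference taken in sock_zerocopy_alloc(), so purging here is what lets the socket be freed instead of staying alive forever, which is the leak the commit message describes.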
-- 
2.35.1





* [PATCH 4.9 179/251] binfmt_misc: fix shift-out-of-bounds in check_special_flags
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Shixin, Kees Cook, Sasha Levin

From: Liu Shixin <liushixin2@huawei.com>

[ Upstream commit 6a46bf558803dd2b959ca7435a5c143efe837217 ]

UBSAN reported a shift-out-of-bounds warning:

 left shift of 1 by 31 places cannot be represented in type 'int'
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
  ubsan_epilogue+0xa/0x44 lib/ubsan.c:151
  __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322
  check_special_flags fs/binfmt_misc.c:241 [inline]
  create_entry fs/binfmt_misc.c:456 [inline]
  bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654
  vfs_write+0x11e/0x580 fs/read_write.c:582
  ksys_write+0xcf/0x120 fs/read_write.c:637
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 RIP: 0033:0x4194e1

Since the type of Node's flags is unsigned long, we should define these
macros with same type too.

Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102025123.1117184-1-liushixin2@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/binfmt_misc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index 2bda9245cabe..558e4007131e 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -42,10 +42,10 @@ static LIST_HEAD(entries);
 static int enabled = 1;
 
 enum {Enabled, Magic};
-#define MISC_FMT_PRESERVE_ARGV0 (1 << 31)
-#define MISC_FMT_OPEN_BINARY (1 << 30)
-#define MISC_FMT_CREDENTIALS (1 << 29)
-#define MISC_FMT_OPEN_FILE (1 << 28)
+#define MISC_FMT_PRESERVE_ARGV0 (1UL << 31)
+#define MISC_FMT_OPEN_BINARY (1UL << 30)
+#define MISC_FMT_CREDENTIALS (1UL << 29)
+#define MISC_FMT_OPEN_FILE (1UL << 28)
 
 typedef struct {
 	struct list_head list;
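Review bot: changing the four masks to `1UL << n` removes the undefined left shift of a signed int into bit 31 and matches the unsigned long flags field; the `enum {Enabled, Magic}` on the line above is unaffected since those are bit numbers rather than masks. One thing to check outside the hunk: any place that stores the result of `flags & MISC_FMT_*` into an int now gets a value that, for MISC_FMT_PRESERVE_ARGV0, no longer truncates to a negative int on 64-bit. A short comment saying that the enum values are bit indexes while these masks live in the top bits of the same word would help readers keep the two apart.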
-- 
2.35.1





* [PATCH 4.9 180/251] fs: jfs: fix shift-out-of-bounds in dbAllocAG
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+15342c1aa6a00fb7a438,
	Dongliang Mu, Dave Kleikamp, Sasha Levin

From: Dongliang Mu <mudongliangabcd@gmail.com>

[ Upstream commit 898f706695682b9954f280d95e49fa86ffa55d08 ]

Syzbot found a crash: UBSAN: shift-out-of-bounds in dbAllocAG. The
underlying bug is the missing check of bmp->db_agl2size. The field can
be greater than 64 and trigger the shift-out-of-bounds.

Fix this bug by adding a check of bmp->db_agl2size in dbMount since this
field is used in many following functions. The upper bound for this
field is L2MAXL2SIZE - L2MAXAG, thanks to the help of Dave Kleikamp.
Note that, for maintenance, I reorganized the error handling code of dbMount.

Reported-by: syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jfs/jfs_dmap.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a07fbb60ac3c..a46fa0f3db57 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -168,7 +168,7 @@ int dbMount(struct inode *ipbmap)
 	struct bmap *bmp;
 	struct dbmap_disk *dbmp_le;
 	struct metapage *mp;
-	int i;
+	int i, err;
 
 	/*
 	 * allocate/initialize the in-memory bmap descriptor
@@ -183,8 +183,8 @@ int dbMount(struct inode *ipbmap)
 			   BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
 			   PSIZE, 0);
 	if (mp == NULL) {
-		kfree(bmp);
-		return -EIO;
+		err = -EIO;
+		goto err_kfree_bmp;
 	}
 
 	/* copy the on-disk bmap descriptor to its in-memory version. */
@@ -194,9 +194,8 @@ int dbMount(struct inode *ipbmap)
 	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
 	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
 	if (!bmp->db_numag) {
-		release_metapage(mp);
-		kfree(bmp);
-		return -EINVAL;
+		err = -EINVAL;
+		goto err_release_metapage;
 	}
 
 	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
@@ -207,6 +206,11 @@ int dbMount(struct inode *ipbmap)
 	bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
 	bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
 	bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
+	if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
+		err = -EINVAL;
+		goto err_release_metapage;
+	}
+
 	for (i = 0; i < MAXAG; i++)
 		bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
 	bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
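Review bot: the new bound only rejects values above L2MAXL2SIZE - L2MAXAG; if db_agl2size is a signed type, a negative value read from the corrupted descriptor still passes and is later used as a shift count, which is the same undefined behaviour this patch guards against. Consider rejecting values below zero in the same condition, e.g. `if (bmp->db_agl2size < 0 || bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG)`. Also, db_agwidth and db_agstart in the context lines come from the same untrusted descriptor and stay unchecked; a comment saying why validating db_agl2size alone is enough for the dbAllocAG crash would help.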
@@ -227,6 +231,12 @@ int dbMount(struct inode *ipbmap)
 	BMAP_LOCK_INIT(bmp);
 
 	return (0);
+
+err_release_metapage:
+	release_metapage(mp);
+err_kfree_bmp:
+	kfree(bmp);
+	return err;
 }
 
 
-- 
2.35.1





* [PATCH 4.9 181/251] udf: Avoid double brelse() in udf_rename()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+7902cd7684bc35306224,
	Shigeru Yoshida, Jan Kara, Sasha Levin

From: Shigeru Yoshida <syoshida@redhat.com>

[ Upstream commit c791730f2554a9ebb8f18df9368dc27d4ebc38c2 ]

syzbot reported a warning like below [1]:

VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0
...
Call Trace:
 <TASK>
 invalidate_bh_lru+0x99/0x150
 smp_call_function_many_cond+0xe2a/0x10c0
 ? generic_remap_file_range_prep+0x50/0x50
 ? __brelse+0xa0/0xa0
 ? __mutex_lock+0x21c/0x12d0
 ? smp_call_on_cpu+0x250/0x250
 ? rcu_read_lock_sched_held+0xb/0x60
 ? lock_release+0x587/0x810
 ? __brelse+0xa0/0xa0
 ? generic_remap_file_range_prep+0x50/0x50
 on_each_cpu_cond_mask+0x3c/0x80
 blkdev_flush_mapping+0x13a/0x2f0
 blkdev_put_whole+0xd3/0xf0
 blkdev_put+0x222/0x760
 deactivate_locked_super+0x96/0x160
 deactivate_super+0xda/0x100
 cleanup_mnt+0x222/0x3d0
 task_work_run+0x149/0x240
 ? task_work_cancel+0x30/0x30
 do_exit+0xb29/0x2a40
 ? reacquire_held_locks+0x4a0/0x4a0
 ? do_raw_spin_lock+0x12a/0x2b0
 ? mm_update_next_owner+0x7c0/0x7c0
 ? rwlock_bug.part.0+0x90/0x90
 ? zap_other_threads+0x234/0x2d0
 do_group_exit+0xd0/0x2a0
 __x64_sys_exit_group+0x3a/0x50
 do_syscall_64+0x34/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that brelse() is called on both ofibh.sbh
and ofibh.ebh by udf_find_entry() when it returns NULL.  However,
brelse() is called by udf_rename(), too.  So, b_count on buffer_head
becomes unbalanced.

This patch fixes the issue by not calling brelse() by udf_rename()
when udf_find_entry() returns NULL.

Link: https://syzkaller.appspot.com/bug?id=8297f45698159c6bca8a1f87dc983667c1a1c851 [1]
Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221023095741.271430-1-syoshida@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/udf/namei.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index aefa939176e1..0ab842460ed3 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -1112,8 +1112,9 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry,
 		return -EINVAL;
 
 	ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi);
-	if (IS_ERR(ofi)) {
-		retval = PTR_ERR(ofi);
+	if (!ofi || IS_ERR(ofi)) {
+		if (IS_ERR(ofi))
+			retval = PTR_ERR(ofi);
 		goto end_rename;
 	}
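Review bot: in the new `!ofi` branch retval is left at whatever it held before the lookup, which is not visible in the hunk; if it is not initialised to a negative errno such as -ENOENT, a missing source entry would make udf_rename() return 0 without renaming anything. Either confirm the initial value or set `retval = -ENOENT;` explicitly in the NULL case. Since udf_find_entry() already releases ofibh.sbh and ofibh.ebh on a NULL return (per the commit message), a brief comment here saying the buffers must not be released again would stop someone from re-adding the brelse() later.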
 
@@ -1122,8 +1123,7 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry,
 
 	brelse(ofibh.sbh);
 	tloc = lelb_to_cpu(ocfi.icb.extLocation);
-	if (!ofi || udf_get_lb_pblock(old_dir->i_sb, &tloc, 0)
-	    != old_inode->i_ino)
+	if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino)
 		goto end_rename;
 
 	nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi);
-- 
2.35.1





* [PATCH 4.9 182/251] fs: jfs: fix shift-out-of-bounds in dbDiscardAG
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hoi Pok Wu, Dave Kleikamp, Sasha Levin

From: Hoi Pok Wu <wuhoipok@gmail.com>

[ Upstream commit 25e70c6162f207828dd405b432d8f2a98dbf7082 ]

This should be applied to most UBSAN bugs found recently by syzbot,
by guarding dbMount, as syzbot is feeding rubbish into the bmap
descriptor.

Signed-off-by: Hoi Pok Wu <wuhoipok@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jfs/jfs_dmap.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a46fa0f3db57..0ca1ad2610df 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -211,6 +211,11 @@ int dbMount(struct inode *ipbmap)
 		goto err_release_metapage;
 	}
 
+	if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
+		err = -EINVAL;
+		goto err_release_metapage;
+	}
+
 	for (i = 0; i < MAXAG; i++)
 		bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
 	bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
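Review bot: check the comparison operator: `(db_mapsize - 1) >> db_agl2size` is the index of the last allocation group, and the loop right below iterates `i < MAXAG` over db_agfree, so an index equal to MAXAG is one past the array yet passes a `> MAXAG` test; `>=` looks like the intended bound. The condition also relies on db_agl2size having been validated by the check just above (the `goto err_release_metapage` context), which this series does, but a comment tying the two together would help since a shift by an unchecked db_agl2size here would itself be undefined.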
-- 
2.35.1





* [PATCH 4.9 183/251] ACPICA: Fix error code path in acpi_ds_call_control_method()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Rafael J. Wysocki,
	Sasha Levin

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

[ Upstream commit 404ec60438add1afadaffaed34bb5fe4ddcadd40 ]

A use-after-free in acpi_ps_parse_aml() after a failing invocation of
acpi_ds_call_control_method() is reported by KASAN [1] and code
inspection reveals that next_walk_state pushed to the thread by
acpi_ds_create_walk_state() is freed on errors, but it is not popped
from the thread beforehand.  Thus acpi_ds_get_current_walk_state()
called by acpi_ps_parse_aml() subsequently returns it as the new
walk state which is incorrect.

To address this, make acpi_ds_call_control_method() call
acpi_ds_pop_walk_state() to pop next_walk_state from the thread before
returning an error.

Link: https://lore.kernel.org/linux-acpi/20221019073443.248215-1-chenzhongjin@huawei.com/ # [1]
Reported-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/acpica/dsmethod.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c
index 2b3210f42a46..b77d6b86e3f9 100644
--- a/drivers/acpi/acpica/dsmethod.c
+++ b/drivers/acpi/acpica/dsmethod.c
@@ -547,7 +547,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
 	info = ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_evaluate_info));
 	if (!info) {
 		status = AE_NO_MEMORY;
-		goto cleanup;
+		goto pop_walk_state;
 	}
 
 	info->parameters = &this_walk_state->operands[0];
@@ -559,7 +559,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
 
 	ACPI_FREE(info);
 	if (ACPI_FAILURE(status)) {
-		goto cleanup;
+		goto pop_walk_state;
 	}
 
 	/*
@@ -591,6 +591,12 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
 
 	return_ACPI_STATUS(status);
 
+pop_walk_state:
+
+	/* On error, pop the walk state to be deleted from thread */
+
+	acpi_ds_pop_walk_state(thread);
+
 cleanup:
 
 	/* On error, we must terminate the method properly */
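Review bot: the new pop_walk_state label falls through into cleanup, so both early exits now pop next_walk_state before the method is terminated, matching the commit message; the fall-through is intentional and the blank-line comment style matches the surrounding ACPICA code. Two things to confirm outside the hunk: that no other `goto cleanup` remains between the acpi_ds_create_walk_state() call and the success return (any such site would still leave the stale walk state on the thread), and that cleanup itself does not also pop, which would now pop twice on these paths.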
-- 
2.35.1





* [PATCH 4.9 184/251] nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
	syzbot+e91619dd4c11c4960706, Andrew Morton, Sasha Levin

From: Ryusuke Konishi <konishi.ryusuke@gmail.com>

[ Upstream commit 610a2a3d7d8be3537458a378ec69396a76c385b6 ]

Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount
time".

The first patch fixes a bug reported by syzbot, and the second one fixes
the remaining bug of the same kind.  Although they are triggered by the
same super block data anomaly, I divided it into the above two because the
details of the issues and how to fix it are different.

Both are required to eliminate the shift-out-of-bounds issues at mount
time.

This patch (of 2):

If the block size exponent information written in an on-disk superblock is
corrupted, nilfs_sb2_bad_offset helper function can trigger
shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn
is set):

 shift exponent 38983 is too large for 64-bit type 'unsigned long long'
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
  ubsan_epilogue lib/ubsan.c:151 [inline]
  __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322
  nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline]
  nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523
  init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577
  nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047
  nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317
  ...

In addition, since nilfs_sb2_bad_offset() performs multiplication without
considering the upper bound, the computation may overflow if the disk
layout parameters are not normal.

This fixes these issues by inserting preliminary sanity checks for those
parameters and by converting the comparison from one involving
multiplication and left bit-shifting to one using division and right
bit-shifting.

Link: https://lkml.kernel.org/r/20221027044306.42774-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20221027044306.42774-2-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+e91619dd4c11c4960706@syzkaller.appspotmail.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nilfs2/the_nilfs.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
index 9bbdd152c296..3e143c2da06d 100644
--- a/fs/nilfs2/the_nilfs.c
+++ b/fs/nilfs2/the_nilfs.c
@@ -22,6 +22,7 @@
 #include <linux/blkdev.h>
 #include <linux/backing-dev.h>
 #include <linux/random.h>
+#include <linux/log2.h>
 #include <linux/crc32.h>
 #include "nilfs.h"
 #include "segment.h"
@@ -457,11 +458,33 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp)
 	return crc == le32_to_cpu(sbp->s_sum);
 }
 
-static int nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset)
+/**
+ * nilfs_sb2_bad_offset - check the location of the second superblock
+ * @sbp: superblock raw data buffer
+ * @offset: byte offset of second superblock calculated from device size
+ *
+ * nilfs_sb2_bad_offset() checks if the position on the second
+ * superblock is valid or not based on the filesystem parameters
+ * stored in @sbp.  If @offset points to a location within the segment
+ * area, or if the parameters themselves are not normal, it is
+ * determined to be invalid.
+ *
+ * Return Value: true if invalid, false if valid.
+ */
+static bool nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset)
 {
-	return offset < ((le64_to_cpu(sbp->s_nsegments) *
-			  le32_to_cpu(sbp->s_blocks_per_segment)) <<
-			 (le32_to_cpu(sbp->s_log_block_size) + 10));
+	unsigned int shift_bits = le32_to_cpu(sbp->s_log_block_size);
+	u32 blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment);
+	u64 nsegments = le64_to_cpu(sbp->s_nsegments);
+	u64 index;
+
+	if (blocks_per_segment < NILFS_SEG_MIN_BLOCKS ||
+	    shift_bits > ilog2(NILFS_MAX_BLOCK_SIZE) - BLOCK_SIZE_BITS)
+		return true;
+
+	index = offset >> (shift_bits + BLOCK_SIZE_BITS);
+	do_div(index, blocks_per_segment);
+	return index < nsegments;
 }
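Review bot: do_div() takes a 32-bit divisor and blocks_per_segment is u32, so the call is well-formed, and the NILFS_SEG_MIN_BLOCKS guard above keeps the divisor non-zero as long as that constant is positive. The kernel-doc comment uses `Return Value:` where the documented convention is a `Return:` section. The return type also changed from int to bool, so callers testing the result with `if (nilfs_sb2_bad_offset(...))` are fine, but any caller comparing it against a specific integer would need updating. A one-line comment above `index = offset >> (shift_bits + BLOCK_SIZE_BITS);` saying that the shift and division replace the previous overflow-prone multiply would help readers of the context diff.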
 
 static void nilfs_release_super_block(struct the_nilfs *nilfs)
-- 
2.35.1





* [PATCH 4.9 185/251] acct: fix potential integer overflow in encode_comp_t()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zheng Yejian, Hanjun Guo,
	Randy Dunlap, Vlastimil Babka, Zhang Jinhao, Andrew Morton,
	Sasha Levin

From: Zheng Yejian <zhengyejian1@huawei.com>

[ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ]

The integer overflow is described by the following code:
  > 317 static comp_t encode_comp_t(u64 value)
  > 318 {
  > 319         int exp, rnd;
    ......
  > 341         exp <<= MANTSIZE;
  > 342         exp += value;
  > 343         return exp;
  > 344 }

Currently comp_t is defined as type of '__u16', but the variable 'exp' is
type of 'int', so overflow would happen when variable 'exp' in line 343 is
greater than 65535.

Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Cc: Hanjun Guo <guohanjun@huawei.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Zhang Jinhao <zhangjinhao2@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/acct.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/acct.c b/kernel/acct.c
index 37f1dc696fbd..928ed84f50df 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -328,6 +328,8 @@ static comp_t encode_comp_t(unsigned long value)
 		exp++;
 	}
 
+	if (exp > (((comp_t) ~0U) >> MANTSIZE))
+		return (comp_t) ~0U;
 	/*
 	 * Clean it up and polish it off.
 	 */
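Review bot: the saturation check needs a comment: `((comp_t) ~0U) >> MANTSIZE` is the largest exponent that fits in a comp_t, and returning `(comp_t) ~0U` on overflow silently clamps to the maximum encodable value rather than reporting it. That is reasonable for an accounting record, but a reader of the context lines sees only the magic; something like `/* Exponent too large for comp_t: saturate */` would do. The comparison itself is fine since both operands promote to int.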
-- 
2.35.1





* [PATCH 4.9 186/251] hfs: fix OOB Read in __hfs_brec_find
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, ZhangPeng,
	syzbot+e836ff7133ac02be825f, Damien Le Moal, Ira Weiny,
	Jeff Layton, Kefeng Wang, Matthew Wilcox, Nanyong Sun,
	Viacheslav Dubeyko, Andrew Morton, Sasha Levin

From: ZhangPeng <zhangpeng362@huawei.com>

[ Upstream commit 8d824e69d9f3fa3121b2dda25053bae71e2460d2 ]

Syzbot reported an OOB read bug:

==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190
fs/hfs/string.c:84
Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted
6.1.0-rc6-syzkaller-00308-g644e9524388a #0
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x1f0 mm/kasan/report.c:395
 kasan_report+0xcd/0x100 mm/kasan/report.c:495
 hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
 __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75
 hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138
 hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462
 write_inode fs/fs-writeback.c:1440 [inline]

If the input inode of hfs_write_inode() is incorrect:
struct inode
  struct hfs_inode_info
    struct hfs_cat_key
      struct hfs_name
        u8 len # len is greater than HFS_NAMELEN(31), the maximum length of an HFS filename

OOB read occurred:
hfs_write_inode()
  hfs_brec_find()
    __hfs_brec_find()
      hfs_cat_keycmp()
        hfs_strcmp() # OOB read occurs because len is too large

Fix this by adding a check on len in hfs_write_inode() before calling
hfs_brec_find().

Link: https://lkml.kernel.org/r/20221130065959.2168236-1-zhangpeng362@huawei.com
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Reported-by: <syzbot+e836ff7133ac02be825f@syzkaller.appspotmail.com>
Cc: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Jeff Layton <jlayton@kernel.org>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Nanyong Sun <sunnanyong@huawei.com>
Cc: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index de0d6d4c46b6..cd4eee5b8358 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -452,6 +452,8 @@ int hfs_write_inode(struct inode *inode, struct writeback_control *wbc)
 		/* panic? */
 		return -EIO;
 
+	if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN)
+		return -EIO;
 	fd.search_key->cat = HFS_I(main_inode)->cat_key;
 	if (hfs_brec_find(&fd))
 		/* panic? */
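Review bot: the new `return -EIO` sits after `hfs_find_init()` has already succeeded (the `return -EIO` immediately above it is the init-failure path), so it skips whatever teardown of `fd` the `hfs_brec_find()` failure path performs; route the early return through that same exit. Consider also validating `cat_key.CName.len` where the key is filled from the catalog, since other consumers of `cat_key` still see the oversized length, and logging a message here would make a corrupted image diagnosable instead of a bare -EIO.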
-- 
2.35.1

* [PATCH 4.9 187/251] wifi: ath9k: verify the expected usb_endpoints are present
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern, Fedor Pchelkin,
	Alexey Khoroshilov, Toke Høiland-Jørgensen, Kalle Valo,
	Sasha Levin

From: Fedor Pchelkin <pchelkin@ispras.ru>

[ Upstream commit 16ef02bad239f11f322df8425d302be62f0443ce ]

The bug arises when a USB device claims to be an ATH9K but doesn't
have the expected endpoints. (In this case there was an interrupt
endpoint where the driver expected a bulk endpoint.) The kernel
needs to be able to handle such devices without getting an internal error.

usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493
Modules linked in:
CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: events request_firmware_work_func
RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493
Call Trace:
 ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline]
 ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019
 ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline]
 ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242
 request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097
 process_one_work+0x9af/0x1600 kernel/workqueue.c:2279
 worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425
 kthread+0x3b4/0x4a0 kernel/kthread.c:313
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221008211532.74583-1-pchelkin@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 719cb53d8b4d..438323182d07 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1325,10 +1325,24 @@ static int send_eject_command(struct usb_interface *interface)
 static int ath9k_hif_usb_probe(struct usb_interface *interface,
 			       const struct usb_device_id *id)
 {
+	struct usb_endpoint_descriptor *bulk_in, *bulk_out, *int_in, *int_out;
 	struct usb_device *udev = interface_to_usbdev(interface);
+	struct usb_host_interface *alt;
 	struct hif_device_usb *hif_dev;
 	int ret = 0;
 
+	/* Verify the expected endpoints are present */
+	alt = interface->cur_altsetting;
+	if (usb_find_common_endpoints(alt, &bulk_in, &bulk_out, &int_in, &int_out) < 0 ||
+	    usb_endpoint_num(bulk_in) != USB_WLAN_RX_PIPE ||
+	    usb_endpoint_num(bulk_out) != USB_WLAN_TX_PIPE ||
+	    usb_endpoint_num(int_in) != USB_REG_IN_PIPE ||
+	    usb_endpoint_num(int_out) != USB_REG_OUT_PIPE) {
+		dev_err(&udev->dev,
+			"ath9k_htc: Device endpoint numbers are not the expected ones\n");
+		return -ENODEV;
+	}
+
 	if (id->driver_info == STORAGE_DEVICE)
 		return send_eject_command(interface);
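Review bot: the endpoint check runs before the `id->driver_info == STORAGE_DEVICE` test, so an interface matched as a storage device (which does not expose the WLAN bulk and interrupt endpoints) now fails with -ENODEV before `send_eject_command()` can be issued; either move the check after the storage-device early return or confirm that the storage product IDs never reach this probe with a non-WLAN altsetting. The check itself is sound: `usb_find_common_endpoints()` already validates type and direction, and comparing `usb_endpoint_num()` against the fixed pipe numbers pins the layout the driver hardcodes.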
 
-- 
2.35.1

* [PATCH 4.9 188/251] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+95001b1fd6dfcc716c29,
	Shigeru Yoshida, Kalle Valo, Sasha Levin

From: Shigeru Yoshida <syoshida@redhat.com>

[ Upstream commit b6702a942a069c2a975478d719e98d83cdae1797 ]

syzkaller reported a use-after-free with a stack trace like the one below [1]:

[   38.960489][    C3] ==================================================================
[   38.963216][    C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[   38.964950][    C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
[   38.966363][    C3]
[   38.967053][    C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
[   38.968464][    C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[   38.969959][    C3] Call Trace:
[   38.970841][    C3]  <IRQ>
[   38.971663][    C3]  dump_stack_lvl+0xfc/0x174
[   38.972620][    C3]  print_report.cold+0x2c3/0x752
[   38.973626][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240
[   38.974644][    C3]  kasan_report+0xb1/0x1d0
[   38.975720][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240
[   38.976831][    C3]  ar5523_cmd_tx_cb+0x220/0x240
[   38.978412][    C3]  __usb_hcd_giveback_urb+0x353/0x5b0
[   38.979755][    C3]  usb_hcd_giveback_urb+0x385/0x430
[   38.981266][    C3]  dummy_timer+0x140c/0x34e0
[   38.982925][    C3]  ? notifier_call_chain+0xb5/0x1e0
[   38.984761][    C3]  ? rcu_read_lock_sched_held+0xb/0x60
[   38.986242][    C3]  ? lock_release+0x51c/0x790
[   38.987323][    C3]  ? _raw_read_unlock_irqrestore+0x37/0x70
[   38.988483][    C3]  ? __wake_up_common_lock+0xde/0x130
[   38.989621][    C3]  ? reacquire_held_locks+0x4a0/0x4a0
[   38.990777][    C3]  ? lock_acquire+0x472/0x550
[   38.991919][    C3]  ? rcu_read_lock_sched_held+0xb/0x60
[   38.993138][    C3]  ? lock_acquire+0x472/0x550
[   38.994890][    C3]  ? dummy_urb_enqueue+0x860/0x860
[   38.996266][    C3]  ? do_raw_spin_unlock+0x16f/0x230
[   38.997670][    C3]  ? dummy_urb_enqueue+0x860/0x860
[   38.999116][    C3]  call_timer_fn+0x1a0/0x6a0
[   39.000668][    C3]  ? add_timer_on+0x4a0/0x4a0
[   39.002137][    C3]  ? reacquire_held_locks+0x4a0/0x4a0
[   39.003809][    C3]  ? __next_timer_interrupt+0x226/0x2a0
[   39.005509][    C3]  __run_timers.part.0+0x69a/0xac0
[   39.007025][    C3]  ? dummy_urb_enqueue+0x860/0x860
[   39.008716][    C3]  ? call_timer_fn+0x6a0/0x6a0
[   39.010254][    C3]  ? cpuacct_percpu_seq_show+0x10/0x10
[   39.011795][    C3]  ? kvm_sched_clock_read+0x14/0x40
[   39.013277][    C3]  ? sched_clock_cpu+0x69/0x2b0
[   39.014724][    C3]  run_timer_softirq+0xb6/0x1d0
[   39.016196][    C3]  __do_softirq+0x1d2/0x9be
[   39.017616][    C3]  __irq_exit_rcu+0xeb/0x190
[   39.019004][    C3]  irq_exit_rcu+0x5/0x20
[   39.020361][    C3]  sysvec_apic_timer_interrupt+0x8f/0xb0
[   39.021965][    C3]  </IRQ>
[   39.023237][    C3]  <TASK>

In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below
(there are other functions which finally call ar5523_cmd()):

ar5523_probe()
-> ar5523_host_available()
   -> ar5523_cmd_read()
      -> ar5523_cmd()

If ar5523_cmd() times out, ar5523_host_available() fails and
ar5523_probe() frees the device structure.  So, ar5523_cmd_tx_cb()
might touch the freed structure.

This patch fixes this issue by canceling the in-flight tx cmd if the
submitted urb timed out.

Link: https://syzkaller.appspot.com/bug?id=9e12b2d54300842b71bdd18b54971385ff0d0d3a [1]
Reported-by: syzbot+95001b1fd6dfcc716c29@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221009183223.420015-1-syoshida@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index 0c6b33c464cd..187061a43f7f 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -241,6 +241,11 @@ static void ar5523_cmd_tx_cb(struct urb *urb)
 	}
 }
 
+static void ar5523_cancel_tx_cmd(struct ar5523 *ar)
+{
+	usb_kill_urb(ar->tx_cmd.urb_tx);
+}
+
 static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,
 		      int ilen, void *odata, int olen, int flags)
 {
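Review bot: `usb_kill_urb()` blocks until the URB's completion handler has returned, which is the property this helper relies on; a comment in `ar5523_cancel_tx_cmd()` saying so would document why it is safe to free `ar` after the call and that the helper must only be called from sleepable context.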
@@ -280,6 +285,7 @@ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,
 	}
 
 	if (!wait_for_completion_timeout(&cmd->done, 2 * HZ)) {
+		ar5523_cancel_tx_cmd(ar);
 		cmd->odata = NULL;
 		ar5523_err(ar, "timeout waiting for command %02x reply\n",
 			   code);
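Review bot: placing the cancel before `cmd->odata = NULL` is the right order, since `ar5523_cmd_tx_cb()` may still be running until `usb_kill_urb()` returns; note that this only covers the tx URB, so a late reply arriving on the receive side is still handled only by the existing `cmd->odata = NULL`, which the commit message could state explicitly.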
-- 
2.35.1

* [PATCH 4.9 189/251] ipmi: fix memleak when unload ipmi driver
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Yuchen, Corey Minyard, Sasha Levin

From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>

[ Upstream commit 36992eb6b9b83f7f9cdc8e74fb5799d7b52e83e9 ]

After the IPMI disconnect problem, the memory kept rising and we tried
to unload the driver to free the memory. However, only part of the
memory is recovered after the driver is uninstalled. Using
ebpf to hook free functions, we find that neither ipmi_user nor
ipmi_smi_msg is freed, only ipmi_recv_msg is freed.

We find that the deliver_smi_err_response call in clean_smi_msgs does
the destroy processing on each message from the xmit_msg queue without
checking the return value and freeing ipmi_smi_msg.

deliver_smi_err_response is called only at this location. Adding the
free handling has no effect.

To verify, try using ebpf to trace the free function.

  $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc rcv
      %p\n",retval);} kprobe:free_recv_msg {printf("free recv %p\n",
      arg0)} kretprobe:ipmi_alloc_smi_msg {printf("alloc smi %p\n",
        retval);} kprobe:free_smi_msg {printf("free smi  %p\n",arg0)}'

Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
Message-Id: <20221007092617.87597-4-zhangyuchen.lcr@bytedance.com>
[Fixed the comment above handle_one_recv_msg().]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/ipmi/ipmi_msghandler.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 74044b52d2c6..97d3c9d4ebc7 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -2930,12 +2930,16 @@ static void deliver_smi_err_response(ipmi_smi_t intf,
 				     struct ipmi_smi_msg *msg,
 				     unsigned char err)
 {
+	int rv;
 	msg->rsp[0] = msg->data[0] | 4;
 	msg->rsp[1] = msg->data[1];
 	msg->rsp[2] = err;
 	msg->rsp_size = 3;
-	/* It's an error, so it will never requeue, no need to check return. */
-	handle_one_recv_msg(intf, msg);
+
+	/* This will never requeue, but it may ask us to free the message. */
+	rv = handle_one_recv_msg(intf, msg);
+	if (rv == 0)
+		ipmi_free_smi_msg(msg);
 }
 
 static void cleanup_smi_msgs(ipmi_smi_t intf)
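Review bot: kernel style wants a blank line after the `int rv;` declaration before `msg->rsp[0] = ...`. The free-on-zero matches the convention of the regular receive path (0 = handled and may be freed, positive = requeued, negative = handled but must not be freed), but the replacement comment only covers the requeue case; spelling out that a negative return intentionally leaves `msg` unfreed would stop this from being read as a new leak.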
-- 
2.35.1

* [PATCH 4.9 190/251] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Kees Cook,
	Jakub Kicinski, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit 63fe6ff674a96cfcfc0fa8df1051a27aa31c70b4 ]

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:

  drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit         = netcp_ndo_start_xmit,
                                    ^~~~~~~~~~~~~~~~~~~~
  1 error generated.

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of
netcp_ndo_start_xmit() to match the prototype's to resolve the warning
and CFI failure.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102160933.1601260-1-nathan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ti/netcp_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
index c17967b23d3c..957701d48712 100644
--- a/drivers/net/ethernet/ti/netcp_core.c
+++ b/drivers/net/ethernet/ti/netcp_core.c
@@ -1237,7 +1237,7 @@ static int netcp_tx_submit_skb(struct netcp_intf *netcp,
 }
 
 /* Submit the packet */
-static int netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+static netdev_tx_t netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev)
 {
 	struct netcp_intf *netcp = netdev_priv(ndev);
 	int subqueue = skb_get_queue_mapping(skb);
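Review bot: the hunk changes only the signature; every `return` in the body of netcp_ndo_start_xmit() must now yield a `netdev_tx_t` value (NETDEV_TX_OK / NETDEV_TX_BUSY) rather than a bare int or errno, and since C silently converts an int to the enum the compiler will not flag a stray integer return, so the body should be audited alongside this change.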
-- 
2.35.1

* [PATCH 4.9 191/251] hamradio: baycom_epp: Fix return type of baycom_send_packet()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Kees Cook,
	Jakub Kicinski, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit c5733e5b15d91ab679646ec3149e192996a27d5d ]

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:

  drivers/net/hamradio/baycom_epp.c:1119:25: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit      = baycom_send_packet,
                                ^~~~~~~~~~~~~~~~~~
  1 error generated.

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of baycom_send_packet()
to match the prototype's to resolve the warning and CFI failure.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102160610.1186145-1-nathan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/hamradio/baycom_epp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/hamradio/baycom_epp.c b/drivers/net/hamradio/baycom_epp.c
index 78dbc44540f6..b7831d0fd084 100644
--- a/drivers/net/hamradio/baycom_epp.c
+++ b/drivers/net/hamradio/baycom_epp.c
@@ -768,7 +768,7 @@ static void epp_bh(struct work_struct *work)
  * ===================== network driver interface =========================
  */
 
-static int baycom_send_packet(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t baycom_send_packet(struct sk_buff *skb, struct net_device *dev)
 {
 	struct baycom_state *bc = netdev_priv(dev);
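Review bot: with the return type now `netdev_tx_t`, check that every exit of baycom_send_packet() returns NETDEV_TX_OK or NETDEV_TX_BUSY; the hunk does not show the body, and an integer return would still compile without a warning.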
 
-- 
2.35.1

* [PATCH 4.9 192/251] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dokyung Song, Jisoo Jang,
	Minsuk Kang, Kalle Valo, Sasha Levin

From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>

[ Upstream commit 81d17f6f3331f03c8eafdacea68ab773426c1e3c ]

This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
BIT(chiprev) when a 'chiprev' provided by the device is too large.
It should also not be equal to or greater than BITS_PER_TYPE(u32)
as we do bitwise AND with a u32 variable and BIT(chiprev). The patch
adds a check that makes the function return NULL if that is the case.
Note that the NULL case is later handled by the bus-specific caller,
brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.

Found by a modified version of syzkaller.

UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack_lvl+0x57/0x7d
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb
 ? lock_chain_count+0x20/0x20
 brcmf_fw_alloc_request.cold+0x19/0x3ea
 ? brcmf_fw_get_firmwares+0x250/0x250
 ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0
 brcmf_usb_get_fwname+0x114/0x1a0
 ? brcmf_usb_reset_resume+0x120/0x120
 ? number+0x6c4/0x9a0
 brcmf_c_process_clm_blob+0x168/0x590
 ? put_dec+0x90/0x90
 ? enable_ptr_key_workfn+0x20/0x20
 ? brcmf_common_pd_remove+0x50/0x50
 ? rcu_read_lock_sched_held+0xa1/0xd0
 brcmf_c_preinit_dcmds+0x673/0xc40
 ? brcmf_c_set_joinpref_default+0x100/0x100
 ? rcu_read_lock_sched_held+0xa1/0xd0
 ? rcu_read_lock_bh_held+0xb0/0xb0
 ? lock_acquire+0x19d/0x4e0
 ? find_held_lock+0x2d/0x110
 ? brcmf_usb_deq+0x1cc/0x260
 ? mark_held_locks+0x9f/0xe0
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 ? _raw_spin_unlock_irqrestore+0x47/0x50
 ? trace_hardirqs_on+0x1c/0x120
 ? brcmf_usb_deq+0x1a7/0x260
 ? brcmf_usb_rx_fill_all+0x5a/0xf0
 brcmf_attach+0x246/0xd40
 ? wiphy_new_nm+0x1476/0x1d50
 ? kmemdup+0x30/0x40
 brcmf_usb_probe+0x12de/0x1690
 ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
 usb_probe_interface+0x25f/0x710
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 ? usb_match_id.part.0+0x88/0xc0
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 ? driver_allows_async_probing+0x120/0x120
 bus_for_each_drv+0x123/0x1a0
 ? bus_rescan_devices+0x20/0x20
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 ? trace_hardirqs_on+0x1c/0x120
 __device_attach+0x207/0x330
 ? device_bind_driver+0xb0/0xb0
 ? kobject_uevent_env+0x230/0x12c0
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 ? __mutex_unlock_slowpath+0xe7/0x660
 ? __fw_devlink_link_to_suppliers+0x550/0x550
 usb_set_configuration+0x984/0x1770
 ? kernfs_create_link+0x175/0x230
 usb_generic_driver_probe+0x69/0x90
 usb_probe_device+0x9c/0x220
 really_probe+0x1be/0xa90
 __driver_probe_device+0x2ab/0x460
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x18a/0x250
 ? driver_allows_async_probing+0x120/0x120
 bus_for_each_drv+0x123/0x1a0
 ? bus_rescan_devices+0x20/0x20
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 ? trace_hardirqs_on+0x1c/0x120
 __device_attach+0x207/0x330
 ? device_bind_driver+0xb0/0xb0
 ? kobject_uevent_env+0x230/0x12c0
 bus_probe_device+0x1a2/0x260
 device_add+0xa61/0x1ce0
 ? __fw_devlink_link_to_suppliers+0x550/0x550
 usb_new_device.cold+0x463/0xf66
 ? hub_disconnect+0x400/0x400
 ? _raw_spin_unlock_irq+0x24/0x30
 hub_event+0x10d5/0x3330
 ? hub_port_debounce+0x280/0x280
 ? __lock_acquire+0x1671/0x5790
 ? wq_calc_node_cpumask+0x170/0x2a0
 ? lock_release+0x640/0x640
 ? rcu_read_lock_sched_held+0xa1/0xd0
 ? rcu_read_lock_bh_held+0xb0/0xb0
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 process_one_work+0x873/0x13e0
 ? lock_release+0x640/0x640
 ? pwq_dec_nr_in_flight+0x320/0x320
 ? rwlock_bug.part.0+0x90/0x90
 worker_thread+0x8b/0xd10
 ? __kthread_parkme+0xd9/0x1d0
 ? process_one_work+0x13e0/0x13e0
 kthread+0x379/0x450
 ? _raw_spin_unlock_irq+0x24/0x30
 ? set_kthread_struct+0x100/0x100
 ret_from_fork+0x1f/0x30

Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221024071329.504277-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
index 33a7378164b8..6675de16e3b9 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
@@ -572,6 +572,11 @@ int brcmf_fw_map_chip_to_name(u32 chip, u32 chiprev,
 	u32 i;
 	char end;
 
+	if (chiprev >= BITS_PER_TYPE(u32)) {
+		brcmf_err("Invalid chip revision %u\n", chiprev);
+		return NULL;
+	}
+
 	for (i = 0; i < table_size; i++) {
 		if (mapping_table[i].chipid == chip &&
 		    mapping_table[i].revmask & BIT(chiprev))
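Review bot: the hunk lands in brcmf_fw_map_chip_to_name() rather than the brcmf_fw_alloc_request() named in the subject and commit message, so a one-line backport note on the 4.9 function layout would help. The guard itself is correct: `revmask` is a u32, so a `chiprev` of 32 or more can never match, and `BIT(chiprev)` for such values is an undefined shift (the UBSAN report above shows exponent 151055786), so rejecting it before the loop is the right place.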
-- 
2.35.1
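The guarded lookup described in the commit message, as an added example that is not brcmfmac code: a constructed chip/revision table and a hypothetical `demo_map_chip_to_name()` that rejects an out-of-range revision before `BIT()` is evaluated. The table contents and names are placeholders.

```c
/* Added example (not brcmfmac code): a chip-id/revision lookup guarded
 * against an out-of-range revision, mirroring the fix described above.
 * Table contents and names are constructed for illustration. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define BITS_PER_TYPE(t) (sizeof(t) * CHAR_BIT)   /* kernel-style helper */
#define BIT(n)           (1UL << (n))             /* unsigned long, as in the kernel */

struct demo_chip_map {
	uint32_t chipid;
	uint32_t revmask;    /* bit i set => revision i is supported */
	const char *fw;
};

/* Constructed mapping table (IDs and firmware names are placeholders). */
static const struct demo_chip_map demo_table[] = {
	{ 0x1001, 0x00000001u, "demo-chip1-rev0.bin" },      /* rev 0 only   */
	{ 0x1002, 0xFFFFFFFEu, "demo-chip2-rev1plus.bin" },  /* revs 1..31   */
};

/* Hypothetical lookup modelled on the fixed function. A revision of 32 or
 * more can never match a 32-bit mask, and BIT(chiprev) with such a value
 * is an undefined shift, so it is rejected before the loop runs. */
const char *demo_map_chip_to_name(uint32_t chip, uint32_t chiprev)
{
	size_t i;

	if (chiprev >= BITS_PER_TYPE(uint32_t))
		return NULL;   /* equivalent of the patch's early return */

	for (i = 0; i < sizeof(demo_table) / sizeof(demo_table[0]); i++) {
		if (demo_table[i].chipid == chip &&
		    (demo_table[i].revmask & BIT(chiprev)))
			return demo_table[i].fw;
	}
	return NULL;       /* unknown chip or unsupported revision */
}
```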

* [PATCH 4.9 193/251] igb: Do not free q_vector unless new one was allocated
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jesse Brandeburg, Tony Nguyen,
	David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	intel-wired-lan, netdev, Kees Cook, Michael J. Ruhl,
	Jacob Keller, Sasha Levin, Gurucharan

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 0668716506ca66f90d395f36ccdaebc3e0e84801 ]

Avoid potential use-after-free condition under memory pressure. If the
kzalloc() fails, q_vector will be freed but left in the original
adapter->q_vector[v_idx] array position.

Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: intel-wired-lan@lists.osuosl.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/igb/igb_main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 2e713e5f75cd..bbca786f0427 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -1219,8 +1219,12 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter,
 	if (!q_vector) {
 		q_vector = kzalloc(size, GFP_KERNEL);
 	} else if (size > ksize(q_vector)) {
-		kfree_rcu(q_vector, rcu);
-		q_vector = kzalloc(size, GFP_KERNEL);
+		struct igb_q_vector *new_q_vector;
+
+		new_q_vector = kzalloc(size, GFP_KERNEL);
+		if (new_q_vector)
+			kfree_rcu(q_vector, rcu);
+		q_vector = new_q_vector;
 	} else {
 		memset(q_vector, 0, size);
 	}
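Review bot: after a failed `kzalloc()` the local `q_vector` becomes NULL while `adapter->q_vector[v_idx]` still holds the old, smaller vector, so the caller's -ENOMEM path must leave that slot alone and rely on the normal free path to release it; a comment at `q_vector = new_q_vector;` stating that the old vector is intentionally kept would make that contract visible. On success `kfree_rcu()` still runs while the slot points at the old vector, which is the pre-existing behaviour of this branch.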
-- 
2.35.1
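The allocate-before-free ordering from the patch, as an added example that is not igb code: a hypothetical `demo_alloc_vector()` grows a per-slot object held in an owner array and, when the new allocation fails, leaves the old object valid and still referenced from the slot. The structures, the `demo_zalloc()` failure hook and the sizes are constructed.

```c
/* Added example (not igb code): growing a per-slot object kept in an
 * owner array. The buggy order freed the old object before the new
 * allocation was known to succeed, leaving a dangling pointer in the
 * array; the fixed order allocates first. All names are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_SLOTS 4

/* Per-slot object, standing in for struct igb_q_vector. */
struct demo_vector {
	size_t cap;              /* usable bytes in data[] */
	unsigned char data[];
};

struct demo_adapter {
	struct demo_vector *vec[DEMO_SLOTS];   /* stands in for adapter->q_vector[] */
};

/* Allocation hook so a test can force one failure, standing in for
 * memory pressure in the kernel. */
static bool demo_fail_next_alloc;

static void *demo_zalloc(size_t n)
{
	if (demo_fail_next_alloc) {
		demo_fail_next_alloc = false;
		return NULL;
	}
	return calloc(1, n);
}

/* Fixed ordering from the patch: allocate the replacement first and free
 * the old object only once the new one exists. Returns 0 on success and
 * -1 when out of memory; on failure adapter->vec[idx] is left untouched. */
int demo_alloc_vector(struct demo_adapter *adapter, int idx, size_t size)
{
	struct demo_vector *q = adapter->vec[idx];

	if (!q) {
		q = demo_zalloc(sizeof(*q) + size);
		if (q)
			q->cap = size;
	} else if (size > q->cap) {
		struct demo_vector *nq = demo_zalloc(sizeof(*q) + size);

		if (nq) {
			nq->cap = size;
			free(q);            /* stands in for kfree_rcu() */
		}
		q = nq;                     /* NULL on failure; old slot content kept */
	} else {
		memset(q->data, 0, q->cap); /* reuse in place, like the memset() branch */
	}

	if (!q)
		return -1;                  /* -ENOMEM: slot still owns the old vector */

	adapter->vec[idx] = q;
	return 0;
}

/* Teardown that releases whatever each slot still points at, which is
 * what makes keeping the old vector in the slot on failure leak-free. */
void demo_free_vectors(struct demo_adapter *adapter)
{
	for (int i = 0; i < DEMO_SLOTS; i++) {
		free(adapter->vec[i]);
		adapter->vec[i] = NULL;
	}
}
```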


* [PATCH 4.9 194/251] s390/ctcm: Fix return type of ctc{mp,}m_tx()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandra Winter, Kees Cook,
	Nathan Chancellor, David S. Miller, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit aa5bf80c3c067b82b4362cd6e8e2194623bcaca6 ]

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:

  drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit         = ctcm_tx,
                                    ^~~~~~~
  drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit         = ctcmpc_tx,
                                    ^~~~~~~~~

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.

Additionally, while in the area, remove a comment block that is no
longer relevant.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/net/ctcm_main.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
index e22b9ac3e564..ab48eef72d4f 100644
--- a/drivers/s390/net/ctcm_main.c
+++ b/drivers/s390/net/ctcm_main.c
@@ -866,16 +866,9 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb)
 /**
  * Start transmission of a packet.
  * Called from generic network device layer.
- *
- *  skb		Pointer to buffer containing the packet.
- *  dev		Pointer to interface struct.
- *
- * returns 0 if packet consumed, !0 if packet rejected.
- *         Note: If we return !0, then the packet is free'd by
- *               the generic network layer.
  */
 /* first merge version - leaving both functions separated */
-static int ctcm_tx(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t ctcm_tx(struct sk_buff *skb, struct net_device *dev)
 {
 	struct ctcm_priv *priv = dev->ml_priv;
 
@@ -918,7 +911,7 @@ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev)
 }
 
 /* unmerged MPC variant of ctcm_tx */
-static int ctcmpc_tx(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t ctcmpc_tx(struct sk_buff *skb, struct net_device *dev)
 {
 	int len = 0;
 	struct ctcm_priv *priv = dev->ml_priv;
-- 
2.35.1





* [PATCH 4.9 195/251] s390/netiucv: Fix return type of netiucv_tx()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandra Winter, Kees Cook,
	Nathan Chancellor, David S. Miller, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit 88d86d18d7cf7e9137c95f9d212bb9fff8a1b4be ]

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:

  drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit         = netiucv_tx,
                                    ^~~~~~~~~~

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of netiucv_tx() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.

Additionally, while in the area, remove a comment block that is no
longer relevant.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/net/netiucv.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/drivers/s390/net/netiucv.c b/drivers/s390/net/netiucv.c
index b0e8ffdf864b..3465ea3d667b 100644
--- a/drivers/s390/net/netiucv.c
+++ b/drivers/s390/net/netiucv.c
@@ -1361,15 +1361,8 @@ static int netiucv_pm_restore_thaw(struct device *dev)
 /**
  * Start transmission of a packet.
  * Called from generic network device layer.
- *
- * @param skb Pointer to buffer containing the packet.
- * @param dev Pointer to interface struct.
- *
- * @return 0 if packet consumed, !0 if packet rejected.
- *         Note: If we return !0, then the packet is free'd by
- *               the generic network layer.
  */
-static int netiucv_tx(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t netiucv_tx(struct sk_buff *skb, struct net_device *dev)
 {
 	struct netiucv_priv *privptr = netdev_priv(dev);
 	int rc;
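Review bot: `int rc;` at the end of the hunk stays int while the function now returns netdev_tx_t; if rc carries the return value, declaring it `netdev_tx_t rc;` keeps the int-to-enum conversion out of the body and makes any stray 0/-errno return visible in review.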
-- 
2.35.1





* [PATCH 4.9 196/251] s390/lcs: Fix return type of lcs_start_xmit()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandra Winter, Kees Cook,
	Nathan Chancellor, David S. Miller, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit bb16db8393658e0978c3f0d30ae069e878264fa3 ]

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:

  drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit         = lcs_start_xmit,
                                    ^~~~~~~~~~~~~~
  drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit         = lcs_start_xmit,
                                    ^~~~~~~~~~~~~~

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/net/lcs.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/s390/net/lcs.c b/drivers/s390/net/lcs.c
index 4d3caad7e981..3bd2241c13e8 100644
--- a/drivers/s390/net/lcs.c
+++ b/drivers/s390/net/lcs.c
@@ -1544,9 +1544,8 @@ lcs_txbuffer_cb(struct lcs_channel *channel, struct lcs_buffer *buffer)
 /**
  * Packet transmit function called by network stack
  */
-static int
-__lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
-		 struct net_device *dev)
+static netdev_tx_t __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
+				    struct net_device *dev)
 {
 	struct lcs_header *header;
 	int rc = NETDEV_TX_OK;
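Review bot: `int rc = NETDEV_TX_OK;` is initialised with a netdev_tx_t value but declared int; now that __lcs_start_xmit() returns netdev_tx_t, `netdev_tx_t rc = NETDEV_TX_OK;` matches the prototype and removes the implicit conversion on the `return rc;` in the next hunk. The reflow of the signature onto one line is a style-only change bundled with the type fix; worth a mention in the changelog.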
@@ -1607,8 +1606,7 @@ __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
 	return rc;
 }
 
-static int
-lcs_start_xmit(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t lcs_start_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 	struct lcs_card *card;
 	int rc;
-- 
2.35.1





* [PATCH 4.9 197/251] drm/sti: Use drm_mode_copy()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alain Volmat,
	Ville Syrjälä,
	Daniel Vetter, Sasha Levin

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

[ Upstream commit 442cf8e22ba25a77cb9092d78733fdbac9844e50 ]

struct drm_display_mode embeds a list head, so overwriting
the full struct with another one will corrupt the list
(if the destination mode is on a list). Use drm_mode_copy()
instead which explicitly preserves the list head of
the destination mode.

Even if we know the destination mode is not on any list
using drm_mode_copy() seems decent as it sets a good
example. Bad examples of not using it might eventually
get copied into code where preserving the list head
actually matters.

Obviously one case not covered here is when the mode
itself is embedded in a larger structure and the whole
structure is copied. But if we are careful when copying
into modes embedded in structures I think we can be a
little more reassured that bogus list heads haven't been
propagated in.

@is_mode_copy@
@@
drm_mode_copy(...)
{
...
}

@depends on !is_mode_copy@
struct drm_display_mode *mode;
expression E, S;
@@
(
- *mode = E
+ drm_mode_copy(mode, &E)
|
- memcpy(mode, E, S)
+ drm_mode_copy(mode, E)
)

@depends on !is_mode_copy@
struct drm_display_mode mode;
expression E;
@@
(
- mode = E
+ drm_mode_copy(&mode, &E)
|
- memcpy(&mode, E, S)
+ drm_mode_copy(&mode, E)
)

@@
struct drm_display_mode *mode;
@@
- &*mode
+ mode

Cc: Alain Volmat <alain.volmat@foss.st.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-8-ville.syrjala@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/sti/sti_dvo.c  | 2 +-
 drivers/gpu/drm/sti/sti_hda.c  | 2 +-
 drivers/gpu/drm/sti/sti_hdmi.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c
index e8c1ed08a9f7..4be5b5670599 100644
--- a/drivers/gpu/drm/sti/sti_dvo.c
+++ b/drivers/gpu/drm/sti/sti_dvo.c
@@ -296,7 +296,7 @@ static void sti_dvo_set_mode(struct drm_bridge *bridge,
 
 	DRM_DEBUG_DRIVER("\n");
 
-	memcpy(&dvo->mode, mode, sizeof(struct drm_display_mode));
+	drm_mode_copy(&dvo->mode, mode);
 
 	/* According to the path used (main or aux), the dvo clocks should
 	 * have a different parent clock. */
diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c
index 08808e3701de..cbceea7d4f87 100644
--- a/drivers/gpu/drm/sti/sti_hda.c
+++ b/drivers/gpu/drm/sti/sti_hda.c
@@ -528,7 +528,7 @@ static void sti_hda_set_mode(struct drm_bridge *bridge,
 
 	DRM_DEBUG_DRIVER("\n");
 
-	memcpy(&hda->mode, mode, sizeof(struct drm_display_mode));
+	drm_mode_copy(&hda->mode, mode);
 
 	if (!hda_get_mode_idx(hda->mode, &mode_idx)) {
 		DRM_ERROR("Undefined mode\n");
diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
index a5412a6fbeca..c450668883b5 100644
--- a/drivers/gpu/drm/sti/sti_hdmi.c
+++ b/drivers/gpu/drm/sti/sti_hdmi.c
@@ -848,7 +848,7 @@ static void sti_hdmi_set_mode(struct drm_bridge *bridge,
 	DRM_DEBUG_DRIVER("\n");
 
 	/* Copy the drm display mode in the connector local structure */
-	memcpy(&hdmi->mode, mode, sizeof(struct drm_display_mode));
+	drm_mode_copy(&hdmi->mode, mode);
 
 	/* Update clock framerate according to the selected mode */
 	ret = clk_set_rate(hdmi->clk_pix, mode->clock * 1000);
-- 
2.35.1





* [PATCH 4.9 198/251] md/raid1: stop mdx_raid1 thread when raid1 array run failed
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jiang Li, Song Liu, Sasha Levin

From: Jiang Li <jiang.li@ugreen.com>

[ Upstream commit b611ad14006e5be2170d9e8e611bf49dff288911 ]

Running the raid1 array fails when we assemble the array with only the inactive disk, but the mdx_raid1 thread was not stopped, even though the associated resources have been released. It will cause a NULL dereference when we do poweroff.

This causes the following Oops:
    [  287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070
    [  287.594762] #PF: supervisor read access in kernel mode
    [  287.599912] #PF: error_code(0x0000) - not-present page
    [  287.605061] PGD 0 P4D 0
    [  287.607612] Oops: 0000 [#1] SMP NOPTI
    [  287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G     U            5.10.146 #0
    [  287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022
    [  287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]
    [  287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......
    [  287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202
    [  287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000
    [  287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800
    [  287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff
    [  287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800
    [  287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500
    [  287.692052] FS:  0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000
    [  287.700149] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0
    [  287.713033] Call Trace:
    [  287.715498]  raid1d+0x6c/0xbbb [raid1]
    [  287.719256]  ? __schedule+0x1ff/0x760
    [  287.722930]  ? schedule+0x3b/0xb0
    [  287.726260]  ? schedule_timeout+0x1ed/0x290
    [  287.730456]  ? __switch_to+0x11f/0x400
    [  287.734219]  md_thread+0xe9/0x140 [md_mod]
    [  287.738328]  ? md_thread+0xe9/0x140 [md_mod]
    [  287.742601]  ? wait_woken+0x80/0x80
    [  287.746097]  ? md_register_thread+0xe0/0xe0 [md_mod]
    [  287.751064]  kthread+0x11a/0x140
    [  287.754300]  ? kthread_park+0x90/0x90
    [  287.757974]  ret_from_fork+0x1f/0x30

In fact, when the raid1 array run fails, we need to do
md_unregister_thread() before raid1_free().

Signed-off-by: Jiang Li <jiang.li@ugreen.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/raid1.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index 8a50da4f148f..26ae749184da 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -2964,6 +2964,7 @@ static int raid1_run(struct mddev *mddev)
 	 * RAID1 needs at least one disk in active
 	 */
 	if (conf->raid_disks - mddev->degraded < 1) {
+		md_unregister_thread(&conf->thread);
 		ret = -EINVAL;
 		goto abort;
 	}
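Review bot: the new md_unregister_thread(&conf->thread) covers only the `raid_disks - degraded < 1` failure; any other `goto abort` in raid1_run() reached after the thread was registered (outside this hunk) would leave the same running thread behind, so either move the unregister into the abort path itself or confirm this is the only exit after md_register_thread(). Also worth confirming in the changelog that md_unregister_thread() tolerates an already-NULL thread pointer if abort can be reached before registration.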
-- 
2.35.1





* [PATCH 4.9 199/251] mrp: introduce active flags to prevent UAF when applicant uninit
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+6fd64001c20aa99e34a4,
	Schspa Shi, David S. Miller, Sasha Levin

From: Schspa Shi <schspa@gmail.com>

[ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ]

The caller of del_timer_sync must prevent restarting of the timer. If
we do not have this synchronization, there is a small probability that the
cancellation will not be successful.

And syzbot reports the following crash:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]

CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
 show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x1a8/0x4a0 mm/kasan/report.c:395
 kasan_report+0x94/0xb4 mm/kasan/report.c:495
 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
 do_bad_area arch/arm64/mm/fault.c:473 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
 hlist_add_head include/linux/list.h:929 [inline]
 enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
 mod_timer+0x14/0x20 kernel/time/timer.c:1161
 mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
 mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
 expire_timers+0x98/0xc4 kernel/time/timer.c:1519

To fix it, we can introduce a new active flag to make sure the timer will
not restart.

Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com

Signed-off-by: Schspa Shi <schspa@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/mrp.h |  1 +
 net/802/mrp.c     | 18 +++++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/include/net/mrp.h b/include/net/mrp.h
index 31912c3be772..9338d6305159 100644
--- a/include/net/mrp.h
+++ b/include/net/mrp.h
@@ -119,6 +119,7 @@ struct mrp_applicant {
 	struct sk_buff		*pdu;
 	struct rb_root		mad;
 	struct rcu_head		rcu;
+	bool			active;
 };
 
 struct mrp_port {
diff --git a/net/802/mrp.c b/net/802/mrp.c
index 4ee3af3d400b..ac6b6374a1fc 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -610,7 +610,10 @@ static void mrp_join_timer(unsigned long data)
 	spin_unlock(&app->lock);
 
 	mrp_queue_xmit(app);
-	mrp_join_timer_arm(app);
+	spin_lock(&app->lock);
+	if (likely(app->active))
+		mrp_join_timer_arm(app);
+	spin_unlock(&app->lock);
 }
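Review bot: re-taking app->lock to test `active` before mrp_join_timer_arm() is the right shape (uninit clears the flag under the same lock, so a handler that already dropped the lock cannot re-arm after the flag is cleared), but mrp_join_timer_arm() is now called with app->lock held where it previously ran unlocked; confirm it only does mod_timer() and never takes app->lock itself or sleeps.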
 
 static void mrp_periodic_timer_arm(struct mrp_applicant *app)
@@ -624,11 +627,12 @@ static void mrp_periodic_timer(unsigned long data)
 	struct mrp_applicant *app = (struct mrp_applicant *)data;
 
 	spin_lock(&app->lock);
-	mrp_mad_event(app, MRP_EVENT_PERIODIC);
-	mrp_pdu_queue(app);
+	if (likely(app->active)) {
+		mrp_mad_event(app, MRP_EVENT_PERIODIC);
+		mrp_pdu_queue(app);
+		mrp_periodic_timer_arm(app);
+	}
 	spin_unlock(&app->lock);
-
-	mrp_periodic_timer_arm(app);
 }
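Review bot: moving mrp_periodic_timer_arm() inside the `if (likely(app->active))` block also moves it under app->lock, so the same "no lock recursion, no sleeping" check as for the join timer applies here; the net effect is that an inactive applicant's handler now does nothing but lock/unlock, which is what lets the del_timer_sync() in uninit find no re-armed timer.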
 
 static int mrp_pdu_parse_end_mark(struct sk_buff *skb, int *offset)
@@ -876,6 +880,7 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl)
 	app->dev = dev;
 	app->app = appl;
 	app->mad = RB_ROOT;
+	app->active = true;
 	spin_lock_init(&app->lock);
 	skb_queue_head_init(&app->queue);
 	rcu_assign_pointer(dev->mrp_port->applicants[appl->type], app);
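Review bot: `app->active = true` is written before spin_lock_init(); that is safe only because the applicant is not yet published (rcu_assign_pointer() comes after), but placing the assignment after the lock init would make the invariant "active is only written with the lock initialised and held" hold textually as well.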
@@ -905,6 +910,9 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
 
 	RCU_INIT_POINTER(port->applicants[appl->type], NULL);
 
+	spin_lock_bh(&app->lock);
+	app->active = false;
+	spin_unlock_bh(&app->lock);
 	/* Delete timer and generate a final TX event to flush out
 	 * all pending messages before the applicant is gone.
 	 */
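Review bot: the ordering here is what makes the fix work: `active = false` is published under app->lock before the del_timer_sync() calls that follow the comment, so a handler running concurrently sees the flag and does not re-arm; spin_lock_bh() is required in this process-context path because the timer handlers above take the same lock from softirq context with plain spin_lock(). A one-line comment above the new block stating that the flag must be cleared before del_timer_sync() would keep the ordering from being "cleaned up" later.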
-- 
2.35.1





* [PATCH 4.9 200/251] ppp: associate skb with a device at tx
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Mackerras, linux-ppp,
	syzbot+41cab52ab62ee99ed24a, Stanislav Fomichev, David S. Miller,
	Sasha Levin

From: Stanislav Fomichev <sdf@google.com>

[ Upstream commit 9f225444467b98579cf28d94f4ad053460dfdb84 ]

Syzkaller triggered flow dissector warning with the following:

r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0)
ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0))
ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]})
pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0)

[    9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0
[    9.485929]  skb_get_poff+0x53/0xa0
[    9.485937]  bpf_skb_get_pay_offset+0xe/0x20
[    9.485944]  ? ppp_send_frame+0xc2/0x5b0
[    9.485949]  ? _raw_spin_unlock_irqrestore+0x40/0x60
[    9.485958]  ? __ppp_xmit_process+0x7a/0xe0
[    9.485968]  ? ppp_xmit_process+0x5b/0xb0
[    9.485974]  ? ppp_write+0x12a/0x190
[    9.485981]  ? do_iter_write+0x18e/0x2d0
[    9.485987]  ? __import_iovec+0x30/0x130
[    9.485997]  ? do_pwritev+0x1b6/0x240
[    9.486016]  ? trace_hardirqs_on+0x47/0x50
[    9.486023]  ? __x64_sys_pwritev+0x24/0x30
[    9.486026]  ? do_syscall_64+0x3d/0x80
[    9.486031]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd

Flow dissector tries to find skb net namespace either via device
or via socket. Neither is set in ppp_send_frame, so let's manually
use ppp->dev.

Cc: Paul Mackerras <paulus@samba.org>
Cc: linux-ppp@vger.kernel.org
Reported-by: syzbot+41cab52ab62ee99ed24a@syzkaller.appspotmail.com
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ppp/ppp_generic.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 6287d2ad77c6..f6cf25cba16e 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1541,6 +1541,8 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
 	int len;
 	unsigned char *cp;
 
+	skb->dev = ppp->dev;
+
 	if (proto < 0x8000) {
 #ifdef CONFIG_PPP_FILTER
 		/* check if we should pass this packet */
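Review bot: `skb->dev = ppp->dev` is set unconditionally at the top of ppp_send_frame(), which covers the CONFIG_PPP_FILTER path the syzkaller repro exercises but also every other packet; confirm ppp->dev cannot be NULL on this path (for example during interface teardown), since the flow dissector will dereference skb->dev without a check. If it can be, setting it only inside the filter block with a NULL guard would be the safer shape.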
-- 
2.35.1





* [PATCH 4.9 201/251] media: dvb-frontends: fix leak of memory fw
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yan Lei, Mauro Carvalho Chehab, Sasha Levin

From: Yan Lei <yan_lei@dahuatech.com>

[ Upstream commit a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa ]

Link: https://lore.kernel.org/linux-media/20220410061925.4107-1-chinayanlei2002@163.com
Signed-off-by: Yan Lei <yan_lei@dahuatech.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/dvb-frontends/bcm3510.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/dvb-frontends/bcm3510.c b/drivers/media/dvb-frontends/bcm3510.c
index bb698839e477..fc1dbdfb0cba 100644
--- a/drivers/media/dvb-frontends/bcm3510.c
+++ b/drivers/media/dvb-frontends/bcm3510.c
@@ -648,6 +648,7 @@ static int bcm3510_download_firmware(struct dvb_frontend* fe)
 		deb_info("firmware chunk, addr: 0x%04x, len: 0x%04x, total length: 0x%04zx\n",addr,len,fw->size);
 		if ((ret = bcm3510_write_ram(st,addr,&b[i+4],len)) < 0) {
 			err("firmware download failed: %d\n",ret);
+			release_firmware(fw);
 			return ret;
 		}
 		i += 4 + len;
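Review bot: release_firmware(fw) on the write-failure return fixes the leak for this exit, but a function that returns early from inside its chunk loop usually has more than one such return; check the remaining early exits in bcm3510_download_firmware() (not in the hunk) and consider a single `out:` label that releases fw, so a future early return does not reintroduce the leak.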
-- 
2.35.1





* [PATCH 4.9 202/251] media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mazin Al Haddad,
	Mauro Carvalho Chehab, Sasha Levin, syzbot+f66dd31987e6740657be

From: Mazin Al Haddad <mazinalhaddad05@gmail.com>

[ Upstream commit 94d90fb06b94a90c176270d38861bcba34ce377d ]

Syzbot reports a memory leak in "dvb_usb_adapter_init()".
The leak is due to not accounting for and freeing current iteration's
adapter->priv in case of an error. Currently if an error occurs,
it will exit before incrementing "num_adapters_initalized",
which is used as a reference counter to free all adap->priv
in "dvb_usb_adapter_exit()". There are multiple error paths that
can exit from before incrementing the counter. Including the
error handling paths for "dvb_usb_adapter_stream_init()",
"dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()"
within "dvb_usb_adapter_init()".

This means that in case of an error in any of these functions the
current iteration is not accounted for and the current iteration's
adap->priv is not freed.

Fix this by freeing the current iteration's adap->priv in the
"stream_init_err:" label in the error path. The rest of the
(accounted for) adap->priv objects are freed in dvb_usb_adapter_exit()
as expected using the num_adapters_initalized variable.

Syzbot report:

BUG: memory leak
unreferenced object 0xffff8881172f1a00 (size 512):
  comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
backtrace:
    [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]
    [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
    [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
    [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883
    [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
    [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
    [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
    [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
    [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782
    [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899
    [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970
    [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
    [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405
    [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170
    [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
    [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
    [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
    [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
    [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
    [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752

Link: https://syzkaller.appspot.com/bug?extid=f66dd31987e6740657be
Reported-and-tested-by: syzbot+f66dd31987e6740657be@syzkaller.appspotmail.com

Link: https://lore.kernel.org/linux-media/20220824012152.539788-1-mazinalhaddad05@gmail.com
Signed-off-by: Mazin Al Haddad <mazinalhaddad05@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/dvb-usb/dvb-usb-init.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
index 690c1e06fbfa..28077f3c9edf 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
@@ -84,7 +84,7 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
 
 		ret = dvb_usb_adapter_stream_init(adap);
 		if (ret)
-			return ret;
+			goto stream_init_err;
 
 		ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
 		if (ret)
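Review bot: the new `goto stream_init_err` on the `dvb_usb_adapter_stream_init()` failure relies on `adap->priv` already being the allocation made earlier in this same loop iteration (the kzalloc at dvb-usb-init.c:75 in the syzbot trace, which is outside this hunk); the label frees whatever the pointer holds, so a one-line comment at the goto saying that priv is owned by the current iteration would make that contract explicit for anyone who later reorders the init steps.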
@@ -117,6 +117,8 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
 	dvb_usb_adapter_dvb_exit(adap);
 dvb_init_err:
 	dvb_usb_adapter_stream_exit(adap);
+stream_init_err:
+	kfree(adap->priv);
 	return ret;
 }
 
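Review bot: `kfree(adap->priv)` under the new `stream_init_err:` label leaves `adap->priv` dangling, and because `dvb_init_err:` and the label above it fall through into it, every error exit of this function now frees the pointer without resetting it. Adding `adap->priv = NULL;` after the `kfree()` costs one line and guarantees that a later teardown walking the adapter array cannot free it again; the commit message says `dvb_usb_adapter_exit()` skips this slot via the initialized-adapter count, but that invariant lives outside this hunk.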
-- 
2.35.1


* [PATCH 4.9 203/251] blk-mq: fix possible memleak when register hctx failed
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 202/251] media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 204/251] mmc: f-sdh30: Add quirks for broken timeout clock capability Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ye Bin, Ming Lei, Jens Axboe, Sasha Levin

From: Ye Bin <yebin10@huawei.com>

[ Upstream commit 4b7a21c57b14fbcd0e1729150189e5933f5088e9 ]

There's an issue as follows when doing a fault injection test:
unreferenced object 0xffff888132a9f400 (size 512):
  comm "insmod", pid 308021, jiffies 4324277909 (age 509.733s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff  ...........2....
    08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00  ...2............
  backtrace:
    [<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0
    [<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0
    [<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230
    [<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910
    [<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0
    [<00000000a2a34657>] 0xffffffffa2ad310f
    [<00000000b173f718>] 0xffffffffa2af824a
    [<0000000095a1dabb>] do_one_initcall+0x87/0x2a0
    [<00000000f32fdf93>] do_init_module+0xdf/0x320
    [<00000000cbe8541e>] load_module+0x3006/0x3390
    [<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0
    [<00000000a1a29ae8>] do_syscall_64+0x35/0x80
    [<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

Fault injection context as follows:
 kobject_add
 blk_mq_register_hctx
 blk_mq_sysfs_register
 blk_register_queue
 device_add_disk
 null_add_dev.part.0 [null_blk]

As 'blk_mq_register_hctx' may already have added some objects when it fails
halfway, but there is no fallback, the caller doesn't know which objects failed
to be added. To solve the above issue, just do the fallback when adding objects
fails halfway in 'blk_mq_register_hctx'.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20221117022940.873959-1-yebin@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-mq-sysfs.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
index 5b64d9d7d147..fc9362e0a118 100644
--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -380,7 +380,7 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
 {
 	struct request_queue *q = hctx->queue;
 	struct blk_mq_ctx *ctx;
-	int i, ret;
+	int i, j, ret;
 
 	if (!hctx->nr_ctx)
 		return 0;
@@ -392,9 +392,16 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
 	hctx_for_each_ctx(hctx, ctx, i) {
 		ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu);
 		if (ret)
-			break;
+			goto out;
 	}
 
+	return 0;
+out:
+	hctx_for_each_ctx(hctx, ctx, j) {
+		if (j < i)
+			kobject_del(&ctx->kobj);
+	}
+	kobject_del(&hctx->kobj);
 	return ret;
 }
 
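Review bot: the rollback loop under `out:` depends on `i` still holding the index of the `kobject_add()` that failed; that holds because `hctx_for_each_ctx()` is a `for` over `i` and the `goto` leaves it untouched, but a short comment above the `j < i` loop would protect the next person who changes the macro. `kobject_del()` is the correct inverse of `kobject_add()` and does not drop the kobject reference, so the final `kobject_del(&hctx->kobj)` is right provided the hctx kobject was added just above this hunk (not shown); the reviewer should confirm that no other caller already removes it on this error path, or the del runs twice.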
-- 
2.35.1


* [PATCH 4.9 204/251] mmc: f-sdh30: Add quirks for broken timeout clock capability
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 203/251] blk-mq: fix possible memleak when register hctx failed Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 205/251] media: si470x: Fix use-after-free in si470x_int_in_callback() Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kunihiko Hayashi, Jassi Brar,
	Ulf Hansson, Sasha Levin

From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>

[ Upstream commit aae9d3a440736691b3c1cb09ae2c32c4f1ee2e67 ]

There is a case where the timeout clock is not supplied to the capability.
Add a quirk for that.

Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Acked-by: Jassi Brar <jaswinder.singh@linaro.org>
Link: https://lore.kernel.org/r/20221111081033.3813-7-hayashi.kunihiko@socionext.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/sdhci_f_sdh30.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mmc/host/sdhci_f_sdh30.c b/drivers/mmc/host/sdhci_f_sdh30.c
index 111b66f5439b..43e787954293 100644
--- a/drivers/mmc/host/sdhci_f_sdh30.c
+++ b/drivers/mmc/host/sdhci_f_sdh30.c
@@ -180,6 +180,9 @@ static int sdhci_f_sdh30_probe(struct platform_device *pdev)
 	if (reg & SDHCI_CAN_DO_8BIT)
 		priv->vendor_hs200 = F_SDH30_EMMC_HS200;
 
+	if (!(reg & SDHCI_TIMEOUT_CLK_MASK))
+		host->quirks |= SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK;
+
 	ret = sdhci_add_host(host);
 	if (ret)
 		goto err_add_host;
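Review bot: the new `if (!(reg & SDHCI_TIMEOUT_CLK_MASK))` check needs a one-line comment; the commit message only says the timeout clock "is not supplied to the capability", so the next reader has to know that a zero timeout-clock frequency field in the capabilities register is what forces the data timeout to be derived from SDCLK via `SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK`. Naming the affected platform in the commit message would also help anyone bisecting a data-timeout regression on other F_SDH30 users.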
-- 
2.35.1


* [PATCH 4.9 205/251] media: si470x: Fix use-after-free in si470x_int_in_callback()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 204/251] mmc: f-sdh30: Add quirks for broken timeout clock capability Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 206/251] clk: st: Fix memory leak in st_of_quadfs_setup() Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+9ca7a12fd736d93e0232,
	Shigeru Yoshida, Hans Verkuil, Sasha Levin

From: Shigeru Yoshida <syoshida@redhat.com>

[ Upstream commit 7d21e0b1b41b21d628bf2afce777727bd4479aa5 ]

syzbot reported use-after-free in si470x_int_in_callback() [1].  This
indicates that urb->context, which contains struct si470x_device
object, is freed when si470x_int_in_callback() is called.

The cause of this issue is that si470x_int_in_callback() is called for a
freed urb.

si470x_usb_driver_probe() calls si470x_start_usb(), which then calls
usb_submit_urb() and si470x_start().  If si470x_start_usb() fails,
si470x_usb_driver_probe() doesn't kill urb, but it just frees struct
si470x_device object, as depicted below:

si470x_usb_driver_probe()
  ...
  si470x_start_usb()
    ...
    usb_submit_urb()
    retval = si470x_start()
    return retval
  if (retval < 0)
    free struct si470x_device object, but don't kill urb

This patch fixes this issue by killing urb when si470x_start_usb()
fails and urb is submitted.  If si470x_start_usb() fails and urb is
not submitted, i.e. submitting usb fails, it just frees struct
si470x_device object.

Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=94ed6dddd5a55e90fd4bab942aa4bb297741d977 [1]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/radio/si470x/radio-si470x-usb.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index a8a0ff9a1f83..6724c5287cc3 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -741,8 +741,10 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 
 	/* start radio */
 	retval = si470x_start_usb(radio);
-	if (retval < 0)
+	if (retval < 0 && !radio->int_in_running)
 		goto err_buf;
+	else if (retval < 0)	/* in case of radio->int_in_running == 1 */
+		goto err_all;
 
 	/* set initial frequency */
 	si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
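Review bot: the two-branch test on `retval < 0` after `si470x_start_usb()` reads awkwardly, with the `else if` carrying the interesting condition only in a trailing comment; a single `if (retval < 0)` that then branches on `radio->int_in_running` (`goto err_all` when the URB was submitted, `goto err_buf` otherwise) says the same thing without evaluating `retval < 0` twice. The fix also assumes the `err_all` label reaches the `usb_kill_urb()` the commit message describes; that label is outside this hunk, so it should be confirmed rather than inferred.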
-- 
2.35.1


* [PATCH 4.9 206/251] clk: st: Fix memory leak in st_of_quadfs_setup()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 205/251] media: si470x: Fix use-after-free in si470x_int_in_callback() Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 207/251] drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Patrice Chotard,
	Stephen Boyd, Sasha Levin

From: Xiu Jianfeng <xiujianfeng@huawei.com>

[ Upstream commit cfd3ffb36f0d566846163118651d868e607300ba ]

If st_clk_register_quadfs_pll() fails, @lock should be freed before going to
@err_exit, otherwise it will cause a memory leak issue; fix it.

Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Link: https://lore.kernel.org/r/20221122133614.184910-1-xiujianfeng@huawei.com
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/st/clkgen-fsyn.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c
index 14819d919df1..715c5d3a5cde 100644
--- a/drivers/clk/st/clkgen-fsyn.c
+++ b/drivers/clk/st/clkgen-fsyn.c
@@ -948,9 +948,10 @@ static void __init st_of_quadfs_setup(struct device_node *np,
 
 	clk = st_clk_register_quadfs_pll(pll_name, clk_parent_name, data,
 			reg, lock);
-	if (IS_ERR(clk))
+	if (IS_ERR(clk)) {
+		kfree(lock);
 		goto err_exit;
-	else
+	} else
 		pr_debug("%s: parent %s rate %u\n",
 			__clk_get_name(clk),
 			__clk_get_name(clk_get_parent(clk)),
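Review bot: `} else` after the braced `if (IS_ERR(clk)) { kfree(lock); goto err_exit; }` is both a style problem (checkpatch wants braces on both branches once one branch has them) and redundant, since the `goto` already leaves the block; dropping the `else` and letting the `pr_debug()` follow the closing brace is cleaner. Freeing `lock` here is correct, but it is worth checking that the shared `err_exit` path (outside the hunk) does not also reference or free `lock` for later failures.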
-- 
2.35.1


* [PATCH 4.9 207/251] drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 206/251] clk: st: Fix memory leak in st_of_quadfs_setup() Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 208/251] drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sami Tolvanen, Nathan Chancellor,
	Kees Cook, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit 96d845a67b7e406cfed7880a724c8ca6121e022e ]

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:

  drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c:74:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .mode_valid = fsl_dcu_drm_connector_mode_valid,
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  1 error generated.

->mode_valid() in 'struct drm_connector_helper_funcs' expects a return
type of 'enum drm_mode_status', not 'int'. Adjust the return type of
fsl_dcu_drm_connector_mode_valid() to match the prototype's to resolve
the warning and CFI failure.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reported-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102154215.78059-1-nathan@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
index e1dd75b18118..5993d6ac85e6 100644
--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
+++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
@@ -90,8 +90,9 @@ static int fsl_dcu_drm_connector_get_modes(struct drm_connector *connector)
 	return num_modes;
 }
 
-static int fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector,
-					    struct drm_display_mode *mode)
+static enum drm_mode_status
+fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector,
+				 struct drm_display_mode *mode)
 {
 	if (mode->hdisplay & 0xf)
 		return MODE_ERROR;
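Review bot: changing the return type to `enum drm_mode_status` is complete only if every `return` in `fsl_dcu_drm_connector_mode_valid()` yields a `drm_mode_status` value; the hunk shows just `return MODE_ERROR;`, and a bare integer return elsewhere in the body would convert silently, so the rest of the function (outside this hunk) should be read rather than trusted to the compiler. The three-line signature split is standard kernel style for a long return type, so no complaint there.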
-- 
2.35.1


* [PATCH 4.9 208/251] drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 207/251] drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 209/251] orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Kees Cook, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit 0ad811cc08a937d875cbad0149c1bab17f84ba05 ]

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:

  drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .mode_valid = sti_hda_connector_mode_valid,
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
  drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .mode_valid = sti_dvo_connector_mode_valid,
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
  drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .mode_valid = sti_hdmi_connector_mode_valid,
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

->mode_valid() in 'struct drm_connector_helper_funcs' expects a return
type of 'enum drm_mode_status', not 'int'. Adjust the return type of
sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to
resolve the warning and CFI failure.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102155623.3042869-1-nathan@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/sti/sti_dvo.c  | 5 +++--
 drivers/gpu/drm/sti/sti_hda.c  | 5 +++--
 drivers/gpu/drm/sti/sti_hdmi.c | 5 +++--
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c
index 4be5b5670599..10e33a89b74c 100644
--- a/drivers/gpu/drm/sti/sti_dvo.c
+++ b/drivers/gpu/drm/sti/sti_dvo.c
@@ -354,8 +354,9 @@ static int sti_dvo_connector_get_modes(struct drm_connector *connector)
 
 #define CLK_TOLERANCE_HZ 50
 
-static int sti_dvo_connector_mode_valid(struct drm_connector *connector,
-					struct drm_display_mode *mode)
+static enum drm_mode_status
+sti_dvo_connector_mode_valid(struct drm_connector *connector,
+			     struct drm_display_mode *mode)
 {
 	int target = mode->clock * 1000;
 	int target_min = target - CLK_TOLERANCE_HZ;
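Review bot: every `return` in `sti_dvo_connector_mode_valid()` must now produce an `enum drm_mode_status` value, and the body, which starts by computing `target` and `target_min` from `mode->clock`, lies outside the diff; a bare `return 0;` or `return -EINVAL;` would still compile, so the reviewer should read the full function rather than rely on the warning. The same check applies to the hda and hdmi hunks below in this patch.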
diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c
index cbceea7d4f87..1c36758660f5 100644
--- a/drivers/gpu/drm/sti/sti_hda.c
+++ b/drivers/gpu/drm/sti/sti_hda.c
@@ -606,8 +606,9 @@ static int sti_hda_connector_get_modes(struct drm_connector *connector)
 
 #define CLK_TOLERANCE_HZ 50
 
-static int sti_hda_connector_mode_valid(struct drm_connector *connector,
-					struct drm_display_mode *mode)
+static enum drm_mode_status
+sti_hda_connector_mode_valid(struct drm_connector *connector,
+			     struct drm_display_mode *mode)
 {
 	int target = mode->clock * 1000;
 	int target_min = target - CLK_TOLERANCE_HZ;
diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
index c450668883b5..28186bcc8139 100644
--- a/drivers/gpu/drm/sti/sti_hdmi.c
+++ b/drivers/gpu/drm/sti/sti_hdmi.c
@@ -906,8 +906,9 @@ static int sti_hdmi_connector_get_modes(struct drm_connector *connector)
 
 #define CLK_TOLERANCE_HZ 50
 
-static int sti_hdmi_connector_mode_valid(struct drm_connector *connector,
-					struct drm_display_mode *mode)
+static enum drm_mode_status
+sti_hdmi_connector_mode_valid(struct drm_connector *connector,
+			      struct drm_display_mode *mode)
 {
 	int target = mode->clock * 1000;
 	int target_min = target - CLK_TOLERANCE_HZ;
-- 
2.35.1


* [PATCH 4.9 209/251] orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 208/251] drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 210/251] ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Mike Marshall, Sasha Levin

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

[ Upstream commit d23417a5bf3a3afc55de5442eb46e1e60458b0a1 ]

When inserting and removing the orangefs module, debug_help_string will
be leaked:

  unreferenced object 0xffff8881652ba000 (size 4096):
    comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s)
    hex dump (first 32 bytes):
      43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79  Client Debug Key
      77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77  words are unknow
    backtrace:
      [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0
      [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs]
      [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t]
      [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0
      [<000000001d0614ae>] do_init_module+0xdf/0x320
      [<00000000efef068c>] load_module+0x2f98/0x3330
      [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0
      [<00000000a0da6f99>] do_syscall_64+0x35/0x80
      [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

When removing the module, debug_help_string should always be freed. The
allocated buffer should always be freed when changing the free_debug_help_string.

Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/orangefs/orangefs-debugfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index 7d7df003f9d8..401d70944e49 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -253,6 +253,8 @@ static int orangefs_kernel_debug_init(void)
 void orangefs_debugfs_cleanup(void)
 {
 	debugfs_remove_recursive(debug_dir);
+	kfree(debug_help_string);
+	debug_help_string = NULL;
 }
 
 /* open ORANGEFS_KMOD_DEBUG_HELP_FILE */
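Review bot: `kfree(debug_help_string)` in `orangefs_debugfs_cleanup()` runs without `orangefs_help_file_lock`, while the writer in `orangefs_prepare_debugfs_help_string()` (second hunk) touches the same buffer under that mutex. That is safe only because cleanup runs after `debugfs_remove_recursive(debug_dir)` has removed every reader of the help file and no further prepare call can be in flight; a comment stating that ordering, or taking the mutex around the kfree, would stop someone from reordering these lines later.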
@@ -706,6 +708,7 @@ int orangefs_prepare_debugfs_help_string(int at_boot)
 		memset(debug_help_string, 0, DEBUG_HELP_STRING_SIZE);
 		strlcat(debug_help_string, new, string_size);
 		mutex_unlock(&orangefs_help_file_lock);
+		kfree(new);
 	}
 
 	rc = 0;
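Review bot: `kfree(new)` after `mutex_unlock()` is correct, since `strlcat()` has already copied `new` into `debug_help_string`; but it sits inside a conditional block, so the path where this block is not taken (outside the hunk) needs the same release, or a comment saying `new` is consumed there, otherwise the leak only moves to the other branch.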
-- 
2.35.1


* [PATCH 4.9 210/251] ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 209/251] orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 211/251] ASoC: wm8994: Fix potential deadlock Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Yufen, Mark Brown, Sasha Levin

From: Wang Yufen <wangyufen@huawei.com>

[ Upstream commit 3327d721114c109ba0575f86f8fda3b525404054 ]

The node returned by of_parse_phandle() has its refcount incremented, so
of_node_put() needs to be called when finished using it. So add it in the
error path in mt8173_rt5650_rt5514_dev_probe().

Fixes: 0d1d7a664288 ("ASoC: mediatek: Refine mt8173 driver and change config option")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Link: https://lore.kernel.org/r/1670234664-24246-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
index 52fdd766ee82..8fbc59199d58 100644
--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
+++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
@@ -209,14 +209,16 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev)
 	if (!mt8173_rt5650_rt5514_codecs[0].of_node) {
 		dev_err(&pdev->dev,
 			"Property 'audio-codec' missing or invalid\n");
-		return -EINVAL;
+		ret = -EINVAL;
+		goto out;
 	}
 	mt8173_rt5650_rt5514_codecs[1].of_node =
 		of_parse_phandle(pdev->dev.of_node, "mediatek,audio-codec", 1);
 	if (!mt8173_rt5650_rt5514_codecs[1].of_node) {
 		dev_err(&pdev->dev,
 			"Property 'audio-codec' missing or invalid\n");
-		return -EINVAL;
+		ret = -EINVAL;
+		goto out;
 	}
 	mt8173_rt5650_rt5514_codec_conf[0].of_node =
 		mt8173_rt5650_rt5514_codecs[1].of_node;
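Review bot: the second `goto out` (when `mt8173_rt5650_rt5514_codecs[1].of_node` is NULL) drops only `platform_node`; the reference that the preceding check has just confirmed in `codecs[0].of_node` is not released on that path. If `codecs[0].of_node` is obtained with `of_parse_phandle()` as well (its assignment is just above this hunk's context), an `of_node_put(mt8173_rt5650_rt5514_codecs[0].of_node)` before the second `goto out`, or a dedicated label, is needed for the fix to be complete.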
@@ -229,6 +231,7 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev)
 		dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
 			__func__, ret);
 
+out:
 	of_node_put(platform_node);
 	return ret;
 }
-- 
2.35.1


* [PATCH 4.9 211/251] ASoC: wm8994: Fix potential deadlock
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 210/251] ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 212/251] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Charles Keepax,
	Mark Brown, Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit 9529dc167ffcdfd201b9f0eda71015f174095f7e ]

Fix this by dropping wm8994->accdet_lock while calling
cancel_delayed_work_sync(&wm8994->mic_work) in wm1811_jackdet_irq().

Fixes: c0cc3f166525 ("ASoC: wm8994: Allow a delay between jack insertion and microphone detect")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20221209091657.1183-1-m.szyprowski@samsung.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/wm8994.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c
index f289762cd676..1feeeed4bfb2 100644
--- a/sound/soc/codecs/wm8994.c
+++ b/sound/soc/codecs/wm8994.c
@@ -3704,7 +3704,12 @@ static irqreturn_t wm1811_jackdet_irq(int irq, void *data)
 	} else {
 		dev_dbg(codec->dev, "Jack not detected\n");
 
+		/* Release wm8994->accdet_lock to avoid deadlock:
+		 * cancel_delayed_work_sync() takes wm8994->mic_work internal
+		 * lock and wm1811_mic_work takes wm8994->accdet_lock */
+		mutex_unlock(&wm8994->accdet_lock);
 		cancel_delayed_work_sync(&wm8994->mic_work);
+		mutex_lock(&wm8994->accdet_lock);
 
 		snd_soc_update_bits(codec, WM8958_MICBIAS2,
 				    WM8958_MICB2_DISCH, WM8958_MICB2_DISCH);
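Review bot: dropping `wm8994->accdet_lock` around `cancel_delayed_work_sync()` opens a window in the jack-removed branch in which another path can take the lock and change accessory-detection state; anything read under the lock before the `mutex_unlock()` (including the condition that selected this branch) must be treated as stale once `mutex_lock()` re-acquires it, and the `snd_soc_update_bits()` calls that follow should only depend on state re-read afterwards, or on the hardware register itself. Also, kernel style puts the closing `*/` of a multi-line comment on its own line.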
-- 
2.35.1


* [PATCH 4.9 212/251] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 211/251] ASoC: wm8994: Fix potential deadlock Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 213/251] ASoC: rt5670: Remove unbalanced pm_runtime_put() Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Jingjin, Mark Brown, Sasha Levin

From: Wang Jingjin <wangjingjin1@huawei.com>

[ Upstream commit 6d94d0090527b1763872275a7ccd44df7219b31e ]

rk_spdif_runtime_resume() may have called clk_prepare_enable() before return
from failed branches, add missing clk_disable_unprepare() in this case.

Fixes: f874b80e1571 ("ASoC: rockchip: Add rockchip SPDIF transceiver driver")
Signed-off-by: Wang Jingjin <wangjingjin1@huawei.com>
Link: https://lore.kernel.org/r/20221208063900.4180790-1-wangjingjin1@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/rockchip/rockchip_spdif.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/rockchip/rockchip_spdif.c b/sound/soc/rockchip/rockchip_spdif.c
index f387d7bae3d4..e4073c48faf6 100644
--- a/sound/soc/rockchip/rockchip_spdif.c
+++ b/sound/soc/rockchip/rockchip_spdif.c
@@ -85,6 +85,7 @@ static int __maybe_unused rk_spdif_runtime_resume(struct device *dev)
 
 	ret = clk_prepare_enable(spdif->hclk);
 	if (ret) {
+		clk_disable_unprepare(spdif->mclk);
 		dev_err(spdif->dev, "hclk clock enable failed %d\n", ret);
 		return ret;
 	}
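Review bot: the added `clk_disable_unprepare(spdif->mclk)` assumes `spdif->mclk` was prepared and enabled immediately before the `hclk` call (outside the hunk, as the commit message says), so it is correct as an undo; swapping it with the `dev_err()` so the message is logged first and the cleanup follows matches the usual kernel error-path layout and keeps the log line next to the failing call.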
-- 
2.35.1


* [PATCH 4.9 213/251] ASoC: rt5670: Remove unbalanced pm_runtime_put()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2023-01-05 12:55 ` [PATCH 4.9 212/251] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() Greg Kroah-Hartman
@ 2023-01-05 12:55 ` Greg Kroah-Hartman
  2023-01-05 12:55 ` [PATCH 4.9 214/251] HID: wacom: Ensure bootloader PID is usable in hidraw mode Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hans de Goede, Mark Brown, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 6c900dcc3f7331a67ed29739d74524e428d137fb ]

For some reason rt5670_i2c_probe() does a pm_runtime_put() at the end
of a successful probe. But it has never done a pm_runtime_get() leading
to the following error being logged into dmesg:

 rt5670 i2c-10EC5640:00: Runtime PM usage count underflow!

Fix this by removing the unnecessary pm_runtime_put().

Fixes: 64e89e5f5548 ("ASoC: rt5670: Add runtime PM support")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20221213123319.11285-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/rt5670.c |    2 --
 1 file changed, 2 deletions(-)

--- a/sound/soc/codecs/rt5670.c
+++ b/sound/soc/codecs/rt5670.c
@@ -3028,8 +3028,6 @@ static int rt5670_i2c_probe(struct i2c_c
 	if (ret < 0)
 		goto err;
 
-	pm_runtime_put(&i2c->dev);
-
 	return 0;
 err:
 	pm_runtime_disable(&i2c->dev);
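Review bot: removing the put is the right fix rather than adding a matching pm_runtime_get(), because pm_runtime_enable() (whose counterpart pm_runtime_disable() is visible in the err path) takes no usage-count reference by itself; after this change the count stays at zero at the end of probe, so the codec may runtime-suspend as soon as the core allows. A one-line comment where the put used to be, saying there is no get to balance, would stop someone "restoring" it later.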




* [PATCH 4.9 214/251] HID: wacom: Ensure bootloader PID is usable in hidraw mode
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jason Gerecke, Tatsunosuke Tobita,
	Jiri Kosina

From: Jason Gerecke <killertofu@gmail.com>

commit 1db1f392591aff13fd643f0ec7c1d5e27391d700 upstream.

Some Wacom devices have a special "bootloader" mode that is used for
firmware flashing. When operating in this mode, the device cannot be
used for input, and the HID descriptor is not able to be processed by
the driver. The driver generates an "Unknown device_type" warning and
then returns an error code from wacom_probe(). This is a problem because
userspace still needs to be able to interact with the device via hidraw
to perform the firmware flash.

This commit adds a non-generic device definition for 056a:0094 which
is used when devices are in "bootloader" mode. It marks the devices
with a special BOOTLOADER type that is recognized by wacom_probe() and
wacom_raw_event(). When we see this type we ensure a hidraw device is
created and otherwise keep our hands off so that userspace is in full
control.

Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Tested-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom_sys.c |    8 ++++++++
 drivers/hid/wacom_wac.c |    4 ++++
 drivers/hid/wacom_wac.h |    1 +
 3 files changed, 13 insertions(+)

--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -69,6 +69,9 @@ static int wacom_raw_event(struct hid_de
 {
 	struct wacom *wacom = hid_get_drvdata(hdev);
 
+	if (wacom->wacom_wac.features.type == BOOTLOADER)
+		return 0;
+
 	if (size > WACOM_PKGLEN_MAX)
 		return 1;
 
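Review bot: returning 0 here, rather than 1 as the WACOM_PKGLEN_MAX check below does, is what keeps hid core forwarding the report on to hidraw; a one-line comment saying so would stop a future reader from "fixing" it to return 1, which would silently starve the firmware-flash tool of data. It also means the size check is bypassed in this mode, which is fine because the driver parses nothing, but worth stating in that comment.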
@@ -2409,6 +2412,11 @@ static int wacom_probe(struct hid_device
 		goto fail;
 	}
 
+	if (features->type == BOOTLOADER) {
+		hid_warn(hdev, "Using device in hidraw-only mode");
+		return hid_hw_start(hdev, HID_CONNECT_HIDRAW);
+	}
+
 	error = wacom_parse_and_register(wacom, false);
 	if (error)
 		goto fail;
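Review bot: the BOOTLOADER branch returns hid_hw_start()'s result directly instead of taking the `goto fail` path that the surrounding error handling uses (visible just above and below), so whatever `fail:` unwinds for the other errors in wacom_probe() is skipped when hid_hw_start() fails. Suggest `error = hid_hw_start(hdev, HID_CONNECT_HIDRAW); if (error) goto fail; return 0;`. Please also confirm wacom_remove() copes with a device that never went through wacom_parse_and_register().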
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -3550,6 +3550,9 @@ static const struct wacom_features wacom
 static const struct wacom_features wacom_features_HID_ANY_ID =
 	{ "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID };
 
+static const struct wacom_features wacom_features_0x94 =
+	{ "Wacom Bootloader", .type = BOOTLOADER };
+
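Review bot: every field other than .type is left zero in wacom_features_0x94, so any code that reaches x_max/y_max, pktlen or the device_type flags for this device has to be fenced off by the BOOTLOADER checks; a short comment on the entry saying the zeros are deliberate, and that the device must never reach the input paths, documents that contract for the next person adding a type.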
 #define USB_DEVICE_WACOM(prod)						\
 	HID_DEVICE(BUS_USB, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\
 	.driver_data = (kernel_ulong_t)&wacom_features_##prod
@@ -3623,6 +3626,7 @@ const struct hid_device_id wacom_ids[] =
 	{ USB_DEVICE_WACOM(0x84) },
 	{ USB_DEVICE_WACOM(0x90) },
 	{ USB_DEVICE_WACOM(0x93) },
+	{ USB_DEVICE_WACOM(0x94) },
 	{ USB_DEVICE_WACOM(0x97) },
 	{ USB_DEVICE_WACOM(0x9A) },
 	{ USB_DEVICE_WACOM(0x9F) },
--- a/drivers/hid/wacom_wac.h
+++ b/drivers/hid/wacom_wac.h
@@ -154,6 +154,7 @@ enum {
 	MTTPC,
 	MTTPC_B,
 	HID_GENERIC,
+	BOOTLOADER,
 	MAX_TYPE
 };
 




* [PATCH 4.9 215/251] reiserfs: Add missing calls to reiserfs_security_free()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeff Mahoney, Tetsuo Handa,
	Mimi Zohar, Roberto Sassu, Paul Moore

From: Roberto Sassu <roberto.sassu@huawei.com>

commit 572302af1258459e124437b8f3369357447afac7 upstream.

Commit 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes
during inode creation") defined reiserfs_security_free() to free the name
and value of a security xattr allocated by the active LSM through
security_old_inode_init_security(). However, this function is not called
in the reiserfs code.

Thus, add a call to reiserfs_security_free() whenever
reiserfs_security_init() is called, and initialize value to NULL, to avoid
to call kfree() on an uninitialized pointer.

Finally, remove the kfree() for the xattr name, as it is not allocated
anymore.

Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation")
Cc: stable@vger.kernel.org
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: Mimi Zohar <zohar@linux.ibm.com>
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/reiserfs/namei.c          |    4 ++++
 fs/reiserfs/xattr_security.c |    2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -695,6 +695,7 @@ static int reiserfs_create(struct inode
 
 out_failed:
 	reiserfs_write_unlock(dir->i_sb);
+	reiserfs_security_free(&security);
 	return retval;
 }
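Review bot: reiserfs_security_free(&security) now runs on every exit through out_failed, success path included, which is fine provided `security` has been through reiserfs_security_init() (which clears name and value) before any `goto out_failed`; if any error path jumps here earlier, kfree() sees an uninitialised stack pointer. Please confirm that, or zero-initialise the handle at its declaration (`struct reiserfs_security_handle security = {};`) so it holds by construction. The same remark applies to the mknod, mkdir and symlink hunks below.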
 
@@ -778,6 +779,7 @@ static int reiserfs_mknod(struct inode *
 
 out_failed:
 	reiserfs_write_unlock(dir->i_sb);
+	reiserfs_security_free(&security);
 	return retval;
 }
 
@@ -876,6 +878,7 @@ static int reiserfs_mkdir(struct inode *
 	retval = journal_end(&th);
 out_failed:
 	reiserfs_write_unlock(dir->i_sb);
+	reiserfs_security_free(&security);
 	return retval;
 }
 
@@ -1191,6 +1194,7 @@ static int reiserfs_symlink(struct inode
 	retval = journal_end(&th);
 out_failed:
 	reiserfs_write_unlock(parent_dir->i_sb);
+	reiserfs_security_free(&security);
 	return retval;
 }
 
--- a/fs/reiserfs/xattr_security.c
+++ b/fs/reiserfs/xattr_security.c
@@ -48,6 +48,7 @@ int reiserfs_security_init(struct inode
 	int error;
 
 	sec->name = NULL;
+	sec->value = NULL;
 
 	/* Don't add selinux attributes on xattrs - they'll never get used */
 	if (IS_PRIVATE(dir))
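Review bot: with name and value now cleared up front, sec->length is the one member still left undefined on the IS_PRIVATE early return; adding `sec->length = 0;` here keeps the handle fully initialised whatever path it takes, at no cost.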
@@ -93,7 +94,6 @@ int reiserfs_security_write(struct reise
 
 void reiserfs_security_free(struct reiserfs_security_handle *sec)
 {
-	kfree(sec->name);
 	kfree(sec->value);
 	sec->name = NULL;
 	sec->value = NULL;
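Review bot: dropping kfree(sec->name) means the name is no longer owned by reiserfs; a comment here or on reiserfs_security_handle saying the name belongs to the LSM and must not be freed would stop the kfree() from being reintroduced. Keeping `sec->name = NULL` is still correct, since the handle may be inspected after free.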




* [PATCH 4.9 216/251] iio: adc: ad_sigma_delta: do not use internal iio_dev lock
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nuno Sá,
	Miquel Raynal, Jonathan Cameron, Stable

From: Nuno Sá <nuno.sa@analog.com>

commit 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 upstream.

Drop 'mlock' usage by making use of iio_device_claim_direct_mode().
This change actually makes sure we cannot do a single conversion while
buffering is enable. Note there was a potential race in the previous
code since we were only acquiring the lock after checking if the bus is
enabled.

Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Cc: <Stable@vger.kernel.org> #No rush as race is very old.
Link: https://lore.kernel.org/r/20220920112821.975359-2-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/ad_sigma_delta.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -282,10 +282,10 @@ int ad_sigma_delta_single_conversion(str
 	unsigned int sample, raw_sample;
 	int ret = 0;
 
-	if (iio_buffer_enabled(indio_dev))
-		return -EBUSY;
+	ret = iio_device_claim_direct_mode(indio_dev);
+	if (ret)
+		return ret;
 
-	mutex_lock(&indio_dev->mlock);
 	ad_sigma_delta_set_channel(sigma_delta, chan->address);
 
 	spi_bus_lock(sigma_delta->spi->master);
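Review bot: `int ret = 0;` above is now a dead initialisation, since ret is assigned by iio_device_claim_direct_mode() on the very next line; drop the `= 0`. Functionally this is the right shape: the claim is taken under the core's lock, which closes the window between the old iio_buffer_enabled() test and mutex_lock() where a buffer could be enabled, and it still reports -EBUSY in that case, so callers see the same error as before.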
@@ -319,7 +319,7 @@ out:
 	ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
 	sigma_delta->bus_locked = false;
 	spi_bus_unlock(sigma_delta->spi->master);
-	mutex_unlock(&indio_dev->mlock);
+	iio_device_release_direct_mode(indio_dev);
 
 	if (ret)
 		return ret;
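Review bot: the release lives at `out:`, so every error between the claim and this label must reach it by goto rather than returning directly; the hunk only shows the out: path, so please double-check the body of ad_sigma_delta_single_conversion() for early returns after the claim, since a leaked claim leaves the device unable to enable a buffer afterwards.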




* [PATCH 4.9 217/251] gcov: add support for checksum field
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rickard x Andersson,
	Peter Oberparleiter, Martin Liska, Andrew Morton

From: Rickard x Andersson <rickaran@axis.com>

commit e96b95c2b7a63a454b6498e2df67aac14d046d13 upstream.

In GCC version 12.1 a checksum field was added.

This patch fixes a kernel crash occurring during boot when using
gcov-kernel with GCC version 12.2.  The crash occurred on a system running
on i.MX6SX.

Link: https://lkml.kernel.org/r/20221220102318.3418501-1-rickaran@axis.com
Fixes: 977ef30a7d88 ("gcov: support GCC 12.1 and newer compilers")
Signed-off-by: Rickard x Andersson <rickaran@axis.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Tested-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Martin Liska <mliska@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/gcov/gcc_4_7.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/kernel/gcov/gcc_4_7.c
+++ b/kernel/gcov/gcc_4_7.c
@@ -84,6 +84,7 @@ struct gcov_fn_info {
  * @version: gcov version magic indicating the gcc version used for compilation
  * @next: list head for a singly-linked list
  * @stamp: uniquifying time stamp
+ * @checksum: unique object checksum
  * @filename: name of the associated gcov data file
  * @merge: merge functions (null for unused counter type)
  * @n_functions: number of instrumented functions
@@ -96,6 +97,10 @@ struct gcov_info {
 	unsigned int version;
 	struct gcov_info *next;
 	unsigned int stamp;
+ /* Since GCC 12.1 a checksum field is added. */
+#if (__GNUC__ >= 12)
+	unsigned int checksum;
+#endif
 	const char *filename;
 	void (*merge[GCOV_COUNTERS])(gcov_type *, unsigned int);
 	unsigned int n_functions;
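Review bot: the new comment is indented with a space rather than a tab (` /* Since GCC 12.1 ...`), unlike the members around it; checkpatch will flag it. On substance, the `#if (__GNUC__ >= 12)` guard assumes the compiler building kernel/gcov/gcc_4_7.c is the same one that emitted the profiled objects, which holds for a single-toolchain build; stating that assumption in the comment, together with the fact that this struct must track GCC's own gcov_info layout field for field, would help whoever handles the next compiler bump.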




* [PATCH 4.9 218/251] powerpc/rtas: avoid scheduling in rtas_os_term()
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Lynch, Nicholas Piggin,
	Andrew Donnellan, Michael Ellerman, Sasha Levin

From: Nathan Lynch <nathanl@linux.ibm.com>

[ Upstream commit 6c606e57eecc37d6b36d732b1ff7e55b7dc32dd4 ]

It's unsafe to use rtas_busy_delay() to handle a busy status from
the ibm,os-term RTAS function in rtas_os_term():

Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
preempt_count: 2, expected: 0
CPU: 7 PID: 1 Comm: swapper/0 Tainted: G      D            6.0.0-rc5-02182-gf8553a572277-dirty #9
Call Trace:
[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)
[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0
[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0
[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4
[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68
[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50
[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0
[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0
[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0
[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420
[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200

Use rtas_busy_delay_time() instead, which signals without side effects
whether to attempt the ibm,os-term RTAS call again.

Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221118150751.469393-5-nathanl@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/rtas.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 641f3e4c3380..9a77778bd24a 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -733,10 +733,15 @@ void rtas_os_term(char *str)
 
 	snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str);
 
+	/*
+	 * Keep calling as long as RTAS returns a "try again" status,
+	 * but don't use rtas_busy_delay(), which potentially
+	 * schedules.
+	 */
 	do {
 		status = rtas_call(rtas_token("ibm,os-term"), 1, 1, NULL,
 				   __pa(rtas_os_term_buf));
-	} while (rtas_busy_delay(status));
+	} while (rtas_busy_delay_time(status));
 
 	if (status != 0)
 		printk(KERN_EMERG "ibm,os-term call failed %d\n", status);
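Review bot: as the commit message says, rtas_busy_delay_time() only signals whether to retry and does not wait, so on an extended-delay status this loop now re-issues ibm,os-term back to back. That is acceptable on the panic path (sleeping is the bug being fixed), but an upper bound on iterations, or a udelay() of the returned time, would avoid spinning indefinitely if firmware keeps answering busy; either way the new comment should say that the loop is deliberately a busy retry.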
-- 
2.35.1





* [PATCH 4.9 219/251] HID: plantronics: Additional PIDs for double volume key presses quirk
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Terry Junge, Jiri Kosina, Sasha Levin

From: Terry Junge <linuxhid@cosmicgizmosystems.com>

[ Upstream commit 3d57f36c89d8ba32b2c312f397a37fd1a2dc7cfc ]

I no longer work for Plantronics (aka Poly, aka HP) and do not have
access to the headsets in order to test. However, as noted by Maxim,
the other 32xx models that share the same base code set as the 3220
would need the same quirk. This patch adds the PIDs for the rest of
the Blackwire 32XX product family that require the quirk.

Plantronics Blackwire 3210 Series (047f:c055)
Plantronics Blackwire 3215 Series (047f:c057)
Plantronics Blackwire 3225 Series (047f:c058)

Quote from previous patch by Maxim Mikityanskiy
Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice
for each volume key press. This patch adds a quirk to hid-plantronics
for this product ID, which will ignore the second volume key press if
it happens within 5 ms from the last one that was handled.

The patch was tested on the mentioned model only, it shouldn't affect
other models, however, this quirk might be needed for them too.
Auto-repeat (when a key is held pressed) is not affected, because the
rate is about 3 times per second, which is far less frequent than once
in 5 ms.
End quote

Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-ids.h         | 3 +++
 drivers/hid/hid-plantronics.c | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 1f641870d860..4d69551dbc52 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -816,7 +816,10 @@
 #define USB_DEVICE_ID_ORTEK_WKB2000	0x2000
 
 #define USB_VENDOR_ID_PLANTRONICS	0x047f
+#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES	0xc055
 #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES	0xc056
+#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES	0xc057
+#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES	0xc058
 
 #define USB_VENDOR_ID_PANASONIC		0x04da
 #define USB_DEVICE_ID_PANABOARD_UBT780	0x1044
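Review bot: the new defines are placed in PID order (c055, c056, c057, c058), which puts 3215 after 3220; that is fine, but a comment saying the block is sorted by PID rather than model number pre-empts a later "reorder" patch.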
diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c
index 460711c1124a..3b75cadd543f 100644
--- a/drivers/hid/hid-plantronics.c
+++ b/drivers/hid/hid-plantronics.c
@@ -201,9 +201,18 @@ static int plantronics_probe(struct hid_device *hdev,
 }
 
 static const struct hid_device_id plantronics_devices[] = {
+	{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
+					 USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES),
+		.driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
 					 USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES),
 		.driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
+					 USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES),
+		.driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
+					 USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES),
+		.driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) },
 	{ }
 };
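Review bot: the three new entries sit before the `HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID)` catch-all, which they must, since the first matching table entry wins. The commit message says these models could not be tested; since the quirk is only a 5 ms debounce on volume keys, the failure mode for a wrongly-added PID is a dropped keypress rather than a broken device, which keeps this a low-risk backport.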
-- 
2.35.1





* [PATCH 4.9 220/251] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Aditya Garg, Viacheslav Dubeyko,
	Andrew Morton

From: Aditya Garg <gargaditya08@live.com>

commit 9f2b5debc07073e6dfdd774e3594d0224b991927 upstream.

Despite specifying UID and GID in the mount command, the specified UID and GID
were not being assigned. This patch fixes this issue.

Link: https://lkml.kernel.org/r/C0264BF5-059C-45CF-B8DA-3A3BD2C803A2@live.com
Signed-off-by: Aditya Garg <gargaditya08@live.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/hfsplus_fs.h |    2 ++
 fs/hfsplus/inode.c      |    4 ++--
 fs/hfsplus/options.c    |    4 ++++
 3 files changed, 8 insertions(+), 2 deletions(-)

--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -198,6 +198,8 @@ struct hfsplus_sb_info {
 #define HFSPLUS_SB_HFSX		3
 #define HFSPLUS_SB_CASEFOLD	4
 #define HFSPLUS_SB_NOBARRIER	5
+#define HFSPLUS_SB_UID		6
+#define HFSPLUS_SB_GID		7
 
 static inline struct hfsplus_sb_info *HFSPLUS_SB(struct super_block *sb)
 {
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -186,11 +186,11 @@ static void hfsplus_get_perms(struct ino
 	mode = be16_to_cpu(perms->mode);
 
 	i_uid_write(inode, be32_to_cpu(perms->owner));
-	if (!i_uid_read(inode) && !mode)
+	if ((test_bit(HFSPLUS_SB_UID, &sbi->flags)) || (!i_uid_read(inode) && !mode))
 		inode->i_uid = sbi->uid;
 
 	i_gid_write(inode, be32_to_cpu(perms->group));
-	if (!i_gid_read(inode) && !mode)
+	if ((test_bit(HFSPLUS_SB_GID, &sbi->flags)) || (!i_gid_read(inode) && !mode))
 		inode->i_gid = sbi->gid;
 
 	if (dir) {
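Review bot: the extra parentheses around test_bit() are unnecessary and both new lines run past 80 columns; `if (test_bit(HFSPLUS_SB_UID, &sbi->flags) || (!i_uid_read(inode) && !mode))` fits. Semantically, uid=/gid= now override the on-disk owner on every inode rather than only where the catalog record has neither owner nor mode, which is what the commit message asks for; it is worth stating explicitly (commit message or Documentation) that on such mounts the on-disk ownership no longer participates in permission checks.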
--- a/fs/hfsplus/options.c
+++ b/fs/hfsplus/options.c
@@ -139,6 +139,8 @@ int hfsplus_parse_options(char *input, s
 			if (!uid_valid(sbi->uid)) {
 				pr_err("invalid uid specified\n");
 				return 0;
+			} else {
+				set_bit(HFSPLUS_SB_UID, &sbi->flags);
 			}
 			break;
 		case opt_gid:
@@ -150,6 +152,8 @@ int hfsplus_parse_options(char *input, s
 			if (!gid_valid(sbi->gid)) {
 				pr_err("invalid gid specified\n");
 				return 0;
+			} else {
+				set_bit(HFSPLUS_SB_GID, &sbi->flags);
 			}
 			break;
 		case opt_part:
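Review bot: the `else` after `return 0` is redundant (checkpatch: "else is not generally useful after a break or return"); just `set_bit(HFSPLUS_SB_UID, &sbi->flags);` after the if block, and likewise for gid.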




* [PATCH 4.9 221/251] ALSA: line6: correct midi status byte when receiving data from podxt
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Artem Egorkine, Takashi Iwai

From: Artem Egorkine <arteme@gmail.com>

commit 8508fa2e7472f673edbeedf1b1d2b7a6bb898ecc upstream.

A PODxt device sends 0xb2, 0xc2 or 0xf2 as a status byte for MIDI
messages over USB that should otherwise have a 0xb0, 0xc0 or 0xf0
status byte. This is usually corrected by the driver on other OSes.

This fixes MIDI sysex messages sent by PODxt.

[ tiwai: fixed white spaces ]

Signed-off-by: Artem Egorkine <arteme@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221225105728.1153989-1-arteme@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/line6/driver.c  |    3 ++-
 sound/usb/line6/midi.c    |    3 ++-
 sound/usb/line6/midibuf.c |   25 +++++++++++++++++--------
 sound/usb/line6/midibuf.h |    5 ++++-
 sound/usb/line6/pod.c     |    3 ++-
 5 files changed, 27 insertions(+), 12 deletions(-)

--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -304,7 +304,8 @@ static void line6_data_received(struct u
 		for (;;) {
 			done =
 				line6_midibuf_read(mb, line6->buffer_message,
-						LINE6_MIDI_MESSAGE_MAXLEN);
+						   LINE6_MIDI_MESSAGE_MAXLEN,
+						   LINE6_MIDIBUF_READ_RX);
 
 			if (done <= 0)
 				break;
--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -60,7 +60,8 @@ static void line6_midi_transmit(struct s
 
 	for (;;) {
 		done = line6_midibuf_read(mb, chunk,
-					  LINE6_FALLBACK_MAXPACKETSIZE);
+					  LINE6_FALLBACK_MAXPACKETSIZE,
+					  LINE6_MIDIBUF_READ_TX);
 
 		if (done == 0)
 			break;
--- a/sound/usb/line6/midibuf.c
+++ b/sound/usb/line6/midibuf.c
@@ -13,6 +13,7 @@
 
 #include "midibuf.h"
 
+
 static int midibuf_message_length(unsigned char code)
 {
 	int message_length;
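Review bot: this hunk only adds a blank line after `#include "midibuf.h"`; drop it (and the matching stray blank line added in pod.c) so the diff is limited to the functional change.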
@@ -24,12 +25,7 @@ static int midibuf_message_length(unsign
 
 		message_length = length[(code >> 4) - 8];
 	} else {
-		/*
-		   Note that according to the MIDI specification 0xf2 is
-		   the "Song Position Pointer", but this is used by Line 6
-		   to send sysex messages to the host.
-		 */
-		static const int length[] = { -1, 2, -1, 2, -1, -1, 1, 1, 1, 1,
+		static const int length[] = { -1, 2, 2, 2, -1, -1, 1, 1, 1, -1,
 			1, 1, 1, -1, 1, 1
 		};
 		message_length = length[code & 0x0f];
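Review bot: the entry for 0xf2 changes from -1 to 2, but if this table holds total message length (the channel-message table above it and the removed comment's "Song Position Pointer" reference both suggest so), Song Position Pointer is a three-byte message, status plus two data bytes, and should be 3; with the RX fixup now mapping 0xf2 to 0xf0 before this lookup, only transmitted 0xf2 messages would hit the wrong length, but it is still wrong. Changing 0xf9 from 1 to -1 is correct, it is undefined in the MIDI spec. Deleting the comment also leaves no record of why 0xf2 used to be special; a one-line pointer to the RX fixup in line6_midibuf_read() would keep that history.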
@@ -129,7 +125,7 @@ int line6_midibuf_write(struct midi_buff
 }
 
 int line6_midibuf_read(struct midi_buffer *this, unsigned char *data,
-		       int length)
+		       int length, int read_type)
 {
 	int bytes_used;
 	int length1, length2;
@@ -152,9 +148,22 @@ int line6_midibuf_read(struct midi_buffe
 
 	length1 = this->size - this->pos_read;
 
-	/* check MIDI command length */
 	command = this->buf[this->pos_read];
+	/*
+	   PODxt always has status byte lower nibble set to 0010,
+	   when it means to send 0000, so we correct if here so
+	   that control/program changes come on channel 1 and
+	   sysex message status byte is correct
+	 */
+	if (read_type == LINE6_MIDIBUF_READ_RX) {
+		if (command == 0xb2 || command == 0xc2 || command == 0xf2) {
+			unsigned char fixed = command & 0xf0;
+			this->buf[this->pos_read] = fixed;
+			command = fixed;
+		}
+	}
 
+	/* check MIDI command length */
 	if (command & 0x80) {
 		midi_length = midibuf_message_length(command);
 		this->command_prev = command;
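Review bot: typo in the new comment, "so we correct if here" should be "so we correct it here". The fixup only fires when buf[pos_read] is a leading status byte, so a message split across reads is corrected on its first chunk only, which is what you want; note that it rewrites the stored byte in place, so a later re-read of the same position sees the corrected value. Since this runs in the common RX path for every line6 device, not just PODxt, a comment saying why that is safe (the three values are never legitimately sent by the other models) would be reassuring.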
--- a/sound/usb/line6/midibuf.h
+++ b/sound/usb/line6/midibuf.h
@@ -12,6 +12,9 @@
 #ifndef MIDIBUF_H
 #define MIDIBUF_H
 
+#define LINE6_MIDIBUF_READ_TX 0
+#define LINE6_MIDIBUF_READ_RX 1
+
 struct midi_buffer {
 	unsigned char *buf;
 	int size;
@@ -27,7 +30,7 @@ extern void line6_midibuf_destroy(struct
 extern int line6_midibuf_ignore(struct midi_buffer *mb, int length);
 extern int line6_midibuf_init(struct midi_buffer *mb, int size, int split);
 extern int line6_midibuf_read(struct midi_buffer *mb, unsigned char *data,
-			      int length);
+			      int length, int read_type);
 extern void line6_midibuf_reset(struct midi_buffer *mb);
 extern int line6_midibuf_write(struct midi_buffer *mb, unsigned char *data,
 			       int length);
--- a/sound/usb/line6/pod.c
+++ b/sound/usb/line6/pod.c
@@ -169,8 +169,9 @@ static struct line6_pcm_properties pod_p
 	.bytes_per_channel = 3 /* SNDRV_PCM_FMTBIT_S24_3LE */
 };
 
+
 static const char pod_version_header[] = {
-	0xf2, 0x7e, 0x7f, 0x06, 0x02
+	0xf0, 0x7e, 0x7f, 0x06, 0x02
 };
 
 /* forward declarations: */
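Review bot: the header now expects 0xf0, which only matches after the RX fixup has rewritten the device's 0xf2; confirm that the comparison against pod_version_header is made on data that came through line6_midibuf_read() with LINE6_MIDIBUF_READ_RX (the driver.c hunk shows that path filling line6->buffer_message), otherwise version detection silently stops matching. The added blank line above the array is stray.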




* [PATCH 4.9 222/251] ALSA: line6: fix stack overflow in line6_midi_transmit
From: Greg Kroah-Hartman @ 2023-01-05 12:55 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Artem Egorkine, Takashi Iwai

From: Artem Egorkine <arteme@gmail.com>

commit b8800d324abb50160560c636bfafe2c81001b66c upstream.

Correctly calculate available space including the size of the chunk
buffer. This fixes a buffer overflow when multiple MIDI sysex
messages are sent to a PODxt device.

Signed-off-by: Artem Egorkine <arteme@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221225105728.1153989-2-arteme@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/line6/midi.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -48,7 +48,8 @@ static void line6_midi_transmit(struct s
 	int req, done;
 
 	for (;;) {
-		req = min(line6_midibuf_bytes_free(mb), line6->max_packet_size);
+		req = min3(line6_midibuf_bytes_free(mb), line6->max_packet_size,
+			   LINE6_FALLBACK_MAXPACKETSIZE);
 		done = snd_rawmidi_transmit_peek(substream, chunk, req);
 
 		if (done == 0)
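Review bot: bounding the request by LINE6_FALLBACK_MAXPACKETSIZE ties it to the size of `chunk` only by convention (the later line6_midibuf_read() call in this function passes the same constant as chunk's length); `sizeof(chunk)` would bind the bound to the actual declaration so a future resize cannot reopen the overflow. This is a user-triggerable kernel stack overflow: anything that can write to the rawmidi node can push enough sysex data for the old min() to request more than the on-stack buffer holds, so the backport to 4.9 is justified even at end of life.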




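The RX status-byte fixup from the previous patch and the bounded transmit request from this one, as an added example that is not code from the kernel or from the line6 driver: a user-space C model of splitting a MIDI byte stream into messages, correcting the PODxt quirk on receive, and bounding a transmit request by the on-stack chunk buffer. All names are this example's own; CHUNK_SIZE stands in for LINE6_FALLBACK_MAXPACKETSIZE and its value is assumed; the sample bytes are constructed, not captured from a device; and, unlike the patch's table, 0xf2 is given its MIDI-spec length of 3 here (Song Position Pointer: status plus two data bytes).

```c
/*
 * Added example, not kernel or line6 driver code: a user-space model of the
 * RX status-byte fixup, MIDI message splitting, and the bounded TX request.
 * CHUNK_SIZE is an assumed stand-in for LINE6_FALLBACK_MAXPACKETSIZE.
 */
#include <stddef.h>
#include <stdint.h>

#define READ_TX 0
#define READ_RX 1
#define CHUNK_SIZE 16	/* assumed value; the real driver uses a named constant */

#define MIN3(a, b, c) ((a) < (b) ? ((a) < (c) ? (a) : (c)) \
				 : ((b) < (c) ? (b) : (c)))

/* Total length of the MIDI message introduced by 'status'; -1 for a
 * variable-length (sysex) message, an undefined status, or a data byte. */
static int midi_message_length(uint8_t status)
{
	static const int chan[] = { 3, 3, 3, 3, 2, 2, 3 };
	static const int sys[] = { -1, 2, 3, 2, -1, -1, 1, 1,
				    1, -1, 1, 1, 1, -1, 1, 1 };

	if (status < 0x80)
		return -1;
	if (status < 0xf0)
		return chan[(status >> 4) - 8];
	return sys[status & 0x0f];
}

/* PODxt sends 0xb2/0xc2/0xf2 where it means 0xb0/0xc0/0xf0; other bytes
 * pass through untouched. */
static uint8_t fixup_podxt_status(uint8_t status)
{
	if (status == 0xb2 || status == 0xc2 || status == 0xf2)
		return status & 0xf0;
	return status;
}

/* Length of the message at buf[0..len).  On RX the PODxt quirk is corrected
 * in place first, as the driver does.  Returns 0 if the message is not yet
 * complete, -1 if buf[0] cannot start a message (caller drops that byte). */
static int midi_next_message(uint8_t *buf, size_t len, int read_type)
{
	int need;
	size_t i;

	if (len == 0)
		return 0;
	if (read_type == READ_RX)
		buf[0] = fixup_podxt_status(buf[0]);

	need = midi_message_length(buf[0]);
	if (need > 0)
		return (size_t)need <= len ? need : 0;
	if (buf[0] != 0xf0)
		return -1;
	for (i = 1; i < len; i++)	/* sysex runs to the 0xf7 end marker */
		if (buf[i] == 0xf7)
			return (int)(i + 1);
	return 0;
}

/* Walk a buffer message by message; returns how many complete messages it
 * holds and, on RX, leaves the corrected status bytes in place. */
static int count_messages(uint8_t *buf, size_t len, int read_type)
{
	int n = 0;
	size_t pos = 0;

	while (pos < len) {
		int m = midi_next_message(buf + pos, len - pos, read_type);

		if (m == 0)
			break;			/* wait for more data */
		if (m < 0) {
			pos++;			/* drop the unusable byte */
			continue;
		}
		pos += (size_t)m;
		n++;
	}
	return n;
}

/* Bytes to request from the rawmidi core for one transmit: bounded by ring
 * buffer free space, USB packet size and (the bound the patch adds) the
 * on-stack chunk size.  Without the third bound a large packet size lets
 * the peek write past the chunk buffer. */
static int bounded_tx_request(int midibuf_free, int max_packet_size)
{
	return MIN3(midibuf_free, max_packet_size, CHUNK_SIZE);
}

/* Constructed sample (not captured): a version-reply sysex, a program change
 * and a control change, each carrying the PODxt 0x?2 quirk. */
static uint8_t podxt_rx_sample[] = {
	0xf2, 0x7e, 0x7f, 0x06, 0x02, 0xf7,	/* sysex; should start 0xf0 */
	0xc2, 0x05,				/* program change; should be 0xc0 */
	0xb2, 0x07, 0x40,			/* control change; should be 0xb0 */
};

/* Run the sample through the RX path; returns the message count (3). */
static int demo_podxt_rx(void)
{
	return count_messages(podxt_rx_sample, sizeof(podxt_rx_sample), READ_RX);
}
```

After demo_podxt_rx() the sample's three status bytes read 0xf0, 0xc0 and 0xb0, so the sysex is recognised as such and a version header starting with 0xf0 would now match; bounded_tx_request(64, 40) yields CHUNK_SIZE rather than 40, which is the copy that used to overrun the stack.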
* [PATCH 4.9 223/251] pnode: terminate at peers of source
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ditang Chen,
	Seth Forshee (Digital Ocean), Christian Brauner (Microsoft)

From: Christian Brauner <brauner@kernel.org>

commit 11933cf1d91d57da9e5c53822a540bbdc2656c16 upstream.

The propagate_mnt() function handles mount propagation when creating
mounts and propagates the source mount tree @source_mnt to all
applicable nodes of the destination propagation mount tree headed by
@dest_mnt.

Unfortunately it contains a bug where it fails to terminate at peers of
@source_mnt when looking up copies of the source mount that become
masters for copies of the source mount tree mounted on top of slaves in
the destination propagation tree causing a NULL dereference.

Once the mechanics of the bug are understood it's easy to trigger.
Because of unprivileged user namespaces it is available to unprivileged
users.

While fixing this bug we've gotten confused multiple times due to
unclear terminology or missing concepts. So let's start this with some
clarifications:

* The terms "master" or "peer" denote a shared mount. A shared mount
  belongs to a peer group.

* A peer group is a set of shared mounts that propagate to each other.
  They are identified by a peer group id. The peer group id is available
  in @shared_mnt->mnt_group_id.
  Shared mounts within the same peer group have the same peer group id.
  The peers in a peer group can be reached via @shared_mnt->mnt_share.

* The terms "slave mount" or "dependent mount" denote a mount that
  receives propagation from a peer in a peer group. IOW, shared mounts
  may have slave mounts and slave mounts have shared mounts as their
  master. Slave mounts of a given peer in a peer group are listed on
  that peer's slave list available at @shared_mnt->mnt_slave_list.

* The term "master mount" denotes a mount in a peer group. IOW, it
  denotes a shared mount or a peer mount in a peer group. The term
  "master mount" - or "master" for short - is mostly used when talking
  in the context of slave mounts that receive propagation from a master
  mount. A master mount of a slave identifies the closest peer group a
  slave mount receives propagation from. The master mount of a slave can
  be identified via @slave_mount->mnt_master. Different slaves may point
  to different masters in the same peer group.

* Multiple peers in a peer group can have non-empty ->mnt_slave_lists.
  Non-empty ->mnt_slave_lists of peers don't intersect. Consequently, to
  ensure all slave mounts of a peer group are visited the
  ->mnt_slave_lists of all peers in a peer group have to be walked.

* Slave mounts point to a peer in the closest peer group they receive
  propagation from via @slave_mnt->mnt_master (see above). Together with
  these peers they form a propagation group (see below). The closest
  peer group can thus be identified through the peer group id
  @slave_mnt->mnt_master->mnt_group_id of the peer/master that a slave
  mount receives propagation from.

* A shared-slave mount is a slave mount to a peer group pg1 while also
  a peer in another peer group pg2. IOW, a peer group may receive
  propagation from another peer group.

  If a peer group pg1 is a slave to another peer group pg2 then all
  peers in peer group pg1 point to the same peer in peer group pg2 via
  ->mnt_master. IOW, all peers in peer group pg1 appear on the same
  ->mnt_slave_list. IOW, they cannot be slaves to different peer groups.

* A pure slave mount is a slave mount that is a slave to a peer group
  but is not a peer in another peer group.

* A propagation group denotes the set of mounts consisting of a single
  peer group pg1 and all slave mounts and shared-slave mounts that point
  to a peer in that peer group via ->mnt_master. IOW, all slave mounts
  such that @slave_mnt->mnt_master->mnt_group_id is equal to
  @shared_mnt->mnt_group_id.

  The concept of a propagation group makes it easier to talk about a
  single propagation level in a propagation tree.

  For example, in propagate_mnt() the immediate peers of @dest_mnt and
  all slaves of @dest_mnt's peer group form a propagation group propg1.
  So a shared-slave mount that is a slave in propg1 and that is a peer
  in another peer group pg2 forms another propagation group propg2
  together with all slaves that point to that shared-slave mount in
  their ->mnt_master.

* A propagation tree refers to all mounts that receive propagation
  starting from a specific shared mount.

  For example, for propagate_mnt() @dest_mnt is the start of a
  propagation tree. The propagation tree encompasses all mounts that
  receive propagation from @dest_mnt's peer group down to the leafs.

With that out of the way let's get to the actual algorithm.

We know that @dest_mnt is guaranteed to be a pure shared mount or a
shared-slave mount. This is guaranteed by a check in
attach_recursive_mnt(). So propagate_mnt() will first propagate the
source mount tree to all peers in @dest_mnt's peer group:

for (n = next_peer(dest_mnt); n != dest_mnt; n = next_peer(n)) {
        ret = propagate_one(n);
        if (ret)
                goto out;
}

Notice, that the peer propagation loop of propagate_mnt() doesn't
propagate @dest_mnt itself. @dest_mnt is mounted directly in
attach_recursive_mnt() after we propagated to the destination
propagation tree.

The mount that will be mounted on top of @dest_mnt is @source_mnt. This
copy was created earlier even before we entered attach_recursive_mnt()
and doesn't concern us a lot here.

It's just important to notice that when propagate_mnt() is called
@source_mnt will not yet have been mounted on top of @dest_mnt. Thus,
@source_mnt->mnt_parent will either still point to @source_mnt or - in
the case @source_mnt is moved and thus already attached - still to its
former parent.

For each peer @m in @dest_mnt's peer group propagate_one() will create a
new copy of the source mount tree and mount that copy @child on @m such
that @child->mnt_parent points to @m after propagate_one() returns.

propagate_one() will stash the last destination propagation node @m in
@last_dest and the last copy it created for the source mount tree in
@last_source.

Hence, if we call into propagate_one() again for the next destination
propagation node @m, @last_dest will point to the previous destination
propagation node and @last_source will point to the previous copy of the
source mount tree and mounted on @last_dest.

Each new copy of the source mount tree is created from the previous copy
of the source mount tree. This will become important later.

The peer loop in propagate_mnt() is straightforward. We iterate through
the peers copying and updating @last_source and @last_dest as we go
through them and mount each copy of the source mount tree @child on a
peer @m in @dest_mnt's peer group.

After propagate_mnt() handled the peers in @dest_mnt's peer group
propagate_mnt() will propagate the source mount tree down the
propagation tree that @dest_mnt's peer group propagates to:

for (m = next_group(dest_mnt, dest_mnt); m;
                m = next_group(m, dest_mnt)) {
        /* everything in that slave group */
        n = m;
        do {
                ret = propagate_one(n);
                if (ret)
                        goto out;
                n = next_peer(n);
        } while (n != m);
}

The next_group() helper will recursively walk the destination
propagation tree, descending into each propagation group of the
propagation tree.

The important part is that it takes care to propagate the source mount
tree to all peers in the peer group of a propagation group before it
propagates to the slaves to those peers in the propagation group. IOW,
it creates and mounts copies of the source mount tree that become
masters before it creates and mounts copies of the source mount tree
that become slaves to these masters.

It is important to remember that propagating the source mount tree to
each mount @m in the destination propagation tree simply means that we
create and mount new copies @child of the source mount tree on @m such
that @child->mnt_parent points to @m.

Since we know that each node @m in the destination propagation tree
headed by @dest_mnt's peer group will be overmounted with a copy of the
source mount tree and since we know that the propagation properties of
each copy of the source mount tree we create and mount at @m will mostly
mirror the propagation properties of @m, we can use that information to
create and mount the copies of the source mount tree that become masters
before their slaves.

The easy case is always when @m and @last_dest are peers in a peer group
of a given propagation group. In that case we know that we can simply
copy @last_source without having to figure out what the master for the
new copy @child of the source mount tree needs to be as we've done that
in a previous call to propagate_one().

The hard case is when we're dealing with a slave mount or a shared-slave
mount @m in a destination propagation group that we need to create and
mount a copy of the source mount tree on.

For each propagation group in the destination propagation tree we
propagate the source mount tree to we want to make sure that the copies
@child of the source mount tree we create and mount on slaves @m pick an
ealier copy of the source mount tree that we mounted on a master @m of
the destination propagation group as their master. This is a mouthful
but as far as we can tell that's the core of it all.

But, if we keep track of the masters in the destination propagation tree
@m we can use the information to find the correct master for each copy
of the source mount tree we create and mount at the slaves in the
destination propagation tree @m.

Let's walk through the base case as that's still fairly easy to grasp.

If we're dealing with the first slave in the propagation group that
@dest_mnt is in then we haven't yet marked any masters in the
destination propagation tree.

We know the master for the first slave to @dest_mnt's peer group is
simply @dest_mnt. So we expect this algorithm to yield a copy of the
source mount tree that was mounted on a peer in @dest_mnt's peer group
as the master for the copy of the source mount tree we want to mount at
the first slave @m:

for (n = m; ; n = p) {
        p = n->mnt_master;
        if (p == dest_master || IS_MNT_MARKED(p))
                break;
}

For the first slave we walk the destination propagation tree all the way
up to a peer in @dest_mnt's peer group. IOW, the propagation hierarchy
can be walked by walking up the @mnt->mnt_master hierarchy of the
destination propagation tree @m. We will ultimately find a peer in
@dest_mnt's peer group and thus ultimately @dest_mnt->mnt_master.

Btw, here the assumption we listed at the beginning becomes important.
Namely, that peers in a peer group pg1 that are slaves in another peer
group pg2 appear on the same ->mnt_slave_list. IOW, all slaves who are
peers in peer group pg1 point to the same peer in peer group pg2 via
their ->mnt_master. Otherwise the termination condition in the code
above would be wrong and next_group() would be broken too.

So the first iteration sets:

n = m;
p = n->mnt_master;

such that @p now points to a peer or @dest_mnt itself. We walk up one
more level since we don't have any marked mounts. So we end up with:

n = dest_mnt;
p = dest_mnt->mnt_master;

If @dest_mnt's peer group is not slave to another peer group then @p is
now NULL. If @dest_mnt's peer group is a slave to another peer group
then @p now points to @dest_mnt->mnt_master which is a master
outside the propagation tree we're dealing with.

Now we need to figure out the master for the copy of the source mount
tree we're about to create and mount on the first slave of @dest_mnt's
peer group:

do {
        struct mount *parent = last_source->mnt_parent;
        if (last_source == first_source)
                break;
        done = parent->mnt_master == p;
        if (done && peers(n, parent))
                break;
        last_source = last_source->mnt_master;
} while (!done);

We know that @last_source->mnt_parent points to @last_dest and
@last_dest is the last peer in @dest_mnt's peer group we propagated to
in the peer loop in propagate_mnt().

Consequently, @last_source is the last copy we created and mount on that
last peer in @dest_mnt's peer group. So @last_source is the master we
want to pick.

We know that @last_source->mnt_parent->mnt_master points to
@last_dest->mnt_master. We also know that @last_dest->mnt_master is
either NULL or points to a master outside of the destination propagation
tree and so does @p. Hence:

done = parent->mnt_master == p;

is trivially true in the base condition.

We also know that for the first slave mount of @dest_mnt's peer group
that @last_dest either points to @dest_mnt itself because it was
initialized to:

last_dest = dest_mnt;

at the beginning of propagate_mnt() or it will point to a peer of
@dest_mnt in its peer group. In both cases it is guaranteed that on the
first iteration @n and @parent are peers (Please note the check for
peers here as that's important.):

if (done && peers(n, parent))
        break;

So, as we expected, we select @last_source, which refers to the last
copy of the source mount tree we mounted on the last peer in @dest_mnt's
peer group, as the master of the first slave in @dest_mnt's peer group.
The rest is taken care of by clone_mnt(last_source, ...). We'll skip
over that part otherwise this becomes a blogpost.

At the end of propagate_mnt() we now mark @m->mnt_master as the first
master in the destination propagation tree that is distinct from
@dest_mnt->mnt_master. IOW, we mark @dest_mnt itself as a master.

By marking @dest_mnt or one of its peers we are able to easily find it
again when we later lookup masters for other copies of the source mount
tree we mount copies of the source mount tree on slaves @m to
@dest_mnt's peer group. This, in turn allows us to find the master we
selected for the copies of the source mount tree we mounted on master in
the destination propagation tree again.

The important part is to realize that the code makes use of the fact
that the last copy of the source mount tree stashed in @last_source was
mounted on top of the previous destination propagation node @last_dest.
What this means is that @last_source allows us to walk the destination
propagation hierarchy the same way each destination propagation node @m
does.

If we take @last_source, which is the copy of @source_mnt we have
mounted on @last_dest in the previous iteration of propagate_one(), then
we know @last_source->mnt_parent points to @last_dest but we also know
that as we walk through the destination propagation tree that
@last_source->mnt_master will point to an earlier copy of the source
mount tree we mounted on an earlier destination propagation node @m.

IOW, @last_source->mnt_parent will be our hook into the destination
propagation tree and each consecutive @last_source->mnt_master will lead
us to an earlier propagation node @m via
@last_source->mnt_master->mnt_parent.

Hence, by walking up @last_source->mnt_master, each of which is mounted
on a node that is a master @m in the destination propagation tree we can
also walk up the destination propagation hierarchy.

So, for each new destination propagation node @m we use the previous
copy of @last_source and the fact it's mounted on the previous
propagation node @last_dest via @last_source->mnt_master->mnt_parent to
determine what the master of the new copy of @last_source needs to be.

The goal is to find the _closest_ master that the new copy of the source
mount tree we are about to create and mount on a slave @m in the
destination propagation tree needs to pick. IOW, we want to find a
suitable master in the propagation group.

As the propagation structure of the source mount propagation tree we
create mirrors the propagation structure of the destination propagation
tree we can find @m's closest master - i.e., a marked master - which is
a peer in the closest peer group that @m receives propagation from. We
store that closest master of @m in @p as before and record the slave to
that master in @n.

We then search for this master @p via @last_source by walking up the
master hierarchy starting from the last copy of the source mount tree
stored in @last_source that we created and mounted on the previous
destination propagation node @m.

We will try to find the master by walking @last_source->mnt_master and
by comparing @last_source->mnt_master->mnt_parent->mnt_master to @p. If
we find @p then we can figure out what earlier copy of the source mount
tree needs to be the master for the new copy of the source mount tree
we're about to create and mount at the current destination propagation
node @m.

If @last_source->mnt_master->mnt_parent and @n are peers then we know
that the closest master they receive propagation from is
@last_source->mnt_master->mnt_parent->mnt_master. If not then the
closest immediate peer group that they receive propagation from must be
one level higher up.

This builds on the earlier clarification at the beginning that all peers
in a peer group which are slaves of other peer groups all point to the
same ->mnt_master, i.e., appear on the same ->mnt_slave_list, of the
closest peer group that they receive propagation from.

However, terminating the walk has corner cases.

If the closest marked master for a given destination node @m cannot be
found by walking up the master hierarchy via @last_source->mnt_master
then we need to terminate the walk when we encounter @source_mnt again.

This isn't an arbitrary termination. It simply means that the new copy
of the source mount tree we're about to create has a copy of the source
mount tree we created and mounted on a peer in @dest_mnt's peer group as
its master. IOW, @source_mnt is the peer in the closest peer group that
the new copy of the source mount tree receives propagation from.

We absolutely have to stop at @source_mnt because @last_source->mnt_master
either points outside the propagation hierarchy we're dealing with or it
is NULL because @source_mnt isn't a shared-slave.

So continuing the walk past @source_mnt would cause a NULL dereference
via @last_source->mnt_master->mnt_parent. And so we have to stop the
walk when we encounter @source_mnt again.

One scenario where this can happen is when we first handled a series of
slaves of @dest_mnt's peer group and then encounter peers in a new peer
group that is a slave to @dest_mnt's peer group. We handle them and then
we encounter another slave mount to @dest_mnt that is a pure slave to
@dest_mnt's peer group. That pure slave will have a peer in @dest_mnt's
peer group as its master. Consequently, the new copy of the source mount
tree will need to have @source_mnt as its master. So we walk the
propagation hierarchy all the way up to @source_mnt based on
@last_source->mnt_master.

So terminate on @source_mnt, easy peasy. Except, that the check misses
something that the rest of the algorithm already handles.

If @dest_mnt has peers in its peer group the peer loop in
propagate_mnt():

for (n = next_peer(dest_mnt); n != dest_mnt; n = next_peer(n)) {
        ret = propagate_one(n);
        if (ret)
                goto out;
}

will consecutively update @last_source with each previous copy of the
source mount tree we created and mounted at the previous peer in
@dest_mnt's peer group. So after that loop terminates @last_source will
point to whatever copy of the source mount tree was created and mounted
on the last peer in @dest_mnt's peer group.

Furthermore, if there is even a single additional peer in @dest_mnt's
peer group then @last_source will __not__ point to @source_mnt anymore.
Because, as we mentioned above, @dest_mnt isn't even handled in this
loop but directly in attach_recursive_mnt(). So it can't even accidentally
come last in that peer loop.

So the first time we handle a slave mount @m of @dest_mnt's peer group
the copy of the source mount tree we create will make the __last copy of
the source mount tree we created and mounted on the last peer in
@dest_mnt's peer group the master of the new copy of the source mount
tree we create and mount on the first slave of @dest_mnt's peer group__.

But this means that the termination condition that checks for
@source_mnt is wrong. The @source_mnt cannot be found anymore by
propagate_one(). Instead it will find the last copy of the source mount
tree we created and mounted for the last peer of @dest_mnt's peer group
again. And that is a peer of @source_mnt not @source_mnt itself.

IOW, we fail to terminate the loop correctly and ultimately dereference
@last_source->mnt_master->mnt_parent. When @source_mnt's peer group
isn't slave to another peer group then @last_source->mnt_master is NULL
causing the splat below.

For example, assume @dest_mnt is a pure shared mount and has three peers
in its peer group:

===================================================================================
                                         mount-id   mount-parent-id   peer-group-id
===================================================================================
(@dest_mnt) mnt_master[216]              309        297               shared:216
    \
     (@source_mnt) mnt_master[218]:      609        609               shared:218

(1) mnt_master[216]:                     607        605               shared:216
    \
     (P1) mnt_master[218]:               624        607               shared:218

(2) mnt_master[216]:                     576        574               shared:216
    \
     (P2) mnt_master[218]:               625        576               shared:218

(3) mnt_master[216]:                     545        543               shared:216
    \
     (P3) mnt_master[218]:               626        545               shared:218

After this sequence has been processed @last_source will point to (P3),
the copy generated for the third peer in @dest_mnt's peer group we
handled. So the copy of the source mount tree (P4) we create and mount
on the first slave of @dest_mnt's peer group:

===================================================================================
                                         mount-id   mount-parent-id   peer-group-id
===================================================================================
    mnt_master[216]                      309        297               shared:216
   /
  /
(S0) mnt_slave                           483        481               master:216
  \
   \    (P3) mnt_master[218]             626        545               shared:218
    \  /
     \/
    (P4) mnt_slave                       627        483               master:218

will pick the last copy of the source mount tree (P3) as master, not (S0).

When walking the propagation hierarchy via @last_source's master
hierarchy we encounter (P3) but not (S0), i.e., @source_mnt.

We can fix this in multiple ways:

(1) By setting @last_source to @source_mnt after we processed the peers
    in @dest_mnt's peer group right after the peer loop in
    propagate_mnt().

(2) By changing the termination condition that relies on finding exactly
    @source_mnt to finding a peer of @source_mnt.

(3) By only moving @last_source when we actually venture into a new peer
    group or some clever variant thereof.

The first two options are minimally invasive and what we want as a fix.
The third option is more intrusive but something we'd like to explore in
the near future.

This passes all LTP tests and specifically the mount propagation
testsuite part of it. It also holds up against all known reproducers of
these issues.

Final words.
First, this is a clever but __worryingly__ underdocumented algorithm.
There isn't a single detailed comment to be found in next_group(),
propagate_one() or anywhere else in that file for that matter. This has
been a giant pain to understand and work through and a bug like this is
insanely difficult to fix without a detailed understanding of what's
happening. Let's not talk about the amount of time that was sunk into
fixing this.

Second, all the cool kids with access to
unshare --mount --user --map-root --propagation=unchanged
are going to have a lot of fun. IOW, triggerable by unprivileged users
while namespace_lock() lock is held.

[  115.848393] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  115.848967] #PF: supervisor read access in kernel mode
[  115.849386] #PF: error_code(0x0000) - not-present page
[  115.849803] PGD 0 P4D 0
[  115.850012] Oops: 0000 [#1] PREEMPT SMP PTI
[  115.850354] CPU: 0 PID: 15591 Comm: mount Not tainted 6.1.0-rc7 #3
[  115.850851] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[  115.851510] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
[  115.851924] Code: 75 eb 4c 8b 05 c2 25 37 02 4c 89 ca 48 8b 4a 10
49 39 d0 74 1e 48 3b 81 e0 00 00 00 74 26 48 8b 92 e0 00 00 00 be 01
00 00 00 <48> 8b 4a 10 49 39 d0 75 e2 40 84 f6 74 38 4c 89 05 84 25 37
02 4d
[  115.853441] RSP: 0018:ffffb8d5443d7d50 EFLAGS: 00010282
[  115.853865] RAX: ffff8e4d87c41c80 RBX: ffff8e4d88ded780 RCX: ffff8e4da4333a00
[  115.854458] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
[  115.855044] RBP: ffff8e4d88ded780 R08: ffff8e4da4338000 R09: ffff8e4da43388c0
[  115.855693] R10: 0000000000000002 R11: ffffb8d540158000 R12: ffffb8d5443d7da8
[  115.856304] R13: ffff8e4d88ded780 R14: 0000000000000000 R15: 0000000000000000
[  115.856859] FS:  00007f92c90c9800(0000) GS:ffff8e4dfdc00000(0000)
knlGS:0000000000000000
[  115.857531] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  115.858006] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
[  115.858598] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  115.859393] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  115.860099] Call Trace:
[  115.860358]  <TASK>
[  115.860535]  propagate_mnt+0x14d/0x190
[  115.860848]  attach_recursive_mnt+0x274/0x3e0
[  115.861212]  path_mount+0x8c8/0xa60
[  115.861503]  __x64_sys_mount+0xf6/0x140
[  115.861819]  do_syscall_64+0x5b/0x80
[  115.862117]  ? do_faccessat+0x123/0x250
[  115.862435]  ? syscall_exit_to_user_mode+0x17/0x40
[  115.862826]  ? do_syscall_64+0x67/0x80
[  115.863133]  ? syscall_exit_to_user_mode+0x17/0x40
[  115.863527]  ? do_syscall_64+0x67/0x80
[  115.863835]  ? do_syscall_64+0x67/0x80
[  115.864144]  ? do_syscall_64+0x67/0x80
[  115.864452]  ? exc_page_fault+0x70/0x170
[  115.864775]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  115.865187] RIP: 0033:0x7f92c92b0ebe
[  115.865480] Code: 48 8b 0d 75 4f 0c 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 42 4f 0c 00 f7 d8 64 89
01 48
[  115.866984] RSP: 002b:00007fff000aa728 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[  115.867607] RAX: ffffffffffffffda RBX: 000055a77888d6b0 RCX: 00007f92c92b0ebe
[  115.868240] RDX: 000055a77888d8e0 RSI: 000055a77888e6e0 RDI: 000055a77888e620
[  115.868823] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[  115.869403] R10: 0000000000001000 R11: 0000000000000246 R12: 000055a77888e620
[  115.869994] R13: 000055a77888d8e0 R14: 00000000ffffffff R15: 00007f92c93e4076
[  115.870581]  </TASK>
[  115.870763] Modules linked in: nft_fib_inet nft_fib_ipv4
nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 ip_set rfkill nf_tables nfnetlink qrtr snd_intel8x0
sunrpc snd_ac97_codec ac97_bus snd_pcm snd_timer intel_rapl_msr
intel_rapl_common snd vboxguest intel_powerclamp video rapl joydev
soundcore i2c_piix4 wmi fuse zram xfs vmwgfx crct10dif_pclmul
crc32_pclmul crc32c_intel polyval_clmulni polyval_generic
drm_ttm_helper ttm e1000 ghash_clmulni_intel serio_raw ata_generic
pata_acpi scsi_dh_rdac scsi_dh_emc scsi_dh_alua dm_multipath
[  115.875288] CR2: 0000000000000010
[  115.875641] ---[ end trace 0000000000000000 ]---
[  115.876135] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
[  115.876551] Code: 75 eb 4c 8b 05 c2 25 37 02 4c 89 ca 48 8b 4a 10
49 39 d0 74 1e 48 3b 81 e0 00 00 00 74 26 48 8b 92 e0 00 00 00 be 01
00 00 00 <48> 8b 4a 10 49 39 d0 75 e2 40 84 f6 74 38 4c 89 05 84 25 37
02 4d
[  115.878086] RSP: 0018:ffffb8d5443d7d50 EFLAGS: 00010282
[  115.878511] RAX: ffff8e4d87c41c80 RBX: ffff8e4d88ded780 RCX: ffff8e4da4333a00
[  115.879128] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
[  115.879715] RBP: ffff8e4d88ded780 R08: ffff8e4da4338000 R09: ffff8e4da43388c0
[  115.880359] R10: 0000000000000002 R11: ffffb8d540158000 R12: ffffb8d5443d7da8
[  115.880962] R13: ffff8e4d88ded780 R14: 0000000000000000 R15: 0000000000000000
[  115.881548] FS:  00007f92c90c9800(0000) GS:ffff8e4dfdc00000(0000)
knlGS:0000000000000000
[  115.882234] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  115.882713] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
[  115.883314] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  115.883966] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fixes: f2ebb3a921c1 ("smarter propagate_mnt()")
Fixes: 5ec0811d3037 ("propogate_mnt: Handle the first propogated copy being a slave")
Cc: <stable@vger.kernel.org>
Reported-by: Ditang Chen <ditang.c@gmail.com>
Signed-off-by: Seth Forshee (Digital Ocean) <sforshee@kernel.org>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
If there are no big objections I'll get this to Linus rather sooner than later.
---
 fs/pnode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -247,7 +247,7 @@ static int propagate_one(struct mount *m
 		}
 		do {
 			struct mount *parent = last_source->mnt_parent;
-			if (last_source == first_source)
+			if (peers(last_source, first_source))
 				break;
 			done = parent->mnt_master == p;
 			if (done && peers(n, parent))
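Review bot: the new termination test `peers(last_source, first_source)` stops the walk only because the copies made for @dest_mnt's peers carry the same non-zero group id as @source_mnt (the message's table shows exactly that: @source_mnt and P1..P3 are all shared:218), and the loop body below it still dereferences `last_source->mnt_parent` and reassigns `last_source = last_source->mnt_master` with no NULL check, so the correctness of this one line is the only thing standing between the walk and the splat quoted in the message. Given that the message itself says there is not a single detailed comment in propagate_one(), add one above the check explaining why reaching any peer of @source_mnt, not just @source_mnt, means the top of the copy hierarchy has been reached (the peer loop leaves @last_source pointing at the copy mounted on the last peer of @dest_mnt, whose mnt_master is NULL or outside the tree). It would also help to say in the message that option (1) from the description (resetting @last_source to @source_mnt after the peer loop) was deliberately not taken, so this hunk alone is the fix.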





* [PATCH 4.9 224/251] md: fix a crash in mempool_free
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Song Liu

From: Mikulas Patocka <mpatocka@redhat.com>

commit 341097ee53573e06ab9fc675d96a052385b851fa upstream.

There's a crash in mempool_free when running the lvm test
shell/lvchange-rebuild-raid.sh.

The reason for the crash is this:
* super_written calls atomic_dec_and_test(&mddev->pending_writes) and
  wake_up(&mddev->sb_wait). Then it calls rdev_dec_pending(rdev, mddev)
  and bio_put(bio).
* so, the process that waited on sb_wait and that is woken up is racing
  with bio_put(bio).
* if the process wins the race, it calls bioset_exit before bio_put(bio)
  is executed.
* bio_put(bio) attempts to free a bio into a destroyed bio set - causing
  a crash in mempool_free.

We fix this bug by moving bio_put before atomic_dec_and_test.

We also move rdev_dec_pending before atomic_dec_and_test as suggested by
Neil Brown.

The function md_end_flush has a similar bug - we must call bio_put before
we decrement the number of in-progress bios.

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD 11557f0067 P4D 11557f0067 PUD 0
 Oops: 0002 [#1] PREEMPT SMP
 CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
 Workqueue: kdelayd flush_expired_bios [dm_delay]
 RIP: 0010:mempool_free+0x47/0x80
 Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 <48> 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00
 RSP: 0018:ffff88910036bda8 EFLAGS: 00010093
 RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8
 RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900
 R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000
 R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05
 FS:  0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0
 Call Trace:
  <TASK>
  clone_endio+0xf4/0x1c0 [dm_mod]
  clone_endio+0xf4/0x1c0 [dm_mod]
  __submit_bio+0x76/0x120
  submit_bio_noacct_nocheck+0xb6/0x2a0
  flush_expired_bios+0x28/0x2f [dm_delay]
  process_one_work+0x1b4/0x300
  worker_thread+0x45/0x3e0
  ? rescuer_thread+0x380/0x380
  kthread+0xc2/0x100
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x1f/0x30
  </TASK>
 Modules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]
 CR2: 0000000000000000
 ---[ end trace 0000000000000000 ]---

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/md.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -360,13 +360,14 @@ static void md_end_flush(struct bio *bio
 	struct md_rdev *rdev = bio->bi_private;
 	struct mddev *mddev = rdev->mddev;
 
+	bio_put(bio);
+
 	rdev_dec_pending(rdev, mddev);
 
 	if (atomic_dec_and_test(&mddev->flush_pending)) {
 		/* The pre-request flush has finished */
 		queue_work(md_wq, &mddev->flush_work);
 	}
-	bio_put(bio);
 }
 
 static void md_submit_flush_data(struct work_struct *ws);
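Review bot: the reordering is only safe because `rdev` and `mddev` are pulled out of `bio->bi_private` before `bio_put(bio)`, and nothing after the put touches the bio; a one-line comment above `bio_put(bio)` saying that it must run before `rdev_dec_pending()` (dropping the last rdev reference can take the pool the bio came from with it, which is what the mempool_free oops in the commit message shows) would keep a later cleanup from moving it back to the end of the function.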
@@ -725,10 +726,12 @@ static void super_written(struct bio *bi
 		md_error(mddev, rdev);
 	}
 
+	bio_put(bio);
+
+	rdev_dec_pending(rdev, mddev);
+
 	if (atomic_dec_and_test(&mddev->pending_writes))
 		wake_up(&mddev->sb_wait);
-	rdev_dec_pending(rdev, mddev);
-	bio_put(bio);
 }
 
 void md_super_write(struct mddev *mddev, struct md_rdev *rdev,
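Review bot: with `bio_put()` and `rdev_dec_pending()` now ahead of `atomic_dec_and_test(&mddev->pending_writes)`, a waiter woken on `sb_wait` can no longer observe `pending_writes == 0` while this completion still holds the bio or the rdev; that ordering is the whole point of the hunk and deserves a short comment above the `wake_up()`, otherwise the two calls look like they could go either side of it.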



* [PATCH 4.9 225/251] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Deren Wu, Ulf Hansson

From: Deren Wu <deren.wu@mediatek.com>

commit 4a44cd249604e29e7b90ae796d7692f5773dd348 upstream.

vub300_enable_sdio_irq() works with a mutex and needs TASK_RUNNING here.
Ensure that we mark current as TASK_RUNNING for the sleepable context.

[   77.554641] do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff92a72c1d>] sdio_irq_thread+0x17d/0x5b0
[   77.554652] WARNING: CPU: 2 PID: 1983 at kernel/sched/core.c:9813 __might_sleep+0x116/0x160
[   77.554905] CPU: 2 PID: 1983 Comm: ksdioirqd/mmc1 Tainted: G           OE      6.1.0-rc5 #1
[   77.554910] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020
[   77.554912] RIP: 0010:__might_sleep+0x116/0x160
[   77.554920] RSP: 0018:ffff888107b7fdb8 EFLAGS: 00010282
[   77.554923] RAX: 0000000000000000 RBX: ffff888118c1b740 RCX: 0000000000000000
[   77.554926] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffed1020f6ffa9
[   77.554928] RBP: ffff888107b7fde0 R08: 0000000000000001 R09: ffffed1043ea60ba
[   77.554930] R10: ffff88821f5305cb R11: ffffed1043ea60b9 R12: ffffffff93aa3a60
[   77.554932] R13: 000000000000011b R14: 7fffffffffffffff R15: ffffffffc0558660
[   77.554934] FS:  0000000000000000(0000) GS:ffff88821f500000(0000) knlGS:0000000000000000
[   77.554937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   77.554939] CR2: 00007f8a44010d68 CR3: 000000024421a003 CR4: 00000000003706e0
[   77.554942] Call Trace:
[   77.554944]  <TASK>
[   77.554952]  mutex_lock+0x78/0xf0
[   77.554973]  vub300_enable_sdio_irq+0x103/0x3c0 [vub300]
[   77.554981]  sdio_irq_thread+0x25c/0x5b0
[   77.555006]  kthread+0x2b8/0x370
[   77.555017]  ret_from_fork+0x1f/0x30
[   77.555023]  </TASK>
[   77.555025] ---[ end trace 0000000000000000 ]---

Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/87dc45b122d26d63c80532976813c9365d7160b3.1670140888.git.deren.wu@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/vub300.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mmc/host/vub300.c
+++ b/drivers/mmc/host/vub300.c
@@ -2056,6 +2056,7 @@ static void vub300_enable_sdio_irq(struc
 		return;
 	kref_get(&vub300->kref);
 	if (enable) {
+		set_current_state(TASK_RUNNING);
 		mutex_lock(&vub300->irq_mutex);
 		if (vub300->irqs_queued) {
 			vub300->irqs_queued -= 1;
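Review bot: the state switch is placed inside this function rather than in the caller that actually set TASK_INTERRUPTIBLE (sdio_irq_thread, per the warning quoted in the commit message), so a comment here explaining why the callee has to fix up the caller's task state would help; also, moving to TASK_RUNNING does not need the full barrier that `set_current_state()` implies, and `__set_current_state(TASK_RUNNING)` is the usual form for that.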
@@ -2071,6 +2072,7 @@ static void vub300_enable_sdio_irq(struc
 			vub300_queue_poll_work(vub300, 0);
 		}
 		mutex_unlock(&vub300->irq_mutex);
+		set_current_state(TASK_INTERRUPTIBLE);
 	} else {
 		vub300->irq_enabled = 0;
 	}
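Review bot: `set_current_state(TASK_INTERRUPTIBLE)` after `mutex_unlock()` is unconditional, so it assumes every caller arrived in that state; a caller that entered with TASK_RUNNING is returned to in a non-running state and will misbehave at its next blocking call. Safer to save the task state before switching to TASK_RUNNING in the first hunk and restore the saved value here.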



* [PATCH 4.9 226/251] media: stv0288: use explicitly signed char
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mauro Carvalho Chehab, linux-media,
	Jason A. Donenfeld

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit 7392134428c92a4cb541bd5c8f4f5c8d2e88364d upstream.

With char becoming unsigned by default, and with `char` alone being
ambiguous and based on architecture, signed chars need to be marked
explicitly as such. Use `s8` and `u8` types here, since that's what
surrounding code does. This fixes:

drivers/media/dvb-frontends/stv0288.c:471 stv0288_set_frontend() warn: assigning (-9) to unsigned variable 'tm'
drivers/media/dvb-frontends/stv0288.c:471 stv0288_set_frontend() warn: we never enter this loop

Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: linux-media@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/dvb-frontends/stv0288.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/media/dvb-frontends/stv0288.c
+++ b/drivers/media/dvb-frontends/stv0288.c
@@ -452,9 +452,8 @@ static int stv0288_set_frontend(struct d
 	struct stv0288_state *state = fe->demodulator_priv;
 	struct dtv_frontend_properties *c = &fe->dtv_property_cache;
 
-	char tm;
-	unsigned char tda[3];
-	u8 reg, time_out = 0;
+	u8 tda[3], reg, time_out = 0;
+	s8 tm;
 
 	dprintk("%s : FE_SET_FRONTEND\n", __func__);
 
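Review bot: `s8 tm` is the right fix for the two warnings quoted in the commit message (with `char` unsigned the `-9` assignment wraps and the loop condition can never hold), but folding `tda[3]` into the same declaration line as `reg` and `time_out = 0` makes the array easy to miss; keeping `u8 tda[3];` on its own line would read more clearly and match the one-declaration-per-line style of the lines it replaces.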



* [PATCH 4.9 227/251] ktest.pl minconfig: Unset configs instead of just removing them
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley (VMware),
	Steven Rostedt (Google)

From: Steven Rostedt <rostedt@goodmis.org>

commit ef784eebb56425eed6e9b16e7d47e5c00dcf9c38 upstream.

After a full run of a make_min_config test, I noticed there were a lot of
CONFIGs still enabled that really should not be. Looking at them, I
noticed they were all defined as "default y". The issue is that the test
simply removes the config and re-runs make oldconfig, which enables it
again because it is set to default 'y'. Instead, explicitly disable the
config by writing "# CONFIG_FOO is not set" to the file to keep it from
being set again.

With this change, one of my box's minconfigs went from 768 configs set,
down to 521 configs set.

Link: https://lkml.kernel.org/r/20221202115936.016fce23@gandalf.local.home

Cc: stable@vger.kernel.org
Fixes: 0a05c769a9de5 ("ktest: Added config_bisect test type")
Reviewed-by: John 'Warthog9' Hawley (VMware) <warthog9@eaglescrag.net>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/ktest/ktest.pl |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -3751,9 +3751,10 @@ sub test_this_config {
     # .config to make sure it is missing the config that
     # we had before
     my %configs = %min_configs;
-    delete $configs{$config};
+    $configs{$config} = "# $config is not set";
     make_new_config ((values %configs), (values %keep_configs));
     make_oldconfig;
+    delete $configs{$config};
     undef %configs;
     assign_configs \%configs, $output_config;
 
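Review bot: the added `delete $configs{$config};` after `make_oldconfig` is a no-op, because `undef %configs;` on the very next line discards the whole hash anyway; either drop the delete or, if the intent is to make it explicit that the "is not set" marker must not survive into the re-read config, say so in a comment, since as written it looks like a leftover from the old code path.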



* [PATCH 4.9 228/251] ARM: ux500: do not directly dereference __iomem
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Linus Walleij, kernel test robot,
	Jason A. Donenfeld

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit 65b0e307a1a9193571db12910f382f84195a3d29 upstream.

Sparse reports that calling add_device_randomness() on `uid` is a
violation of address spaces. And indeed the next usage uses readl()
properly, but that was left out when passing it to
add_device_randomness(). So instead copy the whole thing to the stack first.

Fixes: 4040d10a3d44 ("ARM: ux500: add DB serial number to entropy pool")
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/202210230819.loF90KDh-lkp@intel.com/
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://lore.kernel.org/r/20221108123755.207438-1-Jason@zx2c4.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/soc/ux500/ux500-soc-id.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/drivers/soc/ux500/ux500-soc-id.c
+++ b/drivers/soc/ux500/ux500-soc-id.c
@@ -159,20 +159,18 @@ static ssize_t ux500_get_process(struct
 static const char *db8500_read_soc_id(struct device_node *backupram)
 {
 	void __iomem *base;
-	void __iomem *uid;
 	const char *retstr;
+	u32 uid[5];
 
 	base = of_iomap(backupram, 0);
 	if (!base)
 		return NULL;
-	uid = base + 0x1fc0;
+	memcpy_fromio(uid, base + 0x1fc0, sizeof(uid));
 
 	/* Throw these device-specific numbers into the entropy pool */
-	add_device_randomness(uid, 0x14);
+	add_device_randomness(uid, sizeof(uid));
 	retstr = kasprintf(GFP_KERNEL, "%08x%08x%08x%08x%08x",
-			 readl((u32 *)uid+0),
-			 readl((u32 *)uid+1), readl((u32 *)uid+2),
-			 readl((u32 *)uid+3), readl((u32 *)uid+4));
+			   uid[0], uid[1], uid[2], uid[3], uid[4]);
 	iounmap(base);
 	return retstr;
 }
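Review bot: `memcpy_fromio()` copies the raw bytes, whereas the `readl()` calls it replaces applied the little-endian conversion, so the `%08x` string now depends on host byte order while the old one did not; on the little-endian systems this driver runs on the output is unchanged, but if the ID string is meant to stay stable it would be worth either noting that assumption in a comment or running the five words through `le32_to_cpu()` before `kasprintf()`. Feeding `sizeof(uid)` (20 bytes, the old `0x14`) to `add_device_randomness()` is fine either way, since the entropy pool does not care about byte order.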



* [PATCH 4.9 229/251] dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Mike Snitzer

From: Mike Snitzer <snitzer@kernel.org>

commit 352b837a5541690d4f843819028cf2b8be83d424 upstream.

Apply the same ABBA deadlock fix from commit 4b60f452ec51 ("dm thin: Fix
ABBA deadlock between shrink_slab and dm_pool_abort_metadata") to
DM-cache's metadata.

Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: stable@vger.kernel.org
Fixes: 028ae9f76f29 ("dm cache: add fail io mode and needs_check flag")
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-cache-metadata.c |   55 +++++++++++++++++++++++++++++++++++------
 1 file changed, 48 insertions(+), 7 deletions(-)

--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -522,11 +522,13 @@ static int __create_persistent_data_obje
 	return r;
 }
 
-static void __destroy_persistent_data_objects(struct dm_cache_metadata *cmd)
+static void __destroy_persistent_data_objects(struct dm_cache_metadata *cmd,
+					      bool destroy_bm)
 {
 	dm_sm_destroy(cmd->metadata_sm);
 	dm_tm_destroy(cmd->tm);
-	dm_block_manager_destroy(cmd->bm);
+	if (destroy_bm)
+		dm_block_manager_destroy(cmd->bm);
 }
 
 typedef unsigned long (*flags_mutator)(unsigned long);
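Review bot: the new `destroy_bm` parameter is undocumented; a comment on `__destroy_persistent_data_objects()` stating that callers pass `false` only when they take ownership of `cmd->bm` and destroy it themselves outside `root_lock` (which is what the abort path below does) would make the contract clear to the two `true` call sites and to anyone adding a third.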
@@ -780,7 +782,7 @@ static struct dm_cache_metadata *lookup_
 		cmd2 = lookup(bdev);
 		if (cmd2) {
 			mutex_unlock(&table_lock);
-			__destroy_persistent_data_objects(cmd);
+			__destroy_persistent_data_objects(cmd, true);
 			kfree(cmd);
 			return cmd2;
 		}
@@ -827,7 +829,7 @@ void dm_cache_metadata_close(struct dm_c
 		mutex_unlock(&table_lock);
 
 		if (!cmd->fail_io)
-			__destroy_persistent_data_objects(cmd);
+			__destroy_persistent_data_objects(cmd, true);
 		kfree(cmd);
 	}
 }
@@ -1551,14 +1553,53 @@ int dm_cache_metadata_needs_check(struct
 
 int dm_cache_metadata_abort(struct dm_cache_metadata *cmd)
 {
-	int r;
+	int r = -EINVAL;
+	struct dm_block_manager *old_bm = NULL, *new_bm = NULL;
+
+	/* fail_io is double-checked with cmd->root_lock held below */
+	if (unlikely(cmd->fail_io))
+		return r;
+
+	/*
+	 * Replacement block manager (new_bm) is created and old_bm destroyed outside of
+	 * cmd root_lock to avoid ABBA deadlock that would result (due to life-cycle of
+	 * shrinker associated with the block manager's bufio client vs cmd root_lock).
+	 * - must take shrinker_rwsem without holding cmd->root_lock
+	 */
+	new_bm = dm_block_manager_create(cmd->bdev, DM_CACHE_METADATA_BLOCK_SIZE << SECTOR_SHIFT,
+					 CACHE_METADATA_CACHE_SIZE,
+					 CACHE_MAX_CONCURRENT_LOCKS);
 
 	WRITE_LOCK(cmd);
-	__destroy_persistent_data_objects(cmd);
-	r = __create_persistent_data_objects(cmd, false);
+	if (cmd->fail_io) {
+		WRITE_UNLOCK(cmd);
+		goto out;
+	}
+
+	__destroy_persistent_data_objects(cmd, false);
+	old_bm = cmd->bm;
+	if (IS_ERR(new_bm)) {
+		DMERR("could not create block manager during abort");
+		cmd->bm = NULL;
+		r = PTR_ERR(new_bm);
+		goto out_unlock;
+	}
+
+	cmd->bm = new_bm;
+	r = __open_or_format_metadata(cmd, false);
+	if (r) {
+		cmd->bm = NULL;
+		goto out_unlock;
+	}
+	new_bm = NULL;
+out_unlock:
 	if (r)
 		cmd->fail_io = true;
 	WRITE_UNLOCK(cmd);
+	dm_block_manager_destroy(old_bm);
+out:
+	if (new_bm && !IS_ERR(new_bm))
+		dm_block_manager_destroy(new_bm);
 
 	return r;
 }
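Review bot: the success path reaches `out_unlock:` by falling through `new_bm = NULL;`, which is what stops the `out:` cleanup from destroying the block manager that `cmd->bm` now owns; that hand-off is correct but easy to misread, so a comment on the `new_bm = NULL` line ("ownership transferred to cmd->bm") would help. Also worth noting: on both error paths `cmd->bm` is left NULL with `fail_io` set, which is consistent with `dm_cache_metadata_close()` skipping `__destroy_persistent_data_objects()` when `fail_io` is true, but callers such as `dm_cache_metadata_set_needs_check()` must then tolerate a NULL `bm` on a failed-io cmd.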



* [PATCH 4.9 230/251] dm thin: Use last transactions pmd->root when commit failed
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Joe Thornber, Mike Snitzer

From: Zhihao Cheng <chengzhihao1@huawei.com>

commit 7991dbff6849f67e823b7cc0c15e5a90b0549b9f upstream.

Recently we found a softlockup problem in the dm thin pool btree lookup
code due to corrupted metadata:

 Kernel panic - not syncing: softlockup: hung tasks
 CPU: 7 PID: 2669225 Comm: kworker/u16:3
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
 Workqueue: dm-thin do_worker [dm_thin_pool]
 Call Trace:
   <IRQ>
   dump_stack+0x9c/0xd3
   panic+0x35d/0x6b9
   watchdog_timer_fn.cold+0x16/0x25
   __run_hrtimer+0xa2/0x2d0
   </IRQ>
   RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]
   __bufio_new+0x11f/0x4f0 [dm_bufio]
   new_read+0xa3/0x1e0 [dm_bufio]
   dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]
   ro_step+0x63/0x100 [dm_persistent_data]
   btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]
   dm_btree_lookup+0x16f/0x210 [dm_persistent_data]
   dm_thin_find_block+0x12c/0x210 [dm_thin_pool]
   __process_bio_read_only+0xc5/0x400 [dm_thin_pool]
   process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]
   process_one_work+0x3c5/0x730

The following process may generate a broken btree mixed with fresh and
stale btree nodes, which could get dm thin trapped in an infinite loop
while looking up a data block:
 Transaction 1: pmd->root = A, A->B->C   // One path in btree
                pmd->root = X, X->Y->Z   // Copy-up
 Transaction 2: X, Z are updated on disk, Y write failed.
                // Commit failed, dm thin becomes read-only.
                process_bio_read_only
                 dm_thin_find_block
                  __find_block
                   dm_btree_lookup(pmd->root)
The pmd->root points to a broken btree; Y may contain a stale node
pointing to any block, for example X, which gets dm thin trapped in
a dead loop while looking up Z.

Fix this by setting pmd->root in __open_metadata(), so that dm thin
will use the last transaction's pmd->root if commit failed.

Fetch a reproducer in [Link].

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216790
Cc: stable@vger.kernel.org
Fixes: 991d9fa02da0 ("dm: add thin provisioning target")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-thin-metadata.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -661,6 +661,15 @@ static int __open_metadata(struct dm_poo
 		goto bad_cleanup_data_sm;
 	}
 
+	/*
+	 * For pool metadata opening process, root setting is redundant
+	 * because it will be set again in __begin_transaction(). But dm
+	 * pool aborting process really needs to get last transaction's
+	 * root to avoid accessing broken btree.
+	 */
+	pmd->root = le64_to_cpu(disk_super->data_mapping_root);
+	pmd->details_root = le64_to_cpu(disk_super->device_details_root);
+
 	__setup_btree_details(pmd);
 	dm_bm_unlock(sblock);
 



* [PATCH 4.9 231/251] dm thin: Fix UAF in run_timer_softirq()
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luo Meng, Mike Snitzer

From: Luo Meng <luomeng12@huawei.com>

commit 88430ebcbc0ec637b710b947738839848c20feff upstream.

When dm_resume() and dm_destroy() are concurrent, it will
lead to a UAF, as follows:

 BUG: KASAN: use-after-free in __run_timers+0x173/0x710
 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0
<snip>
 Call Trace:
  <IRQ>
  dump_stack_lvl+0x73/0x9f
  print_report.cold+0x132/0xaa2
  _raw_spin_lock_irqsave+0xcd/0x160
  __run_timers+0x173/0x710
  kasan_report+0xad/0x110
  __run_timers+0x173/0x710
  __asan_store8+0x9c/0x140
  __run_timers+0x173/0x710
  call_timer_fn+0x310/0x310
  pvclock_clocksource_read+0xfa/0x250
  kvm_clock_read+0x2c/0x70
  kvm_clock_get_cycles+0xd/0x20
  ktime_get+0x5c/0x110
  lapic_next_event+0x38/0x50
  clockevents_program_event+0xf1/0x1e0
  run_timer_softirq+0x49/0x90
  __do_softirq+0x16e/0x62c
  __irq_exit_rcu+0x1fa/0x270
  irq_exit_rcu+0x12/0x20
  sysvec_apic_timer_interrupt+0x8e/0xc0

One of the concurrent UAF scenarios is shown below:

        use                                  free
do_resume                           |
  __find_device_hash_cell           |
    dm_get                          |
      atomic_inc(&md->holders)      |
                                    | dm_destroy
                                    |   __dm_destroy
                                    |     if (!dm_suspended_md(md))
                                    |     atomic_read(&md->holders)
                                    |     msleep(1)
  dm_resume                         |
    __dm_resume                     |
      dm_table_resume_targets       |
        pool_resume                 |
          do_waker  #add delay work |
  dm_put                            |
    atomic_dec(&md->holders)        |
                                    |     dm_table_destroy
                                    |       pool_dtr
                                    |         __pool_dec
                                    |           __pool_destroy
                                    |             destroy_workqueue
                                    |             kfree(pool) # free pool
        time out
__do_softirq
  run_timer_softirq # pool has already been freed

This can be easily reproduced using:
  1. create thin-pool
  2. dmsetup suspend pool
  3. dmsetup resume pool
  4. dmsetup remove_all # Concurrent with 3

The root cause of this UAF bug is that dm_resume() adds timer after
dm_destroy() skips cancelling the timer because of suspend status.
After timeout, it will call run_timer_softirq(), however pool has
already been freed. The concurrency UAF bug will happen.

Therefore, cancel the timer again in __pool_destroy().

Cc: stable@vger.kernel.org
Fixes: 991d9fa02da0d ("dm: add thin provisioning target")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-thin.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -2935,6 +2935,8 @@ static void __pool_destroy(struct pool *
 	dm_bio_prison_destroy(pool->prison);
 	dm_kcopyd_client_destroy(pool->copier);
 
+	cancel_delayed_work_sync(&pool->waker);
+	cancel_delayed_work_sync(&pool->no_space_timeout);
 	if (pool->wq)
 		destroy_workqueue(pool->wq);
 
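Review bot: `cancel_delayed_work_sync()` is called unconditionally for both `pool->waker` and `pool->no_space_timeout`, ahead of the `if (pool->wq)` guard; cancelling a delayed work that was never initialised is undefined, so please confirm that both are initialised on every path that can reach `__pool_destroy()`, including the error paths of pool creation, and if that is not guaranteed, place the cancels under the same condition that proves the pool was fully set up.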



* [PATCH 4.9 232/251] dm cache: Fix UAF in destroy()
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luo Meng, Mike Snitzer

From: Luo Meng <luomeng12@huawei.com>

commit 6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa upstream.

Dm_cache also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.

Therefore, cancel the timer again in destroy().

Cc: stable@vger.kernel.org
Fixes: c6b4fcbad044e ("dm: add cache target")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-cache-target.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -2321,6 +2321,7 @@ static void destroy(struct cache *cache)
 	if (cache->prison)
 		dm_bio_prison_destroy(cache->prison);
 
+	cancel_delayed_work_sync(&cache->waker);
 	if (cache->wq)
 		destroy_workqueue(cache->wq);
 
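Review bot: the surrounding `destroy()` checks `cache->prison` and `cache->wq` before touching them, which suggests it can run on partially constructed caches, yet the new `cancel_delayed_work_sync(&cache->waker)` has no such guard; if `cache->waker` can be uninitialised on an early-failure path the cancel is undefined, so either confirm it is always initialised before any `destroy()` call or guard it in the same way as the neighbouring teardown steps.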



* [PATCH 4.9 233/251] dm cache: set needs_check flag after aborting metadata
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mike Snitzer

From: Mike Snitzer <snitzer@kernel.org>

commit 6b9973861cb2e96dcd0bb0f1baddc5c034207c5c upstream.

Otherwise the commit that will be aborted will be associated with the
metadata objects that will be torn down.  The needs_check flag must be
written to metadata with a reset block manager.

Found through code-inspection (and compared against dm-thin.c).

Cc: stable@vger.kernel.org
Fixes: 028ae9f76f29 ("dm cache: add fail io mode and needs_check flag")
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-cache-target.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1030,16 +1030,16 @@ static void abort_transaction(struct cac
 	if (get_cache_mode(cache) >= CM_READ_ONLY)
 		return;
 
-	if (dm_cache_metadata_set_needs_check(cache->cmd)) {
-		DMERR("%s: failed to set 'needs_check' flag in metadata", dev_name);
-		set_cache_mode(cache, CM_FAIL);
-	}
-
 	DMERR_LIMIT("%s: aborting current metadata transaction", dev_name);
 	if (dm_cache_metadata_abort(cache->cmd)) {
 		DMERR("%s: failed to abort metadata transaction", dev_name);
 		set_cache_mode(cache, CM_FAIL);
 	}
+
+	if (dm_cache_metadata_set_needs_check(cache->cmd)) {
+		DMERR("%s: failed to set 'needs_check' flag in metadata", dev_name);
+		set_cache_mode(cache, CM_FAIL);
+	}
 }
 
 static void metadata_operation_failed(struct cache *cache, const char *op, int r)
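Review bot: when `dm_cache_metadata_abort()` fails, the function sets CM_FAIL and then still calls `dm_cache_metadata_set_needs_check()` on metadata whose block manager has just been torn down (per 229/251 in this series a failed abort leaves `cmd->bm` NULL with `fail_io` set); that call cannot succeed and only produces a second DMERR. Returning right after the first `set_cache_mode(cache, CM_FAIL)` would make the failure path explicit instead of relying on the set_needs_check helper to cope with a failed-io cmd.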



* [PATCH 4.9 234/251] tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Yang Jihong,
	Steven Rostedt (Google)

From: Yang Jihong <yangjihong1@huawei.com>

commit c1ac03af6ed45d05786c219d102f37eb44880f28 upstream.

print_trace_line may overflow the seq_file buffer. If the event is not
consumed, the while loop keeps peeking this event, causing an infinite loop.

Link: https://lkml.kernel.org/r/20221129113009.182425-1-yangjihong1@huawei.com

Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: stable@vger.kernel.org
Fixes: 088b1e427dbba ("ftrace: pipe fixes")
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -5226,7 +5226,20 @@ waitagain:
 
 		ret = print_trace_line(iter);
 		if (ret == TRACE_TYPE_PARTIAL_LINE) {
-			/* don't print partial lines */
+			/*
+			 * If one print_trace_line() fills entire trace_seq in one shot,
+			 * trace_seq_to_user() will returns -EBUSY because save_len == 0,
+			 * In this case, we need to consume it, otherwise, loop will peek
+			 * this event next time, resulting in an infinite loop.
+			 */
+			if (save_len == 0) {
+				iter->seq.full = 0;
+				trace_seq_puts(&iter->seq, "[LINE TOO BIG]\n");
+				trace_consume(iter);
+				break;
+			}
+
+			/* In other cases, don't print partial lines */
 			iter->seq.seq.len = save_len;
 			break;
 		}
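Review bot: the new comment has a couple of grammar slips that will be read many times ("trace_seq_to_user() will returns -EBUSY because save_len == 0," should be "will return -EBUSY because save_len == 0."), and it would be clearer if it said outright that the oversized event is dropped and replaced by the "[LINE TOO BIG]" marker so the reader of the pipe knows a line was skipped. Resetting `iter->seq.full = 0` before `trace_seq_puts()` is what lets the marker land in the otherwise-full buffer; a brief mention of that in the comment would save the next person a trip into trace_seq.c.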



* [PATCH 4.9 235/251] ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Arnd Bergmann,
	Nick Desaulniers, Russell King (Oracle)

From: Nick Desaulniers <ndesaulniers@google.com>

commit 3220022038b9a3845eea762af85f1c5694b9f861 upstream.

clang-15's ability to elide loops completely became more aggressive when
it can deduce how a variable is being updated in a loop. Counting down
one variable by an increment of another can be replaced by a modulo
operation.

For 64b variables on 32b ARM EABI targets, this can result in the
compiler generating calls to __aeabi_uldivmod, which it does for a do
while loop in float64_rem().

For the kernel, we'd generally prefer that developers not open code 64b
division via binary / operators and instead use the more explicit
helpers from div64.h. On arm-linux-gnuabi targets, failure to do so can
result in linkage failures due to undefined references to
__aeabi_uldivmod().

While developers can avoid open coding divisions on 64b variables, the
compiler doesn't know that the Linux kernel has a partial implementation
of a compiler runtime (--rtlib) to enforce this convention.

It's also undecidable for the compiler whether the code in question
would be faster to execute the loop vs elide it and do the 64b division.

While I actively avoid using the internal -mllvm command line flags, I
think we get better code than using barrier() here, which will force
reloads+spills in the loop for all toolchains.

Link: https://github.com/ClangBuiltLinux/linux/issues/1666

Reported-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/nwfpe/Makefile |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/arch/arm/nwfpe/Makefile
+++ b/arch/arm/nwfpe/Makefile
@@ -10,3 +10,9 @@ nwfpe-y				+= fpa11.o fpa11_cpdo.o fpa11
 				   entry.o
 
 nwfpe-$(CONFIG_FPE_NWFPE_XP)	+= extended_cpdo.o
+
+# Try really hard to avoid generating calls to __aeabi_uldivmod() from
+# float64_rem() due to loop elision.
+ifdef CONFIG_CC_IS_CLANG
+CFLAGS_softfloat.o	+= -mllvm -replexitval=never
+endif
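
Review bot: the `ifdef CONFIG_CC_IS_CLANG` guard only does anything if this branch's Kconfig actually provides CC_IS_CLANG; if the 4.9 tree lacks the symbol, the block is skipped silently and the backport is a no-op, so confirm it exists here or gate on `$(call cc-option,-mllvm -replexitval=never)` instead, which also protects against a clang that rejects this internal option. The Makefile comment should also record that `-replexitval=never` is an internal LLVM flag validated against clang-15, so the next toolchain bump re-checks it rather than inheriting it blindly.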



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 236/251] media: dvb-core: Fix double free in dvb_register_device()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 235/251] ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 237/251] cifs: fix confusing debug message Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wenwen Wang, Keita Suzuki,
	Mauro Carvalho Chehab

From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>

commit 6b0d0477fce747d4137aa65856318b55fba72198 upstream.

In function dvb_register_device() -> dvb_register_media_device() ->
dvb_create_media_entity(), dvb->entity is allocated and initialized. If
the initialization fails, it frees the dvb->entity, and returns an error
code. The caller takes the error code and handles the error by calling
dvb_media_device_free(), which unregisters the entity and frees the
field again if it is not NULL. As dvb->entity may not be NULLed in
dvb_create_media_entity() when the allocation of dvbdev->pad fails, a
double free may occur. This may also cause a use-after-free in
media_device_unregister_entity().

Fix this by storing NULL to dvb->entity when it is freed.

Link: https://lore.kernel.org/linux-media/20220426052921.2088416-1-keitasuzuki.park@sslab.ics.keio.ac.jp
Fixes: fcd5ce4b3936 ("media: dvb-core: fix a memory leak bug")
Cc: stable@vger.kernel.org
Cc: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/dvb-core/dvbdev.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -317,6 +317,7 @@ static int dvb_create_media_entity(struc
 				       GFP_KERNEL);
 		if (!dvbdev->pads) {
 			kfree(dvbdev->entity);
+			dvbdev->entity = NULL;
 			return -ENOMEM;
 		}
 	}
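
Review bot: the commit message talks about `dvb->entity` and `dvbdev->pad` while the hunk touches `dvbdev->entity` and `dvbdev->pads`; align the identifiers so the description matches the code. The fix depends on dvb_media_device_free() treating a NULL entity as "nothing to undo", so any other failure return in dvb_create_media_entity() that kfree()s the entity needs the same `dvbdev->entity = NULL;`, otherwise the same double free reappears on that path.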



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 237/251] cifs: fix confusing debug message
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 236/251] media: dvb-core: Fix double free in dvb_register_device() Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 238/251] PCI/sysfs: Fix double free in error path Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (SUSE), Steve French

From: Paulo Alcantara <pc@cjr.nz>

commit a85ceafd41927e41a4103d228a993df7edd8823b upstream.

Since rc was initialised to -ENOMEM in cifs_get_smb_ses(), when an
existing smb session was found, free_xid() would be called and then
print

  CIFS: fs/cifs/connect.c: Existing tcp session with server found
  CIFS: fs/cifs/connect.c: VFS: in cifs_get_smb_ses as Xid: 44 with uid: 0
  CIFS: fs/cifs/connect.c: Existing smb sess found (status=1)
  CIFS: fs/cifs/connect.c: VFS: leaving cifs_get_smb_ses (xid = 44) rc = -12

Fix this by initialising rc to 0 and then letting free_xid() print this
instead

  CIFS: fs/cifs/connect.c: Existing tcp session with server found
  CIFS: fs/cifs/connect.c: VFS: in cifs_get_smb_ses as Xid: 14 with uid: 0
  CIFS: fs/cifs/connect.c: Existing smb sess found (status=1)
  CIFS: fs/cifs/connect.c: VFS: leaving cifs_get_smb_ses (xid = 14) rc = 0

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/connect.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2599,7 +2599,7 @@ cifs_set_cifscreds(struct smb_vol *vol _
 static struct cifs_ses *
 cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
 {
-	int rc = -ENOMEM;
+	int rc = 0;
 	unsigned int xid;
 	struct cifs_ses *ses;
 	struct sockaddr_in *addr = (struct sockaddr_in *)&server->dstaddr;
@@ -2641,6 +2641,8 @@ cifs_get_smb_ses(struct TCP_Server_Info
 		return ses;
 	}
 
+	rc = -ENOMEM;
+
 	cifs_dbg(FYI, "Existing smb sess not found\n");
 	ses = sesInfoAlloc();
 	if (ses == NULL)
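
Review bot: moving the `rc = -ENOMEM;` down to just before `sesInfoAlloc()` means rc is 0 for everything above it, not only the existing-session `return ses;`; confirm that no error exit between the declaration and this point hands rc back to the caller, or a failure there would now be reported as success. A one-line comment above the new assignment (allocation failure is the default from here on) would make the intent survive the next refactor.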



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 238/251] PCI/sysfs: Fix double free in error path
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 237/251] cifs: fix confusing debug message Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 239/251] crypto: n2 - add missing hash statesize Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sascha Hauer, Bjorn Helgaas

From: Sascha Hauer <s.hauer@pengutronix.de>

commit aa382ffa705bea9931ec92b6f3c70e1fdb372195 upstream.

When pci_create_attr() fails, pci_remove_resource_files() is called, which
will iterate over the res_attr[_wc] arrays and free every non-NULL entry.
To avoid a double free here, set the array entry only after it's clear we
successfully initialized it.

Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails")
Link: https://lore.kernel.org/r/20221007070735.GX986@pengutronix.de/
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/pci-sysfs.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -1167,11 +1167,9 @@ static int pci_create_attr(struct pci_de
 
 	sysfs_bin_attr_init(res_attr);
 	if (write_combine) {
-		pdev->res_attr_wc[num] = res_attr;
 		sprintf(res_attr_name, "resource%d_wc", num);
 		res_attr->mmap = pci_mmap_resource_wc;
 	} else {
-		pdev->res_attr[num] = res_attr;
 		sprintf(res_attr_name, "resource%d", num);
 		res_attr->mmap = pci_mmap_resource_uc;
 	}
@@ -1184,10 +1182,17 @@ static int pci_create_attr(struct pci_de
 	res_attr->size = pci_resource_len(pdev, num);
 	res_attr->private = &pdev->resource[num];
 	retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr);
-	if (retval)
+	if (retval) {
 		kfree(res_attr);
+		return retval;
+	}
+
+	if (write_combine)
+		pdev->res_attr_wc[num] = res_attr;
+	else
+		pdev->res_attr[num] = res_attr;
 
-	return retval;
+	return 0;
 }
 
 /**
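
Review bot: with the store into `pdev->res_attr_wc[num]` / `pdev->res_attr[num]` deferred until after `sysfs_create_bin_file()` succeeds, the `write_combine` test is now evaluated twice in the function; pick the slot once (a local pointer to the array entry) and write it at the end. Add a comment at the late store saying it is deliberate so that pci_remove_resource_files() never sees a pointer to an attribute that was already kfree()d; without it the next cleanup is likely to hoist the assignment back up next to the `sprintf()`.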



^ permalink raw reply	[flat|nested] 260+ messages in thread
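
A userspace model of the two error-path bugs fixed in the dvb-core patch (236) and the PCI/sysfs patch (238) above, as an added example that is not part of the series or of the kernel. An allocation ledger stands in for the heap so a double free is counted rather than crashing, and three variants of one create routine show the bug, the dvb-core style fix (clear the pointer after kfree) and the PCI/sysfs style fix (publish the pointer only after every fallible step). `struct attr`, the ledger, `run_variant()` and the fault injection are this example's own constructions and do not exist in the drivers.

```c
/* Added example (userspace model, not kernel code) of the error-path bugs
 * fixed in the dvb-core and PCI/sysfs patches above: a freed pointer left
 * behind in a structure, and a pointer published before the step that can
 * fail. The ledger, struct attr and the fault injection are constructions. */
#include <stdlib.h>
#include <stdio.h>

#define NUM_SLOTS 4
#define LEDGER_SIZE 64

struct attr { int num; };

/* Ledger of live allocations: freeing a pointer that is not live is counted
 * as a double free instead of being handed to free() a second time. */
static void *live[LEDGER_SIZE];
static int double_frees;

static void *ledger_alloc(size_t n)
{
	void *p = malloc(n);
	for (int i = 0; p && i < LEDGER_SIZE; i++)
		if (!live[i]) { live[i] = p; return p; }
	free(p);
	return NULL;
}

static void ledger_free(void *p)
{
	for (int i = 0; i < LEDGER_SIZE; i++)
		if (live[i] == p) { live[i] = NULL; free(p); return; }
	double_frees++;			/* p is not a live allocation */
}

int live_count(void)
{
	int n = 0;
	for (int i = 0; i < LEDGER_SIZE; i++)
		n += live[i] != NULL;
	return n;
}

enum variant { BUGGY, NULL_AFTER_FREE, PUBLISH_LAST };

static int register_fails;		/* fault injection for the registration step */

/* Allocate, "register" and publish one attribute into slots[num], in the
 * shape of pci_create_attr() / dvb_create_media_entity(). */
static int create_attr(enum variant v, struct attr **slots, int num)
{
	struct attr *a = ledger_alloc(sizeof(*a));
	if (!a)
		return -1;
	a->num = num;
	if (v != PUBLISH_LAST)
		slots[num] = a;			/* published before the fallible step */
	if (register_fails) {			/* e.g. sysfs_create_bin_file() failed */
		ledger_free(a);
		if (v == NULL_AFTER_FREE)
			slots[num] = NULL;	/* dvb-core style fix: clear the stale pointer */
		return -1;
	}
	if (v == PUBLISH_LAST)
		slots[num] = a;			/* PCI/sysfs style fix: publish only on success */
	return 0;
}

/* Cleanup in the style of pci_remove_resource_files() / dvb_media_device_free():
 * release every non-NULL slot. */
static void remove_attrs(struct attr **slots)
{
	for (int i = 0; i < NUM_SLOTS; i++)
		if (slots[i]) { ledger_free(slots[i]); slots[i] = NULL; }
}

/* Create NUM_SLOTS attributes with registration failing at index fail_at, then
 * run the cleanup the kernel callers run. Returns the double frees observed. */
int run_variant(enum variant v, int fail_at)
{
	struct attr *slots[NUM_SLOTS] = { 0 };
	double_frees = 0;
	for (int i = 0; i < NUM_SLOTS; i++) {
		register_fails = (i == fail_at);
		if (create_attr(v, slots, i)) {
			remove_attrs(slots);		/* error path */
			break;
		}
	}
	remove_attrs(slots);				/* success path teardown */
	return double_frees;
}

int main(void)
{
	printf("buggy: %d, NULL-after-free: %d, publish-last: %d double free(s)\n",
	       run_variant(BUGGY, 2), run_variant(NULL_AFTER_FREE, 2),
	       run_variant(PUBLISH_LAST, 2));
	return 0;
}
```

Both fixes are correct on their own; the publish-last form is the more robust one because it keeps the invariant "an entry in the array is always fully initialized" without relying on every failure path remembering to clear it.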

* [PATCH 4.9 239/251] crypto: n2 - add missing hash statesize
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (237 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 238/251] PCI/sysfs: Fix double free in error path Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 240/251] iommu/amd: Fix ivrs_acpihid cmdline parsing code Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rolf Eike Beer, Corentin Labbe,
	Herbert Xu, stable

From: Corentin Labbe <clabbe@baylibre.com>

commit 76a4e874593543a2dff91d249c95bac728df2774 upstream.

Add missing statesize to hash templates.
This is mandatory otherwise no algorithms can be registered as the core
requires statesize to be set.

CC: stable@kernel.org # 4.3+
Reported-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
Fixes: 0a625fd2abaa ("crypto: n2 - Add Niagara2 crypto driver")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/n2_core.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/crypto/n2_core.c
+++ b/drivers/crypto/n2_core.c
@@ -1271,6 +1271,7 @@ struct n2_hash_tmpl {
 	const u32	*hash_init;
 	u8		hw_op_hashsz;
 	u8		digest_size;
+	u8		statesize;
 	u8		block_size;
 	u8		auth_type;
 	u8		hmac_type;
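
Review bot: `statesize` is added as a `u8` and is assigned `sizeof(struct md5_state)` / `sizeof(struct sha1_state)` / `sizeof(struct sha256_state)` values; those fit, but any larger state struct added to `hash_tmpls[]` later would be truncated silently at the `halg->statesize = tmpl->statesize;` store. Use `u16` for the field, or add a BUILD_BUG_ON against the largest state struct in the table so the truncation is caught at compile time.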
@@ -1302,6 +1303,7 @@ static const struct n2_hash_tmpl hash_tm
 	  .hmac_type	= AUTH_TYPE_HMAC_MD5,
 	  .hw_op_hashsz	= MD5_DIGEST_SIZE,
 	  .digest_size	= MD5_DIGEST_SIZE,
+	  .statesize	= sizeof(struct md5_state),
 	  .block_size	= MD5_HMAC_BLOCK_SIZE },
 	{ .name		= "sha1",
 	  .hash_zero	= sha1_zero_message_hash,
@@ -1310,6 +1312,7 @@ static const struct n2_hash_tmpl hash_tm
 	  .hmac_type	= AUTH_TYPE_HMAC_SHA1,
 	  .hw_op_hashsz	= SHA1_DIGEST_SIZE,
 	  .digest_size	= SHA1_DIGEST_SIZE,
+	  .statesize	= sizeof(struct sha1_state),
 	  .block_size	= SHA1_BLOCK_SIZE },
 	{ .name		= "sha256",
 	  .hash_zero	= sha256_zero_message_hash,
@@ -1318,6 +1321,7 @@ static const struct n2_hash_tmpl hash_tm
 	  .hmac_type	= AUTH_TYPE_HMAC_SHA256,
 	  .hw_op_hashsz	= SHA256_DIGEST_SIZE,
 	  .digest_size	= SHA256_DIGEST_SIZE,
+	  .statesize	= sizeof(struct sha256_state),
 	  .block_size	= SHA256_BLOCK_SIZE },
 	{ .name		= "sha224",
 	  .hash_zero	= sha224_zero_message_hash,
@@ -1326,6 +1330,7 @@ static const struct n2_hash_tmpl hash_tm
 	  .hmac_type	= AUTH_TYPE_RESERVED,
 	  .hw_op_hashsz	= SHA256_DIGEST_SIZE,
 	  .digest_size	= SHA224_DIGEST_SIZE,
+	  .statesize	= sizeof(struct sha256_state),
 	  .block_size	= SHA224_BLOCK_SIZE },
 };
 #define NUM_HASH_TMPLS ARRAY_SIZE(hash_tmpls)
@@ -1465,6 +1470,7 @@ static int __n2_register_one_ahash(const
 
 	halg = &ahash->halg;
 	halg->digestsize = tmpl->digest_size;
+	halg->statesize = tmpl->statesize;
 
 	base = &halg->base;
 	snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", tmpl->name);
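
Review bot: the message says the core requires `statesize` to be set, but the value is only correct if it covers everything the algorithm's export()/import() handlers actually serialize; document next to `halg->statesize = tmpl->statesize;` which implementation provides export/import for this driver, so that the `sizeof(struct ..._state)` values are understood as the software state layout and not mistaken for a hardware state size.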



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 240/251] iommu/amd: Fix ivrs_acpihid cmdline parsing code
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (238 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 239/251] crypto: n2 - add missing hash statesize Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 241/251] parisc: led: Fix potential null-ptr-deref in start_task() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kim Phillips, Suravee Suthikulpanit,
	Joerg Roedel

From: Kim Phillips <kim.phillips@amd.com>

commit 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf upstream.

The second (UID) strcmp in acpi_dev_hid_uid_match considers
"0" and "00" different, which can prevent device registration.

Have the AMD IOMMU driver's ivrs_acpihid parsing code remove
any leading zeroes to make the UID strcmp succeed.  Now users
can safely specify "AMDxxxxx:00" or "AMDxxxxx:0" and expect
the same behaviour.

Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Cc: stable@vger.kernel.org
Cc: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
Cc: Joerg Roedel <jroedel@suse.de>
Link: https://lore.kernel.org/r/20220919155638.391481-1-kim.phillips@amd.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/amd_iommu_init.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
@@ -2684,6 +2684,13 @@ static int __init parse_ivrs_acpihid(cha
 		return 1;
 	}
 
+	/*
+	 * Ignore leading zeroes after ':', so e.g., AMDI0095:00
+	 * will match AMDI0095:0 in the second strcmp in acpi_dev_hid_uid_match
+	 */
+	while (*uid == '0' && *(uid + 1))
+		uid++;
+
 	i = early_acpihid_map_size++;
 	memcpy(early_acpihid_map[i].hid, hid, strlen(hid));
 	memcpy(early_acpihid_map[i].uid, uid, strlen(uid));
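
Review bot: the loop normalizes only the command-line side of the comparison; if a firmware _UID string itself carried leading zeros, the strcmp in acpi_dev_hid_uid_match() would now fail for a user who typed it exactly, so the comment should state which form is canonical. The surrounding `memcpy(early_acpihid_map[i].hid, hid, strlen(hid))` and `memcpy(early_acpihid_map[i].uid, uid, strlen(uid))` copy without a visible bound and without a terminator; confirm the validation earlier in the function (the path that returns 1) limits both lengths to the destination field sizes and that the map is zero-initialized so the copies still read back as C strings. The loop deliberately keeps the final character, so a UID of "00" becomes "0" rather than an empty string; that is the intended behaviour but worth a word in the comment.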



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 241/251] parisc: led: Fix potential null-ptr-deref in start_task()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (239 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 240/251] iommu/amd: Fix ivrs_acpihid cmdline parsing code Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 242/251] device_cgroup: Roll back to original exceptions after copy failure Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Helge Deller

From: Shang XiaoJing <shangxiaojing@huawei.com>

commit 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 upstream.

start_task() calls create_singlethread_workqueue() without checking the
return value, which may be NULL, so a null-ptr-deref may happen:

start_task()
    create_singlethread_workqueue() # failed, led_wq is NULL
    queue_delayed_work()
        queue_delayed_work_on()
            __queue_delayed_work()  # warning here, but continue
                __queue_work()      # access wq->flags, null-ptr-deref

Check the ret value and return -ENOMEM if it is NULL.

Fixes: 3499495205a6 ("[PARISC] Use work queue in LED/LCD driver instead of tasklet.")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/parisc/led.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/parisc/led.c
+++ b/drivers/parisc/led.c
@@ -141,6 +141,9 @@ static int start_task(void)
 
 	/* Create the work queue and queue the LED task */
 	led_wq = create_singlethread_workqueue("led_wq");	
+	if (!led_wq)
+		return -ENOMEM;
+
 	queue_delayed_work(led_wq, &led_task, 0);
 
 	return 0;
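
Review bot: returning -ENOMEM from start_task() leaves `led_wq` NULL, so any later user of led_wq (queueing from the LED update path, or a stop/exit routine that flushes and destroys the queue) needs the same NULL check, otherwise the null-ptr-deref only moves. The context line `led_wq = create_singlethread_workqueue("led_wq");` also carries trailing whitespace that could be dropped while touching the function.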



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 242/251] device_cgroup: Roll back to original exceptions after copy failure
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (240 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 241/251] parisc: led: Fix potential null-ptr-deref in start_task() Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 243/251] drm/connector: send hotplug uevent on connector cleanup Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wang Weiyang, Aristeu Rozanski, Paul Moore

From: Wang Weiyang <wangweiyang2@huawei.com>

commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream.

When adding the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's
exceptions will be cleaned and A's behavior is changed to
DEVCG_DEFAULT_ALLOW. Then the parent's exceptions will be copied to A's
whitelist. If a copy failure occurs, it just returns, leaving A granting
permissions to all devices. And A may grant more permissions than its
parent.

Backup A's whitelist and recover original exceptions after copy
failure.

Cc: stable@vger.kernel.org
Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior")
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Aristeu Rozanski <aris@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/device_cgroup.c |   33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -87,6 +87,17 @@ free_and_exit:
 	return -ENOMEM;
 }
 
+static void dev_exceptions_move(struct list_head *dest, struct list_head *orig)
+{
+	struct dev_exception_item *ex, *tmp;
+
+	lockdep_assert_held(&devcgroup_mutex);
+
+	list_for_each_entry_safe(ex, tmp, orig, list) {
+		list_move_tail(&ex->list, dest);
+	}
+}
+
 /*
  * called under devcgroup_mutex
  */
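
Review bot: dev_exceptions_move() walks `orig` relinking one node at a time; `list_splice_tail_init(orig, dest)` does the same transfer in O(1) and reads as the single atomic move the rollback wants. Whichever is used, note in a function comment that it appends to `dest`, so callers must pass an empty destination (as the rollback does, after dev_exceptions_copy() has emptied it on failure).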
@@ -608,11 +619,13 @@ static int devcgroup_update_access(struc
 	int count, rc = 0;
 	struct dev_exception_item ex;
 	struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
+	struct dev_cgroup tmp_devcgrp;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	memset(&ex, 0, sizeof(ex));
+	memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp));
 	b = buffer;
 
 	switch (*b) {
@@ -624,15 +637,27 @@ static int devcgroup_update_access(struc
 
 			if (!may_allow_all(parent))
 				return -EPERM;
-			dev_exception_clean(devcgroup);
-			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
-			if (!parent)
+			if (!parent) {
+				devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+				dev_exception_clean(devcgroup);
 				break;
+			}
 
+			INIT_LIST_HEAD(&tmp_devcgrp.exceptions);
+			rc = dev_exceptions_copy(&tmp_devcgrp.exceptions,
+						 &devcgroup->exceptions);
+			if (rc)
+				return rc;
+			dev_exception_clean(devcgroup);
 			rc = dev_exceptions_copy(&devcgroup->exceptions,
 						 &parent->exceptions);
-			if (rc)
+			if (rc) {
+				dev_exceptions_move(&devcgroup->exceptions,
+						    &tmp_devcgrp.exceptions);
 				return rc;
+			}
+			devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+			dev_exception_clean(&tmp_devcgrp);
 			break;
 		case DEVCG_DENY:
 			if (css_has_online_children(&devcgroup->css))
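
Review bot: the rollback `dev_exceptions_move(&devcgroup->exceptions, &tmp_devcgrp.exceptions)` is correct only because dev_exceptions_copy() frees everything it added to the destination before returning -ENOMEM (the `free_and_exit` path visible in the first hunk); if that ever changed to leave a partial list, the backup would be appended to it. Spell out that invariant in a comment. Also `tmp_devcgrp` is a whole `struct dev_cgroup` memset on the stack only to carry a list head; a `LIST_HEAD(tmp_exceptions)` plus a list-based variant of dev_exception_clean() would be smaller and would not leave a reader wondering which other fields of the temporary are meaningful.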



^ permalink raw reply	[flat|nested] 260+ messages in thread
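
A userspace model of the rollback the device_cgroup patch (242) above introduces, as an added example that is not part of the series or of the kernel. It contrasts the pre-fix ordering (clean, flip the behaviour to allow-all, then copy the parent's exceptions) with the fixed ordering (back up, clean, copy, move the backup back on failure, and only then flip the behaviour), under an injected allocation failure. The list type, the helpers, the allocation budget and the sample parent/child lists are this example's own constructions; the kernel uses `struct list_head` and `kmemdup()` instead.

```c
/* Added example (userspace model, not kernel code) of the rollback that
 * devcgroup_update_access() performs above when a cgroup is switched to
 * "allow all": back up the exceptions, clean, copy the parent's, and on
 * failure move the backup back before the behaviour flag is touched. The
 * list type, helpers, allocation budget and sample lists are constructions. */
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>

struct exception { unsigned int major, minor; const char *access; struct exception *next; };
struct devcg { bool allow_all; struct exception *exceptions; }; /* allow_all = DEVCG_DEFAULT_ALLOW */

/* Fault injection: the (budget + 1)-th xalloc() call fails, all others succeed;
 * a negative budget never fails. Models the -ENOMEM dev_exceptions_copy() can hit. */
static int budget = -1;

static void *xalloc(size_t n)
{
	return budget-- == 0 ? NULL : malloc(n);
}

static void free_list(struct exception *ex)
{
	while (ex) { struct exception *next = ex->next; free(ex); ex = next; }
}

/* dev_exceptions_copy(): deep-copy orig into the empty list *dest, in order.
 * On failure everything copied so far is freed and *dest is left empty,
 * which the rollback below relies on. */
static int exceptions_copy(struct exception **dest, const struct exception *orig)
{
	struct exception **tail = dest;
	for (; orig; orig = orig->next) {
		struct exception *n = xalloc(sizeof(*n));
		if (!n) { free_list(*dest); *dest = NULL; return -1; }
		*n = *orig;
		n->next = NULL;
		*tail = n;
		tail = &n->next;
	}
	return 0;
}

/* Pre-fix order: clean, flip behaviour, then copy. A failed copy leaves the
 * cgroup allowing every device with no exceptions at all. */
static int allow_all_unsafe(struct devcg *cg, const struct devcg *parent)
{
	free_list(cg->exceptions);
	cg->exceptions = NULL;
	cg->allow_all = true;
	return exceptions_copy(&cg->exceptions, parent->exceptions);
}

/* Fixed order: nothing observable changes unless every step succeeds. */
static int allow_all_safe(struct devcg *cg, const struct devcg *parent)
{
	struct exception *backup = NULL;
	if (exceptions_copy(&backup, cg->exceptions))
		return -1;			/* nothing touched yet */
	free_list(cg->exceptions);
	cg->exceptions = NULL;
	if (exceptions_copy(&cg->exceptions, parent->exceptions)) {
		cg->exceptions = backup;	/* dev_exceptions_move() */
		return -1;			/* behaviour flag untouched */
	}
	cg->allow_all = true;
	free_list(backup);
	return 0;
}

/* Constructed sample: parent allows all but 8:0 rwm and 1:3 rw; child denies
 * all but 5:1 rw. */
static struct exception p1 = { 1, 3, "rw", NULL }, p0 = { 8, 0, "rwm", &p1 };
static struct exception c0 = { 5, 1, "rw", NULL };

/* Apply one update to a fresh heap copy of the sample under the given allocation
 * budget; report the child's exception count and behaviour, return the rc. */
int run_scenario(bool safe, int alloc_budget, int *count, bool *allow)
{
	struct devcg parent = { true, NULL }, child = { false, NULL };
	int rc;
	exceptions_copy(&parent.exceptions, &p0);	/* budget is negative here */
	exceptions_copy(&child.exceptions, &c0);
	budget = alloc_budget;
	rc = safe ? allow_all_safe(&child, &parent) : allow_all_unsafe(&child, &parent);
	budget = -1;
	*count = 0;
	for (struct exception *ex = child.exceptions; ex; ex = ex->next)
		(*count)++;
	*allow = child.allow_all;
	free_list(child.exceptions);
	free_list(parent.exceptions);
	return rc;
}

int main(void)
{
	int n; bool allow;
	run_scenario(false, 0, &n, &allow);
	printf("unsafe, copy fails: allow_all=%d exceptions=%d\n", allow, n);
	run_scenario(true, 1, &n, &allow);
	printf("safe, copy fails:   allow_all=%d exceptions=%d\n", allow, n);
	return 0;
}
```

With a budget of 0 the unsafe path ends with `allow_all=1` and no exceptions, which is exactly the "more permissions than the parent" state the commit message describes; with a budget of 1 the safe path fails the second copy, restores the original single exception and leaves the behaviour at default-deny.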

* [PATCH 4.9 243/251] drm/connector: send hotplug uevent on connector cleanup
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (241 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 242/251] device_cgroup: Roll back to original exceptions after copy failure Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 244/251] drm/vmwgfx: Validate the box size for the snooped cursor Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Simon Ser, Daniel Vetter,
	Lyude Paul, Jonas Ådahl

From: Simon Ser <contact@emersion.fr>

commit 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc upstream.

A typical DP-MST unplug removes a KMS connector. However care must
be taken to properly synchronize with user-space. The expected
sequence of events is the following:

1. The kernel notices that the DP-MST port is gone.
2. The kernel marks the connector as disconnected, then sends a
   uevent to make user-space re-scan the connector list.
3. User-space notices the connector goes from connected to disconnected,
   disables it.
4. Kernel handles the IOCTL disabling the connector. On success,
   the very last reference to the struct drm_connector is dropped and
   drm_connector_cleanup() is called.
5. The connector is removed from the list, and a uevent is sent to tell
   user-space that the connector disappeared.

The very last step was missing. As a result, user-space thought the
connector still existed and could try to disable it again. Since the
kernel no longer knows about the connector, that would end up with
EINVAL and confused user-space.

Fix this by sending a hotplug uevent from drm_connector_cleanup().

Signed-off-by: Simon Ser <contact@emersion.fr>
Cc: stable@vger.kernel.org
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Lyude Paul <lyude@redhat.com>
Cc: Jonas Ådahl <jadahl@redhat.com>
Tested-by: Jonas Ådahl <jadahl@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221017153150.60675-2-contact@emersion.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_connector.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/drm_connector.c
+++ b/drivers/gpu/drm/drm_connector.c
@@ -363,6 +363,9 @@ void drm_connector_cleanup(struct drm_co
 	mutex_destroy(&connector->mutex);
 
 	memset(connector, 0, sizeof(*connector));
+
+	if (dev->registered)
+		drm_sysfs_hotplug_event(dev);
 }
 EXPORT_SYMBOL(drm_connector_cleanup);
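
Review bot: `dev` is dereferenced after `memset(connector, 0, sizeof(*connector))`, so this is only safe if `dev` is a local captured from connector->dev earlier in drm_connector_cleanup() rather than read through the connector at this point; worth confirming and noting in a comment. The `dev->registered` guard keeps the uevent out of device teardown, but say so explicitly, since a hotplug event fired while the driver is unloading would make user-space re-scan a device that is disappearing.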
 



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 244/251] drm/vmwgfx: Validate the box size for the snooped cursor
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (242 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 243/251] drm/connector: send hotplug uevent on connector cleanup Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 245/251] ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zack Rusin, Michael Banack, Martin Krastev

From: Zack Rusin <zackr@vmware.com>

commit 4cf949c7fafe21e085a4ee386bb2dade9067316e upstream.

Invalid userspace dma surface copies could potentially overflow
the memcpy from the surface to the snooped image leading to crashes.
To fix it the dimensions of the copybox have to be validated
against the expected size of the snooped cursor.

Signed-off-by: Zack Rusin <zackr@vmware.com>
Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes")
Cc: <stable@vger.kernel.org> # v3.2+
Reviewed-by: Michael Banack <banackm@vmware.com>
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -301,7 +301,8 @@ void vmw_kms_cursor_snoop(struct vmw_sur
 	if (cmd->dma.guest.ptr.offset % PAGE_SIZE ||
 	    box->x != 0    || box->y != 0    || box->z != 0    ||
 	    box->srcx != 0 || box->srcy != 0 || box->srcz != 0 ||
-	    box->d != 1    || box_count != 1) {
+	    box->d != 1    || box_count != 1 ||
+	    box->w > 64 || box->h > 64) {
 		/* TODO handle none page aligned offsets */
 		/* TODO handle more dst & src != 0 */
 		/* TODO handle more then one copy */
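
Review bot: the new `box->w > 64 || box->h > 64` test hard-codes the snooped cursor dimensions; use a named constant shared with the allocation of the snoop buffer so the two cannot drift apart. The check also accepts `w == 0` or `h == 0`; confirm the copy below tolerates an empty box. Note that the bound is only against the destination buffer, not against the source surface's own dimensions, so a box that is within 64x64 but larger than the surface is still passed through.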



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 245/251] ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (243 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 244/251] drm/vmwgfx: Validate the box size for the snooped cursor Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 246/251] ext4: fix undefined behavior in bit shift for ext4_check_flag_values Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Baokun Li,
	Ritesh Harjani (IBM),
	Theodore Tso

From: Baokun Li <libaokun1@huawei.com>

commit eee22187b53611e173161e38f61de1c7ecbeb876 upstream.

In do_writepages, if the value returned by ext4_writepages is "-ENOMEM"
and "wbc->sync_mode == WB_SYNC_ALL", retry until the condition is not met.

In __ext4_get_inode_loc, if the bh returned by sb_getblk is NULL,
the function returns -ENOMEM.

In __getblk_slow, if the return value of grow_buffers is less than 0,
the function returns NULL.

When the three processes are connected in series like the following stack,
an infinite loop may occur:

do_writepages					<--- keep retrying
 ext4_writepages
  mpage_map_and_submit_extent
   mpage_map_one_extent
    ext4_map_blocks
     ext4_ext_map_blocks
      ext4_ext_handle_unwritten_extents
       ext4_ext_convert_to_initialized
        ext4_split_extent
         ext4_split_extent_at
          __ext4_ext_dirty
           __ext4_mark_inode_dirty
            ext4_reserve_inode_write
             ext4_get_inode_loc
              __ext4_get_inode_loc		<--- return -ENOMEM
               sb_getblk
                __getblk_gfp
                 __getblk_slow			<--- return NULL
                  grow_buffers
                   grow_dev_page		<--- return -ENXIO
                    ret = (block < end_block) ? 1 : -ENXIO;

In this issue, bg_inode_table_hi is overwritten as an incorrect value.
As a result, `block < end_block` cannot be met in grow_dev_page.
Therefore, __ext4_get_inode_loc always returns '-ENOMEM' and do_writepages
keeps retrying. As a result, the writeback process is in the D state due
to an infinite loop.

Add a check on inode table block in the __ext4_get_inode_loc function by
referring to ext4_read_inode_bitmap to avoid this infinite loop.

Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20220817132701.3015912-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/inode.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4321,9 +4321,17 @@ static int __ext4_get_inode_loc(struct i
 	inodes_per_block = EXT4_SB(sb)->s_inodes_per_block;
 	inode_offset = ((inode->i_ino - 1) %
 			EXT4_INODES_PER_GROUP(sb));
-	block = ext4_inode_table(sb, gdp) + (inode_offset / inodes_per_block);
 	iloc->offset = (inode_offset % inodes_per_block) * EXT4_INODE_SIZE(sb);
 
+	block = ext4_inode_table(sb, gdp);
+	if ((block <= le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block)) ||
+	    (block >= ext4_blocks_count(EXT4_SB(sb)->s_es))) {
+		ext4_error(sb, "Invalid inode table block %llu in "
+			   "block_group %u", block, iloc->block_group);
+		return -EFSCORRUPTED;
+	}
+	block += (inode_offset / inodes_per_block);
+
 	bh = sb_getblk(sb, block);
 	if (unlikely(!bh))
 		return -ENOMEM;
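
Review bot: the range check validates the first block of the inode table, but the block actually read is computed afterwards by `block += (inode_offset / inodes_per_block);`; a table that starts inside the filesystem and ends past ext4_blocks_count() still passes and hits the same sb_getblk() -ENOMEM retry loop for inodes in its tail. Check the computed block (or the table's full extent, start plus the group's inode-table block count) against blocks_count instead of only its start.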



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 246/251] ext4: fix undefined behavior in bit shift for ext4_check_flag_values
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (244 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 245/251] ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 247/251] ext4: fix bug_on in __es_tree_search caused by bad boot loader inode Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Theodore Tso, stable

From: Gaosheng Cui <cuigaosheng1@huawei.com>

commit 3bf678a0f9c017c9ba7c581541dbc8453452a7ae upstream.

Shifting a signed 32-bit value by 31 bits is undefined, so change the
shifted constant to unsigned. The UBSAN warning calltrace is like below:

UBSAN: shift-out-of-bounds in fs/ext4/ext4.h:591:2
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
 <TASK>
 dump_stack_lvl+0x7d/0xa5
 dump_stack+0x15/0x1b
 ubsan_epilogue+0xe/0x4e
 __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
 ext4_init_fs+0x5a/0x277
 do_one_initcall+0x76/0x430
 kernel_init_freeable+0x3b3/0x422
 kernel_init+0x24/0x1e0
 ret_from_fork+0x1f/0x30
 </TASK>

Fixes: 9a4c80194713 ("ext4: ensure Inode flags consistency are checked at build time")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221031055833.3966222-1-cuigaosheng1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/ext4.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -476,7 +476,7 @@ enum {
  *
  * It's not paranoia if the Murphy's Law really *is* out to get you.  :-)
  */
-#define TEST_FLAG_VALUE(FLAG) (EXT4_##FLAG##_FL == (1 << EXT4_INODE_##FLAG))
+#define TEST_FLAG_VALUE(FLAG) (EXT4_##FLAG##_FL == (1U << EXT4_INODE_##FLAG))
 #define CHECK_FLAG_VALUE(FLAG) BUILD_BUG_ON(!TEST_FLAG_VALUE(FLAG))
 
 static inline void ext4_check_flag_values(void)
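
Review bot: `1U << EXT4_INODE_##FLAG` removes the signed-shift UB for bit 31, but the BUILD_BUG_ON still only compares for equality; a flag index of 32 or more would be a different UB that this check does not guard against. `BIT(EXT4_INODE_##FLAG)` expresses the intent more directly, and a `BUILD_BUG_ON(EXT4_INODE_##FLAG >= 32)` in the same macro would catch the remaining case at build time.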



^ permalink raw reply	[flat|nested] 260+ messages in thread

* [PATCH 4.9 247/251] ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (245 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 246/251] ext4: fix undefined behavior in bit shift for ext4_check_flag_values Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 248/251] ext4: init quota for old.inode in ext4_rename Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Baokun Li, Jason Yan, Jan Kara,
	Theodore Tso, stable

From: Baokun Li <libaokun1@huawei.com>

commit 991ed014de0840c5dc405b679168924afb2952ac upstream.

We got an issue as follows:
==================================================================
 kernel BUG at fs/ext4/extents_status.c:203!
 invalid opcode: 0000 [#1] PREEMPT SMP
 CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349
 RIP: 0010:ext4_es_end.isra.0+0x34/0x42
 RSP: 0018:ffffc9000143b768 EFLAGS: 00010203
 RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff
 RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8
 R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0
 R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000
 FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  __es_tree_search.isra.0+0x6d/0xf5
  ext4_es_cache_extent+0xfa/0x230
  ext4_cache_extents+0xd2/0x110
  ext4_find_extent+0x5d5/0x8c0
  ext4_ext_map_blocks+0x9c/0x1d30
  ext4_map_blocks+0x431/0xa50
  ext4_mpage_readpages+0x48e/0xe40
  ext4_readahead+0x47/0x50
  read_pages+0x82/0x530
  page_cache_ra_unbounded+0x199/0x2a0
  do_page_cache_ra+0x47/0x70
  page_cache_ra_order+0x242/0x400
  ondemand_readahead+0x1e8/0x4b0
  page_cache_sync_ra+0xf4/0x110
  filemap_get_pages+0x131/0xb20
  filemap_read+0xda/0x4b0
  generic_file_read_iter+0x13a/0x250
  ext4_file_read_iter+0x59/0x1d0
  vfs_read+0x28f/0x460
  ksys_read+0x73/0x160
  __x64_sys_read+0x1e/0x30
  do_syscall_64+0x35/0x80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  </TASK>
==================================================================

In the above issue, ioctl invokes the swap_inode_boot_loader function to
swap inode<5> and inode<12>. However, inode<5> contains an incorrect imode and
disordered extents, and i_nlink is set to 1. The extents check for the inode in
the ext4_iget function can be bypassed because 5 is EXT4_BOOT_LOADER_INO.
Since links_count is set to 1, the extents are not initialized in
swap_inode_boot_loader. After the ioctl command is executed successfully,
the extents are swapped into inode<12>; running the `cat` command to view
inode<12> then triggers the BUG_ON due to the incorrect extents.

When the boot loader inode is not initialized, its imode can be one of the
following:
1) the imode is a bad type, which is marked as bad_inode in ext4_iget and
   set to S_IFREG.
2) the imode is good type but not S_IFREG.
3) the imode is S_IFREG.

The BUG_ON may be triggered by bypassing the check in cases 1 and 2.
Therefore, when the boot loader inode is bad_inode or its imode is not
S_IFREG, initialize the inode to avoid triggering the BUG.

Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221026042310.3839669-5-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/ioctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -134,7 +134,7 @@ static long swap_inode_boot_loader(struc
 	/* Protect extent tree against block allocations via delalloc */
 	ext4_double_down_write_data_sem(inode, inode_bl);
 
-	if (inode_bl->i_nlink == 0) {
+	if (is_bad_inode(inode_bl) || !S_ISREG(inode_bl->i_mode)) {
 		/* this inode has never been used as a BOOT_LOADER */
 		set_nlink(inode_bl, 1);
 		i_uid_write(inode_bl, 0);
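Review bot: the comment `/* this inode has never been used as a BOOT_LOADER */` no longer matches the condition above it, since the branch now also runs for a boot-loader inode that has been used before but carries a non-regular or bad i_mode; reword it to say the inode is reinitialized whenever it is bad or not a regular file. Dropping the `i_nlink == 0` test also means a never-used boot-loader inode is only reinitialized if ext4_iget() marked it bad (the commit message relies on that for case 1), so confirm that the 4.9 ext4_iget() does so for an all-zero inode 5; and, as the message itself states, an S_IFREG boot-loader inode with corrupt extents (case 3) is still not covered by this check.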




* [PATCH 4.9 248/251] ext4: init quota for old.inode in ext4_rename
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (246 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 247/251] ext4: fix bug_on in __es_tree_search caused by bad boot loader inode Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 249/251] ext4: fix error code return to user-space in ext4_get_branch() Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+98346927678ac3059c77, Ye Bin,
	Jan Kara, Theodore Tso, stable

From: Ye Bin <yebin10@huawei.com>

commit fae381a3d79bb94aa2eb752170d47458d778b797 upstream.

Syzbot found the following issue:
ext4_parse_param: s_want_extra_isize=128
ext4_inode_info_init: s_want_extra_isize=32
ext4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828
__ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128
__ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128
ext4_xattr_block_set: inode=ffff88823869a2c8
------------[ cut here ]------------
WARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980
Modules linked in:
RIP: 0010:ext4_xattr_block_set.cold+0x22/0x980
RSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000
RDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178
RBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e
R10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000
R13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000
FS:  00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? ext4_xattr_set_entry+0x3b7/0x2320
 ? ext4_xattr_block_set+0x0/0x2020
 ? ext4_xattr_set_entry+0x0/0x2320
 ? ext4_xattr_check_entries+0x77/0x310
 ? ext4_xattr_ibody_set+0x23b/0x340
 ext4_xattr_move_to_block+0x594/0x720
 ext4_expand_extra_isize_ea+0x59a/0x10f0
 __ext4_expand_extra_isize+0x278/0x3f0
 __ext4_mark_inode_dirty.cold+0x347/0x410
 ext4_rename+0xed3/0x174f
 vfs_rename+0x13a7/0x2510
 do_renameat2+0x55d/0x920
 __x64_sys_rename+0x7d/0xb0
 do_syscall_64+0x3b/0xa0
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

As 'ext4_rename' will modify the ctime of 'old.inode' and mark the inode dirty,
which may trigger expanding 'extra_isize' and allocating a block, an inode
whose quota was not initialized will lead to the warning.  To solve the above
issue, initialize the quota of 'old.inode' first in 'ext4_rename'.

Reported-by: syzbot+98346927678ac3059c77@syzkaller.appspotmail.com
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221107015335.2524319-1-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/namei.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3864,6 +3864,9 @@ static int ext4_cross_rename(struct inod
 	retval = dquot_initialize(old.dir);
 	if (retval)
 		return retval;
+	retval = dquot_initialize(old.inode);
+	if (retval)
+		return retval;
 	retval = dquot_initialize(new.dir);
 	if (retval)
 		return retval;
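Review bot: the hunk header names ext4_cross_rename(), but the subject, the commit message and the trace all point at ext4_rename(); the context lines around the insertion (`dquot_initialize(old.dir)` ... `dquot_initialize(new.dir)`) occur verbatim in both functions in 4.9, so a fuzzy apply can land this hunk in the wrong one. Check fs/ext4/namei.c at the quoted line and make sure the new `dquot_initialize(old.inode)` call sits in ext4_rename(), where the ctime update and the __ext4_mark_inode_dirty() from the trace run; placed only in ext4_cross_rename() it would not fix the reported warning.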




* [PATCH 4.9 249/251] ext4: fix error code return to user-space in ext4_get_branch()
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (247 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 248/251] ext4: init quota for old.inode in ext4_rename Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 250/251] ext4: avoid BUG_ON when creating xattrs Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Luís Henriques, Theodore Tso, stable

From: Luís Henriques <lhenriques@suse.de>

commit 26d75a16af285a70863ba6a81f85d81e7e65da50 upstream.

If a block is out of range in ext4_get_branch(), -ENOMEM will be returned
to user-space.  Obviously, this error code isn't really useful.  This
patch fixes it by making sure the right error code (-EFSCORRUPTED) is
propagated to user-space.  EUCLEAN is more informative than ENOMEM.

Signed-off-by: Luís Henriques <lhenriques@suse.de>
Link: https://lore.kernel.org/r/20221109181445.17843-1-lhenriques@suse.de
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/indirect.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -147,6 +147,7 @@ static Indirect *ext4_get_branch(struct
 	struct super_block *sb = inode->i_sb;
 	Indirect *p = chain;
 	struct buffer_head *bh;
+	unsigned int key;
 	int ret = -EIO;
 
 	*err = 0;
@@ -155,7 +156,13 @@ static Indirect *ext4_get_branch(struct
 	if (!p->key)
 		goto no_block;
 	while (--depth) {
-		bh = sb_getblk(sb, le32_to_cpu(p->key));
+		key = le32_to_cpu(p->key);
+		if (key > ext4_blocks_count(EXT4_SB(sb)->s_es)) {
+			/* the block was out of range */
+			ret = -EFSCORRUPTED;
+			goto failure;
+		}
+		bh = sb_getblk(sb, key);
 		if (unlikely(!bh)) {
 			ret = -ENOMEM;
 			goto failure;
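Review bot: the new test `key > ext4_blocks_count(EXT4_SB(sb)->s_es)` is off by one: valid block numbers run from 0 to blocks_count - 1, so a pointer equal to blocks_count passes the test, sb_getblk() then fails on it, and the caller still gets -ENOMEM rather than -EFSCORRUPTED. Use `>=`. Note also that only the pointers this loop dereferences are checked; the final data-block pointer written into the chain is left to the caller, which the comment should say.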



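The walk ext4_get_branch() performs is why a range check belongs before sb_getblk(): every pointer it follows comes straight from the on-disk metadata of an image the kernel has no reason to trust. What follows is an added example, not code from this patch or from the kernel: a user-space model of that loop over a constructed in-memory image, with the old behaviour (no check), the check as written in the hunk (`>`) and a `>=` variant side by side. The block layout, the chain/offset handling and the EFSCORRUPTED = EUCLEAN alias are assumptions of the model.

```c
/*
 * Added example, not code from this patch or the kernel: a user-space model
 * of the indirect-block walk in ext4_get_branch().  The "disk" is a
 * constructed in-memory array of 1 KiB blocks, the chain/offset layout is
 * simplified, and EFSCORRUPTED is assumed to be ext4's EUCLEAN alias.
 */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE   1024
#define NBLOCKS      8               /* blocks_count of the constructed image */
#define EFSCORRUPTED EUCLEAN

enum range_check { NO_CHECK, CHECK_GT, CHECK_GE };

static uint8_t disk[NBLOCKS][BLOCK_SIZE];

/* On-disk block pointers are little-endian u32 whatever the host order. */
static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Model of sb_getblk(): NULL for a block the device cannot map.  The kernel
 * treats NULL as an allocation failure, which is how an out-of-range pointer
 * in a corrupt image used to surface as -ENOMEM.
 */
static const uint8_t *getblk(uint32_t key)
{
	return key < NBLOCKS ? disk[key] : NULL;
}

/*
 * Follow a chain of `depth` block pointers from `start`, reading entry
 * offsets[i] of the i-th indirect block; chain[depth - 1] is the data block
 * on success.  `mode` selects no range check (before the patch), the hunk's
 * `key > blocks_count`, or the corrected `key >= blocks_count`.
 */
static int get_branch(uint32_t start, int depth, const int *offsets,
		      uint64_t blocks_count, enum range_check mode,
		      uint32_t *chain)
{
	uint32_t *p = chain;
	int level = 0;

	*p = start;
	if (!*p)
		return -ENOENT;              /* hole: nothing mapped here */

	while (--depth) {
		uint32_t key = *p;
		const uint8_t *bh;

		/* Valid block numbers are 0 .. blocks_count - 1. */
		if ((mode == CHECK_GT && key > blocks_count) ||
		    (mode == CHECK_GE && key >= blocks_count))
			return -EFSCORRUPTED;

		bh = getblk(key);
		if (!bh)
			return -ENOMEM;

		*++p = get_le32(bh + (size_t)offsets[level++] * 4);
		if (!*p)
			return -ENOENT;
	}
	/* As in the kernel, only dereferenced pointers are checked here; the
	 * final data-block pointer is left for the caller to validate. */
	return 0;
}

/* Constructed image: one sane chain and two corrupted indirect blocks. */
static void build_image(void)
{
	memset(disk, 0, sizeof disk);
	put_le32(disk[1], 2);             /* block 1: indirect -> data block 2 */
	put_le32(disk[3], 0xFFFFFFFFu);   /* block 3: pointer far outside the fs */
	put_le32(disk[4], NBLOCKS);       /* block 4: pointer == blocks_count */
}

/* Resolve a chain; returns the data block number or a negative errno. */
static int64_t lookup(uint32_t start, int depth, enum range_check mode)
{
	static const int offsets[3] = { 0, 0, 0 };
	uint32_t chain[3] = { 0 };
	int ret;

	build_image();
	ret = get_branch(start, depth, offsets, NBLOCKS, mode, chain);
	return ret < 0 ? ret : (int64_t)chain[depth - 1];
}
```

lookup(3, 3, NO_CHECK) reproduces the pre-patch -ENOMEM for a wild pointer, lookup(3, 3, CHECK_GE) returns -EUCLEAN for the same image, and lookup(4, 3, CHECK_GT) shows that a pointer equal to blocks_count slips past `>` and still ends in -ENOMEM, while CHECK_GE reports it as corruption.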

* [PATCH 4.9 250/251] ext4: avoid BUG_ON when creating xattrs
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (248 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 249/251] ext4: fix error code return to user-space in ext4_get_branch() Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 12:56 ` [PATCH 4.9 251/251] ext4: initialize quota before expanding inode in setproject ioctl Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Sandeen, Jan Kara,
	Theodore Tso, stable

From: Jan Kara <jack@suse.cz>

commit b40ebaf63851b3a401b0dc9263843538f64f5ce6 upstream.

Commit fb0a387dcdcd ("ext4: limit block allocations for indirect-block
files to < 2^32") added code to try to allocate xattr block with 32-bit
block number for indirect block based files on the grounds that these
files cannot use larger block numbers. It also added BUG_ON when
allocated block could not fit into 32 bits. This is however bogus
reasoning because xattr block is stored in inode->i_file_acl and
inode->i_file_acl_hi and as such even indirect block based files can
happily use full 48 bits for xattr block number. The proper handling
seems to be there basically since 64-bit block number support was added.
So remove the bogus limitation and BUG_ON.

Cc: Eric Sandeen <sandeen@redhat.com>
Fixes: fb0a387dcdcd ("ext4: limit block allocations for indirect-block files to < 2^32")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221121130929.32031-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/xattr.c |    8 --------
 1 file changed, 8 deletions(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -974,19 +974,11 @@ inserted:
 
 			goal = ext4_group_first_block_no(sb,
 						EXT4_I(inode)->i_block_group);
-
-			/* non-extent files can't have physical blocks past 2^32 */
-			if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)))
-				goal = goal & EXT4_MAX_BLOCK_FILE_PHYS;
-
 			block = ext4_new_meta_blocks(handle, inode, goal, 0,
 						     NULL, &error);
 			if (error)
 				goto cleanup;
 
-			if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)))
-				BUG_ON(block > EXT4_MAX_BLOCK_FILE_PHYS);
-
 			ea_idebug(inode, "creating block %llu",
 				  (unsigned long long)block);
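Review bot: with both the `goal` mask and the BUG_ON removed, nothing in this path distinguishes extent and indirect-block inodes any more, which is consistent with the commit message's point that the xattr block number is kept in i_file_acl/i_file_acl_hi rather than in the 32-bit block map. It would help to make the stable justification explicit in the commit message: `goal` is only an allocation hint, so the BUG_ON on the `block` returned by ext4_new_meta_blocks() fired whenever the allocator placed the xattr block at or above 2^32, i.e. a crash reachable by setting an xattr on an indirect-block file on a filesystem with more than 2^32 blocks.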
 




* [PATCH 4.9 251/251] ext4: initialize quota before expanding inode in setproject ioctl
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (249 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 250/251] ext4: avoid BUG_ON when creating xattrs Greg Kroah-Hartman
@ 2023-01-05 12:56 ` Greg Kroah-Hartman
  2023-01-05 16:36 ` [PATCH 4.9 000/251] 4.9.337-rc1 review Shuah Khan
                   ` (5 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-05 12:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, stable, Theodore Tso

From: Jan Kara <jack@suse.cz>

commit 1485f726c6dec1a1f85438f2962feaa3d585526f upstream.

Make sure we initialize quotas before possibly expanding inode space
(and thus maybe needing to allocate external xattr block) in
ext4_ioctl_setproject(). This prevents not accounting the necessary
block allocation.

Signed-off-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20221207115937.26601-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/ioctl.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -333,6 +333,10 @@ static int ext4_ioctl_setproject(struct
 	if (IS_NOQUOTA(inode))
 		goto out_unlock;
 
+	err = dquot_initialize(inode);
+	if (err)
+		return err;
+
 	err = ext4_get_inode_loc(inode, &iloc);
 	if (err)
 		goto out_unlock;
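Review bot: `return err;` after the moved dquot_initialize() call is wrong in this backport: the code at this point is already inside the locked region (the IS_NOQUOTA check two lines above and the ext4_get_inode_loc() failure path both `goto out_unlock`), so returning directly on failure leaves that lock held. Make it `goto out_unlock`. The copy removed further down had the same defect in its old position; the move should not carry it over.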
@@ -345,10 +349,6 @@ static int ext4_ioctl_setproject(struct
 	}
 	brelse(iloc.bh);
 
-	err = dquot_initialize(inode);
-	if (err)
-		return err;
-
 	handle = ext4_journal_start(inode, EXT4_HT_QUOTA,
 		EXT4_QUOTA_INIT_BLOCKS(sb) +
 		EXT4_QUOTA_DEL_BLOCKS(sb) + 3);




* Re: [PATCH 4.9 000/251] 4.9.337-rc1 review
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (250 preceding siblings ...)
  2023-01-05 12:56 ` [PATCH 4.9 251/251] ext4: initialize quota before expanding inode in setproject ioctl Greg Kroah-Hartman
@ 2023-01-05 16:36 ` Shuah Khan
  2023-01-05 19:13 ` Guenter Roeck
                   ` (4 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Shuah Khan @ 2023-01-05 16:36 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
	rwarsow, Shuah Khan

On 1/5/23 05:52, Greg Kroah-Hartman wrote:
> -------------------------------------------
> NOTE:
> 
> This is going to be the LAST 4.9.y release to be made by the stable/LTS
> kernel maintainers.  After this release, it will be end-of-life and you
> should not use it at all.  You should have moved to a newer kernel
> branch by now (as seen on the https://kernel.org/category/releases.html
> page), but if NOT, and this is going to be a real hardship, please
> contact me directly.
> -------------------------------------------
> 
> This is the start of the stable review cycle for the 4.9.337 release.
> There are 251 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sat, 07 Jan 2023 12:52:55 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.337-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah


* Re: [PATCH 4.9 000/251] 4.9.337-rc1 review
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (251 preceding siblings ...)
  2023-01-05 16:36 ` [PATCH 4.9 000/251] 4.9.337-rc1 review Shuah Khan
@ 2023-01-05 19:13 ` Guenter Roeck
  2023-01-05 19:17 ` Pavel Machek
                   ` (3 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Guenter Roeck @ 2023-01-05 19:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
	rwarsow

On Thu, Jan 05, 2023 at 01:52:17PM +0100, Greg Kroah-Hartman wrote:
> -------------------------------------------
> NOTE:
> 
> This is going to be the LAST 4.9.y release to be made by the stable/LTS
> kernel maintainers.  After this release, it will be end-of-life and you
> should not use it at all.  You should have moved to a newer kernel
> branch by now (as seen on the https://kernel.org/category/releases.html
> page), but if NOT, and this is going to be a real hardship, please
> contact me directly.
> -------------------------------------------
> 
> This is the start of the stable review cycle for the 4.9.337 release.
> There are 251 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sat, 07 Jan 2023 12:52:55 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 162 pass: 162 fail: 0
Qemu test results:
	total: 395 pass: 395 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter


* Re: [PATCH 4.9 000/251] 4.9.337-rc1 review
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (252 preceding siblings ...)
  2023-01-05 19:13 ` Guenter Roeck
@ 2023-01-05 19:17 ` Pavel Machek
  2023-01-05 19:28 ` Florian Fainelli
                   ` (2 subsequent siblings)
  256 siblings, 0 replies; 260+ messages in thread
From: Pavel Machek @ 2023-01-05 19:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow


Hi!

> -------------------------------------------
> NOTE:
> 
> This is going to be the LAST 4.9.y release to be made by the stable/LTS
> kernel maintainers.  After this release, it will be end-of-life and you
> should not use it at all.  You should have moved to a newer kernel
> branch by now (as seen on the https://kernel.org/category/releases.html
> page), but if NOT, and this is going to be a real hardship, please
> contact me directly.
> -------------------------------------------

CIP project is still maintaining 4.4-st, 4.4-cip and -rt releases, and
is committed to do so for a few more years. 4.9.y makes that job easier
than it would be without them. If there's a way to keep 4.9 maintained
a while longer, we might be interested.

> This is the start of the stable review cycle for the 4.9.337 release.
> There are 251 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.9.y

Tested-by: Pavel Machek (CIP) <pavel@denx.de>

Best regards,
                                                                Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



* Re: [PATCH 4.9 000/251] 4.9.337-rc1 review
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (253 preceding siblings ...)
  2023-01-05 19:17 ` Pavel Machek
@ 2023-01-05 19:28 ` Florian Fainelli
  2023-01-05 19:47 ` Pavel Machek
  2023-01-06 10:12 ` Naresh Kamboju
  256 siblings, 0 replies; 260+ messages in thread
From: Florian Fainelli @ 2023-01-05 19:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow

On 1/5/23 04:52, Greg Kroah-Hartman wrote:
> -------------------------------------------
> NOTE:
> 
> This is going to be the LAST 4.9.y release to be made by the stable/LTS
> kernel maintainers.  After this release, it will be end-of-life and you
> should not use it at all.  You should have moved to a newer kernel
> branch by now (as seen on the https://kernel.org/category/releases.html
> page), but if NOT, and this is going to be a real hardship, please
> contact me directly.
> -------------------------------------------
> 
> This is the start of the stable review cycle for the 4.9.337 release.
> There are 251 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sat, 07 Jan 2023 12:52:55 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.337-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on 
BMIPS_GENERIC:

Tested-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian



* Re: [PATCH 4.9 000/251] 4.9.337-rc1 review
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (254 preceding siblings ...)
  2023-01-05 19:28 ` Florian Fainelli
@ 2023-01-05 19:47 ` Pavel Machek
  2023-01-07 10:27   ` Greg Kroah-Hartman
  2023-01-06 10:12 ` Naresh Kamboju
  256 siblings, 1 reply; 260+ messages in thread
From: Pavel Machek @ 2023-01-05 19:47 UTC (permalink / raw)
  To: Greg Kroah-Hartman, nathan, marcus.folkesson, cuigaosheng1,
	andriy.shevchenko, m.szyprowski, jack
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow


Hi!

> This is the start of the stable review cycle for the 4.9.337 release.
> There are 251 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

These are kCFI fixes, we don't really need them in 4.9:

> Nathan Chancellor <nathan@kernel.org>
>     net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
> Nathan Chancellor <nathan@kernel.org>
>     hamradio: baycom_epp: Fix return type of baycom_send_packet()
> Nathan Chancellor <nathan@kernel.org>
>     drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
> Nathan Chancellor <nathan@kernel.org>
>     drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()

This is marked as not-for-stable, and does not fix anything really
bad, just a smatch warning:

> Marcus Folkesson <marcus.folkesson@gmail.com>
>     HID: hid-sensor-custom: set fixed size for custom attributes

This is quite wrong. The real bug is registering the interrupt before the
device is set up -- it should be fixed by reordering the init code,
not by checking for NULL.

> Gaosheng Cui <cuigaosheng1@huawei.com>
>     ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt

This may turn a working config into a non-working one for someone, as people
now need to enable PWM manually to get a fully working driver. I don't
think we want it in stable.

> Andy Shevchenko <andriy.shevchenko@linux.intel.com>
>     fbdev: ssd1307fb: Drop optional dependency

This claims to fix a deadlock, but in turn it calls
cancel_delayed_work_sync from an interrupt handler. I don't think that is
a good idea.

> Marek Szyprowski <m.szyprowski@samsung.com>
>     ASoC: wm8994: Fix potential deadlock

This one is okay in mainline, but contains wrong error handling in the
4.9 backport. 4.19 seems okay. It needs to "goto out_unlock", not
return directly.

> Jan Kara <jack@suse.cz>
>     ext4: initialize quota before expanding inode in setproject ioctl

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



* Re: [PATCH 4.9 000/251] 4.9.337-rc1 review
  2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
                   ` (255 preceding siblings ...)
  2023-01-05 19:47 ` Pavel Machek
@ 2023-01-06 10:12 ` Naresh Kamboju
  256 siblings, 0 replies; 260+ messages in thread
From: Naresh Kamboju @ 2023-01-06 10:12 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow

On Thu, 5 Jan 2023 at 18:28, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> -------------------------------------------
> NOTE:
>
> This is going to be the LAST 4.9.y release to be made by the stable/LTS
> kernel maintainers.  After this release, it will be end-of-life and you
> should not use it at all.  You should have moved to a newer kernel
> branch by now (as seen on the https://kernel.org/category/releases.html
> page), but if NOT, and this is going to be a real hardship, please
> contact me directly.
> -------------------------------------------
>
> This is the start of the stable review cycle for the 4.9.337 release.
> There are 251 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 07 Jan 2023 12:52:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.337-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 4.9.337-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-4.9.y
* git commit: e5be668a53e8317a07f6b4a6b3e0b17b232cb6a1
* git describe: v4.9.336-252-ge5be668a53e8
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.9.y/build/v4.9.336-252-ge5be668a53e8

## Test Regressions (compared to v4.9.336)

## Metric Regressions (compared to v4.9.336)

## Test Fixes (compared to v4.9.336)

## Metric Fixes (compared to v4.9.336)

## Test result summary
total: 77532, pass: 66466, fail: 2409, skip: 8290, xfail: 367

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 284 total, 278 passed, 6 failed
* arm64: 55 total, 48 passed, 7 failed
* i386: 31 total, 30 passed, 1 failed
* mips: 43 total, 40 passed, 3 failed
* parisc: 2 total, 0 passed, 2 failed
* powerpc: 27 total, 21 passed, 6 failed
* s390: 17 total, 12 passed, 5 failed
* sh: 26 total, 24 passed, 2 failed
* sparc: 14 total, 14 passed, 0 failed
* x86_64: 52 total, 49 passed, 3 failed

## Test suites summary
* boot
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers-dma-buf
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-net-forwarding
* kselftest-net-mptcp
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-filecaps
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-fsx
* ltp-hugetlb
* ltp-io
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-open-posix-tests
* ltp-pty
* ltp-sched
* ltp-securebits
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* network-basic-tests
* packetdrill
* rcutorture
* v4l2-compliance
* vdso

--
Linaro LKFT
https://lkft.linaro.org


* Re: [PATCH 4.9 000/251] 4.9.337-rc1 review
  2023-01-05 19:47 ` Pavel Machek
@ 2023-01-07 10:27   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-07 10:27 UTC (permalink / raw)
  To: Pavel Machek
  Cc: nathan, marcus.folkesson, cuigaosheng1, andriy.shevchenko,
	m.szyprowski, jack, stable, patches, linux-kernel, torvalds,
	akpm, linux, shuah, patches, lkft-triage, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow

On Thu, Jan 05, 2023 at 08:47:36PM +0100, Pavel Machek wrote:
> This one is okay in mainline, but contains wrong error handling in the
> 4.9 backport. 4.19 seems okay. It needs to "goto out_unlock", not
> return directly.
> 
> > Jan Kara <jack@suse.cz>
> >     ext4: initialize quota before expanding inode in setproject ioctl

I've fixed this up, good catch.  The rest I've left as they seem
reasonable to be in the tree as-is.

thanks,

greg k-h


end of thread, other threads:[~2023-01-07 10:27 UTC | newest]

Thread overview: 260+ messages
2023-01-05 12:52 [PATCH 4.9 000/251] 4.9.337-rc1 review Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 001/251] mm/khugepaged: fix GUP-fast interaction by sending IPI Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 002/251] mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 003/251] block: unhash blkdev part inode when the part is deleted Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 004/251] ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 005/251] can: sja1000: fix size of OCR_MODE_MASK define Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 006/251] ASoC: ops: Correct bounds check for second channel on SX controls Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 007/251] udf: Discard preallocation before extending file with a hole Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 008/251] udf: Drop unused arguments of udf_delete_aext() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 009/251] udf: Fix preallocation discarding at indirect extent boundary Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 010/251] udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 011/251] udf: Fix extending file within last block Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 012/251] usb: gadget: uvc: Prevent buffer overflow in setup handler Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 013/251] USB: serial: cp210x: add Kamstrup RF sniffer PIDs Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 014/251] Bluetooth: L2CAP: Fix u8 overflow Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 015/251] net: loopback: use NET_NAME_PREDICTABLE for name_assign_type Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 016/251] drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 017/251] arm: dts: spear600: Fix clcd interrupt Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 018/251] soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 019/251] ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 020/251] ARM: dts: armada-370: " Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 021/251] ARM: dts: armada-xp: " Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 022/251] ARM: dts: armada-375: " Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 023/251] ARM: dts: armada-38x: " Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 024/251] ARM: dts: armada-39x: " Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 025/251] ARM: mmp: fix timer_read delay Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 026/251] pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 027/251] cpuidle: dt: Return the correct numbers of parsed idle states Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 028/251] alpha: fix syscall entry in !AUDUT_SYSCALL case Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 029/251] PM: hibernate: Fix mistake in kerneldoc comment Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 030/251] fs: dont audit the capability check in simple_xattr_list() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 031/251] perf: Fix possible memleak in pmu_dev_alloc() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 032/251] timerqueue: Use rb_entry_safe() in timerqueue_getnext() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 033/251] ocfs2: fix memory leak in ocfs2_stack_glue_init() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 034/251] MIPS: vpe-mt: fix possible memory leak while module exiting Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 035/251] MIPS: vpe-cmp: " Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 036/251] PNP: fix name memory leak in pnp_alloc_dev() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 037/251] irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 038/251] libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 039/251] lib/notifier-error-inject: fix error when writing -errno to debugfs file Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 040/251] rapidio: fix possible name leaks when rio_add_device() fails Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 041/251] rapidio: rio: fix possible name leak in rio_register_mport() Greg Kroah-Hartman
2023-01-05 12:52 ` [PATCH 4.9 042/251] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 043/251] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 044/251] x86/xen: Fix memory leak in xen_init_lock_cpu() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 045/251] MIPS: BCM63xx: Add check for NULL for clk in clk_enable Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 046/251] fs: sysv: Fix sysv_nblocks() returns wrong value Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 047/251] rapidio: fix possible UAF when kfifo_alloc() fails Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 048/251] eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 049/251] hfs: Fix OOB Write in hfs_asc2mac Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 050/251] rapidio: devices: fix missing put_device in mport_cdev_open Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 051/251] wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 052/251] wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 053/251] media: i2c: ad5820: Fix error path Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 054/251] media: vivid: fix compose size exceed boundary Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 055/251] mtd: Fix device name leak when register device failed in add_mtd_device() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 056/251] ASoC: pxa: fix null-pointer dereference in filter() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 057/251] regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 058/251] ima: Fix misuse of dereference of pointer in template_desc_init_fields() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 059/251] wifi: ath10k: Fix return value in ath10k_pci_init() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 060/251] mtd: lpddr2_nvm: Fix possible null-ptr-deref Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 061/251] Input: elants_i2c - properly handle the reset GPIO when power is off Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 062/251] media: solo6x10: fix possible memory leak in solo_sysfs_init() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 063/251] media: platform: exynos4-is: Fix error handling in fimc_md_init() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 064/251] HID: hid-sensor-custom: set fixed size for custom attributes Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 065/251] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 066/251] clk: rockchip: Fix memory leak in rockchip_clk_register_pll() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 067/251] mtd: maps: pxa2xx-flash: fix memory leak in probe Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 068/251] media: imon: fix a race condition in send_packet() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 069/251] pinctrl: pinconf-generic: add missing of_node_put() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 070/251] media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 071/251] NFSv4.2: Fix a memory stomp in decode_attr_security_label Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 072/251] NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 073/251] ALSA: asihpi: fix missing pci_disable_device() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 074/251] drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 075/251] drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 076/251] ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 077/251] bonding: uninitialized variable in bond_miimon_inspect() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 078/251] regulator: core: fix module refcount leak in set_supply() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 079/251] media: saa7164: fix missing pci_disable_device() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 080/251] ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 081/251] SUNRPC: Fix missing release socket in rpc_sockname() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 082/251] mmc: moxart: fix return value check of mmc_add_host() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 083/251] mmc: mxcmmc: " Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 084/251] mmc: rtsx_usb_sdmmc: " Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 085/251] mmc: toshsd: " Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 086/251] mmc: vub300: " Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 087/251] mmc: via-sdmmc: " Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 088/251] mmc: wbsd: " Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 089/251] mmc: mmci: " Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 090/251] media: c8sectpfe: Add of_node_put() when breaking out of loop Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 091/251] media: coda: Add check for dcoda_iram_alloc Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 092/251] media: coda: Add check for kmalloc Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 093/251] wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 094/251] wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 095/251] blktrace: Fix output non-blktrace event when blk_classic option enabled Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 096/251] net: vmw_vsock: vmci: Check memcpy_from_msg() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 097/251] net: defxx: Fix missing err handling in dfx_init() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 098/251] drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 099/251] ethernet: s2io: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 100/251] net: farsync: Fix kmemleak when rmmods farsync Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 101/251] net/tunnel: wait until all sk_user_data reader finish before releasing the sock Greg Kroah-Hartman
2023-01-05 12:53 ` [PATCH 4.9 102/251] net: apple: mace: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 103/251] net: apple: bmac: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 104/251] net: emaclite: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 105/251] net: ethernet: dnet: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 106/251] hamradio: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 107/251] net: amd: lance: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 108/251] ntb_netdev: Use dev_kfree_skb_any() in interrupt context Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 109/251] Bluetooth: btusb: dont call kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 110/251] Bluetooth: hci_qca: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 111/251] Bluetooth: hci_h5: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 112/251] Bluetooth: hci_bcsp: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 113/251] Bluetooth: hci_core: " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 114/251] stmmac: fix potential division by 0 Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 115/251] scsi: hpsa: Fix error handling in hpsa_add_sas_host() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 116/251] scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 117/251] scsi: fcoe: Fix possible name leak when device_register() fails Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 118/251] scsi: ipr: Fix WARNING in ipr_init() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 119/251] scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 120/251] scsi: snic: Fix possible UAF in snic_tgt_create() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 121/251] orangefs: Fix sysfs not cleanup when dev init failed Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 122/251] crypto: img-hash - Fix variable dereferenced before check hdev->req Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 123/251] hwrng: amd - Fix PCI device refcount leak Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 124/251] hwrng: geode " Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 125/251] IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 126/251] drivers: dio: fix possible memory leak in dio_init() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 127/251] vfio: platform: Do not pass return buffer to ACPI _RST method Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 128/251] uio: uio_dmem_genirq: Fix missing unlock in irq configuration Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 129/251] uio: uio_dmem_genirq: Fix deadlock between irq config and handling Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 130/251] usb: fotg210-udc: Fix ages old endianness issues Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 131/251] staging: vme_user: Fix possible UAF in tsi148_dma_list_add Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 132/251] serial: amba-pl011: avoid SBSA UART accessing DMACR register Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 133/251] serial: pch: Fix PCI device refcount leak in pch_request_dma() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 134/251] serial: sunsab: Fix error handling in sunsab_init() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 135/251] misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 136/251] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 137/251] cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 138/251] cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 139/251] drivers: mcb: fix resource leak in mcb_probe() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 140/251] mcb: mcb-parse: fix error handing in chameleon_parse_gdd() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 141/251] chardev: fix error handling in cdev_device_add() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 142/251] i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 143/251] staging: rtl8192u: Fix use after free in ieee80211_rx() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 144/251] staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 145/251] vme: Fix error not catched in fake_init() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 146/251] i2c: ismt: Fix an out-of-bounds bug in ismt_access() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 147/251] usb: storage: Add check for kcalloc Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 148/251] fbdev: ssd1307fb: Drop optional dependency Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 149/251] fbdev: pm2fb: fix missing pci_disable_device() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 150/251] fbdev: via: Fix error in via_core_init() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 151/251] fbdev: vermilion: decrease reference count in error path Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 152/251] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 153/251] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 154/251] HSI: omap_ssi_core: fix possible memory leak in ssi_probe() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 155/251] power: supply: fix residue sysfs file in error handle route of __power_supply_register() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 156/251] HSI: omap_ssi_core: Fix error handling in ssi_init() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 157/251] include/uapi/linux/swab: Fix potentially missing __always_inline Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 158/251] rtc: snvs: Allow a time difference on clock register read Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 159/251] iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 160/251] macintosh: fix possible memory leak in macio_add_one_device() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 161/251] macintosh/macio-adb: check the return value of ioremap() Greg Kroah-Hartman
2023-01-05 12:54 ` [PATCH 4.9 162/251] powerpc/52xx: Fix a resource leak in an error handling path Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 163/251] powerpc/perf: callchain validate kernel stack pointer bounds Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 164/251] powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 165/251] powerpc/hv-gpci: Fix hv_gpci event list Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 166/251] selftests/powerpc: Fix resource leaks Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 167/251] rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 168/251] nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 169/251] mISDN: hfcsusb: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 170/251] mISDN: hfcpci: " Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 171/251] mISDN: hfcmulti: " Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 172/251] nfc: pn533: Clear nfc_target before being used Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 173/251] r6040: Fix kmemleak in probe and remove Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 174/251] openvswitch: Fix flow lookup to use unmasked key Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 175/251] skbuff: Account for tail adjustment during pull operations Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 176/251] net_sched: reject TCF_EM_SIMPLE case for complex ematch module Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 177/251] myri10ge: Fix an error handling path in myri10ge_probe() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 178/251] net: stream: purge sk_error_queue in sk_stream_kill_queues() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 179/251] binfmt_misc: fix shift-out-of-bounds in check_special_flags Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 180/251] fs: jfs: fix shift-out-of-bounds in dbAllocAG Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 181/251] udf: Avoid double brelse() in udf_rename() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 182/251] fs: jfs: fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 183/251] ACPICA: Fix error code path in acpi_ds_call_control_method() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 184/251] nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 185/251] acct: fix potential integer overflow in encode_comp_t() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 186/251] hfs: fix OOB Read in __hfs_brec_find Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 187/251] wifi: ath9k: verify the expected usb_endpoints are present Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 188/251] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 189/251] ipmi: fix memleak when unload ipmi driver Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 190/251] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 191/251] hamradio: baycom_epp: Fix return type of baycom_send_packet() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 192/251] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 193/251] igb: Do not free q_vector unless new one was allocated Greg Kroah-Hartman
2023-01-05 12:55   ` [Intel-wired-lan] " Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 194/251] s390/ctcm: Fix return type of ctc{mp,}m_tx() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 195/251] s390/netiucv: Fix return type of netiucv_tx() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 196/251] s390/lcs: Fix return type of lcs_start_xmit() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 197/251] drm/sti: Use drm_mode_copy() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 198/251] md/raid1: stop mdx_raid1 thread when raid1 array run failed Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 199/251] mrp: introduce active flags to prevent UAF when applicant uninit Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 200/251] ppp: associate skb with a device at tx Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 201/251] media: dvb-frontends: fix leak of memory fw Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 202/251] media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 203/251] blk-mq: fix possible memleak when register hctx failed Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 204/251] mmc: f-sdh30: Add quirks for broken timeout clock capability Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 205/251] media: si470x: Fix use-after-free in si470x_int_in_callback() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 206/251] clk: st: Fix memory leak in st_of_quadfs_setup() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 207/251] drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 208/251] drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 209/251] orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 210/251] ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 211/251] ASoC: wm8994: Fix potential deadlock Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 212/251] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 213/251] ASoC: rt5670: Remove unbalanced pm_runtime_put() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 214/251] HID: wacom: Ensure bootloader PID is usable in hidraw mode Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 215/251] reiserfs: Add missing calls to reiserfs_security_free() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 216/251] iio: adc: ad_sigma_delta: do not use internal iio_dev lock Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 217/251] gcov: add support for checksum field Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 218/251] powerpc/rtas: avoid scheduling in rtas_os_term() Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 219/251] HID: plantronics: Additional PIDs for double volume key presses quirk Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 220/251] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 221/251] ALSA: line6: correct midi status byte when receiving data from podxt Greg Kroah-Hartman
2023-01-05 12:55 ` [PATCH 4.9 222/251] ALSA: line6: fix stack overflow in line6_midi_transmit Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 223/251] pnode: terminate at peers of source Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 224/251] md: fix a crash in mempool_free Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 225/251] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 226/251] media: stv0288: use explicitly signed char Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 227/251] ktest.pl minconfig: Unset configs instead of just removing them Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 228/251] ARM: ux500: do not directly dereference __iomem Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 229/251] dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 230/251] dm thin: Use last transactions pmd->root when commit failed Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 231/251] dm thin: Fix UAF in run_timer_softirq() Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 232/251] dm cache: Fix UAF in destroy() Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 233/251] dm cache: set needs_check flag after aborting metadata Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 234/251] tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 235/251] ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 236/251] media: dvb-core: Fix double free in dvb_register_device() Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 237/251] cifs: fix confusing debug message Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 238/251] PCI/sysfs: Fix double free in error path Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 239/251] crypto: n2 - add missing hash statesize Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 240/251] iommu/amd: Fix ivrs_acpihid cmdline parsing code Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 241/251] parisc: led: Fix potential null-ptr-deref in start_task() Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 242/251] device_cgroup: Roll back to original exceptions after copy failure Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 243/251] drm/connector: send hotplug uevent on connector cleanup Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 244/251] drm/vmwgfx: Validate the box size for the snooped cursor Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 245/251] ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 246/251] ext4: fix undefined behavior in bit shift for ext4_check_flag_values Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 247/251] ext4: fix bug_on in __es_tree_search caused by bad boot loader inode Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 248/251] ext4: init quota for old.inode in ext4_rename Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 249/251] ext4: fix error code return to user-space in ext4_get_branch() Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 250/251] ext4: avoid BUG_ON when creating xattrs Greg Kroah-Hartman
2023-01-05 12:56 ` [PATCH 4.9 251/251] ext4: initialize quota before expanding inode in setproject ioctl Greg Kroah-Hartman
2023-01-05 16:36 ` [PATCH 4.9 000/251] 4.9.337-rc1 review Shuah Khan
2023-01-05 19:13 ` Guenter Roeck
2023-01-05 19:17 ` Pavel Machek
2023-01-05 19:28 ` Florian Fainelli
2023-01-05 19:47 ` Pavel Machek
2023-01-07 10:27   ` Greg Kroah-Hartman
2023-01-06 10:12 ` Naresh Kamboju
