* [PATCH 4.4 00/39] 4.4.248-rc1 review
@ 2020-12-10 14:26 Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 01/39] net/af_iucv: set correct sk_protocol for child sockets Greg Kroah-Hartman
` (42 more replies)
0 siblings, 43 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, stable
This is the start of the stable review cycle for the 4.4.248 release.
There are 39 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 12 Dec 2020 14:25:47 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.248-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.4.248-rc1
Masami Hiramatsu <mhiramat@kernel.org>
x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
Luo Meng <luomeng12@huawei.com>
Input: i8042 - fix error return code in i8042_setup_aux()
Bob Peterson <rpeterso@redhat.com>
gfs2: check for empty rgrp tree in gfs2_ri_update
Gerald Schaefer <gerald.schaefer@linux.ibm.com>
mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault()
Josef Bacik <josef@toxicpanda.com>
btrfs: cleanup cow block on error
Steven Rostedt (VMware) <rostedt@goodmis.org>
tracing: Fix userstacktrace option for instances
Peter Ujfalusi <peter.ujfalusi@ti.com>
spi: bcm2835: Release the DMA channel if probe fails after dma_init
Lukas Wunner <lukas@wunner.de>
spi: bcm2835: Fix use-after-free on unbind
Lukas Wunner <lukas@wunner.de>
spi: Introduce device-managed SPI controller allocation
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs
Ard Biesheuvel <ard.biesheuvel@linaro.org>
arm64: assembler: make adr_l work in modules under KASLR
Christian Eggers <ceggers@arri.de>
i2c: imx: Check for I2SR_IAL after every byte
Christian Eggers <ceggers@arri.de>
i2c: imx: Fix reset of I2SR_IAL flag
Paulo Alcantara <pc@cjr.nz>
cifs: fix potential use-after-free in cifs_echo_request()
Jann Horn <jannh@google.com>
tty: Fix ->session locking
Takashi Iwai <tiwai@suse.de>
ALSA: hda/generic: Add option to enforce preferred_dacs pairs
Kailang Yang <kailang@realtek.com>
ALSA: hda/realtek - Add new codec supported for ALC897
Jann Horn <jannh@google.com>
tty: Fix ->pgrp locking in tiocspgrp()
Giacinto Cifelli <gciofono@gmail.com>
USB: serial: option: add support for Thales Cinterion EXS82
Vincent Palatin <vpalatin@chromium.org>
USB: serial: option: add Fibocom NL668 variants
Johan Hovold <johan@kernel.org>
USB: serial: ch341: sort device-id entries
Jan-Niklas Burfeind <kernel@aiyionpri.me>
USB: serial: ch341: add new Product ID for CH341A
Johan Hovold <johan@kernel.org>
USB: serial: kl5kusb105: fix memleak on open
Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
usb: gadget: f_fs: Use local copy of descriptors for userspace copy
Eric Dumazet <edumazet@google.com>
geneve: pull IP header before ECN decapsulation
Toke Høiland-Jørgensen <toke@redhat.com>
vlan: consolidate VLAN parsing code and limit max parsing depth
Josef Bacik <josef@toxicpanda.com>
btrfs: sysfs: init devices outside of the chunk_mutex
Michal Suchanek <msuchanek@suse.de>
powerpc: Stop exporting __clear_user which is now inlined.
Po-Hsu Lin <po-hsu.lin@canonical.com>
Input: i8042 - add ByteSpeed touchpad to noloop table
Sanjay Govind <sanjay.govind9@gmail.com>
Input: xpad - support Ardwiino Controllers
Krzysztof Kozlowski <krzk@kernel.org>
dt-bindings: net: correct interrupt flags in examples
Zhang Changzhong <zhangchangzhong@huawei.com>
net: pasemi: fix error return code in pasemi_mac_open()
Zhang Changzhong <zhangchangzhong@huawei.com>
cxgb3: fix error return code in t3_sge_alloc_qset()
Dan Carpenter <dan.carpenter@oracle.com>
net/x25: prevent a couple of overflows
Antoine Tenart <atenart@kernel.org>
netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal
Jamie Iles <jamie@nuviainc.com>
bonding: wait for sysfs kobject destruction before freeing struct slave
Yves-Alexis Perez <corsac@corsac.net>
usbnet: ipheth: fix connectivity with iOS 14
Anmol Karn <anmol.karan123@gmail.com>
rose: Fix Null pointer dereference in rose_send_frame()
Julian Wiedmann <jwi@linux.ibm.com>
net/af_iucv: set correct sk_protocol for child sockets
-------------
Diffstat:
.../devicetree/bindings/net/nfc/nxp-nci.txt | 2 +-
.../devicetree/bindings/net/nfc/pn544.txt | 2 +-
Makefile | 4 +-
arch/arm64/include/asm/assembler.h | 36 +++++++++----
arch/arm64/kernel/head.S | 3 +-
arch/powerpc/lib/ppc_ksyms.c | 1 -
arch/x86/include/asm/insn.h | 15 ++++++
arch/x86/kernel/uprobes.c | 10 ++--
drivers/i2c/busses/i2c-imx.c | 30 +++++++++--
drivers/input/joystick/xpad.c | 2 +
drivers/input/serio/i8042-x86ia64io.h | 4 ++
drivers/input/serio/i8042.c | 3 +-
drivers/iommu/amd_iommu.c | 2 +-
drivers/net/bonding/bond_main.c | 61 +++++++++++++++-------
drivers/net/bonding/bond_sysfs_slave.c | 18 +------
drivers/net/ethernet/chelsio/cxgb3/sge.c | 1 +
drivers/net/ethernet/pasemi/pasemi_mac.c | 8 ++-
drivers/net/geneve.c | 18 ++++++-
drivers/net/usb/ipheth.c | 2 +-
drivers/spi/spi-bcm2835.c | 22 ++++----
drivers/spi/spi.c | 54 ++++++++++++++++++-
drivers/tty/tty_io.c | 51 +++++++++++++-----
drivers/usb/gadget/function/f_fs.c | 6 ++-
drivers/usb/serial/ch341.c | 5 +-
drivers/usb/serial/kl5kusb105.c | 10 ++--
drivers/usb/serial/option.c | 5 +-
fs/btrfs/ctree.c | 6 +++
fs/btrfs/volumes.c | 7 +--
fs/cifs/connect.c | 2 +
fs/gfs2/rgrp.c | 4 ++
include/linux/if_vlan.h | 29 +++++++---
include/linux/spi/spi.h | 2 +
include/linux/tty.h | 4 ++
include/net/bonding.h | 8 +++
include/net/inet_ecn.h | 1 +
kernel/trace/trace.c | 9 ++--
kernel/trace/trace.h | 6 ++-
mm/huge_memory.c | 8 ++-
net/bridge/br_netfilter_hooks.c | 7 ++-
net/iucv/af_iucv.c | 4 +-
net/rose/rose_loopback.c | 17 ++++--
net/x25/af_x25.c | 6 ++-
sound/pci/hda/hda_generic.c | 12 +++--
sound/pci/hda/hda_generic.h | 1 +
sound/pci/hda/patch_realtek.c | 2 +
45 files changed, 370 insertions(+), 140 deletions(-)
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 01/39] net/af_iucv: set correct sk_protocol for child sockets
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 02/39] rose: Fix Null pointer dereference in rose_send_frame() Greg Kroah-Hartman
` (41 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Julian Wiedmann, Jakub Kicinski
From: Julian Wiedmann <jwi@linux.ibm.com>
[ Upstream commit c5dab0941fcdc9664eb0ec0d4d51433216d91336 ]
Child sockets erroneously inherit their parent's sk_type (ie. SOCK_*),
instead of the PF_IUCV protocol that the parent was created with in
iucv_sock_create().
We're currently not using sk->sk_protocol ourselves, so this shouldn't
have much impact (except eg. getting the output in skb_dump() right).
Fixes: eac3731bd04c ("[S390]: Add AF_IUCV socket support")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Link: https://lore.kernel.org/r/20201120100657.34407-1-jwi@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/iucv/af_iucv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -1724,7 +1724,7 @@ static int iucv_callback_connreq(struct
}
/* Create the new socket */
- nsk = iucv_sock_alloc(NULL, sk->sk_type, GFP_ATOMIC, 0);
+ nsk = iucv_sock_alloc(NULL, sk->sk_protocol, GFP_ATOMIC, 0);
if (!nsk) {
err = pr_iucv->path_sever(path, user_data);
iucv_path_free(path);
@@ -1934,7 +1934,7 @@ static int afiucv_hs_callback_syn(struct
goto out;
}
- nsk = iucv_sock_alloc(NULL, sk->sk_type, GFP_ATOMIC, 0);
+ nsk = iucv_sock_alloc(NULL, sk->sk_protocol, GFP_ATOMIC, 0);
bh_lock_sock(sk);
if ((sk->sk_state != IUCV_LISTEN) ||
sk_acceptq_is_full(sk) ||
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 02/39] rose: Fix Null pointer dereference in rose_send_frame()
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 01/39] net/af_iucv: set correct sk_protocol for child sockets Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 03/39] usbnet: ipheth: fix connectivity with iOS 14 Greg Kroah-Hartman
` (40 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jakub Kicinski,
syzbot+a1c743815982d9496393, Anmol Karn
From: Anmol Karn <anmol.karan123@gmail.com>
[ Upstream commit 3b3fd068c56e3fbea30090859216a368398e39bf ]
rose_send_frame() dereferences `neigh->dev` when called from
rose_transmit_clear_request(), and the first occurrence of the
`neigh` is in rose_loopback_timer() as `rose_loopback_neigh`,
and it is initialized in rose_add_loopback_neigh() as NULL.
i.e when `rose_loopback_neigh` used in rose_loopback_timer()
its `->dev` was still NULL and rose_loopback_timer() was calling
rose_rx_call_request() without checking for NULL.
- net/rose/rose_link.c
This bug seems to get triggered in this line:
rose_call = (ax25_address *)neigh->dev->dev_addr;
Fix it by adding NULL checking for `rose_loopback_neigh->dev`
in rose_loopback_timer().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Reported-by: syzbot+a1c743815982d9496393@syzkaller.appspotmail.com
Tested-by: syzbot+a1c743815982d9496393@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=9d2a7ca8c7f2e4b682c97578dfa3f236258300b3
Signed-off-by: Anmol Karn <anmol.karan123@gmail.com>
Link: https://lore.kernel.org/r/20201119191043.28813-1-anmol.karan123@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/rose_loopback.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -99,10 +99,19 @@ static void rose_loopback_timer(unsigned
}
if (frametype == ROSE_CALL_REQUEST) {
- if ((dev = rose_dev_get(dest)) != NULL) {
- if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0)
- kfree_skb(skb);
- } else {
+ if (!rose_loopback_neigh->dev) {
+ kfree_skb(skb);
+ continue;
+ }
+
+ dev = rose_dev_get(dest);
+ if (!dev) {
+ kfree_skb(skb);
+ continue;
+ }
+
+ if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0) {
+ dev_put(dev);
kfree_skb(skb);
}
} else {
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 03/39] usbnet: ipheth: fix connectivity with iOS 14
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 01/39] net/af_iucv: set correct sk_protocol for child sockets Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 02/39] rose: Fix Null pointer dereference in rose_send_frame() Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 04/39] bonding: wait for sysfs kobject destruction before freeing struct slave Greg Kroah-Hartman
` (39 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Matti Vuorela, Yves-Alexis Perez,
Jakub Kicinski
From: Yves-Alexis Perez <corsac@corsac.net>
[ Upstream commit f33d9e2b48a34e1558b67a473a1fc1d6e793f93c ]
Starting with iOS 14 released in September 2020, connectivity using the
personal hotspot USB tethering function of iOS devices is broken.
Communication between the host and the device (for example ICMP traffic
or DNS resolution using the DNS service running in the device itself)
works fine, but communication to endpoints further away doesn't work.
Investigation on the matter shows that no UDP and ICMP traffic from the
tethered host is reaching the Internet at all. For TCP traffic there are
exchanges between tethered host and server but packets are modified in
transit leading to impossible communication.
After some trials Matti Vuorela discovered that reducing the URB buffer
size by two bytes restored the previous behavior. While a better
solution might exist to fix the issue, since the protocol is not
publicly documented and considering the small size of the fix, let's do
that.
Tested-by: Matti Vuorela <matti.vuorela@bitfactor.fi>
Signed-off-by: Yves-Alexis Perez <corsac@corsac.net>
Link: https://lore.kernel.org/linux-usb/CAAn0qaXmysJ9vx3ZEMkViv_B19ju-_ExN8Yn_uSefxpjS6g4Lw@mail.gmail.com/
Link: https://github.com/libimobiledevice/libimobiledevice/issues/1038
Link: https://lore.kernel.org/r/20201119172439.94988-1-corsac@corsac.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/ipheth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/usb/ipheth.c
+++ b/drivers/net/usb/ipheth.c
@@ -70,7 +70,7 @@
#define IPHETH_USBINTF_SUBCLASS 253
#define IPHETH_USBINTF_PROTO 1
-#define IPHETH_BUF_SIZE 1516
+#define IPHETH_BUF_SIZE 1514
#define IPHETH_IP_ALIGN 2 /* padding at front of URB */
#define IPHETH_TX_TIMEOUT (5 * HZ)
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 04/39] bonding: wait for sysfs kobject destruction before freeing struct slave
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 03/39] usbnet: ipheth: fix connectivity with iOS 14 Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 05/39] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal Greg Kroah-Hartman
` (38 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qiushi Wu, Jay Vosburgh,
Veaceslav Falico, Andy Gospodarek, Jamie Iles, Jakub Kicinski
From: Jamie Iles <jamie@nuviainc.com>
[ Upstream commit b9ad3e9f5a7a760ab068e33e1f18d240ba32ce92 ]
syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, releasing a
struct slave device could result in the following splat:
kobject: 'bonding_slave' (00000000cecdd4fe): kobject_release, parent 0000000074ceb2b2 (delayed 1000)
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: timer_list hint: workqueue_select_cpu_near kernel/workqueue.c:1549 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98 kernel/workqueue.c:1600
WARNING: CPU: 1 PID: 842 at lib/debugobjects.c:485 debug_print_object+0x180/0x240 lib/debugobjects.c:485
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 842 Comm: kworker/u4:4 Tainted: G S 5.9.0-rc8+ #96
Hardware name: linux,dummy-virt (DT)
Workqueue: netns cleanup_net
Call trace:
dump_backtrace+0x0/0x4d8 include/linux/bitmap.h:239
show_stack+0x34/0x48 arch/arm64/kernel/traps.c:142
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x174/0x1f8 lib/dump_stack.c:118
panic+0x360/0x7a0 kernel/panic.c:231
__warn+0x244/0x2ec kernel/panic.c:600
report_bug+0x240/0x398 lib/bug.c:198
bug_handler+0x50/0xc0 arch/arm64/kernel/traps.c:974
call_break_hook+0x160/0x1d8 arch/arm64/kernel/debug-monitors.c:322
brk_handler+0x30/0xc0 arch/arm64/kernel/debug-monitors.c:329
do_debug_exception+0x184/0x340 arch/arm64/mm/fault.c:864
el1_dbg+0x48/0xb0 arch/arm64/kernel/entry-common.c:65
el1_sync_handler+0x170/0x1c8 arch/arm64/kernel/entry-common.c:93
el1_sync+0x80/0x100 arch/arm64/kernel/entry.S:594
debug_print_object+0x180/0x240 lib/debugobjects.c:485
__debug_check_no_obj_freed lib/debugobjects.c:967 [inline]
debug_check_no_obj_freed+0x200/0x430 lib/debugobjects.c:998
slab_free_hook mm/slub.c:1536 [inline]
slab_free_freelist_hook+0x190/0x210 mm/slub.c:1577
slab_free mm/slub.c:3138 [inline]
kfree+0x13c/0x460 mm/slub.c:4119
bond_free_slave+0x8c/0xf8 drivers/net/bonding/bond_main.c:1492
__bond_release_one+0xe0c/0xec8 drivers/net/bonding/bond_main.c:2190
bond_slave_netdev_event drivers/net/bonding/bond_main.c:3309 [inline]
bond_netdev_event+0x8f0/0xa70 drivers/net/bonding/bond_main.c:3420
notifier_call_chain+0xf0/0x200 kernel/notifier.c:83
__raw_notifier_call_chain kernel/notifier.c:361 [inline]
raw_notifier_call_chain+0x44/0x58 kernel/notifier.c:368
call_netdevice_notifiers_info+0xbc/0x150 net/core/dev.c:2033
call_netdevice_notifiers_extack net/core/dev.c:2045 [inline]
call_netdevice_notifiers net/core/dev.c:2059 [inline]
rollback_registered_many+0x6a4/0xec0 net/core/dev.c:9347
unregister_netdevice_many.part.0+0x2c/0x1c0 net/core/dev.c:10509
unregister_netdevice_many net/core/dev.c:10508 [inline]
default_device_exit_batch+0x294/0x338 net/core/dev.c:10992
ops_exit_list.isra.0+0xec/0x150 net/core/net_namespace.c:189
cleanup_net+0x44c/0x888 net/core/net_namespace.c:603
process_one_work+0x96c/0x18c0 kernel/workqueue.c:2269
worker_thread+0x3f0/0xc30 kernel/workqueue.c:2415
kthread+0x390/0x498 kernel/kthread.c:292
ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:925
This is a potential use-after-free if the sysfs nodes are being accessed
whilst removing the struct slave, so wait for the object destruction to
complete before freeing the struct slave itself.
Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.")
Fixes: a068aab42258 ("bonding: Fix reference count leak in bond_sysfs_slave_add.")
Cc: Qiushi Wu <wu000273@umn.edu>
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: Jamie Iles <jamie@nuviainc.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20201120142827.879226-1-jamie@nuviainc.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/bonding/bond_main.c | 61 +++++++++++++++++++++++----------
drivers/net/bonding/bond_sysfs_slave.c | 18 ---------
include/net/bonding.h | 8 ++++
3 files changed, 52 insertions(+), 35 deletions(-)
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1225,7 +1225,39 @@ static void bond_upper_dev_unlink(struct
rtmsg_ifinfo(RTM_NEWLINK, slave_dev, IFF_SLAVE, GFP_KERNEL);
}
-static struct slave *bond_alloc_slave(struct bonding *bond)
+static void slave_kobj_release(struct kobject *kobj)
+{
+ struct slave *slave = to_slave(kobj);
+ struct bonding *bond = bond_get_bond_by_slave(slave);
+
+ cancel_delayed_work_sync(&slave->notify_work);
+ if (BOND_MODE(bond) == BOND_MODE_8023AD)
+ kfree(SLAVE_AD_INFO(slave));
+
+ kfree(slave);
+}
+
+static struct kobj_type slave_ktype = {
+ .release = slave_kobj_release,
+#ifdef CONFIG_SYSFS
+ .sysfs_ops = &slave_sysfs_ops,
+#endif
+};
+
+static int bond_kobj_init(struct slave *slave)
+{
+ int err;
+
+ err = kobject_init_and_add(&slave->kobj, &slave_ktype,
+ &(slave->dev->dev.kobj), "bonding_slave");
+ if (err)
+ kobject_put(&slave->kobj);
+
+ return err;
+}
+
+static struct slave *bond_alloc_slave(struct bonding *bond,
+ struct net_device *slave_dev)
{
struct slave *slave = NULL;
@@ -1233,11 +1265,17 @@ static struct slave *bond_alloc_slave(st
if (!slave)
return NULL;
+ slave->bond = bond;
+ slave->dev = slave_dev;
+
+ if (bond_kobj_init(slave))
+ return NULL;
+
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
SLAVE_AD_INFO(slave) = kzalloc(sizeof(struct ad_slave_info),
GFP_KERNEL);
if (!SLAVE_AD_INFO(slave)) {
- kfree(slave);
+ kobject_put(&slave->kobj);
return NULL;
}
}
@@ -1246,17 +1284,6 @@ static struct slave *bond_alloc_slave(st
return slave;
}
-static void bond_free_slave(struct slave *slave)
-{
- struct bonding *bond = bond_get_bond_by_slave(slave);
-
- cancel_delayed_work_sync(&slave->notify_work);
- if (BOND_MODE(bond) == BOND_MODE_8023AD)
- kfree(SLAVE_AD_INFO(slave));
-
- kfree(slave);
-}
-
static void bond_fill_ifbond(struct bonding *bond, struct ifbond *info)
{
info->bond_mode = BOND_MODE(bond);
@@ -1420,14 +1447,12 @@ int bond_enslave(struct net_device *bond
bond->dev->addr_assign_type == NET_ADDR_RANDOM)
bond_set_dev_addr(bond->dev, slave_dev);
- new_slave = bond_alloc_slave(bond);
+ new_slave = bond_alloc_slave(bond, slave_dev);
if (!new_slave) {
res = -ENOMEM;
goto err_undo_flags;
}
- new_slave->bond = bond;
- new_slave->dev = slave_dev;
/* Set the new_slave's queue_id to be zero. Queue ID mapping
* is set via sysfs or module option if desired.
*/
@@ -1741,7 +1766,7 @@ err_restore_mtu:
dev_set_mtu(slave_dev, new_slave->original_mtu);
err_free:
- bond_free_slave(new_slave);
+ kobject_put(&new_slave->kobj);
err_undo_flags:
/* Enslave of first slave has failed and we need to fix master's mac */
@@ -1920,7 +1945,7 @@ static int __bond_release_one(struct net
if (!netif_is_bond_master(slave_dev))
slave_dev->priv_flags &= ~IFF_BONDING;
- bond_free_slave(slave);
+ kobject_put(&slave->kobj);
return 0;
}
--- a/drivers/net/bonding/bond_sysfs_slave.c
+++ b/drivers/net/bonding/bond_sysfs_slave.c
@@ -125,7 +125,6 @@ static const struct slave_attribute *sla
};
#define to_slave_attr(_at) container_of(_at, struct slave_attribute, attr)
-#define to_slave(obj) container_of(obj, struct slave, kobj)
static ssize_t slave_show(struct kobject *kobj,
struct attribute *attr, char *buf)
@@ -136,28 +135,15 @@ static ssize_t slave_show(struct kobject
return slave_attr->show(slave, buf);
}
-static const struct sysfs_ops slave_sysfs_ops = {
+const struct sysfs_ops slave_sysfs_ops = {
.show = slave_show,
};
-static struct kobj_type slave_ktype = {
-#ifdef CONFIG_SYSFS
- .sysfs_ops = &slave_sysfs_ops,
-#endif
-};
-
int bond_sysfs_slave_add(struct slave *slave)
{
const struct slave_attribute **a;
int err;
- err = kobject_init_and_add(&slave->kobj, &slave_ktype,
- &(slave->dev->dev.kobj), "bonding_slave");
- if (err) {
- kobject_put(&slave->kobj);
- return err;
- }
-
for (a = slave_attrs; *a; ++a) {
err = sysfs_create_file(&slave->kobj, &((*a)->attr));
if (err) {
@@ -175,6 +161,4 @@ void bond_sysfs_slave_del(struct slave *
for (a = slave_attrs; *a; ++a)
sysfs_remove_file(&slave->kobj, &((*a)->attr));
-
- kobject_put(&slave->kobj);
}
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -181,6 +181,11 @@ struct slave {
struct rtnl_link_stats64 slave_stats;
};
+static inline struct slave *to_slave(struct kobject *kobj)
+{
+ return container_of(kobj, struct slave, kobj);
+}
+
struct bond_up_slave {
unsigned int count;
struct rcu_head rcu;
@@ -667,6 +672,9 @@ extern struct bond_parm_tbl ad_select_tb
/* exported from bond_netlink.c */
extern struct rtnl_link_ops bond_link_ops;
+/* exported from bond_sysfs_slave.c */
+extern const struct sysfs_ops slave_sysfs_ops;
+
static inline void bond_tx_drop(struct net_device *dev, struct sk_buff *skb)
{
atomic_long_inc(&dev->tx_dropped);
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 05/39] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 04/39] bonding: wait for sysfs kobject destruction before freeing struct slave Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 06/39] net/x25: prevent a couple of overflows Greg Kroah-Hartman
` (37 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Antoine Tenart, Florian Westphal,
Jakub Kicinski
From: Antoine Tenart <atenart@kernel.org>
[ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ]
Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the
hooks as, while it's an expected value for a bridge, routing expects
PACKET_HOST. The change is undone later on after hook traversal. This
can be seen with pairs of functions updating skb>pkt_type and then
reverting it to its original value:
For hook NF_INET_PRE_ROUTING:
setup_pre_routing / br_nf_pre_routing_finish
For hook NF_INET_FORWARD:
br_nf_forward_ip / br_nf_forward_finish
But the third case where netfilter does this, for hook
NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing
but never reverted. A comment says:
/* We assume any code from br_dev_queue_push_xmit onwards doesn't care
* about the value of skb->pkt_type. */
But when having a tunnel (say vxlan) attached to a bridge we have the
following call trace:
br_nf_pre_routing
br_nf_pre_routing_ipv6
br_nf_pre_routing_finish
br_nf_forward_ip
br_nf_forward_finish
br_nf_post_routing <- pkt_type is updated to PACKET_HOST
br_nf_dev_queue_xmit <- but not reverted to its original value
vxlan_xmit
vxlan_xmit_one
skb_tunnel_check_pmtu <- a check on pkt_type is performed
In this specific case, this creates issues such as when an ICMPv6 PTB
should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB
isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST
and returns early).
If the comment is right and no one cares about the value of
skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting
it to its original value should be safe.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Reviewed-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/br_netfilter_hooks.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -711,6 +711,11 @@ static int br_nf_dev_queue_xmit(struct n
mtu_reserved = nf_bridge_mtu_reduction(skb);
mtu = skb->dev->mtu;
+ if (nf_bridge->pkt_otherhost) {
+ skb->pkt_type = PACKET_OTHERHOST;
+ nf_bridge->pkt_otherhost = false;
+ }
+
if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
mtu = nf_bridge->frag_max_size;
@@ -804,8 +809,6 @@ static unsigned int br_nf_post_routing(v
else
return NF_ACCEPT;
- /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
- * about the value of skb->pkt_type. */
if (skb->pkt_type == PACKET_OTHERHOST) {
skb->pkt_type = PACKET_HOST;
nf_bridge->pkt_otherhost = true;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 06/39] net/x25: prevent a couple of overflows
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 05/39] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 07/39] cxgb3: fix error return code in t3_sge_alloc_qset() Greg Kroah-Hartman
` (36 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, kiyin ,
Dan Carpenter, Martin Schiller, Jakub Kicinski
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 6ee50c8e262a0f0693dad264c3c99e30e6442a56 ]
The .x25_addr[] address comes from the user and is not necessarily
NUL terminated. This leads to a couple problems. The first problem is
that the strlen() in x25_bind() can read beyond the end of the buffer.
The second problem is more subtle and could result in memory corruption.
The call tree is:
x25_connect()
--> x25_write_internal()
--> x25_addr_aton()
The .x25_addr[] buffers are copied to the "addresses" buffer from
x25_write_internal() so it will lead to stack corruption.
Verify that the strings are NUL terminated and return -EINVAL if they
are not.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: a9288525d2ae ("X25: Dont let x25_bind use addresses containing characters")
Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Martin Schiller <ms@dev.tdt.de>
Link: https://lore.kernel.org/r/X8ZeAKm8FnFpN//B@mwanda
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/x25/af_x25.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -679,7 +679,8 @@ static int x25_bind(struct socket *sock,
int len, i, rc = 0;
if (addr_len != sizeof(struct sockaddr_x25) ||
- addr->sx25_family != AF_X25) {
+ addr->sx25_family != AF_X25 ||
+ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN) {
rc = -EINVAL;
goto out;
}
@@ -773,7 +774,8 @@ static int x25_connect(struct socket *so
rc = -EINVAL;
if (addr_len != sizeof(struct sockaddr_x25) ||
- addr->sx25_family != AF_X25)
+ addr->sx25_family != AF_X25 ||
+ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN)
goto out;
rc = -ENETUNREACH;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 07/39] cxgb3: fix error return code in t3_sge_alloc_qset()
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 06/39] net/x25: prevent a couple of overflows Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 08/39] net: pasemi: fix error return code in pasemi_mac_open() Greg Kroah-Hartman
` (35 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhang Changzhong,
Raju Rangoju, Jakub Kicinski
From: Zhang Changzhong <zhangchangzhong@huawei.com>
[ Upstream commit ff9924897f8bfed82e61894b373ab9d2dfea5b10 ]
Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.
Fixes: b1fb1f280d09 ("cxgb3 - Fix dma mapping error path")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Acked-by: Raju Rangoju <rajur@chelsio.com>
Link: https://lore.kernel.org/r/1606902965-1646-1-git-send-email-zhangchangzhong@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/chelsio/cxgb3/sge.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/ethernet/chelsio/cxgb3/sge.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/sge.c
@@ -3111,6 +3111,7 @@ int t3_sge_alloc_qset(struct adapter *ad
GFP_KERNEL | __GFP_COMP);
if (!avail) {
CH_ALERT(adapter, "free list queue 0 initialization failed\n");
+ ret = -ENOMEM;
goto err;
}
if (avail < q->fl[0].size)
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 08/39] net: pasemi: fix error return code in pasemi_mac_open()
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 07/39] cxgb3: fix error return code in t3_sge_alloc_qset() Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 09/39] dt-bindings: net: correct interrupt flags in examples Greg Kroah-Hartman
` (34 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhang Changzhong, Jakub Kicinski
From: Zhang Changzhong <zhangchangzhong@huawei.com>
[ Upstream commit aba84871bd4f52c4dfcf3ad5d4501a6c9d2de90e ]
Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.
Fixes: 72b05b9940f0 ("pasemi_mac: RX/TX ring management cleanup")
Fixes: 8d636d8bc5ff ("pasemi_mac: jumbo frame support")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Link: https://lore.kernel.org/r/1606903035-1838-1-git-send-email-zhangchangzhong@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/pasemi/pasemi_mac.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/pasemi/pasemi_mac.c
+++ b/drivers/net/ethernet/pasemi/pasemi_mac.c
@@ -1129,16 +1129,20 @@ static int pasemi_mac_open(struct net_de
mac->tx = pasemi_mac_setup_tx_resources(dev);
- if (!mac->tx)
+ if (!mac->tx) {
+ ret = -ENOMEM;
goto out_tx_ring;
+ }
/* We might already have allocated rings in case mtu was changed
* before interface was brought up.
*/
if (dev->mtu > 1500 && !mac->num_cs) {
pasemi_mac_setup_csrings(mac);
- if (!mac->num_cs)
+ if (!mac->num_cs) {
+ ret = -ENOMEM;
goto out_tx_ring;
+ }
}
/* Zero out rmon counters */
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 09/39] dt-bindings: net: correct interrupt flags in examples
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 08/39] net: pasemi: fix error return code in pasemi_mac_open() Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 10/39] Input: xpad - support Ardwiino Controllers Greg Kroah-Hartman
` (33 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Rob Herring,
Jakub Kicinski, Marc Kleine-Budde
From: Krzysztof Kozlowski <krzk@kernel.org>
[ Upstream commit 4d521943f76bd0d1e68ea5e02df7aadd30b2838a ]
GPIO_ACTIVE_x flags are not correct in the context of interrupt flags.
These are simple defines so they could be used in DTS but they will not
have the same meaning:
1. GPIO_ACTIVE_HIGH = 0 = IRQ_TYPE_NONE
2. GPIO_ACTIVE_LOW = 1 = IRQ_TYPE_EDGE_RISING
Correct the interrupt flags, assuming the author of the code wanted same
logical behavior behind the name "ACTIVE_xxx", this is:
ACTIVE_LOW => IRQ_TYPE_LEVEL_LOW
ACTIVE_HIGH => IRQ_TYPE_LEVEL_HIGH
Fixes: a1a8b4594f8d ("NFC: pn544: i2c: Add DTS Documentation")
Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
Fixes: e3b329221567 ("dt-bindings: can: tcan4x5x: Update binding to use interrupt property")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Rob Herring <robh@kernel.org>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for tcan4x5x.txt
Link: https://lore.kernel.org/r/20201026153620.89268-1-krzk@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/net/nfc/nxp-nci.txt | 2 +-
Documentation/devicetree/bindings/net/nfc/pn544.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt
+++ b/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt
@@ -27,7 +27,7 @@ Example (for ARM-based BeagleBone with N
clock-frequency = <100000>;
interrupt-parent = <&gpio1>;
- interrupts = <29 GPIO_ACTIVE_HIGH>;
+ interrupts = <29 IRQ_TYPE_LEVEL_HIGH>;
enable-gpios = <&gpio0 30 GPIO_ACTIVE_HIGH>;
firmware-gpios = <&gpio0 31 GPIO_ACTIVE_HIGH>;
--- a/Documentation/devicetree/bindings/net/nfc/pn544.txt
+++ b/Documentation/devicetree/bindings/net/nfc/pn544.txt
@@ -27,7 +27,7 @@ Example (for ARM-based BeagleBone with P
clock-frequency = <400000>;
interrupt-parent = <&gpio1>;
- interrupts = <17 GPIO_ACTIVE_HIGH>;
+ interrupts = <17 IRQ_TYPE_LEVEL_HIGH>;
enable-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>;
firmware-gpios = <&gpio3 19 GPIO_ACTIVE_HIGH>;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 10/39] Input: xpad - support Ardwiino Controllers
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 09/39] dt-bindings: net: correct interrupt flags in examples Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 11/39] Input: i8042 - add ByteSpeed touchpad to noloop table Greg Kroah-Hartman
` (32 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sanjay Govind, Dmitry Torokhov
From: Sanjay Govind <sanjay.govind9@gmail.com>
commit 2aab1561439032be2e98811dd0ddbeb5b2ae4c61 upstream.
This commit adds support for Ardwiino Controllers
Signed-off-by: Sanjay Govind <sanjay.govind9@gmail.com>
Link: https://lore.kernel.org/r/20201201071922.131666-1-sanjay.govind9@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/joystick/xpad.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -258,6 +258,7 @@ static const struct xpad_device {
{ 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
{ 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
{ 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 },
+ { 0x1209, 0x2882, "Ardwiino Controller", 0, XTYPE_XBOX360 },
{ 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 },
{ 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 },
{ 0x12ab, 0x0303, "Mortal Kombat Klassic FightStick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 },
@@ -435,6 +436,7 @@ static const struct usb_device_id xpad_t
XPAD_XBOXONE_VENDOR(0x0f0d), /* Hori Controllers */
XPAD_XBOX360_VENDOR(0x1038), /* SteelSeries Controllers */
XPAD_XBOX360_VENDOR(0x11c9), /* Nacon GC100XF */
+ XPAD_XBOX360_VENDOR(0x1209), /* Ardwiino Controllers */
XPAD_XBOX360_VENDOR(0x12ab), /* X-Box 360 dance pads */
XPAD_XBOX360_VENDOR(0x1430), /* RedOctane X-Box 360 controllers */
XPAD_XBOX360_VENDOR(0x146b), /* BigBen Interactive Controllers */
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 11/39] Input: i8042 - add ByteSpeed touchpad to noloop table
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 10/39] Input: xpad - support Ardwiino Controllers Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 12/39] powerpc: Stop exporting __clear_user which is now inlined Greg Kroah-Hartman
` (31 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Po-Hsu Lin, Dmitry Torokhov
From: Po-Hsu Lin <po-hsu.lin@canonical.com>
commit a48491c65b513e5cdc3e7a886a4db915f848a5f5 upstream.
It looks like the C15B laptop got another vendor: ByteSpeed LLC.
Avoid AUX loopback on this touchpad as well, thus input subsystem will
be able to recognize a Synaptics touchpad in the AUX port.
BugLink: https://bugs.launchpad.net/bugs/1906128
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Link: https://lore.kernel.org/r/20201201054723.5939-1-po-hsu.lin@canonical.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-x86ia64io.h | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -223,6 +223,10 @@ static const struct dmi_system_id __init
DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"),
DMI_MATCH(DMI_PRODUCT_NAME, "C15B"),
},
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ByteSpeed LLC"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ByteSpeed Laptop C15B"),
+ },
},
{ }
};
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 12/39] powerpc: Stop exporting __clear_user which is now inlined.
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 11/39] Input: i8042 - add ByteSpeed touchpad to noloop table Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 13/39] btrfs: sysfs: init devices outside of the chunk_mutex Greg Kroah-Hartman
` (30 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Greg Kroah-Hartman, Michal Suchanek, Michael Ellerman
From: Michal Suchanek <msuchanek@suse.de>
Stable commit 452e2a83ea23 ("powerpc: Fix __clear_user() with KUAP
enabled") redefines __clear_user as inline function but does not remove
the export.
Fixes: 452e2a83ea23 ("powerpc: Fix __clear_user() with KUAP enabled")
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/lib/ppc_ksyms.c | 1 -
1 file changed, 1 deletion(-)
--- a/arch/powerpc/lib/ppc_ksyms.c
+++ b/arch/powerpc/lib/ppc_ksyms.c
@@ -24,7 +24,6 @@ EXPORT_SYMBOL(csum_tcpudp_magic);
#endif
EXPORT_SYMBOL(__copy_tofrom_user);
-EXPORT_SYMBOL(__clear_user);
EXPORT_SYMBOL(copy_page);
#ifdef CONFIG_PPC64
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 13/39] btrfs: sysfs: init devices outside of the chunk_mutex
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 12/39] powerpc: Stop exporting __clear_user which is now inlined Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 14/39] vlan: consolidate VLAN parsing code and limit max parsing depth Greg Kroah-Hartman
` (29 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, David Sterba, Josef Bacik,
Sudip Mukherjee, Sasha Levin
From: Josef Bacik <josef@toxicpanda.com>
commit ca10845a56856fff4de3804c85e6424d0f6d0cde upstream
While running btrfs/061, btrfs/073, btrfs/078, or btrfs/178 we hit the
following lockdep splat:
======================================================
WARNING: possible circular locking dependency detected
5.9.0-rc3+ #4 Not tainted
------------------------------------------------------
kswapd0/100 is trying to acquire lock:
ffff96ecc22ef4a0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x3f/0x330
but task is already holding lock:
ffffffff8dd74700 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (fs_reclaim){+.+.}-{0:0}:
fs_reclaim_acquire+0x65/0x80
slab_pre_alloc_hook.constprop.0+0x20/0x200
kmem_cache_alloc+0x37/0x270
alloc_inode+0x82/0xb0
iget_locked+0x10d/0x2c0
kernfs_get_inode+0x1b/0x130
kernfs_get_tree+0x136/0x240
sysfs_get_tree+0x16/0x40
vfs_get_tree+0x28/0xc0
path_mount+0x434/0xc00
__x64_sys_mount+0xe3/0x120
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
-> #2 (kernfs_mutex){+.+.}-{3:3}:
__mutex_lock+0x7e/0x7e0
kernfs_add_one+0x23/0x150
kernfs_create_link+0x63/0xa0
sysfs_do_create_link_sd+0x5e/0xd0
btrfs_sysfs_add_devices_dir+0x81/0x130
btrfs_init_new_device+0x67f/0x1250
btrfs_ioctl+0x1ef/0x2e20
__x64_sys_ioctl+0x83/0xb0
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
-> #1 (&fs_info->chunk_mutex){+.+.}-{3:3}:
__mutex_lock+0x7e/0x7e0
btrfs_chunk_alloc+0x125/0x3a0
find_free_extent+0xdf6/0x1210
btrfs_reserve_extent+0xb3/0x1b0
btrfs_alloc_tree_block+0xb0/0x310
alloc_tree_block_no_bg_flush+0x4a/0x60
__btrfs_cow_block+0x11a/0x530
btrfs_cow_block+0x104/0x220
btrfs_search_slot+0x52e/0x9d0
btrfs_insert_empty_items+0x64/0xb0
btrfs_insert_delayed_items+0x90/0x4f0
btrfs_commit_inode_delayed_items+0x93/0x140
btrfs_log_inode+0x5de/0x2020
btrfs_log_inode_parent+0x429/0xc90
btrfs_log_new_name+0x95/0x9b
btrfs_rename2+0xbb9/0x1800
vfs_rename+0x64f/0x9f0
do_renameat2+0x320/0x4e0
__x64_sys_rename+0x1f/0x30
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
-> #0 (&delayed_node->mutex){+.+.}-{3:3}:
__lock_acquire+0x119c/0x1fc0
lock_acquire+0xa7/0x3d0
__mutex_lock+0x7e/0x7e0
__btrfs_release_delayed_node.part.0+0x3f/0x330
btrfs_evict_inode+0x24c/0x500
evict+0xcf/0x1f0
dispose_list+0x48/0x70
prune_icache_sb+0x44/0x50
super_cache_scan+0x161/0x1e0
do_shrink_slab+0x178/0x3c0
shrink_slab+0x17c/0x290
shrink_node+0x2b2/0x6d0
balance_pgdat+0x30a/0x670
kswapd+0x213/0x4c0
kthread+0x138/0x160
ret_from_fork+0x1f/0x30
other info that might help us debug this:
Chain exists of:
&delayed_node->mutex --> kernfs_mutex --> fs_reclaim
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(fs_reclaim);
lock(kernfs_mutex);
lock(fs_reclaim);
lock(&delayed_node->mutex);
*** DEADLOCK ***
3 locks held by kswapd0/100:
#0: ffffffff8dd74700 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30
#1: ffffffff8dd65c50 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x115/0x290
#2: ffff96ed2ade30e0 (&type->s_umount_key#36){++++}-{3:3}, at: super_cache_scan+0x38/0x1e0
stack backtrace:
CPU: 0 PID: 100 Comm: kswapd0 Not tainted 5.9.0-rc3+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
Call Trace:
dump_stack+0x8b/0xb8
check_noncircular+0x12d/0x150
__lock_acquire+0x119c/0x1fc0
lock_acquire+0xa7/0x3d0
? __btrfs_release_delayed_node.part.0+0x3f/0x330
__mutex_lock+0x7e/0x7e0
? __btrfs_release_delayed_node.part.0+0x3f/0x330
? __btrfs_release_delayed_node.part.0+0x3f/0x330
? lock_acquire+0xa7/0x3d0
? find_held_lock+0x2b/0x80
__btrfs_release_delayed_node.part.0+0x3f/0x330
btrfs_evict_inode+0x24c/0x500
evict+0xcf/0x1f0
dispose_list+0x48/0x70
prune_icache_sb+0x44/0x50
super_cache_scan+0x161/0x1e0
do_shrink_slab+0x178/0x3c0
shrink_slab+0x17c/0x290
shrink_node+0x2b2/0x6d0
balance_pgdat+0x30a/0x670
kswapd+0x213/0x4c0
? _raw_spin_unlock_irqrestore+0x41/0x50
? add_wait_queue_exclusive+0x70/0x70
? balance_pgdat+0x670/0x670
kthread+0x138/0x160
? kthread_create_worker_on_cpu+0x40/0x40
ret_from_fork+0x1f/0x30
This happens because we are holding the chunk_mutex at the time of
adding in a new device. However we only need to hold the
device_list_mutex, as we're going to iterate over the fs_devices
devices. Move the sysfs init stuff outside of the chunk_mutex to get
rid of this lockdep splat.
CC: stable@vger.kernel.org # 4.4.x: f3cd2c58110dad14e: btrfs: sysfs, rename device_link add/remove functions
CC: stable@vger.kernel.org # 4.4.x
Reported-by: David Sterba <dsterba@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[sudip: adjust context]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/volumes.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index cd1e9411f9269..d6383d362e271 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -2357,9 +2357,6 @@ int btrfs_init_new_device(struct btrfs_root *root, char *device_path)
btrfs_set_super_num_devices(root->fs_info->super_copy,
tmp + 1);
- /* add sysfs device entry */
- btrfs_sysfs_add_device_link(root->fs_info->fs_devices, device);
-
/*
* we've got more storage, clear any full flags on the space
* infos
@@ -2367,6 +2364,10 @@ int btrfs_init_new_device(struct btrfs_root *root, char *device_path)
btrfs_clear_space_info_full(root->fs_info);
unlock_chunks(root);
+
+ /* add sysfs device entry */
+ btrfs_sysfs_add_device_link(root->fs_info->fs_devices, device);
+
mutex_unlock(&root->fs_info->fs_devices->device_list_mutex);
if (seeding_dev) {
--
2.27.0
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH 4.4 14/39] vlan: consolidate VLAN parsing code and limit max parsing depth
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 13/39] btrfs: sysfs: init devices outside of the chunk_mutex Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation Greg Kroah-Hartman
` (28 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Toshiaki Makita, Daniel Borkmann,
Toke Høiland-Jørgensen, David S. Miller, Sasha Levin
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 ]
Toshiaki pointed out that we now have two very similar functions to extract
the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
that the unbounded parsing loop makes it possible for maliciously crafted
packets to loop through potentially hundreds of tags.
Fix both of these issues by consolidating the two parsing functions and
limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
switch over __vlan_get_protocol() to use skb_header_pointer() instead of
pskb_may_pull(), to avoid the possible side effects of the latter and keep
the skb pointer 'const' through all the parsing functions.
v2:
- Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)
Reported-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/if_vlan.h | 29 ++++++++++++++++++++++-------
include/net/inet_ecn.h | 1 +
2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index dd676ba758ee7..40429b818b457 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -30,6 +30,8 @@
#define VLAN_ETH_DATA_LEN 1500 /* Max. octets in payload */
#define VLAN_ETH_FRAME_LEN 1518 /* Max. octets in frame sans FCS */
+#define VLAN_MAX_DEPTH 8 /* Max. number of nested VLAN tags parsed */
+
/*
* struct vlan_hdr - vlan header
* @h_vlan_TCI: priority and VLAN ID
@@ -478,10 +480,10 @@ static inline int vlan_get_tag(const struct sk_buff *skb, u16 *vlan_tci)
* Returns the EtherType of the packet, regardless of whether it is
* vlan encapsulated (normal or hardware accelerated) or not.
*/
-static inline __be16 __vlan_get_protocol(struct sk_buff *skb, __be16 type,
+static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
int *depth)
{
- unsigned int vlan_depth = skb->mac_len;
+ unsigned int vlan_depth = skb->mac_len, parse_depth = VLAN_MAX_DEPTH;
/* if type is 802.1Q/AD then the header should already be
* present at mac_len - VLAN_HLEN (if mac_len > 0), or at
@@ -496,13 +498,12 @@ static inline __be16 __vlan_get_protocol(struct sk_buff *skb, __be16 type,
vlan_depth = ETH_HLEN;
}
do {
- struct vlan_hdr *vh;
+ struct vlan_hdr vhdr, *vh;
- if (unlikely(!pskb_may_pull(skb,
- vlan_depth + VLAN_HLEN)))
+ vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr);
+ if (unlikely(!vh || !--parse_depth))
return 0;
- vh = (struct vlan_hdr *)(skb->data + vlan_depth);
type = vh->h_vlan_encapsulated_proto;
vlan_depth += VLAN_HLEN;
} while (type == htons(ETH_P_8021Q) ||
@@ -522,11 +523,25 @@ static inline __be16 __vlan_get_protocol(struct sk_buff *skb, __be16 type,
* Returns the EtherType of the packet, regardless of whether it is
* vlan encapsulated (normal or hardware accelerated) or not.
*/
-static inline __be16 vlan_get_protocol(struct sk_buff *skb)
+static inline __be16 vlan_get_protocol(const struct sk_buff *skb)
{
return __vlan_get_protocol(skb, skb->protocol, NULL);
}
+/* A getter for the SKB protocol field which will handle VLAN tags consistently
+ * whether VLAN acceleration is enabled or not.
+ */
+static inline __be16 skb_protocol(const struct sk_buff *skb, bool skip_vlan)
+{
+ if (!skip_vlan)
+ /* VLAN acceleration strips the VLAN header from the skb and
+ * moves it to skb->vlan_proto
+ */
+ return skb_vlan_tag_present(skb) ? skb->vlan_proto : skb->protocol;
+
+ return vlan_get_protocol(skb);
+}
+
static inline void vlan_set_encap_proto(struct sk_buff *skb,
struct vlan_hdr *vhdr)
{
diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h
index dce2d586d9cec..245d999c0eac8 100644
--- a/include/net/inet_ecn.h
+++ b/include/net/inet_ecn.h
@@ -3,6 +3,7 @@
#include <linux/ip.h>
#include <linux/skbuff.h>
+#include <linux/if_vlan.h>
#include <net/inet_sock.h>
#include <net/dsfield.h>
--
2.27.0
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 14/39] vlan: consolidate VLAN parsing code and limit max parsing depth Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:32 ` Eric Dumazet
2020-12-10 14:26 ` [PATCH 4.4 16/39] usb: gadget: f_fs: Use local copy of descriptors for userspace copy Greg Kroah-Hartman
` (27 subsequent siblings)
42 siblings, 1 reply; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, Jakub Kicinski
From: Eric Dumazet <edumazet@google.com>
IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
IP header is already pulled.
geneve does not ensure this yet.
Fixing this generically in IP_ECN_decapsulate() and
IP6_ECN_decapsulate() is not possible, since callers
pass a pointer that might be freed by pskb_may_pull()
syzbot reported :
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
CPU: 1 PID: 8941 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x21c/0x280 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
__msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
__INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
geneve_rx+0x2103/0x2980 include/net/inet_ecn.h:306
geneve_udp_encap_recv+0x105c/0x1340 drivers/net/geneve.c:377
udp_queue_rcv_one_skb+0x193a/0x1af0 net/ipv4/udp.c:2093
udp_queue_rcv_skb+0x282/0x1050 net/ipv4/udp.c:2167
udp_unicast_rcv_skb net/ipv4/udp.c:2325 [inline]
__udp4_lib_rcv+0x399d/0x5880 net/ipv4/udp.c:2394
udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
dst_input include/net/dst.h:449 [inline]
ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
__netif_receive_skb_one_core net/core/dev.c:5315 [inline]
__netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
process_backlog+0x523/0xc10 net/core/dev.c:6319
napi_poll+0x420/0x1010 net/core/dev.c:6763
net_rx_action+0x35c/0xd40 net/core/dev.c:6833
__do_softirq+0x1a9/0x6fa kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77
do_softirq kernel/softirq.c:343 [inline]
__local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195
local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
__dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167
dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
packet_snd net/packet/af_packet.c:2992 [inline]
packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
__sys_sendto+0x9dc/0xc80 net/socket.c:1992
__do_sys_sendto net/socket.c:2004 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:2000
__x64_sys_sendto+0x6e/0x90 net/socket.c:2000
do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20201201090507.4137906-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
drivers/net/geneve.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index ee38299f9c578..e0384609fb84a 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -231,8 +231,20 @@ static void geneve_rx(struct geneve_sock *gs, struct sk_buff *skb)
/* Ignore packet loops (and multicast echo) */
if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr))
- goto drop;
-
+ goto rx_error;
+
+ switch (skb_protocol(skb, true)) {
+ case htons(ETH_P_IP):
+ if (pskb_may_pull(skb, sizeof(struct iphdr)))
+ goto rx_error;
+ break;
+ case htons(ETH_P_IPV6):
+ if (pskb_may_pull(skb, sizeof(struct ipv6hdr)))
+ goto rx_error;
+ break;
+ default:
+ goto rx_error;
+ }
skb_reset_network_header(skb);
if (iph)
@@ -269,6 +281,8 @@ static void geneve_rx(struct geneve_sock *gs, struct sk_buff *skb)
gro_cells_receive(&geneve->gro_cells, skb);
return;
+rx_error:
+ geneve->dev->stats.rx_errors++;
drop:
/* Consume bad packet */
kfree_skb(skb);
--
2.27.0
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH 4.4 16/39] usb: gadget: f_fs: Use local copy of descriptors for userspace copy
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 17/39] USB: serial: kl5kusb105: fix memleak on open Greg Kroah-Hartman
` (26 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Peter Chen, Vamsi Krishna Samavedam,
Jack Pham
From: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
commit a4b98a7512f18534ce33a7e98e49115af59ffa00 upstream.
The function may be unbound causing the ffs_ep and its descriptors
to be freed while userspace is in the middle of an ioctl requesting
the same descriptors. Avoid dangling pointer reference by first
making a local copy of desctiptors before releasing the spinlock.
Fixes: c559a3534109 ("usb: gadget: f_fs: add ioctl returning ep descriptor")
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20201130203453.28154-1-jackp@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_fs.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1034,7 +1034,7 @@ static long ffs_epfile_ioctl(struct file
case FUNCTIONFS_ENDPOINT_DESC:
{
int desc_idx;
- struct usb_endpoint_descriptor *desc;
+ struct usb_endpoint_descriptor desc1, *desc;
switch (epfile->ffs->gadget->speed) {
case USB_SPEED_SUPER:
@@ -1046,10 +1046,12 @@ static long ffs_epfile_ioctl(struct file
default:
desc_idx = 0;
}
+
desc = epfile->ep->descs[desc_idx];
+ memcpy(&desc1, desc, desc->bLength);
spin_unlock_irq(&epfile->ffs->eps_lock);
- ret = copy_to_user((void *)value, desc, sizeof(*desc));
+ ret = copy_to_user((void *)value, &desc1, desc1.bLength);
if (ret)
ret = -EFAULT;
return ret;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 17/39] USB: serial: kl5kusb105: fix memleak on open
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 16/39] usb: gadget: f_fs: Use local copy of descriptors for userspace copy Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 18/39] USB: serial: ch341: add new Product ID for CH341A Greg Kroah-Hartman
` (25 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold
From: Johan Hovold <johan@kernel.org>
commit 3f203f057edfcf6bd02c6b942799262bfcf31f73 upstream.
Fix memory leak of control-message transfer buffer on successful open().
Fixes: 6774d5f53271 ("USB: serial: kl5kusb105: fix open error path")
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/kl5kusb105.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -293,12 +293,12 @@ static int klsi_105_open(struct tty_str
priv->cfg.unknown2 = cfg->unknown2;
spin_unlock_irqrestore(&priv->lock, flags);
+ kfree(cfg);
+
/* READ_ON and urb submission */
rc = usb_serial_generic_open(tty, port);
- if (rc) {
- retval = rc;
- goto err_free_cfg;
- }
+ if (rc)
+ return rc;
rc = usb_control_msg(port->serial->dev,
usb_sndctrlpipe(port->serial->dev, 0),
@@ -341,8 +341,6 @@ err_disable_read:
KLSI_TIMEOUT);
err_generic_close:
usb_serial_generic_close(port);
-err_free_cfg:
- kfree(cfg);
return retval;
}
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 18/39] USB: serial: ch341: add new Product ID for CH341A
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 17/39] USB: serial: kl5kusb105: fix memleak on open Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 19/39] USB: serial: ch341: sort device-id entries Greg Kroah-Hartman
` (24 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jan-Niklas Burfeind, Johan Hovold
From: Jan-Niklas Burfeind <kernel@aiyionpri.me>
commit 46ee4abb10a07bd8f8ce910ee6b4ae6a947d7f63 upstream.
Add PID for CH340 that's found on a ch341 based Programmer made by keeyees.
The specific device that contains the serial converter is described
here: http://www.keeyees.com/a/Products/ej/36.html
The driver works flawlessly as soon as the new PID (0x5512) is added to
it.
Signed-off-by: Jan-Niklas Burfeind <kernel@aiyionpri.me>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ch341.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -73,6 +73,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x4348, 0x5523) },
{ USB_DEVICE(0x1a86, 0x7522) },
{ USB_DEVICE(0x1a86, 0x7523) },
+ { USB_DEVICE(0x1a86, 0x5512) },
{ USB_DEVICE(0x1a86, 0x5523) },
{ },
};
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 19/39] USB: serial: ch341: sort device-id entries
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 18/39] USB: serial: ch341: add new Product ID for CH341A Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 20/39] USB: serial: option: add Fibocom NL668 variants Greg Kroah-Hartman
` (23 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold
From: Johan Hovold <johan@kernel.org>
commit bf193bfc12dbc3754fc8a6e0e1e3702f1af2f772 upstream.
Keep the device-id entries sorted to make it easier to add new ones in
the right spot.
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ch341.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -70,11 +70,11 @@
static const struct usb_device_id id_table[] = {
- { USB_DEVICE(0x4348, 0x5523) },
- { USB_DEVICE(0x1a86, 0x7522) },
- { USB_DEVICE(0x1a86, 0x7523) },
{ USB_DEVICE(0x1a86, 0x5512) },
{ USB_DEVICE(0x1a86, 0x5523) },
+ { USB_DEVICE(0x1a86, 0x7522) },
+ { USB_DEVICE(0x1a86, 0x7523) },
+ { USB_DEVICE(0x4348, 0x5523) },
{ },
};
MODULE_DEVICE_TABLE(usb, id_table);
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 20/39] USB: serial: option: add Fibocom NL668 variants
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 19/39] USB: serial: ch341: sort device-id entries Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 21/39] USB: serial: option: add support for Thales Cinterion EXS82 Greg Kroah-Hartman
` (22 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vincent Palatin, Johan Hovold
From: Vincent Palatin <vpalatin@chromium.org>
commit 5e4d659b10fde14403adb2e215df4a3168fe8465 upstream.
Update the USB serial option driver support for the Fibocom NL668 Cat.4
LTE modules as there are actually several different variants.
Got clarifications from Fibocom, there are distinct products:
- VID:PID 1508:1001, NL668 for IOT (no MBIM interface)
- VID:PID 2cb7:01a0, NL668-AM and NL652-EU are laptop M.2 cards (with
MBIM interfaces for Windows/Linux/Chrome OS), respectively for Americas
and Europe.
usb-devices output for the laptop M.2 cards:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=2cb7 ProdID=01a0 Rev=03.18
S: Manufacturer=Fibocom Wireless Inc.
S: Product=Fibocom NL652-EU Modem
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2031,12 +2031,13 @@ static const struct usb_device_id option
.driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
{ USB_DEVICE(0x0489, 0xe0b5), /* Foxconn T77W968 ESIM */
.driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
- { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */
.driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
{ USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
.driver_info = RSVD(4) | RSVD(5) },
{ USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
.driver_info = RSVD(6) },
+ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a0, 0xff) }, /* Fibocom NL668-AM/NL652-EU (laptop MBIM) */
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) }, /* GosunCn GM500 ECM/NCM */
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 21/39] USB: serial: option: add support for Thales Cinterion EXS82
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 20/39] USB: serial: option: add Fibocom NL668 variants Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 22/39] tty: Fix ->pgrp locking in tiocspgrp() Greg Kroah-Hartman
` (21 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Giacinto Cifelli, Johan Hovold
From: Giacinto Cifelli <gciofono@gmail.com>
commit 6d6556c04ebaeaf4e7fa8b791c97e2a7c41b38a3 upstream.
There is a single option port in this modem, and it is used as debug port.
lsusb -v for this device:
Bus 001 Device 002: ID 1e2d:006c
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 239 Miscellaneous Device
bDeviceSubClass 2 ?
bDeviceProtocol 1 Interface Association
bMaxPacketSize0 64
idVendor 0x1e2d
idProduct 0x006c
bcdDevice 0.00
iManufacturer 4
iProduct 3
iSerial 5
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 243
bNumInterfaces 7
bConfigurationValue 1
iConfiguration 2
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 1
bInterfaceCount 2
bFunctionClass 2 Communications
bFunctionSubClass 2 Abstract (modem)
bFunctionProtocol 1 AT-commands (v.25ter)
iFunction 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 0
CDC Header:
bcdCDC 1.10
CDC ACM:
bmCapabilities 0x02
line coding and serial state
CDC Call Management:
bmCapabilities 0x03
call management
use DataInterface
bDataInterface 2
CDC Union:
bMasterInterface 1
bSlaveInterface 2
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 5
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 3
bInterfaceCount 2
bFunctionClass 2 Communications
bFunctionSubClass 2 Abstract (modem)
bFunctionProtocol 1 AT-commands (v.25ter)
iFunction 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 3
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 0
CDC Header:
bcdCDC 1.10
CDC ACM:
bmCapabilities 0x02
line coding and serial state
CDC Call Management:
bmCapabilities 0x03
call management
use DataInterface
bDataInterface 4
CDC Union:
bMasterInterface 3
bSlaveInterface 4
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 5
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 4
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 5
bInterfaceCount 2
bFunctionClass 2 Communications
bFunctionSubClass 2 Abstract (modem)
bFunctionProtocol 1 AT-commands (v.25ter)
iFunction 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 5
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 6 Ethernet Networking
bInterfaceProtocol 0
iInterface 0
CDC Header:
bcdCDC 1.10
CDC Ethernet:
iMacAddress 1 (??)
bmEthernetStatistics 0x00000000
wMaxSegmentSize 16384
wNumberMCFilters 0x0001
bNumberPowerFilters 0
CDC Union:
bMasterInterface 5
bSlaveInterface 6
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x86 EP 6 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 5
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 6
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0
iInterface 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 6
bAlternateSetting 1
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x87 EP 7 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Signed-off-by: Giacinto Cifelli <gciofono@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -419,6 +419,7 @@ static void option_instat_callback(struc
#define CINTERION_PRODUCT_PH8 0x0053
#define CINTERION_PRODUCT_AHXX 0x0055
#define CINTERION_PRODUCT_PLXX 0x0060
+#define CINTERION_PRODUCT_EXS82 0x006c
#define CINTERION_PRODUCT_PH8_2RMNET 0x0082
#define CINTERION_PRODUCT_PH8_AUDIO 0x0083
#define CINTERION_PRODUCT_AHXX_2RMNET 0x0084
@@ -1885,6 +1886,7 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) },
{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_CLS8, 0xff),
.driver_info = RSVD(0) | RSVD(4) },
+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EXS82, 0xff) },
{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) },
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 22/39] tty: Fix ->pgrp locking in tiocspgrp()
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 21/39] USB: serial: option: add support for Thales Cinterion EXS82 Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 23/39] ALSA: hda/realtek - Add new codec supported for ALC897 Greg Kroah-Hartman
` (20 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Jann Horn, Jiri Slaby
From: Jann Horn <jannh@google.com>
commit 54ffccbf053b5b6ca4f6e45094b942fab92a25fc upstream.
tiocspgrp() takes two tty_struct pointers: One to the tty that userspace
passed to ioctl() (`tty`) and one to the TTY being changed (`real_tty`).
These pointers are different when ioctl() is called with a master fd.
To properly lock real_tty->pgrp, we must take real_tty->ctrl_lock.
This bug makes it possible for racing ioctl(TIOCSPGRP, ...) calls on
both sides of a PTY pair to corrupt the refcount of `struct pid`,
leading to use-after-free errors.
Fixes: 47f86834bbd4 ("redo locking of tty->pgrp")
CC: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/tty_io.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2618,10 +2618,10 @@ static int tiocspgrp(struct tty_struct *
if (session_of_pgrp(pgrp) != task_session(current))
goto out_unlock;
retval = 0;
- spin_lock_irq(&tty->ctrl_lock);
+ spin_lock_irq(&real_tty->ctrl_lock);
put_pid(real_tty->pgrp);
real_tty->pgrp = get_pid(pgrp);
- spin_unlock_irq(&tty->ctrl_lock);
+ spin_unlock_irq(&real_tty->ctrl_lock);
out_unlock:
rcu_read_unlock();
return retval;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 23/39] ALSA: hda/realtek - Add new codec supported for ALC897
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 22/39] tty: Fix ->pgrp locking in tiocspgrp() Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 24/39] ALSA: hda/generic: Add option to enforce preferred_dacs pairs Greg Kroah-Hartman
` (19 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai
From: Kailang Yang <kailang@realtek.com>
commit e5782a5d5054bf1e03cb7fbd87035037c2a22698 upstream.
Enable new codec supported for ALC897.
Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/3b00520f304842aab8291eb8d9191bd8@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -378,6 +378,7 @@ static void alc_fill_eapd_coef(struct hd
alc_update_coef_idx(codec, 0x7, 1<<5, 0);
break;
case 0x10ec0892:
+ case 0x10ec0897:
alc_update_coef_idx(codec, 0x7, 1<<5, 0);
break;
case 0x10ec0899:
@@ -7342,6 +7343,7 @@ static const struct hda_device_id snd_hd
HDA_CODEC_ENTRY(0x10ec0888, "ALC888", patch_alc882),
HDA_CODEC_ENTRY(0x10ec0889, "ALC889", patch_alc882),
HDA_CODEC_ENTRY(0x10ec0892, "ALC892", patch_alc662),
+ HDA_CODEC_ENTRY(0x10ec0897, "ALC897", patch_alc662),
HDA_CODEC_ENTRY(0x10ec0899, "ALC898", patch_alc882),
HDA_CODEC_ENTRY(0x10ec0900, "ALC1150", patch_alc882),
{} /* terminator */
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 24/39] ALSA: hda/generic: Add option to enforce preferred_dacs pairs
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 23/39] ALSA: hda/realtek - Add new codec supported for ALC897 Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 25/39] tty: Fix ->session locking Greg Kroah-Hartman
` (18 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 242d990c158d5b1dabd166516e21992baef5f26a upstream.
The generic parser accepts the preferred_dacs[] pairs as a hint for
assigning a DAC to each pin, but this hint doesn't work always
effectively. Currently it's merely a secondary choice after the trial
with the path index failed. This made sometimes it difficult to
assign DACs without mimicking the connection list and/or the badness
table.
This patch adds a new flag, obey_preferred_dacs, that changes the
behavior of the parser. As its name stands, the parser obeys the
given preferred_dacs[] pairs by skipping the path index matching and
giving a high penalty if no DAC is assigned by the pairs. This mode
will help for assigning the fixed DACs forcibly from the codec
driver.
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20201127141104.11041-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/hda_generic.c | 12 ++++++++----
sound/pci/hda/hda_generic.h | 1 +
2 files changed, 9 insertions(+), 4 deletions(-)
--- a/sound/pci/hda/hda_generic.c
+++ b/sound/pci/hda/hda_generic.c
@@ -1344,16 +1344,20 @@ static int try_assign_dacs(struct hda_co
struct nid_path *path;
hda_nid_t pin = pins[i];
- path = snd_hda_get_path_from_idx(codec, path_idx[i]);
- if (path) {
- badness += assign_out_path_ctls(codec, path);
- continue;
+ if (!spec->obey_preferred_dacs) {
+ path = snd_hda_get_path_from_idx(codec, path_idx[i]);
+ if (path) {
+ badness += assign_out_path_ctls(codec, path);
+ continue;
+ }
}
dacs[i] = get_preferred_dac(codec, pin);
if (dacs[i]) {
if (is_dac_already_used(codec, dacs[i]))
badness += bad->shared_primary;
+ } else if (spec->obey_preferred_dacs) {
+ badness += BAD_NO_PRIMARY_DAC;
}
if (!dacs[i])
--- a/sound/pci/hda/hda_generic.h
+++ b/sound/pci/hda/hda_generic.h
@@ -229,6 +229,7 @@ struct hda_gen_spec {
unsigned int add_jack_modes:1; /* add i/o jack mode enum ctls */
unsigned int power_down_unused:1; /* power down unused widgets */
unsigned int dac_min_mute:1; /* minimal = mute for DACs */
+ unsigned int obey_preferred_dacs:1; /* obey preferred_dacs assignment */
/* other internal flags */
unsigned int no_analog:1; /* digital I/O only */
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 25/39] tty: Fix ->session locking
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 24/39] ALSA: hda/generic: Add option to enforce preferred_dacs pairs Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 26/39] cifs: fix potential use-after-free in cifs_echo_request() Greg Kroah-Hartman
` (17 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Jann Horn, Jiri Slaby
From: Jann Horn <jannh@google.com>
commit c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9 upstream.
Currently, locking of ->session is very inconsistent; most places
protect it using the legacy tty mutex, but disassociate_ctty(),
__do_SAK(), tiocspgrp() and tiocgsid() don't.
Two of the writers hold the ctrl_lock (because they already need it for
->pgrp), but __proc_set_tty() doesn't do that yet.
On a PREEMPT=y system, an unprivileged user can theoretically abuse
this broken locking to read 4 bytes of freed memory via TIOCGSID if
tiocgsid() is preempted long enough at the right point. (Other things
might also go wrong, especially if root-only ioctls are involved; I'm
not sure about that.)
Change the locking on ->session such that:
- tty_lock() is held by all writers: By making disassociate_ctty()
hold it. This should be fine because the same lock can already be
taken through the call to tty_vhangup_session().
The tricky part is that we need to shorten the area covered by
siglock to be able to take tty_lock() without ugly retry logic; as
far as I can tell, this should be fine, since nothing in the
signal_struct is touched in the `if (tty)` branch.
- ctrl_lock is held by all writers: By changing __proc_set_tty() to
hold the lock a little longer.
- All readers that aren't holding tty_lock() hold ctrl_lock: By
adding locking to tiocgsid() and __do_SAK(), and expanding the area
covered by ctrl_lock in tiocspgrp().
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/tty_io.c | 51 +++++++++++++++++++++++++++++++++++++--------------
include/linux/tty.h | 4 ++++
2 files changed, 41 insertions(+), 14 deletions(-)
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -537,8 +537,8 @@ static void __proc_set_tty(struct tty_st
put_pid(tty->session);
put_pid(tty->pgrp);
tty->pgrp = get_pid(task_pgrp(current));
- spin_unlock_irqrestore(&tty->ctrl_lock, flags);
tty->session = get_pid(task_session(current));
+ spin_unlock_irqrestore(&tty->ctrl_lock, flags);
if (current->signal->tty) {
tty_debug(tty, "current tty %s not NULL!!\n",
current->signal->tty->name);
@@ -929,21 +929,24 @@ void disassociate_ctty(int on_exit)
spin_lock_irq(¤t->sighand->siglock);
put_pid(current->signal->tty_old_pgrp);
current->signal->tty_old_pgrp = NULL;
-
tty = tty_kref_get(current->signal->tty);
+ spin_unlock_irq(¤t->sighand->siglock);
+
if (tty) {
unsigned long flags;
+
+ tty_lock(tty);
spin_lock_irqsave(&tty->ctrl_lock, flags);
put_pid(tty->session);
put_pid(tty->pgrp);
tty->session = NULL;
tty->pgrp = NULL;
spin_unlock_irqrestore(&tty->ctrl_lock, flags);
+ tty_unlock(tty);
tty_kref_put(tty);
} else
tty_debug_hangup(tty, "no current tty\n");
- spin_unlock_irq(¤t->sighand->siglock);
/* Now clear signal->tty under the lock */
read_lock(&tasklist_lock);
session_clear_tty(task_session(current));
@@ -2601,14 +2604,19 @@ static int tiocspgrp(struct tty_struct *
return -ENOTTY;
if (retval)
return retval;
- if (!current->signal->tty ||
- (current->signal->tty != real_tty) ||
- (real_tty->session != task_session(current)))
- return -ENOTTY;
+
if (get_user(pgrp_nr, p))
return -EFAULT;
if (pgrp_nr < 0)
return -EINVAL;
+
+ spin_lock_irq(&real_tty->ctrl_lock);
+ if (!current->signal->tty ||
+ (current->signal->tty != real_tty) ||
+ (real_tty->session != task_session(current))) {
+ retval = -ENOTTY;
+ goto out_unlock_ctrl;
+ }
rcu_read_lock();
pgrp = find_vpid(pgrp_nr);
retval = -ESRCH;
@@ -2618,12 +2626,12 @@ static int tiocspgrp(struct tty_struct *
if (session_of_pgrp(pgrp) != task_session(current))
goto out_unlock;
retval = 0;
- spin_lock_irq(&real_tty->ctrl_lock);
put_pid(real_tty->pgrp);
real_tty->pgrp = get_pid(pgrp);
- spin_unlock_irq(&real_tty->ctrl_lock);
out_unlock:
rcu_read_unlock();
+out_unlock_ctrl:
+ spin_unlock_irq(&real_tty->ctrl_lock);
return retval;
}
@@ -2635,21 +2643,31 @@ out_unlock:
*
* Obtain the session id of the tty. If there is no session
* return an error.
- *
- * Locking: none. Reference to current->signal->tty is safe.
*/
static int tiocgsid(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p)
{
+ unsigned long flags;
+ pid_t sid;
+
/*
* (tty == real_tty) is a cheap way of
* testing if the tty is NOT a master pty.
*/
if (tty == real_tty && current->signal->tty != real_tty)
return -ENOTTY;
+
+ spin_lock_irqsave(&real_tty->ctrl_lock, flags);
if (!real_tty->session)
- return -ENOTTY;
- return put_user(pid_vnr(real_tty->session), p);
+ goto err;
+ sid = pid_vnr(real_tty->session);
+ spin_unlock_irqrestore(&real_tty->ctrl_lock, flags);
+
+ return put_user(sid, p);
+
+err:
+ spin_unlock_irqrestore(&real_tty->ctrl_lock, flags);
+ return -ENOTTY;
}
/**
@@ -3061,10 +3079,14 @@ void __do_SAK(struct tty_struct *tty)
struct task_struct *g, *p;
struct pid *session;
int i;
+ unsigned long flags;
if (!tty)
return;
- session = tty->session;
+
+ spin_lock_irqsave(&tty->ctrl_lock, flags);
+ session = get_pid(tty->session);
+ spin_unlock_irqrestore(&tty->ctrl_lock, flags);
tty_ldisc_flush(tty);
@@ -3100,6 +3122,7 @@ void __do_SAK(struct tty_struct *tty)
task_unlock(p);
} while_each_thread(g, p);
read_unlock(&tasklist_lock);
+ put_pid(session);
#endif
}
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -280,6 +280,10 @@ struct tty_struct {
struct termiox *termiox; /* May be NULL for unsupported */
char name[64];
struct pid *pgrp; /* Protected by ctrl lock */
+ /*
+ * Writes protected by both ctrl lock and legacy mutex, readers must use
+ * at least one of them.
+ */
struct pid *session;
unsigned long flags;
int count;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 26/39] cifs: fix potential use-after-free in cifs_echo_request()
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 25/39] tty: Fix ->session locking Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 27/39] i2c: imx: Fix reset of I2SR_IAL flag Greg Kroah-Hartman
` (16 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE),
Ronnie Sahlberg, Steve French
From: Paulo Alcantara <pc@cjr.nz>
commit 212253367dc7b49ed3fc194ce71b0992eacaecf2 upstream.
This patch fixes a potential use-after-free bug in
cifs_echo_request().
For instance,
thread 1
--------
cifs_demultiplex_thread()
clean_demultiplex_info()
kfree(server)
thread 2 (workqueue)
--------
apic_timer_interrupt()
smp_apic_timer_interrupt()
irq_exit()
__do_softirq()
run_timer_softirq()
call_timer_fn()
cifs_echo_request() <- use-after-free in server ptr
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
CC: Stable <stable@vger.kernel.org>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/connect.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -783,6 +783,8 @@ static void clean_demultiplex_info(struc
list_del_init(&server->tcp_ses_list);
spin_unlock(&cifs_tcp_ses_lock);
+ cancel_delayed_work_sync(&server->echo);
+
spin_lock(&GlobalMid_Lock);
server->tcpStatus = CifsExiting;
spin_unlock(&GlobalMid_Lock);
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 27/39] i2c: imx: Fix reset of I2SR_IAL flag
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 26/39] cifs: fix potential use-after-free in cifs_echo_request() Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 28/39] i2c: imx: Check for I2SR_IAL after every byte Greg Kroah-Hartman
` (15 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christian Eggers,
Uwe Kleine-König, Oleksij Rempel, Wolfram Sang
From: Christian Eggers <ceggers@arri.de>
commit 384a9565f70a876c2e78e58c5ca0bbf0547e4f6d upstream.
According to the "VFxxx Controller Reference Manual" (and the comment
block starting at line 97), Vybrid requires writing a one for clearing
an interrupt flag. Syncing the method for clearing I2SR_IIF in
i2c_imx_isr().
Signed-off-by: Christian Eggers <ceggers@arri.de>
Fixes: 4b775022f6fd ("i2c: imx: add struct to hold more configurable quirks")
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-imx.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -420,6 +420,19 @@ static void i2c_imx_dma_free(struct imx_
/** Functions for IMX I2C adapter driver ***************************************
*******************************************************************************/
+static void i2c_imx_clear_irq(struct imx_i2c_struct *i2c_imx, unsigned int bits)
+{
+ unsigned int temp;
+
+ /*
+ * i2sr_clr_opcode is the value to clear all interrupts. Here we want to
+ * clear only <bits>, so we write ~i2sr_clr_opcode with just <bits>
+ * toggled. This is required because i.MX needs W0C and Vybrid uses W1C.
+ */
+ temp = ~i2c_imx->hwdata->i2sr_clr_opcode ^ bits;
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2SR);
+}
+
static int i2c_imx_bus_busy(struct imx_i2c_struct *i2c_imx, int for_busy)
{
unsigned long orig_jiffies = jiffies;
@@ -432,8 +445,7 @@ static int i2c_imx_bus_busy(struct imx_i
/* check for arbitration lost */
if (temp & I2SR_IAL) {
- temp &= ~I2SR_IAL;
- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2SR);
+ i2c_imx_clear_irq(i2c_imx, I2SR_IAL);
return -EAGAIN;
}
@@ -595,9 +607,7 @@ static irqreturn_t i2c_imx_isr(int irq,
if (temp & I2SR_IIF) {
/* save status register */
i2c_imx->i2csr = temp;
- temp &= ~I2SR_IIF;
- temp |= (i2c_imx->hwdata->i2sr_clr_opcode & I2SR_IIF);
- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2SR);
+ i2c_imx_clear_irq(i2c_imx, I2SR_IIF);
wake_up(&i2c_imx->queue);
return IRQ_HANDLED;
}
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 28/39] i2c: imx: Check for I2SR_IAL after every byte
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 27/39] i2c: imx: Fix reset of I2SR_IAL flag Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 29/39] arm64: assembler: make adr_l work in modules under KASLR Greg Kroah-Hartman
` (14 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christian Eggers,
Krzysztof Kozlowski, Oleksij Rempel, Wolfram Sang
From: Christian Eggers <ceggers@arri.de>
commit 1de67a3dee7a279ebe4d892b359fe3696938ec15 upstream.
Arbitration Lost (IAL) can happen after every single byte transfer. If
arbitration is lost, the I2C hardware will autonomously switch from
master mode to slave. If a transfer is not aborted in this state,
consecutive transfers will not be executed by the hardware and will
timeout.
Signed-off-by: Christian Eggers <ceggers@arri.de>
Tested (not extensively) on Vybrid VF500 (Toradex VF50):
Tested-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-imx.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -472,6 +472,16 @@ static int i2c_imx_trx_complete(struct i
dev_dbg(&i2c_imx->adapter.dev, "<%s> Timeout\n", __func__);
return -ETIMEDOUT;
}
+
+ /* check for arbitration lost */
+ if (i2c_imx->i2csr & I2SR_IAL) {
+ dev_dbg(&i2c_imx->adapter.dev, "<%s> Arbitration lost\n", __func__);
+ i2c_imx_clear_irq(i2c_imx, I2SR_IAL);
+
+ i2c_imx->i2csr = 0;
+ return -EAGAIN;
+ }
+
dev_dbg(&i2c_imx->adapter.dev, "<%s> TRX complete\n", __func__);
i2c_imx->i2csr = 0;
return 0;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 29/39] arm64: assembler: make adr_l work in modules under KASLR
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 28/39] i2c: imx: Check for I2SR_IAL after every byte Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 30/39] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs Greg Kroah-Hartman
` (13 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mark Rutland, Will Deacon,
Ard Biesheuvel, Catalin Marinas, dann frazier
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
commit 41c066f2c4d436c535616fe182331766c57838f0 upstream
When CONFIG_RANDOMIZE_MODULE_REGION_FULL=y, the offset between loaded
modules and the core kernel may exceed 4 GB, putting symbols exported
by the core kernel out of the reach of the ordinary adrp/add instruction
pairs used to generate relative symbol references. So make the adr_l
macro emit a movz/movk sequence instead when executing in module context.
While at it, remove the pointless special case for the stack pointer.
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ dannf: backported to v4.4 by replacing the 3-arg adr_l macro in head.S
with it's output, as this commit drops the 3-arg variant ]
Fixes: c042dd600f4e ("crypto: arm64/sha - avoid non-standard inline asm tricks")
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/assembler.h | 36 +++++++++++++++++++++++++++---------
arch/arm64/kernel/head.S | 3 ++-
2 files changed, 29 insertions(+), 10 deletions(-)
--- a/arch/arm64/include/asm/assembler.h
+++ b/arch/arm64/include/asm/assembler.h
@@ -148,22 +148,25 @@ lr .req x30 // link register
/*
* Pseudo-ops for PC-relative adr/ldr/str <reg>, <symbol> where
- * <symbol> is within the range +/- 4 GB of the PC.
+ * <symbol> is within the range +/- 4 GB of the PC when running
+ * in core kernel context. In module context, a movz/movk sequence
+ * is used, since modules may be loaded far away from the kernel
+ * when KASLR is in effect.
*/
/*
* @dst: destination register (64 bit wide)
* @sym: name of the symbol
- * @tmp: optional scratch register to be used if <dst> == sp, which
- * is not allowed in an adrp instruction
*/
- .macro adr_l, dst, sym, tmp=
- .ifb \tmp
+ .macro adr_l, dst, sym
+#ifndef MODULE
adrp \dst, \sym
add \dst, \dst, :lo12:\sym
- .else
- adrp \tmp, \sym
- add \dst, \tmp, :lo12:\sym
- .endif
+#else
+ movz \dst, #:abs_g3:\sym
+ movk \dst, #:abs_g2_nc:\sym
+ movk \dst, #:abs_g1_nc:\sym
+ movk \dst, #:abs_g0_nc:\sym
+#endif
.endm
/*
@@ -174,6 +177,7 @@ lr .req x30 // link register
* the address
*/
.macro ldr_l, dst, sym, tmp=
+#ifndef MODULE
.ifb \tmp
adrp \dst, \sym
ldr \dst, [\dst, :lo12:\sym]
@@ -181,6 +185,15 @@ lr .req x30 // link register
adrp \tmp, \sym
ldr \dst, [\tmp, :lo12:\sym]
.endif
+#else
+ .ifb \tmp
+ adr_l \dst, \sym
+ ldr \dst, [\dst]
+ .else
+ adr_l \tmp, \sym
+ ldr \dst, [\tmp]
+ .endif
+#endif
.endm
/*
@@ -190,8 +203,13 @@ lr .req x30 // link register
* while <src> needs to be preserved.
*/
.macro str_l, src, sym, tmp
+#ifndef MODULE
adrp \tmp, \sym
str \src, [\tmp, :lo12:\sym]
+#else
+ adr_l \tmp, \sym
+ str \src, [\tmp]
+#endif
.endm
/*
--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -424,7 +424,8 @@ __mmap_switched:
str xzr, [x6], #8 // Clear BSS
b 1b
2:
- adr_l sp, initial_sp, x4
+ adrp x4, initial_sp
+ add sp, x4, :lo12:initial_sp
str_l x21, __fdt_pointer, x5 // Save FDT pointer
str_l x24, memstart_addr, x6 // Save PHYS_OFFSET
mov x29, #0
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 30/39] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 29/39] arm64: assembler: make adr_l work in modules under KASLR Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 31/39] spi: Introduce device-managed SPI controller allocation Greg Kroah-Hartman
` (12 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jerry Snitselaar,
Suravee Suthikulpanit, Will Deacon
From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
commit 4165bf015ba9454f45beaad621d16c516d5c5afe upstream.
According to the AMD IOMMU spec, the commit 73db2fc595f3
("iommu/amd: Increase interrupt remapping table limit to 512 entries")
also requires the interrupt table length (IntTabLen) to be set to 9
(power of 2) in the device table mapping entry (DTE).
Fixes: 73db2fc595f3 ("iommu/amd: Increase interrupt remapping table limit to 512 entries")
Reported-by: Jerry Snitselaar <jsnitsel@redhat.com>
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Link: https://lore.kernel.org/r/20201207091920.3052-1-suravee.suthikulpanit@amd.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd_iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -3625,7 +3625,7 @@ static struct irq_chip amd_ir_chip;
#define DTE_IRQ_PHYS_ADDR_MASK (((1ULL << 45)-1) << 6)
#define DTE_IRQ_REMAP_INTCTL (2ULL << 60)
-#define DTE_IRQ_TABLE_LEN (8ULL << 1)
+#define DTE_IRQ_TABLE_LEN (9ULL << 1)
#define DTE_IRQ_REMAP_ENABLE 1ULL
static void set_dte_irq_entry(u16 devid, struct irq_remap_table *table)
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 31/39] spi: Introduce device-managed SPI controller allocation
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 30/39] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 32/39] spi: bcm2835: Fix use-after-free on unbind Greg Kroah-Hartman
` (11 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Mark Brown
From: Lukas Wunner <lukas@wunner.de>
[ Upstream commit 5e844cc37a5cbaa460e68f9a989d321d63088a89 ]
SPI driver probing currently comprises two steps, whereas removal
comprises only one step:
spi_alloc_master()
spi_register_master()
spi_unregister_master()
That's because spi_unregister_master() calls device_unregister()
instead of device_del(), thereby releasing the reference on the
spi_master which was obtained by spi_alloc_master().
An SPI driver's private data is contained in the same memory allocation
as the spi_master struct. Thus, once spi_unregister_master() has been
called, the private data is inaccessible. But some drivers need to
access it after spi_unregister_master() to perform further teardown
steps.
Introduce devm_spi_alloc_master(), which releases a reference on the
spi_master struct only after the driver has unbound, thereby keeping the
memory allocation accessible. Change spi_unregister_master() to not
release a reference if the spi_master was allocated by the new devm
function.
The present commit is small enough to be backportable to stable.
It allows fixing drivers which use the private data in their ->remove()
hook after it's been freed. It also allows fixing drivers which neglect
to release a reference on the spi_master in the probe error path.
Long-term, most SPI drivers shall be moved over to the devm function
introduced herein. The few that can't shall be changed in a treewide
commit to explicitly release the last reference on the master.
That commit shall amend spi_unregister_master() to no longer release
a reference, thereby completing the migration.
As a result, the behaviour will be less surprising and more consistent
with subsystems such as IIO, which also includes the private data in the
allocation of the generic iio_dev struct, but calls device_del() in
iio_device_unregister().
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: https://lore.kernel.org/r/272bae2ef08abd21388c98e23729886663d19192.1605121038.git.lukas@wunner.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++-
include/linux/spi/spi.h | 2 +
2 files changed, 55 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -1720,6 +1720,46 @@ struct spi_master *spi_alloc_master(stru
}
EXPORT_SYMBOL_GPL(spi_alloc_master);
+static void devm_spi_release_master(struct device *dev, void *master)
+{
+ spi_master_put(*(struct spi_master **)master);
+}
+
+/**
+ * devm_spi_alloc_master - resource-managed spi_alloc_master()
+ * @dev: physical device of SPI master
+ * @size: how much zeroed driver-private data to allocate
+ * Context: can sleep
+ *
+ * Allocate an SPI master and automatically release a reference on it
+ * when @dev is unbound from its driver. Drivers are thus relieved from
+ * having to call spi_master_put().
+ *
+ * The arguments to this function are identical to spi_alloc_master().
+ *
+ * Return: the SPI master structure on success, else NULL.
+ */
+struct spi_master *devm_spi_alloc_master(struct device *dev, unsigned int size)
+{
+ struct spi_master **ptr, *master;
+
+ ptr = devres_alloc(devm_spi_release_master, sizeof(*ptr),
+ GFP_KERNEL);
+ if (!ptr)
+ return NULL;
+
+ master = spi_alloc_master(dev, size);
+ if (master) {
+ *ptr = master;
+ devres_add(dev, ptr);
+ } else {
+ devres_free(ptr);
+ }
+
+ return master;
+}
+EXPORT_SYMBOL_GPL(devm_spi_alloc_master);
+
#ifdef CONFIG_OF
static int of_spi_register_master(struct spi_master *master)
{
@@ -1899,6 +1939,11 @@ int devm_spi_register_master(struct devi
}
EXPORT_SYMBOL_GPL(devm_spi_register_master);
+static int devm_spi_match_master(struct device *dev, void *res, void *master)
+{
+ return *(struct spi_master **)res == master;
+}
+
static int __unregister(struct device *dev, void *null)
{
spi_unregister_device(to_spi_device(dev));
@@ -1928,7 +1973,14 @@ void spi_unregister_master(struct spi_ma
list_del(&master->list);
mutex_unlock(&board_lock);
- device_unregister(&master->dev);
+ device_del(&master->dev);
+
+ /* Release the last reference on the master if its driver
+ * has not yet been converted to devm_spi_alloc_master().
+ */
+ if (!devres_find(master->dev.parent, devm_spi_release_master,
+ devm_spi_match_master, master))
+ put_device(&master->dev);
}
EXPORT_SYMBOL_GPL(spi_unregister_master);
--- a/include/linux/spi/spi.h
+++ b/include/linux/spi/spi.h
@@ -568,6 +568,8 @@ extern void spi_finalize_current_transfe
/* the spi driver core manages memory for the spi_master classdev */
extern struct spi_master *
spi_alloc_master(struct device *host, unsigned size);
+extern struct spi_master *
+devm_spi_alloc_master(struct device *dev, unsigned int size);
extern int spi_register_master(struct spi_master *master);
extern int devm_spi_register_master(struct device *dev,
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 32/39] spi: bcm2835: Fix use-after-free on unbind
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 31/39] spi: Introduce device-managed SPI controller allocation Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 33/39] spi: bcm2835: Release the DMA channel if probe fails after dma_init Greg Kroah-Hartman
` (10 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sascha Hauer, Florian Fainelli,
Lukas Wunner, Vladimir Oltean, Mark Brown
From: Lukas Wunner <lukas@wunner.de>
[ Upstream commit e1483ac030fb4c57734289742f1c1d38dca61e22 ]
bcm2835_spi_remove() accesses the driver's private data after calling
spi_unregister_controller() even though that function releases the last
reference on the spi_controller and thereby frees the private data.
Fix by switching over to the new devm_spi_alloc_master() helper which
keeps the private data accessible until the driver has unbound.
Fixes: f8043872e796 ("spi: add driver for BCM2835")
Reported-by: Sascha Hauer <s.hauer@pengutronix.de>
Reported-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: <stable@vger.kernel.org> # v3.10+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
Cc: <stable@vger.kernel.org> # v3.10+
Cc: Vladimir Oltean <olteanv@gmail.com>
Tested-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/ad66e0a0ad96feb848814842ecf5b6a4539ef35c.1605121038.git.lukas@wunner.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-bcm2835.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
--- a/drivers/spi/spi-bcm2835.c
+++ b/drivers/spi/spi-bcm2835.c
@@ -742,7 +742,7 @@ static int bcm2835_spi_probe(struct plat
struct resource *res;
int err;
- master = spi_alloc_master(&pdev->dev, sizeof(*bs));
+ master = devm_spi_alloc_master(&pdev->dev, sizeof(*bs));
if (!master) {
dev_err(&pdev->dev, "spi_alloc_master() failed\n");
return -ENOMEM;
@@ -764,23 +764,20 @@ static int bcm2835_spi_probe(struct plat
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
bs->regs = devm_ioremap_resource(&pdev->dev, res);
- if (IS_ERR(bs->regs)) {
- err = PTR_ERR(bs->regs);
- goto out_master_put;
- }
+ if (IS_ERR(bs->regs))
+ return PTR_ERR(bs->regs);
bs->clk = devm_clk_get(&pdev->dev, NULL);
if (IS_ERR(bs->clk)) {
err = PTR_ERR(bs->clk);
dev_err(&pdev->dev, "could not get clk: %d\n", err);
- goto out_master_put;
+ return err;
}
bs->irq = platform_get_irq(pdev, 0);
if (bs->irq <= 0) {
dev_err(&pdev->dev, "could not get IRQ: %d\n", bs->irq);
- err = bs->irq ? bs->irq : -ENODEV;
- goto out_master_put;
+ return bs->irq ? bs->irq : -ENODEV;
}
clk_prepare_enable(bs->clk);
@@ -808,8 +805,6 @@ static int bcm2835_spi_probe(struct plat
out_clk_disable:
clk_disable_unprepare(bs->clk);
-out_master_put:
- spi_master_put(master);
return err;
}
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 33/39] spi: bcm2835: Release the DMA channel if probe fails after dma_init
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 32/39] spi: bcm2835: Fix use-after-free on unbind Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 34/39] tracing: Fix userstacktrace option for instances Greg Kroah-Hartman
` (9 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Peter Ujfalusi,
Nicolas Saenz Julienne, Mark Brown, Lukas Wunner
From: Peter Ujfalusi <peter.ujfalusi@ti.com>
[ Upstream commit 666224b43b4bd4612ce3b758c038f9bc5c5e3fcb ]
The DMA channel was not released if either devm_request_irq() or
devm_spi_register_controller() failed.
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Link: https://lore.kernel.org/r/20191212135550.4634-3-peter.ujfalusi@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[lukas: backport to 4.19-stable]
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-bcm2835.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/spi/spi-bcm2835.c
+++ b/drivers/spi/spi-bcm2835.c
@@ -792,18 +792,19 @@ static int bcm2835_spi_probe(struct plat
dev_name(&pdev->dev), master);
if (err) {
dev_err(&pdev->dev, "could not request IRQ: %d\n", err);
- goto out_clk_disable;
+ goto out_dma_release;
}
err = spi_register_master(master);
if (err) {
dev_err(&pdev->dev, "could not register SPI master: %d\n", err);
- goto out_clk_disable;
+ goto out_dma_release;
}
return 0;
-out_clk_disable:
+out_dma_release:
+ bcm2835_dma_release(master);
clk_disable_unprepare(bs->clk);
return err;
}
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 34/39] tracing: Fix userstacktrace option for instances
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 33/39] spi: bcm2835: Release the DMA channel if probe fails after dma_init Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 35/39] btrfs: cleanup cow block on error Greg Kroah-Hartman
` (8 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steven Rostedt (VMware)
From: Steven Rostedt (VMware) <rostedt@goodmis.org>
commit bcee5278958802b40ee8b26679155a6d9231783e upstream.
When the instances were able to use their own options, the userstacktrace
option was left hardcoded for the top level. This made the instance
userstacktrace option bascially into a nop, and will confuse users that set
it, but nothing happens (I was confused when it happened to me!)
Cc: stable@vger.kernel.org
Fixes: 16270145ce6b ("tracing: Add trace options for core options to instances")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 9 +++++----
kernel/trace/trace.h | 6 ++++--
2 files changed, 9 insertions(+), 6 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1706,7 +1706,7 @@ void trace_buffer_unlock_commit(struct t
__buffer_unlock_commit(buffer, event);
ftrace_trace_stack(tr, buffer, flags, 6, pc, NULL);
- ftrace_trace_userstack(buffer, flags, pc);
+ ftrace_trace_userstack(tr, buffer, flags, pc);
}
EXPORT_SYMBOL_GPL(trace_buffer_unlock_commit);
@@ -1768,7 +1768,7 @@ void trace_buffer_unlock_commit_regs(str
* two. They are that meaningful.
*/
ftrace_trace_stack(tr, buffer, flags, regs ? 0 : 4, pc, regs);
- ftrace_trace_userstack(buffer, flags, pc);
+ ftrace_trace_userstack(tr, buffer, flags, pc);
}
EXPORT_SYMBOL_GPL(trace_buffer_unlock_commit_regs);
@@ -1941,14 +1941,15 @@ void trace_dump_stack(int skip)
static DEFINE_PER_CPU(int, user_stack_count);
void
-ftrace_trace_userstack(struct ring_buffer *buffer, unsigned long flags, int pc)
+ftrace_trace_userstack(struct trace_array *tr,
+ struct ring_buffer *buffer, unsigned long flags, int pc)
{
struct trace_event_call *call = &event_user_stack;
struct ring_buffer_event *event;
struct userstack_entry *entry;
struct stack_trace trace;
- if (!(global_trace.trace_flags & TRACE_ITER_USERSTACKTRACE))
+ if (!(tr->trace_flags & TRACE_ITER_USERSTACKTRACE))
return;
/*
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -656,13 +656,15 @@ void update_max_tr_single(struct trace_a
#endif /* CONFIG_TRACER_MAX_TRACE */
#ifdef CONFIG_STACKTRACE
-void ftrace_trace_userstack(struct ring_buffer *buffer, unsigned long flags,
+void ftrace_trace_userstack(struct trace_array *tr,
+ struct ring_buffer *buffer, unsigned long flags,
int pc);
void __trace_stack(struct trace_array *tr, unsigned long flags, int skip,
int pc);
#else
-static inline void ftrace_trace_userstack(struct ring_buffer *buffer,
+static inline void ftrace_trace_userstack(struct trace_array *tr,
+ struct ring_buffer *buffer,
unsigned long flags, int pc)
{
}
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 35/39] btrfs: cleanup cow block on error
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 34/39] tracing: Fix userstacktrace option for instances Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 36/39] mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() Greg Kroah-Hartman
` (7 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Filipe Manana, Josef Bacik,
David Sterba, Sudip Mukherjee
From: Josef Bacik <josef@toxicpanda.com>
commit 572c83acdcdafeb04e70aa46be1fa539310be20c upstream.
In fstest btrfs/064 a transaction abort in __btrfs_cow_block could lead
to a system lockup. It gets stuck trying to write back inodes, and the
write back thread was trying to lock an extent buffer:
$ cat /proc/2143497/stack
[<0>] __btrfs_tree_lock+0x108/0x250
[<0>] lock_extent_buffer_for_io+0x35e/0x3a0
[<0>] btree_write_cache_pages+0x15a/0x3b0
[<0>] do_writepages+0x28/0xb0
[<0>] __writeback_single_inode+0x54/0x5c0
[<0>] writeback_sb_inodes+0x1e8/0x510
[<0>] wb_writeback+0xcc/0x440
[<0>] wb_workfn+0xd7/0x650
[<0>] process_one_work+0x236/0x560
[<0>] worker_thread+0x55/0x3c0
[<0>] kthread+0x13a/0x150
[<0>] ret_from_fork+0x1f/0x30
This is because we got an error while COWing a block, specifically here
if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state)) {
ret = btrfs_reloc_cow_block(trans, root, buf, cow);
if (ret) {
btrfs_abort_transaction(trans, ret);
return ret;
}
}
[16402.241552] BTRFS: Transaction aborted (error -2)
[16402.242362] WARNING: CPU: 1 PID: 2563188 at fs/btrfs/ctree.c:1074 __btrfs_cow_block+0x376/0x540
[16402.249469] CPU: 1 PID: 2563188 Comm: fsstress Not tainted 5.9.0-rc6+ #8
[16402.249936] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
[16402.250525] RIP: 0010:__btrfs_cow_block+0x376/0x540
[16402.252417] RSP: 0018:ffff9cca40e578b0 EFLAGS: 00010282
[16402.252787] RAX: 0000000000000025 RBX: 0000000000000002 RCX: ffff9132bbd19388
[16402.253278] RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9132bbd19380
[16402.254063] RBP: ffff9132b41a49c0 R08: 0000000000000000 R09: 0000000000000000
[16402.254887] R10: 0000000000000000 R11: ffff91324758b080 R12: ffff91326ef17ce0
[16402.255694] R13: ffff91325fc0f000 R14: ffff91326ef176b0 R15: ffff9132815e2000
[16402.256321] FS: 00007f542c6d7b80(0000) GS:ffff9132bbd00000(0000) knlGS:0000000000000000
[16402.256973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[16402.257374] CR2: 00007f127b83f250 CR3: 0000000133480002 CR4: 0000000000370ee0
[16402.257867] Call Trace:
[16402.258072] btrfs_cow_block+0x109/0x230
[16402.258356] btrfs_search_slot+0x530/0x9d0
[16402.258655] btrfs_lookup_file_extent+0x37/0x40
[16402.259155] __btrfs_drop_extents+0x13c/0xd60
[16402.259628] ? btrfs_block_rsv_migrate+0x4f/0xb0
[16402.259949] btrfs_replace_file_extents+0x190/0x820
[16402.260873] btrfs_clone+0x9ae/0xc00
[16402.261139] btrfs_extent_same_range+0x66/0x90
[16402.261771] btrfs_remap_file_range+0x353/0x3b1
[16402.262333] vfs_dedupe_file_range_one.part.0+0xd5/0x140
[16402.262821] vfs_dedupe_file_range+0x189/0x220
[16402.263150] do_vfs_ioctl+0x552/0x700
[16402.263662] __x64_sys_ioctl+0x62/0xb0
[16402.264023] do_syscall_64+0x33/0x40
[16402.264364] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[16402.264862] RIP: 0033:0x7f542c7d15cb
[16402.266901] RSP: 002b:00007ffd35944ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[16402.267627] RAX: ffffffffffffffda RBX: 00000000009d1968 RCX: 00007f542c7d15cb
[16402.268298] RDX: 00000000009d2490 RSI: 00000000c0189436 RDI: 0000000000000003
[16402.268958] RBP: 00000000009d2520 R08: 0000000000000036 R09: 00000000009d2e64
[16402.269726] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[16402.270659] R13: 000000000001f000 R14: 00000000009d1970 R15: 00000000009d2e80
[16402.271498] irq event stamp: 0
[16402.271846] hardirqs last enabled at (0): [<0000000000000000>] 0x0
[16402.272497] hardirqs last disabled at (0): [<ffffffff910dbf59>] copy_process+0x6b9/0x1ba0
[16402.273343] softirqs last enabled at (0): [<ffffffff910dbf59>] copy_process+0x6b9/0x1ba0
[16402.273905] softirqs last disabled at (0): [<0000000000000000>] 0x0
[16402.274338] ---[ end trace 737874a5a41a8236 ]---
[16402.274669] BTRFS: error (device dm-9) in __btrfs_cow_block:1074: errno=-2 No such entry
[16402.276179] BTRFS info (device dm-9): forced readonly
[16402.277046] BTRFS: error (device dm-9) in btrfs_replace_file_extents:2723: errno=-2 No such entry
[16402.278744] BTRFS: error (device dm-9) in __btrfs_cow_block:1074: errno=-2 No such entry
[16402.279968] BTRFS: error (device dm-9) in __btrfs_cow_block:1074: errno=-2 No such entry
[16402.280582] BTRFS info (device dm-9): balance: ended with status: -30
The problem here is that as soon as we allocate the new block it is
locked and marked dirty in the btree inode. This means that we could
attempt to writeback this block and need to lock the extent buffer.
However we're not unlocking it here and thus we deadlock.
Fix this by unlocking the cow block if we have any errors inside of
__btrfs_cow_block, and also free it so we do not leak it.
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[sudip: use old btrfs_abort_transaction()]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ctree.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -1129,6 +1129,8 @@ static noinline int __btrfs_cow_block(st
ret = update_ref_for_cow(trans, root, buf, cow, &last_ref);
if (ret) {
+ btrfs_tree_unlock(cow);
+ free_extent_buffer(cow);
btrfs_abort_transaction(trans, root, ret);
return ret;
}
@@ -1136,6 +1138,8 @@ static noinline int __btrfs_cow_block(st
if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) {
ret = btrfs_reloc_cow_block(trans, root, buf, cow);
if (ret) {
+ btrfs_tree_unlock(cow);
+ free_extent_buffer(cow);
btrfs_abort_transaction(trans, root, ret);
return ret;
}
@@ -1174,6 +1178,8 @@ static noinline int __btrfs_cow_block(st
if (last_ref) {
ret = tree_mod_log_free_eb(root->fs_info, buf);
if (ret) {
+ btrfs_tree_unlock(cow);
+ free_extent_buffer(cow);
btrfs_abort_transaction(trans, root, ret);
return ret;
}
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 36/39] mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault()
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 35/39] btrfs: cleanup cow block on error Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 37/39] gfs2: check for empty rgrp tree in gfs2_ri_update Greg Kroah-Hartman
` (6 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alexander Egorenkov, Gerald Schaefer,
Andrew Morton, Andrea Arcangeli, Heiko Carstens, Linus Torvalds
From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
commit bfe8cc1db02ab243c62780f17fc57f65bde0afe1 upstream.
Alexander reported a syzkaller / KASAN finding on s390, see below for
complete output.
In do_huge_pmd_anonymous_page(), the pre-allocated pagetable will be
freed in some cases. In the case of userfaultfd_missing(), this will
happen after calling handle_userfault(), which might have released the
mmap_lock. Therefore, the following pte_free(vma->vm_mm, pgtable) will
access an unstable vma->vm_mm, which could have been freed or re-used
already.
For all architectures other than s390 this will go w/o any negative
impact, because pte_free() simply frees the page and ignores the
passed-in mm. The implementation for SPARC32 would also access
mm->page_table_lock for pte_free(), but there is no THP support in
SPARC32, so the buggy code path will not be used there.
For s390, the mm->context.pgtable_list is being used to maintain the 2K
pagetable fragments, and operating on an already freed or even re-used
mm could result in various more or less subtle bugs due to list /
pagetable corruption.
Fix this by calling pte_free() before handle_userfault(), similar to how
it is already done in __do_huge_pmd_anonymous_page() for the WRITE /
non-huge_zero_page case.
Commit 6b251fc96cf2c ("userfaultfd: call handle_userfault() for
userfaultfd_missing() faults") actually introduced both, the
do_huge_pmd_anonymous_page() and also __do_huge_pmd_anonymous_page()
changes wrt to calling handle_userfault(), but only in the latter case
it put the pte_free() before calling handle_userfault().
BUG: KASAN: use-after-free in do_huge_pmd_anonymous_page+0xcda/0xd90 mm/huge_memory.c:744
Read of size 8 at addr 00000000962d6988 by task syz-executor.0/9334
CPU: 1 PID: 9334 Comm: syz-executor.0 Not tainted 5.10.0-rc1-syzkaller-07083-g4c9720875573 #0
Hardware name: IBM 3906 M04 701 (KVM/Linux)
Call Trace:
do_huge_pmd_anonymous_page+0xcda/0xd90 mm/huge_memory.c:744
create_huge_pmd mm/memory.c:4256 [inline]
__handle_mm_fault+0xe6e/0x1068 mm/memory.c:4480
handle_mm_fault+0x288/0x748 mm/memory.c:4607
do_exception+0x394/0xae0 arch/s390/mm/fault.c:479
do_dat_exception+0x34/0x80 arch/s390/mm/fault.c:567
pgm_check_handler+0x1da/0x22c arch/s390/kernel/entry.S:706
copy_from_user_mvcos arch/s390/lib/uaccess.c:111 [inline]
raw_copy_from_user+0x3a/0x88 arch/s390/lib/uaccess.c:174
_copy_from_user+0x48/0xa8 lib/usercopy.c:16
copy_from_user include/linux/uaccess.h:192 [inline]
__do_sys_sigaltstack kernel/signal.c:4064 [inline]
__s390x_sys_sigaltstack+0xc8/0x240 kernel/signal.c:4060
system_call+0xe0/0x28c arch/s390/kernel/entry.S:415
Allocated by task 9334:
slab_alloc_node mm/slub.c:2891 [inline]
slab_alloc mm/slub.c:2899 [inline]
kmem_cache_alloc+0x118/0x348 mm/slub.c:2904
vm_area_dup+0x9c/0x2b8 kernel/fork.c:356
__split_vma+0xba/0x560 mm/mmap.c:2742
split_vma+0xca/0x108 mm/mmap.c:2800
mlock_fixup+0x4ae/0x600 mm/mlock.c:550
apply_vma_lock_flags+0x2c6/0x398 mm/mlock.c:619
do_mlock+0x1aa/0x718 mm/mlock.c:711
__do_sys_mlock2 mm/mlock.c:738 [inline]
__s390x_sys_mlock2+0x86/0xa8 mm/mlock.c:728
system_call+0xe0/0x28c arch/s390/kernel/entry.S:415
Freed by task 9333:
slab_free mm/slub.c:3142 [inline]
kmem_cache_free+0x7c/0x4b8 mm/slub.c:3158
__vma_adjust+0x7b2/0x2508 mm/mmap.c:960
vma_merge+0x87e/0xce0 mm/mmap.c:1209
userfaultfd_release+0x412/0x6b8 fs/userfaultfd.c:868
__fput+0x22c/0x7a8 fs/file_table.c:281
task_work_run+0x200/0x320 kernel/task_work.c:151
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
do_notify_resume+0x100/0x148 arch/s390/kernel/signal.c:538
system_call+0xe6/0x28c arch/s390/kernel/entry.S:416
The buggy address belongs to the object at 00000000962d6948 which belongs to the cache vm_area_struct of size 200
The buggy address is located 64 bytes inside of 200-byte region [00000000962d6948, 00000000962d6a10)
The buggy address belongs to the page: page:00000000313a09fe refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x962d6 flags: 0x3ffff00000000200(slab)
raw: 3ffff00000000200 000040000257e080 0000000c0000000c 000000008020ba00
raw: 0000000000000000 000f001e00000000 ffffffff00000001 0000000096959501
page dumped because: kasan: bad access detected
page->mem_cgroup:0000000096959501
Memory state around the buggy address:
00000000962d6880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000000962d6900: 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
>00000000962d6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
00000000962d6a00: fb fb fc fc fc fc fc fc fc fc 00 00 00 00 00 00
00000000962d6a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Changes for v4.4 stable:
- Make it apply w/o
* Commit 4cf58924951ef ("mm: treewide: remove unused address argument
from pte_alloc functions")
* Commit 2b7403035459c ("mm: Change return type int to vm_fault_t for
fault handlers")
* Commit 82b0f8c39a386 ("mm: join struct fault_env and vm_fault")
* Commit bae473a423f65 ("mm: introduce fault_env")
* Commit 6fcb52a56ff60 ("thp: reduce usage of huge zero page's atomic counter")
Fixes: 6b251fc96cf2c ("userfaultfd: call handle_userfault() for userfaultfd_missing() faults")
Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: <stable@vger.kernel.org> [4.3+]
Link: https://lkml.kernel.org/r/20201110190329.11920-1-gerald.schaefer@linux.ibm.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -824,7 +824,6 @@ int do_huge_pmd_anonymous_page(struct mm
spinlock_t *ptl;
pgtable_t pgtable;
struct page *zero_page;
- bool set;
int ret;
pgtable = pte_alloc_one(mm, haddr);
if (unlikely(!pgtable))
@@ -837,10 +836,11 @@ int do_huge_pmd_anonymous_page(struct mm
}
ptl = pmd_lock(mm, pmd);
ret = 0;
- set = false;
if (pmd_none(*pmd)) {
if (userfaultfd_missing(vma)) {
spin_unlock(ptl);
+ pte_free(mm, pgtable);
+ put_huge_zero_page();
ret = handle_userfault(vma, address, flags,
VM_UFFD_MISSING);
VM_BUG_ON(ret & VM_FAULT_FALLBACK);
@@ -849,11 +849,9 @@ int do_huge_pmd_anonymous_page(struct mm
haddr, pmd,
zero_page);
spin_unlock(ptl);
- set = true;
}
- } else
+ } else {
spin_unlock(ptl);
- if (!set) {
pte_free(mm, pgtable);
put_huge_zero_page();
}
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 37/39] gfs2: check for empty rgrp tree in gfs2_ri_update
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 36/39] mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 38/39] Input: i8042 - fix error return code in i8042_setup_aux() Greg Kroah-Hartman
` (5 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+e3f23ce40269a4c9053a,
Bob Peterson, Andreas Gruenbacher
From: Bob Peterson <rpeterso@redhat.com>
commit 778721510e84209f78e31e2ccb296ae36d623f5e upstream.
If gfs2 tries to mount a (corrupt) file system that has no resource
groups it still tries to set preferences on the first one, which causes
a kernel null pointer dereference. This patch adds a check to function
gfs2_ri_update so this condition is detected and reported back as an
error.
Reported-by: syzbot+e3f23ce40269a4c9053a@syzkaller.appspotmail.com
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/gfs2/rgrp.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -1017,6 +1017,10 @@ static int gfs2_ri_update(struct gfs2_in
if (error < 0)
return error;
+ if (RB_EMPTY_ROOT(&sdp->sd_rindex_tree)) {
+ fs_err(sdp, "no resource groups found in the file system.\n");
+ return -ENOENT;
+ }
set_rgrp_preferences(sdp);
sdp->sd_rindex_uptodate = 1;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 38/39] Input: i8042 - fix error return code in i8042_setup_aux()
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 37/39] gfs2: check for empty rgrp tree in gfs2_ri_update Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 39/39] x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes Greg Kroah-Hartman
` (4 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Luo Meng, Hans de Goede,
Dmitry Torokhov
From: Luo Meng <luomeng12@huawei.com>
commit 855b69857830f8d918d715014f05e59a3f7491a0 upstream.
Fix to return a negative error code from the error handling case
instead of 0 in function i8042_setup_aux(), as done elsewhere in this
function.
Fixes: f81134163fc7 ("Input: i8042 - use platform_driver_probe")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20201123133420.4071187-1-luomeng12@huawei.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1456,7 +1456,8 @@ static int __init i8042_setup_aux(void)
if (error)
goto err_free_ports;
- if (aux_enable())
+ error = aux_enable();
+ if (error)
goto err_free_irq;
i8042_aux_irq_registered = true;
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 4.4 39/39] x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 38/39] Input: i8042 - fix error return code in i8042_setup_aux() Greg Kroah-Hartman
@ 2020-12-10 14:26 ` Greg Kroah-Hartman
2020-12-10 20:37 ` [PATCH 4.4 00/39] 4.4.248-rc1 review Pavel Machek
` (3 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:26 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+9b64b619f10f19d19a7c,
Masami Hiramatsu, Borislav Petkov, Srikar Dronamraju,
Sudip Mukherjee
From: Masami Hiramatsu <mhiramat@kernel.org>
commit 4e9a5ae8df5b3365183150f6df49e49dece80d8c upstream
Since insn.prefixes.nbytes can be bigger than the size of
insn.prefixes.bytes[] when a prefix is repeated, the proper check must
be
insn.prefixes.bytes[i] != 0 and i < 4
instead of using insn.prefixes.nbytes.
Introduce a for_each_insn_prefix() macro for this purpose. Debugged by
Kees Cook <keescook@chromium.org>.
[ bp: Massage commit message, sync with the respective header in tools/
and drop "we". ]
Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints")
Reported-by: syzbot+9b64b619f10f19d19a7c@syzkaller.appspotmail.com
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/160697103739.3146288.7437620795200799020.stgit@devnote2
[sudip: adjust context, drop change of insn.h in tools]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/insn.h | 15 +++++++++++++++
arch/x86/kernel/uprobes.c | 10 ++++++----
2 files changed, 21 insertions(+), 4 deletions(-)
--- a/arch/x86/include/asm/insn.h
+++ b/arch/x86/include/asm/insn.h
@@ -198,6 +198,21 @@ static inline int insn_offset_immediate(
return insn_offset_displacement(insn) + insn->displacement.nbytes;
}
+/**
+ * for_each_insn_prefix() -- Iterate prefixes in the instruction
+ * @insn: Pointer to struct insn.
+ * @idx: Index storage.
+ * @prefix: Prefix byte.
+ *
+ * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix
+ * and the index is stored in @idx (note that this @idx is just for a cursor,
+ * do not change it.)
+ * Since prefixes.nbytes can be bigger than 4 if some prefixes
+ * are repeated, it cannot be used for looping over the prefixes.
+ */
+#define for_each_insn_prefix(insn, idx, prefix) \
+ for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++)
+
#define POP_SS_OPCODE 0x1f
#define MOV_SREG_OPCODE 0x8e
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -268,10 +268,11 @@ static volatile u32 good_2byte_insns[256
static bool is_prefix_bad(struct insn *insn)
{
+ insn_byte_t p;
int i;
- for (i = 0; i < insn->prefixes.nbytes; i++) {
- switch (insn->prefixes.bytes[i]) {
+ for_each_insn_prefix(insn, i, p) {
+ switch (p) {
case 0x26: /* INAT_PFX_ES */
case 0x2E: /* INAT_PFX_CS */
case 0x36: /* INAT_PFX_DS */
@@ -711,6 +712,7 @@ static struct uprobe_xol_ops branch_xol_
static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
{
u8 opc1 = OPCODE1(insn);
+ insn_byte_t p;
int i;
switch (opc1) {
@@ -741,8 +743,8 @@ static int branch_setup_xol_ops(struct a
* Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix.
* No one uses these insns, reject any branch insns with such prefix.
*/
- for (i = 0; i < insn->prefixes.nbytes; i++) {
- if (insn->prefixes.bytes[i] == 0x66)
+ for_each_insn_prefix(insn, i, p) {
+ if (p == 0x66)
return -ENOTSUPP;
}
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation
2020-12-10 14:26 ` [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation Greg Kroah-Hartman
@ 2020-12-10 14:32 ` Eric Dumazet
2020-12-10 14:38 ` Greg Kroah-Hartman
0 siblings, 1 reply; 49+ messages in thread
From: Eric Dumazet @ 2020-12-10 14:32 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: LKML, stable, syzbot, Jakub Kicinski
On Thu, Dec 10, 2020 at 3:26 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> From: Eric Dumazet <edumazet@google.com>
>
> IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
> IP header is already pulled.
>
> geneve does not ensure this yet.
>
> Fixing this generically in IP_ECN_decapsulate() and
> IP6_ECN_decapsulate() is not possible, since callers
> pass a pointer that might be freed by pskb_may_pull()
>
> syzbot reported :
>
Note that we had to revert this patch, so you can either scratp this
backport, or make sure to backport the revert.
Thanks !
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation
2020-12-10 14:32 ` Eric Dumazet
@ 2020-12-10 14:38 ` Greg Kroah-Hartman
2020-12-10 14:40 ` Greg Kroah-Hartman
0 siblings, 1 reply; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:38 UTC (permalink / raw)
To: Eric Dumazet; +Cc: LKML, stable, syzbot, Jakub Kicinski
On Thu, Dec 10, 2020 at 03:32:12PM +0100, Eric Dumazet wrote:
> On Thu, Dec 10, 2020 at 3:26 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > From: Eric Dumazet <edumazet@google.com>
> >
> > IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
> > IP header is already pulled.
> >
> > geneve does not ensure this yet.
> >
> > Fixing this generically in IP_ECN_decapsulate() and
> > IP6_ECN_decapsulate() is not possible, since callers
> > pass a pointer that might be freed by pskb_may_pull()
> >
> > syzbot reported :
> >
>
> Note that we had to revert this patch, so you can either scratp this
> backport, or make sure to backport the revert.
I'll drop it thanks. Odd I lost the upstream git id on this patch, let
me check what went wrong...
greg k-h
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation
2020-12-10 14:38 ` Greg Kroah-Hartman
@ 2020-12-10 14:40 ` Greg Kroah-Hartman
2020-12-10 14:53 ` Eric Dumazet
0 siblings, 1 reply; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 14:40 UTC (permalink / raw)
To: Eric Dumazet; +Cc: LKML, stable, syzbot, Jakub Kicinski
On Thu, Dec 10, 2020 at 03:38:44PM +0100, Greg Kroah-Hartman wrote:
> On Thu, Dec 10, 2020 at 03:32:12PM +0100, Eric Dumazet wrote:
> > On Thu, Dec 10, 2020 at 3:26 PM Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > >
> > > From: Eric Dumazet <edumazet@google.com>
> > >
> > > IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
> > > IP header is already pulled.
> > >
> > > geneve does not ensure this yet.
> > >
> > > Fixing this generically in IP_ECN_decapsulate() and
> > > IP6_ECN_decapsulate() is not possible, since callers
> > > pass a pointer that might be freed by pskb_may_pull()
> > >
> > > syzbot reported :
> > >
> >
> > Note that we had to revert this patch, so you can either scratp this
> > backport, or make sure to backport the revert.
>
> I'll drop it thanks. Odd I lost the upstream git id on this patch, let
> me check what went wrong...
What is the git id of the revert? This ended up already in 4.19.y,
5.4.y, and 5.9.y so needs to be reverted there.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation
2020-12-10 14:40 ` Greg Kroah-Hartman
@ 2020-12-10 14:53 ` Eric Dumazet
2020-12-10 15:36 ` Greg Kroah-Hartman
0 siblings, 1 reply; 49+ messages in thread
From: Eric Dumazet @ 2020-12-10 14:53 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: LKML, stable, syzbot, Jakub Kicinski
On Thu, Dec 10, 2020 at 3:40 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Thu, Dec 10, 2020 at 03:38:44PM +0100, Greg Kroah-Hartman wrote:
> > On Thu, Dec 10, 2020 at 03:32:12PM +0100, Eric Dumazet wrote:
> > > On Thu, Dec 10, 2020 at 3:26 PM Greg Kroah-Hartman
> > > <gregkh@linuxfoundation.org> wrote:
> > > >
> > > > From: Eric Dumazet <edumazet@google.com>
> > > >
> > > > IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
> > > > IP header is already pulled.
> > > >
> > > > geneve does not ensure this yet.
> > > >
> > > > Fixing this generically in IP_ECN_decapsulate() and
> > > > IP6_ECN_decapsulate() is not possible, since callers
> > > > pass a pointer that might be freed by pskb_may_pull()
> > > >
> > > > syzbot reported :
> > > >
> > >
> > > Note that we had to revert this patch, so you can either scratp this
> > > backport, or make sure to backport the revert.
> >
> > I'll drop it thanks. Odd I lost the upstream git id on this patch, let
> > me check what went wrong...
>
> What is the git id of the revert? This ended up already in 4.19.y,
> 5.4.y, and 5.9.y so needs to be reverted there.
>
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c02bd115b1d25931159f89c7d9bf47a30f5d4b41
Thanks !
> thanks,
>
> greg k-h
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation
2020-12-10 14:53 ` Eric Dumazet
@ 2020-12-10 15:36 ` Greg Kroah-Hartman
0 siblings, 0 replies; 49+ messages in thread
From: Greg Kroah-Hartman @ 2020-12-10 15:36 UTC (permalink / raw)
To: Eric Dumazet; +Cc: LKML, stable, syzbot, Jakub Kicinski
On Thu, Dec 10, 2020 at 03:53:09PM +0100, Eric Dumazet wrote:
> On Thu, Dec 10, 2020 at 3:40 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Thu, Dec 10, 2020 at 03:38:44PM +0100, Greg Kroah-Hartman wrote:
> > > On Thu, Dec 10, 2020 at 03:32:12PM +0100, Eric Dumazet wrote:
> > > > On Thu, Dec 10, 2020 at 3:26 PM Greg Kroah-Hartman
> > > > <gregkh@linuxfoundation.org> wrote:
> > > > >
> > > > > From: Eric Dumazet <edumazet@google.com>
> > > > >
> > > > > IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
> > > > > IP header is already pulled.
> > > > >
> > > > > geneve does not ensure this yet.
> > > > >
> > > > > Fixing this generically in IP_ECN_decapsulate() and
> > > > > IP6_ECN_decapsulate() is not possible, since callers
> > > > > pass a pointer that might be freed by pskb_may_pull()
> > > > >
> > > > > syzbot reported :
> > > > >
> > > >
> > > > Note that we had to revert this patch, so you can either scratp this
> > > > backport, or make sure to backport the revert.
> > >
> > > I'll drop it thanks. Odd I lost the upstream git id on this patch, let
> > > me check what went wrong...
> >
> > What is the git id of the revert? This ended up already in 4.19.y,
> > 5.4.y, and 5.9.y so needs to be reverted there.
> >
>
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c02bd115b1d25931159f89c7d9bf47a30f5d4b41
Thanks, I'll drop the patch from 4.4, 4.9, and 4.14, and queue up this
revert for the other trees now.
greg k-h
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 00/39] 4.4.248-rc1 review
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2020-12-10 14:26 ` [PATCH 4.4 39/39] x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes Greg Kroah-Hartman
@ 2020-12-10 20:37 ` Pavel Machek
2020-12-10 21:24 ` Shuah Khan
` (2 subsequent siblings)
42 siblings, 0 replies; 49+ messages in thread
From: Pavel Machek @ 2020-12-10 20:37 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage,
pavel, stable
[-- Attachment #1: Type: text/plain, Size: 1009 bytes --]
Hi!
> This is the start of the stable review cycle for the 4.4.248 release.
> There are 39 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 12 Dec 2020 14:25:47 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.248-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
CIP testing did not find any problems here.
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 00/39] 4.4.248-rc1 review
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2020-12-10 20:37 ` [PATCH 4.4 00/39] 4.4.248-rc1 review Pavel Machek
@ 2020-12-10 21:24 ` Shuah Khan
2020-12-11 0:05 ` Guenter Roeck
2020-12-11 12:06 ` Naresh Kamboju
42 siblings, 0 replies; 49+ messages in thread
From: Shuah Khan @ 2020-12-10 21:24 UTC (permalink / raw)
To: Greg Kroah-Hartman, linux-kernel
Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
stable, Shuah Khan
On 12/10/20 7:26 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.248 release.
> There are 39 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 12 Dec 2020 14:25:47 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.248-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 00/39] 4.4.248-rc1 review
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2020-12-10 21:24 ` Shuah Khan
@ 2020-12-11 0:05 ` Guenter Roeck
2020-12-11 12:06 ` Naresh Kamboju
42 siblings, 0 replies; 49+ messages in thread
From: Guenter Roeck @ 2020-12-11 0:05 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel, stable
On Thu, Dec 10, 2020 at 03:26:11PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.248 release.
> There are 39 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 12 Dec 2020 14:25:47 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 165 pass: 165 fail: 0
Qemu test results:
total: 328 pass: 328 fail: 0
Tested-by: Guenter Roeck <linux@roeck-us.net>
Guenter
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 4.4 00/39] 4.4.248-rc1 review
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2020-12-11 0:05 ` Guenter Roeck
@ 2020-12-11 12:06 ` Naresh Kamboju
42 siblings, 0 replies; 49+ messages in thread
From: Naresh Kamboju @ 2020-12-11 12:06 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: open list, Shuah Khan, patches, lkft-triage, linux-stable, pavel,
Andrew Morton, Linus Torvalds, Guenter Roeck
On Thu, 10 Dec 2020 at 19:58, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.4.248 release.
> There are 39 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 12 Dec 2020 14:25:47 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.248-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Summary
------------------------------------------------------------------------
kernel: 4.4.248-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.4.y
git commit: 6564de77497b736985693950cf537add679bfa21
git describe: v4.4.247-39-g6564de77497b
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.4.y/build/v4.4.247-39-g6564de77497b
No regressions (compared to build v4.4.247)
No fixes (compared to build v4.4.247)
Ran 12094 total tests in the following environments and test suites.
Environments
--------------
- arm
- arm64
- i386
- juno-r2 - arm64
- mips
- qemu-arm64-kasan
- qemu-x86_64-kasan
- qemu_arm
- qemu_arm64
- qemu_arm64-compat
- qemu_i386
- qemu_x86_64
- qemu_x86_64-compat
- sparc
- x15 - arm
- x86_64
Test Suites
-----------
* build
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-controllers-tests
* ltp-tracing-tests
* libhugetlbfs
* v4l2-compliance
* install-android-platform-tools-r2600
* network-basic-tests
Summary
------------------------------------------------------------------------
kernel: 4.4.248-rc1
git repo: https://git.linaro.org/lkft/arm64-stable-rc.git
git branch: 4.4.248-rc1-hikey-20201210-875
git commit: 16dc859ce8a7a0d97f1a9f71ecb185b4d5cf574b
git describe: 4.4.248-rc1-hikey-20201210-875
Test details: https://qa-reports.linaro.org/lkft/linaro-hikey-stable-rc-4.4-oe/build/4.4.248-rc1-hikey-20201210-875
No regressions (compared to build 4.4.248-rc1-hikey-20201209-872)
No fixes (compared to build 4.4.248-rc1-hikey-20201209-872)
Ran 433 total tests in the following environments and test suites.
Environments
--------------
- hi6220-hikey - arm64
Test Suites
-----------
* build
* install-android-platform-tools-r2600
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* spectre-meltdown-checker-test
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 49+ messages in thread
end of thread, other threads:[~2020-12-11 12:08 UTC | newest]
Thread overview: 49+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-10 14:26 [PATCH 4.4 00/39] 4.4.248-rc1 review Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 01/39] net/af_iucv: set correct sk_protocol for child sockets Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 02/39] rose: Fix Null pointer dereference in rose_send_frame() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 03/39] usbnet: ipheth: fix connectivity with iOS 14 Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 04/39] bonding: wait for sysfs kobject destruction before freeing struct slave Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 05/39] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 06/39] net/x25: prevent a couple of overflows Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 07/39] cxgb3: fix error return code in t3_sge_alloc_qset() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 08/39] net: pasemi: fix error return code in pasemi_mac_open() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 09/39] dt-bindings: net: correct interrupt flags in examples Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 10/39] Input: xpad - support Ardwiino Controllers Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 11/39] Input: i8042 - add ByteSpeed touchpad to noloop table Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 12/39] powerpc: Stop exporting __clear_user which is now inlined Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 13/39] btrfs: sysfs: init devices outside of the chunk_mutex Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 14/39] vlan: consolidate VLAN parsing code and limit max parsing depth Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 15/39] geneve: pull IP header before ECN decapsulation Greg Kroah-Hartman
2020-12-10 14:32 ` Eric Dumazet
2020-12-10 14:38 ` Greg Kroah-Hartman
2020-12-10 14:40 ` Greg Kroah-Hartman
2020-12-10 14:53 ` Eric Dumazet
2020-12-10 15:36 ` Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 16/39] usb: gadget: f_fs: Use local copy of descriptors for userspace copy Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 17/39] USB: serial: kl5kusb105: fix memleak on open Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 18/39] USB: serial: ch341: add new Product ID for CH341A Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 19/39] USB: serial: ch341: sort device-id entries Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 20/39] USB: serial: option: add Fibocom NL668 variants Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 21/39] USB: serial: option: add support for Thales Cinterion EXS82 Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 22/39] tty: Fix ->pgrp locking in tiocspgrp() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 23/39] ALSA: hda/realtek - Add new codec supported for ALC897 Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 24/39] ALSA: hda/generic: Add option to enforce preferred_dacs pairs Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 25/39] tty: Fix ->session locking Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 26/39] cifs: fix potential use-after-free in cifs_echo_request() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 27/39] i2c: imx: Fix reset of I2SR_IAL flag Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 28/39] i2c: imx: Check for I2SR_IAL after every byte Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 29/39] arm64: assembler: make adr_l work in modules under KASLR Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 30/39] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 31/39] spi: Introduce device-managed SPI controller allocation Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 32/39] spi: bcm2835: Fix use-after-free on unbind Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 33/39] spi: bcm2835: Release the DMA channel if probe fails after dma_init Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 34/39] tracing: Fix userstacktrace option for instances Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 35/39] btrfs: cleanup cow block on error Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 36/39] mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 37/39] gfs2: check for empty rgrp tree in gfs2_ri_update Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 38/39] Input: i8042 - fix error return code in i8042_setup_aux() Greg Kroah-Hartman
2020-12-10 14:26 ` [PATCH 4.4 39/39] x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes Greg Kroah-Hartman
2020-12-10 20:37 ` [PATCH 4.4 00/39] 4.4.248-rc1 review Pavel Machek
2020-12-10 21:24 ` Shuah Khan
2020-12-11 0:05 ` Guenter Roeck
2020-12-11 12:06 ` Naresh Kamboju
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).