- 27 Jul, 2022 11 commits
-
-
Alan Stern authored
The syzbot fuzzer found a race between uevent callbacks and gadget driver unregistration that can cause a use-after-free bug: --------------------------------------------------------------- BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 Read of size 8 at addr ffff888078ce2050 by task udevd/2968 CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 dev_uevent+0x290/0x770 drivers/base/core.c:2424 --------------------------------------------------------------- The bug occurs because usb_udc_uevent() dereferences udc->driver but does so without acquiring the udc_lock mutex, which protects this field. If the gadget driver is unbound from the udc concurrently with uevent processing, the driver structure may be accessed after it has been deallocated. To prevent the race, we make sure that the routine holds the mutex around the racing accesses. Link: <https://lore.kernel.org/all/0000000000004de90405a719c951@google.com> CC: stable@vger.kernel.org # fc274c1e Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.eduSigned-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Weitao Wang authored
Usb core introduce the mechanism of giveback of URB in tasklet context to reduce hardware interrupt handling time. On some test situation(such as FIO with 4KB block size), when tasklet callback function called to giveback URB, interrupt handler add URB node to the bh->head list also. If check bh->head list again after finish all URB giveback of local_list, then it may introduce a "dynamic balance" between giveback URB and add URB to bh->head list. This tasklet callback function may not exit for a long time, which will cause other tasklet function calls to be delayed. Some real-time applications(such as KB and Mouse) will see noticeable lag. In order to prevent the tasklet function from occupying the cpu for a long time at a time, new URBS will not be added to the local_list even though the bh->head list is not empty. But also need to ensure the left URB giveback to be processed in time, so add a member high_prio for structure giveback_urb_bh to prioritize tasklet and schelule this tasklet again if bh->head list is not empty. At the same time, we are able to prioritize tasklet through structure member high_prio. So, replace the local high_prio_bh variable with this structure member in usb_hcd_giveback_urb. Fixes: 94dfd7ed ("USB: HCD: support giveback of URB in tasklet context") Cc: stable <stable@kernel.org> Reviewed-by:
Weitao Wang <WeitaoWang-oc@zhaoxin.com> Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.comSigned-off-by:
-
Alexey Sheplyakov authored
Since commit 4736ebd7 ("usb: host: xhci-plat: omit shared hcd if either root hub has no ports") xhci->shared_hcd can be NULL, which causes the following Oops on reboot: [ 710.124450] systemd-shutdown[1]: Rebooting. [ 710.298861] xhci-hcd xhci-hcd.2.auto: remove, state 4 [ 710.304217] usb usb3: USB disconnect, device number 1 [ 710.317441] xhci-hcd xhci-hcd.2.auto: USB bus 3 deregistered [ 710.323280] xhci-hcd xhci-hcd.2.auto: remove, state 1 [ 710.328401] usb usb2: USB disconnect, device number 1 [ 710.333515] usb 2-3: USB disconnect, device number 2 [ 710.467649] xhci-hcd xhci-hcd.2.auto: USB bus 2 deregistered [ 710.475450] Unable to handle kernel NULL pointer dereference at virtual address 00000000000003b8 [ 710.484425] Mem abort info: [ 710.487265] ESR = 0x0000000096000004 [ 710.491060] EC = 0x25: DABT (current EL), IL = 32 bits [ 710.496427] SET = 0, FnV = 0 [ 710.499525] EA = 0, S1PTW = 0 [ 710.502716] FSC = 0x04: level 0 translation fault [ 710.507648] Data abort info: [ 710.510577] ISV = 0, ISS = 0x00000004 [ 710.514462] CM = 0, WnR = 0 [ 710.517480] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008b0050000 [ 710.523976] [00000000000003b8] pgd=0000000000000000, p4d=0000000000000000 [ 710.530961] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 710.536551] Modules linked in: rfkill input_leds snd_soc_simple_card snd_soc_simple_card_utils snd_soc_nau8822 designware_i2s snd_soc_core dw_hdmi_ahb_audio snd_pcm_dmaengine arm_ccn panfrost ac97_bus gpu_sched snd_pcm at24 fuse configfs sdhci_of_dwcmshc sdhci_pltfm sdhci nvme led_class mmc_core nvme_core bt1_pvt polynomial tp_serio snd_seq_midi snd_seq_midi_event snd_seq snd_timer snd_rawmidi snd_seq_device snd soundcore efivarfs ipv6 [ 710.575286] CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 5.19.0-rc7-00043-gfd8619f4fd54 #1 [ 710.583822] Hardware name: T-Platforms TF307-MB/BM1BM1-A, BIOS 5.6 07/06/2022 [ 710.590972] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 710.597949] pc : usb_remove_hcd+0x34/0x1e4 [ 710.602067] lr : xhci_plat_remove+0x74/0x140 [ 710.606351] sp : ffff800009f3b7c0 [ 710.609674] x29: ffff800009f3b7c0 x28: ffff000800960040 x27: 0000000000000000 [ 710.616833] x26: ffff800008dc22a0 x25: 0000000000000000 x24: 0000000000000000 [ 710.623992] x23: 0000000000000000 x22: ffff000805465810 x21: ffff000805465800 [ 710.631149] x20: ffff000800f80000 x19: 0000000000000000 x18: ffffffffffffffff [ 710.638307] x17: ffff000805096000 x16: ffff00080633b800 x15: ffff000806537a1c [ 710.645465] x14: 0000000000000001 x13: 0000000000000000 x12: ffff00080378d6f0 [ 710.652621] x11: ffff00080041a900 x10: ffff800009b204e8 x9 : ffff8000088abaa4 [ 710.659779] x8 : ffff000800960040 x7 : ffff800009409000 x6 : 0000000000000001 [ 710.666936] x5 : ffff800009241000 x4 : ffff800009241440 x3 : 0000000000000000 [ 710.674094] x2 : ffff000800960040 x1 : ffff000800960040 x0 : 0000000000000000 [ 710.681251] Call trace: [ 710.683704] usb_remove_hcd+0x34/0x1e4 [ 710.687467] xhci_plat_remove+0x74/0x140 [ 710.691400] platform_remove+0x34/0x70 [ 710.695165] device_remove+0x54/0x90 [ 710.698753] device_release_driver_internal+0x200/0x270 [ 710.703992] device_release_driver+0x24/0x30 [ 710.708273] bus_remove_device+0xe0/0x16c [ 710.712293] device_del+0x178/0x390 [ 710.715797] platform_device_del.part.0+0x24/0x90 [ 710.720514] platform_device_unregister+0x30/0x50 [ 710.725232] dwc3_host_exit+0x20/0x30 [ 710.728907] dwc3_remove+0x174/0x1b0 [ 710.732494] platform_remove+0x34/0x70 [ 710.736254] device_remove+0x54/0x90 [ 710.739840] device_release_driver_internal+0x200/0x270 [ 710.745078] device_release_driver+0x24/0x30 [ 710.749359] bus_remove_device+0xe0/0x16c [ 710.753380] device_del+0x178/0x390 [ 710.756881] platform_device_del.part.0+0x24/0x90 [ 710.761598] platform_device_unregister+0x30/0x50 [ 710.766314] of_platform_device_destroy+0xe8/0x100 [ 710.771119] device_for_each_child_reverse+0x70/0xc0 [ 710.776099] of_platform_depopulate+0x48/0x90 [ 710.780468] __dwc3_of_simple_teardown+0x28/0xe0 [ 710.785099] dwc3_of_simple_shutdown+0x20/0x30 [ 710.789555] platform_shutdown+0x30/0x40 [ 710.793490] device_shutdown+0x138/0x32c [ 710.797425] __do_sys_reboot+0x1c4/0x2ac [ 710.801362] __arm64_sys_reboot+0x30/0x40 [ 710.805383] invoke_syscall+0x50/0x120 [ 710.809146] el0_svc_common.constprop.0+0x68/0x124 [ 710.813950] do_el0_svc+0x3c/0xcc [ 710.817275] el0_svc+0x60/0x12c [ 710.820428] el0t_64_sync_handler+0xc0/0x13c [ 710.824710] el0t_64_sync+0x18c/0x190 [ 710.828386] Code: a9025bf5 f942c420 f9001fe0 d2800000 (b943ba62) [ 710.834498] ---[ end trace 0000000000000000 ]--- [ 710.875958] pstore: crypto_comp_compress failed, ret = -22! [ 710.895047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b [ 710.902757] Kernel Offset: disabled [ 710.906255] CPU features: 0x800,00004811,00001082 [ 710.910971] Memory Limit: none [ 710.927474] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]--- To avoid the problem check for NULL in usb_remove_hcd. Fixes: 4736ebd7 ("usb: host: xhci-plat: omit shared hcd if either root hub has no ports") Signed-off-by:
Alexey Sheplyakov <asheplyakov@basealt.ru> Link: https://lore.kernel.org/r/20220722141700.1271439-1-asheplyakov@basealt.ruSigned-off-by:
-
Xin Ji authored
Fix anx7411_register_partner() warn: passing zero to 'PTR_ERR' Fixes: fe6d8a9c ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Signed-off-by:
Xin Ji <xji@analogixsemi.com> Link: https://lore.kernel.org/r/20220722081836.3380885-1-xji@analogixsemi.comSigned-off-by:
-
Yang Yingliang authored
Add mising error return code when failed to get interrupt or failed to register psy. Fixes: fe6d8a9c ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Link: https://lore.kernel.org/r/20220721071201.269344-3-yangyingliang@huawei.comSigned-off-by:
-
Yang Yingliang authored
If i2c_new_dummy_device() fails, it never return NULL pointer, replace NULL test with IS_ERR() to fix it. Fixes: fe6d8a9c ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Signed-off-by:
-
Yang Yingliang authored
It should be 'ctx->typec.amode[i]' passed to PTR_ERR() when typec_partner_register_altmode() failed. Fixes: fe6d8a9c ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Signed-off-by:
-
Dan Carpenter authored
Semi colons and commas are equivalent in this context but semi-colons are better style. Reviewed-by:
Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/YtpD4MKBa43higNc@kiliSigned-off-by:
-
Dan Carpenter authored
This is a minor bug which means that certain error messages are not printed. The devm_gpiod_get_optional() function can return either error pointers or NULL. It returns error pointers if there is an allocation failure, or a similar issue. It returns NULL if no GPIO was assigned to the requested function. Print an error in either case. The gpiod_to_irq() function never returns zero. It either returns a positive IRQ number or a negative error code. Fixes: fe6d8a9c ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Reviewed-by:
-
Dan Carpenter authored
This should be ARRAY_SIZE() instead of sizeof(). ARRAY_SIZE is 4 and sizeof is 8. Fixes: fe6d8a9c ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Reviewed-by:
-
Colin Ian King authored
There is no need to store the result of the & operation back to the variable var. The store is redundant, replace &= with just &. Cleans up clang scan warning: drivers/usb/phy/phy-keystone.c:62:5: warning: Although the value stored to 'val' is used in the enclosing expression, the value is never actually read from 'val' [deadcode.DeadStores] Signed-off-by:
Colin Ian King <colin.i.king@gmail.com> Link: https://lore.kernel.org/r/20220715225657.353828-1-colin.i.king@gmail.comSigned-off-by:
-
- 25 Jul, 2022 9 commits
-
-
Greg Kroah-Hartman authored
Merge tag 'usb-serial-5.20-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next Johan writes: USB-serial updates for 5.20-rc1 Here are the USB-serial updates for 5.20-rc1, including - a fix up of some tty-port initialized comments that had got truncated and obfuscated Included are also various clean ups. All but the final commit have been in linux-next and with no reported issues. * tag 'usb-serial-5.20-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: fix tty-port initialized comments USB: serial: fix repeated word "the" in comments USB: serial: io_edgeport: fix spelling mistakes USB: serial: use kmemdup instead of kmalloc + memcpy
-
Johan Hovold authored
Fix up the tty-port initialized comments which got truncated and obfuscated when replacing the old ASYNCB_INITIALIZED flag. Fixes: d41861ca ("tty: Replace ASYNC_INITIALIZED bit and update atomically") Reviewed-by:
Johan Hovold <johan@kernel.org>
-
Yan Xinyu authored
The usb_wwan_send_setup function generates DTR/RTS signals in compliance with CDC ACM standard. This patch changes magic numbers in this function to equivalent macros. Link: https://lore.kernel.org/r/20220722085040.704885-1-sdlyyxy@bupt.edu.cn [ johan: use the new CDC control-line defines ] Signed-off-by:
Yan Xinyu <sdlyyxy@bupt.edu.cn> Signed-off-by:
-
Johan Hovold authored
Use the new CDC control-line and serial-state defines. Signed-off-by:
-
Johan Hovold authored
This driver has a copy of some of the CDC defines but which are currently unused. Signed-off-by:
-
Johan Hovold authored
Use the new CDC serial-state defines. Signed-off-by:
-
Johan Hovold authored
Use the new CDC control-line defines. Signed-off-by:
-
Johan Hovold authored
Add defines for the serial-state bitmap values from section 6.3.5 SerialState of the CDC specification version 1.1. Note that the bTxCarrier and bRxCarrier bits have been named after their RS-232 signal equivalents DSR and DCD. Signed-off-by:
-
Johan Hovold authored
Add defines for the Control Signal Bitmap Values from section 6.2.14 SetControlLineState of the CDC specification version 1.1. Signed-off-by:
-
- 23 Jul, 2022 1 commit
-
-
Maxim Devaev authored
After merging forced_eject patch, there was a broken margin in the configfs parameters table in the ABI documentation. This patch fixes it. Fixes: 421c8d9a ("usb: gadget: f_mass_storage: forced_eject attribute") Reported-by:
Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
Maxim Devaev <mdevaev@gmail.com> Link: https://lore.kernel.org/r/20220723101432.72178-1-mdevaev@gmail.comSigned-off-by:
-
- 19 Jul, 2022 8 commits
-
-
Greg Kroah-Hartman authored
This reverts commit 28a6ed8e. The chrome platform driver changes need to come in through the platform tree due to some api changes that showed up there that cause build errors in linux-next Reported-by:
-
Greg Kroah-Hartman authored
This reverts commit e5436905. The chrome platform driver changes need to come in through the platform tree due to some api changes that showed up there that cause build errors in linux-next Reported-by:
-
Greg Kroah-Hartman authored
This reverts commit 88a15fbb. The chrome platform driver changes need to come in through the platform tree due to some api changes that showed up there that cause build errors in linux-next Reported-by:
-
Greg Kroah-Hartman authored
This reverts commit 34f375f0. The chrome platform driver changes need to come in through the platform tree due to some api changes that showed up there that cause build errors in linux-next Reported-by:
-
Greg Kroah-Hartman authored
This reverts commit bb53ad95. The chrome platform driver changes need to come in through the platform tree due to some api changes that showed up there that cause build errors in linux-next Reported-by:
-
Greg Kroah-Hartman authored
This reverts commit f5434e30. The chrome platform driver changes need to come in through the platform tree due to some api changes that showed up there that cause build errors in linux-next Reported-by:
-
Greg Kroah-Hartman authored
This reverts commit 66fe238a. The chrome platform driver changes need to come in through the platform tree due to some api changes that showed up there that cause build errors in linux-next Reported-by:
-
Greg Kroah-Hartman authored
This reverts commit c76d09da. The chrome platform driver changes need to come in through the platform tree due to some api changes that showed up there that cause build errors in linux-next Reported-by:
-
- 18 Jul, 2022 2 commits
-
-
Prashant Malani authored
Add the ACPI Kconfig dependency that was missed during the initial driver submission. Fixes the following compiler errors: drivers/platform/chrome/cros_typec_switch.c:93:9: error: call to undeclared function 'acpi_evaluate_integer'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] ret = acpi_evaluate_integer(adev->handle, "_ADR", NULL, &index); drivers/platform/chrome/cros_typec_switch.c:93:35: error: incomplete definition of type 'struct acpi_device' ret = acpi_evaluate_integer(adev->handle, "_ADR", NULL, &index); Fixes: e5436905 ("platform/chrome: cros_typec_switch: Add switch driver") Reported-by:
Reported-by: kernel test robot <lkp@intel.com> Signed-off-by:
Prashant Malani <pmalani@chromium.org> Link: https://lore.kernel.org/r/20220718185551.1025288-1-pmalani@chromium.orgSigned-off-by:
-
Greg Kroah-Hartman authored
We need the USB fixes in here as well. Signed-off-by:
-
- 17 Jul, 2022 9 commits
-
-
Linus Torvalds authored
-
git://anongit.freedesktop.org/drm/drm-intelLinus Torvalds authored
Pull intel drm build fix from Rodrigo Vivi: "Our 'dim' flow has a problem with fixes of fixes getting missed. We need to take a look on that later. Meanwhile, please allow me to quickly propagate this fix for the 32-bit build issue here upstream" * tag 'drm-intel-fixes-2022-07-17' of git://anongit.freedesktop.org/drm/drm-intel: drm/i915/ttm: fix 32b build
-
Linus Torvalds authored
Merge tag 'perf-tools-fixes-for-v5.19-2022-07-17' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux Pull perf tools fixes from Arnaldo Carvalho de Melo: - Fix SIGSEGV when processing syscall args in perf.data files in 'perf trace' - Sync kvm, msr-index and cpufeatures headers with the kernel sources - Fix 'convert perf time to TSC' 'perf test': - No need to open events twice - Fix finding correct event on hybrid systems * tag 'perf-tools-fixes-for-v5.19-2022-07-17' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: perf trace: Fix SIGSEGV when processing syscall args perf tests: Fix Convert perf time to TSC test for hybrid perf tests: Stop Convert perf time to TSC test opening events twice tools arch x86: Sync the msr-index.h copy with the kernel sources tools headers cpufeatures: Sync with the kernel sources tools headers UAPI: Sync linux/kvm.h with the kernel sources
-
Matthew Auld authored
Since segment_pages is no longer a compile time constant, it looks the DIV_ROUND_UP(node->size, segment_pages) breaks the 32b build. Simplest is just to use the ULL variant, but really we should need not need more than u32 for the page alignment (also we are limited by that due to the sg->length type), so also make it all u32. Reported-by:
Ville Syrjälä <ville.syrjala@linux.intel.com> Fixes: aff1e0b0 ("drm/i915/ttm: fix sg_table construction") Signed-off-by:
Matthew Auld <matthew.auld@intel.com> Cc: Nirmoy Das <nirmoy.das@linux.intel.com> Reviewed-by:
Nirmoy Das <nirmoy.das@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20220712174050.592550-1-matthew.auld@intel.com (cherry picked from commit 9306b2b2) Signed-off-by:
Rodrigo Vivi <rodrigo.vivi@intel.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull perf fix from Borislav Petkov: - A single data race fix on the perf event cleanup path to avoid endless loops due to insufficient locking * tag 'perf_urgent_for_v5.19_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull x86 fixes from Borislav Petkov: - Improve the check whether the kernel supports WP mappings so that it can accomodate a XenPV guest due to how the latter is setting up the PAT machinery - Now that the retbleed nightmare is public, here's the first round of fallout fixes: * Fix a build failure on 32-bit due to missing include * Remove an untraining point in espfix64 return path * other small cleanups * tag 'x86_urgent_for_v5.19_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/bugs: Remove apostrophe typo um: Add missing apply_returns() x86/entry: Remove UNTRAIN_RET from native_irq_return_ldt x86/bugs: Mark retbleed_strings static x86/pat: Fix x86_has_pat_wp() x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit -
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linuxLinus Torvalds authored
Pull gpio fix from Bartosz Golaszewski: - fix a configfs attribute of the gpio-sim module * tag 'gpio-fixes-for-v5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: sim: fix the chip_name configfs item
-
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/inputLinus Torvalds authored
Pull input fixes from Dmitry Torokhov: - fix Goodix driver to properly behave on the Aya Neo Next - some more sanity checks in usbtouchscreen driver - a tweak in wm97xx driver in preparation for remove() to return void - a clarification in input core regarding units of measurement for resolution on touch events. * tag 'input-for-v5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: document the units for resolution of size axes Input: goodix - call acpi_device_fix_up_power() in some cases Input: wm97xx - make .remove() obviously always return 0 Input: usbtouchscreen - add driver_info sanity check
-
git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supplyLinus Torvalds authored
Pull power supply fixes from Sebastian Reichel: - power-supply core temperature interpolation regression fix for incorrect boundaries - ab8500 needs to destroy its work queues in error paths - Fix old DT refcount leak in arm-versatile * tag 'for-v5.19-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: power: supply: core: Fix boundary conditions in interpolation power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe power: supply: ab8500_fg: add missing destroy_workqueue in ab8500_fg_probe
-
