11 Jun, 2020: 36 commits
      x86/cpu: Add a steppings field to struct x86_cpu_id · 5f8f4058
      Mark Gross authored
      commit e9d71445 upstream
      
      Intel uses the same family/model for several CPUs. Sometimes the
      stepping must be checked to tell them apart.
      
      On x86 there can be at most 16 steppings. Add a steppings bitmask to
      x86_cpu_id and a X86_MATCH_VENDOR_FAMILY_MODEL_STEPPING_FEATURE macro
      and support for matching against family/model/stepping.
      
       [ bp: Massage.
         tglx: Lightweight variant for backporting ]
      Signed-off-by: Mark Gross <mgross@linux.intel.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Tony Luck <tony.luck@intel.com>
      Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f8f4058
      nvmem: qfprom: remove incorrect write support · 10873fe6
      Srinivas Kandagatla authored
      commit 8d9eb0d6 upstream.
      
      qfprom has different address spaces for read and write. Reads are
      always done from the corrected address space, whereas writes are done
      on the raw address space.
      Writing to the corrected address space is invalid and ignored, so it
      does not make sense to have this support in the driver, which only
      supports corrected address space regions at the moment.
      
      Fixes: 4ab11996 ("nvmem: qfprom: Add Qualcomm QFPROM support.")
      Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Reviewed-by: Douglas Anderson <dianders@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200522113341.7728-1-srinivas.kandagatla@linaro.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      10873fe6
      staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK · ed9a8783
      Pascal Terjan authored
      commit 15ea976a upstream.
      
      The value in shared headers was fixed 9 years ago in commit 8d661f1e
      ("ieee80211: correct IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK macro") and
      while looking at using shared headers for other duplicated constants
      I noticed this driver uses the old value.
      
      The macros are also defined twice in this file so I am deleting the
      second definition.
      Signed-off-by: Pascal Terjan <pterjan@google.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200523211247.23262-1-pterjan@google.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed9a8783
      tty: hvc_console, fix crashes on parallel open/close · 2b37e4f0
      Jiri Slaby authored
      commit 24eb2377 upstream.
      
      hvc_open sets tty->driver_data to NULL when open fails at some point.
      Typically, the failure happens in hp->ops->notifier_add(). If there is
      a racing process which tries to open such mangled tty, which was not
      closed yet, the process will crash in hvc_open as tty->driver_data is
      NULL.
      
      All this happens because close wants to know whether open failed or not.
      But ->open should not NULL this and other tty fields for ->close to be
      happy. ->open should call tty_port_set_initialized(true) and close
      should check by tty_port_initialized() instead. So do this properly in
      this driver.
      
      So this patch removes these from ->open:
      * tty_port_tty_set(&hp->port, NULL). This happens on last close.
      * tty->driver_data = NULL. Ditto.
      * tty_port_put(&hp->port). This happens in shutdown and until now, this
        must have been causing a reference underflow, if I am not missing
        something.
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      Cc: stable <stable@vger.kernel.org>
      Reported-and-tested-by: Raghavendra <rananta@codeaurora.org>
      Link: https://lore.kernel.org/r/20200526145632.13879-1-jslaby@suse.cz
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b37e4f0
      vt: keyboard: avoid signed integer overflow in k_ascii · adf823fa
      Dmitry Torokhov authored
      commit b86dab05 upstream.
      
      When k_ascii is invoked several times in a row there is a potential for
      signed integer overflow:
      
      UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
      10 * 1111111111 cannot be represented in type 'int'
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xce/0x128 lib/dump_stack.c:118
       ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
       handle_overflow+0xdc/0xf0 lib/ubsan.c:184
       __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
       k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
       kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
       kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
      
      While it can be worked around by using check_mul_overflow()/
      check_add_overflow(), it is better to introduce a separate flag to
      signal that number pad is being used to compose a symbol, and
      change type of the accumulator from signed to unsigned, thus
      avoiding undefined behavior when it overflows.
      Reported-by: Kyungtae Kim <kt0755@gmail.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      adf823fa
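An added example, not code from this commit or from the kernel: a reduced model of the numpad compose accumulator that k_ascii() feeds, with the pre-fix signed accumulator (where repeated digit presses eventually overflow) beside the post-fix version that uses a separate active flag and an unsigned accumulator. The names kbd_old, kbd_new, feed_old, feed_new and npadch_flush are invented for the example; the kernel keeps this state in file-scope statics rather than a struct. The old version uses the compiler's overflow builtins to stop at the point where the kernel code would have performed the undefined multiplication.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, reduced model of the numpad compose state that k_ascii() feeds:
 * Alt + numpad digits build a decimal code, AltGr + numpad digits a hex code,
 * and the code is emitted when Alt is released. Illustration, not kernel code. */

/* Before the fix: a signed int, with -1 doubling as "nothing composed yet". */
struct kbd_old { int npadch; };

/* Returns false at the point where the kernel version would evaluate
 * npadch * base + value with a signed overflow (undefined behaviour, which is
 * what UBSAN flagged). The builtins detect the overflow instead of doing it. */
static bool k_ascii_old(struct kbd_old *kb, unsigned char value, bool up_flag)
{
    int base, tmp;

    if (up_flag)
        return true;                 /* key release: nothing to do */
    if (value < 10) {
        base = 10;                   /* Alt + numpad: decimal digit */
    } else {
        value -= 10;
        base = 16;                   /* AltGr + numpad: hex digit */
    }
    if (kb->npadch == -1) {
        kb->npadch = value;
        return true;
    }
    if (__builtin_mul_overflow(kb->npadch, base, &tmp) ||
        __builtin_add_overflow(tmp, (int)value, &tmp))
        return false;                /* the kernel code had no such check */
    kb->npadch = tmp;
    return true;
}

/* After the fix: an explicit "active" flag and an unsigned accumulator. */
struct kbd_new { unsigned int npadch_value; bool npadch_active; };

static void k_ascii_new(struct kbd_new *kb, unsigned char value, bool up_flag)
{
    unsigned int base;

    if (up_flag)
        return;
    if (value < 10) {
        base = 10;
    } else {
        value -= 10;
        base = 16;
    }
    if (!kb->npadch_active) {
        kb->npadch_value = 0;
        kb->npadch_active = true;
    }
    /* Unsigned arithmetic wraps modulo 2^32: well defined, never UB. */
    kb->npadch_value = kb->npadch_value * base + value;
}

/* Consumer side: on Alt release, hand out the code and reset the state. */
static bool npadch_flush(struct kbd_new *kb, unsigned int *out)
{
    if (!kb->npadch_active)
        return false;
    *out = kb->npadch_value;
    kb->npadch_active = false;
    return true;
}

/* Press and release numpad key `value` n times against the old code.
 * Returns false if the sequence would have overflowed. */
bool feed_old(int n, unsigned char value, int *result)
{
    struct kbd_old kb = { .npadch = -1 };

    for (int i = 0; i < n; i++) {
        if (!k_ascii_old(&kb, value, false))
            return false;
        k_ascii_old(&kb, value, true);
    }
    *result = kb.npadch;
    return true;
}

/* The same key sequence against the fixed code, then flush as on Alt release. */
unsigned int feed_new(int n, unsigned char value)
{
    struct kbd_new kb = { 0 };
    unsigned int code = 0;

    for (int i = 0; i < n; i++) {
        k_ascii_new(&kb, value, false);
        k_ascii_new(&kb, value, true);
    }
    npadch_flush(&kb, &code);
    return code;
}

int main(void)
{
    int old = 0;
    bool ok = feed_old(11, 1, &old);  /* the 11th '1' is where 10 * 1111111111 overflows */

    printf("old: %s, new: %u\n", ok ? "ok" : "overflow", feed_new(11, 1));
    return 0;
}
```

Ten presses of numpad 1 leave the old accumulator at 1111111111; the eleventh is the `10 * 1111111111` multiplication in the UBSAN report above, and feed_old() returns false there. The fixed code carries the same sequence through as 2521176519, the product wrapped modulo 2^32, which is not a useful code point but is defined behaviour. The separate flag also removes a second weakness of the -1 sentinel: any wrapped value that happened to land on -1 would have silently reset the state.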
      usb: musb: Fix runtime PM imbalance on error · 74d904c1
      Dinghao Liu authored
      commit e4befc12 upstream.
      
      When copy_from_user() returns an error code, there
      is a runtime PM usage counter imbalance.
      
      Fix this by moving copy_from_user() to the beginning
      of this function.
      
      Fixes: 7b6c1b4c ("usb: musb: fix runtime PM in debugfs")
      Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
      Cc: stable@vger.kernel.org
      Signed-off-by: Bin Liu <b-liu@ti.com>
      Link: https://lore.kernel.org/r/20200525025049.3400-7-b-liu@ti.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      74d904c1
      USB: serial: option: add Telit LE910C1-EUX compositions · a75aba90
      Daniele Palmas authored
      commit 399ad947 upstream.
      
      Add Telit LE910C1-EUX compositions:
      
      	0x1031: tty, tty, tty, rmnet
      	0x1033: tty, tty, tty, ecm
      Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
      Link: https://lore.kernel.org/r/20200525211106.27338-1-dnlplm@gmail.com
      Cc: stable@vger.kernel.org
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      a75aba90
      USB: serial: usb_wwan: do not resubmit rx urb on fatal errors · 337741cd
      Bin Liu authored
      commit 986c1748 upstream.
      
      usb_wwan_indat_callback() shouldn't resubmit the rx urb if the previous urb
      status is a fatal error. Otherwise the usb controller would keep processing the
      new urbs, then run into an interrupt storm and have no chance to recover.
      
      Fixes: 6c1ee66a ("USB-Serial: Fix error handling of usb_wwan")
      Cc: stable@vger.kernel.org
      Signed-off-by: Bin Liu <b-liu@ti.com>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      337741cd
      USB: serial: qcserial: add DW5816e QDL support · 3a080869
      Matt Jolly authored
      commit 3429444a upstream.
      
      Add support for Dell Wireless 5816e Download Mode (AKA boot & hold mode /
      QDL download mode) to drivers/usb/serial/qcserial.c
      
      This is required to update device firmware.
      Signed-off-by: Matt Jolly <Kangie@footclan.ninja>
      Cc: stable@vger.kernel.org
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a080869
      l2tp: add sk_family checks to l2tp_validate_socket · eeced742
      Eric Dumazet authored
      [ Upstream commit d9a81a22 ]
      
      syzbot was able to trigger a crash after using an ISDN socket
      and fool l2tp.
      
      Fix this by making sure the UDP socket is of the proper family.
      
      BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
      Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018
      
      CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x188/0x20d lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
       __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
       kasan_report+0x33/0x50 mm/kasan/common.c:625
       setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
       l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523
       l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249
       genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
       genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
       genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735
       netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
       genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
       netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
       netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
       netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:672
       ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352
       ___sys_sendmsg+0x100/0x170 net/socket.c:2406
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
       do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      RIP: 0033:0x45ca29
      Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29
      RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
      RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4
      
      Allocated by task 3018:
       save_stack+0x1b/0x40 mm/kasan/common.c:49
       set_track mm/kasan/common.c:57 [inline]
       __kasan_kmalloc mm/kasan/common.c:495 [inline]
       __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
       __do_kmalloc mm/slab.c:3656 [inline]
       __kmalloc+0x161/0x7a0 mm/slab.c:3665
       kmalloc include/linux/slab.h:560 [inline]
       sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612
       sk_alloc+0x36/0x1100 net/core/sock.c:1666
       data_sock_create drivers/isdn/mISDN/socket.c:600 [inline]
       mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796
       __sock_create+0x3cb/0x730 net/socket.c:1428
       sock_create net/socket.c:1479 [inline]
       __sys_socket+0xef/0x200 net/socket.c:1521
       __do_sys_socket net/socket.c:1530 [inline]
       __se_sys_socket net/socket.c:1528 [inline]
       __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
       do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Freed by task 2484:
       save_stack+0x1b/0x40 mm/kasan/common.c:49
       set_track mm/kasan/common.c:57 [inline]
       kasan_set_free_info mm/kasan/common.c:317 [inline]
       __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
       __cache_free mm/slab.c:3426 [inline]
       kfree+0x109/0x2b0 mm/slab.c:3757
       kvfree+0x42/0x50 mm/util.c:603
       __free_fdtable+0x2d/0x70 fs/file.c:31
       put_files_struct fs/file.c:420 [inline]
       put_files_struct+0x248/0x2e0 fs/file.c:413
       exit_files+0x7e/0xa0 fs/file.c:445
       do_exit+0xb04/0x2dd0 kernel/exit.c:791
       do_group_exit+0x125/0x340 kernel/exit.c:894
       get_signal+0x47b/0x24e0 kernel/signal.c:2739
       do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784
       exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161
       prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
       do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      The buggy address belongs to the object at ffff88808ed0c000
       which belongs to the cache kmalloc-2k of size 2048
      The buggy address is located 1424 bytes inside of
       2048-byte region [ffff88808ed0c000, ffff88808ed0c800)
      The buggy address belongs to the page:
      page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0xfffe0000000200(slab)
      raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00
      raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
       ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: 6b9f3423 ("l2tp: fix races in tunnel creation")
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: James Chapman <jchapman@katalix.com>
      Cc: Guillaume Nault <gnault@redhat.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Acked-by: Guillaume Nault <gnault@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      eeced742
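An added illustration, not the kernel's code, of the check this commit adds, moved to userland. l2tp takes a socket fd from the caller and treated it as a UDP socket; the fix rejects anything whose family is not PF_INET/PF_INET6 before the UDP tunnel setup writes udp_sock fields into it (the KASAN report above shows the object had been allocated by mISDN_sock_create, and the write landed past its end). The function below asks the same questions of an fd through getsockname() and getsockopt(). validate_udp_fd, check_new_socket and check_pipe_fd are names invented here; SO_PROTOCOL is Linux-specific, so that part of the check is guarded.

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>

/* Userland analogue of the family/type/protocol checks in the kernel's
 * l2tp_validate_socket(); illustration, not kernel code. The kernel reads
 * sk->sk_family, sk->sk_type and sk->sk_protocol directly; from userland the
 * same questions go through getsockname() and getsockopt(). Return values
 * follow the kernel convention of negative errno. */
int validate_udp_fd(int fd)
{
    struct sockaddr_storage ss;
    socklen_t slen = sizeof ss;
    int v;
    socklen_t vlen = sizeof v;

    /* Not a socket at all: getsockname() fails with ENOTSOCK. */
    if (getsockname(fd, (struct sockaddr *)&ss, &slen) < 0)
        return -errno;

    /* The check the fix adds. The syzbot report above shows why it matters:
     * the socket handed in was created by mISDN_sock_create(), and treating
     * it as a UDP socket wrote past the end of its (smaller) allocation. */
    if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6)
        return -EPROTONOSUPPORT;

    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &v, &vlen) < 0)
        return -errno;
    if (v != SOCK_DGRAM)
        return -EPROTONOSUPPORT;

#ifdef SO_PROTOCOL  /* Linux-only; a SOCK_DGRAM inet socket may also be UDP-Lite or ICMP */
    vlen = sizeof v;
    if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &v, &vlen) < 0)
        return -errno;
    if (v != IPPROTO_UDP)
        return -EPROTONOSUPPORT;
#endif
    return 0;
}

/* Create a socket of the given kind, validate it, return the verdict. */
int check_new_socket(int domain, int type, int protocol)
{
    int fd = socket(domain, type, protocol), rc;

    if (fd < 0)
        return -errno;
    rc = validate_udp_fd(fd);
    close(fd);
    return rc;
}

/* A pipe end is a valid fd but not a socket; it must be rejected as well. */
int check_pipe_fd(void)
{
    int fds[2], rc;

    if (pipe(fds) < 0)
        return -errno;
    rc = validate_udp_fd(fds[0]);
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    printf("AF_INET  SOCK_DGRAM : %d\n", check_new_socket(AF_INET, SOCK_DGRAM, 0));
    printf("AF_UNIX  SOCK_DGRAM : %d\n", check_new_socket(AF_UNIX, SOCK_DGRAM, 0));
    printf("AF_INET  SOCK_STREAM: %d\n", check_new_socket(AF_INET, SOCK_STREAM, 0));
    printf("pipe                : %d\n", check_pipe_fd());
    return 0;
}
```

Only an AF_INET UDP datagram socket passes; an AF_UNIX datagram socket, a TCP socket and a pipe are all refused before anything treats them as the expected type. The ordering is the point: the family check comes before any code that assumes the layout of a UDP socket, which is exactly where the kernel's OOB write happened.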
      vsock: fix timeout in vsock_accept() · efbdae03
      Stefano Garzarella authored
      [ Upstream commit 7e0afbdf ]
      
      The accept(2) is an "input" socket interface, so we should use
      SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
      
      So this patch replaces sock_sndtimeo() with sock_rcvtimeo() to
      use the right timeout in vsock_accept().
      
      Fixes: d021c344 ("VSOCK: Introduce VM Sockets")
      Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
      Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      efbdae03
      NFC: st21nfca: add missed kfree_skb() in an error path · 990c16ed
      Chuhong Yuan authored
      [ Upstream commit 3decabdc ]
      
      st21nfca_tm_send_atr_res() does not call kfree_skb() in an error path.
      Add the missed function call to fix it.
      
      Fixes: 1892bf84 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode")
      Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      990c16ed
      net: usb: qmi_wwan: add Telit LE910C1-EUX composition · 1331f667
      Daniele Palmas authored
      [ Upstream commit 591612aa ]
      
      Add support for Telit LE910C1-EUX composition
      
      0x1031: tty, tty, tty, rmnet
      Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
      Acked-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      1331f667
      l2tp: do not use inet_hash()/inet_unhash() · 78320d30
      Eric Dumazet authored
      [ Upstream commit 02c71b14 ]
      
      syzbot recently found a way to crash the kernel [1]
      
      Issue here is that inet_hash() & inet_unhash() are currently
      only meant to be used by TCP & DCCP, since only these protocols
      provide the needed hashinfo pointer.
      
      L2TP uses a single list (instead of a hash table)
      
      This old bug became an issue after commit 61023658
      ("bpf: Add new cgroup attach type to enable sock modifications")
      since after this commit, sk_common_release() can be called
      while the L2TP socket is still considered 'hashed'.
      
      general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
      Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
      RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
      RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
      RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
      R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
      R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
      FS:  0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       sk_common_release+0xba/0x370 net/core/sock.c:3210
       inet_create net/ipv4/af_inet.c:390 [inline]
       inet_create+0x966/0xe00 net/ipv4/af_inet.c:248
       __sock_create+0x3cb/0x730 net/socket.c:1428
       sock_create net/socket.c:1479 [inline]
       __sys_socket+0xef/0x200 net/socket.c:1521
       __do_sys_socket net/socket.c:1530 [inline]
       __se_sys_socket net/socket.c:1528 [inline]
       __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
       do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      RIP: 0033:0x441e29
      Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29
      RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000
      Modules linked in:
      ---[ end trace 23b6578228ce553e ]---
      RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
      Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
      RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
      RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
      RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
      R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
      R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
      FS:  0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      
      Fixes: 0d76751f ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: James Chapman <jchapman@katalix.com>
      Cc: Andrii Nakryiko <andriin@fb.com>
      Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      78320d30
      devinet: fix memleak in inetdev_init() · d2d51114
      Yang Yingliang authored
      [ Upstream commit 1b49cd71 ]
      
      When devinet_sysctl_register() failed, the memory allocated
      in neigh_parms_alloc() should be freed.
      
      Fixes: 20e61da7 ("ipv4: fail early when creating netdev named all or default")
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      d2d51114
      airo: Fix read overflows sending packets · b925f159
      Dan Carpenter authored
      commit 11e7a919 upstream.
      
      The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
      skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
      overflow.
      
      The fix is to pad skb->data to at least ETH_ZLEN bytes.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: Hu Jiahui <kirin.say@gmail.com>
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200527184830.GA1164846@mwanda
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      b925f159
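An added example, not the driver's code, modelling the over-read this commit describes. The transmit path copies at least ETH_ZLEN bytes out of the packet buffer, so a packet shorter than 60 bytes makes the copy read past its valid data into whatever follows; the fix pads the buffer to ETH_ZLEN first. struct pkt, make_pkt, slot_copy, pkt_padto and tx_fixed are invented stand-ins for the sk_buff, skb_padto() and the driver's copy into its transmit area; slot_copy reports the size of the over-read instead of performing it, and the 0x5A filler stands in for stale memory after the payload.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_ZLEN   60     /* minimum Ethernet frame length, as in the kernel */
#define SLOT_SIZE  1536   /* hypothetical size of one hardware TX slot */

/* Hypothetical stand-in for the sk_buff: payload plus the length that is
 * actually valid. Bytes beyond `len` are whatever was there before. */
struct pkt {
    unsigned char buf[SLOT_SIZE];
    size_t len;
};

/* Construct a packet of `len` bytes of 0xAA, with stale 0x5A bytes after it
 * standing in for uninitialised memory past the payload (constructed input). */
struct pkt make_pkt(size_t len)
{
    struct pkt p;

    memset(p.buf, 0x5A, sizeof p.buf);
    memset(p.buf, 0xAA, len);
    p.len = len;
    return p;
}

/* The driver's copy: max(len, ETH_ZLEN) bytes out of a buffer that only holds
 * `len` valid bytes. Rather than perform the over-read, report how many bytes
 * past the valid data it would touch (negative result). */
long slot_copy(unsigned char *slot, const struct pkt *p)
{
    size_t want = p->len < ETH_ZLEN ? ETH_ZLEN : p->len;

    if (want > p->len)
        return -(long)(want - p->len);      /* bytes of over-read */
    memcpy(slot, p->buf, want);
    return (long)want;
}

/* The fix: pad the packet with zeros up to min_len first (what skb_padto()
 * does for a driver). Zero-filling matters: padding with whatever follows the
 * payload would put stale memory on the air. */
bool pkt_padto(struct pkt *p, size_t min_len)
{
    if (p->len >= min_len)
        return true;
    if (min_len > sizeof p->buf)
        return false;                       /* no room: drop the frame */
    memset(p->buf + p->len, 0, min_len - p->len);
    p->len = min_len;
    return true;
}

/* Fixed transmit path: pad, after which the same copy is always in bounds. */
long tx_fixed(unsigned char *slot, struct pkt *p)
{
    if (!pkt_padto(p, ETH_ZLEN))
        return -1;
    return slot_copy(slot, p);
}

int main(void)
{
    unsigned char slot[SLOT_SIZE];
    struct pkt p = make_pkt(14);            /* an Ethernet header and nothing else */

    printf("unpadded copy: %ld\n", slot_copy(slot, &p));
    printf("padded copy:   %ld\n", tx_fixed(slot, &p));
    return 0;
}
```

For a 14-byte packet the unpadded copy would read 46 bytes beyond the payload; after padding, the copy is exactly 60 bytes and bytes 14 to 59 of the slot are zero rather than the stale filler. Packets already at or above ETH_ZLEN are copied unchanged.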
      scsi: ufs: Release clock if DMA map fails · ffa5baf3
      Can Guo authored
      commit 17c7d35f upstream.
      
      In queuecommand path, if DMA map fails, it bails out with clock held.  In
      this case, release the clock to keep its usage paired.
      
      [mkp: applied by hand]
      
      Link: https://lore.kernel.org/r/0101016ed3d66395-1b7e7fce-b74d-42ca-a88a-4db78b795d3b-000000@us-west-2.amazonses.com
      Reviewed-by: Bean Huo <beanhuo@micron.com>
      Signed-off-by: Can Guo <cang@codeaurora.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      [EB: resolved cherry-pick conflict caused by newer kernels not having
       the clear_bit_unlock() line]
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ffa5baf3
      slip: not call free_netdev before rtnl_unlock in slip_open · 3f491c62
      yangerkun authored
      commit f596c870 upstream.
      
      As described before netdev_run_todo, we cannot call free_netdev
      before rtnl_unlock; fix it by reordering the code.
      Signed-off-by: yangerkun <yangerkun@huawei.com>
      Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [bwh: Backported to <4.11: free_netdev() is called through sl_free_netdev()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f491c62
      slcan: Fix double-free on slcan_open() error path · f8535892
      Ben Hutchings authored
      Commit 9ebd796e ("can: slcan: Fix use-after-free Read in
      slcan_open") was incorrectly backported to 4.4 and 4.9 stable
      branches.
      
      Since they do not have commit cf124db5 ("net: Fix inconsistent
      teardown and release of private netdev state."), the destructor
      function slc_free_netdev() is already responsible for calling
      free_netdev() and slcan_open() must not call both of them.
      
      yangerkun previously fixed the same bug in slip.
      
      Fixes: ce624b2089ea ("can: slcan: Fix use-after-free Read in slcan_open") # 4.4
      Fixes: f59604a80fa4 ("slcan: not call free_netdev before rtnl_unlock ...") # 4.4
      Fixes: 56635a1e ("can: slcan: Fix use-after-free Read in slcan_open") # 4.9
      Fixes: a1c9b231 ("slcan: not call free_netdev before rtnl_unlock ...") # 4.9
      Cc: yangerkun <yangerkun@huawei.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8535892
      mmc: fix compilation of user API · a7481f5f
      Jérôme Pouiller authored
      commit 83fc5dd5 upstream.
      
      The definitions of MMC_IOC_CMD  and of MMC_IOC_MULTI_CMD rely on
      MMC_BLOCK_MAJOR:
      
          #define MMC_IOC_CMD       _IOWR(MMC_BLOCK_MAJOR, 0, struct mmc_ioc_cmd)
          #define MMC_IOC_MULTI_CMD _IOWR(MMC_BLOCK_MAJOR, 1, struct mmc_ioc_multi_cmd)
      
      However, MMC_BLOCK_MAJOR is defined in linux/major.h and
      linux/mmc/ioctl.h did not include it.
      Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20200511161902.191405-1-Jerome.Pouiller@silabs.com
      Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7481f5f
      kernel/relay.c: handle alloc_percpu returning NULL in relay_open · d1774b04
      Daniel Axtens authored
      commit 54e200ab upstream.
      
      alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
      In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
      invalid pointer:
      
        BUG: Unable to handle kernel data access at 0x7dae0000
        Faulting instruction address: 0xc0000000003f3fec
        ...
        NIP relay_open+0x29c/0x600
        LR relay_open+0x270/0x600
        Call Trace:
           relay_open+0x264/0x600 (unreliable)
           __blk_trace_setup+0x254/0x600
           blk_trace_setup+0x68/0xa0
           sg_ioctl+0x7bc/0x2e80
           do_vfs_ioctl+0x13c/0x1300
           ksys_ioctl+0x94/0x130
           sys_ioctl+0x48/0xb0
           system_call+0x5c/0x68
      
      Check if alloc_percpu returns NULL.
      
      This was found by syzkaller both on x86 and powerpc, and the reproducer
      it found on powerpc is capable of hitting the issue as an unprivileged
      user.
      
      Fixes: 017c59c0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
      Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
      Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
      Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
      Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
      Signed-off-by: Daniel Axtens <dja@axtens.net>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
      Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
      Acked-by: David Rientjes <rientjes@google.com>
      Cc: Akash Goel <akash.goel@intel.com>
      Cc: Andrew Donnellan <ajd@linux.ibm.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: Salvatore Bonaccorso <carnil@debian.org>
      Cc: <stable@vger.kernel.org>	[4.10+]
      Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      d1774b04
      p54usb: add AirVasT USB stick device-id · 5ac8ff17
      Giuseppe Marco Randazzo authored
      commit 63e49a9f upstream.
      
      This patch adds the AirVasT USB wireless devices 124a:4026
      to the list of supported devices. It's using the ISL3886
      usb firmware. Without this modification, the wifi adapter
      is not recognized.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Giuseppe Marco Randazzo <gmrandazzo@gmail.com>
      Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [formatted, reworded]
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200405220659.45621-1-chunkeey@gmail.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ac8ff17
      HID: i2c-hid: add Schneider SCL142ALM to descriptor override · 80581e21
      Julian Sax authored
      commit 6507ef10 upstream.
      
      This device uses the SIPODEV SP1064 touchpad, which does not
      supply descriptors, so it has to be added to the override list.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Julian Sax <jsbc@gmx.de>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      80581e21
      mm: Fix mremap not considering huge pmd devmap · c915cffd
      Fan Yang authored
      commit 5bfea2d9 upstream.
      
      The original code in mm/mremap.c checks huge pmd by:
      
      		if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
      
      However, a DAX mapped nvdimm is mapped as huge page (by default) but it
      is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP).  This commit
      changes the condition to include the case.
      
      This addresses CVE-2020-10757.
      
      Fixes: 5c7fb56e ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd")
      Cc: <stable@vger.kernel.org>
      Reported-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
      Signed-off-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
      Tested-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
      Tested-by: Dan Williams <dan.j.williams@intel.com>
      Reviewed-by: Dan Williams <dan.j.williams@intel.com>
      Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c915cffd
    • Guillaume Nault's avatar
      pppoe: only process PADT targeted at local interfaces · b1fa53f2
      Guillaume Nault authored
      We don't want to disconnect a session because of a stray PADT arriving
      while the interface is in promiscuous mode.
      Furthermore, multicast and broadcast packets make no sense here, so
      only PACKET_HOST is accepted.
      Reported-by: David Balažic <xerces9@gmail.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Guillaume Nault <gnault@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      b1fa53f2
    • Dinghao Liu's avatar
      net: smsc911x: Fix runtime PM imbalance on error · 0e776721
      Dinghao Liu authored
      [ Upstream commit 539d39ad ]
      
      Remove runtime PM usage counter decrement when the
      increment function has not been called to keep the
      counter balanced.
      Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      0e776721
    • Jonathan McDowell's avatar
      net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x · 7b880cc0
      Jonathan McDowell authored
      [ Upstream commit a96ac8a0 ]
      
      The ipq806x_gmac_probe() function enables the PTP clock but not the
      appropriate interface clocks. This means that if the bootloader hasn't
      done so, attempting to bring up the interface will fail with an error
      like:
      
      [   59.028131] ipq806x-gmac-dwmac 37600000.ethernet: Failed to reset the dma
      [   59.028196] ipq806x-gmac-dwmac 37600000.ethernet eth1: stmmac_hw_setup: DMA engine initialization failed
      [   59.034056] ipq806x-gmac-dwmac 37600000.ethernet eth1: stmmac_open: Hw setup failed
      
      This patch, a slightly cleaned up version of one posted by Sergey
      Sergeev in:
      
      https://forum.openwrt.org/t/support-for-mikrotik-rb3011uias-rm/4064/257
      
      correctly enables the clock; we have already configured the source just
      before this.
      
      Tested on a MikroTik RB3011.
      Signed-off-by: Jonathan McDowell <noodles@earth.li>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      7b880cc0
    • Valentin Longchamp's avatar
      net/ethernet/freescale: rework quiesce/activate for ucc_geth · dee26e88
      Valentin Longchamp authored
      [ Upstream commit 79dde73c ]
      
      ugeth_quiesce/activate are used to halt the controller when there is a
      link change that requires to reconfigure the mac.
      
      The previous implementation called netif_device_detach(). This however
      causes the initial activation of the netdevice to fail precisely because
      it's detached. For details, see [1].
      
      A possible workaround was the revert of commit
      net: linkwatch: add check for netdevice being present to linkwatch_do_dev
      However, the check introduced in the above commit is correct and shall be
      kept.
      
      The netif_device_detach() is thus replaced with
      netif_tx_stop_all_queues(), which prevents any transmission. This allows
      performing the mac config change required by the link change, without detaching
      the corresponding netdevice and thus not preventing its initial
      activation.
      
      [1] https://lists.openwall.net/netdev/2020/01/08/201
      Signed-off-by: Valentin Longchamp <valentin@longchamp.me>
      Acked-by: Matteo Ghidoni <matteo.ghidoni@ch.abb.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      dee26e88
    • Jeremy Kerr's avatar
      net: bmac: Fix read of MAC address from ROM · 9849292d
      Jeremy Kerr authored
      [ Upstream commit ef01cee2 ]
      
      In bmac_get_station_address, we're reading two bytes at a time from ROM,
      but we do that six times, resulting in 12 bytes of reads & writes. This
      means we will write off the end of the six-byte destination buffer.
      
      This change fixes the for-loop to only read/write six bytes.
      
      Based on a proposed fix from Finn Thain <fthain@telegraphics.com.au>.
      Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
      Reported-by: Stan Johnson <userm57@yahoo.com>
      Tested-by: Stan Johnson <userm57@yahoo.com>
      Reported-by: Finn Thain <fthain@telegraphics.com.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      9849292d
    • Nathan Chancellor's avatar
      x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables · c4400d9d
      Nathan Chancellor authored
      [ Upstream commit d7110a26 ]
      
      When building with Clang + -Wtautological-compare and
      CONFIG_CPUMASK_OFFSTACK unset:
      
        arch/x86/mm/mmio-mod.c:375:6: warning: comparison of array 'downed_cpus'
        equal to a null pointer is always false [-Wtautological-pointer-compare]
                if (downed_cpus == NULL &&
                    ^~~~~~~~~~~    ~~~~
        arch/x86/mm/mmio-mod.c:405:6: warning: comparison of array 'downed_cpus'
        equal to a null pointer is always false [-Wtautological-pointer-compare]
                if (downed_cpus == NULL || cpumask_weight(downed_cpus) == 0)
                    ^~~~~~~~~~~    ~~~~
        2 warnings generated.
      
      Commit
      
        f7e30f01 ("cpumask: Add helper cpumask_available()")
      
      added cpumask_available() to fix warnings of this nature. Use that here
      so that clang does not warn regardless of CONFIG_CPUMASK_OFFSTACK's
      value.
      Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
      Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
      Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Link: https://github.com/ClangBuiltLinux/linux/issues/982
      Link: https://lkml.kernel.org/r/20200408205323.44490-1-natechancellor@gmail.com
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      c4400d9d
    • Eugeniy Paltsev's avatar
      ARC: Fix ICCM & DCCM runtime size checks · d7106057
      Eugeniy Paltsev authored
      [ Upstream commit 43900edf ]
      
      As of today the ICCM and DCCM size checks are incorrectly using
      mismatched units (KiB checked against bytes). The CONFIG_ARC_DCCM_SZ
      and CONFIG_ARC_ICCM_SZ are in KiB, but the size calculated in
      runtime and stored in cpu->dccm.sz and cpu->iccm.sz is in bytes.
      
      Fix that.
      Reported-by: Paul Greco <pmgreco@us.ibm.com>
      Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      d7106057
    • Vasily Gorbik's avatar
      s390/ftrace: save traced function caller · 4237e949
      Vasily Gorbik authored
      [ Upstream commit b4adfe55 ]
      
      A typical backtrace acquired from an ftraced function currently looks like
      the following (e.g. for "path_openat"):
      
      arch_stack_walk+0x15c/0x2d8
      stack_trace_save+0x50/0x68
      stack_trace_call+0x15a/0x3b8
      ftrace_graph_caller+0x0/0x1c
      0x3e0007e3c98 <- ftraced function caller (should be do_filp_open+0x7c/0xe8)
      do_open_execat+0x70/0x1b8
      __do_execve_file.isra.0+0x7d8/0x860
      __s390x_sys_execve+0x56/0x68
      system_call+0xdc/0x2d8
      
      Note the random "0x3e0007e3c98" stack value as the ftraced function caller. This
      value causes either an imprecise unwinder result or an unwinding failure.
      That "0x3e0007e3c98" comes from r14 of the ftraced function's stack frame, which
      it hasn't had a chance to initialize since the very first instruction
      calls the ftrace code ("ftrace_caller"). (The ftraced function might never
      save r14 either.) Nevertheless, according to the s390 ABI any function
      is called with a stack frame allocated for it and r14 containing the return
      address. "ftrace_caller" itself is called with "brasl %r0,ftrace_caller".
      So, to fix this issue, simply always save the traced function caller onto
      the ftraced function's stack frame.
      Reported-by: Sven Schnelle <svens@linux.ibm.com>
      Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      4237e949
    • Xinwei Kong's avatar
      spi: dw: use "smp_mb()" to avoid sending spi data error · 5720901b
      Xinwei Kong authored
      [ Upstream commit bfda0445 ]
      
      Because of out-of-order execution on some CPU architectures, in
      this debug stage we find that completing the spi interrupt enable ->
      producing the TXEI interrupt -> running the "interrupt_transfer" function
      can happen prior to setting the "dw->rx and dws->rx_end" data, so this patch adds a
      memory barrier to make dw->rx and dw->rx_end visible and
      solve the SPI data send error.
      eg:
      it will fix the following low-probability error in a testing environment
      which uses an SPI controller to connect TPM modules
      
      kernel: tpm tpm0: Operation Timed out
      kernel: tpm tpm0: tpm_relinquish_locality: : error -1
      Signed-off-by: fengsheng <fengsheng5@huawei.com>
      Signed-off-by: Xinwei Kong <kong.kongxinwei@hisilicon.com>
      Link: https://lore.kernel.org/r/1578019930-55858-1-git-send-email-kong.kongxinwei@hisilicon.com
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      5720901b
    • Zhen Lei's avatar
      esp6: fix memleak on error path in esp6_input · 7aebadb4
      Zhen Lei authored
      commit 7284fdf3 upstream.
      
      This ought to be an omission in e6194923 ("esp: Fix memleaks on error
      paths."). The memleak on error path in esp6_input is similar to esp_input
      of esp4.
      
      Fixes: e6194923 ("esp: Fix memleaks on error paths.")
      Fixes: 3f297707 ("ipsec: check return value of skb_to_sgvec always")
      Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      7aebadb4
    • Eugeniu Rosca's avatar
      usb: gadget: f_uac2: fix error handling in afunc_bind (again) · a7add20e
      Eugeniu Rosca authored
      commit e87581fe upstream.
      
      If usb_ep_autoconfig() fails (i.e. returns a null endpoint descriptor),
      we expect afunc_bind() to fail (i.e. return a negative error code).
      
      However, due to v4.10-rc1 commit f1d3861d ("usb: gadget: f_uac2: fix
      error handling at afunc_bind"), afunc_bind() returns zero, telling the
      caller that it succeeded. This then generates a NULL pointer dereference
      in the scenario below on the Rcar H3-ES20-Salvator-X target:
      
      rcar-gen3:/home/root# modprobe g_audio
      [  626.521155] g_audio gadget: afunc_bind:565 Error!
      [  626.526319] g_audio gadget: Linux USB Audio Gadget, version: Feb 2, 2012
      [  626.533405] g_audio gadget: g_audio ready
      rcar-gen3:/home/root#
      rcar-gen3:/home/root# modprobe -r g_audio
      [  728.256707] ==================================================================
      [  728.264293] BUG: KASAN: null-ptr-deref in u_audio_stop_capture+0x70/0x268 [u_audio]
      [  728.272244] Read of size 8 at addr 00000000000000a0 by task modprobe/2545
      [  728.279309]
      [  728.280849] CPU: 0 PID: 2545 Comm: modprobe Tainted: G        WC      4.14.47+ #152
      [  728.288778] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
      [  728.296454] Call trace:
      [  728.299151] [<ffff2000080925ac>] dump_backtrace+0x0/0x364
      [  728.304808] [<ffff200008092924>] show_stack+0x14/0x1c
      [  728.310081] [<ffff200008f8d5cc>] dump_stack+0x108/0x174
      [  728.315522] [<ffff2000083c77c8>] kasan_report+0x1fc/0x354
      [  728.321134] [<ffff2000083c611c>] __asan_load8+0x24/0x94
      [  728.326600] [<ffff2000021e1618>] u_audio_stop_capture+0x70/0x268 [u_audio]
      [  728.333735] [<ffff2000021f8b7c>] afunc_disable+0x44/0x60 [usb_f_uac2]
      [  728.340503] [<ffff20000218177c>] usb_remove_function+0x9c/0x210 [libcomposite]
      [  728.348060] [<ffff200002183320>] remove_config.isra.2+0x1d8/0x218 [libcomposite]
      [  728.355788] [<ffff200002186c54>] __composite_unbind+0x104/0x1f8 [libcomposite]
      [  728.363339] [<ffff200002186d58>] composite_unbind+0x10/0x18 [libcomposite]
      [  728.370536] [<ffff20000152f158>] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
      [  728.378172] [<ffff20000153154c>] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
      [  728.386274] [<ffff200002180de8>] usb_composite_unregister+0x10/0x18 [libcomposite]
      [  728.394116] [<ffff2000021d035c>] audio_driver_exit+0x14/0x28 [g_audio]
      [  728.400878] [<ffff200008213ed4>] SyS_delete_module+0x288/0x32c
      [  728.406935] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
      [  728.413624] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
      [  728.421718] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
      [  728.429792] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
      [  728.437870] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
      [  728.445952] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
      [  728.454035] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
      [  728.462114] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
      [  728.470190] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
      [  728.478281] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
      [  728.486351] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      [  728.494434] [<ffff200008084780>] el0_svc_naked+0x34/0x38
      [  728.499957] ==================================================================
      [  728.507801] Unable to handle kernel NULL pointer dereference at virtual address 000000a0
      [  728.517742] Mem abort info:
      [  728.520993]   Exception class = DABT (current EL), IL = 32 bits
      [  728.527375]   SET = 0, FnV = 0
      [  728.530731]   EA = 0, S1PTW = 0
      [  728.534361] Data abort info:
      [  728.537650]   ISV = 0, ISS = 0x00000006
      [  728.541863]   CM = 0, WnR = 0
      [  728.545167] user pgtable: 4k pages, 48-bit VAs, pgd = ffff8006c6100000
      [  728.552156] [00000000000000a0] *pgd=0000000716a8d003
      [  728.557519] , *pud=00000007116fc003
      [  728.561259] , *pmd=0000000000000000
      [  728.564985] Internal error: Oops: 96000006 [#1] PREEMPT SMP
      [  728.570815] Modules linked in:
      [  728.574023]  usb_f_uac2
      [  728.576560]  u_audio
      [  728.578827]  g_audio(-)
      [  728.581361]  libcomposite
      [  728.584071]  configfs
      [  728.586428]  aes_ce_blk
      [  728.588960]  sata_rcar
      [  728.591421]  crypto_simd
      [  728.594039]  cryptd
      [  728.596217]  libata
      [  728.598396]  aes_ce_cipher
      [  728.601188]  crc32_ce
      [  728.603542]  ghash_ce
      [  728.605896]  gf128mul
      [  728.608250]  aes_arm64
      [  728.610692]  scsi_mod
      [  728.613046]  sha2_ce
      [  728.615313]  xhci_plat_hcd
      [  728.618106]  sha256_arm64
      [  728.620811]  sha1_ce
      [  728.623077]  renesas_usbhs
      [  728.625869]  xhci_hcd
      [  728.628243]  renesas_usb3
      [  728.630948]  sha1_generic
      [  728.633670]  ravb_streaming(C)
      [  728.636814]  udc_core
      [  728.639168]  cpufreq_dt
      [  728.641697]  rcar_gen3_thermal
      [  728.644840]  usb_dmac
      [  728.647194]  pwm_rcar
      [  728.649548]  thermal_sys
      [  728.652165]  virt_dma
      [  728.654519]  mch_core(C)
      [  728.657137]  pwm_bl
      [  728.659315]  snd_soc_rcar
      [  728.662020]  snd_aloop
      [  728.664462]  snd_soc_generic_card
      [  728.667869]  snd_soc_ak4613
      [  728.670749]  ipv6
      [  728.672768]  autofs4
      [  728.675052] CPU: 0 PID: 2545 Comm: modprobe Tainted: G    B   WC      4.14.47+ #152
      [  728.682973] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
      [  728.690637] task: ffff8006ced38000 task.stack: ffff8006cf6c0000
      [  728.696814] PC is at u_audio_stop_capture+0x70/0x268 [u_audio]
      [  728.702896] LR is at u_audio_stop_capture+0x70/0x268 [u_audio]
      [  728.708964] pc : [<ffff2000021e1618>] lr : [<ffff2000021e1618>] pstate: 60000145
      [  728.716620] sp : ffff8006cf6c7a50
      [  728.720154] x29: ffff8006cf6c7a50
      [  728.723760] x28: ffff8006ced38000
      [  728.727272] x27: ffff200008fd7000
      [  728.730857] x26: ffff2000021d2340
      [  728.734361] x25: 0000000000000000
      [  728.737948] x24: ffff200009e94b08
      [  728.741452] x23: 00000000000000a0
      [  728.745052] x22: 00000000000000a8
      [  728.748558] x21: 1ffff000d9ed8f7c
      [  728.752142] x20: ffff8006d671a800
      [  728.755646] x19: 0000000000000000
      [  728.759231] x18: 0000000000000000
      [  728.762736] x17: 0000ffffbc7c8f40
      [  728.766320] x16: ffff200008213c4c
      [  728.769823] x15: 0000000000000000
      [  728.773408] x14: 0720072007200720
      [  728.776912] x13: 0720072007200720
      [  728.780497] x12: ffffffffffffffff
      [  728.784001] x11: 0000000000000040
      [  728.787598] x10: 0000000000001600
      [  728.791103] x9 : ffff8006cf6c77a0
      [  728.794689] x8 : ffff8006ced39660
      [  728.798193] x7 : ffff20000811c738
      [  728.801794] x6 : 0000000000000000
      [  728.805299] x5 : dfff200000000000
      [  728.808885] x4 : ffff8006ced38000
      [  728.812390] x3 : ffff200008fb46e8
      [  728.815976] x2 : 0000000000000007
      [  728.819480] x1 : 3ba68643e7431500
      [  728.823066] x0 : 0000000000000000
      [  728.826574] Process modprobe (pid: 2545, stack limit = 0xffff8006cf6c0000)
      [  728.833704] Call trace:
      [  728.836292] Exception stack(0xffff8006cf6c7910 to 0xffff8006cf6c7a50)
      [  728.842987] 7900:                                   0000000000000000 3ba68643e7431500
      [  728.851084] 7920: 0000000000000007 ffff200008fb46e8 ffff8006ced38000 dfff200000000000
      [  728.859173] 7940: 0000000000000000 ffff20000811c738 ffff8006ced39660 ffff8006cf6c77a0
      [  728.867248] 7960: 0000000000001600 0000000000000040 ffffffffffffffff 0720072007200720
      [  728.875323] 7980: 0720072007200720 0000000000000000 ffff200008213c4c 0000ffffbc7c8f40
      [  728.883412] 79a0: 0000000000000000 0000000000000000 ffff8006d671a800 1ffff000d9ed8f7c
      [  728.891485] 79c0: 00000000000000a8 00000000000000a0 ffff200009e94b08 0000000000000000
      [  728.899561] 79e0: ffff2000021d2340 ffff200008fd7000 ffff8006ced38000 ffff8006cf6c7a50
      [  728.907636] 7a00: ffff2000021e1618 ffff8006cf6c7a50 ffff2000021e1618 0000000060000145
      [  728.915710] 7a20: 0000000000000008 0000000000000000 0000ffffffffffff 3ba68643e7431500
      [  728.923780] 7a40: ffff8006cf6c7a50 ffff2000021e1618
      [  728.928880] [<ffff2000021e1618>] u_audio_stop_capture+0x70/0x268 [u_audio]
      [  728.936032] [<ffff2000021f8b7c>] afunc_disable+0x44/0x60 [usb_f_uac2]
      [  728.942822] [<ffff20000218177c>] usb_remove_function+0x9c/0x210 [libcomposite]
      [  728.950385] [<ffff200002183320>] remove_config.isra.2+0x1d8/0x218 [libcomposite]
      [  728.958134] [<ffff200002186c54>] __composite_unbind+0x104/0x1f8 [libcomposite]
      [  728.965689] [<ffff200002186d58>] composite_unbind+0x10/0x18 [libcomposite]
      [  728.972882] [<ffff20000152f158>] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
      [  728.980522] [<ffff20000153154c>] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
      [  728.988638] [<ffff200002180de8>] usb_composite_unregister+0x10/0x18 [libcomposite]
      [  728.996472] [<ffff2000021d035c>] audio_driver_exit+0x14/0x28 [g_audio]
      [  729.003231] [<ffff200008213ed4>] SyS_delete_module+0x288/0x32c
      [  729.009278] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
      [  729.015946] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
      [  729.024022] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
      [  729.032099] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
      [  729.040172] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
      [  729.048263] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
      [  729.056337] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
      [  729.064411] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
      [  729.072484] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
      [  729.080563] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
      [  729.088636] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      [  729.096733] [<ffff200008084780>] el0_svc_naked+0x34/0x38
      [  729.102259] Code: 9597d1b3 aa1703e0 9102a276 958792b9 (f9405275)
      [  729.108617] ---[ end trace 7560c5fa3d100243 ]---
      
      After this patch is applied, the issue is fixed:
      rcar-gen3:/home/root# modprobe g_audio
      [   59.217127] g_audio gadget: afunc_bind:565 Error!
      [   59.222329] g_audio ee020000.usb: failed to start g_audio: -19
      modprobe: ERROR: could not insert 'g_audio': No such device
      rcar-gen3:/home/root# modprobe -r g_audio
      rcar-gen3:/home/root#
      
      Fixes: f1d3861d ("usb: gadget: f_uac2: fix error handling at afunc_bind")
      Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7add20e
    • Hannes Reinecke's avatar
      scsi: scsi_devinfo: fixup string compare · d74a350d
      Hannes Reinecke authored
      commit b8018b97 upstream.
      
      When checking the model and vendor string we need to use the minimum
      value of either string, otherwise we'll miss out on wildcard matches.
      
      And we should take care when matching with zero size strings; results
      might be unpredictable.  With this patch the rules for matching devinfo
      strings are as follows:
      
      - Vendor strings must match exactly
      - Empty Model strings will only match if the devinfo model
        is also empty
      - Model strings shorter than the devinfo model string will
        not match
      
      Fixes: 5e7ff2ca ("SCSI: fix new bug in scsi_dev_info_list string matching")
      Signed-off-by: Hannes Reinecke <hare@suse.com>
      Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
      Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
      Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      d74a350d
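      The three devinfo matching rules listed in the scsi_devinfo commit above, written out as a stand-alone C function. This is an added illustration, not the kernel's scsi_devinfo code: `devinfo_match`, `devinfo_lookup`, the `entry_*`/`dev_*` naming and the sample table are all constructed here, and the empty-model rule is applied in both directions (empty only ever matches empty), which is how the listed rules read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Illustrative reimplementation of the devinfo matching rules from the
 * commit message; NOT the kernel's scsi_devinfo code. entry_* are the
 * devinfo table strings, dev_* the strings the device reported.
 */

/*
 * Model rule: an empty string matches only an empty string; a device model
 * shorter than the devinfo model never matches; otherwise compare over the
 * shorter (devinfo) length, so a short devinfo model is a prefix wildcard.
 * Comparing over the shorter length is what keeps wildcard matches working
 * without reading past the end of either string.
 */
static bool devinfo_model_match(const char *dev_model, const char *entry_model)
{
    size_t dev_len = strlen(dev_model);
    size_t entry_len = strlen(entry_model);

    if (dev_len == 0 || entry_len == 0)
        return dev_len == entry_len;
    if (dev_len < entry_len)
        return false;
    /* dev_len >= entry_len, so reading entry_len bytes of dev_model is in bounds. */
    return memcmp(dev_model, entry_model, entry_len) == 0;
}

/* Vendor rule: exact match only, then apply the model rule. */
bool devinfo_match(const char *dev_vendor, const char *dev_model,
                   const char *entry_vendor, const char *entry_model)
{
    if (strcmp(dev_vendor, entry_vendor) != 0)
        return false;
    return devinfo_model_match(dev_model, entry_model);
}

/* Constructed sample table (hypothetical vendors/models, not the kernel's list). */
struct devinfo_entry {
    const char *vendor;
    const char *model;
    const char *label;   /* stands in for the entry's blacklist flags */
};

static const struct devinfo_entry sample_table[] = {
    { "ACME",  "DISK",  "wildcard-entry" },    /* matches ACME models starting "DISK" */
    { "ACME",  "",      "empty-model-entry" }, /* matches only an empty ACME model */
    { "OTHER", "TAPE1", "exact-entry" },
};

/* Returns the label of the first matching table entry, or NULL if none matches. */
const char *devinfo_lookup(const char *dev_vendor, const char *dev_model)
{
    size_t n = sizeof(sample_table) / sizeof(sample_table[0]);

    for (size_t i = 0; i < n; i++) {
        if (devinfo_match(dev_vendor, dev_model,
                          sample_table[i].vendor, sample_table[i].model))
            return sample_table[i].label;
    }
    return NULL;
}
```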
  2. 03 Jun, 2020 4 commits