1. 22 Sep, 2017 4 commits
    • USB: gadgetfs: fix copy_to_user while holding spinlock · 6e76c01e
      Alan Stern authored
      The gadgetfs driver has a long-outstanding FIXME, regarding a call of
      copy_to_user() made while holding a spinlock.  This patch fixes the
      issue by dropping the spinlock and using the dev->udc_usage mechanism
      introduced by another recent patch to guard against status changes
      while the lock isn't held.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      CC: <stable@vger.kernel.org>
      Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: uas: fix bug in handling of alternate settings · 786de92b
      Alan Stern authored
      The uas driver has a subtle bug in the way it handles alternate
      settings.  The uas_find_uas_alt_setting() routine returns an
      altsetting value (the bAlternateSetting number in the descriptor), but
      uas_use_uas_driver() then treats that value as an index to the
      intf->altsetting array, which it isn't.
      
      Normally this doesn't cause any problems because the various
      alternate settings have bAlternateSetting values 0, 1, 2, ..., so the
      value is equal to the index in the array.  But this is not guaranteed,
      and Andrey Konovalov used the syzkaller fuzzer with KASAN to get a
      slab-out-of-bounds error by violating this assumption.
      
      This patch fixes the bug by making uas_find_uas_alt_setting() return a
      pointer to the altsetting entry rather than either the value or the
      index.  Pointers are less subject to misinterpretation.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      Tested-by: Andrey Konovalov <andreyknvl@google.com>
      CC: Oliver Neukum <oneukum@suse.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
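The value-versus-index confusion described in the uas commit above, as an added user-space model (not code from the commit or the uas driver). The structures, the `is_uas` flag and the three sample interfaces are constructed for illustration; only the name `bAlternateSetting` comes from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-ins for the structures named in the commit message.
 * Only bAlternateSetting is a real descriptor field; the rest is a
 * simplification assumed for this example. */
struct alt_desc {
    uint8_t bAlternateSetting;  /* number the device puts in its descriptor */
    uint8_t is_uas;             /* constructed flag: 1 = the UAS-capable setting */
};

struct intf {
    const struct alt_desc *altsetting;  /* array, in the order it was parsed */
    unsigned int num_altsetting;
};

enum outcome { NO_UAS, CORRECT_ENTRY, WRONG_ENTRY, OUT_OF_BOUNDS };

/* Pre-fix shape: return the bAlternateSetting *value*, or -1 if none. */
static int find_uas_alt_value(const struct intf *intf)
{
    for (unsigned int i = 0; i < intf->num_altsetting; i++)
        if (intf->altsetting[i].is_uas)
            return intf->altsetting[i].bAlternateSetting;
    return -1;
}

/* Pre-fix caller: treats that value as an index into altsetting[].
 * This model classifies what the lookup would hit instead of performing
 * the out-of-bounds read. */
static enum outcome old_lookup_outcome(const struct intf *intf)
{
    int alt = find_uas_alt_value(intf);

    if (alt < 0)
        return NO_UAS;
    if ((unsigned int)alt >= intf->num_altsetting)
        return OUT_OF_BOUNDS;   /* the slab-out-of-bounds case KASAN reported */
    return intf->altsetting[alt].is_uas ? CORRECT_ENTRY : WRONG_ENTRY;
}

/* Post-fix shape: return a pointer to the matching entry, so the caller
 * has neither a value nor an index to misinterpret. */
static const struct alt_desc *find_uas_alt(const struct intf *intf)
{
    for (unsigned int i = 0; i < intf->num_altsetting; i++)
        if (intf->altsetting[i].is_uas)
            return &intf->altsetting[i];
    return NULL;
}

/* Constructed sample interfaces. */
static const struct alt_desc usual_alts[]   = { {0, 0}, {1, 1} }; /* value == index */
static const struct alt_desc gapped_alts[]  = { {0, 0}, {5, 1} }; /* value 5, index 1 */
static const struct alt_desc swapped_alts[] = { {1, 1}, {0, 0} }; /* value 1, index 0 */

static const struct intf usual   = { usual_alts, 2 };
static const struct intf gapped  = { gapped_alts, 2 };
static const struct intf swapped = { swapped_alts, 2 };

int main(void)
{
    static const char *const names[] = {
        "no UAS setting", "correct entry", "wrong entry", "out of bounds"
    };
    const struct intf *samples[] = { &usual, &gapped, &swapped };
    const char *labels[] = { "usual", "gapped", "swapped" };

    for (int i = 0; i < 3; i++) {
        const struct alt_desc *alt = find_uas_alt(samples[i]);

        printf("%-8s value-as-index: %-14s pointer: bAlternateSetting=%d\n",
               labels[i], names[old_lookup_outcome(samples[i])],
               alt ? alt->bAlternateSetting : -1);
    }
    return 0;
}
```

The "swapped" sample shows that the old code can also stay in bounds and silently select a non-UAS entry, which a memory sanitizer would not flag.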
    • usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives · 113f6eb6
      Alan Stern authored
      Kris Lindgren reports that without the NO_WP_DETECT flag, his Seagate
      external disk drive fails all write accesses.  This regression dates
      back approximately to the start of the 4.x kernel releases.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: Kris Lindgren <kris.lindgren@gmail.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb-storage: fix bogus hardware error messages for ATA pass-thru devices · a4fd4a72
      Alan Stern authored
      Ever since commit a621bac3 ("scsi_lib: correctly retry failed zero
      length REQ_TYPE_FS commands"), people have been getting bogus error
      messages for USB disk drives using ATA pass-thru.  For example:
      
      [ 1344.880193] sd 6:0:0:0: [sdb] Attached SCSI disk
      [ 1345.069152] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE
      [ 1345.069159] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor]
      [ 1345.069162] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information
      [ 1345.069168] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(16) 85 06 20 00 00 00 00 00 00 00 00 00 00 00 e5 00
      [ 1345.172252] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE
      [ 1345.172258] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor]
      [ 1345.172261] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information
      [ 1345.172266] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(12)/Blank a1 06 20 da 00 00 4f c2 00 b0 00 00
      
      These messages can be quite annoying, because programs like udisks2
      provoke them every 10 minutes or so.  Other programs can also have
      this effect, such as those in smartmontools.
      
      I don't fully understand how that commit induced the SCSI core to log
      these error messages, but the underlying cause for them is code added
      to usb-storage by commit f1a0743b ("USB: storage: When a device
      returns no sense data, call it a Hardware Error").  At the time it was
      necessary to do this, in order to prevent an infinite retry loop with
      some not-so-great mass storage devices.
      
      However, the ATA pass-thru protocol uses SCSI sense data to return
      command status values, and some devices always report Check Condition
      status for ATA pass-thru commands to ensure that the host retrieves
      the sense data, even if the command succeeded.  This violates the USB
      mass-storage protocol (Check Condition status is supposed to mean the
      command failed), but we can't help that.
      
      This patch attempts to mitigate the problem of these bogus error
      reports by changing usb-storage.  The HARDWARE ERROR sense key will be
      inserted only for commands that aren't ATA pass-thru.
      
      Thanks to Ewan Milne for pointing out that this mechanism was present
      in usb-storage.  8 years after writing it, I had completely forgotten
      its existence.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Tested-by: Kris Lindgren <kris.lindgren@gmail.com>
      Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1351305
      CC: Ewan D. Milne <emilne@redhat.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 21 Sep, 2017 2 commits
  3. 20 Sep, 2017 4 commits
    • usb: gadget: dummy: fix nonsensical comparisons · 7661ca09
      Arnd Bergmann authored
      gcc-8 points out two comparisons that are clearly bogus
      and almost certainly not what the author intended to write:
      
      drivers/usb/gadget/udc/dummy_hcd.c: In function 'set_link_state_by_speed':
      drivers/usb/gadget/udc/dummy_hcd.c:379:31: error: bitwise comparison always evaluates to false [-Werror=tautological-compare]
               USB_PORT_STAT_ENABLE) == 1 &&
                                     ^~
      drivers/usb/gadget/udc/dummy_hcd.c:381:25: error: bitwise comparison always evaluates to false [-Werror=tautological-compare]
            USB_SS_PORT_LS_U0) == 1 &&
                               ^~
      
      I looked at the code for a bit and came up with a change that makes
      it look like what the author probably meant here. This makes it
      look reasonable to me and to gcc, shutting up the warning.
      
      It does of course change behavior as the two conditions are actually
      evaluated rather than being hardcoded to false, and I have made no
      attempt at verifying that the changed logic makes sense in the context
      of a USB HCD, so that part needs to be reviewed carefully.
      
      Fixes: 1cd8fd28 ("usb: gadget: dummy_hcd: add SuperSpeed support")
      Cc: Tatyana Brokhman <tlinder@codeaurora.org>
      Cc: Felipe Balbi <balbi@kernel.org>
      Acked-by: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    • usb: gadget: udc: fix snps_udc_plat.c build errors · 641663a1
      Randy Dunlap authored
      Fix build errors that happen when CONFIG_EXTCON=m and
      CONFIG_USB_SNP_UDC_PLAT=y by preventing that combination in Kconfig.
      CONFIG_EXTCON can still be disabled or enabled for this driver since
      <linux/extcon.h> has stubs for the disabled case, but if CONFIG_EXTCON=m,
      USB_SNP_UDC_PLAT is restricted to m or n (cannot be builtin).
      
      drivers/built-in.o: In function `udc_plat_remove':
      snps_udc_plat.c:(.text+0x2c4060): undefined reference to `extcon_unregister_notifier'
      drivers/built-in.o: In function `udc_plat_probe':
      snps_udc_plat.c:(.text+0x2c438c): undefined reference to `extcon_get_edev_by_phandle'
      snps_udc_plat.c:(.text+0x2c43f2): undefined reference to `extcon_register_notifier'
      snps_udc_plat.c:(.text+0x2c4416): undefined reference to `extcon_get_state'
      snps_udc_plat.c:(.text+0x2c44f7): undefined reference to `extcon_unregister_notifier'
      Reported-by: kbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    • usb: gadget: function: printer: avoid spinlock recursion · 9ada8c58
      Yoshihiro Shimoda authored
      If usb_gadget_giveback_request() is called in usb_ep_queue(),
      printer_write() can cause spinlock recursion. So,
      this patch adds spin_unlock() before calling usb_ep_queue() to avoid it.
      Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    • usb: gadget: core: fix ->udc_set_speed() logic · 97e133d5
      Roger Quadros authored
      Consider the following case: udc controller supports SuperSpeed.  If we
      first load a HighSpeed gadget followed by a SuperSpeed gadget, the
      SuperSpeed gadget will be limited to HighSpeed as UDC core driver
      doesn't call ->udc_set_speed() in the second case.
      
      Call ->udc_set_speed() unconditionally to fix this issue.
      
      This will also fix the case for dwc3 controller driver when SuperSpeed
      gadget is loaded first and works in HighSpeed only as udc_set_speed()
      was never being called.
      
      Fixes: 6099eca796ae ("usb: gadget: core: introduce ->udc_set_speed() method")
      Cc: <stable@vger.kernel.org> [v4.13+]
      Signed-off-by: Roger Quadros <rogerq@ti.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
  4. 19 Sep, 2017 1 commit
  5. 18 Sep, 2017 12 commits
    • Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts" · bcd6a7aa
      Kai-Heng Feng authored
      This reverts commit dec08194.
      
      Commit dec08194 ("xhci: Limit USB2 port wake support for AMD Promontory
      hosts") makes all high speed USB ports on ASUS PRIME B350M-A cease to
      function after enabling runtime PM.
      
      All boards with this chipset will be affected, so revert the commit.
      
      The original patch was added to stable 4.9, 4.11 and 4.12 and needs
      to be reverted from there as well.
      
      Cc: <stable@vger.kernel.org> # 4.9+
      Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor · 7bea22b1
      Mathias Nyman authored
      A SuperSpeedPlus roothub needs to have the Link Protocol (LP) bit set in
      the bmSublinkSpeedAttr[] entry of a SuperSpeedPlus descriptor.
      
      If the xhci controller has an optional Protocol Speed ID (PSI) table then
      that will be used as a base to create the roothub SuperSpeedPlus
      descriptor.
      The PSI table does not however necessarily contain the LP bit so we need
      to set it manually.
      
      Check the psi speed and set LP bit if speed is 10Gbps or higher.
      We're not setting it for 5 to 10Gbps as USB 3.1 specification always
      mentions SuperSpeedPlus for 10Gbps or higher, and some SSIC USB 3.0 speeds
      can be over 5Gbps, such as SSIC-G3B-L1 at 5830 Mbps
      
      Cc: <stable@vger.kernel.org> # 4.6+
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround · 4ec1cd3e
      Mathias Nyman authored
      The flow control workaround for ASM1042A xHC hosts sleeps between
      register polling. The workaround gets called in several places, among
      them with spin_lock_irq() held when xHC host is resumed or hotplug removed.
      
      This was noticed as kernel panics at resume on a Dell XPS15 9550 with
      TB16 thunderbolt dock.
      
      Avoid sleeping with spin_lock_irq() held, use udelay() instead
      
      The original workaround was added to 4.9 and 4.12 stable releases,
      this patch needs to be applied to those as well.
      
      Fixes: 9da5a109 ("xhci: Bad Ethernet performance plugged in ASM1042A host")
      Cc: <stable@vger.kernel.org> #4.9+
      Reported-by: Jose Marino <marinoj@nso.edu>
      Tested-by: Jose Marino <marinoj@nso.edu>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: host: xhci-plat: allow sysdev to inherit from ACPI · c6b8e793
      Adam Wallis authored
      Commit 4c39d4b9 ("usb: xhci: use bus->sysdev for DMA configuration")
      updated the method determining DMA for XHCI from sysdev. However, this
      patch broke the ability to enumerate the FWNODE from parent ACPI devices
      from the child plat XHCI device.
      
      Currently, xhci_plat is not set up properly when the parent device is an
      ACPI node. The conditions that xhci_plat_probe should satisfy are
      
      1. xhci_plat comes from firmware
      2. xhci_plat is child of a device from firmware (dwc3-plat)
      3. xhci_plat is grandchild of a pci device (dwc3-pci)
      
      Case 2 is covered when the child is an OF node (by checking
      sysdev->parent->of_node), however, an ACPI parent will return NULL in
      the of_node check and will thus not result in sysdev being set to
      sysdev->parent
      
      [   17.591549] xhci-hcd: probe of xhci-hcd.6.auto failed with error -5
      
      This change adds a check for ACPI to completely allow for condition 2.
      This is done by first checking if the parent node is of type ACPI (e.g.,
      dwc3-plat) and set sysdev to sysdev->parent if either of the two
      following conditions are met:
      
      1: If fwnode is empty (in the case that platform_device_add_properties
      was not called on the allocated platform device)
      2: fwnode exists but is not of type ACPI (this would happen if
      platform_device_add_properties was called on the allocated device.
      Instead of type FWNODE_ACPI, you would end up with FWNODE_PDATA)
      
      Cc: stable@vger.kernel.org #4.12.x
      Cc: stable@vger.kernel.org #4.13.x
      
      Fixes: 4c39d4b9 ("usb: xhci: use bus->sysdev for DMA configuration")
      Tested-by: Thang Q. Nguyen <tqnguyen@apm.com>
      Signed-off-by: Adam Wallis <awallis@codeaurora.org>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xhci: fix wrong endpoint ESIT value shown in tracing · 76a14d7b
      Mathias Nyman authored
      Read the endpoint ESIT from endpoint context using correct macro.
      Add a macro for reading the high bits of ESIT for Large ESIT Payload
      Capable hosts (LEC=1)
      
      Cc: <stable@vger.kernel.org> # 4.12
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: pci-quirks.c: Corrected timeout values used in handshake · 114ec3a6
      Jim Dickerson authored
      Servers were emitting failed handoff messages but were not
      waiting the full 1 second as designated in section 4.22.1 of
      the eXtensible Host Controller Interface specifications. The
      handshake was using wrong units so calls were made with milliseconds
      not microseconds. Comments referenced 5 seconds not 1 second as
      in specs.
      
      The wrong units were also corrected in a second handshake call.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Jim Dickerson <jim.dickerson@hpe.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xhci: fix finding correct bus_state structure for USB 3.1 hosts · 5a838a13
      Mathias Nyman authored
      xhci driver keeps a bus_state structure for each hcd (usb2 and usb3)
      
      The structure is picked based on hcd speed, but driver only compared
      for HCD_USB3 speed, returning the wrong bus_state for HCD_USB31 hosts.
      
      This caused null pointer dereference errors in bus_resume function.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: xhci: Free the right ring in xhci_add_endpoint() · 9821786d
      Lu Baolu authored
      In the xhci_add_endpoint(), a new ring was allocated and saved at
      xhci_virt_ep->new_ring. Hence, when error happens, we need to free
      the allocated ring before returning error.
      
      Current code frees xhci_virt_ep->ring instead of the new_ring. This
      patch fixes this.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: dwc3: ep0: fix DMA starvation by assigning req->trb on ep0 · 55168470
      Felipe Balbi authored
      If we don't assign a TRB to ep0 requests, we won't be able to unmap
      the request later on resulting in starvation of DMA resources.
      
      Fixes: 4a71fcb8 ("usb: dwc3: gadget: only unmap requests from DMA if mapped")
      Reported-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
      Tested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
      Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    • usb: Increase quirk delay for USB devices · b2a542bb
      Dmitry Fleytman authored
      Commit e0429362
      ("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
      introduced quirk to workaround an issue with some Logitech webcams.
      
      The workaround is introducing delay for some USB operations.
      
      According to our testing, delay introduced by original commit
      is not long enough and in rare cases we still see issues described
      by the aforementioned commit.
      
      This patch increases delays introduced by original commit.
      Having this patch applied we do not see those problems anymore.
      Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • uwb: properly check kthread_run return value · bbf26183
      Andrey Konovalov authored
      uwbd_start() calls kthread_run() and checks that the return value is
      not NULL. But the return value is not NULL in case kthread_run() fails,
      it takes the form of ERR_PTR(-EINTR).
      
      Use IS_ERR() instead.
      
      Also add a check to uwbd_stop().
      Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
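Why a NULL test misses the failure described in the kthread_run commit above, as an added user-space model (not code from the commit or the uwb driver). `ERR_PTR`, `PTR_ERR` and `IS_ERR` are re-implemented here after the kernel helpers of the same names; `fake_kthread_run`, `struct rc_daemon` and the stop-side guard are hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space re-implementation of the kernel's error-pointer helpers:
 * a negative errno is stored in the pointer value itself, in the top
 * MAX_ERRNO addresses of the address space. */
#define MAX_ERRNO 4095

static void *ERR_PTR(long error)      { return (void *)(intptr_t)error; }
static long  PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static int   IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)(-MAX_ERRNO);
}

struct task { int running; };
struct rc_daemon { struct task *task; };   /* hypothetical owner of the thread */

static struct task the_task;

/* Stand-in for kthread_run(): on failure it returns ERR_PTR(-EINTR),
 * which is a non-NULL pointer value. */
static struct task *fake_kthread_run(int fail)
{
    if (fail)
        return ERR_PTR(-EINTR);
    the_task.running = 1;
    return &the_task;
}

/* Pre-fix check: only NULL is treated as failure. */
static int start_null_check(struct rc_daemon *d, int fail)
{
    d->task = fake_kthread_run(fail);
    if (d->task == NULL)
        return -1;
    return 0;   /* reports success even when d->task holds an encoded errno */
}

/* Post-fix check: IS_ERR(), and the encoded errno is never kept as a pointer. */
static int start_is_err_check(struct rc_daemon *d, int fail)
{
    struct task *t = fake_kthread_run(fail);

    if (IS_ERR(t)) {
        d->task = NULL;
        return (int)PTR_ERR(t);
    }
    d->task = t;
    return 0;
}

/* Stop-side guard (assumed form): touch the task only if one was started.
 * Returns 1 if a task was stopped, 0 if there was nothing to stop. */
static int daemon_stop(struct rc_daemon *d)
{
    if (d->task == NULL || IS_ERR(d->task))
        return 0;
    d->task->running = 0;
    d->task = NULL;
    return 1;
}

int main(void)
{
    struct rc_daemon d = { NULL };

    printf("NULL check:   start=%d, task is error pointer=%d\n",
           start_null_check(&d, 1), IS_ERR(d.task));
    printf("IS_ERR check: start=%d, task=%p\n",
           start_is_err_check(&d, 1), (void *)d.task);
    printf("stop after failed start: %d\n", daemon_stop(&d));
    return 0;
}
```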
    • uwb: ensure that endpoint is interrupt · 70e743e4
      Andrey Konovalov authored
      hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no
      check for that, which results in a WARNING in USB core code, when a bad
      USB descriptor is provided from a device:
      
      usb 1-1: BOGUS urb xfer, pipe 1 != type 3
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0
      Modules linked in:
      CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Workqueue: usb_hub_wq hub_event
      task: ffff88006bdc1a00 task.stack: ffff88006bde8000
      RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
      RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282
      RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000
      RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a
      RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff
      R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f
      R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90
      FS:  0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0
      Call Trace:
       hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710
       uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361
       hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858
       usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361
       really_probe drivers/base/dd.c:385
       driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
       __device_attach_driver+0x230/0x290 drivers/base/dd.c:625
       bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
       __device_attach+0x269/0x3c0 drivers/base/dd.c:682
       device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
       bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
       device_add+0xcf9/0x1640 drivers/base/core.c:1703
       usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932
       generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
       usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
       really_probe drivers/base/dd.c:385
       driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
       __device_attach_driver+0x230/0x290 drivers/base/dd.c:625
       bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
       __device_attach+0x269/0x3c0 drivers/base/dd.c:682
       device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
       bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
       device_add+0xcf9/0x1640 drivers/base/core.c:1703
       usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
       hub_port_connect drivers/usb/core/hub.c:4890
       hub_port_connect_change drivers/usb/core/hub.c:4996
       port_event drivers/usb/core/hub.c:5102
       hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182
       process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
       worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
       kthread+0x324/0x3f0 kernel/kthread.c:231
       ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
      Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89
      e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f>
      ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6
      ---[ end trace 55d741234124cfc3 ]---
      
      Check that endpoint is interrupt.
      
      Found by syzkaller.
      Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  6. 16 Sep, 2017 13 commits
    • Linux 4.14-rc1 · 2bd6bf03
      Linus Torvalds authored
    • Merge tag 'upstream-4.14-rc1' of git://git.infradead.org/linux-ubifs · 194a4ef9
      Linus Torvalds authored
      Pull UBI updates from Richard Weinberger:
       "Minor improvements"
      
      * tag 'upstream-4.14-rc1' of git://git.infradead.org/linux-ubifs:
        UBI: Fix two typos in comments
        ubi: fastmap: fix spelling mistake: "invalidiate" -> "invalidate"
        ubi: pr_err() strings should end with newlines
        ubi: pr_err() strings should end with newlines
        ubi: pr_err() strings should end with newlines
    • Merge branch 'for-linus-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml · 2896b80e
      Linus Torvalds authored
      Pull UML updates from Richard Weinberger:
      
       - minor improvements
      
       - fixes for Debian's new gcc defaults (pie enabled by default)
      
       - fixes for XSTATE/XSAVE to make UML work again on modern systems
      
      * 'for-linus-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml:
        um: return negative in tuntap_open_tramp()
        um: remove a stray tab
        um: Use relative modversions with LD_SCRIPT_DYN
        um: link vmlinux with -no-pie
        um: Fix CONFIG_GCOV for modules.
        Fix minor typos and grammar in UML start_up help
        um: defconfig: Cleanup from old Kconfig options
        um: Fix FP register size for XSTATE/XSAVE
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 48bddb14
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix hotplug deadlock in hv_netvsc, from Stephen Hemminger.
      
       2) Fix double-free in rmnet driver, from Dan Carpenter.
      
       3) INET connection socket layer can double put request sockets, fix
          from Eric Dumazet.
      
       4) Don't match collect metadata-mode tunnels if the device is down,
          from Haishuang Yan.
      
       5) Do not perform TSO6/GSO on ipv6 packets with extensions headers in
          be2net driver, from Suresh Reddy.
      
       6) Fix scaling error in gen_estimator, from Eric Dumazet.
      
       7) Fix 64-bit statistics deadlock in systemport driver, from Florian
          Fainelli.
      
       8) Fix use-after-free in sctp_sock_dump, from Xin Long.
      
       9) Reject invalid BPF_END instructions in verifier, from Edward Cree.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (43 commits)
        mlxsw: spectrum_router: Only handle IPv4 and IPv6 events
        Documentation: link in networking docs
        tcp: fix data delivery rate
        bpf/verifier: reject BPF_ALU64|BPF_END
        sctp: do not mark sk dumped when inet_sctp_diag_fill returns err
        sctp: fix an use-after-free issue in sctp_sock_dump
        netvsc: increase default receive buffer size
        tcp: update skb->skb_mstamp more carefully
        net: ipv4: fix l3slave check for index returned in IP_PKTINFO
        net: smsc911x: Quieten netif during suspend
        net: systemport: Fix 64-bit stats deadlock
        net: vrf: avoid gcc-4.6 warning
        qed: remove unnecessary call to memset
        tg3: clean up redundant initialization of tnapi
        tls: make tls_sw_free_resources static
        sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
        MAINTAINERS: review Renesas DT bindings as well
        net_sched: gen_estimator: fix scaling error in bytes/packets samples
        nfp: wait for the NSP resource to appear on boot
        nfp: wait for board state before talking to the NSP
        ...
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · c8503720
      Linus Torvalds authored
      Pull more input updates from Dmitry Torokhov:
       "A second round of updates for the input subsystem:
      
         - a new driver for PWM-controlled vibrators
      
         - ucb1400 touchscreen driver had completely busted suspend/resume
           handling
      
         - we now handle "home" button found on some devices with Goodix
           touchscreens
      
         - assorted other fixups"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: i8042 - add Gigabyte P57 to the keyboard reset table
        Input: xpad - validate USB endpoint type during probe
        Input: ucb1400_ts - fix suspend and resume handling
        Input: edt-ft5x06 - fix access to non-existing register
        Input: elantech - make arrays debounce_packet static, reduces object code size
        Input: surface3_spi - make const array header static, reduces object code size
        Input: goodix - add support for capacitive home button
        Input: add a driver for PWM controllable vibrators
        Input: adi - make array seq static, reduces object code size
    • firmware: Restore support for built-in firmware · df85b2d7
      Markus Trippelsdorf authored
      Commit 5620a0d1 ("firmware: delete in-kernel firmware") removed the
      entire firmware directory.  Unfortunately it thereby also removed the
      support for built-in firmware.
      
      This restores the ability to build firmware directly into the kernel by
      pruning the original Makefile to the necessary minimum.  The default for
      EXTRA_FIRMWARE_DIR is now the standard directory /lib/firmware/.
      
      Fixes: 5620a0d1 ("firmware: delete in-kernel firmware")
      Signed-off-by: Markus Trippelsdorf <markus@trippelsdorf.de>
      Acked-by: Greg K-H <gregkh@linuxfoundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mlxsw: spectrum_router: Only handle IPv4 and IPv6 events · 8e29f979
      Ido Schimmel authored
      The driver doesn't support events from address families other than IPv4
      and IPv6, so ignore them. Otherwise, we risk queueing a work item before
      it's initialized.
      
      This can happen in case a VRF is configured when MROUTE_MULTIPLE_TABLES
      is enabled, as the VRF driver will try to add an l3mdev rule for the
      IPMR family.
      
      Fixes: 65e65ec1 ("mlxsw: spectrum_router: Don't ignore IPv6 notifications")
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Reported-by: Andreas Rammhold <andreas@rammhold.de>
      Reported-by: Florian Klink <flokli@flokli.de>
      Signed-off-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Documentation: link in networking docs · 2130c028
      Pavel Machek authored
      Fix link in filter.txt.
      Acked-by: Pavel Machek <pavel@ucw.cz>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: fix data delivery rate · fc225799
      Eric Dumazet authored
      Now skb->mstamp_skb is updated later, we also need to call
      tcp_rate_skb_sent() after the update is done.
      
      Fixes: 8c72c65b ("tcp: update skb->skb_mstamp more carefully")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · 73184130
      Linus Torvalds authored
      Pull MIPS updates from Ralf Baechle:
       "This is the main pull request for 4.14 for MIPS; below a summary of
        the non-merge commits:
      
        CM:
         - Rename mips_cm_base to mips_gcr_base
         - Specify register size when generating accessors
         - Use BIT/GENMASK for register fields, order & drop shifts
         - Add cluster & block args to mips_cm_lock_other()
      
        CPC:
         - Use common CPS accessor generation macros
         - Use BIT/GENMASK for register fields, order & drop shifts
         - Introduce register modify (set/clear/change) accessors
         - Use change_*, set_* & clear_* where appropriate
         - Add CM/CPC 3.5 register definitions
         - Use GlobalNumber macros rather than magic numbers
         - Have asm/mips-cps.h include CM & CPC headers
         - Cluster support for topology functions
         - Detect CPUs in secondary clusters
      
        CPS:
         - Read GIC_VL_IDENT directly, not via irqchip driver
      
        DMA:
         - Consolidate coherent and non-coherent dma_alloc code
         - Don't use dma_cache_sync to implement fd_cacheflush
      
        FPU emulation / FP assist code:
         - Another series of 14 commits fixing corner cases such as NaN
           propagation and other special input values.
         - Zero bits 32-63 of the result for a CLASS.D instruction.
         - Enhanced statics via debugfs
         - Do not use bools for arithmetic. GCC 7.1 moans about this.
         - Correct user fault_addr type
      
        Generic MIPS:
         - Enhancement of stack backtraces
         - Cleanup from non-existing options
         - Handle non word sized instructions when examining frame
         - Fix detection and decoding of ADDIUSP instruction
         - Fix decoding of SWSP16 instruction
         - Refactor handling of stack pointer in get_frame_info
         - Remove unreachable code from force_fcr31_sig()
         - Convert to using %pOF instead of full_name
         - Remove the R6000 support.
         - Move FP code from *_switch.S to *_fpu.S
         - Remove unused ST_OFF from r2300_switch.S
         - Allow platform to specify multiple its.S files
         - Add #includes to various files to ensure code builds reliably and
           without warning.
         - Remove __invalidate_kernel_vmap_range
         - Remove plat_timer_setup
         - Declare various variables & functions static
         - Abstract CPU core & VP(E) ID access through accessor functions
         - Store core & VP IDs in GlobalNumber-style variable
         - Unify checks for sibling CPUs
         - Add CPU cluster number accessors
         - Prevent direct use of generic_defconfig
         - Make CONFIG_MIPS_MT_SMP default y
         - Add __ioread64_copy
         - Remove unnecessary inclusions of linux/irqchip/mips-gic.h
      
        GIC:
         - Introduce asm/mips-gic.h with accessor functions
         - Use new GIC accessor functions in mips-gic-timer
         - Remove counter access functions from irq-mips-gic.c
         - Remove gic_read_local_vp_id() from irq-mips-gic.c
         - Simplify shared interrupt pending/mask reads in irq-mips-gic.c
         - Simplify gic_local_irq_domain_map() in irq-mips-gic.c
         - Drop gic_(re)set_mask() functions in irq-mips-gic.c
         - Remove gic_set_polarity(), gic_set_trigger(), gic_set_dual_edge(),
           gic_map_to_pin() and gic_map_to_vpe() from irq-mips-gic.c.
         - Convert remaining shared reg access, local int mask access and
           remaining local reg access to new accessors
         - Move GIC_LOCAL_INT_* to asm/mips-gic.h
         - Remove GIC_CPU_INT* macros from irq-mips-gic.c
         - Move various definitions to the driver
         - Remove gic_get_usm_range()
         - Remove __gic_irq_dispatch() forward declaration
         - Remove gic_init()
         - Use mips_gic_present() in place of gic_present and remove
           gic_present
         - Move gic_get_c0_*_int() to asm/mips-gic.h
         - Remove linux/irqchip/mips-gic.h
         - Inline __gic_init()
         - Inline gic_basic_init()
         - Make pcpu_masks a per-cpu variable
         - Use pcpu_masks to avoid reading GIC_SH_MASK*
         - Clean up mti, reserved-cpu-vectors handling
         - Use cpumask_first_and() in gic_set_affinity()
         - Let the core set struct irq_common_data affinity
      
        microMIPS:
         - Fix microMIPS stack unwinding on big endian systems
      
        MIPS-GIC:
         - SYNC after enabling GIC region
      
        NUMA:
         - Remove the unused parent_node() macro
      
        R6:
         - Constify r2_decoder_tables
         - Add accessor & bit definitions for GlobalNumber
      
        SMP:
         - Constify smp ops
         - Allow boot_secondary SMP op to return errors
      
        VDSO:
         - Drop gic_get_usm_range() usage
         - Avoid use of linux/irqchip/mips-gic.h
      
        Platform changes:
      
        Alchemy:
         - Add devboard machine type to cpuinfo
         - update cpu feature overrides
         - Threaded carddetect irqs for devboards
      
        AR7:
         - allow NULL clock for clk_get_rate
      
        BCM63xx:
         - Fix ENETDMA_6345_MAXBURST_REG offset
         - Allow NULL clock for clk_get_rate
      
        CI20:
         - Enable GPIO and RTC drivers in defconfig
         - Add ethernet and fixed-regulator nodes to DTS
      
        Generic platform:
         - Move Boston and NI 169445 FIT image source to their own files
         - Include asm/bootinfo.h for plat_fdt_relocated()
         - Include asm/time.h for get_c0_*_int()
         - Include asm/bootinfo.h for plat_fdt_relocated()
         - Include asm/time.h for get_c0_*_int()
         - Allow filtering enabled boards by requirements
         - Don't explicitly disable CONFIG_USB_SUPPORT
         - Bump default NR_CPUS to 16
      
        JZ4700:
         - Probe the jz4740-rtc driver from devicetree
      
        Lantiq:
         - Drop check of boot select from the spi-falcon driver.
         - Drop check of boot select from the lantiq-flash MTD driver.
         - Access boot cause register in the watchdog driver through regmap
         - Add device tree binding documentation for the watchdog driver
         - Add docs for the RCU DT bindings.
         - Convert the fpi bus driver to a platform_driver
         - Remove ltq_reset_cause() and ltq_boot_select()
         - Switch to a proper reset driver
         - Switch to a new drivers/soc GPHY driver
         - Add an USB PHY driver for the Lantiq SoCs using the RCU module
         - Use of_platform_default_populate instead of __dt_register_buses
         - Enable MFD_SYSCON to be able to use it for the RCU MFD
         - Replace ltq_boot_select() with dummy implementation.
      
        Loongson 2F:
         - Allow NULL clock for clk_get_rate
      
        Malta:
         - Use new GIC accessor functions
      
        NI 169445:
         - Add support for NI 169445 board.
         - Only include in 32r2el kernels
      
        Octeon:
         - Add support for watchdog of 78XX SOCs.
         - Add support for watchdog of CN68XX SOCs.
         - Expose support for mips32r1, mips32r2 and mips64r1
         - Enable more drivers in config file
         - Add support for accessing the boot vector.
         - Remove old boot vector code from watchdog driver
         - Define watchdog registers for 70xx, 73xx, 78xx, F75xx.
         - Make CSR functions node aware.
         - Allow access to CIU3 IRQ domains.
         - Misc cleanups in the watchdog driver
      
        Omega2+:
         - New board, add support and defconfig
      
        Pistachio:
         - Enable Root FS on NFS in defconfig
      
        Ralink:
         - Add Mediatek MT7628A SoC
         - Allow NULL clock for clk_get_rate
         - Explicitly request exclusive reset control in the pci-mt7620 PCI driver.
      
        SEAD3:
         - Only include in 32 bit kernels by default
      
        VoCore:
         - Add VoCore as a vendor to dt-bindings
         - Add defconfig file"
      
      * '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: (167 commits)
        MIPS: Refactor handling of stack pointer in get_frame_info
        MIPS: Stacktrace: Fix microMIPS stack unwinding on big endian systems
        MIPS: microMIPS: Fix decoding of swsp16 instruction
        MIPS: microMIPS: Fix decoding of addiusp instruction
        MIPS: microMIPS: Fix detection of addiusp instruction
        MIPS: Handle non word sized instructions when examining frame
        MIPS: ralink: allow NULL clock for clk_get_rate
        MIPS: Loongson 2F: allow NULL clock for clk_get_rate
        MIPS: BCM63XX: allow NULL clock for clk_get_rate
        MIPS: AR7: allow NULL clock for clk_get_rate
        MIPS: BCM63XX: fix ENETDMA_6345_MAXBURST_REG offset
        mips: Save all registers when saving the frame
        MIPS: Add DWARF unwinding to assembly
        MIPS: Make SAVE_SOME more standard
        MIPS: Fix issues in backtraces
        MIPS: jz4780: DTS: Probe the jz4740-rtc driver from devicetree
        MIPS: Ci20: Enable RTC driver
        watchdog: octeon-wdt: Add support for 78XX SOCs.
        watchdog: octeon-wdt: Add support for cn68XX SOCs.
        watchdog: octeon-wdt: File cleaning.
        ...
    • Merge tag 'pci-v4.14-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 8d93c7a4
      Linus Torvalds authored
      Pull PCI fix from Bjorn Helgaas:
       "Revert an attempt to fix a race while enabling upstream bridges
        because it broke iwlwifi firmware loading"
      
      * tag 'pci-v4.14-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        Revert "PCI: Avoid race while enabling upstream bridges"
    • Merge tag 'drm-fixes-for-v4.14-rc1' of git://people.freedesktop.org/~airlied/linux · 02cfe977
      Linus Torvalds authored
      Pull drm AMD fixes from Dave Airlie:
       "Just had a single AMD fixes pull from Alex for rc1"
      
      * tag 'drm-fixes-for-v4.14-rc1' of git://people.freedesktop.org/~airlied/linux:
        drm/amdgpu: revert "fix deadlock of reservation between cs and gpu reset v2"
        drm/amdgpu: remove duplicate return statement
        drm/amdgpu: check memory allocation failure
        drm/amd/amdgpu: fix BANK_SELECT on Vega10 (v2)
        drm/amdgpu: inline amdgpu_ttm_do_bind again
        drm/amdgpu: fix amdgpu_ttm_bind
        drm/amdgpu: remove the GART copy hack
        drm/ttm:fix wrong decoding of bo_count
        drm/ttm: fix missing inc bo_count
        drm/amdgpu: set sched_hw_submission higher for KIQ (v3)
        drm/amdgpu: move default gart size setting into gmc modules
        drm/amdgpu: refine default gart size
        drm/amd/powerplay: ACG frequency added in PPTable
        drm/amdgpu: discard commands of killed processes
        drm/amdgpu: fix and cleanup shadow handling
        drm/amdgpu: add automatic per asic settings for gart_size
        drm/amdgpu/gfx8: fix spelling typo in mqd allocation
        drm/amd/powerplay: unhalt mec after loading
        drm/amdgpu/virtual_dce: Virtual display doesn't support disable vblank immediately
        drm/amdgpu: Fix huge page updates with CPU
    • Merge branch 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · bbe05e54
      Linus Torvalds authored
      Pull more i2c updates from Wolfram Sang:
       "I2C has two more new drivers: Altera FPGA and STM32F7"
      
      * 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: i2c-stm32f7: add driver
        i2c: i2c-stm32f4: use generic definition of speed enum
        dt-bindings: i2c-stm32: Document the STM32F7 I2C bindings
        i2c: altera: Add Altera I2C Controller driver
        dt-bindings: i2c: Add Altera I2C Controller
  7. 15 Sep, 2017 4 commits
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 9db59599
      Linus Torvalds authored
      Pull more KVM updates from Paolo Bonzini:
       - PPC bugfixes
       - RCU splat fix
       - swait races fix
       - pointless userspace-triggerable BUG() fix
       - misc fixes for KVM_RUN corner cases
       - nested virt correctness fixes + one host DoS
       - some cleanups
       - clang build fix
       - fix AMD AVIC with default QEMU command line options
       - x86 bugfixes
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (28 commits)
        kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly
        kvm: vmx: Handle VMLAUNCH/VMRESUME failure properly
        kvm: nVMX: Remove nested_vmx_succeed after successful VM-entry
        kvm,mips: Fix potential swait_active() races
        kvm,powerpc: Serialize wq active checks in ops->vcpu_kick
        kvm: Serialize wq active checks in kvm_vcpu_wake_up()
        kvm,x86: Fix apf_task_wake_one() wq serialization
        kvm,lapic: Justify use of swait_active()
        kvm,async_pf: Use swq_has_sleeper()
        sched/wait: Add swq_has_sleeper()
        KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
        KVM: Don't accept obviously wrong gsi values via KVM_IRQFD
        kvm: nVMX: Don't allow L2 to access the hardware CR8
        KVM: trace events: update list of exit reasons
        KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously
        KVM: X86: Don't block vCPU if there is pending exception
        KVM: SVM: Add irqchip_split() checks before enabling AVIC
        KVM: Add struct kvm_vcpu pointer parameter to get_enable_apicv()
        KVM: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()
        KVM: x86: fix clang build
        ...
    • bpf/verifier: reject BPF_ALU64|BPF_END · e67b8a68
      Edward Cree authored
      Neither ___bpf_prog_run nor the JITs accept it.
      Also adds a new test case.
      
      Fixes: 17a52670 ("bpf: verifier (add verifier core)")
      Signed-off-by: Edward Cree <ecree@solarflare.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Acked-by: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: do not mark sk dumped when inet_sctp_diag_fill returns err · 8c7c19a5
      Xin Long authored
      sctp_diag would not actually dump out sk/asoc if inet_sctp_diag_fill
      returns err, in which case it shouldn't mark sk dumped by setting
      cb->args[3] as 1 in sctp_sock_dump().
      
      Otherwise, it could cause some asocs to have no parent's sk dumped
      in 'ss --sctp'.
      
      So this patch is to not set cb->args[3] when inet_sctp_diag_fill()
      returns err in sctp_sock_dump().
      
      Fixes: 8f840e47 ("sctp: add the sctp_diag.c file")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: fix an use-after-free issue in sctp_sock_dump · d25adbeb
      Xin Long authored
      Commit 86fdb344 ("sctp: ensure ep is not destroyed before doing the
      dump") tried to fix a use-after-free issue by checking !sctp_sk(sk)->ep
      with holding sock and sock lock.
      
      But Paolo noticed that endpoint could be destroyed in sctp_rcv without
      sock lock protection. It means the use-after-free issue still could be
      triggered when sctp_rcv put and destroy ep after sctp_sock_dump checks
      !ep, although it's pretty hard to reproduce.
      
      I could reproduce it by mdelay in sctp_rcv while msleep in sctp_close
      and sctp_sock_dump long time.
      
      This patch is to add another param cb_done to sctp_for_each_transport
      and dump ep->assocs with holding tsp after jumping out of transport's
      traversal in it to avoid this issue.
      
      It can also improve sctp diag dump to make it run faster, as no need
      to save sk into cb->args[5] and keep calling sctp_for_each_transport
      any more.
      
      This patch is also to use int * instead of int for the pos argument
      in sctp_for_each_transport, which could make position increment only
      in sctp_for_each_transport and no need to keep changing cb->args[2]
      in sctp_sock_filter and sctp_sock_dump any more.
      
      Fixes: 86fdb344 ("sctp: ensure ep is not destroyed before doing the dump")
      Reported-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: Neil Horman <nhorman@tuxdriver.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>