1. 05 Dec, 2019 10 commits
  2. 01 Dec, 2019 30 commits
    • Linux 4.19.87 · 174651bd
      Greg Kroah-Hartman authored
      174651bd
    • PM / devfreq: Fix kernel oops on governor module load · 6938a9da
      Ezequiel Garcia authored
      commit 7544fd7f upstream.
      
      A bit unexpectedly (but still documented), request_module may
      return a positive value, in case of a modprobe error.
      This is currently causing issues in the devfreq framework.
      
      When a request_module exits with a positive value, we currently
      return that via ERR_PTR. However, because the value is positive,
      it's not a ERR_VALUE proper, and is therefore treated as a
      valid struct devfreq_governor pointer, leading to a kernel oops.
      
      Fix this by returning -EINVAL if request_module returns a positive
      value.
      
      Fixes: b53b0128 ("PM / devfreq: Fix static checker warning in try_then_request_governor")
      Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
      Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
      Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
      Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      6938a9da
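The ERR_PTR trap this commit describes, as an added userspace C example (not devfreq's code): it re-implements the include/linux/err.h helpers, uses a stand-in for request_module() that takes the result it should simulate as its argument, and shows the lookup in its pre-fix and fixed shapes. The governor struct, fake_request_module() and would_dereference_garbage() are constructed for the demo.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace re-implementation of the kernel's ERR_PTR()/IS_ERR()/PTR_ERR()
 * helpers (include/linux/err.h). Only the top MAX_ERRNO addresses encode
 * an error, so only a *negative* errno survives the round trip; a small
 * positive integer such as modprobe's exit status looks like a pointer.
 */
#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct devfreq_governor {
	const char *name;
};

/* The governor that is "found" once its module is loaded (constructed). */
static struct devfreq_governor demo_governor = { .name = "demo" };

/*
 * Stand-in for request_module(): the kernel call returns 0 on success,
 * a negative errno, or the positive exit status of modprobe. The demo
 * takes the result it should simulate as its argument.
 */
static int fake_request_module(int simulated_result)
{
	return simulated_result;
}

/* Shape of the lookup before the fix: every non-zero result goes to ERR_PTR(). */
static struct devfreq_governor *find_governor_buggy(int modprobe_result)
{
	int err = fake_request_module(modprobe_result);

	if (err)
		return ERR_PTR(err);
	return &demo_governor;
}

/* Shape of the lookup after the fix: positive results become -EINVAL. */
static struct devfreq_governor *find_governor_fixed(int modprobe_result)
{
	int err = fake_request_module(modprobe_result);

	if (err > 0)
		return ERR_PTR(-EINVAL);
	if (err < 0)
		return ERR_PTR(err);
	return &demo_governor;
}

/*
 * True when a caller that only tests IS_ERR() would go on to dereference
 * the value: it is not an error cookie, yet it points into the unmapped
 * first page, so reading gov->name would oops in the kernel.
 */
static bool would_dereference_garbage(const struct devfreq_governor *gov)
{
	return !IS_ERR(gov) && (uintptr_t)gov < 4096;
}

int main(void)
{
	const struct devfreq_governor *gov;

	gov = find_governor_buggy(1);	/* modprobe exited with status 1 */
	printf("buggy: IS_ERR=%d bogus=%d\n", IS_ERR(gov), would_dereference_garbage(gov));

	gov = find_governor_fixed(1);
	printf("fixed: IS_ERR=%d err=%ld\n", IS_ERR(gov), PTR_ERR(gov));

	gov = find_governor_fixed(-ENOENT);
	printf("fixed: IS_ERR=%d err=%ld\n", IS_ERR(gov), PTR_ERR(gov));
	return 0;
}
```

The general rule the example illustrates: anything passed to ERR_PTR() must be a negative errno, so every call that can return a positive status (request_module(), and anything wrapping a process exit code) needs explicit normalisation before it is wrapped.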
    • KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel · 345712c9
      Michael Ellerman authored
      commit af2e8c68 upstream.
      
      On some systems that are vulnerable to Spectre v2, it is up to
      software to flush the link stack (return address stack), in order to
      protect against Spectre-RSB.
      
      When exiting from a guest we do some house keeping and then
      potentially exit to C code which is several stack frames deep in the
      host kernel. We will then execute a series of returns without
      preceding calls, opening up the possibility that the guest could have
      poisoned the link stack, and direct speculative execution of the host
      to a gadget of some sort.
      
      To prevent this we add a flush of the link stack on exit from a guest.
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      [dja: straightforward backport to v4.19]
      Signed-off-by: Daniel Axtens <dja@axtens.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      345712c9
    • powerpc/book3s64: Fix link stack flush on context switch · 0a60d4bd
      Michael Ellerman authored
      commit 39e72bf9 upstream.
      
      In commit ee13cb24 ("powerpc/64s: Add support for software count
      cache flush"), I added support for software to flush the count
      cache (indirect branch cache) on context switch if firmware told us
      that was the required mitigation for Spectre v2.
      
      As part of that code we also added a software flush of the link
      stack (return address stack), which protects against Spectre-RSB
      between user processes.
      
      That is all correct for CPUs that activate that mitigation, which is
      currently Power9 Nimbus DD2.3.
      
      What I got wrong is that on older CPUs, where firmware has disabled
      the count cache, we also need to flush the link stack on context
      switch.
      
      To fix it we create a new feature bit which is not set by firmware,
      which tells us we need to flush the link stack. We set that when
      firmware tells us that either of the existing Spectre v2 mitigations
      are enabled.
      
      Then we adjust the patching code so that if we see that feature bit we
      enable the link stack flush. If we're also told to flush the count
      cache in software then we fall through and do that also.
      
      On the older CPUs we don't need to do the software count cache
      flush, firmware has disabled it, so in that case we patch in an early
      return after the link stack flush.
      
      The naming of some of the functions is awkward after this patch,
      because they're called "count cache" but they also do link stack. But
      we'll fix that up in a later commit to ease backporting.
      
      This is the fix for CVE-2019-18660.
      Reported-by: Anthony Steinhauser <asteinhauser@google.com>
      Fixes: ee13cb24 ("powerpc/64s: Add support for software count cache flush")
      Cc: stable@vger.kernel.org # v4.4+
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a60d4bd
    • powerpc/64s: support nospectre_v2 cmdline option · 19d98b4d
      Christopher M. Riedl authored
      commit d8f0e0b0 upstream.
      
      Add support for disabling the kernel implemented spectre v2 mitigation
      (count cache flush on context switch) via the nospectre_v2 and
      mitigations=off cmdline options.
      Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
      Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20190524024647.381-1-cmr@informatik.wtf
      Signed-off-by: Daniel Axtens <dja@axtens.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      19d98b4d
    • staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error · b7e2a040
      Bernd Porr authored
      commit 5618332e upstream.
      
      The userspace comedilib function 'get_cmd_generic_timed' fills
      the cmd structure with an informed guess and then calls the
      function 'usbduxfast_ai_cmdtest' in this driver repeatedly while
      'usbduxfast_ai_cmdtest' is modifying the cmd struct until it
      no longer changes. However, because of rounding errors this never
      converged because 'steps = (cmd->convert_arg * 30) / 1000' and then
      back to 'cmd->convert_arg = (steps * 1000) / 30' won't be the same
      because of rounding errors. 'Steps' should only be converted back to
      the 'convert_arg' if 'steps' has actually been modified. In addition
      the case of steps being 0 wasn't checked which is also now done.
      Signed-off-by: Bernd Porr <mail@berndporr.me.uk>
      Cc: <stable@vger.kernel.org> # 4.4+
      Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
      Link: https://lore.kernel.org/r/20191118230759.1727-1-mail@berndporr.me.uk
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      b7e2a040
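The non-converging round trip between convert_arg (ns) and steps (30 MHz ticks) that this commit describes, as an added simulation in C. This is not the comedi driver's code: it is a simplified model with an assumed MAX_STEPS limit, no per-chanlist minimum, a settle() loop standing in for comedilib's repeated cmdtest calls, and a fixed variant that follows the approach the message states (reject steps == 0, write convert_arg back only when steps was actually changed) while rounding the write-back up so the result is stable under a second pass.

```c
#include <stdio.h>

/*
 * Constructed model of the usbduxfast sampling-period conversion.
 * convert_arg is a period in ns; the hardware counts ticks of a 30 MHz
 * clock ("steps"), so 1000 ns == 30 steps. MAX_STEPS is an assumed
 * limit for the demo, not the driver's constant.
 */
#define TICKS_PER_US 30
#define MAX_STEPS    500

static unsigned int ns_to_steps(unsigned int ns)
{
	return (ns * TICKS_PER_US) / 1000;
}

/* Truncating write-back: not an inverse of ns_to_steps(), as the commit notes. */
static unsigned int steps_to_ns(unsigned int steps)
{
	return (steps * 1000) / TICKS_PER_US;
}

/* Rounding up instead: ns_to_steps(steps_to_ns_up(s)) == s for every s >= 1. */
static unsigned int steps_to_ns_up(unsigned int steps)
{
	return (steps * 1000 + TICKS_PER_US - 1) / TICKS_PER_US;
}

/* Like comedi_check_trigger_arg_min/max/is(): return 1 if *v had to change. */
static int arg_min(unsigned int *v, unsigned int min) { if (*v < min) { *v = min; return 1; } return 0; }
static int arg_max(unsigned int *v, unsigned int max) { if (*v > max) { *v = max; return 1; } return 0; }
static int arg_is(unsigned int *v, unsigned int want) { if (*v != want) { *v = want; return 1; } return 0; }

/*
 * Pre-fix shape: steps is always converted back, so every pass re-rounds
 * convert_arg even when nothing was clamped, and steps == 0 is accepted.
 */
static int cmdtest_old(unsigned int *convert_arg)
{
	unsigned int steps = ns_to_steps(*convert_arg);
	int err = 0;

	err |= arg_max(&steps, MAX_STEPS);
	err |= arg_is(convert_arg, steps_to_ns(steps));
	return err;
}

/*
 * Fixed shape: reject steps == 0, write convert_arg back only when the
 * clamping changed steps, and round up so the new value survives a
 * second pass unchanged.
 */
static int cmdtest_fixed(unsigned int *convert_arg)
{
	unsigned int steps = ns_to_steps(*convert_arg);
	int err = 0;

	err |= arg_min(&steps, 1);
	err |= arg_max(&steps, MAX_STEPS);
	if (err)
		arg_is(convert_arg, steps_to_ns_up(steps));
	return err;
}

/*
 * Stand-in for comedilib's get_cmd_generic_timed() loop: keep calling
 * cmdtest until it stops changing the command. Returns the number of
 * passes that changed something, or -1 if it never settled within limit.
 */
static int settle(int (*cmdtest)(unsigned int *), unsigned int *convert_arg, int limit)
{
	for (int i = 0; i < limit; i++)
		if (!cmdtest(convert_arg))
			return i;
	return -1;
}

static int passes(int (*cmdtest)(unsigned int *), unsigned int start)
{
	unsigned int arg = start;
	return settle(cmdtest, &arg, 10);
}

static unsigned int final_arg(int (*cmdtest)(unsigned int *), unsigned int start)
{
	unsigned int arg = start;
	settle(cmdtest, &arg, 10);
	return arg;
}

int main(void)
{
	printf("old:   34 ns -> %u ns after %d changing passes (steps=%u)\n",
	       final_arg(cmdtest_old, 34), passes(cmdtest_old, 34),
	       ns_to_steps(final_arg(cmdtest_old, 34)));
	printf("fixed: 34 ns -> %u ns after %d changing passes\n",
	       final_arg(cmdtest_fixed, 34), passes(cmdtest_fixed, 34));
	printf("fixed: 20 ns -> %u ns after %d changing passes\n",
	       final_arg(cmdtest_fixed, 20), passes(cmdtest_fixed, 20));
	return 0;
}
```

With the old shape a request for 34 ns drifts to 33 ns and then to 0 ns, where the loop finally "converges" on a period of zero ticks that nothing rejects; the fixed shape accepts 34 ns unchanged and turns a too-short 20 ns into 34 ns in a single pass.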
    • USB: serial: option: add support for Foxconn T77W968 LTE modules · 4101916e
      Aleksander Morgado authored
      commit f0797095 upstream.
      
      These are the Foxconn-branded variants of the Dell DW5821e modules,
      same USB layout as those. The device exposes AT, NMEA and DIAG ports
      in both USB configurations.
      
      P:  Vendor=0489 ProdID=e0b4 Rev=03.18
      S:  Manufacturer=FII
      S:  Product=T77W968 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      
      P:  Vendor=0489 ProdID=e0b4 Rev=03.18
      S:  Manufacturer=FII
      S:  Product=T77W968 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
      I:  If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#=0x6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
      [ johan: drop id defines ]
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4101916e
    • USB: serial: option: add support for DW5821e with eSIM support · 62aca664
      Aleksander Morgado authored
      commit 957c31ea upstream.
      
      The device exposes AT, NMEA and DIAG ports in both USB configurations.
      Exactly same layout as the default DW5821e module, just a different
      vid/pid.
      
      P:  Vendor=413c ProdID=81e0 Rev=03.18
      S:  Manufacturer=Dell Inc.
      S:  Product=DW5821e-eSIM Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      
      P:  Vendor=413c ProdID=81e0 Rev=03.18
      S:  Manufacturer=Dell Inc.
      S:  Product=DW5821e-eSIM Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
      I:  If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#=0x6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      62aca664
    • USB: serial: mos7840: fix remote wakeup · 3349ed26
      Johan Hovold authored
      commit 92fe35fb upstream.
      
      The driver was setting the device remote-wakeup feature during probe in
      violation of the USB specification (which says it should only be set
      just prior to suspending the device). This could potentially waste
      power during suspend as well as lead to spurious wakeups.
      
      Note that USB core would clear the remote-wakeup feature at first
      resume.
      
      Fixes: 3f542974 ("USB: Moschip 7840 USB-Serial Driver")
      Cc: stable <stable@vger.kernel.org>     # 2.6.19
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      3349ed26
    • USB: serial: mos7720: fix remote wakeup · abbda35d
      Johan Hovold authored
      commit ea422312 upstream.
      
      The driver was setting the device remote-wakeup feature during probe in
      violation of the USB specification (which says it should only be set
      just prior to suspending the device). This could potentially waste
      power during suspend as well as lead to spurious wakeups.
      
      Note that USB core would clear the remote-wakeup feature at first
      resume.
      
      Fixes: 0f64478c ("USB: add USB serial mos7720 driver")
      Cc: stable <stable@vger.kernel.org>     # 2.6.19
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      abbda35d
    • USB: serial: mos7840: add USB ID to support Moxa UPort 2210 · 84743898
      Pavel Löbl authored
      commit e696d00e upstream.
      
      Add USB ID for MOXA UPort 2210. This device contains mos7820 but
      it passes GPIO0 check implemented by driver and it's detected as
      mos7840. Hence product id check is added to force mos7820 mode.
      Signed-off-by: Pavel Löbl <pavel@loebl.cz>
      Cc: stable <stable@vger.kernel.org>
      [ johan: rename id defines and add vendor-id check ]
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      84743898
    • appledisplay: fix error handling in the scheduled work · 356440a7
      Oliver Neukum authored
      commit 91feb015 upstream.
      
      The work item can operate on

      1. stale memory left over from the last transfer:
         the actual length of the data transferred needs to be checked
      2. memory already freed:
         the error handling in appledisplay_probe() needs
         to cancel the work in that case

      Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      356440a7
    • USB: chaoskey: fix error case of a timeout · 0439d6b9
      Oliver Neukum authored
      commit 92aa5986 upstream.
      
      In case of a timeout or if a signal aborts a read
      communication with the device needs to be ended
      lest we overwrite an active URB the next time we
      do IO to the device, as the URB may still be active.
      Signed-off-by: Oliver Neukum <oneukum@suse.de>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191107142856.16774-1-oneukum@suse.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      0439d6b9
    • usb-serial: cp201x: support Mark-10 digital force gauge · a18675e5
      Greg Kroah-Hartman authored
      commit 347bc8cb upstream.
      
      Add support for the Mark-10 digital force gauge device to the cp201x
      driver.
      
      Based on a report and a larger patch from Joel Jennings
      Reported-by: Joel Jennings <joel.jennings@makeitlabs.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: Johan Hovold <johan@kernel.org>
      Link: https://lore.kernel.org/r/20191118092119.GA153852@kroah.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      a18675e5
    • usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() · 61f6a3fa
      Suwan Kim authored
      commit 2a912531 upstream.
      
      Smatch reported that nents is not initialized and used in
      stub_recv_cmd_submit(). nents is currently initialized by sgl_alloc()
      and used to allocate multiple URBs when the host controller doesn't
      support scatter-gather DMA. The use of uninitialized nents means that
      buf_len is zero and use_sg is true. But the buffer length should not be
      zero when a URB uses scatter-gather DMA.
      
      To prevent this situation, add the conditional that checks buf_len
      and use_sg. And move the use of nents right after the sgl_alloc() to
      avoid the use of uninitialized nents.
      
      If the error occurs, it adds SDEV_EVENT_ERROR_MALLOC and stub_priv
      will be released by stub event handler and connection will be shut
      down.
      
      Fixes: ea44d190 ("usbip: Implement SG support to vhci-hcd and stub driver")
      Reported-by: kbuild test robot <lkp@intel.com>
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Suwan Kim <suwan.kim027@gmail.com>
      Acked-by: Shuah Khan <skhan@linuxfoundation.org>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191111141035.27788-1-suwan.kim027@gmail.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      61f6a3fa
    • usbip: tools: fix fd leakage in the function of read_attr_usbip_status · 375b26a8
      Hewenliang authored
      commit 26a4d4c0 upstream.
      
      We should close the fd before the return of read_attr_usbip_status.
      
      Fixes: 3391ba0e ("usbip: tools: Extract generic code to be shared with vudc backend")
      Signed-off-by: Hewenliang <hewenliang4@huawei.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191025043515.20053-1-hewenliang4@huawei.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      375b26a8
    • USBIP: add config dependency for SGL_ALLOC · e70448b9
      Oliver Neukum authored
      commit 1ec13aba upstream.
      
      USBIP uses lib/scatterlist.h.
      Hence it needs to set CONFIG_SGL_ALLOC.
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: Shuah Khan <skhan@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20191112154939.21217-1-oneukum@suse.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e70448b9
    • virtio_ring: fix return code on DMA mapping fails · 5d0b56f6
      Halil Pasic authored
      [ Upstream commit f7728002 ]
      
      Commit 780bc790 ("virtio_ring: Support DMA APIs") makes
      virtqueue_add() return -EIO when we fail to map our I/O buffers. This is
      a very realistic scenario for guests with encrypted memory, as swiotlb
      may run out of space, depending on its size and the I/O load.

      The virtio-blk driver interprets -EIO from virtqueue_add() as an IO
      error, despite the fact that swiotlb full is in absence of bugs a
      recoverable condition.

      Let us change the return code to -ENOMEM, and make the block layer
      recover from these failures when virtio-blk encounters the condition
      described above.
      
      Cc: stable@vger.kernel.org
      Fixes: 780bc790 ("virtio_ring: Support DMA APIs")
      Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
      Tested-by: Michael Mueller <mimu@linux.ibm.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      5d0b56f6
    • media: imon: invalid dereference in imon_touch_event · 78260a29
      Sean Young authored
      commit f3f5ba42 upstream.
      
      The touch timer is set up in intf1. If the second interface does not exist,
      the timer and touch input device are not set up and we get the following
      error, when touch events are reported via intf0.
      
      kernel BUG at kernel/time/timer.c:956!
      invalid opcode: 0000 [#1] SMP KASAN
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc1+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__mod_timer kernel/time/timer.c:956 [inline]
      RIP: 0010:__mod_timer kernel/time/timer.c:949 [inline]
      RIP: 0010:mod_timer+0x5a2/0xb50 kernel/time/timer.c:1100
      Code: 45 10 c7 44 24 14 ff ff ff ff 48 89 44 24 08 48 8d 45 20 48 c7 44 24 18 00 00 00 00 48 89 04 24 e9 5a fc ff ff e8 ae ce 0e 00 <0f> 0b e8 a7 ce 0e 00 4c 89 74 24 20 e9 37 fe ff ff e8 98 ce 0e 00
      RSP: 0018:ffff8881db209930 EFLAGS: 00010006
      RAX: ffffffff86c2b200 RBX: 00000000ffffa688 RCX: ffffffff83efc583
      RDX: 0000000000000100 RSI: ffffffff812f4d82 RDI: ffff8881d2356200
      RBP: ffff8881d23561e8 R08: ffffffff86c2b200 R09: ffffed103a46abeb
      R10: ffffed103a46abea R11: ffff8881d2355f53 R12: dffffc0000000000
      R13: 1ffff1103b64132d R14: ffff8881d2355f50 R15: 0000000000000006
      FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f75e2799000 CR3: 00000001d3b07000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <IRQ>
       imon_touch_event drivers/media/rc/imon.c:1348 [inline]
       imon_incoming_packet.isra.0+0x2546/0x2f10 drivers/media/rc/imon.c:1603
       usb_rx_callback_intf0+0x151/0x1e0 drivers/media/rc/imon.c:1734
       __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1654
       usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1719
       dummy_timer+0x120f/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1965
       call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
       expire_timers kernel/time/timer.c:1449 [inline]
       __run_timers kernel/time/timer.c:1773 [inline]
       __run_timers kernel/time/timer.c:1740 [inline]
       run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
       __do_softirq+0x221/0x912 kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0x178/0x1a0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
       </IRQ>
      RIP: 0010:default_idle+0x28/0x2e0 arch/x86/kernel/process.c:581
      Code: 90 90 41 56 41 55 65 44 8b 2d 44 3a 8f 7a 41 54 55 53 0f 1f 44 00 00 e8 36 ee d0 fb e9 07 00 00 00 0f 00 2d fa dd 4f 00 fb f4 <65> 44 8b 2d 20 3a 8f 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
      RSP: 0018:ffffffff86c07da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: 0000000000000007 RBX: ffffffff86c2b200 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff86c2ba4c
      RBP: fffffbfff0d85640 R08: ffffffff86c2b200 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       cpuidle_idle_call kernel/sched/idle.c:154 [inline]
       do_idle+0x3b6/0x500 kernel/sched/idle.c:263
       cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:355
       start_kernel+0x82a/0x864 init/main.c:784
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
      Modules linked in:
      
      Reported-by: syzbot+f49d12d34f2321cf4df2@syzkaller.appspotmail.com
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      78260a29
    • media: cxusb: detect cxusb_ctrl_msg error in query · 94a94b60
      Vito Caputo authored
      commit ca8f245f upstream.
      
      Don't use uninitialized ircode[] in cxusb_rc_query() when
      cxusb_ctrl_msg() fails to populate its contents.
      
      syzbot reported:
      
      dvb-usb: bulk message failed: -22 (1/-30591)
      =====================================================
      BUG: KMSAN: uninit-value in ir_lookup_by_scancode drivers/media/rc/rc-main.c:494 [inline]
      BUG: KMSAN: uninit-value in rc_g_keycode_from_table drivers/media/rc/rc-main.c:582 [inline]
      BUG: KMSAN: uninit-value in rc_keydown+0x1a6/0x6f0 drivers/media/rc/rc-main.c:816
      CPU: 1 PID: 11436 Comm: kworker/1:2 Not tainted 5.3.0-rc7+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events dvb_usb_read_remote_control
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x191/0x1f0 lib/dump_stack.c:113
       kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
       bsearch+0x1dd/0x250 lib/bsearch.c:41
       ir_lookup_by_scancode drivers/media/rc/rc-main.c:494 [inline]
       rc_g_keycode_from_table drivers/media/rc/rc-main.c:582 [inline]
       rc_keydown+0x1a6/0x6f0 drivers/media/rc/rc-main.c:816
       cxusb_rc_query+0x2e1/0x360 drivers/media/usb/dvb-usb/cxusb.c:548
       dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
       process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
       worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
       kthread+0x4b5/0x4f0 kernel/kthread.c:256
       ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
       kmsan_internal_chain_origin+0xd2/0x170 mm/kmsan/kmsan.c:314
       __msan_chain_origin+0x6b/0xe0 mm/kmsan/kmsan_instr.c:184
       rc_g_keycode_from_table drivers/media/rc/rc-main.c:583 [inline]
       rc_keydown+0x2c4/0x6f0 drivers/media/rc/rc-main.c:816
       cxusb_rc_query+0x2e1/0x360 drivers/media/usb/dvb-usb/cxusb.c:548
       dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
       process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
       worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
       kthread+0x4b5/0x4f0 kernel/kthread.c:256
       ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
      
      Local variable description: ----ircode@cxusb_rc_query
      Variable was created at:
       cxusb_rc_query+0x4d/0x360 drivers/media/usb/dvb-usb/cxusb.c:543
       dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
      Signed-off-by: Vito Caputo <vcaputo@pengaru.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      94a94b60
    • media: b2c2-flexcop-usb: add sanity checking · 8b42c263
      Oliver Neukum authored
      commit 1b976fc6 upstream.
      
      The driver needs an isochronous endpoint to be present. It will
      oops in its absence. Add checking for it.
      
      Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b42c263
    • media: uvcvideo: Fix error path in control parsing failure · 56be9f1b
      Laurent Pinchart authored
      commit 8c279e93 upstream.
      
      When parsing the UVC control descriptors fails, the error path tries to
      cleanup a media device that hasn't been initialised, potentially
      resulting in a crash. Fix this by initialising the media device before
      the error handling path can be reached.
      
      Fixes: 5a254d75 ("[media] uvcvideo: Register a v4l2_device")
      Reported-by: syzbot+c86454eb3af9e8a4da20@syzkaller.appspotmail.com
      Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      56be9f1b
    • cpufreq: Add NULL checks to show() and store() methods of cpufreq · 61e73cf5
      Kai Shen authored
      commit e6e8df07 upstream.
      
      Add NULL checks to show() and store() in cpufreq.c to avoid attempts
      to invoke a NULL callback.
      
      Though some interfaces of cpufreq are set as read-only, users can
      still get write permission using chmod which can lead to a kernel
      crash, as follows:
      
      chmod +w /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
      echo 1 >  /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
      
      This bug was found in linux 4.19.
      Signed-off-by: Kai Shen <shenkai8@huawei.com>
      Reported-by: Feilong Lin <linfeilong@huawei.com>
      Reviewed-by: Feilong Lin <linfeilong@huawei.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      [ rjw: Subject & changelog ]
      Cc: All applicable <stable@vger.kernel.org>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      61e73cf5
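The chmod-then-write sequence from this commit message, as an added C model of the sysfs dispatch (not cpufreq's code). The point it makes concrete: the file mode is the only thing the VFS checks, root can change it, and a read-only attribute has no store() callback at all, so the dispatcher itself must test the callback pointer. The policy struct, the two-entry attribute table, sysfs_chmod() and the scenario functions are constructed for the demo; there is no kobject or rwsem.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Constructed model of cpufreq's sysfs show()/store() dispatch. The names
 * follow drivers/cpufreq/cpufreq.c, but the bodies are demo code: no
 * kobject, no rwsem, and the "filesystem" is a two-entry table.
 */
struct cpufreq_policy { unsigned int cur, max; };

struct freq_attr {
	const char *name;
	unsigned int mode;	/* sysfs permission bits; root can chmod them */
	ssize_t (*show)(struct cpufreq_policy *, char *);
	ssize_t (*store)(struct cpufreq_policy *, const char *, size_t);
};

struct cpufreq_sysfs { struct cpufreq_policy policy; struct freq_attr attrs[2]; };

static ssize_t show_cur(struct cpufreq_policy *p, char *buf) { return sprintf(buf, "%u\n", p->cur); }
static ssize_t show_max(struct cpufreq_policy *p, char *buf) { return sprintf(buf, "%u\n", p->max); }
static ssize_t store_max(struct cpufreq_policy *p, const char *buf, size_t len)
{
	unsigned int v;
	if (sscanf(buf, "%u", &v) != 1)
		return -EINVAL;
	p->max = v;
	return (ssize_t)len;
}

static void cpufreq_sysfs_init(struct cpufreq_sysfs *s)
{
	s->policy = (struct cpufreq_policy){ .cur = 1800000, .max = 2400000 };
	/* scaling_cur_freq is read-only, so it has no store() callback at all. */
	s->attrs[0] = (struct freq_attr){ "scaling_cur_freq", 0444, show_cur, NULL };
	s->attrs[1] = (struct freq_attr){ "scaling_max_freq", 0644, show_max, store_max };
}

static struct freq_attr *find_attr(struct cpufreq_sysfs *s, const char *name)
{
	for (size_t i = 0; i < 2; i++)
		if (strcmp(s->attrs[i].name, name) == 0)
			return &s->attrs[i];
	return NULL;
}

/* chmod on a sysfs file changes only the mode bits; the callbacks stay as they were. */
static int sysfs_chmod(struct cpufreq_sysfs *s, const char *name, unsigned int mode)
{
	struct freq_attr *a = find_attr(s, name);
	if (!a)
		return -ENOENT;
	a->mode = mode;
	return 0;
}

/*
 * Dispatchers with the fix applied. Before it, the mode check was the only
 * guard and fattr->store() / fattr->show() were called unconditionally, so
 * "chmod +w" followed by a write called a NULL function pointer.
 */
static ssize_t sysfs_store(struct cpufreq_sysfs *s, const char *name, const char *buf, size_t len)
{
	struct freq_attr *fattr = find_attr(s, name);
	if (!fattr)
		return -ENOENT;
	if (!(fattr->mode & 0200))
		return -EACCES;		/* what the VFS says before the chmod */
	if (!fattr->store)
		return -EIO;		/* the added NULL check */
	return fattr->store(&s->policy, buf, len);
}

static ssize_t sysfs_show(struct cpufreq_sysfs *s, const char *name, char *buf)
{
	struct freq_attr *fattr = find_attr(s, name);
	if (!fattr)
		return -ENOENT;
	if (!(fattr->mode & 0400))
		return -EACCES;
	if (!fattr->show)
		return -EIO;		/* the added NULL check */
	return fattr->show(&s->policy, buf);
}

/* The sequence from the commit message: chmod +w, then "echo 1 >" the file. */
static ssize_t scenario_chmod_then_write(void)
{
	struct cpufreq_sysfs s;
	cpufreq_sysfs_init(&s);
	if (sysfs_store(&s, "scaling_cur_freq", "1\n", 2) != -EACCES)
		return -1;	/* the read-only mode must still be honoured before chmod */
	if (sysfs_chmod(&s, "scaling_cur_freq", 0644) != 0)
		return -2;
	return sysfs_store(&s, "scaling_cur_freq", "1\n", 2);
}

/* A legitimate write followed by a read still works; returns the new max or 0. */
static unsigned int scenario_write_and_read_max(void)
{
	struct cpufreq_sysfs s;
	char buf[32];
	cpufreq_sysfs_init(&s);
	if (sysfs_store(&s, "scaling_max_freq", "2000000\n", 8) != 8)
		return 0;
	if (sysfs_show(&s, "scaling_max_freq", buf) != 8 || strcmp(buf, "2000000\n") != 0)
		return 0;
	return s.policy.max;
}
```

After the chmod the write reaches the dispatcher and gets -EIO instead of a jump through NULL; the same guard on the show() side covers attributes that are write-only. The broader lesson is that permission metadata a privileged user can edit is not a substitute for checking that the operation is actually implemented.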
    • media: usbvision: Fix races among open, close, and disconnect · f217cef9
      Alan Stern authored
      commit 9e08117c upstream.
      
      Visual inspection of the usbvision driver shows that it suffers from
      three races between its open, close, and disconnect handlers.  In
      particular, the driver is careful to update its usbvision->user and
      usbvision->remove_pending flags while holding the private mutex, but:
      
      	usbvision_v4l2_close() and usbvision_radio_close() don't hold
      	the mutex while they check the value of
      	usbvision->remove_pending;
      
      	usbvision_disconnect() doesn't hold the mutex while checking
      	the value of usbvision->user; and
      
      	also, usbvision_v4l2_open() and usbvision_radio_open() don't
      	check whether the device has been unplugged before allowing
      	the user to open the device files.
      
      Each of these can potentially lead to usbvision_release() being called
      twice and use-after-free errors.
      
      This patch fixes the races by reading the flags while the mutex is
      still held and checking for pending removes before allowing an open to
      succeed.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      f217cef9
    • media: vivid: Fix wrong locking that causes race conditions on streaming stop · 467052f6
      Alexander Popov authored
      commit 6dcd5d7a upstream.
      
      There is the same incorrect approach to locking implemented in
      vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out() and
      sdr_cap_stop_streaming().
      
      These functions are called during streaming stopping with vivid_dev.mutex
      locked. And they all do the same mistake while stopping their kthreads,
      which need to lock this mutex as well. See the example from
      vivid_stop_generating_vid_cap():
        /* shutdown control thread */
        vivid_grab_controls(dev, false);
        mutex_unlock(&dev->mutex);
        kthread_stop(dev->kthread_vid_cap);
        dev->kthread_vid_cap = NULL;
        mutex_lock(&dev->mutex);
      
      But when this mutex is unlocked, another vb2_fop_read() can lock it
      instead of vivid_thread_vid_cap() and manipulate the buffer queue.
      That causes a use-after-free access later.
      
      To fix those issues let's:
        1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(),
      vivid_stop_generating_vid_out() and sdr_cap_stop_streaming();
        2. use mutex_trylock() with schedule_timeout_uninterruptible() in
      the loops of the vivid kthread handlers.
      Signed-off-by: Alexander Popov <alex.popov@linux.com>
      Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
      Tested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Cc: <stable@vger.kernel.org>      # for v3.18 and up
      Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      467052f6
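      A userspace pthreads model of the locking pattern the fix above introduces, added here as an example and not code from the vivid driver or the commit: the stop path keeps the mutex held while it waits for the worker thread, and the worker loop uses trylock plus a short sleep instead of a blocking lock, so a stopper that owns the mutex cannot deadlock it. `model_dev`, `read_frame()` and `sleep_ms()` are hypothetical stand-ins for `vivid_dev`, `vb2_fop_read()` and `schedule_timeout_uninterruptible()`.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <time.h>
/* Userspace model of the fixed vivid pattern (added example, not driver code): the
 * stopper keeps the mutex held across the thread stop, and the worker polls with
 * trylock + sleep so it cannot deadlock against a stopper that owns the lock. */
struct model_dev {                    /* hypothetical stand-in for vivid_dev */
	pthread_mutex_t mutex;
	pthread_t kthread;
	atomic_bool stop;                 /* kthread_should_stop() equivalent */
	int *bufq;                        /* stands in for the vb2 buffer queue */
};
static struct model_dev model;        /* the single device instance of the model */
static void sleep_ms(long ms) { struct timespec ts = { 0, ms * 1000000L }; nanosleep(&ts, NULL); }
static void *worker(void *arg)        /* vivid_thread_vid_cap() stand-in */
{
	struct model_dev *dev = arg;
	while (!atomic_load(&dev->stop)) {
		/* mutex_trylock() + schedule_timeout_uninterruptible() in the fix */
		if (pthread_mutex_trylock(&dev->mutex) != 0) { sleep_ms(1); continue; }
		dev->bufq[0]++;               /* the queue is touched only under the mutex */
		pthread_mutex_unlock(&dev->mutex);
	}
	return NULL;
}
int read_frame(struct model_dev *dev) /* vb2_fop_read() stand-in */
{
	pthread_mutex_lock(&dev->mutex);
	int ret = dev->bufq ? dev->bufq[0] : -1;  /* intact or gone, never half torn down */
	pthread_mutex_unlock(&dev->mutex);
	return ret;
}
static void stop_streaming_locked(struct model_dev *dev) /* caller holds dev->mutex */
{
	atomic_store(&dev->stop, 1);        /* unlike the buggy code, the lock is never dropped */
	pthread_join(dev->kthread, NULL);   /* kthread_stop(): wait for the worker */
	free(dev->bufq); dev->bufq = NULL;  /* safe: nobody else can own the mutex */
}
/* Streams until a reader sees data, then stops under the lock; 0 on clean teardown. */
int run_model(void)
{
	model = (struct model_dev){ .mutex = PTHREAD_MUTEX_INITIALIZER, .bufq = calloc(1, sizeof(int)) };
	if (pthread_create(&model.kthread, NULL, worker, &model) != 0) return -1;
	int frames = 0;
	for (int i = 0; i < 500 && frames == 0; i++) { sleep_ms(1); frames = read_frame(&model); }
	pthread_mutex_lock(&model.mutex);
	stop_streaming_locked(&model);
	pthread_mutex_unlock(&model.mutex);
	return frames > 0 ? 0 : -1;
}
```

      A reader that arrives after teardown takes the same mutex and gets -1, whereas the original unlock/kthread_stop/lock sequence let it run against a queue that was being freed.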
    • Vandana BN's avatar
      media: vivid: Set vid_cap_streaming and vid_out_streaming to true · b73b28b1
      Vandana BN authored
      commit b4add02d upstream.
      
      When the vbi stream is started, followed by video streaming,
      vid_cap_streaming and vid_out_streaming were not being set to true,
      which would cause the video stream to stop when the vbi stream is stopped.
      This patch allows setting vid_cap_streaming and vid_out_streaming to true.
      According to Hans Verkuil it appears that these 'if (dev->kthread_vid_cap)'
      checks are a left-over from the original vivid development and should never
      have been there.
      Signed-off-by: Vandana BN <bnvandana@gmail.com>
      Cc: <stable@vger.kernel.org>      # for v3.18 and up
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      b73b28b1
    • Oliver Neukum's avatar
      nfc: port100: handle command failure cleanly · af8071f5
      Oliver Neukum authored
      commit 5f9f0b11 upstream.
      
      If starting the transfer of a command succeeds but the transfer for the reply
      fails, it is not enough to initiate killing the transfer, for the
      command may still be running. You need to wait for the killing to finish
      before you can reuse the URB and buffer.
      
      Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      af8071f5
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix NULL dereference at parsing BADD · 3510fb79
      Takashi Iwai authored
      commit 9435f2bb upstream.
      
      snd_usb_mixer_controls_badd() that parses UAC3 BADD profiles misses a
      NULL check for the given interfaces.  When a malformed USB descriptor
      is passed, this may lead to an Oops, as spotted by syzkaller.
      Skip the iteration if the interface doesn't exist for avoiding the
      crash.
      
      Fixes: 17156f23 ("ALSA: usb: add UAC3 BADD profiles support")
      Reported-by: syzbot+a36ab65c6653d7ccdd62@syzkaller.appspotmail.com
      Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191122112840.24797-1-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      3510fb79
    • Yang Tao's avatar
      futex: Prevent robust futex exit race · 2819f403
      Yang Tao authored
      commit ca16d5be upstream.
      
      Robust futexes utilize the robust_list mechanism to allow the kernel to
      release futexes which are held when a task exits. The exit can be voluntary
      or caused by a signal or fault. This prevents waiters from blocking forever.
      
      The futex operations in user space store a pointer to the futex they are
      either locking or unlocking in the op_pending member of the per task robust
      list.
      
      After a lock operation has succeeded the futex is queued in the robust list
      linked list and the op_pending pointer is cleared.
      
      After an unlock operation has succeeded the futex is removed from the
      robust list linked list and the op_pending pointer is cleared.
      
      The robust list exit code checks for the pending operation and any futex
      which is queued in the linked list. It carefully checks whether the futex
      value is the TID of the exiting task. If so, it sets the OWNER_DIED bit and
      tries to wake up a potential waiter.
      
      This is race free for the lock operation but unlock has two race scenarios
      where waiters might not be woken up. These issues can be observed with
      regular robust pthread mutexes. PI aware pthread mutexes are not affected.
      
      (1) Unlocking task is killed after unlocking the futex value in user space
          before being able to wake a waiter.
      
              pthread_mutex_unlock()
                      |
                      V
              atomic_exchange_rel (&mutex->__data.__lock, 0)
                              <------------------------killed
                  lll_futex_wake ()                   |
                                                      |
                                                      |(__lock = 0)
                                                      |(enter kernel)
                                                      |
                                                      V
                                                  do_exit()
                                                  exit_mm()
                                                mm_release()
                                              exit_robust_list()
                                              handle_futex_death()
                                                      |
                                                      |(__lock = 0)
                                                      |(uval = 0)
                                                      |
                                                      V
              if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
                      return 0;
      
          The sanity check which ensures that the user space futex is owned by
          the exiting task prevents the wakeup of waiters which in consequence
          block infinitely.
      
      (2) Waiting task is killed after a wakeup and before it can acquire the
          futex in user space.
      
              OWNER                         WAITER
      				futex_wait()
         pthread_mutex_unlock()               |
                      |                       |
                      |(__lock = 0)           |
                      |                       |
                      V                       |
               futex_wake() ------------>  wakeup()
                                              |
                                              |(return to userspace)
                                              |(__lock = 0)
                                              |
                                              V
                              oldval = mutex->__data.__lock
                                                <-----------------killed
          atomic_compare_and_exchange_val_acq (&mutex->__data.__lock,  |
                              id | assume_other_futex_waiters, 0)      |
                                                                       |
                                                                       |
                                                         (enter kernel)|
                                                                       |
                                                                       V
                                                               do_exit()
                                                              |
                                                              |
                                                              V
                                              handle_futex_death()
                                              |
                                              |(__lock = 0)
                                              |(uval = 0)
                                              |
                                              V
              if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
                      return 0;
      
          The sanity check which ensures that the user space futex is owned
          by the exiting task prevents the wakeup of waiters, which seems to
          be correct as the exiting task does not own the futex value, but
          the consequence is that other waiters won't be woken up and block
          infinitely.
      
      In both scenarios the following conditions are true:
      
         - task->robust_list->list_op_pending != NULL
         - user space futex value == 0
         - Regular futex (not PI)
      
      If these conditions are met then it is reasonably safe to wake up a
      potential waiter in order to prevent the above problems.
      
      As this might be a false positive it can cause spurious wakeups, but the
      waiter side has to handle other types of unrelated wakeups, e.g. signals
      gracefully anyway. So such a spurious wakeup will not affect the
      correctness of these operations.
      
      This workaround must not touch the user space futex value and cannot set
      the OWNER_DIED bit because the lock value is 0, i.e. uncontended. Setting
      OWNER_DIED in this case would result in inconsistent state and subsequently
      in malfunction of the owner died handling in user space.
      
      The rest of the user space state is still consistent as no other task can
      observe the list_op_pending entry in the exiting task's robust list.
      
      The eventually woken up waiter will observe the uncontended lock value and
      take it over.
      
      [ tglx: Massaged changelog and comment. Made the return explicit and not
        depend on the subsequent check and added constants to hand into
        handle_futex_death() instead of plain numbers. Fixed a few coding
        style issues. ]
      
      Fixes: 0771dfef ("[PATCH] lightweight robust futexes: core")
      Signed-off-by: Yang Tao <yang.tao172@zte.com.cn>
      Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Ingo Molnar <mingo@kernel.org>
      Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/1573010582-35297-1-git-send-email-wang.yi59@zte.com.cn
      Link: https://lkml.kernel.org/r/20191106224555.943191378@linutronix.de
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      2819f403
    • Arnd Bergmann's avatar
      y2038: futex: Move compat implementation into futex.c · d3f8c58d
      Arnd Bergmann authored
      commit 04e7712f upstream.
      
      We are going to share the compat_sys_futex() handler between 64-bit
      architectures and 32-bit architectures that need to deal with both 32-bit
      and 64-bit time_t, and this is easier if both entry points are in the
      same file.
      
      In fact, most other system call handlers do the same thing these days, so
      let's follow the trend here and merge all of futex_compat.c into futex.c.
      
      In the process, a few minor changes have to be done to make sure everything
      still makes sense: handle_futex_death() and futex_cmpxchg_enabled() become
      local symbols, and the compat version of the fetch_robust_entry() function
      gets renamed to compat_fetch_robust_entry() to avoid a symbol clash.
      
      This is intended as a purely cosmetic patch, no behavior should
      change.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      d3f8c58d