diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-30 12:31:45 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-30 12:31:45 +0100 |
| commit | f5e829cf01162d1b3e0593d952ab64da7a15bff2 (patch) | |
| tree | cdc6aac8d86252f9f499100d3dd3d7296c0e0ce0 | |
| parent | 12dedb6cfb87356d3770addbe51737411d6a865c (diff) | |
| download | queue-3.18-f5e829cf01162d1b3e0593d952ab64da7a15bff2.tar.gz | |
drop patches applied already
18 files changed, 0 insertions, 1146 deletions
diff --git a/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch b/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch deleted file mode 100644 index e7bc4a7..0000000 --- a/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 22e58665a01006d05f0239621f7d41cacca96cc4 Mon Sep 17 00:00:00 2001 -From: Junya Monden <jmonden@jp.adit-jv.com> -Date: Wed, 16 Oct 2019 14:42:55 +0200 -Subject: ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting - -From: Junya Monden <jmonden@jp.adit-jv.com> - -commit 22e58665a01006d05f0239621f7d41cacca96cc4 upstream. - -Unlike other format-related DAI parameters, rdai->bit_clk_inv flag -is not properly re-initialized when setting format for new stream -processing. The inversion, if requested, is then applied not to default, -but to a previous value, which leads to SCKP bit in SSICR register being -set incorrectly. -Fix this by re-setting the flag to its initial value, determined by format. - -Fixes: 1a7889ca8aba3 ("ASoC: rsnd: fixup SND_SOC_DAIFMT_xB_xF behavior") -Cc: Andrew Gabbasov <andrew_gabbasov@mentor.com> -Cc: Jiada Wang <jiada_wang@mentor.com> -Cc: Timo Wischer <twischer@de.adit-jv.com> -Cc: stable@vger.kernel.org # v3.17+ -Signed-off-by: Junya Monden <jmonden@jp.adit-jv.com> -Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com> -Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> -Link: https://lore.kernel.org/r/20191016124255.7442-1-erosca@de.adit-jv.com -Signed-off-by: Mark Brown <broonie@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/soc/sh/rcar/core.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/sound/soc/sh/rcar/core.c -+++ b/sound/soc/sh/rcar/core.c -@@ -625,6 +625,7 @@ static int rsnd_soc_dai_set_fmt(struct s - } - - /* set format */ -+ rdai->bit_clk_inv = 0; - switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) { - case SND_SOC_DAIFMT_I2S: - rdai->sys_delay = 0; diff --git a/cfg80211-wext-avoid-copying-malformed-ssids.patch b/cfg80211-wext-avoid-copying-malformed-ssids.patch deleted file mode 100644 index ee29214..0000000 --- a/cfg80211-wext-avoid-copying-malformed-ssids.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 4ac2813cc867ae563a1ba5a9414bfb554e5796fa Mon Sep 17 00:00:00 2001 -From: Will Deacon <will@kernel.org> -Date: Fri, 4 Oct 2019 10:51:32 +0100 -Subject: cfg80211: wext: avoid copying malformed SSIDs - -From: Will Deacon <will@kernel.org> - -commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream. - -Ensure the SSID element is bounds-checked prior to invoking memcpy() -with its length field, when copying to userspace. - -Cc: <stable@vger.kernel.org> -Cc: Kees Cook <keescook@chromium.org> -Reported-by: Nicolas Waisman <nico@semmle.com> -Signed-off-by: Will Deacon <will@kernel.org> -Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org -[adjust commit log a bit] -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - net/wireless/wext-sme.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/net/wireless/wext-sme.c -+++ b/net/wireless/wext-sme.c -@@ -225,6 +225,7 @@ int cfg80211_mgd_wext_giwessid(struct ne - struct iw_point *data, char *ssid) - { - struct wireless_dev *wdev = dev->ieee80211_ptr; -+ int ret = 0; - - /* call only for station! */ - if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION)) -@@ -242,7 +243,10 @@ int cfg80211_mgd_wext_giwessid(struct ne - if (ie) { - data->flags = 1; - data->length = ie[1]; -- memcpy(ssid, ie + 2, data->length); -+ if (data->length > IW_ESSID_MAX_SIZE) -+ ret = -EINVAL; -+ else -+ memcpy(ssid, ie + 2, data->length); - } - rcu_read_unlock(); - } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) { -@@ -252,7 +256,7 @@ int cfg80211_mgd_wext_giwessid(struct ne - } - wdev_unlock(wdev); - -- return 0; -+ return ret; - } - - int cfg80211_mgd_wext_siwap(struct net_device *dev, diff --git a/cifs-avoid-using-mid-0xffff.patch b/cifs-avoid-using-mid-0xffff.patch deleted file mode 100644 index 0942892..0000000 --- a/cifs-avoid-using-mid-0xffff.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 03d9a9fe3f3aec508e485dd3dcfa1e99933b4bdb Mon Sep 17 00:00:00 2001 -From: Roberto Bergantinos Corpas <rbergant@redhat.com> -Date: Mon, 14 Oct 2019 10:59:23 +0200 -Subject: CIFS: avoid using MID 0xFFFF - -From: Roberto Bergantinos Corpas <rbergant@redhat.com> - -commit 03d9a9fe3f3aec508e485dd3dcfa1e99933b4bdb upstream. - -According to MS-CIFS specification MID 0xFFFF should not be used by the -CIFS client, but we actually do. Besides, this has proven to cause races -leading to oops between SendReceive2/cifs_demultiplex_thread. On SMB1, -MID is a 2 byte value easy to reach in CurrentMid which may conflict with -an oplock break notification request coming from server - -Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com> -Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> -Reviewed-by: Aurelien Aptel <aaptel@suse.com> -Signed-off-by: Steve French <stfrench@microsoft.com> -CC: Stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/cifs/smb1ops.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/fs/cifs/smb1ops.c -+++ b/fs/cifs/smb1ops.c -@@ -180,6 +180,9 @@ cifs_get_next_mid(struct TCP_Server_Info - /* we do not want to loop forever */ - last_mid = cur_mid; - cur_mid++; -+ /* avoid 0xFFFF MID */ -+ if (cur_mid == 0xffff) -+ cur_mid++; - - /* - * This nested loop looks more expensive than it is. diff --git a/mac80211-reject-malformed-ssid-elements.patch b/mac80211-reject-malformed-ssid-elements.patch deleted file mode 100644 index 2f13268..0000000 --- a/mac80211-reject-malformed-ssid-elements.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 4152561f5da3fca92af7179dd538ea89e248f9d0 Mon Sep 17 00:00:00 2001 -From: Will Deacon <will@kernel.org> -Date: Fri, 4 Oct 2019 10:51:31 +0100 -Subject: mac80211: Reject malformed SSID elements - -From: Will Deacon <will@kernel.org> - -commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream. - -Although this shouldn't occur in practice, it's a good idea to bounds -check the length field of the SSID element prior to using it for things -like allocations or memcpy operations. - -Cc: <stable@vger.kernel.org> -Cc: Kees Cook <keescook@chromium.org> -Reported-by: Nicolas Waisman <nico@semmle.com> -Signed-off-by: Will Deacon <will@kernel.org> -Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - net/mac80211/mlme.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -2195,7 +2195,8 @@ struct sk_buff *ieee80211_ap_probereq_ge - - rcu_read_lock(); - ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID); -- if (WARN_ON_ONCE(ssid == NULL)) -+ if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN, -+ "invalid SSID element (len=%d)", ssid ? ssid[1] : -1)) - ssid_len = 0; - else - ssid_len = ssid[1]; -@@ -4359,7 +4360,7 @@ int ieee80211_mgd_assoc(struct ieee80211 - - rcu_read_lock(); - ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID); -- if (!ssidie) { -+ if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) { - rcu_read_unlock(); - kfree(assoc_data); - return -EINVAL; diff --git a/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch b/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch deleted file mode 100644 index f27d622..0000000 --- a/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 28c9fac09ab0147158db0baeec630407a5e9b892 Mon Sep 17 00:00:00 2001 -From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> -Date: Sat, 5 Oct 2019 13:21:01 +0200 -Subject: memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' - -From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> - -commit 28c9fac09ab0147158db0baeec630407a5e9b892 upstream. - -If 'jmb38x_ms_count_slots()' returns 0, we must undo the previous -'pci_request_regions()' call. - -Goto 'err_out_int' to fix it. - -Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller") -Cc: stable@vger.kernel.org -Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> -Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/memstick/host/jmb38x_ms.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/memstick/host/jmb38x_ms.c -+++ b/drivers/memstick/host/jmb38x_ms.c -@@ -947,7 +947,7 @@ static int jmb38x_ms_probe(struct pci_de - if (!cnt) { - rc = -ENODEV; - pci_dev_busy = 1; -- goto err_out; -+ goto err_out_int; - } - - jm = kzalloc(sizeof(struct jmb38x_ms) diff --git a/mm-slub-fix-a-deadlock-in-show_slab_objects.patch b/mm-slub-fix-a-deadlock-in-show_slab_objects.patch deleted file mode 100644 index f84f89e..0000000 --- a/mm-slub-fix-a-deadlock-in-show_slab_objects.patch +++ /dev/null @@ -1,186 +0,0 @@ -From e4f8e513c3d353c134ad4eef9fd0bba12406c7c8 Mon Sep 17 00:00:00 2001 -From: Qian Cai <cai@lca.pw> -Date: Mon, 14 Oct 2019 14:11:51 -0700 -Subject: mm/slub: fix a deadlock in show_slab_objects() - -From: Qian Cai <cai@lca.pw> - -commit e4f8e513c3d353c134ad4eef9fd0bba12406c7c8 upstream. - -A long time ago we fixed a similar deadlock in show_slab_objects() [1]. -However, it is apparently due to the commits like 01fb58bcba63 ("slab: -remove synchronous synchronize_sched() from memcg cache deactivation -path") and 03afc0e25f7f ("slab: get_online_mems for -kmem_cache_{create,destroy,shrink}"), this kind of deadlock is back by -just reading files in /sys/kernel/slab which will generate a lockdep -splat below. - -Since the "mem_hotplug_lock" here is only to obtain a stable online node -mask while racing with NUMA node hotplug, in the worst case, the results -may me miscalculated while doing NUMA node hotplug, but they shall be -corrected by later reads of the same files. - - WARNING: possible circular locking dependency detected - ------------------------------------------------------ - cat/5224 is trying to acquire lock: - ffff900012ac3120 (mem_hotplug_lock.rw_sem){++++}, at: - show_slab_objects+0x94/0x3a8 - - but task is already holding lock: - b8ff009693eee398 (kn->count#45){++++}, at: kernfs_seq_start+0x44/0xf0 - - which lock already depends on the new lock. - - the existing dependency chain (in reverse order) is: - - -> #2 (kn->count#45){++++}: - lock_acquire+0x31c/0x360 - __kernfs_remove+0x290/0x490 - kernfs_remove+0x30/0x44 - sysfs_remove_dir+0x70/0x88 - kobject_del+0x50/0xb0 - sysfs_slab_unlink+0x2c/0x38 - shutdown_cache+0xa0/0xf0 - kmemcg_cache_shutdown_fn+0x1c/0x34 - kmemcg_workfn+0x44/0x64 - process_one_work+0x4f4/0x950 - worker_thread+0x390/0x4bc - kthread+0x1cc/0x1e8 - ret_from_fork+0x10/0x18 - - -> #1 (slab_mutex){+.+.}: - lock_acquire+0x31c/0x360 - __mutex_lock_common+0x16c/0xf78 - mutex_lock_nested+0x40/0x50 - memcg_create_kmem_cache+0x38/0x16c - memcg_kmem_cache_create_func+0x3c/0x70 - process_one_work+0x4f4/0x950 - worker_thread+0x390/0x4bc - kthread+0x1cc/0x1e8 - ret_from_fork+0x10/0x18 - - -> #0 (mem_hotplug_lock.rw_sem){++++}: - validate_chain+0xd10/0x2bcc - __lock_acquire+0x7f4/0xb8c - lock_acquire+0x31c/0x360 - get_online_mems+0x54/0x150 - show_slab_objects+0x94/0x3a8 - total_objects_show+0x28/0x34 - slab_attr_show+0x38/0x54 - sysfs_kf_seq_show+0x198/0x2d4 - kernfs_seq_show+0xa4/0xcc - seq_read+0x30c/0x8a8 - kernfs_fop_read+0xa8/0x314 - __vfs_read+0x88/0x20c - vfs_read+0xd8/0x10c - ksys_read+0xb0/0x120 - __arm64_sys_read+0x54/0x88 - el0_svc_handler+0x170/0x240 - el0_svc+0x8/0xc - - other info that might help us debug this: - - Chain exists of: - mem_hotplug_lock.rw_sem --> slab_mutex --> kn->count#45 - - Possible unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(kn->count#45); - lock(slab_mutex); - lock(kn->count#45); - lock(mem_hotplug_lock.rw_sem); - - *** DEADLOCK *** - - 3 locks held by cat/5224: - #0: 9eff00095b14b2a0 (&p->lock){+.+.}, at: seq_read+0x4c/0x8a8 - #1: 0eff008997041480 (&of->mutex){+.+.}, at: kernfs_seq_start+0x34/0xf0 - #2: b8ff009693eee398 (kn->count#45){++++}, at: - kernfs_seq_start+0x44/0xf0 - - stack backtrace: - Call trace: - dump_backtrace+0x0/0x248 - show_stack+0x20/0x2c - dump_stack+0xd0/0x140 - print_circular_bug+0x368/0x380 - check_noncircular+0x248/0x250 - validate_chain+0xd10/0x2bcc - __lock_acquire+0x7f4/0xb8c - lock_acquire+0x31c/0x360 - get_online_mems+0x54/0x150 - show_slab_objects+0x94/0x3a8 - total_objects_show+0x28/0x34 - slab_attr_show+0x38/0x54 - sysfs_kf_seq_show+0x198/0x2d4 - kernfs_seq_show+0xa4/0xcc - seq_read+0x30c/0x8a8 - kernfs_fop_read+0xa8/0x314 - __vfs_read+0x88/0x20c - vfs_read+0xd8/0x10c - ksys_read+0xb0/0x120 - __arm64_sys_read+0x54/0x88 - el0_svc_handler+0x170/0x240 - el0_svc+0x8/0xc - -I think it is important to mention that this doesn't expose the -show_slab_objects to use-after-free. There is only a single path that -might really race here and that is the slab hotplug notifier callback -__kmem_cache_shrink (via slab_mem_going_offline_callback) but that path -doesn't really destroy kmem_cache_node data structures. - -[1] http://lkml.iu.edu/hypermail/linux/kernel/1101.0/02850.html - -[akpm@linux-foundation.org: add comment explaining why we don't need mem_hotplug_lock] -Link: http://lkml.kernel.org/r/1570192309-10132-1-git-send-email-cai@lca.pw -Fixes: 01fb58bcba63 ("slab: remove synchronous synchronize_sched() from memcg cache deactivation path") -Fixes: 03afc0e25f7f ("slab: get_online_mems for kmem_cache_{create,destroy,shrink}") -Signed-off-by: Qian Cai <cai@lca.pw> -Acked-by: Michal Hocko <mhocko@suse.com> -Cc: Christoph Lameter <cl@linux.com> -Cc: Pekka Enberg <penberg@kernel.org> -Cc: David Rientjes <rientjes@google.com> -Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> -Cc: Tejun Heo <tj@kernel.org> -Cc: Vladimir Davydov <vdavydov.dev@gmail.com> -Cc: Roman Gushchin <guro@fb.com> -Cc: <stable@vger.kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - mm/slub.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - ---- a/mm/slub.c -+++ b/mm/slub.c -@@ -4296,7 +4296,17 @@ static ssize_t show_slab_objects(struct - } - } - -- get_online_mems(); -+ /* -+ * It is impossible to take "mem_hotplug_lock" here with "kernfs_mutex" -+ * already held which will conflict with an existing lock order: -+ * -+ * mem_hotplug_lock->slab_mutex->kernfs_mutex -+ * -+ * We don't really need mem_hotplug_lock (to hold off -+ * slab_mem_going_offline_callback) here because slab's memory hot -+ * unplug code doesn't destroy the kmem_cache->node[] data. -+ */ -+ - #ifdef CONFIG_SLUB_DEBUG - if (flags & SO_ALL) { - struct kmem_cache_node *n; -@@ -4337,7 +4347,6 @@ static ssize_t show_slab_objects(struct - x += sprintf(buf + x, " N%d=%lu", - node, nodes[node]); - #endif -- put_online_mems(); - kfree(nodes); - return x + sprintf(buf + x, "\n"); - } diff --git a/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch b/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch deleted file mode 100644 index 229e28d..0000000 --- a/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch +++ /dev/null @@ -1,132 +0,0 @@ -From foo@baz Thu 24 Oct 2019 09:41:49 PM EDT -From: Eric Dumazet <edumazet@google.com> -Date: Mon, 14 Oct 2019 11:22:30 -0700 -Subject: net: avoid potential infinite loop in tc_ctl_action() - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit 39f13ea2f61b439ebe0060393e9c39925c9ee28c ] - -tc_ctl_action() has the ability to loop forever if tcf_action_add() -returns -EAGAIN. - -This special case has been done in case a module needed to be loaded, -but it turns out that tcf_add_notify() could also return -EAGAIN -if the socket sk_rcvbuf limit is hit. - -We need to separate the two cases, and only loop for the module -loading case. - -While we are at it, add a limit of 10 attempts since unbounded -loops are always scary. - -syzbot repro was something like : - -socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3 -write(3, ..., 38) = 38 -setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0 -sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...) - -NMI backtrace for cpu 0 -CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x172/0x1f0 lib/dump_stack.c:113 - nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101 - nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62 - arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 - trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] - check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] - watchdog+0x9d0/0xef0 kernel/hung_task.c:289 - kthread+0x361/0x430 kernel/kthread.c:255 - ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 -Sending NMI from CPU 0 to CPUs 1: -NMI backtrace for cpu 1 -CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline] -RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453 -Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6 -RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046 -RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000 -RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914 -RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1 -R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f -R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003 -FS: 00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45 - __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] - _raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159 - __wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122 - __wake_up+0xe/0x10 kernel/sched/wait.c:142 - netlink_unlock_table net/netlink/af_netlink.c:466 [inline] - netlink_unlock_table net/netlink/af_netlink.c:463 [inline] - netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514 - netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534 - rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714 - tcf_add_notify net/sched/act_api.c:1343 [inline] - tcf_action_add+0x243/0x370 net/sched/act_api.c:1362 - tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410 - rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386 - netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 - rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404 - netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] - netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 - netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 - sock_sendmsg_nosec net/socket.c:637 [inline] - sock_sendmsg+0xd7/0x130 net/socket.c:657 - ___sys_sendmsg+0x803/0x920 net/socket.c:2311 - __sys_sendmsg+0x105/0x1d0 net/socket.c:2356 - __do_sys_sendmsg net/socket.c:2365 [inline] - __se_sys_sendmsg net/socket.c:2363 [inline] - __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363 - do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x440939 - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/sched/act_api.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - ---- a/net/sched/act_api.c -+++ b/net/sched/act_api.c -@@ -927,10 +927,15 @@ static int - tcf_action_add(struct net *net, struct nlattr *nla, struct nlmsghdr *n, - u32 portid, int ovr) - { -- int ret = 0; -+ int loop, ret; - LIST_HEAD(actions); - -- ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions); -+ for (loop = 0; loop < 10; loop++) { -+ ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions); -+ if (ret != -EAGAIN) -+ break; -+ } -+ - if (ret) - goto done; - -@@ -973,10 +978,7 @@ static int tc_ctl_action(struct sk_buff - */ - if (n->nlmsg_flags & NLM_F_REPLACE) - ovr = 1; --replay: - ret = tcf_action_add(net, tca[TCA_ACT_TAB], n, portid, ovr); -- if (ret == -EAGAIN) -- goto replay; - break; - case RTM_DELACTION: - ret = tca_action_gd(net, tca[TCA_ACT_TAB], n, diff --git a/parisc-fix-vmap-memory-leak-in-ioremap-iounmap.patch b/parisc-fix-vmap-memory-leak-in-ioremap-iounmap.patch deleted file mode 100644 index 611ee77..0000000 --- a/parisc-fix-vmap-memory-leak-in-ioremap-iounmap.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 513f7f747e1cba81f28a436911fba0b485878ebd Mon Sep 17 00:00:00 2001 -From: Helge Deller <deller@gmx.de> -Date: Fri, 4 Oct 2019 19:23:37 +0200 -Subject: parisc: Fix vmap memory leak in ioremap()/iounmap() - -From: Helge Deller <deller@gmx.de> - -commit 513f7f747e1cba81f28a436911fba0b485878ebd upstream. - -Sven noticed that calling ioremap() and iounmap() multiple times leads -to a vmap memory leak: - vmap allocation for size 4198400 failed: - use vmalloc=<size> to increase size - -It seems we missed calling vunmap() in iounmap(). - -Signed-off-by: Helge Deller <deller@gmx.de> -Noticed-by: Sven Schnelle <svens@stackframe.org> -Cc: <stable@vger.kernel.org> # v3.16+ -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/parisc/mm/ioremap.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - ---- a/arch/parisc/mm/ioremap.c -+++ b/arch/parisc/mm/ioremap.c -@@ -2,7 +2,7 @@ - * arch/parisc/mm/ioremap.c - * - * (C) Copyright 1995 1996 Linus Torvalds -- * (C) Copyright 2001-2006 Helge Deller <deller@gmx.de> -+ * (C) Copyright 2001-2019 Helge Deller <deller@gmx.de> - * (C) Copyright 2005 Kyle McMartin <kyle@parisc-linux.org> - */ - -@@ -83,7 +83,7 @@ void __iomem * __ioremap(unsigned long p - addr = (void __iomem *) area->addr; - if (ioremap_page_range((unsigned long)addr, (unsigned long)addr + size, - phys_addr, pgprot)) { -- vfree(addr); -+ vunmap(addr); - return NULL; - } - -@@ -91,9 +91,11 @@ void __iomem * __ioremap(unsigned long p - } - EXPORT_SYMBOL(__ioremap); - --void iounmap(const volatile void __iomem *addr) -+void iounmap(const volatile void __iomem *io_addr) - { -- if (addr > high_memory) -- return vfree((void *) (PAGE_MASK & (unsigned long __force) addr)); -+ unsigned long addr = (unsigned long)io_addr & PAGE_MASK; -+ -+ if (is_vmalloc_addr((void *)addr)) -+ vunmap((void *)addr); - } - EXPORT_SYMBOL(iounmap); diff --git a/pci-pm-fix-pci_power_up.patch b/pci-pm-fix-pci_power_up.patch deleted file mode 100644 index cd90683..0000000 --- a/pci-pm-fix-pci_power_up.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 45144d42f299455911cc29366656c7324a3a7c97 Mon Sep 17 00:00:00 2001 -From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> -Date: Mon, 14 Oct 2019 13:25:00 +0200 -Subject: PCI: PM: Fix pci_power_up() - -From: Rafael J. Wysocki <rafael.j.wysocki@intel.com> - -commit 45144d42f299455911cc29366656c7324a3a7c97 upstream. - -There is an arbitrary difference between the system resume and -runtime resume code paths for PCI devices regarding the delay to -apply when switching the devices from D3cold to D0. - -Namely, pci_restore_standard_config() used in the runtime resume -code path calls pci_set_power_state() which in turn invokes -__pci_start_power_transition() to power up the device through the -platform firmware and that function applies the transition delay -(as per PCI Express Base Specification Revision 2.0, Section 6.6.1). -However, pci_pm_default_resume_early() used in the system resume -code path calls pci_power_up() which doesn't apply the delay at -all and that causes issues to occur during resume from -suspend-to-idle on some systems where the delay is required. - -Since there is no reason for that difference to exist, modify -pci_power_up() to follow pci_set_power_state() more closely and -invoke __pci_start_power_transition() from there to call the -platform firmware to power up the device (in case that's necessary). - -Fixes: db288c9c5f9d ("PCI / PM: restore the original behavior of pci_set_power_state()") -Reported-by: Daniel Drake <drake@endlessm.com> -Tested-by: Daniel Drake <drake@endlessm.com> -Link: https://lore.kernel.org/linux-pm/CAD8Lp44TYxrMgPLkHCqF9hv6smEurMXvmmvmtyFhZ6Q4SE+dig@mail.gmail.com/T/#m21be74af263c6a34f36e0fc5c77c5449d9406925 -Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> -Acked-by: Bjorn Helgaas <bhelgaas@google.com> -Cc: 3.10+ <stable@vger.kernel.org> # 3.10+ -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/pci/pci.c | 24 +++++++++++------------- - 1 file changed, 11 insertions(+), 13 deletions(-) - ---- a/drivers/pci/pci.c -+++ b/drivers/pci/pci.c -@@ -659,19 +659,6 @@ void pci_update_current_state(struct pci - } - - /** -- * pci_power_up - Put the given device into D0 forcibly -- * @dev: PCI device to power up -- */ --void pci_power_up(struct pci_dev *dev) --{ -- if (platform_pci_power_manageable(dev)) -- platform_pci_set_power_state(dev, PCI_D0); -- -- pci_raw_set_power_state(dev, PCI_D0); -- pci_update_current_state(dev, PCI_D0); --} -- --/** - * pci_platform_power_transition - Use platform to change device power state - * @dev: PCI device to handle. - * @state: State to put the device into. -@@ -847,6 +834,17 @@ int pci_set_power_state(struct pci_dev * - EXPORT_SYMBOL(pci_set_power_state); - - /** -+ * pci_power_up - Put the given device into D0 forcibly -+ * @dev: PCI device to power up -+ */ -+void pci_power_up(struct pci_dev *dev) -+{ -+ __pci_start_power_transition(dev, PCI_D0); -+ pci_raw_set_power_state(dev, PCI_D0); -+ pci_update_current_state(dev, PCI_D0); -+} -+ -+/** - * pci_choose_state - Choose the power state of a PCI device - * @dev: PCI device to be suspended - * @state: target sleep state for the whole system. This is the value diff --git a/scsi-core-try-to-get-module-before-removing-device.patch b/scsi-core-try-to-get-module-before-removing-device.patch deleted file mode 100644 index 5a2f7b2..0000000 --- a/scsi-core-try-to-get-module-before-removing-device.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 77c301287ebae86cc71d03eb3806f271cb14da79 Mon Sep 17 00:00:00 2001 -From: Yufen Yu <yuyufen@huawei.com> -Date: Tue, 15 Oct 2019 21:05:56 +0800 -Subject: scsi: core: try to get module before removing device - -From: Yufen Yu <yuyufen@huawei.com> - -commit 77c301287ebae86cc71d03eb3806f271cb14da79 upstream. - -We have a test case like block/001 in blktests, which will create a scsi -device by loading scsi_debug module and then try to delete the device by -sysfs interface. At the same time, it may remove the scsi_debug module. - -And getting a invalid paging request BUG_ON as following: - -[ 34.625854] BUG: unable to handle page fault for address: ffffffffa0016bb8 -[ 34.629189] Oops: 0000 [#1] SMP PTI -[ 34.629618] CPU: 1 PID: 450 Comm: bash Tainted: G W 5.4.0-rc3+ #473 -[ 34.632524] RIP: 0010:scsi_proc_hostdir_rm+0x5/0xa0 -[ 34.643555] CR2: ffffffffa0016bb8 CR3: 000000012cd88000 CR4: 00000000000006e0 -[ 34.644545] Call Trace: -[ 34.644907] scsi_host_dev_release+0x6b/0x1f0 -[ 34.645511] device_release+0x74/0x110 -[ 34.646046] kobject_put+0x116/0x390 -[ 34.646559] put_device+0x17/0x30 -[ 34.647041] scsi_target_dev_release+0x2b/0x40 -[ 34.647652] device_release+0x74/0x110 -[ 34.648186] kobject_put+0x116/0x390 -[ 34.648691] put_device+0x17/0x30 -[ 34.649157] scsi_device_dev_release_usercontext+0x2e8/0x360 -[ 34.649953] execute_in_process_context+0x29/0x80 -[ 34.650603] scsi_device_dev_release+0x20/0x30 -[ 34.651221] device_release+0x74/0x110 -[ 34.651732] kobject_put+0x116/0x390 -[ 34.652230] sysfs_unbreak_active_protection+0x3f/0x50 -[ 34.652935] sdev_store_delete.cold.4+0x71/0x8f -[ 34.653579] dev_attr_store+0x1b/0x40 -[ 34.654103] sysfs_kf_write+0x3d/0x60 -[ 34.654603] kernfs_fop_write+0x174/0x250 -[ 34.655165] __vfs_write+0x1f/0x60 -[ 34.655639] vfs_write+0xc7/0x280 -[ 34.656117] ksys_write+0x6d/0x140 -[ 34.656591] __x64_sys_write+0x1e/0x30 -[ 34.657114] do_syscall_64+0xb1/0x400 -[ 34.657627] entry_SYSCALL_64_after_hwframe+0x44/0xa9 -[ 34.658335] RIP: 0033:0x7f156f337130 - -During deleting scsi target, the scsi_debug module have been removed. Then, -sdebug_driver_template belonged to the module cannot be accessd, resulting -in scsi_proc_hostdir_rm() BUG_ON. - -To fix the bug, we add scsi_device_get() in sdev_store_delete() to try to -increase refcount of module, avoiding the module been removed. - -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20191015130556.18061-1-yuyufen@huawei.com -Signed-off-by: Yufen Yu <yuyufen@huawei.com> -Reviewed-by: Bart Van Assche <bvanassche@acm.org> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/scsi/scsi_sysfs.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - ---- a/drivers/scsi/scsi_sysfs.c -+++ b/drivers/scsi/scsi_sysfs.c -@@ -677,6 +677,14 @@ sdev_store_delete(struct device *dev, st - const char *buf, size_t count) - { - struct kernfs_node *kn; -+ struct scsi_device *sdev = to_scsi_device(dev); -+ -+ /* -+ * We need to try to get module, avoiding the module been removed -+ * during delete. -+ */ -+ if (scsi_device_get(sdev)) -+ return -ENODEV; - - kn = sysfs_break_active_protection(&dev->kobj, &attr->attr); - WARN_ON_ONCE(!kn); -@@ -691,9 +699,10 @@ sdev_store_delete(struct device *dev, st - * state into SDEV_DEL. - */ - device_remove_file(dev, attr); -- scsi_remove_device(to_scsi_device(dev)); -+ scsi_remove_device(sdev); - if (kn) - sysfs_unbreak_active_protection(kn); -+ scsi_device_put(sdev); - return count; - }; - static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete); diff --git a/sctp-change-sctp_prot-.no_autobind-with-true.patch b/sctp-change-sctp_prot-.no_autobind-with-true.patch deleted file mode 100644 index 2414332..0000000 --- a/sctp-change-sctp_prot-.no_autobind-with-true.patch +++ /dev/null @@ -1,71 +0,0 @@ -From foo@baz Thu 24 Oct 2019 09:55:34 PM EDT -From: Xin Long <lucien.xin@gmail.com> -Date: Tue, 15 Oct 2019 15:24:38 +0800 -Subject: sctp: change sctp_prot .no_autobind with true - -From: Xin Long <lucien.xin@gmail.com> - -[ Upstream commit 63dfb7938b13fa2c2fbcb45f34d065769eb09414 ] - -syzbot reported a memory leak: - - BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64): - backtrace: - - [...] slab_alloc mm/slab.c:3319 [inline] - [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483 - [...] sctp_bucket_create net/sctp/socket.c:8523 [inline] - [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270 - [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402 - [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497 - [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022 - [...] sctp_setsockopt net/sctp/socket.c:4641 [inline] - [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611 - [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147 - [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084 - [...] __do_sys_setsockopt net/socket.c:2100 [inline] - -It was caused by when sending msgs without binding a port, in the path: -inet_sendmsg() -> inet_send_prepare() -> inet_autobind() -> -.get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is -not. Later when binding another port by sctp_setsockopt_bindx(), a new -bucket will be created as bp->port is not set. - -sctp's autobind is supposed to call sctp_autobind() where it does all -things including setting bp->port. Since sctp_autobind() is called in -sctp_sendmsg() if the sk is not yet bound, it should have skipped the -auto bind. - -THis patch is to avoid calling inet_autobind() in inet_send_prepare() -by changing sctp_prot .no_autobind with true, also remove the unused -.get_port. - -Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/sctp/socket.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7453,7 +7453,7 @@ struct proto sctp_prot = { - .backlog_rcv = sctp_backlog_rcv, - .hash = sctp_hash, - .unhash = sctp_unhash, -- .get_port = sctp_get_port, -+ .no_autobind = true, - .obj_size = sizeof(struct sctp_sock), - .sysctl_mem = sysctl_sctp_mem, - .sysctl_rmem = sysctl_sctp_rmem, -@@ -7492,7 +7492,7 @@ struct proto sctpv6_prot = { - .backlog_rcv = sctp_backlog_rcv, - .hash = sctp_hash, - .unhash = sctp_unhash, -- .get_port = sctp_get_port, -+ .no_autobind = true, - .obj_size = sizeof(struct sctp6_sock), - .sysctl_mem = sysctl_sctp_mem, - .sysctl_rmem = sysctl_sctp_rmem, @@ -1,17 +0,0 @@ -sctp-change-sctp_prot-.no_autobind-with-true.patch -net-avoid-potential-infinite-loop-in-tc_ctl_action.patch -usb-legousbtower-fix-memleak-on-disconnect.patch -usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch -usb-serial-ti_usb_3410_5052-fix-port-close-races.patch -usb-ldusb-fix-memleak-on-disconnect.patch -usb-ldusb-fix-read-info-leaks.patch -scsi-core-try-to-get-module-before-removing-device.patch -asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch -cfg80211-wext-avoid-copying-malformed-ssids.patch -mac80211-reject-malformed-ssid-elements.patch -mm-slub-fix-a-deadlock-in-show_slab_objects.patch -parisc-fix-vmap-memory-leak-in-ioremap-iounmap.patch -cifs-avoid-using-mid-0xffff.patch -memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch -xen-netback-fix-error-path-of-xenvif_connect_data.patch -pci-pm-fix-pci_power_up.patch diff --git a/usb-ldusb-fix-memleak-on-disconnect.patch b/usb-ldusb-fix-memleak-on-disconnect.patch deleted file mode 100644 index 2363054..0000000 --- a/usb-ldusb-fix-memleak-on-disconnect.patch +++ /dev/null @@ -1,37 +0,0 @@ -From b14a39048c1156cfee76228bf449852da2f14df8 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Thu, 10 Oct 2019 14:58:34 +0200 -Subject: USB: ldusb: fix memleak on disconnect - -From: Johan Hovold <johan@kernel.org> - -commit b14a39048c1156cfee76228bf449852da2f14df8 upstream. - -If disconnect() races with release() after a process has been -interrupted, release() could end up returning early and the driver would -fail to free its driver data. - -Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver") -Cc: stable <stable@vger.kernel.org> # 2.6.13 -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191010125835.27031-2-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/misc/ldusb.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - ---- a/drivers/usb/misc/ldusb.c -+++ b/drivers/usb/misc/ldusb.c -@@ -388,10 +388,7 @@ static int ld_usb_release(struct inode * - goto exit; - } - -- if (mutex_lock_interruptible(&dev->mutex)) { -- retval = -ERESTARTSYS; -- goto exit; -- } -+ mutex_lock(&dev->mutex); - - if (dev->open_count != 1) { - retval = -ENODEV; diff --git a/usb-ldusb-fix-read-info-leaks.patch b/usb-ldusb-fix-read-info-leaks.patch deleted file mode 100644 index 28d0e76..0000000 --- a/usb-ldusb-fix-read-info-leaks.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 7a6f22d7479b7a0b68eadd308a997dd64dda7dae Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Fri, 18 Oct 2019 17:19:54 +0200 -Subject: USB: ldusb: fix read info leaks - -From: Johan Hovold <johan@kernel.org> - -commit 7a6f22d7479b7a0b68eadd308a997dd64dda7dae upstream. - -Fix broken read implementation, which could be used to trigger slab info -leaks. - -The driver failed to check if the custom ring buffer was still empty -when waking up after having waited for more data. This would happen on -every interrupt-in completion, even if no data had been added to the -ring buffer (e.g. on disconnect events). - -Due to missing sanity checks and uninitialised (kmalloced) ring-buffer -entries, this meant that huge slab info leaks could easily be triggered. - -Note that the empty-buffer check after wakeup is enough to fix the info -leak on disconnect, but let's clear the buffer on allocation and add a -sanity check to read() to prevent further leaks. - -Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver") -Cc: stable <stable@vger.kernel.org> # 2.6.13 -Reported-by: syzbot+6fe95b826644f7f12b0b@syzkaller.appspotmail.com -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191018151955.25135-2-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/misc/ldusb.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - ---- a/drivers/usb/misc/ldusb.c -+++ b/drivers/usb/misc/ldusb.c -@@ -472,7 +472,7 @@ static ssize_t ld_usb_read(struct file * - - /* wait for data */ - spin_lock_irq(&dev->rbsl); -- if (dev->ring_head == dev->ring_tail) { -+ while (dev->ring_head == dev->ring_tail) { - dev->interrupt_in_done = 0; - spin_unlock_irq(&dev->rbsl); - if (file->f_flags & O_NONBLOCK) { -@@ -482,12 +482,17 @@ static ssize_t ld_usb_read(struct file * - retval = wait_event_interruptible(dev->read_wait, dev->interrupt_in_done); - if (retval < 0) - goto unlock_exit; -- } else { -- spin_unlock_irq(&dev->rbsl); -+ -+ spin_lock_irq(&dev->rbsl); - } -+ spin_unlock_irq(&dev->rbsl); - - /* actual_buffer contains actual_length + interrupt_in_buffer */ - actual_buffer = (size_t*)(dev->ring_buffer + dev->ring_tail*(sizeof(size_t)+dev->interrupt_in_endpoint_size)); -+ if (*actual_buffer > dev->interrupt_in_endpoint_size) { -+ retval = -EIO; -+ goto unlock_exit; -+ } - bytes_to_read = min(count, *actual_buffer); - if (bytes_to_read < *actual_buffer) - dev_warn(&dev->intf->dev, "Read buffer overflow, %zd bytes dropped\n", -@@ -707,7 +712,9 @@ static int ld_usb_probe(struct usb_inter - dev_warn(&intf->dev, "Interrupt out endpoint not found (using control endpoint instead)\n"); - - dev->interrupt_in_endpoint_size = usb_endpoint_maxp(dev->interrupt_in_endpoint); -- dev->ring_buffer = kmalloc(ring_buffer_size*(sizeof(size_t)+dev->interrupt_in_endpoint_size), GFP_KERNEL); -+ dev->ring_buffer = kcalloc(ring_buffer_size, -+ sizeof(size_t) + dev->interrupt_in_endpoint_size, -+ GFP_KERNEL); - if (!dev->ring_buffer) { - dev_err(&intf->dev, "Couldn't allocate ring_buffer\n"); - goto error; diff --git a/usb-legousbtower-fix-memleak-on-disconnect.patch b/usb-legousbtower-fix-memleak-on-disconnect.patch deleted file mode 100644 index 13a7482..0000000 --- a/usb-legousbtower-fix-memleak-on-disconnect.patch +++ /dev/null @@ -1,37 +0,0 @@ -From b6c03e5f7b463efcafd1ce141bd5a8fc4e583ae2 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Thu, 10 Oct 2019 14:58:35 +0200 -Subject: USB: legousbtower: fix memleak on disconnect - -From: Johan Hovold <johan@kernel.org> - -commit b6c03e5f7b463efcafd1ce141bd5a8fc4e583ae2 upstream. - -If disconnect() races with release() after a process has been -interrupted, release() could end up returning early and the driver would -fail to free its driver data. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191010125835.27031-3-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/misc/legousbtower.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - ---- a/drivers/usb/misc/legousbtower.c -+++ b/drivers/usb/misc/legousbtower.c -@@ -425,10 +425,7 @@ static int tower_release (struct inode * - goto exit; - } - -- if (mutex_lock_interruptible(&dev->lock)) { -- retval = -ERESTARTSYS; -- goto exit; -- } -+ mutex_lock(&dev->lock); - - if (dev->open_count != 1) { - dev_dbg(&dev->udev->dev, "%s: device not opened exactly once\n", diff --git a/usb-serial-ti_usb_3410_5052-fix-port-close-races.patch b/usb-serial-ti_usb_3410_5052-fix-port-close-races.patch deleted file mode 100644 index 69c259f..0000000 --- a/usb-serial-ti_usb_3410_5052-fix-port-close-races.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 6f1d1dc8d540a9aa6e39b9cb86d3a67bbc1c8d8d Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Fri, 11 Oct 2019 11:57:35 +0200 -Subject: USB: serial: ti_usb_3410_5052: fix port-close races - -From: Johan Hovold <johan@kernel.org> - -commit 6f1d1dc8d540a9aa6e39b9cb86d3a67bbc1c8d8d upstream. - -Fix races between closing a port and opening or closing another port on -the same device which could lead to a failure to start or stop the -shared interrupt URB. The latter could potentially cause a -use-after-free or worse in the completion handler on driver unbind. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Johan Hovold <johan@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/serial/ti_usb_3410_5052.c | 10 +++------- - 1 file changed, 3 insertions(+), 7 deletions(-) - ---- a/drivers/usb/serial/ti_usb_3410_5052.c -+++ b/drivers/usb/serial/ti_usb_3410_5052.c -@@ -533,7 +533,6 @@ static void ti_close(struct usb_serial_p - struct ti_port *tport; - int port_number; - int status; -- int do_unlock; - unsigned long flags; - - tdev = usb_get_serial_data(port->serial); -@@ -560,16 +559,13 @@ static void ti_close(struct usb_serial_p - "%s - cannot send close port command, %d\n" - , __func__, status); - -- /* if mutex_lock is interrupted, continue anyway */ -- do_unlock = !mutex_lock_interruptible(&tdev->td_open_close_lock); -+ mutex_lock(&tdev->td_open_close_lock); - --tport->tp_tdev->td_open_port_count; -- if (tport->tp_tdev->td_open_port_count <= 0) { -+ if (tport->tp_tdev->td_open_port_count == 0) { - /* last port is closed, shut down interrupt urb */ - usb_kill_urb(port->serial->port[0]->interrupt_in_urb); -- tport->tp_tdev->td_open_port_count = 0; - } -- if (do_unlock) -- mutex_unlock(&tdev->td_open_close_lock); -+ mutex_unlock(&tdev->td_open_close_lock); - } - - diff --git a/usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch b/usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch deleted file mode 100644 index 9379f10..0000000 --- a/usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch +++ /dev/null @@ -1,48 +0,0 @@ -From b987b66ac3a2bc2f7b03a0ba48a07dc553100c07 Mon Sep 17 00:00:00 2001 -From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> -Date: Mon, 14 Oct 2019 14:18:30 -0500 -Subject: usb: udc: lpc32xx: fix bad bit shift operation - -From: Gustavo A. R. Silva <gustavo@embeddedor.com> - -commit b987b66ac3a2bc2f7b03a0ba48a07dc553100c07 upstream. - -It seems that the right variable to use in this case is *i*, instead of -*n*, otherwise there is an undefined behavior when right shifiting by more -than 31 bits when multiplying n by 8; notice that *n* can take values -equal or greater than 4 (4, 8, 16, ...). - -Also, notice that under the current conditions (bl = 3), we are skiping -the handling of bytes 3, 7, 31... So, fix this by updating this logic -and limit *bl* up to 4 instead of up to 3. - -This fix is based on function udc_stuff_fifo(). - -Addresses-Coverity-ID: 1454834 ("Bad bit shift operation") -Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx") -Cc: stable@vger.kernel.org -Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> -Link: https://lore.kernel.org/r/20191014191830.GA10721@embeddedor -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/gadget/udc/lpc32xx_udc.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/usb/gadget/udc/lpc32xx_udc.c -+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c -@@ -1228,11 +1228,11 @@ static void udc_pop_fifo(struct lpc32xx_ - tmp = readl(USBD_RXDATA(udc->udp_baseaddr)); - - bl = bytes - n; -- if (bl > 3) -- bl = 3; -+ if (bl > 4) -+ bl = 4; - - for (i = 0; i < bl; i++) -- data[n + i] = (u8) ((tmp >> (n * 8)) & 0xFF); -+ data[n + i] = (u8) ((tmp >> (i * 8)) & 0xFF); - } - break; - diff --git a/xen-netback-fix-error-path-of-xenvif_connect_data.patch b/xen-netback-fix-error-path-of-xenvif_connect_data.patch deleted file mode 100644 index 5f45992..0000000 --- a/xen-netback-fix-error-path-of-xenvif_connect_data.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 3d5c1a037d37392a6859afbde49be5ba6a70a6b3 Mon Sep 17 00:00:00 2001 -From: Juergen Gross <jgross@suse.com> -Date: Fri, 18 Oct 2019 09:45:49 +0200 -Subject: xen/netback: fix error path of xenvif_connect_data() - -From: Juergen Gross <jgross@suse.com> - -commit 3d5c1a037d37392a6859afbde49be5ba6a70a6b3 upstream. - -xenvif_connect_data() calls module_put() in case of error. This is -wrong as there is no related module_get(). - -Remove the superfluous module_put(). - -Fixes: 279f438e36c0a7 ("xen-netback: Don't destroy the netdev until the vif is shut down") -Cc: <stable@vger.kernel.org> # 3.12 -Signed-off-by: Juergen Gross <jgross@suse.com> -Reviewed-by: Paul Durrant <paul@xen.org> -Reviewed-by: Wei Liu <wei.liu@kernel.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/net/xen-netback/interface.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/drivers/net/xen-netback/interface.c -+++ b/drivers/net/xen-netback/interface.c -@@ -606,7 +606,6 @@ err_tx_unbind: - err_unmap: - xenvif_unmap_frontend_rings(queue); - err: -- module_put(THIS_MODULE); - return err; - } - |