aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-02-18fuse: fix fileattr op failureMiklos Szeredi
The fileattr API conversion broke lsattr on ntfs3g. Previously the ioctl(... FS_IOC_GETFLAGS) returned an EINVAL error, but after the conversion the error returned by the fuse filesystem was not propagated back to the ioctl() system call, resulting in success being returned with bogus values. Fix by checking for outarg.result in fuse_priv_ioctl(), just as generic ioctl code does. Reported-by: Jean-Pierre André <jean-pierre.andre@wanadoo.fr> Fixes: 72227eac177d ("fuse: convert to fileattr") Cc: <stable@vger.kernel.org> # v5.13 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2022-02-13Linux 5.17-rc4Linus Torvalds
2022-02-13Merge tag 'kbuild-fixes-v5.17-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild fixes from Masahiro Yamada: - Fix the truncated path issue for HAVE_GCC_PLUGINS test in Kconfig - Move -Wunsligned-access to W=1 builds to avoid sprinkling warnings for the latest Clang - Fix missing fclose() in Kconfig - Fix Kconfig to touch dep headers correctly when KCONFIG_AUTOCONFIG is overridden. * tag 'kbuild-fixes-v5.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kconfig: fix failing to generate auto.conf kconfig: fix missing fclose() on error paths Makefile.extrawarn: Move -Wunaligned-access to W=1 kconfig: let 'shell' return enough output for deep path names
2022-02-13Merge tag 'irq-urgent-2022-02-13' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Thomas Gleixner: "Interrupt chip driver fixes: - Don't install an hotplug notifier for GICV3-ITS on systems which do not need it to prevent a warning in the notifier about inconsistent state - Add the missing device tree matching for the T-HEAD PLIC variant so the related SoC is properly supported" * tag 'irq-urgent-2022-02-13' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/sifive-plic: Add missing thead,c900-plic match string dt-bindings: update riscv plic compatible string irqchip/gic-v3-its: Skip HP notifier when no ITS is registered
2022-02-13Merge tag 'objtool_urgent_for_v5.17_rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull objtool fix from Borislav Petkov: "Fix a case where objtool would mistakenly warn about instructions being unreachable" * tag 'objtool_urgent_for_v5.17_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/bug: Merge annotate_reachable() into _BUG_FLAGS() asm
2022-02-13Merge tag 'sched_urgent_for_v5.17_rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Borislav Petkov: "Fix a NULL-ptr dereference when recalculating a sched entity's weight" * tag 'sched_urgent_for_v5.17_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/fair: Fix fault in reweight_entity
2022-02-13Merge tag 'perf_urgent_for_v5.17_rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fix from Borislav Petkov: "Prevent cgroup event list corruption when switching events" * tag 'perf_urgent_for_v5.17_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf: Fix list corruption in perf_cgroup_switch()
2022-02-13Merge tag 'x86_urgent_for_v5.17_rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Borislav Petkov: "Prevent softlockups when tearing down large SGX enclaves" * tag 'x86_urgent_for_v5.17_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/sgx: Silence softlockup detection when releasing large enclaves
2022-02-13Merge tag '5.17-rc4-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6Linus Torvalds
Pull cifs fixes from Steve French: "Three small smb3 reconnect fixes and an error log clarification" * tag '5.17-rc4-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: mark sessions for reconnection in helper function cifs: call helper functions for marking channels for reconnect cifs: call cifs_reconnect when a connection is marked [smb3] improve error message when mount options conflict with posix
2022-02-13Merge tag 'irqchip-fixes-5.17-2' of ↵Thomas Gleixner
git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent Pull irqchip fixes from Marc Zyngier: - Don't register a hotplug notifier on GICv3 systems that advertise LPI support, but have no ITS to make use of it - Add missing DT matching for the thead,c900-plic variant of the SiFive PLIC Link: https://lore.kernel.org/r/20220211110038.1179155-1-maz@kernel.org
2022-02-12Merge tag 'scsi-fixes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Two minor fixes in the lpfc driver. One changing the classification of trace messages and the other fixing a build issue when NVME_FC is disabled" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: lpfc: Reduce log messages seen after firmware download scsi: lpfc: Remove NVMe support if kernel has NVME_FC disabled
2022-02-12Merge tag 'char-misc-5.17-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are a small number of char/misc driver fixes for 5.17-rc4 for reported issues. They contain: - phy driver fixes - iio driver fix - eeprom driver fix - speakup regression fix - fastrpc fix All of these have been in linux-next with no reported issues" * tag 'char-misc-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL speakup-dectlk: Restore pitch setting bus: mhi: pci_generic: Add mru_default for Cinterion MV31-W bus: mhi: pci_generic: Add mru_default for Foxconn SDX55 eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX misc: fastrpc: avoid double fput() on failed usercopy phy: dphy: Correct clk_pre parameter phy: phy-mtk-tphy: Fix duplicated argument in phy-mtk-tphy phy: stm32: fix a refcount leak in stm32_usbphyc_pll_enable() phy: xilinx: zynqmp: Fix bus width setting for SGMII phy: cadence: Sierra: fix error handling bugs in probe() phy: ti: Fix missing sentinel for clk_div_table phy: broadcom: Kconfig: Fix PHY_BRCM_USB config option phy: usb: Leave some clocks running during suspend
2022-02-12Merge tag 'staging-5.17-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pullstaging driver fixes from Greg KH: "Here are two staging driver fixes for 5.17-rc4. These are: - fbtft error path fix - vc04_services rcu dereference fix Both of these have been in linux-next for a while with no reported issues" * tag 'staging-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: fbtft: Fix error path in fbtft_driver_module_init() staging: vc04_services: Fix RCU dereference check
2022-02-12Merge tag 'tty-5.17-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are four small tty/serial fixes for 5.17-rc4. They are: - 8250_pericom change revert to fix a reported regression - two speculation fixes for vt_ioctl - n_tty regression fix for polling All of these have been in linux-next for a while with no reported issues" * tag 'tty-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: vt_ioctl: add array_index_nospec to VT_ACTIVATE vt_ioctl: fix array_index_nospec in vt_setactivate serial: 8250_pericom: Revert "Re-enable higher baud rates" n_tty: wake up poll(POLLRDNORM) on receiving data
2022-02-12Merge tag 'usb-5.17-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB driver fixes for 5.17-rc4 that resolve some reported issues and add new device ids: - usb-serial new device ids - ulpi cleanup fixes - f_fs use-after-free fix - dwc3 driver fixes - ax88179_178a usb network driver fix - usb gadget fixes There is a revert at the end of this series to resolve a build problem that 0-day found yesterday. Most of these have been in linux-next, except for the last few, and all have now passed 0-day tests" * tag 'usb-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: Revert "usb: dwc2: drd: fix soft connect when gadget is unconfigured" usb: dwc2: drd: fix soft connect when gadget is unconfigured usb: gadget: rndis: check size of RNDIS_MSG_SET command USB: gadget: validate interface OS descriptor requests usb: core: Unregister device on component_add() failure net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup usb: dwc3: gadget: Prevent core from processing stale TRBs USB: serial: cp210x: add CPI Bulk Coin Recycler id USB: serial: cp210x: add NCR Retail IO box id USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 usb: gadget: f_uac2: Define specific wTerminalType usb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE transition usb: raw-gadget: fix handling of dual-direction-capable endpoints usb: usb251xb: add boost-up property support usb: ulpi: Call of_node_put correctly usb: ulpi: Move of_node_put to ulpi_dev_release USB: serial: option: add ZTE MF286D modem USB: serial: ch341: add support for GW Instek USB2.0-Serial devices usb: f_fs: Fix use-after-free for epfile usb: dwc3: xilinx: fix uninitialized return value
2022-02-12Merge tag 's390-5.17-4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 updates from Vasily Gorbik: "Maintainers and reviewers changes: - Add Alexander Gordeev as maintainer for s390. - Christian Borntraeger will focus on s390 KVM maintainership and stays as s390 reviewer. Fixes: - Fix clang build of modules loader KUnit test. - Fix kernel panic in CIO code on FCES path-event when no driver is attached to a device or the driver does not provide the path_event function" * tag 's390-5.17-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/cio: verify the driver availability for path_event call s390/module: fix building test_modules_helpers.o with clang MAINTAINERS: downgrade myself to Reviewer for s390 MAINTAINERS: add Alexander Gordeev as maintainer for s390
2022-02-12Merge tag 'for-linus-5.17a-rc4-tag' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fixes from Juergen Gross: - Two small cleanups - Another fix for addressing the EFI framebuffer above 4GB when running as Xen dom0 - A patch to let Xen guests use reserved bits in MSI- and IO-APIC- registers for extended APIC-IDs the same way KVM guests are doing it already * tag 'for-linus-5.17a-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen/pci: Make use of the helper macro LIST_HEAD() xen/x2apic: Fix inconsistent indenting xen/x86: detect support for extended destination ID xen/x86: obtain full video frame buffer address for Dom0 also under EFI
2022-02-12Merge tag 'seccomp-v5.17-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp fixes from Kees Cook: "This fixes a corner case of fatal SIGSYS being ignored since v5.15. Along with the signal fix is a change to seccomp so that seeing another syscall after a fatal filter result will cause seccomp to kill the process harder. Summary: - Force HANDLER_EXIT even for SIGNAL_UNKILLABLE - Make seccomp self-destruct after fatal filter results - Update seccomp samples for easier behavioral demonstration" * tag 'seccomp-v5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: samples/seccomp: Adjust sample to also provide kill option seccomp: Invalidate seccomp mode to catch death failures signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE
2022-02-12Merge branch 'akpm' (patches from Andrew)Linus Torvalds
Merge misc fixes from Andrew Morton: "5 patches. Subsystems affected by this patch series: binfmt, procfs, and mm (vmscan, memcg, and kfence)" * emailed patches from Andrew Morton <akpm@linux-foundation.org>: kfence: make test case compatible with run time set sample interval mm: memcg: synchronize objcg lists with a dedicated spinlock mm: vmscan: remove deadlock due to throttling failing to make progress fs/proc: task_mmu.c: don't read mapcount for migration entry fs/binfmt_elf: fix PT_LOAD p_align values for loaders
2022-02-12kconfig: fix failing to generate auto.confJing Leng
When the KCONFIG_AUTOCONFIG is specified (e.g. export \ KCONFIG_AUTOCONFIG=output/config/auto.conf), the directory of include/config/ will not be created, so kconfig can't create deps files in it and auto.conf can't be generated. Signed-off-by: Jing Leng <jleng@ambarella.com> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-02-12Revert "usb: dwc2: drd: fix soft connect when gadget is unconfigured"Greg Kroah-Hartman
This reverts commit 269cbcf7b72de6f0016806d4a0cec1d689b55a87. It causes build errors as reported by the kernel test robot. Link: https://lore.kernel.org/r/202202112236.AwoOTtHO-lkp@intel.com Reported-by: kernel test robot <lkp@intel.com> Fixes: 269cbcf7b72d ("usb: dwc2: drd: fix soft connect when gadget is unconfigured") Cc: stable@kernel.org Cc: Amelie Delaunay <amelie.delaunay@foss.st.com> Cc: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com> Cc: Fabrice Gasnier <fabrice.gasnier@foss.st.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-11kfence: make test case compatible with run time set sample intervalPeng Liu
The parameter kfence_sample_interval can be set via boot parameter and late shell command, which is convenient for automated tests and KFENCE parameter optimization. However, KFENCE test case just uses compile-time CONFIG_KFENCE_SAMPLE_INTERVAL, which will make KFENCE test case not run as users desired. Export kfence_sample_interval, so that KFENCE test case can use run-time-set sample interval. Link: https://lkml.kernel.org/r/20220207034432.185532-1-liupeng256@huawei.com Signed-off-by: Peng Liu <liupeng256@huawei.com> Reviewed-by: Marco Elver <elver@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Sumit Semwal <sumit.semwal@linaro.org> Cc: Christian Knig <christian.koenig@amd.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-02-11mm: memcg: synchronize objcg lists with a dedicated spinlockRoman Gushchin
Alexander reported a circular lock dependency revealed by the mmap1 ltp test: LOCKDEP_CIRCULAR (suite: ltp, case: mtest06 (mmap1)) WARNING: possible circular locking dependency detected 5.17.0-20220113.rc0.git0.f2211f194038.300.fc35.s390x+debug #1 Not tainted ------------------------------------------------------ mmap1/202299 is trying to acquire lock: 00000001892c0188 (css_set_lock){..-.}-{2:2}, at: obj_cgroup_release+0x4a/0xe0 but task is already holding lock: 00000000ca3b3818 (&sighand->siglock){-.-.}-{2:2}, at: force_sig_info_to_task+0x38/0x180 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&sighand->siglock){-.-.}-{2:2}: __lock_acquire+0x604/0xbd8 lock_acquire.part.0+0xe2/0x238 lock_acquire+0xb0/0x200 _raw_spin_lock_irqsave+0x6a/0xd8 __lock_task_sighand+0x90/0x190 cgroup_freeze_task+0x2e/0x90 cgroup_migrate_execute+0x11c/0x608 cgroup_update_dfl_csses+0x246/0x270 cgroup_subtree_control_write+0x238/0x518 kernfs_fop_write_iter+0x13e/0x1e0 new_sync_write+0x100/0x190 vfs_write+0x22c/0x2d8 ksys_write+0x6c/0xf8 __do_syscall+0x1da/0x208 system_call+0x82/0xb0 -> #0 (css_set_lock){..-.}-{2:2}: check_prev_add+0xe0/0xed8 validate_chain+0x736/0xb20 __lock_acquire+0x604/0xbd8 lock_acquire.part.0+0xe2/0x238 lock_acquire+0xb0/0x200 _raw_spin_lock_irqsave+0x6a/0xd8 obj_cgroup_release+0x4a/0xe0 percpu_ref_put_many.constprop.0+0x150/0x168 drain_obj_stock+0x94/0xe8 refill_obj_stock+0x94/0x278 obj_cgroup_charge+0x164/0x1d8 kmem_cache_alloc+0xac/0x528 __sigqueue_alloc+0x150/0x308 __send_signal+0x260/0x550 send_signal+0x7e/0x348 force_sig_info_to_task+0x104/0x180 force_sig_fault+0x48/0x58 __do_pgm_check+0x120/0x1f0 pgm_check_handler+0x11e/0x180 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&sighand->siglock); lock(css_set_lock); lock(&sighand->siglock); lock(css_set_lock); *** DEADLOCK *** 2 locks held by mmap1/202299: #0: 00000000ca3b3818 (&sighand->siglock){-.-.}-{2:2}, at: force_sig_info_to_task+0x38/0x180 #1: 00000001892ad560 (rcu_read_lock){....}-{1:2}, at: percpu_ref_put_many.constprop.0+0x0/0x168 stack backtrace: CPU: 15 PID: 202299 Comm: mmap1 Not tainted 5.17.0-20220113.rc0.git0.f2211f194038.300.fc35.s390x+debug #1 Hardware name: IBM 3906 M04 704 (LPAR) Call Trace: dump_stack_lvl+0x76/0x98 check_noncircular+0x136/0x158 check_prev_add+0xe0/0xed8 validate_chain+0x736/0xb20 __lock_acquire+0x604/0xbd8 lock_acquire.part.0+0xe2/0x238 lock_acquire+0xb0/0x200 _raw_spin_lock_irqsave+0x6a/0xd8 obj_cgroup_release+0x4a/0xe0 percpu_ref_put_many.constprop.0+0x150/0x168 drain_obj_stock+0x94/0xe8 refill_obj_stock+0x94/0x278 obj_cgroup_charge+0x164/0x1d8 kmem_cache_alloc+0xac/0x528 __sigqueue_alloc+0x150/0x308 __send_signal+0x260/0x550 send_signal+0x7e/0x348 force_sig_info_to_task+0x104/0x180 force_sig_fault+0x48/0x58 __do_pgm_check+0x120/0x1f0 pgm_check_handler+0x11e/0x180 INFO: lockdep is turned off. In this example a slab allocation from __send_signal() caused a refilling and draining of a percpu objcg stock, resulted in a releasing of another non-related objcg. Objcg release path requires taking the css_set_lock, which is used to synchronize objcg lists. This can create a circular dependency with the sighandler lock, which is taken with the locked css_set_lock by the freezer code (to freeze a task). In general it seems that using css_set_lock to synchronize objcg lists makes any slab allocations and deallocation with the locked css_set_lock and any intervened locks risky. To fix the problem and make the code more robust let's stop using css_set_lock to synchronize objcg lists and use a new dedicated spinlock instead. Link: https://lkml.kernel.org/r/Yfm1IHmoGdyUR81T@carbon.dhcp.thefacebook.com Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") Signed-off-by: Roman Gushchin <guro@fb.com> Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com> Tested-by: Alexander Egorenkov <egorenar@linux.ibm.com> Reviewed-by: Waiman Long <longman@redhat.com> Acked-by: Tejun Heo <tj@kernel.org> Reviewed-by: Shakeel Butt <shakeelb@google.com> Reviewed-by: Jeremy Linton <jeremy.linton@arm.com> Tested-by: Jeremy Linton <jeremy.linton@arm.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-02-11mm: vmscan: remove deadlock due to throttling failing to make progressMel Gorman
A soft lockup bug in kcompactd was reported in a private bugzilla with the following visible in dmesg; watchdog: BUG: soft lockup - CPU#33 stuck for 26s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 52s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 78s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 104s! [kcompactd0:479] The machine had 256G of RAM with no swap and an earlier failed allocation indicated that node 0 where kcompactd was run was potentially unreclaimable; Node 0 active_anon:29355112kB inactive_anon:2913528kB active_file:0kB inactive_file:0kB unevictable:64kB isolated(anon):0kB isolated(file):0kB mapped:8kB dirty:0kB writeback:0kB shmem:26780kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 23480320kB writeback_tmp:0kB kernel_stack:2272kB pagetables:24500kB all_unreclaimable? yes Vlastimil Babka investigated a crash dump and found that a task migrating pages was trying to drain PCP lists; PID: 52922 TASK: ffff969f820e5000 CPU: 19 COMMAND: "kworker/u128:3" Call Trace: __schedule schedule schedule_timeout wait_for_completion __flush_work __drain_all_pages __alloc_pages_slowpath.constprop.114 __alloc_pages alloc_migration_target migrate_pages migrate_to_node do_migrate_pages cpuset_migrate_mm_workfn process_one_work worker_thread kthread ret_from_fork This failure is specific to CONFIG_PREEMPT=n builds. The root of the problem is that kcompact0 is not rescheduling on a CPU while a task that has isolated a large number of the pages from the LRU is waiting on kcompact0 to reschedule so the pages can be released. While shrink_inactive_list() only loops once around too_many_isolated, reclaim can continue without rescheduling if sc->skipped_deactivate == 1 which could happen if there was no file LRU and the inactive anon list was not low. Link: https://lkml.kernel.org/r/20220203100326.GD3301@suse.de Fixes: d818fca1cac3 ("mm/vmscan: throttle reclaim and compaction when too may pages are isolated") Signed-off-by: Mel Gorman <mgorman@suse.de> Debugged-by: Vlastimil Babka <vbabka@suse.cz> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Acked-by: Michal Hocko <mhocko@suse.com> Acked-by: David Rientjes <rientjes@google.com> Cc: Hugh Dickins <hughd@google.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Rik van Riel <riel@surriel.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-02-11fs/proc: task_mmu.c: don't read mapcount for migration entryYang Shi
The syzbot reported the below BUG: kernel BUG at include/linux/page-flags.h:785! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline] RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744 Call Trace: page_mapcount include/linux/mm.h:837 [inline] smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466 smaps_pte_entry fs/proc/task_mmu.c:538 [inline] smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601 walk_pmd_range mm/pagewalk.c:128 [inline] walk_pud_range mm/pagewalk.c:205 [inline] walk_p4d_range mm/pagewalk.c:240 [inline] walk_pgd_range mm/pagewalk.c:277 [inline] __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379 walk_page_vma+0x277/0x350 mm/pagewalk.c:530 smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768 smap_gather_stats fs/proc/task_mmu.c:741 [inline] show_smap+0xc6/0x440 fs/proc/task_mmu.c:822 seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272 seq_read+0x3e0/0x5b0 fs/seq_file.c:162 vfs_read+0x1b5/0x600 fs/read_write.c:479 ksys_read+0x12d/0x250 fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The reproducer was trying to read /proc/$PID/smaps when calling MADV_FREE at the mean time. MADV_FREE may split THPs if it is called for partial THP. It may trigger the below race: CPU A CPU B ----- ----- smaps walk: MADV_FREE: page_mapcount() PageCompound() split_huge_page() page = compound_head(page) PageDoubleMap(page) When calling PageDoubleMap() this page is not a tail page of THP anymore so the BUG is triggered. This could be fixed by elevated refcount of the page before calling mapcount, but that would prevent it from counting migration entries, and it seems overkilling because the race just could happen when PMD is split so all PTE entries of tail pages are actually migration entries, and smaps_account() does treat migration entries as mapcount == 1 as Kirill pointed out. Add a new parameter for smaps_account() to tell this entry is migration entry then skip calling page_mapcount(). Don't skip getting mapcount for device private entries since they do track references with mapcount. Pagemap also has the similar issue although it was not reported. Fixed it as well. [shy828301@gmail.com: v4] Link: https://lkml.kernel.org/r/20220203182641.824731-1-shy828301@gmail.com [nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()] Link: https://lkml.kernel.org/r/20220207171049.1102239-1-nathan@kernel.org Link: https://lkml.kernel.org/r/20220120202805.3369-1-shy828301@gmail.com Fixes: e9b61f19858a ("thp: reintroduce split_huge_page()") Signed-off-by: Yang Shi <shy828301@gmail.com> Signed-off-by: Nathan Chancellor <nathan@kernel.org> Reported-by: syzbot+1f52b3a18d5633fa7f82@syzkaller.appspotmail.com Acked-by: David Hildenbrand <david@redhat.com> Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> Cc: Jann Horn <jannh@google.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-02-11fs/binfmt_elf: fix PT_LOAD p_align values for loadersMike Rapoport
Rui Salvaterra reported that Aisleroit solitaire crashes with "Wrong __data_start/_end pair" assertion from libgc after update to v5.17-rc1. Bisection pointed to commit 9630f0d60fec ("fs/binfmt_elf: use PT_LOAD p_align values for static PIE") that fixed handling of static PIEs, but made the condition that guards load_bias calculation to exclude loader binaries. Restoring the check for presence of interpreter fixes the problem. Link: https://lkml.kernel.org/r/20220202121433.3697146-1-rppt@kernel.org Fixes: 9630f0d60fec ("fs/binfmt_elf: use PT_LOAD p_align values for static PIE") Signed-off-by: Mike Rapoport <rppt@linux.ibm.com> Reported-by: Rui Salvaterra <rsalvaterra@gmail.com> Tested-by: Rui Salvaterra <rsalvaterra@gmail.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Eric Biederman <ebiederm@xmission.com> Cc: "H.J. Lu" <hjl.tools@gmail.com> Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-02-11Merge tag 'soc-fixes-5.17-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "This is a fairly large set of bugfixes, most of which had been sent a while ago but only now made it into the soc tree: Maintainer file updates: - Claudiu Beznea now co-maintains the at91 soc family, replacing Ludovic Desroches. - Michael Walle maintains the sl28cpld drivers - Alain Volmat and Raphael Gallais-Pou take over some drivers for ST platforms - Alim Akhtar is an additional reviewer for Samsung platforms Code fixes: - Op-tee had a problem with object lifetime that needs a slightly complex fix, as well as another bug with error handling. - Several minor issues for the OMAP platform, including a regression with the timer - A Kconfig change to fix a build-time issue on Intel SoCFPGA Device tree fixes: - The Amlogic Meson platform fixes a boot regression on am1-odroid, a spurious interrupt, and a problem with reserved memory regions - In the i.MX platform, several bug fixes are needed to make devices work correctly: SD card detection, alarmtimer, and sound card on some board. One patch for the GPU got in there by accident and gets reverted again. - TI K3 needs a fix for J721S2 serial port numbers - ux500 needs a fix to mount the SD card as root on the Skomer phone" * tag 'soc-fixes-5.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (46 commits) Revert "arm64: dts: imx8mn-venice-gw7902: disable gpu" arm64: Remove ARCH_VULCAN MAINTAINERS: add myself as a maintainer for the sl28cpld MAINTAINERS: add IRC to ARM sub-architectures and Devicetree MAINTAINERS: arm: samsung: add Git tree and IRC ARM: dts: Fix boot regression on Skomer ARM: dts: spear320: Drop unused and undocumented 'irq-over-gpio' property soc: aspeed: lpc-ctrl: Block error printing on probe defer cases docs/ABI: testing: aspeed-uart-routing: Escape asterisk MAINTAINERS: update drm/stm drm/sti and cec/sti maintainers MAINTAINERS: Update Benjamin Gaignard maintainer status ARM: socfpga: fix missing RESET_CONTROLLER arm64: dts: meson-sm1-odroid: fix boot loop after reboot arm64: dts: meson-g12: drop BL32 region from SEI510/SEI610 arm64: dts: meson-g12: add ATF BL32 reserved-memory region arm64: dts: meson-gx: add ATF BL32 reserved-memory region arm64: dts: meson-sm1-bananapi-m5: fix wrong GPIO domain for GPIOE_2 arm64: dts: meson-sm1-odroid: use correct enable-gpio pin for tf-io regulator arm64: dts: meson-g12b-odroid-n2: fix typo 'dio2133' optee: use driver internal tee_context for some rpc ...
2022-02-11Merge tag 'pci-v5.17-fixes-4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci Pull pci fix from Bjorn Helgaas: "Revert a commit that reduced the number of IRQs used but resulted in interrupt storms (Bjorn Helgaas)" * tag 'pci-v5.17-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: Revert "PCI/portdrv: Do not setup up IRQs if there are no users"
2022-02-11Revert "PCI/portdrv: Do not setup up IRQs if there are no users"Bjorn Helgaas
This reverts commit 0e8ae5a6ff5952253cd7cc0260df838ab4c21009. 0e8ae5a6ff59 ("PCI/portdrv: Do not setup up IRQs if there are no users") reduced usage of IRQs when we don't think we need them. But Joey, Sergiu, and David reported choppy GUI rendering, systems that became unresponsive every few seconds, incorrect values reported by cpufreq, and high IRQ 16 CPU usage. Joey bisected the issues to 0e8ae5a6ff59, so revert it until we figure out a better solution. Link: https://lore.kernel.org/r/20220210222717.GA658201@bhelgaas Link: https://bugzilla.kernel.org/show_bug.cgi?id=215533 Link: https://bugzilla.kernel.org/show_bug.cgi?id=215546 Reported-by: Joey Corleone <joey.corleone@mail.ru> Reported-by: Sergiu Deitsch <sergiu.deitsch@gmail.com> Reported-by: David Spencer <dspencer577@gmail.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Cc: stable@vger.kernel.org # v5.16+ Cc: Jan Kiszka <jan.kiszka@siemens.com>
2022-02-11Merge tag 'riscv-for-linus-5.17-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - A fix to avoid undefined behavior when stack backtracing, which manifests in GCC as incorrect stack addresses - A few fixes for the XIP kernels - A fix to tracking NUMA state on CPU hotplug - Support for the recently relesaed binutils-2.38, which changed the default ISA version to one without CSRs or fence.i in 'I' extension * tag 'riscv-for-linus-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: fix build with binutils 2.38 riscv: cpu-hotplug: clear cpu from numa map when teardown riscv: extable: fix err reg writing in dedicated uaccess handler riscv/mm: Add XIP_FIXUP for riscv_pfn_base riscv/mm: Add XIP_FIXUP for phys_ram_base riscv: Fix XIP_FIXUP_FLASH_OFFSET riscv: eliminate unreliable __builtin_frame_address(1)
2022-02-11Merge tag 'arm64-fixes' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: - Enable Cortex-A510 erratum 2051678 by default as we do with other errata. - arm64 IORT: Check the node revision for PMCG resources to cope with old firmware based on a broken revision of the spec that had no way to describe the second register page (when an implementation is using the recommended RELOC_CTRS feature). * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: ACPI/IORT: Check node revision for PMCG resources arm64: Enable Cortex-A510 erratum 2051678 by default
2022-02-11Merge tag 'acpi-5.17-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "These revert two commits that turned out to be problematic and fix two issues related to wakeup from suspend-to-idle on x86. Specifics: - Revert a recent change that attempted to avoid issues with conflicting address ranges during PCI initialization, because it turned out to introduce a regression (Hans de Goede). - Revert a change that limited EC GPE wakeups from suspend-to-idle to systems based on Intel hardware, because it turned out that systems based on hardware from other vendors depended on that functionality too (Mario Limonciello). - Fix two issues related to the handling of wakeup interrupts and wakeup events signaled through the EC GPE during suspend-to-idle on x86 (Rafael Wysocki)" * tag 'acpi-5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: x86/PCI: revert "Ignore E820 reservations for bridge windows on newer systems" PM: s2idle: ACPI: Fix wakeup interrupts handling ACPI: PM: s2idle: Cancel wakeup before dispatching EC GPE ACPI: PM: Revert "Only mark EC GPE for wakeup on Intel systems"
2022-02-11Merge tag 'gfs2-v5.16-rc3-fixes2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 fixes from Andreas Gruenbacher: - Revert debug commit that causes unexpected data corruption - Fix muti-block reservation regression * tag 'gfs2-v5.16-rc3-fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: gfs2: Fix gfs2_release for non-writers regression Revert "gfs2: check context in gfs2_glock_put"
2022-02-11Merge tag 'block-5.17-2022-02-11' of git://git.kernel.dk/linux-blockLinus Torvalds
Pull block fixes from Jens Axboe: - NVMe pull request - nvme-tcp: fix bogus request completion when failing to send AER (Sagi Grimberg) - add the missing nvme_complete_req tracepoint for batched completion (Bean Huo) - Revert of the loop async autoclear issue that has continued to plague us this release. A few patchsets exists to improve this, but they are too invasive to be considered at this point (Tetsuo) * tag 'block-5.17-2022-02-11' of git://git.kernel.dk/linux-block: loop: revert "make autoclear operation asynchronous" nvme-tcp: fix bogus request completion when failing to send AER nvme: add nvme_complete_req tracepoint for batched completion
2022-02-11Merge tag 'io_uring-5.17-2022-02-11' of git://git.kernel.dk/linux-blockLinus Torvalds
Pull io_uring fixes from Jens Axboe: - Fix a false-positive warning from an older gcc (Alviro) - Allow oom killer invocations from io_uring_setup (Shakeel) * tag 'io_uring-5.17-2022-02-11' of git://git.kernel.dk/linux-block: mm: io_uring: allow oom-killer from io_uring_setup io_uring: Clean up a false-positive warning from GCC 9.3.0
2022-02-11Merge tag 'gpio-fixes-for-v5.17-rc4' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - use sleeping variants of GPIO accessors where needed in gpio-aggregator - never return kernel's internal error codes to user-space in gpiolib core - use the correct register for reading output values in gpio-sifive - fix line hogging in gpio-sim * tag 'gpio-fixes-for-v5.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: sim: fix hogs with custom chip labels gpio: sifive: use the correct register to read output values gpiolib: Never return internal error codes to user space gpio: aggregator: Fix calling into sleeping GPIO controllers
2022-02-11Merge tag 'ata-5.17-rc4-2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata Pull ata fixes from Damien Le Moal: "A couple of additional fixes for 5.17-rc4: - Fix compilation warnings in the sata_fsl driver (powerpc) (me) - Disable TRIM commands on M88V29 devices as these commands are failing despite the device reporting it supports TRIM (Zoltan)" * tag 'ata-5.17-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata: ata: libata-core: Disable TRIM on M88V29 ata: sata_fsl: fix sscanf() and sysfs_emit() format strings
2022-02-11Merge tag 'drm-fixes-2022-02-11' of git://anongit.freedesktop.org/drm/drmLinus Torvalds
Pull drm fixes from Dave Airlie: "Regular fixes pull, mostly i915 and amd fixes, along with a maintainers update for fbdev core. Otherwise just some build fixes and vc4 HDMI fixes. fbdev: - MAINTAINERS: add Daniel as fbdev core module maintainer - build warning fix - implicit type cast fix panel: - simple: Fix assignments from panel_dpi_probe() privacy-screen: - fix docs warning i915: - non-x86 build fix - ttm error propogation fix - drrs on hsw/ivb disabled - BIOS readout fixes - missing stackdepot oops fix amd: - DCN 3.1 display fixes - GC 10.3.1 harvest fix - Page flip irq fix - hwmon label fix - DCN 2.0 display fix rockchip: - fix HDMI error cleanup - fix RK3399 VOP register fields vc4: - HDMI fixes - remove redundant code" * tag 'drm-fixes-2022-02-11' of git://anongit.freedesktop.org/drm/drm: (25 commits) drm/amdgpu/display: change pipe policy for DCN 2.0 drm/amd/pm: fix hwmon node of power1_label create issue drm/amd/display: keep eDP Vdd on when eDP stream is already enabled drm/amd/display: fix yellow carp wm clamping drm/amd/display: Cap pflip irqs per max otg number drm/amdgpu: add utcl2_harvest to gc 10.3.1 display/amd: decrease message verbosity about watermarks table failure drm/rockchip: vop: Correct RK3399 VOP register fields drm/rockchip: dw_hdmi: Do not leave clock enabled in error case MAINTAINERS: Add entry for fbdev core fbcon: Avoid 'cap' set but not used warning drm/privacy-screen: Fix sphinx warning drm/i915: Workaround broken BIOS DBUF configuration on TGL/RKL drm/i915: Populate pipe dbuf slices more accurately during readout drm/i915: Allow !join_mbus cases for adlp+ dbuf configuration drm/i915: Fix header test for !CONFIG_X86 drm/i915/ttm: Return some errors instead of trying memcpy move drm/i915: Disable DRRS on IVB/HSW port != A drm/i915: Fix oops due to missing stack depot drm/vc4: crtc: Fix redundant variable assignment ...
2022-02-11Merge tag 'trace-v5.17-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fixes from Steven Rostedt: - Fixes to the RTLA tooling - A fix to a tp_printk overriding tp_printk_stop_on_boot on the command line * tag 'trace-v5.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing: Fix tp_printk option related with tp_printk_stop_on_boot MAINTAINERS: Add RTLA entry rtla: Fix segmentation fault when failing to enable -t rtla/trace: Error message fixup rtla/utils: Fix session duration parsing rtla: Follow kernel version
2022-02-11gfs2: Fix gfs2_release for non-writers regressionBob Peterson
When a file is opened for writing, the vfs code (do_dentry_open) calls get_write_access for the inode, thus incrementing the inode's write count. That writer normally then creates a multi-block reservation for the inode (i_res) that can be re-used by other writers, which speeds up writes for applications that stupidly loop on open/write/close. When the writes are all done, the multi-block reservation should be deleted when the file is closed by the last "writer." Commit 0ec9b9ea4f83 broke that concept when it moved the call to gfs2_rs_delete before the check for FMODE_WRITE. Non-writers have no business removing the multi-block reservations of writers. In fact, if someone opens and closes the file for RO while a writer has a multi-block reservation, the RO closer will delete the reservation midway through the write, and this results in: kernel BUG at fs/gfs2/rgrp.c:677! (or thereabouts) which is: BUG_ON(rs->rs_requested); from function gfs2_rs_deltree. This patch moves the check back inside the check for FMODE_WRITE. Fixes: 0ec9b9ea4f83 ("gfs2: Check for active reservation in gfs2_release") Cc: stable@vger.kernel.org # v5.12+ Signed-off-by: Bob Peterson <rpeterso@redhat.com> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-02-11Revert "gfs2: check context in gfs2_glock_put"Andreas Gruenbacher
It turns out that the might_sleep() call that commit 660a6126f8c3 adds is triggering occasional data corruption in testing. We're not sure about the root cause yet, but since this commit was added as a debugging aid only, revert it for now. This reverts commit 660a6126f8c3208f6df8d552039cda078a8426d1. Fixes: 660a6126f8c3 ("gfs2: check context in gfs2_glock_put") Cc: stable@vger.kernel.org # v5.16+ Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-02-11Merge branch 'acpi-x86'Rafael J. Wysocki
Merge a revert of a problematic commit for 5.17-rc4. * acpi-x86: x86/PCI: revert "Ignore E820 reservations for bridge windows on newer systems"
2022-02-11Merge tag 'usb-serial-5.17-rc4' of ↵Greg Kroah-Hartman
https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial fixes for 5.17-rc4 Here are some new device ids for 5.17-rc4. All have been in linux-next with no reported issues. * tag 'usb-serial-5.17-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: cp210x: add CPI Bulk Coin Recycler id USB: serial: cp210x: add NCR Retail IO box id USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 USB: serial: option: add ZTE MF286D modem USB: serial: ch341: add support for GW Instek USB2.0-Serial devices
2022-02-11loop: revert "make autoclear operation asynchronous"Tetsuo Handa
The kernel test robot is reporting that xfstest which does umount ext2 on xfs umount xfs sequence started failing, for commit 322c4293ecc58110 ("loop: make autoclear operation asynchronous") removed a guarantee that fput() of backing file is processed before lo_release() from close() returns to user mode. And syzbot is reporting that deferring destroy_workqueue() from __loop_clr_fd() to a WQ context did not help [1]. Revert that commit. Link: https://syzkaller.appspot.com/bug?extid=831661966588c802aae9 [1] Reported-by: kernel test robot <oliver.sang@intel.com> Acked-by: Jan Kara <jack@suse.cz> Reviewed-by: Christoph Hellwig <hch@lst.de> Reported-by: syzbot <syzbot+831661966588c802aae9@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/20220211071554.3424-1-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Jens Axboe <axboe@kernel.dk>
2022-02-11iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTLMathias Krause
If we fail to copy the just created file descriptor to userland, we try to clean up by putting back 'fd' and freeing 'ib'. The code uses put_unused_fd() for the former which is wrong, as the file descriptor was already published by fd_install() which gets called internally by anon_inode_getfd(). This makes the error handling code leaving a half cleaned up file descriptor table around and a partially destructed 'file' object, allowing userland to play use-after-free tricks on us, by abusing the still usable fd and making the code operate on a dangling 'file->private_data' pointer. Instead of leaving the kernel in a partially corrupted state, don't attempt to explicitly clean up and leave this to the process exit path that'll release any still valid fds, including the one created by the previous call to anon_inode_getfd(). Simply return -EFAULT to indicate the error. Fixes: f73f7f4da581 ("iio: buffer: add ioctl() to support opening extra buffers for IIO device") Cc: stable@kernel.org Cc: Jonathan Cameron <jic23@kernel.org> Cc: Alexandru Ardelean <ardeleanalex@gmail.com> Cc: Lars-Peter Clausen <lars@metafoo.de> Cc: Nuno Sa <Nuno.Sa@analog.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mathias Krause <minipli@grsecurity.net> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-11usb: dwc2: drd: fix soft connect when gadget is unconfiguredFabrice Gasnier
When the gadget driver hasn't been (yet) configured, and the cable is connected to a HOST, the SFTDISCON gets cleared unconditionally, so the HOST tries to enumerate it. At the host side, this can result in a stuck USB port or worse. When getting lucky, some dmesg can be observed at the host side: new high-speed USB device number ... device descriptor read/64, error -110 Fix it in drd, by checking the enabled flag before calling dwc2_hsotg_core_connect(). It will be called later, once configured, by the normal flow: - udc_bind_to_driver - usb_gadget_connect - dwc2_hsotg_pullup - dwc2_hsotg_core_connect Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support") Cc: stable@kernel.org Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com> Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com> Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com> Link: https://lore.kernel.org/r/1644423353-17859-1-git-send-email-fabrice.gasnier@foss.st.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-11usb: gadget: rndis: check size of RNDIS_MSG_SET commandGreg Kroah-Hartman
Check the size of the RNDIS_MSG_SET command given to us before attempting to respond to an invalid message size. Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com> Cc: stable@kernel.org Tested-by: Szymon Heidrich <szymon.heidrich@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-11USB: gadget: validate interface OS descriptor requestsSzymon Heidrich
Stall the control endpoint in case provided index exceeds array size of MAX_CONFIG_INTERFACES or when the retrieved function pointer is null. Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-11usb: core: Unregister device on component_add() failureFabio M. De Francesco
Commit 8c67d06f3fd9 ("usb: Link the ports to the connectors they are attached to") creates a link to the USB Type-C connector for every new port that is added when possible. If component_add() fails, usb_hub_create_port_device() prints a warning but does not unregister the device and does not return errors to the callers. Syzbot reported a "WARNING in component_del()". Fix this issue in usb_hub_create_port_device by calling device_unregister() and returning the errors from component_add(). Fixes: 8c67d06f3fd9 ("usb: Link the ports to the connectors they are attached to") Reported-and-tested-by: syzbot+60df062e1c41940cae0f@syzkaller.appspotmail.com Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com> Link: https://lore.kernel.org/r/20220209164500.8769-1-fmdefrancesco@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-11net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixupJann Horn
ax88179_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack. - A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data. I have tested that this can be used by a malicious USB device to send a bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response that contains random kernel heap data. It's probably also possible to get OOB writes from this on a little-endian system somehow - maybe by triggering skb_cow() via IP options processing -, but I haven't tested that. Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") Cc: stable@kernel.org Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>