From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA311C433EF for ; Mon, 21 Mar 2022 14:03:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244924AbiCUOEl (ORCPT ); Mon, 21 Mar 2022 10:04:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58892 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349104AbiCUN7J (ORCPT ); Mon, 21 Mar 2022 09:59:09 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 866CE10CC; Mon, 21 Mar 2022 06:57:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2E597B81598; Mon, 21 Mar 2022 13:57:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5D7B6C340E8; Mon, 21 Mar 2022 13:57:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871060; bh=5yEzG5mCcTVSwH9OiUgBrwqHfwd0OfKOqGsA5QmuISQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Dk3DP0+Mlg5VFzLTfCZJEEue4hu9BijiY9d4ES2ZKJxJA4mAXfAp4Q+x4kXP2knUa 61zMGUWY6Z3S/2PPUeQPEO4ZBiWbpw3WPpq1392wzrJhrW4nToWz1ySdxRY0aaAACN TaTPe3Ddsi2MSF++1pMDH/1rW80xJXhES/R6WFFA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Brian Masney , Bjorn Andersson , Andrew Halaney , Herbert Xu Subject: [PATCH 5.4 01/17] crypto: qcom-rng - ensure buffer for generate is completely filled Date: Mon, 21 Mar 2022 14:52:37 +0100 Message-Id: <20220321133217.193115204@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Brian Masney commit a680b1832ced3b5fa7c93484248fd221ea0d614b upstream. The generate function in struct rng_alg expects that the destination buffer is completely filled if the function returns 0. qcom_rng_read() can run into a situation where the buffer is partially filled with randomness and the remaining part of the buffer is zeroed since qcom_rng_generate() doesn't check the return value. This issue can be reproduced by running the following from libkcapi: kcapi-rng -b 9000000 > OUTFILE The generated OUTFILE will have three huge sections that contain all zeros, and this is caused by the code where the test 'val & PRNG_STATUS_DATA_AVAIL' fails. Let's fix this issue by ensuring that qcom_rng_read() always returns with a full buffer if the function returns success. Let's also have qcom_rng_generate() return the correct value. Here's some statistics from the ent project (https://www.fourmilab.ch/random/) that shows information about the quality of the generated numbers: $ ent -c qcom-random-before Value Char Occurrences Fraction 0 606748 0.067416 1 33104 0.003678 2 33001 0.003667 ... 253 =EF=BF=BD 32883 0.003654 254 =EF=BF=BD 33035 0.003671 255 =EF=BF=BD 33239 0.003693 Total: 9000000 1.000000 Entropy =3D 7.811590 bits per byte. Optimum compression would reduce the size of this 9000000 byte file by 2 percent. Chi square distribution for 9000000 samples is 9329962.81, and randomly would exceed this value less than 0.01 percent of the times. Arithmetic mean value of data bytes is 119.3731 (127.5 =3D random). Monte Carlo value for Pi is 3.197293333 (error 1.77 percent). Serial correlation coefficient is 0.159130 (totally uncorrelated =3D 0.0). Without this patch, the results of the chi-square test is 0.01%, and the numbers are certainly not random according to ent's project page. The results improve with this patch: $ ent -c qcom-random-after Value Char Occurrences Fraction 0 35432 0.003937 1 35127 0.003903 2 35424 0.003936 ... 253 =EF=BF=BD 35201 0.003911 254 =EF=BF=BD 34835 0.003871 255 =EF=BF=BD 35368 0.003930 Total: 9000000 1.000000 Entropy =3D 7.999979 bits per byte. Optimum compression would reduce the size of this 9000000 byte file by 0 percent. Chi square distribution for 9000000 samples is 258.77, and randomly would exceed this value 42.24 percent of the times. Arithmetic mean value of data bytes is 127.5006 (127.5 =3D random). Monte Carlo value for Pi is 3.141277333 (error 0.01 percent). Serial correlation coefficient is 0.000468 (totally uncorrelated =3D 0.0). This change was tested on a Nexus 5 phone (msm8974 SoC). Signed-off-by: Brian Masney Fixes: ceec5f5b5988 ("crypto: qcom-rng - Add Qcom prng driver") Cc: stable@vger.kernel.org # 4.19+ Reviewed-by: Bjorn Andersson Reviewed-by: Andrew Halaney Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/crypto/qcom-rng.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) --- a/drivers/crypto/qcom-rng.c +++ b/drivers/crypto/qcom-rng.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include #include @@ -42,16 +43,19 @@ static int qcom_rng_read(struct qcom_rng { unsigned int currsize =3D 0; u32 val; + int ret; =20 /* read random data from hardware */ do { - val =3D readl_relaxed(rng->base + PRNG_STATUS); - if (!(val & PRNG_STATUS_DATA_AVAIL)) - break; + ret =3D readl_poll_timeout(rng->base + PRNG_STATUS, val, + val & PRNG_STATUS_DATA_AVAIL, + 200, 10000); + if (ret) + return ret; =20 val =3D readl_relaxed(rng->base + PRNG_DATA_OUT); if (!val) - break; + return -EINVAL; =20 if ((max - currsize) >=3D WORD_SZ) { memcpy(data, &val, WORD_SZ); @@ -60,11 +64,10 @@ static int qcom_rng_read(struct qcom_rng } else { /* copy only remaining bytes */ memcpy(data, &val, max - currsize); - break; } } while (currsize < max); =20 - return currsize; + return 0; } =20 static int qcom_rng_generate(struct crypto_rng *tfm, @@ -86,7 +89,7 @@ static int qcom_rng_generate(struct cryp mutex_unlock(&rng->lock); clk_disable_unprepare(rng->clk); =20 - return 0; + return ret; } =20 static int qcom_rng_seed(struct crypto_rng *tfm, const u8 *seed, From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9798AC433F5 for ; Mon, 21 Mar 2022 14:04:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348917AbiCUOFl (ORCPT ); Mon, 21 Mar 2022 10:05:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60300 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349169AbiCUN7d (ORCPT ); Mon, 21 Mar 2022 09:59:33 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F83D22513; Mon, 21 Mar 2022 06:58:08 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E4A5FB81598; Mon, 21 Mar 2022 13:58:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2F026C340E8; Mon, 21 Mar 2022 13:58:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871085; bh=9BTH4l2nUijaCftcHoyPmyiVcOiGnzGXNLmpimNUF+w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bb+45hAll1IA8gcfZWTyCSDGj6YRLbDiC48Bg2aAFUpUcKPmIEUQQX+PUczEGNtX0 Yghpx0WfzalHN3AsWZmHGNCA3OPx64l/0Kaa8+RZ1DKR7bCFAXutUpPYGV3E3yzlxS Xm378gO3qlWu9pnJb3GU+R2Y1ObzoPO3/tSdJCGw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Gang He , Jun Piao , Andrew Morton , Linus Torvalds Subject: [PATCH 5.4 02/17] ocfs2: fix crash when initialize filecheck kobj fails Date: Mon, 21 Mar 2022 14:52:38 +0100 Message-Id: <20220321133217.223599318@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Joseph Qi commit 7b0b1332cfdb94489836b67d088a779699f8e47e upstream. Once s_root is set, genric_shutdown_super() will be called if fill_super() fails. That means, we will call ocfs2_dismount_volume() twice in such case, which can lead to kernel crash. Fix this issue by initializing filecheck kobj before setting s_root. Link: https://lkml.kernel.org/r/20220310081930.86305-1-joseph.qi@linux.alib= aba.com Fixes: 5f483c4abb50 ("ocfs2: add kobject for online file check") Signed-off-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- fs/ocfs2/super.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) --- a/fs/ocfs2/super.c +++ b/fs/ocfs2/super.c @@ -1100,17 +1100,6 @@ static int ocfs2_fill_super(struct super goto read_super_error; } =20 - root =3D d_make_root(inode); - if (!root) { - status =3D -ENOMEM; - mlog_errno(status); - goto read_super_error; - } - - sb->s_root =3D root; - - ocfs2_complete_mount_recovery(osb); - osb->osb_dev_kset =3D kset_create_and_add(sb->s_id, NULL, &ocfs2_kset->kobj); if (!osb->osb_dev_kset) { @@ -1128,6 +1117,17 @@ static int ocfs2_fill_super(struct super goto read_super_error; } =20 + root =3D d_make_root(inode); + if (!root) { + status =3D -ENOMEM; + mlog_errno(status); + goto read_super_error; + } + + sb->s_root =3D root; + + ocfs2_complete_mount_recovery(osb); + if (ocfs2_mount_local(osb)) snprintf(nodestr, sizeof(nodestr), "local"); else From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1EA52C433EF for ; Mon, 21 Mar 2022 14:04:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348930AbiCUOFp (ORCPT ); Mon, 21 Mar 2022 10:05:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60362 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349173AbiCUN7e (ORCPT ); Mon, 21 Mar 2022 09:59:34 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8C438255B0; Mon, 21 Mar 2022 06:58:09 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2778E6126A; Mon, 21 Mar 2022 13:58:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id EBA33C340E8; Mon, 21 Mar 2022 13:58:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871088; bh=hg12RVOcVeX/qVd5Vr1cnlSIyR3Is5JuwGoCxLJRNE8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BIDLf2+evEhqzuOEWkDvjKHlZHS3qhZ4ohu3hjLxARW6tuM8pR2UJoVFGwWIhdpTy aRZItNnGDh9YfSc2QpeU6Z9cx8nC+32tXPRv/vr/9w0rInAIKVLXBpng4vM6yemkPj wcD0fQSNltxFAaESI2nb8gAdndzSGUV7GO0mKllU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Randy Dunlap , Igor Zhbanov , Ard Biesheuvel , linux-efi@vger.kernel.org, Lukas Wunner , Octavian Purdila , "Rafael J. Wysocki" , Matt Fleming , Sasha Levin Subject: [PATCH 5.4 03/17] efi: fix return value of __setup handlers Date: Mon, 21 Mar 2022 14:52:39 +0100 Message-Id: <20220321133217.252494434@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Randy Dunlap [ Upstream commit 9feaf8b387ee0ece9c1d7add308776b502a35d0c ] When "dump_apple_properties" is used on the kernel boot command line, it causes an Unknown parameter message and the string is added to init's argument strings: Unknown kernel command line parameters "dump_apple_properties BOOT_IMAGE=3D/boot/bzImage-517rc6 efivar_ssdt=3Dnewcpu_ssdt", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init dump_apple_properties with environment: HOME=3D/ TERM=3Dlinux BOOT_IMAGE=3D/boot/bzImage-517rc6 efivar_ssdt=3Dnewcpu_ssdt Similarly when "efivar_ssdt=3Dsomestring" is used, it is added to the Unknown parameter message and to init's environment strings, polluting them (see examples above). Change the return value of the __setup functions to 1 to indicate that the __setup options have been handled. Fixes: 58c5475aba67 ("x86/efi: Retrieve and assign Apple device properties") Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Ard Biesheuvel Cc: linux-efi@vger.kernel.org Cc: Lukas Wunner Cc: Octavian Purdila Cc: "Rafael J. Wysocki" Cc: Matt Fleming Link: https://lore.kernel.org/r/20220301041851.12459-1-rdunlap@infradead.org Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/firmware/efi/apple-properties.c | 2 +- drivers/firmware/efi/efi.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/apple-properties.c b/drivers/firmware/efi= /apple-properties.c index 0e206c9e0d7a..7ad2d85d7270 100644 --- a/drivers/firmware/efi/apple-properties.c +++ b/drivers/firmware/efi/apple-properties.c @@ -23,7 +23,7 @@ static bool dump_properties __initdata; static int __init dump_properties_enable(char *arg) { dump_properties =3D true; - return 0; + return 1; } =20 __setup("dump_apple_properties", dump_properties_enable); diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 415d7b3a59f8..8fd74a7501d4 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -231,7 +231,7 @@ static int __init efivar_ssdt_setup(char *str) memcpy(efivar_ssdt, str, strlen(str)); else pr_warn("efivar_ssdt: name too long: %s\n", str); - return 0; + return 1; } __setup("efivar_ssdt=3D", efivar_ssdt_setup); =20 --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DBF2C433F5 for ; Mon, 21 Mar 2022 14:04:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243645AbiCUOFv (ORCPT ); Mon, 21 Mar 2022 10:05:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60518 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349185AbiCUN7k (ORCPT ); Mon, 21 Mar 2022 09:59:40 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CFE2C2529B; Mon, 21 Mar 2022 06:58:13 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7EF79B816CE; Mon, 21 Mar 2022 13:58:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E8625C340E8; Mon, 21 Mar 2022 13:58:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871091; bh=cBni2buC7H1TRb79ApwE1RHigOmlD6zjLemNukfcyac=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DJeWaVRU1rqR4aqZ1kBiYY2a79Acz1mz/suNRFPK5N6FjxEFv0q9XoALWICvoDSR5 KKBlGQMFnQqA/vWjveU4r8+R16Fy6bWA00NzymGGEfdqLNfOfaEr+587geD+qsqAV2 TTWFms5+/gp5S8gecxsd13aYdsO1BCdzv7oj8cVg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kurt Cancemi , Andrew Lunn , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 04/17] net: phy: marvell: Fix invalid comparison in the resume and suspend functions Date: Mon, 21 Mar 2022 14:52:40 +0100 Message-Id: <20220321133217.282060904@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kurt Cancemi [ Upstream commit 837d9e49402eaf030db55a49f96fc51d73b4b441 ] This bug resulted in only the current mode being resumed and suspended when the PHY supported both fiber and copper modes and when the PHY only support= ed copper mode the fiber mode would incorrectly be attempted to be resumed and suspended. Fixes: 3758be3dc162 ("Marvell phy: add functions to suspend and resume both= interfaces: fiber and copper links.") Signed-off-by: Kurt Cancemi Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/20220312201512.326047-1-kurt@x64architectur= e.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/phy/marvell.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c index 53420c531266..49801c2eb627 100644 --- a/drivers/net/phy/marvell.c +++ b/drivers/net/phy/marvell.c @@ -1408,8 +1408,8 @@ static int marvell_suspend(struct phy_device *phydev) int err; =20 /* Suspend the fiber mode first */ - if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, - phydev->supported)) { + if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, + phydev->supported)) { err =3D marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE); if (err < 0) goto error; @@ -1443,8 +1443,8 @@ static int marvell_resume(struct phy_device *phydev) int err; =20 /* Resume the fiber mode first */ - if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, - phydev->supported)) { + if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, + phydev->supported)) { err =3D marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE); if (err < 0) goto error; --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32549C433F5 for ; Mon, 21 Mar 2022 14:04:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348822AbiCUOFw (ORCPT ); Mon, 21 Mar 2022 10:05:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60610 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349192AbiCUN7m (ORCPT ); Mon, 21 Mar 2022 09:59:42 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A89502529B; Mon, 21 Mar 2022 06:58:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 5502FB816D9; Mon, 21 Mar 2022 13:58:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A40BBC340E8; Mon, 21 Mar 2022 13:58:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871094; bh=yPZRnszcRnTlK724j8QKykCYhFFiHM1RE3ZWDxWCnu8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MEGYNFHxj3UZI0MXD2Tb12S3919sWlpyCrBgRRCLQ4Ncm/L6FpukfDIcbVmFcaUVZ AioOJXyGvCeYHrKc9rO87fejzLT+P5O8T6Mv0IZxeiHQ8PHeX2PvkEVFwCkMNM8gTE EadWLSKvt7EqYHH4pmAibacj1HVl9C/wQo/OEocA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 05/17] net/packet: fix slab-out-of-bounds access in packet_recvmsg() Date: Mon, 21 Mar 2022 14:52:41 +0100 Message-Id: <20220321133217.310908340@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric Dumazet [ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ] syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH and mmap operations, tpacket_rcv() is queueing skbs with garbage in skb->cb[], triggering a too big copy [1] Presumably, users of af_packet using mmap() already gets correct metadata from the mapped buffer, we can simply make sure to clear 12 bytes that might be copied to user space later. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:22= 5 [inline] BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/a= f_packet.c:3489 Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631 CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-023= 96-g0b3660695e80 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Goo= gle 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memcpy+0x39/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:225 [inline] packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fdfd5954c29 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 = 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff f= f 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005 RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60 R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54 addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at o= ffset 32 in frame: ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246 this frame has 1 object: [32, 160) 'addr' Memory state around the buggy address: ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 >ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 ^ ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") Signed-off-by: Eric Dumazet Reported-by: syzbot Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail= .com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/packet/af_packet.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index ed11013d4b95..70c102359bfe 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2257,8 +2257,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct n= et_device *dev, copy_skb =3D skb_get(skb); skb_head =3D skb->data; } - if (copy_skb) + if (copy_skb) { + memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0, + sizeof(PACKET_SKB_CB(copy_skb)->sa.ll)); skb_set_owner_r(copy_skb, sk); + } } snaplen =3D po->rx_ring.frame_size - macoff; if ((int)snaplen < 0) { @@ -3405,6 +3408,8 @@ static int packet_recvmsg(struct socket *sock, struct= msghdr *msg, size_t len, sock_recv_ts_and_drops(msg, sk, skb); =20 if (msg->msg_name) { + const size_t max_len =3D min(sizeof(skb->cb), + sizeof(struct sockaddr_storage)); int copy_len; =20 /* If the address length field is there to be filled @@ -3427,6 +3432,10 @@ static int packet_recvmsg(struct socket *sock, struc= t msghdr *msg, size_t len, msg->msg_namelen =3D sizeof(struct sockaddr_ll); } } + if (WARN_ON_ONCE(copy_len > max_len)) { + copy_len =3D max_len; + msg->msg_namelen =3D copy_len; + } memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len); } =20 --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4968DC433F5 for ; Mon, 21 Mar 2022 14:04:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348860AbiCUOGA (ORCPT ); Mon, 21 Mar 2022 10:06:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60640 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349196AbiCUN7o (ORCPT ); Mon, 21 Mar 2022 09:59:44 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B96A8255B0; Mon, 21 Mar 2022 06:58:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5535D6125C; Mon, 21 Mar 2022 13:58:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 63456C340E8; Mon, 21 Mar 2022 13:58:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871096; bh=Iu6+8UKizmEfUSOoYi6/uV6d0fxVYQ5PqqCfF95FSwA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=buYsdJXczLIr17MXuA+xJsLAeh2M7Pu0fOyOcMt7iwBpOqATJdRhfk/sup+Y/2Kja 8lm151kozU8UzYT0uqhNZj2oGPQ8ruSFuFRjie9a1PLXMQqGrdDsxCTNFjpMgEH+MZ ahV2BnGh8LFogX8esEIYJA1DgAu7BWA8MxdiuO9E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jiasheng Jiang , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 06/17] atm: eni: Add check for dma_map_single Date: Mon, 21 Mar 2022 14:52:42 +0100 Message-Id: <20220321133217.340072563@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jiasheng Jiang [ Upstream commit 0f74b29a4f53627376cf5a5fb7b0b3fa748a0b2b ] As the potential failure of the dma_map_single(), it should be better to check it and return error if fails. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jiasheng Jiang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/atm/eni.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c index de52428b8833..4816db0553ef 100644 --- a/drivers/atm/eni.c +++ b/drivers/atm/eni.c @@ -1116,6 +1116,8 @@ DPRINTK("iovcnt =3D %d\n",skb_shinfo(skb)->nr_frags); } paddr =3D dma_map_single(&eni_dev->pci_dev->dev,skb->data,skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&eni_dev->pci_dev->dev, paddr)) + return enq_next; ENI_PRV_PADDR(skb) =3D paddr; /* prepare DMA queue entries */ j =3D 0; --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D934C433F5 for ; Mon, 21 Mar 2022 14:04:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348861AbiCUOGJ (ORCPT ); Mon, 21 Mar 2022 10:06:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60734 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349200AbiCUN7q (ORCPT ); Mon, 21 Mar 2022 09:59:46 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8CE982529B; Mon, 21 Mar 2022 06:58:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2A8216126A; Mon, 21 Mar 2022 13:58:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 35929C340E8; Mon, 21 Mar 2022 13:58:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871099; bh=piknHTfz8IlmjbVBR/wSKw2KHljvoIVt9GWTNwsHhUU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mkR6W28nRXiMS0PZ/Mh8GkGyfOz3MZjsKkMmAbcNFsRZZvvugadXjr9Lej85gN5qq Z0HEeDILBwlxB3jfUSgp3CaSBgGzloKJoPbpORB+vWXM8FUFeANtbvgxkgy4+UJJn0 PFZFcgNqai5ATwr/ZO92CGBPkXNdwd8W92RPXJdg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jiasheng Jiang , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 07/17] hv_netvsc: Add check for kvmalloc_array Date: Mon, 21 Mar 2022 14:52:43 +0100 Message-Id: <20220321133217.369659883@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jiasheng Jiang [ Upstream commit 886e44c9298a6b428ae046e2fa092ca52e822e6a ] As the potential failure of the kvmalloc_array(), it should be better to check and restore the 'data' if fails in order to avoid the dereference of the NULL pointer. Fixes: 6ae746711263 ("hv_netvsc: Add per-cpu ethtool stats for netvsc") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220314020125.2365084-1-jiasheng@iscas.ac.= cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/hyperv/netvsc_drv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_dr= v.c index 362b7ca6f3b2..57e92c5bfcc9 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -1445,6 +1445,9 @@ static void netvsc_get_ethtool_stats(struct net_devic= e *dev, pcpu_sum =3D kvmalloc_array(num_possible_cpus(), sizeof(struct netvsc_ethtool_pcpu_stats), GFP_KERNEL); + if (!pcpu_sum) + return; + netvsc_get_pcpu_stats(dev, pcpu_sum); for_each_present_cpu(cpu) { struct netvsc_ethtool_pcpu_stats *this_sum =3D &pcpu_sum[cpu]; --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA349C433EF for ; Mon, 21 Mar 2022 14:04:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348736AbiCUOGP (ORCPT ); Mon, 21 Mar 2022 10:06:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60858 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349213AbiCUN7u (ORCPT ); Mon, 21 Mar 2022 09:59:50 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A4622529B; Mon, 21 Mar 2022 06:58:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D58CFB816D2; Mon, 21 Mar 2022 13:58:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E3771C340E8; Mon, 21 Mar 2022 13:58:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871102; bh=bxKaI78TST9aNbXIOxncy2ZRjY5+Q4ivxya09cBs6XE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uu96r14uwG5phlaF6E8e3mpU1B/NtTuUsvjl6NWdNIZulTHmaYpiw29eB/OcTRvZ1 vgfuWYmk192/MAXBLmPdYzeq7W86YiblFAkDIoSsuC9gAmOSGGAW5vGlhqUKOsxy1O q3ueftffgz415zSpnkrhsi8GMjgmQRYdt525QsRk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marek Vasut , Christoph Fritz , Laurent Pinchart , Maxime Ripard , Sam Ravnborg , Thomas Zimmermann , Laurent Pinchart , Maarten Lankhorst , Sasha Levin Subject: [PATCH 5.4 08/17] drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings Date: Mon, 21 Mar 2022 14:52:44 +0100 Message-Id: <20220321133217.397728564@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Marek Vasut [ Upstream commit fc1b6ef7bfb3d1d4df868b1c3e0480cacda6cd81 ] The Innolux G070Y2-L01 supports two modes of operation: 1) FRC=3DLow/NC ... MEDIA_BUS_FMT_RGB666_1X7X3_SPWG ... BPP=3D6 2) FRC=3DHigh ..... MEDIA_BUS_FMT_RGB888_1X7X4_SPWG ... BPP=3D8 Currently the panel description mixes both, BPP from 1) and bus format from 2), which triggers a warning at panel-simple.c:615. Pick the later, set bpp=3D8, fix the warning. Fixes: a5d2ade627dca ("drm/panel: simple: Add support for Innolux G070Y2-L0= 1") Signed-off-by: Marek Vasut Cc: Christoph Fritz Cc: Laurent Pinchart Cc: Maxime Ripard Cc: Sam Ravnborg Cc: Thomas Zimmermann Reviewed-by: Laurent Pinchart Link: https://patchwork.freedesktop.org/patch/msgid/20220220040718.532866-1= -marex@denx.de Signed-off-by: Maarten Lankhorst Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/gpu/drm/panel/panel-simple.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/p= anel-simple.c index f0ea782df836..312a3c4e2331 100644 --- a/drivers/gpu/drm/panel/panel-simple.c +++ b/drivers/gpu/drm/panel/panel-simple.c @@ -1619,7 +1619,7 @@ static const struct display_timing innolux_g070y2_l01= _timing =3D { static const struct panel_desc innolux_g070y2_l01 =3D { .timings =3D &innolux_g070y2_l01_timing, .num_timings =3D 1, - .bpc =3D 6, + .bpc =3D 8, .size =3D { .width =3D 152, .height =3D 91, --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6B645C433F5 for ; Mon, 21 Mar 2022 14:05:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344886AbiCUOGX (ORCPT ); Mon, 21 Mar 2022 10:06:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32840 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349232AbiCUN7y (ORCPT ); Mon, 21 Mar 2022 09:59:54 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9D80B2529B; Mon, 21 Mar 2022 06:58:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 4624BB81598; Mon, 21 Mar 2022 13:58:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F890C340E8; Mon, 21 Mar 2022 13:58:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871105; bh=z5b40hV7USiaybTi52DgQM4KYPVIVs5XmZFdjoSRWQE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dC97XBpaEqAGch/Hpnu9ReTUkIcZati51cN0/4DrxeIPFFym8jMbb/Gnlq2/lGf3E qb67I7IvuZ/MQlEbufsNik0aTs3RIyeKoJUlNe/vFKdflKn7xykWFxMntrCxwNgcQd sC35GLxbUQti8tE2b/fFl/lxIYYPQCcrs3fPGHTI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nicolas Dichtel , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 09/17] net: handle ARPHRD_PIMREG in dev_is_mac_header_xmit() Date: Mon, 21 Mar 2022 14:52:45 +0100 Message-Id: <20220321133217.426561871@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Nicolas Dichtel [ Upstream commit 4ee06de7729d795773145692e246a06448b1eb7a ] This kind of interface doesn't have a mac header. This patch fixes bpf_redirect() to a PIM interface. Fixes: 27b29f63058d ("bpf: add bpf_redirect() helper") Signed-off-by: Nicolas Dichtel Link: https://lore.kernel.org/r/20220315092008.31423-1-nicolas.dichtel@6win= d.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/if_arp.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/if_arp.h b/include/linux/if_arp.h index bf5c5f32c65e..e147ea679467 100644 --- a/include/linux/if_arp.h +++ b/include/linux/if_arp.h @@ -51,6 +51,7 @@ static inline bool dev_is_mac_header_xmit(const struct ne= t_device *dev) case ARPHRD_VOID: case ARPHRD_NONE: case ARPHRD_RAWIP: + case ARPHRD_PIMREG: return false; default: return true; --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58031C433FE for ; Mon, 21 Mar 2022 14:04:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348975AbiCUOEt (ORCPT ); Mon, 21 Mar 2022 10:04:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59090 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349111AbiCUN7L (ORCPT ); Mon, 21 Mar 2022 09:59:11 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 400CE10CC; Mon, 21 Mar 2022 06:57:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id DD594B81598; Mon, 21 Mar 2022 13:57:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4F938C340E8; Mon, 21 Mar 2022 13:57:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871063; bh=iAWoA/KtW5sunOlZanpzjYKJC7pZGFvMadTuEFgrzKQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Lygqz3ANgmJZkHhbMqmsoIRtBqAA7iox7PIFFMMOhjMUKU/ugSQl63V1R1WKnmpZW 22wxyzjOcSVgnSr1aRnw8L73pDQ1THNO0YfJg05Kq7rwzy/++Ov40eQObzE5AZUcYh QMRgUcCcxCv+lDEJPnrd0Qnl1PCLJ178py23n+hQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Miaoqian Lin , Paolo Abeni , Sasha Levin Subject: [PATCH 5.4 10/17] net: dsa: Add missing of_node_put() in dsa_port_parse_of Date: Mon, 21 Mar 2022 14:52:46 +0100 Message-Id: <20220321133217.455384427@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Miaoqian Lin [ Upstream commit cb0b430b4e3acc88c85e0ad2e25f2a25a5765262 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: 6d4e5c570c2d ("net: dsa: get port type at parse time") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220316082602.10785-1-linmq006@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/dsa/dsa2.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c index 70e6fc2edd30..1f27641f9cc0 100644 --- a/net/dsa/dsa2.c +++ b/net/dsa/dsa2.c @@ -669,6 +669,7 @@ static int dsa_port_parse_of(struct dsa_port *dp, struc= t device_node *dn) struct net_device *master; =20 master =3D of_find_net_device_by_node(ethernet); + of_node_put(ethernet); if (!master) return -EPROBE_DEFER; =20 --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8A83C433EF for ; Mon, 21 Mar 2022 14:03:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348784AbiCUOFF (ORCPT ); Mon, 21 Mar 2022 10:05:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59282 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349119AbiCUN7P (ORCPT ); Mon, 21 Mar 2022 09:59:15 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 39C5010CC; Mon, 21 Mar 2022 06:57:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C15BFB816CC; Mon, 21 Mar 2022 13:57:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 10F37C340E8; Mon, 21 Mar 2022 13:57:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871066; bh=jbi74pirWmIJryKTHRKMdiKZsXWXK+wLnFhWCEPB59E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fYafc3GE6Dk9sq1GN64lwXnQWTSnpbCkojE0uTiv0oC3OETOlqCBoapwccsi/OBkn +Rk4nHTj2poDo/JIAoiObNA2fpQBvC0cnzuH4H7qxv62jmJ9j7KETQyeBpMGW/hgR7 9fr7nEGI3IvHScfP9TrBPDCNG8Vt4Ho78NgWXqUE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Arnd Bergmann , James Morse , Catalin Marinas , Sasha Levin Subject: [PATCH 5.4 11/17] arm64: fix clang warning about TRAMP_VALIAS Date: Mon, 21 Mar 2022 14:52:47 +0100 Message-Id: <20220321133217.483718656@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Arnd Bergmann [ Upstream commit 7f34b43e07cb512b28543fdcb9f35d1fbfda9ebc ] The newly introduced TRAMP_VALIAS definition causes a build warning with clang-14: arch/arm64/include/asm/vectors.h:66:31: error: arithmetic on a null pointer= treated as a cast from integer to pointer is a GNU extension [-Werror,-Wnu= ll-pointer-arithmetic] return (char *)TRAMP_VALIAS + SZ_2K * slot; Change the addition to something clang does not complain about. Fixes: bd09128d16fa ("arm64: Add percpu vectors for EL1") Signed-off-by: Arnd Bergmann Acked-by: James Morse Link: https://lore.kernel.org/r/20220316183833.1563139-1-arnd@kernel.org Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/arm64/include/asm/vectors.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/vectors.h b/arch/arm64/include/asm/vect= ors.h index f64613a96d53..bc9a2145f419 100644 --- a/arch/arm64/include/asm/vectors.h +++ b/arch/arm64/include/asm/vectors.h @@ -56,14 +56,14 @@ enum arm64_bp_harden_el1_vectors { DECLARE_PER_CPU_READ_MOSTLY(const char *, this_cpu_vector); =20 #ifndef CONFIG_UNMAP_KERNEL_AT_EL0 -#define TRAMP_VALIAS 0 +#define TRAMP_VALIAS 0ul #endif =20 static inline const char * arm64_get_bp_hardening_vector(enum arm64_bp_harden_el1_vectors slot) { if (arm64_kernel_unmapped_at_el0()) - return (char *)TRAMP_VALIAS + SZ_2K * slot; + return (char *)(TRAMP_VALIAS + SZ_2K * slot); =20 WARN_ON_ONCE(slot =3D=3D EL1_VECTOR_KPTI); =20 --=20 2.34.1 From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A744C433F5 for ; Mon, 21 Mar 2022 14:03:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348988AbiCUOE6 (ORCPT ); Mon, 21 Mar 2022 10:04:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59284 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349118AbiCUN7P (ORCPT ); Mon, 21 Mar 2022 09:59:15 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A471764C; Mon, 21 Mar 2022 06:57:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id AD3CA6126A; Mon, 21 Mar 2022 13:57:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B8C80C340E8; Mon, 21 Mar 2022 13:57:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871069; bh=JBwT2FpWuW+DXrzrhNxMCQ2pX1GZUCBphhPILV5OTbU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OXqbDg7l+fn4GsmxsJ5hi0BssIi07/caBCeAhk+Hel+SqackmIkIiOQx8ebVbqvhs smo58B9oISV20GFC8IWCcw1MxVbSQQ7umhSjL32SBHpQF6lEyZa8MkyROiwLTuDD5A DnSHtX7iKJ5tpHBeh/hzGTnO82q7pruat6iZ2vQI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, Dan Carpenter Subject: [PATCH 5.4 12/17] usb: gadget: rndis: prevent integer overflow in rndis_set_response() Date: Mon, 21 Mar 2022 14:52:48 +0100 Message-Id: <20220321133217.511729578@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Dan Carpenter commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa upstream. If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. Cc: stable@kernel.org Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET comma= nd") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20220301080424.GA17208@kili Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/usb/gadget/function/rndis.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/usb/gadget/function/rndis.c +++ b/drivers/usb/gadget/function/rndis.c @@ -640,6 +640,7 @@ static int rndis_set_response(struct rnd BufLength =3D le32_to_cpu(buf->InformationBufferLength); BufOffset =3D le32_to_cpu(buf->InformationBufferOffset); if ((BufLength > RNDIS_MAX_TOTAL_SIZE) || + (BufOffset > RNDIS_MAX_TOTAL_SIZE) || (BufOffset + 8 >=3D RNDIS_MAX_TOTAL_SIZE)) return -EINVAL; From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D4E5C433EF for ; Mon, 21 Mar 2022 14:03:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348879AbiCUOFM (ORCPT ); Mon, 21 Mar 2022 10:05:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59410 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349126AbiCUN7S (ORCPT ); Mon, 21 Mar 2022 09:59:18 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C67D710CC; Mon, 21 Mar 2022 06:57:52 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 63D586125C; Mon, 21 Mar 2022 13:57:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 767D3C340E8; Mon, 21 Mar 2022 13:57:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871071; bh=iTxtJC1l3ApI+080GeDg+/sXNoxalLmyjWgvZ1KIW7g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=L77uKD0/nJGMbQS0WMfu5y5ecBJlUs4VJxmVLoEfvFZCA+NrO2MCFIA36uvTRzvuu W59N5LIS+A1NAVbkdxU8nlYxtHn/jqVcpv/4ieLDCHNxtXthdN2C615twfjI7G9gbN BqhJEce6ywawTPE6VyKJ/D6b4aQsjoSIyHaTmTsE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , syzbot+348b571beb5eeb70a582@syzkaller.appspotmail.com Subject: [PATCH 5.4 13/17] usb: gadget: Fix use-after-free bug by not setting udc->dev.driver Date: Mon, 21 Mar 2022 14:52:49 +0100 Message-Id: <20220321133217.540026477@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Alan Stern commit 16b1941eac2bd499f065a6739a40ce0011a3d740 upstream. The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:23= 20 Read of size 8 at addr ffff88802b934098 by task udevd/3689 CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b7= 42eb2b #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 dev_uevent+0x712/0x780 drivers/base/core.c:2320 uevent_show+0x1b8/0x380 drivers/base/core.c:2391 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 Although the bug manifested in the driver core, the real cause was a race with the gadget core. dev_uevent() does: if (dev->driver) add_uevent_var(env, "DRIVER=3D%s", dev->driver->name); and between the test and the dereference of dev->driver, the gadget core sets dev->driver to NULL. The race wouldn't occur if the gadget core registered its devices on a real bus, using the standard synchronization techniques of the driver core. However, it's not necessary to make such a large change in order to fix this bug; all we need to do is make sure that udc->dev.driver is always NULL. In fact, there is no reason for udc->dev.driver ever to be set to anything, let alone to the value it currently gets: the address of the gadget's driver. After all, a gadget driver only knows how to manage a gadget, not how to manage a UDC. This patch simply removes the statements in the gadget core that touch udc->dev.driver. Fixes: 2ccea03a8f7e ("usb: gadget: introduce UDC Class") CC: Reported-and-tested-by: syzbot+348b571beb5eeb70a582@syzkaller.appspotmail.c= om Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/YiQgukfFFbBnwJ/9@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/usb/gadget/udc/core.c | 3 --- 1 file changed, 3 deletions(-) --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -1303,7 +1303,6 @@ static void usb_gadget_remove_driver(str usb_gadget_udc_stop(udc); =20 udc->driver =3D NULL; - udc->dev.driver =3D NULL; udc->gadget->dev.driver =3D NULL; } =20 @@ -1352,7 +1351,6 @@ static int udc_bind_to_driver(struct usb driver->function); =20 udc->driver =3D driver; - udc->dev.driver =3D &driver->driver; udc->gadget->dev.driver =3D &driver->driver; =20 usb_gadget_udc_set_speed(udc, driver->max_speed); @@ -1374,7 +1372,6 @@ err1: dev_err(&udc->dev, "failed to start %s: %d\n", udc->driver->function, ret); udc->driver =3D NULL; - udc->dev.driver =3D NULL; udc->gadget->dev.driver =3D NULL; return ret; } From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82848C433FE for ; Mon, 21 Mar 2022 14:03:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348700AbiCUOFV (ORCPT ); Mon, 21 Mar 2022 10:05:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59622 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349134AbiCUN7U (ORCPT ); Mon, 21 Mar 2022 09:59:20 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ADC72BC34; Mon, 21 Mar 2022 06:57:55 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3FA0E611D5; Mon, 21 Mar 2022 13:57:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4BE6CC340E8; Mon, 21 Mar 2022 13:57:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871074; bh=B2PwWKJauXDFQuvSQYT/EWCzPk39Vbs2uYKXUVD7pOM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xS5HMhVBtD9nxfy03qiSWqnTICjoDP8NJmk6Zm/Q1iqt+3icHv0N4fJclSxxkvvm4 z1bx6NpTJsfKtu7E+8ImxGqhOCihWbwEiM93/baeUWj2pSGmIdJaQdPM9UZZNzr5yu drF+xrT4L6ghZv8Qt8rJG5ITpSjGjqVwkVFMzh/8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , syzbot+a48e3d1a875240cab5de@syzkaller.appspotmail.com Subject: [PATCH 5.4 14/17] usb: usbtmc: Fix bug in pipe direction for control transfers Date: Mon, 21 Mar 2022 14:52:50 +0100 Message-Id: <20220321133217.568942903@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Alan Stern commit e9b667a82cdcfe21d590344447d65daed52b353b upstream. The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Call Trace: usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline] The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for all of its transfers, whether they are in or out. It's easy to fix. CC: Reported-and-tested-by: syzbot+a48e3d1a875240cab5de@syzkaller.appspotmail.c= om Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/YiEsYTPEE6lOCOA5@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/usb/class/usbtmc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -1889,6 +1889,7 @@ static int usbtmc_ioctl_request(struct u struct usbtmc_ctrlrequest request; u8 *buffer =3D NULL; int rv; + unsigned int is_in, pipe; unsigned long res; =20 res =3D copy_from_user(&request, arg, sizeof(struct usbtmc_ctrlrequest)); @@ -1898,12 +1899,14 @@ static int usbtmc_ioctl_request(struct u if (request.req.wLength > USBTMC_BUFSIZE) return -EMSGSIZE; =20 + is_in =3D request.req.bRequestType & USB_DIR_IN; + if (request.req.wLength) { buffer =3D kmalloc(request.req.wLength, GFP_KERNEL); if (!buffer) return -ENOMEM; =20 - if ((request.req.bRequestType & USB_DIR_IN) =3D=3D 0) { + if (!is_in) { /* Send control data to device */ res =3D copy_from_user(buffer, request.data, request.req.wLength); @@ -1914,8 +1917,12 @@ static int usbtmc_ioctl_request(struct u } } =20 + if (is_in) + pipe =3D usb_rcvctrlpipe(data->usb_dev, 0); + else + pipe =3D usb_sndctrlpipe(data->usb_dev, 0); rv =3D usb_control_msg(data->usb_dev, - usb_rcvctrlpipe(data->usb_dev, 0), + pipe, request.req.bRequest, request.req.bRequestType, request.req.wValue, @@ -1927,7 +1934,7 @@ static int usbtmc_ioctl_request(struct u goto exit; } =20 - if (rv && (request.req.bRequestType & USB_DIR_IN)) { + if (rv && is_in) { /* Read control data from device */ res =3D copy_to_user(request.data, buffer, rv); if (res) From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5000C433F5 for ; Mon, 21 Mar 2022 14:04:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240343AbiCUOF2 (ORCPT ); Mon, 21 Mar 2022 10:05:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59842 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349147AbiCUN7Y (ORCPT ); Mon, 21 Mar 2022 09:59:24 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6422D7672; Mon, 21 Mar 2022 06:57:58 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id F3D19611D5; Mon, 21 Mar 2022 13:57:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0AB74C340E8; Mon, 21 Mar 2022 13:57:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871077; bh=dGOcXsBKGb+pa/3WupTRMH4qEFSFdcbUJ2kNGLJFczo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wNYvsx8qu26nv3wSAKblb/LEd3/1mpmDYk8Rjtpp3v0ZBt+fND6vYqo40LCbaGIAt xOtGCsA3lpCKE94SOdu/BjzvDWal1CNzoI23Kb4ehsgKY17NaI1x5lMY2Lm04aymwL d+HGK9/rXMvQh9fEiJCXvOYpAxbRNT4/QHcYXL0k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , Dmitry Torokhov , syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.com Subject: [PATCH 5.4 15/17] Input: aiptek - properly check endpoint type Date: Mon, 21 Mar 2022 14:52:51 +0100 Message-Id: <20220321133217.597455661@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Pavel Skripkin commit 5600f6986628dde8881734090588474f54a540a8 upstream. Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint. Fix it by replacing old desc.bNumEndpoints check with usb_find_common_endpoints() helper for finding endpoints Fail log: usb 5-1: BOGUS urb xfer, pipe 1 !=3D type 3 WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/= 0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07= ebd38a0da2 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: usb_hub_wq hub_event ... Call Trace: aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 input_open_device+0x1bb/0x320 drivers/input/input.c:629 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without= endpoints") Reported-and-tested-by: syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.c= om Signed-off-by: Pavel Skripkin Link: https://lore.kernel.org/r/20220308194328.26220-1-paskripkin@gmail.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/input/tablet/aiptek.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) --- a/drivers/input/tablet/aiptek.c +++ b/drivers/input/tablet/aiptek.c @@ -1801,15 +1801,13 @@ aiptek_probe(struct usb_interface *intf, input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_M= AX, 0, 0); input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_= MAX - 1, 0, 0); =20 - /* Verify that a device really has an endpoint */ - if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + err =3D usb_find_common_endpoints(intf->cur_altsetting, + NULL, NULL, &endpoint, NULL); + if (err) { dev_err(&intf->dev, - "interface has %d endpoints, but must have minimum 1\n", - intf->cur_altsetting->desc.bNumEndpoints); - err =3D -EINVAL; + "interface has no int in endpoints, but must have minimum 1\n"); goto fail3; } - endpoint =3D &intf->cur_altsetting->endpoint[0].desc; =20 /* Go set up our URB, which is called when the tablet receives * input. From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02BA8C433EF for ; Mon, 21 Mar 2022 14:04:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345740AbiCUOFc (ORCPT ); Mon, 21 Mar 2022 10:05:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59984 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349155AbiCUN71 (ORCPT ); Mon, 21 Mar 2022 09:59:27 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A5657672; Mon, 21 Mar 2022 06:58:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D1C796125C; Mon, 21 Mar 2022 13:58:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DD750C340E8; Mon, 21 Mar 2022 13:57:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871080; bh=tj33CDVipt3Hwcf7gdEjoaIZbWPVmkUS+u0jcdrdLGM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Xl21rsFR58KjffptMJonZ8hBxrgiTe52k9YSX3KUaluXabObpICw+Yj3bFnekoKLr Gfc6KAJl5cGM/2RWjK+jlM3KBZaU7nBZGoLB3RzjyaQFYmM2o5zOGrU2g2xi+K1HrI xX6mc0NXcdZSksKjQ84kafKgf3gX9Aw9iPZP97/0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michael Petlan , Athira Jajeev , Jiri Olsa , Kajol Jain , Madhavan Srinivasan , Arnaldo Carvalho de Melo Subject: [PATCH 5.4 16/17] perf symbols: Fix symbol size calculation condition Date: Mon, 21 Mar 2022 14:52:52 +0100 Message-Id: <20220321133217.625197205@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Michael Petlan commit 3cf6a32f3f2a45944dd5be5c6ac4deb46bcd3bee upstream. Before this patch, the symbol end address fixup to be called, needed two conditions being met: if (prev->end =3D=3D prev->start && prev->end !=3D curr->start) Where "prev->end =3D=3D prev->start" means that prev is zero-long (and thus needs a fixup) and "prev->end !=3D curr->start" means that fixup hasn't been applied yet However, this logic is incorrect in the following situation: *curr =3D {rb_node =3D {__rb_parent_color =3D 278218928, rb_right =3D 0x0, rb_left =3D 0x0}, start =3D 0xc000000000062354, end =3D 0xc000000000062354, namelen =3D 40, type =3D 2 '\002', binding =3D 0 '\000', idle =3D 0 '\000', ignore =3D 0 '\000', inlined =3D 0 '\000', arch_sym =3D 0 '\000', annotate2 =3D false, name =3D 0x1159739e "kprobe_optinsn_page\t[__builtin__kprobes]"} *prev =3D {rb_node =3D {__rb_parent_color =3D 278219041, rb_right =3D 0x109548b0, rb_left =3D 0x109547c0}, start =3D 0xc000000000062354, end =3D 0xc000000000062354, namelen =3D 12, type =3D 2 '\002', binding =3D 1 '\001', idle =3D 0 '\000', ignore =3D 0 '\000', inlined =3D 0 '\000', arch_sym =3D 0 '\000', annotate2 =3D false, name =3D 0x1095486e "optinsn_slot"} In this case, prev->start =3D=3D prev->end =3D=3D curr->start =3D=3D curr->= end, thus the condition above thinks that "we need a fixup due to zero length of prev symbol, but it has been probably done, since the prev->end =3D=3D curr->start", which is wrong. After the patch, the execution path proceeds to arch__symbols__fixup_end function which fixes up the size of prev symbol by adding page_size to its end offset. Fixes: 3b01a413c196c910 ("perf symbols: Improve kallsyms symbol end addr ca= lculation") Signed-off-by: Michael Petlan Cc: Athira Jajeev Cc: Jiri Olsa Cc: Kajol Jain Cc: Madhavan Srinivasan Link: http://lore.kernel.org/lkml/20220317135536.805-1-mpetlan@redhat.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- tools/perf/util/symbol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/perf/util/symbol.c +++ b/tools/perf/util/symbol.c @@ -231,7 +231,7 @@ void symbols__fixup_end(struct rb_root_c prev =3D curr; curr =3D rb_entry(nd, struct symbol, rb_node); =20 - if (prev->end =3D=3D prev->start && prev->end !=3D curr->start) + if (prev->end =3D=3D prev->start || prev->end !=3D curr->start) arch__symbols__fixup_end(prev, curr); } From nobody Mon Jun 22 15:38:36 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB15AC433FE for ; Mon, 21 Mar 2022 14:04:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348804AbiCUOFh (ORCPT ); Mon, 21 Mar 2022 10:05:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60128 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349161AbiCUN73 (ORCPT ); Mon, 21 Mar 2022 09:59:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3DA0B17E34; Mon, 21 Mar 2022 06:58:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 833786125C; Mon, 21 Mar 2022 13:58:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 937CBC340E8; Mon, 21 Mar 2022 13:58:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647871083; bh=JsBG2MyiRhsA2oGen2dAlVo6MAvoBKtGqss16qFVF4k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YEKPWPwESqiCRGNiviQgHrfGtxs2lVfmjvMI0XJBf5M+5rxEfo1i9OkzhCyJ2wDiC Q51UFqcNez7U+9uW4uE6d3e29BHdSokqyNvHFVS3Q/YOd088rmOPiACEQgMPg0f37i dURGRkS/8r5HKx72DnpJdr63OtAFj+0yvtyhOyhU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Geliang Tang , Tommi Rantala , Kumar Kartikeya Dwivedi , Alexei Starovoitov , Sasha Levin Subject: [PATCH 5.4 17/17] Revert "selftests/bpf: Add test for bpf_timer overwriting crash" Date: Mon, 21 Mar 2022 14:52:53 +0100 Message-Id: <20220321133217.653517515@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220321133217.148831184@linuxfoundation.org> References: <20220321133217.148831184@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Greg Kroah-Hartman This reverts commit dcf55b071de9231e197ba7b1a2d0a423e8d7d33a which is commit a7e75016a0753c24d6c995bc02501ae35368e333 upstream. It is reported to break the bpf self-tests. Reported-by: Geliang Tang Reported-by: Tommi Rantala Cc: Kumar Kartikeya Dwivedi Cc: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220209070324.1093182-3-memxor@gmail.com Cc: Sasha Levin Link: https://lore.kernel.org/r/a0a7298ca5c64b3d0ecfcc8821c2de79186fa9f7.ca= mel@nokia.com Link: https://lore.kernel.org/r/HE1PR0402MB3497CB13A12C4D15D20A1FCCF8139@HE= 1PR0402MB3497.eurprd04.prod.outlook.com Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- tools/testing/selftests/bpf/prog_tests/timer_crash.c | 32 ----------- tools/testing/selftests/bpf/progs/timer_crash.c | 54 --------------= ----- 2 files changed, 86 deletions(-) delete mode 100644 tools/testing/selftests/bpf/prog_tests/timer_crash.c delete mode 100644 tools/testing/selftests/bpf/progs/timer_crash.c --- a/tools/testing/selftests/bpf/prog_tests/timer_crash.c +++ /dev/null @@ -1,32 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 -#include -#include "timer_crash.skel.h" - -enum { - MODE_ARRAY, - MODE_HASH, -}; - -static void test_timer_crash_mode(int mode) -{ - struct timer_crash *skel; - - skel =3D timer_crash__open_and_load(); - if (!ASSERT_OK_PTR(skel, "timer_crash__open_and_load")) - return; - skel->bss->pid =3D getpid(); - skel->bss->crash_map =3D mode; - if (!ASSERT_OK(timer_crash__attach(skel), "timer_crash__attach")) - goto end; - usleep(1); -end: - timer_crash__destroy(skel); -} - -void test_timer_crash(void) -{ - if (test__start_subtest("array")) - test_timer_crash_mode(MODE_ARRAY); - if (test__start_subtest("hash")) - test_timer_crash_mode(MODE_HASH); -} --- a/tools/testing/selftests/bpf/progs/timer_crash.c +++ /dev/null @@ -1,54 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 - -#include -#include -#include - -struct map_elem { - struct bpf_timer timer; - struct bpf_spin_lock lock; -}; - -struct { - __uint(type, BPF_MAP_TYPE_ARRAY); - __uint(max_entries, 1); - __type(key, int); - __type(value, struct map_elem); -} amap SEC(".maps"); - -struct { - __uint(type, BPF_MAP_TYPE_HASH); - __uint(max_entries, 1); - __type(key, int); - __type(value, struct map_elem); -} hmap SEC(".maps"); - -int pid =3D 0; -int crash_map =3D 0; /* 0 for amap, 1 for hmap */ - -SEC("fentry/do_nanosleep") -int sys_enter(void *ctx) -{ - struct map_elem *e, value =3D {}; - void *map =3D crash_map ? (void *)&hmap : (void *)&amap; - - if (bpf_get_current_task_btf()->tgid !=3D pid) - return 0; - - *(void **)&value =3D (void *)0xdeadcaf3; - - bpf_map_update_elem(map, &(int){0}, &value, 0); - /* For array map, doing bpf_map_update_elem will do a - * check_and_free_timer_in_array, which will trigger the crash if timer - * pointer was overwritten, for hmap we need to use bpf_timer_cancel. - */ - if (crash_map =3D=3D 1) { - e =3D bpf_map_lookup_elem(map, &(int){0}); - if (!e) - return 0; - bpf_timer_cancel(&e->timer); - } - return 0; -} - -char _license[] SEC("license") =3D "GPL";