May 2018 - Linux-stable-mirror

[patch 07/16] mm/kasan: don't vfree() nonexistent vm_area

by akpm＠linux-foundation.org

From: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Subject: mm/kasan: don't vfree() nonexistent vm_area KASAN uses different routines to map shadow for hot added memory and memory obtained in boot process. Attempt to offline memory onlined by normal boot process leads to this: Trying to vfree() nonexistent vm area (000000005d3b34b9) WARNING: CPU: 2 PID: 13215 at mm/vmalloc.c:1525 __vunmap+0x147/0x190 Call Trace: kasan_mem_notifier+0xad/0xb9 notifier_call_chain+0x166/0x260 __blocking_notifier_call_chain+0xdb/0x140 __offline_pages+0x96a/0xb10 memory_subsys_offline+0x76/0xc0 device_offline+0xb8/0x120 store_mem_state+0xfa/0x120 kernfs_fop_write+0x1d5/0x320 __vfs_write+0xd4/0x530 vfs_write+0x105/0x340 SyS_write+0xb0/0x140 Obviously we can't call vfree() to free memory that wasn't allocated via vmalloc(). Use find_vm_area() to see if we can call vfree(). Unfortunately it's a bit tricky to properly unmap and free shadow allocated during boot, so we'll have to keep it. If memory will come online again that shadow will be reused. Matthew asked: how can you call vfree() on something that isn't a vmalloc address? vfree() is able to free any address returned by __vmalloc_node_range(). And __vmalloc_node_range() gives you any address you ask. It doesn't have to be an address in [VMALLOC_START, VMALLOC_END] range. That's also how the module_alloc()/module_memfree() works on architectures that have designated area for modules. [aryabinin(a)virtuozzo.com: improve comments] Link: http://lkml.kernel.org/r/dabee6ab-3a7a-51cd-3b86-5468718e0390@virtuozzo.com [akpm(a)linux-foundation.org: fix typos, reflow comment] Link: http://lkml.kernel.org/r/20180201163349.8700-1-aryabinin@virtuozzo.com Fixes: fa69b5989bb0 ("mm/kasan: add support for memory hotplug") Signed-off-by: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Reported-by: Paul Menzel <pmenzel+linux-kasan-dev(a)molgen.mpg.de> Cc: Alexander Potapenko <glider(a)google.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/kasan.c | 63 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 2 deletions(-) diff -puN mm/kasan/kasan.c~mm-kasan-dont-vfree-nonexistent-vm_area mm/kasan/kasan.c --- a/mm/kasan/kasan.c~mm-kasan-dont-vfree-nonexistent-vm_area +++ a/mm/kasan/kasan.c @@ -792,6 +792,40 @@ DEFINE_ASAN_SET_SHADOW(f5); DEFINE_ASAN_SET_SHADOW(f8); #ifdef CONFIG_MEMORY_HOTPLUG +static bool shadow_mapped(unsigned long addr) +{ + pgd_t *pgd = pgd_offset_k(addr); + p4d_t *p4d; + pud_t *pud; + pmd_t *pmd; + pte_t *pte; + + if (pgd_none(*pgd)) + return false; + p4d = p4d_offset(pgd, addr); + if (p4d_none(*p4d)) + return false; + pud = pud_offset(p4d, addr); + if (pud_none(*pud)) + return false; + + /* + * We can't use pud_large() or pud_huge(), the first one is + * arch-specific, the last one depends on HUGETLB_PAGE. So let's abuse + * pud_bad(), if pud is bad then it's bad because it's huge. + */ + if (pud_bad(*pud)) + return true; + pmd = pmd_offset(pud, addr); + if (pmd_none(*pmd)) + return false; + + if (pmd_bad(*pmd)) + return true; + pte = pte_offset_kernel(pmd, addr); + return !pte_none(*pte); +} + static int __meminit kasan_mem_notifier(struct notifier_block *nb, unsigned long action, void *data) { @@ -813,6 +847,14 @@ static int __meminit kasan_mem_notifier( case MEM_GOING_ONLINE: { void *ret; + /* + * If shadow is mapped already than it must have been mapped + * during the boot. This could happen if we onlining previously + * offlined memory. + */ + if (shadow_mapped(shadow_start)) + return NOTIFY_OK; + ret = __vmalloc_node_range(shadow_size, PAGE_SIZE, shadow_start, shadow_end, GFP_KERNEL, PAGE_KERNEL, VM_NO_GUARD, @@ -824,8 +866,25 @@ static int __meminit kasan_mem_notifier( kmemleak_ignore(ret); return NOTIFY_OK; } - case MEM_OFFLINE: - vfree((void *)shadow_start); + case MEM_OFFLINE: { + struct vm_struct *vm; + + /* + * shadow_start was either mapped during boot by kasan_init() + * or during memory online by __vmalloc_node_range(). + * In the latter case we can use vfree() to free shadow. + * Non-NULL result of the find_vm_area() will tell us if + * that was the second case. + * + * Currently it's not possible to free shadow mapped + * during boot by kasan_init(). It's because the code + * to do that hasn't been written yet. So we'll just + * leak the memory. + */ + vm = find_vm_area((void *)shadow_start); + if (vm) + vfree((void *)shadow_start); + } } return NOTIFY_OK; _

6 years, 7 months

1
0
0 0

[patch 05/16] ipc/shm: fix shmat() nil address after round-down when remapping

by akpm＠linux-foundation.org

From: Davidlohr Bueso <dave(a)stgolabs.net> Subject: ipc/shm: fix shmat() nil address after round-down when remapping shmat()'s SHM_REMAP option forbids passing a nil address for; this is in fact the very first thing we check for. Andrea reported that for SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, but we need to check again if the address was rounded down to nil. As of this patch, such cases will return -EINVAL. Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805 Signed-off-by: Davidlohr Bueso <dbueso(a)suse.de> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Joe Lawrence <joe.lawrence(a)redhat.com> Cc: Manfred Spraul <manfred(a)colorfullife.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- ipc/shm.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff -puN ipc/shm.c~ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping ipc/shm.c --- a/ipc/shm.c~ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping +++ a/ipc/shm.c @@ -1363,9 +1363,17 @@ long do_shmat(int shmid, char __user *sh if (addr) { if (addr & (shmlba - 1)) { - if (shmflg & SHM_RND) + if (shmflg & SHM_RND) { addr &= ~(shmlba - 1); /* round down */ - else + + /* + * Ensure that the round-down is non-nil + * when remapping. This can happen for + * cases when addr < shmlba. + */ + if (!addr && (shmflg & SHM_REMAP)) + goto out; + } else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) #endif _

6 years, 7 months

1
0
0 0

[patch 04/16] Revert "ipc/shm: Fix shmat mmap nil-page protection"

by akpm＠linux-foundation.org

From: Davidlohr Bueso <dave(a)stgolabs.net> Subject: Revert "ipc/shm: Fix shmat mmap nil-page protection" Patch series "ipc/shm: shmat() fixes around nil-page". These patches fix two issues reported[1] a while back by Joe and Andrea around how shmat(2) behaves with nil-page. The first reverts a commit that it was incorrectly thought that mapping nil-page (address=0) was a no no with MAP_FIXED. This is not the case, with the exception of SHM_REMAP; which is address in the second patch. I chose two patches because it is easier to backport and it explicitly reverts bogus behaviour. Both patches ought to be in -stable and ltp testcases need updated (the added testcase around the cve can be modified to just test for SHM_RND|SHM_REMAP). [1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805 This patch (of 2): 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") worked on the idea that we should not be mapping as root addr=0 and MAP_FIXED. However, it was reported that this scenario is in fact valid, thus making the patch both bogus and breaks userspace as well. For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem initialization[1]. [1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/… Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") Signed-off-by: Davidlohr Bueso <dbueso(a)suse.de> Reported-by: Joe Lawrence <joe.lawrence(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Manfred Spraul <manfred(a)colorfullife.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- ipc/shm.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff -puN ipc/shm.c~revert-ipc-shm-fix-shmat-mmap-nil-page-protection ipc/shm.c --- a/ipc/shm.c~revert-ipc-shm-fix-shmat-mmap-nil-page-protection +++ a/ipc/shm.c @@ -1363,13 +1363,8 @@ long do_shmat(int shmid, char __user *sh if (addr) { if (addr & (shmlba - 1)) { - /* - * Round down to the nearest multiple of shmlba. - * For sane do_mmap_pgoff() parameters, avoid - * round downs that trigger nil-page and MAP_FIXED. - */ - if ((shmflg & SHM_RND) && addr >= shmlba) - addr &= ~(shmlba - 1); + if (shmflg & SHM_RND) + addr &= ~(shmlba - 1); /* round down */ else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) _

6 years, 7 months

1
0
0 0

[patch 03/16] idr: fix invalid ptr dereference on item delete

by akpm＠linux-foundation.org

From: Matthew Wilcox <mawilcox(a)microsoft.com> Subject: idr: fix invalid ptr dereference on item delete If the radix tree underlying the IDR happens to be full and we attempt to remove an id which is larger than any id in the IDR, we will call __radix_tree_delete() with an uninitialised 'slot' pointer, at which point anything could happen. This was easiest to hit with a single entry at id 0 and attempting to remove a non-0 id, but it could have happened with 64 entries and attempting to remove an id >= 64. Roman said: The syzcaller test boils down to opening /dev/kvm, creating an eventfd, and calling a couple of KVM ioctls. None of this requires superuser. And the result is dereferencing an uninitialized pointer which is likely a crash. The specific path caught by syzbot is via KVM_HYPERV_EVENTD ioctl which is new in 4.17. But I guess there are other user-triggerable paths, so cc:stable is probably justified. Matthew added: We have around 250 calls to idr_remove() in the kernel today. Many of them pass an ID which is embedded in the object they're removing, so they're safe. Picking a few likely candidates: drivers/firewire/core-cdev.c looks unsafe; the ID comes from an ioctl. drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c is similar drivers/atm/nicstar.c could be taken down by a handcrafted packet Link: http://lkml.kernel.org/r/20180518175025.GD6361@bombadil.infradead.org Fixes: 0a835c4f090a ("Reimplement IDR and IDA using the radix tree") Reported-by: <syzbot+35666cba7f0a337e2e79(a)syzkaller.appspotmail.com> Debugged-by: Roman Kagan <rkagan(a)virtuozzo.com> Signed-off-by: Matthew Wilcox <mawilcox(a)microsoft.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/radix-tree.c | 4 +++- tools/testing/radix-tree/idr-test.c | 7 +++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff -puN lib/radix-tree.c~idr-fix-invalid-ptr-dereference-on-item-delete lib/radix-tree.c --- a/lib/radix-tree.c~idr-fix-invalid-ptr-dereference-on-item-delete +++ a/lib/radix-tree.c @@ -2034,10 +2034,12 @@ void *radix_tree_delete_item(struct radi unsigned long index, void *item) { struct radix_tree_node *node = NULL; - void __rcu **slot; + void __rcu **slot = NULL; void *entry; entry = __radix_tree_lookup(root, index, &node, &slot); + if (!slot) + return NULL; if (!entry && (!is_idr(root) || node_tag_get(root, node, IDR_FREE, get_slot_offset(node, slot)))) return NULL; diff -puN tools/testing/radix-tree/idr-test.c~idr-fix-invalid-ptr-dereference-on-item-delete tools/testing/radix-tree/idr-test.c --- a/tools/testing/radix-tree/idr-test.c~idr-fix-invalid-ptr-dereference-on-item-delete +++ a/tools/testing/radix-tree/idr-test.c @@ -252,6 +252,13 @@ void idr_checks(void) idr_remove(&idr, 3); idr_remove(&idr, 0); + assert(idr_alloc(&idr, DUMMY_PTR, 0, 0, GFP_KERNEL) == 0); + idr_remove(&idr, 1); + for (i = 1; i < RADIX_TREE_MAP_SIZE; i++) + assert(idr_alloc(&idr, DUMMY_PTR, 0, 0, GFP_KERNEL) == i); + idr_remove(&idr, 1 << 30); + idr_destroy(&idr); + for (i = INT_MAX - 3UL; i < INT_MAX + 1UL; i++) { struct item *item = item_create(i, 0); assert(idr_alloc(&idr, item, i, i + 10, GFP_KERNEL) == i); _

6 years, 7 months

1
0
0 0

+ mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset has been added to the -mm tree. Its filename is mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-page_alloc-do-not-break-__gfp_t… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-page_alloc-do-not-break-__gfp_t… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Vlastimil Babka <vbabka(a)suse.cz> Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for allocations that can ignore memory policies. The zonelist is obtained from current CPU's node. This is a problem for __GFP_THISNODE allocations that want to allocate on a different node, e.g. because the allocating thread has been migrated to a different CPU. This has been observed to break SLAB in our 4.4-based kernel, because there it relies on __GFP_THISNODE working as intended. If a slab page is put on wrong node's list, then further list manipulations may corrupt the list because page_to_nid() is used to determine which node's list_lock should be locked and thus we may take a wrong lock and race. Current SLAB implementation seems to be immune by luck thanks to commit 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") but there may be others assuming that __GFP_THISNODE works as promised. We can fix it by simply removing the zonelist reset completely. There is actually no reason to reset it, because memory policies and cpusets don't affect the zonelist choice in the first place. This was different when commit 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their own restricted zonelists. We might consider this for 4.17 although I don't know if there's anything currently broken. Stable backports should be more important, but will have to be reviewed carefully, as the code went through many changes. BTW I think that also the ac->preferred_zoneref reset is currently useless if we don't also reset ac->nodemask from a mempolicy to NULL first (which we probably should for the OOM victims etc?), but I would leave that for a separate patch. Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: David Rientjes <rientjes(a)google.com> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 1 - 1 file changed, 1 deletion(-) diff -puN mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset mm/page_alloc.c --- a/mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset +++ a/mm/page_alloc.c @@ -4169,7 +4169,6 @@ retry: * orientated. */ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) { - ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); ac->preferred_zoneref = first_zones_zonelist(ac->zonelist, ac->high_zoneidx, ac->nodemask); } _ Patches currently in -mm which might be from vbabka(a)suse.cz are mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch

6 years, 7 months

1
0
0 0

patch "phy: qcom-qusb2: Fix crash if nvmem cell not specified" added to usb-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled phy: qcom-qusb2: Fix crash if nvmem cell not specified to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 0b4555e776ba0712c6fafb98b226b21fd05d2427 Mon Sep 17 00:00:00 2001 From: Manu Gautam <mgautam(a)codeaurora.org> Date: Thu, 3 May 2018 02:36:10 +0530 Subject: phy: qcom-qusb2: Fix crash if nvmem cell not specified Driver currently crashes due to NULL pointer deference while updating PHY tune register if nvmem cell is NULL. Since, fused value for Tune1/2 register is optional, we'd rather bail out. Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips") Reviewed-by: Vivek Gautam <vivek.gautam(a)codeaurora.org> Reviewed-by: Evan Green <evgreen(a)chromium.org> Cc: stable <stable(a)vger.kernel.org> # 4.14+ Signed-off-by: Manu Gautam <mgautam(a)codeaurora.org> Signed-off-by: Kishon Vijay Abraham I <kishon(a)ti.com> --- drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c index 94afeac1a19e..40fdef8b5b75 100644 --- a/drivers/phy/qualcomm/phy-qcom-qusb2.c +++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c @@ -315,6 +315,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) const struct qusb2_phy_cfg *cfg = qphy->cfg; u8 *val; + /* efuse register is optional */ + if (!qphy->cell) + return; + /* * Read efuse register having TUNE2/1 parameter's high nibble. * If efuse register shows value as 0x0, or if we fail to find -- 2.17.0

6 years, 7 months

1
0
0 0

[PATCH] ext4: Forbid overflowing inode count when resizing

by Jan Kara

ext4_resize_fs() has an off-by-one bug when checking whether growing of a filesystem will not overflow inode count. As a result it allows a filesystem with 8192 inodes per group to grow to 64TB which overflows inode count to 0 and makes filesystem unusable. Fix it. CC: stable(a)vger.kernel.org Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b Reported-by: Jaco Kroon <jaco(a)uls.co.za> Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/resize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c index b6bec270a8e4..d792b7689d92 100644 --- a/fs/ext4/resize.c +++ b/fs/ext4/resize.c @@ -1933,7 +1933,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) return 0; n_group = ext4_get_group_number(sb, n_blocks_count - 1); - if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) { + if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) { ext4_warning(sb, "resize would cause inodes_count overflow"); return -EINVAL; } -- 2.13.6

6 years, 7 months

4
4
0 0

[PATCH] usb: core: message: remove extra endianness conversion in usb_set_isoch_delay

by Ruslan Bilovol

No need to do extra endianness conversion in usb_set_isoch_delay because it is already done in usb_control_msg() Fixes: 886ee36e7205 ("usb: core: add support for USB_REQ_SET_ISOCH_DELAY") Cc: Dmytro Panchenko <dmytro.panchenko(a)globallogic.com> Cc: Felipe Balbi <felipe.balbi(a)linux.intel.com> Cc: stable <stable(a)vger.kernel.org> # v4.16+ Signed-off-by: Ruslan Bilovol <ruslan.bilovol(a)gmail.com> --- drivers/usb/core/message.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 0c11d40..7b13700 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -940,7 +940,7 @@ int usb_set_isoch_delay(struct usb_device *dev) return usb_control_msg(dev, usb_sndctrlpipe(dev, 0), USB_REQ_SET_ISOCH_DELAY, USB_DIR_OUT | USB_TYPE_STANDARD | USB_RECIP_DEVICE, - cpu_to_le16(dev->hub_delay), 0, NULL, 0, + dev->hub_delay, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); } -- 1.9.1

6 years, 7 months

1
0
0 0

patch "phy: qcom-qusb2: Fix crash if nvmem cell not specified" added to usb-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled phy: qcom-qusb2: Fix crash if nvmem cell not specified to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the usb-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 0b4555e776ba0712c6fafb98b226b21fd05d2427 Mon Sep 17 00:00:00 2001 From: Manu Gautam <mgautam(a)codeaurora.org> Date: Thu, 3 May 2018 02:36:10 +0530 Subject: phy: qcom-qusb2: Fix crash if nvmem cell not specified Driver currently crashes due to NULL pointer deference while updating PHY tune register if nvmem cell is NULL. Since, fused value for Tune1/2 register is optional, we'd rather bail out. Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips") Reviewed-by: Vivek Gautam <vivek.gautam(a)codeaurora.org> Reviewed-by: Evan Green <evgreen(a)chromium.org> Cc: stable <stable(a)vger.kernel.org> # 4.14+ Signed-off-by: Manu Gautam <mgautam(a)codeaurora.org> Signed-off-by: Kishon Vijay Abraham I <kishon(a)ti.com> --- drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c index 94afeac1a19e..40fdef8b5b75 100644 --- a/drivers/phy/qualcomm/phy-qcom-qusb2.c +++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c @@ -315,6 +315,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) const struct qusb2_phy_cfg *cfg = qphy->cfg; u8 *val; + /* efuse register is optional */ + if (!qphy->cell) + return; + /* * Read efuse register having TUNE2/1 parameter's high nibble. * If efuse register shows value as 0x0, or if we fail to find -- 2.17.0

6 years, 7 months

1
0
0 0

Linux 4.16.12

by Greg KH

I'm announcing the release of the 4.16.12 kernel. All users of the 4.16 kernel series must upgrade. The updated 4.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.16.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/powerpc/include/asm/exception-64s.h | 29 + arch/powerpc/include/asm/feature-fixups.h | 19 + arch/powerpc/include/asm/hvcall.h | 3 arch/powerpc/include/asm/security_features.h | 85 +++++ arch/powerpc/kernel/Makefile | 2 arch/powerpc/kernel/exceptions-64s.S | 19 + arch/powerpc/kernel/security.c | 237 +++++++++++++++ arch/powerpc/kernel/setup_64.c | 8 arch/powerpc/kernel/vmlinux.lds.S | 14 arch/powerpc/lib/feature-fixups.c | 115 +++++++ arch/powerpc/platforms/powernv/setup.c | 96 ++++-- arch/powerpc/platforms/pseries/setup.c | 71 +++- arch/s390/Kconfig | 3 arch/s390/Makefile | 2 arch/s390/crypto/crc32be-vx.S | 5 arch/s390/crypto/crc32le-vx.S | 4 arch/s390/include/asm/alternative-asm.h | 108 ++++++ arch/s390/include/asm/nospec-branch.h | 7 arch/s390/include/asm/nospec-insn.h | 196 ++++++++++++ arch/s390/kernel/Makefile | 5 arch/s390/kernel/alternative.c | 24 - arch/s390/kernel/asm-offsets.c | 1 arch/s390/kernel/base.S | 24 - arch/s390/kernel/entry.S | 105 +----- arch/s390/kernel/mcount.S | 14 arch/s390/kernel/module.c | 15 arch/s390/kernel/nospec-branch.c | 123 ++++++- arch/s390/kernel/nospec-sysfs.c | 21 + arch/s390/kernel/reipl.S | 7 arch/s390/kernel/setup.c | 3 arch/s390/kernel/swsusp.S | 10 arch/s390/lib/mem.S | 19 - arch/s390/net/bpf_jit.S | 16 - arch/s390/net/bpf_jit_comp.c | 63 +++- arch/sparc/kernel/vio.c | 2 arch/x86/kernel/machine_kexec_32.c | 6 arch/x86/kernel/machine_kexec_64.c | 5 drivers/block/loop.c | 71 ++-- drivers/bluetooth/btusb.c | 13 drivers/clk/clk.c | 3 drivers/clk/hisilicon/crg-hi3516cv300.c | 2 drivers/clk/meson/axg.c | 7 drivers/clk/rockchip/clk-mmc-phase.c | 23 + drivers/clk/rockchip/clk-rk3228.c | 2 drivers/clk/samsung/clk-exynos3250.c | 4 drivers/clk/samsung/clk-exynos5250.c | 8 drivers/clk/samsung/clk-exynos5260.c | 2 drivers/clk/samsung/clk-exynos5433.c | 12 drivers/clk/samsung/clk-exynos7.c | 2 drivers/clk/samsung/clk-s3c2410.c | 16 - drivers/clk/tegra/clk-pll.c | 2 drivers/crypto/atmel-aes.c | 2 drivers/crypto/ccp/ccp-debugfs.c | 7 drivers/crypto/inside-secure/safexcel.c | 12 drivers/crypto/inside-secure/safexcel_cipher.c | 2 drivers/crypto/inside-secure/safexcel_hash.c | 38 +- drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 drivers/media/common/videobuf2/videobuf2-vmalloc.c | 2 drivers/media/dvb-frontends/lgdt3306a.c | 10 drivers/media/i2c/adv748x/adv748x-hdmi.c | 3 drivers/media/i2c/ov5645.c | 5 drivers/media/pci/cx23885/cx23885-cards.c | 4 drivers/media/pci/cx23885/cx23885-core.c | 10 drivers/media/pci/cx25821/cx25821-core.c | 7 drivers/media/platform/s3c-camif/camif-capture.c | 7 drivers/media/platform/vivid/vivid-ctrls.c | 2 drivers/media/platform/vsp1/vsp1_drm.c | 9 drivers/media/usb/em28xx/em28xx-cards.c | 22 + drivers/media/usb/em28xx/em28xx.h | 2 drivers/net/dsa/bcm_sf2_cfp.c | 36 +- drivers/net/ethernet/3com/3c59x.c | 104 +++--- drivers/net/ethernet/chelsio/cxgb4/cudbg_entity.h | 28 - drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 88 +---- drivers/net/ethernet/mellanox/mlx4/main.c | 4 drivers/net/ethernet/qlogic/qed/qed_ll2.c | 61 +++ drivers/net/tun.c | 27 - drivers/net/vmxnet3/vmxnet3_drv.c | 72 +++- drivers/net/vmxnet3/vmxnet3_int.h | 8 drivers/rtc/hctosys.c | 5 drivers/rtc/rtc-goldfish.c | 2 drivers/rtc/rtc-m41t80.c | 18 - drivers/rtc/rtc-rk808.c | 14 drivers/rtc/rtc-rp5c01.c | 12 drivers/rtc/rtc-snvs.c | 15 drivers/rtc/rtc-tx4939.c | 6 drivers/s390/scsi/zfcp_dbf.c | 23 + drivers/s390/scsi/zfcp_ext.h | 5 drivers/s390/scsi/zfcp_scsi.c | 14 drivers/scsi/aacraid/commsup.c | 4 drivers/scsi/aacraid/linit.c | 1 drivers/scsi/lpfc/lpfc_attr.c | 5 drivers/scsi/lpfc/lpfc_hbadisc.c | 5 drivers/scsi/lpfc/lpfc_nportdisc.c | 15 drivers/scsi/lpfc/lpfc_nvme.c | 28 - drivers/scsi/lpfc/lpfc_nvme.h | 2 drivers/scsi/lpfc/lpfc_sli.c | 2 drivers/scsi/mvsas/mv_94xx.c | 23 - drivers/scsi/scsi_devinfo.c | 1 drivers/scsi/scsi_lib.c | 11 drivers/scsi/sg.c | 2 drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 16 - drivers/staging/ks7010/ks_hostif.c | 31 - drivers/staging/ks7010/ks_hostif.h | 1 drivers/staging/lustre/lustre/include/obd.h | 2 drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 drivers/staging/lustre/lustre/osc/osc_cache.c | 2 drivers/staging/rtl8192u/r8192U_core.c | 2 drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 54 +-- drivers/tty/serial/8250/8250_port.c | 3 drivers/tty/serial/altera_uart.c | 12 drivers/tty/serial/arc_uart.c | 5 drivers/tty/serial/fsl_lpuart.c | 4 drivers/tty/serial/imx.c | 6 drivers/tty/serial/mvebu-uart.c | 2 drivers/tty/serial/mxs-auart.c | 4 drivers/tty/serial/samsung.c | 4 drivers/tty/serial/sh-sci.c | 4 drivers/tty/serial/xilinx_uartps.c | 2 drivers/usb/dwc2/core.h | 2 drivers/usb/dwc2/hcd.c | 32 +- drivers/usb/dwc3/Makefile | 2 drivers/usb/dwc3/core.c | 13 drivers/usb/dwc3/core.h | 2 drivers/usb/gadget/composite.c | 40 +- drivers/usb/gadget/function/f_fs.c | 6 drivers/usb/gadget/udc/goku_udc.h | 2 drivers/usb/host/xhci-mem.c | 2 drivers/usb/host/xhci.c | 14 drivers/usb/usbip/Kconfig | 2 fs/ext2/inode.c | 10 fs/hfsplus/super.c | 1 include/linux/mlx5/driver.h | 12 include/linux/usb/composite.h | 3 include/scsi/scsi.h | 2 include/uapi/linux/nl80211.h | 2 net/core/dev.c | 2 net/core/sock.c | 2 net/dsa/dsa2.c | 9 net/ipv4/ip_output.c | 3 net/ipv4/tcp_output.c | 7 net/ipv6/ip6_gre.c | 281 ++++++++++++++---- net/ipv6/ip6_output.c | 3 net/packet/af_packet.c | 4 net/sched/act_vlan.c | 2 net/sched/sch_red.c | 5 net/sched/sch_tbf.c | 5 net/smc/smc_pnet.c | 71 ++-- net/wireless/core.c | 3 sound/soc/rockchip/Kconfig | 3 sound/soc/samsung/i2s.c | 13 sound/soc/samsung/odroid.c | 11 sound/soc/soc-topology.c | 3 sound/usb/quirks.c | 29 + 154 files changed, 2355 insertions(+), 845 deletions(-) Akinobu Mita (1): media: ov5645: add missing of_node_put() in error path Al Viro (1): ext2: fix a block leak Alexander Potapenko (1): scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() Alexandre Belloni (4): rtc: hctosys: Ensure system time doesn't overflow time_t rtc: rk808: fix possible race condition rtc: m41t80: fix race conditions rtc: rp5c01: fix possible race condition Amritha Nambiar (1): net: Fix a bug in removing queues from XPS map Andrzej Hajda (6): clk: samsung: s3c2410: Fix PLL rates clk: samsung: exynos7: Fix PLL rates clk: samsung: exynos5260: Fix PLL rates clk: samsung: exynos5433: Fix PLL rates clk: samsung: exynos5250: Fix PLL rates clk: samsung: exynos3250: Fix PLL rates Antoine Tenart (8): crypto: inside-secure - move the digest to the request context crypto: inside-secure - wait for the request to complete if in the backlog crypto: atmel-aes - fix the keys zeroing on errors crypto: inside-secure - do not process request if no command was issued crypto: inside-secure - fix the cache_len computation crypto: inside-secure - fix the extra cache computation crypto: inside-secure - do not overwrite the threshold value crypto: inside-secure - fix the invalidation step during cra_exit Arnd Bergmann (2): clk: hisilicon: mark wdt_mux_p[] as const media: s3c-camif: fix out-of-bounds array access Arvind Yadav (1): sparc: vio: use put_device() instead of kfree() Ben Hutchings (1): usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS Brad Love (6): media: lgdt3306a: Fix module count mismatch on usb unplug media: em28xx: USB bulk packet size fix media: cx23885: Override 888 ImpactVCBe crystal frequency media: cx23885: Set subdev host data to clk_freq pointer media: lgdt3306a: Fix a double kfree on i2c device remove media: em28xx: Add Hauppauge SoloHD/DualHD bulk models Bryan O'Donoghue (1): rtc: snvs: Fix usage of snvs_rtc_enable Chris Dickens (1): usb: gadget: composite: fix incorrect handling of OS desc requests Christoph Hellwig (1): 3c59x: convert to generic DMA API Colin Ian King (3): staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr media: cx25821: prevent out-of-bounds read on array card rtc: tx4939: avoid unintended sign extension on a 24 bit shift Dave Carroll (1): scsi: aacraid: Insure command thread is not recursively stopped Davide Caratti (1): net/sched: fix refcnt leak in the error path of tcf_vlan_init() Douglas Gilbert (1): scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD Eric Biggers (1): net/smc: check for missing nlattrs in SMC_PNETID messages Eric Dumazet (2): sock_diag: fix use-after-free read in __sk_free tcp: purge write queue in tcp_connect_init() Ezequiel Garcia (1): ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs Felipe Balbi (1): usb: dwc3: Makefile: fix link error on randconfig Florian Fainelli (4): net: dsa: bcm_sf2: Fix RX_CLS_LOC_ANY overwrite for last rule net: dsa: Do not register devlink for unused ports net: dsa: bcm_sf2: Fix IPv6 rules and chain ID net: dsa: bcm_sf2: Fix IPv6 rule half deletion Gabriel Matni (1): serial: mvebu-uart: fix tx lost characters Geert Uytterhoeven (7): serial: xuartps: Fix out-of-bounds access through DT alias serial: sh-sci: Fix out-of-bounds access through DT alias serial: samsung: Fix out-of-bounds access through serial port index serial: mxs-auart: Fix out-of-bounds access through serial port index serial: imx: Fix out-of-bounds access through serial port index serial: fsl_lpuart: Fix out-of-bounds access through DT alias serial: arc_uart: Fix out-of-bounds access through DT alias Greg Kroah-Hartman (1): Linux 4.16.12 Grigor Tovmasyan (1): usb: dwc2: Fix interval type issue Hans Verkuil (1): media: vivid: fix incorrect capabilities for radio Ioana Radulescu (2): staging: fsl-dpaa2/eth: Fix incorrect kfree staging: fsl-dpaa2/eth: Fix incorrect casts James Hogan (1): rtc: goldfish: Add missing MODULE_LICENSE James Smart (6): scsi: lpfc: Fix NVME Initiator FirstBurst scsi: lpfc: Fix issue_lip if link is disabled scsi: lpfc: Fix nonrecovery of NVME controller after cable swap. scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing scsi: lpfc: Fix IO failure during hba reset testing with nvme io. scsi: lpfc: Fix frequency of Release WQE CQEs Jason Wang (2): tun: fix use after free for ptr_ring tuntap: fix use after free during release Jens Remus (1): scsi: zfcp: fix infinite iteration on ERP ready list Jerome Brunet (1): clk: meson: axg: add the fractional part of the fixed_pll Johannes Berg (1): cfg80211: limit wiphy names to 128 bytes Kieran Bingham (1): media: i2c: adv748x: fix HDMI field heights Kirill Marinushkin (1): staging: bcm2835-audio: Release resources on module_exit() Kumar Sanghvi (1): cxgb4: Correct ntuple mask validation for hash filters Larry Finger (1): Bluetooth: btusb: Add device ID for RTL8822BE Lars-Peter Clausen (2): usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS usb: gadget: ffs: Execute copy_to_user() with USER_DS set Laurent Pinchart (1): media: v4l: vsp1: Fix display stalls when requesting too many inputs Marcel Ziswiler (1): clk: tegra: Fix pll_u rate configuration Martin Schwidefsky (15): s390: move nobp parameter functions to nospec-branch.c s390: add automatic detection of the spectre defense s390: report spectre mitigation via syslog s390: add sysfs attributes for spectre s390: add assembler macros for CPU alternatives s390: correct nospec auto detection init order s390: correct module section names for expoline code revert s390: move expoline assembler macros to a header s390/crc32-vx: use expoline for indirect branches s390/lib: use expoline for indirect branches s390/ftrace: use expoline for indirect branches s390/kernel: use expoline for indirect branches s390: move spectre sysfs attribute code s390: extend expoline to BC instructions s390: use expoline thunks in the BPF JIT Masami Hiramatsu (1): media: vb2: Fix videobuf2 to map correct area Mathias Nyman (2): xhci: zero usb device slot_id member when disabling and freeing a xhci slot xhci: Show what USB release number the xHC supports from protocol capablity Mauricio Faria de Oliveira (2): powerpc/pseries: Fix clearing of security feature flags powerpc: Move default security feature flags Michael Ellerman (11): powerpc/rfi-flush: Always enable fallback flush on pseries powerpc: Add security feature flags for Spectre/Meltdown powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags powerpc/pseries: Set or clear security feature flags powerpc/powernv: Set or clear security feature flags powerpc/64s: Move cpu_show_meltdown() powerpc/64s: Enhance the information in cpu_show_meltdown() powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() powerpc/64s: Wire up cpu_show_spectre_v1() powerpc/64s: Wire up cpu_show_spectre_v2() Michal Kalderon (3): qed: LL2 flush isles when connection is closed qed: Fix possibility of list corruption during rmmod flows qed: Fix LL2 race during connection terminate Minas Harutyunyan (2): usb: dwc2: hcd: Fix host channel halt flow usb: dwc2: host: Fix transaction errors in host mode NeilBrown (2): staging: lustre: fix bug in osc_enter_cache_try staging: lustre: lmv: correctly iput lmo_root Nicholas Piggin (1): powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit Nobutaka Okabe (1): ALSA: usb-audio: Add native DSD support for Luxman DA-06 Omar Sandoval (2): loop: don't call into filesystem while holding lo_ctl_mutex loop: fix LOOP_GET_STATUS lock imbalance Paolo Abeni (1): net: sched: red: avoid hashing NULL child Peter Robinson (1): crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss Petr Machata (7): net: ip6_gre: Request headroom in __gre6_xmit() net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit() net: ip6_gre: Split up ip6gre_tnl_link_config() net: ip6_gre: Split up ip6gre_tnl_change() net: ip6_gre: Split up ip6gre_newlink() net: ip6_gre: Split up ip6gre_changelink() net: ip6_gre: Fix ip6erspan hlen calculation Quytelda Kahja (1): staging: ks7010: Use constants from ieee80211_eid instead of literal ints. Rahul Lakkireddy (1): cxgb4: fix offset in collecting TX rate limit info Ranjani Sridharan (1): ASoC: topology: create TLV data for dapm widgets Saeed Mahameed (1): net/mlx5: Fix build break when CONFIG_SMP=n Sebastian Andrzej Siewior (1): crypto: ccp - don't disable interrupts while setting up debugfs Shawn Lin (3): clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228 clk: Don't show the incorrect clock phase clk: rockchip: Prevent calculating mmc phase if clock rate is zero Sylwester Nawrocki (2): ASoC: samsung: odroid: Fix 32000 sample rate handling ASoC: samsung: i2s: Ensure the RCLK rate is properly determined Tarick Bedeir (1): net/mlx4_core: Fix error handling in mlx4_init_port_info. Tedd Ho-Jeong An (1): Bluetooth: btusb: Add support for Intel Bluetooth device 22560 [8087:0026] Tetsuo Handa (2): hfsplus: stop workqueue when fill_super() failed x86/kexec: Avoid double free_page() upon do_kexec_load() failure Thinh Nguyen (2): usb: dwc3: Add SoftReset PHY synchonization delay usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields Uwe Kleine-König (1): serial: altera: ensure port->regshift is honored consistently Vicente Bergas (1): Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB Vignesh R (1): serial: 8250: Don't service RX FIFO if interrupts are disabled Wilfried Weissmann (1): scsi: mvsas: fix wrong endianness of sgpio api Willem de Bruijn (2): net: test tailroom before appending to linear skb packet: in packet_snd start writing at link layer allocation William Tu (1): net: ip6_gre: fix tunnel metadata device sharing. Wolfram Sang (1): usb: gadget: udc: change comparison to bitshift when dealing with a mask Xose Vazquez Perez (1): scsi: devinfo: add HP DISK-SUBSYSTEM device, for HP XP arrays Yixun Lan (1): clk: meson: axg: fix the od shift of the sys_pll hpreg(a)vmware.com (2): vmxnet3: set the DMA mask before the first DMA map operation vmxnet3: use DMA memory barriers where required

6 years, 7 months

1
1
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2018