March 2021 - Linux-stable-mirror

[PATCH v7 01/17] media: v4l2-ioctl: Fix check_ext_ctrls

by Ricardo Ribalda

Drivers that do not use the ctrl-framework use this function instead. Fix the following issues: - Do not check for multiple classes when getting the DEF_VAL. - Return -EINVAL for request_api calls - Default value cannot be changed, return EINVAL as soon as possible. - Return the right error_idx [If an error is found when validating the list of controls passed with VIDIOC_G_EXT_CTRLS, then error_idx shall be set to ctrls->count to indicate to userspace that no actual hardware was touched. It would have been much nicer of course if error_idx could point to the control index that failed the validation, but sadly that's not how the API was designed.] Fixes v4l2-compliance: Control ioctls (Input 0): warn: v4l2-test-controls.cpp(834): error_idx should be equal to count warn: v4l2-test-controls.cpp(855): error_idx should be equal to count fail: v4l2-test-controls.cpp(813): doioctl(node, VIDIOC_G_EXT_CTRLS, &ctrls) test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL Buffer ioctls (Input 0): fail: v4l2-test-buffers.cpp(1994): ret != EINVAL && ret != EBADR && ret != ENOTTY test Requests: FAIL Cc: stable(a)vger.kernel.org Fixes: 6fa6f831f095 ("media: v4l2-ctrls: add core request support") Suggested-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Reviewed-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- drivers/media/v4l2-core/v4l2-ioctl.c | 59 ++++++++++++++++++---------- 1 file changed, 38 insertions(+), 21 deletions(-) diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index 31d1342e61e8..ccd21b4d9c72 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -908,7 +908,7 @@ static void v4l_print_default(const void *arg, bool write_only) pr_cont("driver-specific ioctl\n"); } -static int check_ext_ctrls(struct v4l2_ext_controls *c, int allow_priv) +static bool check_ext_ctrls(struct v4l2_ext_controls *c, unsigned long ioctl) { __u32 i; @@ -917,23 +917,40 @@ static int check_ext_ctrls(struct v4l2_ext_controls *c, int allow_priv) for (i = 0; i < c->count; i++) c->controls[i].reserved2[0] = 0; - /* V4L2_CID_PRIVATE_BASE cannot be used as control class - when using extended controls. - Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL - is it allowed for backwards compatibility. - */ - if (!allow_priv && c->which == V4L2_CID_PRIVATE_BASE) - return 0; - if (!c->which) - return 1; + switch (c->which) { + case V4L2_CID_PRIVATE_BASE: + /* + * V4L2_CID_PRIVATE_BASE cannot be used as control class + * when using extended controls. + * Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL + * is it allowed for backwards compatibility. + */ + if (ioctl == VIDIOC_G_CTRL || ioctl == VIDIOC_S_CROP) + return false; + break; + case V4L2_CTRL_WHICH_DEF_VAL: + /* Default value cannot be changed */ + if (ioctl == VIDIOC_S_EXT_CTRLS || + ioctl == VIDIOC_TRY_EXT_CTRLS) { + c->error_idx = c->count; + return false; + } + return true; + case V4L2_CTRL_WHICH_CUR_VAL: + return true; + case V4L2_CTRL_WHICH_REQUEST_VAL: + c->error_idx = c->count; + return false; + } + /* Check that all controls are from the same control class. */ for (i = 0; i < c->count; i++) { if (V4L2_CTRL_ID2WHICH(c->controls[i].id) != c->which) { - c->error_idx = i; - return 0; + c->error_idx = ioctl == VIDIOC_TRY_EXT_CTRLS ? i : c->count; + return false; } } - return 1; + return true; } static int check_fmt(struct file *file, enum v4l2_buf_type type) @@ -2229,7 +2246,7 @@ static int v4l_g_ctrl(const struct v4l2_ioctl_ops *ops, ctrls.controls = &ctrl; ctrl.id = p->id; ctrl.value = p->value; - if (check_ext_ctrls(&ctrls, 1)) { + if (check_ext_ctrls(&ctrls, VIDIOC_G_CTRL)) { int ret = ops->vidioc_g_ext_ctrls(file, fh, &ctrls); if (ret == 0) @@ -2263,7 +2280,7 @@ static int v4l_s_ctrl(const struct v4l2_ioctl_ops *ops, ctrls.controls = &ctrl; ctrl.id = p->id; ctrl.value = p->value; - if (check_ext_ctrls(&ctrls, 1)) + if (check_ext_ctrls(&ctrls, VIDIOC_S_CTRL)) return ops->vidioc_s_ext_ctrls(file, fh, &ctrls); return -EINVAL; } @@ -2285,8 +2302,8 @@ static int v4l_g_ext_ctrls(const struct v4l2_ioctl_ops *ops, vfd, vfd->v4l2_dev->mdev, p); if (ops->vidioc_g_ext_ctrls == NULL) return -ENOTTY; - return check_ext_ctrls(p, 0) ? ops->vidioc_g_ext_ctrls(file, fh, p) : - -EINVAL; + return check_ext_ctrls(p, VIDIOC_G_EXT_CTRLS) ? + ops->vidioc_g_ext_ctrls(file, fh, p) : -EINVAL; } static int v4l_s_ext_ctrls(const struct v4l2_ioctl_ops *ops, @@ -2306,8 +2323,8 @@ static int v4l_s_ext_ctrls(const struct v4l2_ioctl_ops *ops, vfd, vfd->v4l2_dev->mdev, p); if (ops->vidioc_s_ext_ctrls == NULL) return -ENOTTY; - return check_ext_ctrls(p, 0) ? ops->vidioc_s_ext_ctrls(file, fh, p) : - -EINVAL; + return check_ext_ctrls(p, VIDIOC_S_EXT_CTRLS) ? + ops->vidioc_s_ext_ctrls(file, fh, p) : -EINVAL; } static int v4l_try_ext_ctrls(const struct v4l2_ioctl_ops *ops, @@ -2327,8 +2344,8 @@ static int v4l_try_ext_ctrls(const struct v4l2_ioctl_ops *ops, vfd, vfd->v4l2_dev->mdev, p); if (ops->vidioc_try_ext_ctrls == NULL) return -ENOTTY; - return check_ext_ctrls(p, 0) ? ops->vidioc_try_ext_ctrls(file, fh, p) : - -EINVAL; + return check_ext_ctrls(p, VIDIOC_TRY_EXT_CTRLS) ? + ops->vidioc_try_ext_ctrls(file, fh, p) : -EINVAL; } /* -- 2.31.0.rc2.261.g7f71774620-goog

3 years, 9 months

2
1
0 0

[PATCH v4 0/1] s390/vfio-ap: fix circular lockdep when starting

by Tony Krowiak

*Commit f21916ec4826 ("s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated") introduced a change that results in a circular lockdep when a Secure Execution guest that is configured with crypto devices is started. The problem resulted due to the fact that the patch moved the setting of the guest's AP masks within the protection of the matrix_dev->lock when the vfio_ap driver is notified that the KVM pointer has been set. Since it is not critical that setting/clearing of the guest's AP masks be done under the matrix_dev->lock when the driver is notified, the masks will not be updated under the matrix_dev->lock. The lock is necessary for the setting/unsetting of the KVM pointer, however, so that will remain in place. The dependency chain for the circular lockdep resolved by this patch is (in reverse order): 2: vfio_ap_mdev_group_notifier: kvm->lock matrix_dev->lock 1: handle_pqap: matrix_dev->lock kvm_vcpu_ioctl: vcpu->mutex 0: kvm_s390_cpus_to_pv: vcpu->mutex kvm_vm_ioctl: kvm->lock Please note: ----------- * If checkpatch is run against this patch series, you may get a "WARNING: Unknown commit id 'f21916ec4826', maybe rebased or not pulled?" message. The commit 'f21916ec4826', however, is definitely in the master branch on top of which this patch series was built, so I'm not sure why this message is being output by checkpatch. * All acks granted from previous review of this patch have been removed due to the fact that this patch introduces non-trivial changes (see change log below). Change log v3=> v4: ------------------ * In vfio_ap_mdev_set_kvm() function, moved the setting of matrix_mdev->kvm_busy just prior to unlocking matrix_dev->lock. * Reset queues regardless of regardless of the value of matrix_mdev->kvm in response to the VFIO_DEVICE_RESET ioctl. Change log v2=> v3: ------------------ * Added two fields - 'bool kvm_busy' and 'wait_queue_head_t wait_for_kvm' to struct ap_matrix_mdev. The former indicates that the KVM pointer is in the process of being updated and the second allows a function that needs access to the KVM pointer to wait until it is no longer being updated. Resolves problem of synchronization between the functions that change the KVM pointer value and the functions that required access to it. Change log v1=> v2: ------------------ * No longer holding the matrix_dev->lock prior to setting/clearing the masks supplying the AP configuration to a KVM guest. * Make all updates to the data in the matrix mdev that is used to manage AP resources used by the KVM guest in the vfio_ap_mdev_set_kvm() function instead of the group notifier callback. * Check for the matrix mdev's KVM pointer in the vfio_ap_mdev_unset_kvm() function instead of the vfio_ap_mdev_release() function. Tony Krowiak (1): s390/vfio-ap: fix circular lockdep when setting/clearing crypto masks drivers/s390/crypto/vfio_ap_ops.c | 309 ++++++++++++++++++-------- drivers/s390/crypto/vfio_ap_private.h | 2 + 2 files changed, 215 insertions(+), 96 deletions(-) -- 2.21.3

3 years, 9 months

2
6
0 0

[PATCH net] netsec: restore phy power state after controller reset

by Mian Yousaf Kaukab

Since commit 8e850f25b581 ("net: socionext: Stop PHY before resetting netsec") netsec_netdev_init() power downs phy before resetting the controller. However, the state is not restored once the reset is complete. As a result it is not possible to bring up network on a platform with Broadcom BCM5482 phy. Fix the issue by restoring phy power state after controller reset is complete. Fixes: 8e850f25b581 ("net: socionext: Stop PHY before resetting netsec") Cc: stable(a)vger.kernel.org Signed-off-by: Mian Yousaf Kaukab <ykaukab(a)suse.de> --- drivers/net/ethernet/socionext/netsec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/socionext/netsec.c b/drivers/net/ethernet/socionext/netsec.c index 3c53051bdacf..200785e703c8 100644 --- a/drivers/net/ethernet/socionext/netsec.c +++ b/drivers/net/ethernet/socionext/netsec.c @@ -1715,14 +1715,17 @@ static int netsec_netdev_init(struct net_device *ndev) goto err1; /* set phy power down */ - data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR) | - BMCR_PDOWN; - netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data); + data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR); + netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, + data | BMCR_PDOWN); ret = netsec_reset_hardware(priv, true); if (ret) goto err2; + /* Restore phy power state */ + netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data); + spin_lock_init(&priv->desc_ring[NETSEC_RING_TX].lock); spin_lock_init(&priv->desc_ring[NETSEC_RING_RX].lock); -- 2.26.2

3 years, 9 months

2
1
0 0

[GIT PULL] vhost: cleanups and fixes

by Michael S. Tsirkin

The following changes since commit 16c10bede8b3d8594279752bf53153491f3f944f: virtio-input: add multi-touch support (2021-02-23 07:52:59 -0500) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus for you to fetch changes up to 0bde59c1723a29e294765c96dbe5c7fb639c2f96: vhost-vdpa: set v->config_ctx to NULL if eventfd_ctx_fdget() fails (2021-03-14 18:10:07 -0400) ---------------------------------------------------------------- virtio: fixes, cleanups Some fixes and cleanups all over the place. Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> ---------------------------------------------------------------- Gautam Dawar (1): vhost_vdpa: fix the missing irq_bypass_unregister_producer() invocation Jason Wang (1): vdpa: set the virtqueue num during register Laurent Vivier (1): vhost: Fix vhost_vq_reset() Parav Pandit (1): vdpa_sim: Skip typecasting from void* Stefano Garzarella (2): vhost-vdpa: fix use-after-free of v->config_ctx vhost-vdpa: set v->config_ctx to NULL if eventfd_ctx_fdget() fails Tang Bin (1): virtio-mmio: Use to_virtio_mmio_device() to simply code Xianting Tian (1): virtio: remove export for virtio_config_{enable, disable} drivers/vdpa/ifcvf/ifcvf_main.c | 5 ++--- drivers/vdpa/mlx5/net/mlx5_vnet.c | 4 ++-- drivers/vdpa/vdpa.c | 18 ++++++++++-------- drivers/vdpa/vdpa_sim/vdpa_sim.c | 2 +- drivers/vdpa/vdpa_sim/vdpa_sim_net.c | 5 ++--- drivers/vhost/vdpa.c | 20 +++++++++++--------- drivers/vhost/vhost.c | 2 +- drivers/virtio/virtio.c | 6 ++---- drivers/virtio/virtio_mmio.c | 3 +-- include/linux/vdpa.h | 10 +++++----- include/linux/virtio.h | 2 -- 11 files changed, 37 insertions(+), 40 deletions(-)

3 years, 9 months

2
1
0 0

[PATCH] platform/chrome: cros_ec_dev - Fix security issue

by Gwendal Grignou

commit 5d749d0bbe811c10d9048cde6dfebc761713abfd upstream. Prevent memory scribble by checking that ioctl buffer size parameters are sane. Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and .outsize the amount to scribble, we would overflow, allocate a small amounts and be able to write outside of the malloc'ed area. Adding a hard limit allows argument checking of the ioctl. With the current EC, it is expected .insize and .outsize to be at around 512 bytes or less. Signed-off-by: Olof Johansson <olof(a)lixom.net> Signed-off-by: Gwendal Grignou <gwendal(a)chromium.org> --- drivers/platform/chrome/cros_ec_dev.c | 4 ++++ drivers/platform/chrome/cros_ec_proto.c | 4 ++-- include/linux/mfd/cros_ec.h | 6 ++++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c index 2b331d5b9e799..e16d82bb36a9d 100644 --- a/drivers/platform/chrome/cros_ec_dev.c +++ b/drivers/platform/chrome/cros_ec_dev.c @@ -137,6 +137,10 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg) if (copy_from_user(&u_cmd, arg, sizeof(u_cmd))) return -EFAULT; + if ((u_cmd.outsize > EC_MAX_MSG_BYTES) || + (u_cmd.insize > EC_MAX_MSG_BYTES)) + return -EINVAL; + s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize), GFP_KERNEL); if (!s_cmd) diff --git a/drivers/platform/chrome/cros_ec_proto.c b/drivers/platform/chrome/cros_ec_proto.c index 5c285f2b3a650..d20190c8f0c06 100644 --- a/drivers/platform/chrome/cros_ec_proto.c +++ b/drivers/platform/chrome/cros_ec_proto.c @@ -311,8 +311,8 @@ int cros_ec_query_all(struct cros_ec_device *ec_dev) ec_dev->max_response = EC_PROTO2_MAX_PARAM_SIZE; ec_dev->max_passthru = 0; ec_dev->pkt_xfer = NULL; - ec_dev->din_size = EC_MSG_BYTES; - ec_dev->dout_size = EC_MSG_BYTES; + ec_dev->din_size = EC_PROTO2_MSG_BYTES; + ec_dev->dout_size = EC_PROTO2_MSG_BYTES; } else { /* * It's possible for a test to occur too early when diff --git a/include/linux/mfd/cros_ec.h b/include/linux/mfd/cros_ec.h index 3ab3cede28eac..93c14e9df6309 100644 --- a/include/linux/mfd/cros_ec.h +++ b/include/linux/mfd/cros_ec.h @@ -50,9 +50,11 @@ enum { EC_MSG_TX_TRAILER_BYTES, EC_MSG_RX_PROTO_BYTES = 3, - /* Max length of messages */ - EC_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE + + /* Max length of messages for proto 2*/ + EC_PROTO2_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE + EC_MSG_TX_PROTO_BYTES, + + EC_MAX_MSG_BYTES = 64 * 1024, }; /* -- 2.31.0.rc2.261.g7f71774620-goog

3 years, 9 months

3
5
0 0

[PATCH v1] usb: typec: tcpm: Skip sink_cap query only when VDM sm is busy

by Badhri Jagan Sridharan

When port partner responds "Not supported" to the DiscIdentity command, VDM state machine can remain in NVDM_STATE_ERR_TMOUT and this causes querying sink cap to be skipped indefinitely. Hence check for vdm_sm_running instead of checking for VDM_STATE_DONE. Fixes: 8dc4bd073663f ("usb: typec: tcpm: Add support for Sink Fast Role SWAP(FRS)") Signed-off-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/tcpm/tcpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 11d0c40bc47d..39e068d60755 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -5219,7 +5219,7 @@ static void tcpm_enable_frs_work(struct kthread_work *work) goto unlock; /* Send when the state machine is idle */ - if (port->state != SNK_READY || port->vdm_state != VDM_STATE_DONE || port->send_discover) + if (port->state != SNK_READY || port->vdm_sm_running || port->send_discover) goto resched; port->upcoming_state = GET_SINK_CAP; -- 2.31.0.rc2.261.g7f71774620-goog

3 years, 9 months

3
2
0 0

FAILED: patch "[PATCH] KVM: arm64: nvhe: Save the SPE context early" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From b96b0c5de685df82019e16826a282d53d86d112c Mon Sep 17 00:00:00 2001 From: Suzuki K Poulose <suzuki.poulose(a)arm.com> Date: Fri, 5 Mar 2021 18:52:47 +0000 Subject: [PATCH] KVM: arm64: nvhe: Save the SPE context early The nVHE KVM hyp drains and disables the SPE buffer, before entering the guest, as the EL1&0 translation regime is going to be loaded with that of the guest. But this operation is performed way too late, because : - The owning translation regime of the SPE buffer is transferred to EL2. (MDCR_EL2_E2PB == 0) - The guest Stage1 is loaded. Thus the flush could use the host EL1 virtual address, but use the EL2 translations instead of host EL1, for writing out any cached data. Fix this by moving the SPE buffer handling early enough. The restore path is doing the right thing. Fixes: 014c4c77aad7 ("KVM: arm64: Improve debug register save/restore flow") Cc: stable(a)vger.kernel.org Cc: Christoffer Dall <christoffer.dall(a)arm.com> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Alexandru Elisei <alexandru.elisei(a)arm.com> Reviewed-by: Alexandru Elisei <alexandru.elisei(a)arm.com> Signed-off-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Link: https://lore.kernel.org/r/20210302120345.3102874-1-suzuki.poulose@arm.com Message-Id: <20210305185254.3730990-2-maz(a)kernel.org> Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> diff --git a/arch/arm64/include/asm/kvm_hyp.h b/arch/arm64/include/asm/kvm_hyp.h index c0450828378b..385bd7dd3d39 100644 --- a/arch/arm64/include/asm/kvm_hyp.h +++ b/arch/arm64/include/asm/kvm_hyp.h @@ -83,6 +83,11 @@ void sysreg_restore_guest_state_vhe(struct kvm_cpu_context *ctxt); void __debug_switch_to_guest(struct kvm_vcpu *vcpu); void __debug_switch_to_host(struct kvm_vcpu *vcpu); +#ifdef __KVM_NVHE_HYPERVISOR__ +void __debug_save_host_buffers_nvhe(struct kvm_vcpu *vcpu); +void __debug_restore_host_buffers_nvhe(struct kvm_vcpu *vcpu); +#endif + void __fpsimd_save_state(struct user_fpsimd_state *fp_regs); void __fpsimd_restore_state(struct user_fpsimd_state *fp_regs); diff --git a/arch/arm64/kvm/hyp/nvhe/debug-sr.c b/arch/arm64/kvm/hyp/nvhe/debug-sr.c index 91a711aa8382..f401724f12ef 100644 --- a/arch/arm64/kvm/hyp/nvhe/debug-sr.c +++ b/arch/arm64/kvm/hyp/nvhe/debug-sr.c @@ -58,16 +58,24 @@ static void __debug_restore_spe(u64 pmscr_el1) write_sysreg_s(pmscr_el1, SYS_PMSCR_EL1); } -void __debug_switch_to_guest(struct kvm_vcpu *vcpu) +void __debug_save_host_buffers_nvhe(struct kvm_vcpu *vcpu) { /* Disable and flush SPE data generation */ __debug_save_spe(&vcpu->arch.host_debug_state.pmscr_el1); +} + +void __debug_switch_to_guest(struct kvm_vcpu *vcpu) +{ __debug_switch_to_guest_common(vcpu); } -void __debug_switch_to_host(struct kvm_vcpu *vcpu) +void __debug_restore_host_buffers_nvhe(struct kvm_vcpu *vcpu) { __debug_restore_spe(vcpu->arch.host_debug_state.pmscr_el1); +} + +void __debug_switch_to_host(struct kvm_vcpu *vcpu) +{ __debug_switch_to_host_common(vcpu); } diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c index f3d0e9eca56c..59aa1045fdaf 100644 --- a/arch/arm64/kvm/hyp/nvhe/switch.c +++ b/arch/arm64/kvm/hyp/nvhe/switch.c @@ -192,6 +192,14 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu) pmu_switch_needed = __pmu_switch_to_guest(host_ctxt); __sysreg_save_state_nvhe(host_ctxt); + /* + * We must flush and disable the SPE buffer for nVHE, as + * the translation regime(EL1&0) is going to be loaded with + * that of the guest. And we must do this before we change the + * translation regime to EL2 (via MDCR_EL2_E2PB == 0) and + * before we load guest Stage1. + */ + __debug_save_host_buffers_nvhe(vcpu); __adjust_pc(vcpu); @@ -234,11 +242,12 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu) if (vcpu->arch.flags & KVM_ARM64_FP_ENABLED) __fpsimd_save_fpexc32(vcpu); + __debug_switch_to_host(vcpu); /* * This must come after restoring the host sysregs, since a non-VHE * system may enable SPE here and make use of the TTBRs. */ - __debug_switch_to_host(vcpu); + __debug_restore_host_buffers_nvhe(vcpu); if (pmu_switch_needed) __pmu_switch_to_host(host_ctxt);

3 years, 9 months

4
3
0 0

[PATCH] scsi: ses: Fix crash caused by kfree an invalid pointer

by Ding Hui

We can get a crash when disconnecting the iSCSI session, the call trace like this: [ffff00002a00fb70] kfree at ffff00000830e224 [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4 [ffff00002a00fbd0] device_del at ffff0000086b6a98 [ffff00002a00fc50] device_unregister at ffff0000086b6d58 [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c [ffff00002a00fca0] scsi_remove_device at ffff000008706134 [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4 [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0 [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4 [ffff00002a00fdb0] process_one_work at ffff00000810f35c [ffff00002a00fe00] worker_thread at ffff00000810f648 [ffff00002a00fe70] kthread at ffff000008116e98 In ses_intf_add, components count could be 0, and kcalloc 0 size scomp, but not saved in edev->component[i].scratch In this situation, edev->component[0].scratch is an invalid pointer, when kfree it in ses_intf_remove_enclosure, a crash like above would happen The call trace also could be other random cases when kfree cannot catch the invalid pointer We should not use edev->component[] array when the components count is 0 We also need check index when use edev->component[] array in ses_enclosure_data_process Tested-by: Zeng Zhicong <timmyzeng(a)163.com> Cc: stable <stable(a)vger.kernel.org> # 2.6.25+ Signed-off-by: Ding Hui <dinghui(a)sangfor.com.cn> --- drivers/scsi/ses.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c index c2afba2a5414..f5ef0a91f0eb 100644 --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -477,9 +477,6 @@ static int ses_enclosure_find_by_addr(struct enclosure_device *edev, int i; struct ses_component *scomp; - if (!edev->component[0].scratch) - return 0; - for (i = 0; i < edev->components; i++) { scomp = edev->component[i].scratch; if (scomp->addr != efd->addr) @@ -565,8 +562,10 @@ static void ses_enclosure_data_process(struct enclosure_device *edev, components++, type_ptr[0], name); - else + else if (components < edev->components) ecomp = &edev->component[components++]; + else + ecomp = ERR_PTR(-EINVAL); if (!IS_ERR(ecomp)) { if (addl_desc_ptr) @@ -731,9 +730,11 @@ static int ses_intf_add(struct device *cdev, buf = NULL; } page2_not_supported: - scomp = kcalloc(components, sizeof(struct ses_component), GFP_KERNEL); - if (!scomp) - goto err_free; + if (components > 0) { + scomp = kcalloc(components, sizeof(struct ses_component), GFP_KERNEL); + if (!scomp) + goto err_free; + } edev = enclosure_register(cdev->parent, dev_name(&sdev->sdev_gendev), components, &ses_enclosure_callbacks); @@ -813,7 +814,8 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev) kfree(ses_dev->page2); kfree(ses_dev); - kfree(edev->component[0].scratch); + if (edev->components > 0) + kfree(edev->component[0].scratch); put_device(&edev->edev); enclosure_unregister(edev); -- 2.17.1

3 years, 9 months

3
5
0 0

[PATCH 4.14 00/95] 4.14.226-rc1 review

by gregkh＠linuxfoundation.org

From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> This is the start of the stable review cycle for the 4.14.226 release. There are 95 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 17 Mar 2021 13:57:24 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.226-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.226-rc1 Juergen Gross <jgross(a)suse.com> xen/events: avoid handling the same event on two cpus at the same time Juergen Gross <jgross(a)suse.com> xen/events: don't unmask an event channel when an eoi is pending Juergen Gross <jgross(a)suse.com> xen/events: reset affinity of 2-level event when tearing it down Navid Emamdoost <navid.emamdoost(a)gmail.com> iio: imu: adis16400: release allocated memory on failure Marc Zyngier <maz(a)kernel.org> KVM: arm64: Fix exclusive limit for IPA size Boyang Yu <byu(a)arista.com> hwmon: (lm90) Fix max6658 sporadic wrong temperature reading Lior Ribak <liorribak(a)gmail.com> binfmt_misc: fix possible deadlock in bm_register_write Naveen N. Rao <naveen.n.rao(a)linux.vnet.ibm.com> powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() Alexey Dobriyan <adobriyan(a)gmail.com> prctl: fix PR_SET_MM_AUXV kernel stack leak Matthew Wilcox (Oracle) <willy(a)infradead.org> include/linux/sched/mm.h: use rcu_dereference in in_vfork() Arnd Bergmann <arnd(a)arndb.de> stop_machine: mark helpers __always_inline Daiyue Zhang <zhangdaiyue1(a)huawei.com> configfs: fix a use-after-free in __configfs_open_file Jia-Ju Bai <baijiaju1990(a)gmail.com> block: rsxx: fix error return code of rsxx_pci_probe() Ondrej Mosnacek <omosnace(a)redhat.com> NFSv4.2: fix return value of _nfs4_get_security_label() Sergey Shtylyov <s.shtylyov(a)omprussia.ru> sh_eth: fix TRSCER mask for R7S72100 Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: pcl818: Fix endian problem for AI command data Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: pcl711: Fix endian problem for AI command data Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: me4000: Fix endian problem for AI command data Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: dmm32at: Fix endian problem for AI command data Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: das800: Fix endian problem for AI command data Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: das6402: Fix endian problem for AI command data Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: adv_pci1710: Fix endian problem for AI command data Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: addi_apci_1500: Fix endian problem for command sample Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: addi_apci_1032: Fix endian problem for COS sample Lee Gibson <leegib(a)gmail.com> staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan Lee Gibson <leegib(a)gmail.com> staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd Dan Carpenter <dan.carpenter(a)oracle.com> staging: ks7010: prevent buffer overflow in ks_wlan_set_scan() Dan Carpenter <dan.carpenter(a)oracle.com> staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data() Dan Carpenter <dan.carpenter(a)oracle.com> staging: rtl8712: unterminated string leads to read overflow Dan Carpenter <dan.carpenter(a)oracle.com> staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan() Dan Carpenter <dan.carpenter(a)oracle.com> staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan() Shuah Khan <skhan(a)linuxfoundation.org> usbip: fix vhci_hcd attach_store() races leading to gpf Shuah Khan <skhan(a)linuxfoundation.org> usbip: fix stub_dev usbip_sockfd_store() races leading to gpf Shuah Khan <skhan(a)linuxfoundation.org> usbip: fix vudc to check for stream socket Shuah Khan <skhan(a)linuxfoundation.org> usbip: fix vhci_hcd to check for stream socket Shuah Khan <skhan(a)linuxfoundation.org> usbip: fix stub_dev to check for stream socket Sebastian Reichel <sebastian.reichel(a)collabora.com> USB: serial: cp210x: add some more GE USB IDs Karan Singhal <karan.singhal(a)acuitybrands.com> USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter Niv Sardi <xaiki(a)evilgiggle.com> USB: serial: ch341: add new Product ID Pavel Skripkin <paskripkin(a)gmail.com> USB: serial: io_edgeport: fix memory leak in edge_startup Forest Crossman <cyrozap(a)gmail.com> usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Improve detection of device initiated wake signal. Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM Ruslan Bilovol <ruslan.bilovol(a)gmail.com> usb: gadget: f_uac1: stop playback on function disable Ruslan Bilovol <ruslan.bilovol(a)gmail.com> usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot Dan Carpenter <dan.carpenter(a)oracle.com> USB: gadget: u_ether: Fix a configfs return code Yorick de Wid <ydewid(a)gmail.com> Goodix Fingerprint device is not a modem Adrian Hunter <adrian.hunter(a)intel.com> mmc: core: Fix partition switch time for eMMC Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix hanging IO request during DASD driver unbind Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix hanging DASD driver unbind Eric W. Biederman <ebiederm(a)xmission.com> Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities") Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar Takashi Iwai <tiwai(a)suse.de> ALSA: hda: Avoid spurious unsol event handling during S3/S4 Takashi Iwai <tiwai(a)suse.de> ALSA: hda: Drop the BATCH workaround for AMD controllers Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Cancel pending works before suspend Mike Christie <michael.christie(a)oracle.com> scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling Heiko Carstens <hca(a)linux.ibm.com> s390/smp: __smp_rescan_cpus() - move cpumask away from stack Krzysztof Wilczyński <kw(a)linux.com> PCI: mediatek: Add missing of_node_put() to fix reference leak Martin Kaiser <martin(a)kaiser.cx> PCI: xgene-msi: Fix race in installing chained irq handler Athira Rajeev <atrajeev(a)linux.vnet.ibm.com> powerpc/perf: Record counter overflow always if SAMPLE_IP is unset Nicholas Piggin <npiggin(a)gmail.com> powerpc: improve handling of unrecoverable system reset Chaotian Jing <chaotian.jing(a)mediatek.com> mmc: mediatek: fix race condition between msdc_request_timeout and irq Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()' Steven J. Magnani <magnani(a)ieee.org> udf: fix silent AED tagLocation corruption Guangbin Huang <huangguangbin2(a)huawei.com> net: phy: fix save wrong speed and duplex problem if autoneg is on Maxim Mikityanskiy <maxtram95(a)gmail.com> media: usbtv: Fix deadlock on suspend Eric Farman <farman(a)linux.ibm.com> s390/cio: return -EFAULT if copy_to_user() fails Artem Lapkin <art(a)khadas.com> drm: meson_drv add shutdown function Daniel Vetter <daniel.vetter(a)ffwll.ch> drm/compat: Clear bounce structures Wang Qing <wangqing(a)vivo.com> s390/cio: return -EFAULT if copy_to_user() fails again Ian Rogers <irogers(a)google.com> perf traceevent: Ensure read cmdlines are null terminated. Joakim Zhang <qiangqing.zhang(a)nxp.com> net: stmmac: stop each tx channel independently Paul Cercueil <paul(a)crapouillou.net> net: davicom: Fix regulator not turned off on driver removal Paul Cercueil <paul(a)crapouillou.net> net: davicom: Fix regulator not turned off on failed probe Xie He <xie.he.0141(a)gmail.com> net: lapbether: Remove netif_start_queue / netif_stop_queue Paul Moore <paul(a)paul-moore.com> cipso,calipso: resolve a number of problems with the DOI refcounts Daniele Palmas <dnlplm(a)gmail.com> net: usb: qmi_wwan: allow qmimux add/del with master up Maximilian Heyne <mheyne(a)amazon.de> net: sched: avoid duplicates in classes dump Ong Boon Leong <boon.leong.ong(a)intel.com> net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10 Kevin(Yudong) Yang <yyd(a)google.com> net/mlx4_en: update moderation when config reset Sergey Shtylyov <s.shtylyov(a)omprussia.ru> sh_eth: fix TRSCER mask for SH771x Linus Torvalds <torvalds(a)linux-foundation.org> Revert "mm, slub: consider rest of partial list if acquire_slab() fails" Joe Lawrence <joe.lawrence(a)redhat.com> scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names Paulo Alcantara <pc(a)cjr.nz> cifs: return proper error code in statfs(2) Vasily Averin <vvs(a)virtuozzo.com> netfilter: x_tables: gpf inside xt_find_revision() Joakim Zhang <qiangqing.zhang(a)nxp.com> can: flexcan: enable RX FIFO after FRZ/HALT valid Joakim Zhang <qiangqing.zhang(a)nxp.com> can: flexcan: assert FRZ bit in flexcan_chip_freeze() Oleksij Rempel <o.rempel(a)pengutronix.de> can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership Balazs Nemeth <bnemeth(a)redhat.com> net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 Balazs Nemeth <bnemeth(a)redhat.com> net: check if protocol extracted by virtio_net_hdr_set_proto is correct Maxim Mikityanskiy <maximmi(a)mellanox.com> net: Introduce parse_protocol header_ops callback Daniel Borkmann <daniel(a)iogearbox.net> net: Fix gro aggregation for udp encaps with zero csum Felix Fietkau <nbd(a)nbd.name> ath9k: fix transmitting to stations in dynamic SMPS mode Jakub Kicinski <kuba(a)kernel.org> ethernet: alx: fix order of calls on resume Dmitry V. Levin <ldv(a)altlinux.org> uapi: nfnetlink_cthelper.h: fix userspace compilation error ------------- Diffstat: Makefile | 4 +- arch/powerpc/include/asm/code-patching.h | 2 +- arch/powerpc/kernel/traps.c | 5 +- arch/powerpc/perf/core-book3s.c | 19 +++- arch/s390/kernel/smp.c | 2 +- drivers/block/rsxx/core.c | 1 + drivers/gpu/drm/drm_ioc32.c | 11 ++ drivers/gpu/drm/meson/meson_drv.c | 11 ++ drivers/hwmon/lm90.c | 42 ++++++- drivers/iio/imu/adis_buffer.c | 5 +- drivers/media/usb/usbtv/usbtv-audio.c | 2 +- drivers/mmc/core/mmc.c | 15 ++- drivers/mmc/host/mtk-sd.c | 18 +-- drivers/mmc/host/mxs-mmc.c | 2 +- drivers/net/can/flexcan.c | 12 +- drivers/net/ethernet/atheros/alx/main.c | 7 +- drivers/net/ethernet/davicom/dm9000.c | 21 +++- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +- drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 2 + drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 1 + drivers/net/ethernet/renesas/sh_eth.c | 5 + drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c | 19 +++- drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c | 4 - drivers/net/phy/phy.c | 7 +- drivers/net/usb/qmi_wwan.c | 14 --- drivers/net/wan/lapbether.c | 3 - drivers/net/wireless/ath/ath9k/ath9k.h | 3 +- drivers/net/wireless/ath/ath9k/xmit.c | 6 + drivers/pci/host/pci-xgene-msi.c | 10 +- drivers/pci/host/pcie-mediatek.c | 7 +- drivers/s390/block/dasd.c | 6 +- drivers/s390/cio/vfio_ccw_ops.c | 6 +- drivers/scsi/libiscsi.c | 11 +- drivers/staging/comedi/drivers/addi_apci_1032.c | 4 +- drivers/staging/comedi/drivers/addi_apci_1500.c | 18 +-- drivers/staging/comedi/drivers/adv_pci1710.c | 10 +- drivers/staging/comedi/drivers/das6402.c | 2 +- drivers/staging/comedi/drivers/das800.c | 2 +- drivers/staging/comedi/drivers/dmm32at.c | 2 +- drivers/staging/comedi/drivers/me4000.c | 2 +- drivers/staging/comedi/drivers/pcl711.c | 2 +- drivers/staging/comedi/drivers/pcl818.c | 2 +- drivers/staging/ks7010/ks_wlan_net.c | 6 +- drivers/staging/rtl8188eu/core/rtw_ap.c | 5 + drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 6 +- drivers/staging/rtl8192e/rtl8192e/rtl_wx.c | 7 +- drivers/staging/rtl8192u/r8192U_wx.c | 6 +- drivers/staging/rtl8712/rtl871x_cmd.c | 6 +- drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 2 +- drivers/usb/class/cdc-acm.c | 5 + drivers/usb/gadget/function/f_uac1.c | 1 + drivers/usb/gadget/function/f_uac2.c | 2 +- drivers/usb/gadget/function/u_ether_configfs.h | 5 +- drivers/usb/host/xhci-pci.c | 8 +- drivers/usb/host/xhci.c | 16 ++- drivers/usb/renesas_usbhs/pipe.c | 2 + drivers/usb/serial/ch341.c | 1 + drivers/usb/serial/cp210x.c | 3 + drivers/usb/serial/io_edgeport.c | 26 +++-- drivers/usb/usbip/stub_dev.c | 42 +++++-- drivers/usb/usbip/vhci_sysfs.c | 39 ++++++- drivers/usb/usbip/vudc_sysfs.c | 10 ++ drivers/xen/events/events_2l.c | 22 ++-- drivers/xen/events/events_base.c | 132 ++++++++++++++++------ drivers/xen/events/events_fifo.c | 7 -- drivers/xen/events/events_internal.h | 22 ++-- fs/binfmt_misc.c | 29 +++-- fs/cifs/cifsfs.c | 2 +- fs/configfs/file.c | 6 +- fs/nfs/nfs4proc.c | 2 +- fs/udf/inode.c | 9 +- include/linux/can/skb.h | 8 +- include/linux/netdevice.h | 10 ++ include/linux/sched/mm.h | 3 +- include/linux/stop_machine.h | 11 +- include/linux/virtio_net.h | 7 +- include/uapi/linux/netfilter/nfnetlink_cthelper.h | 2 +- kernel/sys.c | 2 +- mm/slub.c | 2 +- net/ipv4/cipso_ipv4.c | 11 +- net/ipv4/udp_offload.c | 2 +- net/ipv6/calipso.c | 14 +-- net/mpls/mpls_gso.c | 3 + net/netfilter/x_tables.c | 6 +- net/netlabel/netlabel_cipso_v4.c | 3 + net/sched/sch_api.c | 8 +- scripts/recordmcount.c | 2 +- scripts/recordmcount.pl | 13 +++ security/commoncap.c | 12 +- sound/pci/hda/hda_bind.c | 4 + sound/pci/hda/hda_controller.c | 7 -- sound/pci/hda/patch_hdmi.c | 13 +++ sound/usb/quirks.c | 1 + tools/perf/util/trace-event-read.c | 1 + virt/kvm/arm/mmu.c | 2 +- 95 files changed, 616 insertions(+), 289 deletions(-)

3 years, 9 months

7
105
0 0

[linux-stable-rc CI] Test report for 4.14.226/x86

by hulkrobot＠huawei.com

Kernel repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Branch: linux-4.14.y Arch: x86 Version: 4.14.226 Commit: cb83ddcd5332fcc3efd52ba994976efc4dd6061e Compiler: gcc version 7.3.0 (GCC) -------------------------------------------------------------------- Failed cases : ltp test_robind07 ltp test_robind13 ltp test_robind14 ltp test_robind15 -------------------------------------------------------------------- Testcase Result Summary: total_num: 4714 succeed_num: 4710 failed_num: 4 timeout_num: 0 -------------------------------------------------------------------- Tested-by: Hulk Robot <hulkrobot(a)huawei.com>

3 years, 9 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2021