April 2025 - Linux-stable-mirror

[PATCH v2 RESEND] HID: wacom: fix shift OOB in kfifo allocation for zero pktlen

by Qasim Ijaz

During wacom_parse_and_register() the code calls wacom_devm_kfifo_alloc to allocate a fifo. During this operation it passes kfifo_alloc a fifo_size of 0. Kfifo attempts to round the size passed to it to the next power of 2 via roundup_pow_of_two (queue-type data structures do this to maintain efficiency of operations). However during this phase a problem arises when the roundup_pow_of_two() function utilises a shift exponent of fls_long(n-1), where n is the fifo_size. Since n is 0 in this case and n is also an unsigned long, doing n-1 causes unsigned integer wrap-around to occur making the fifo_size 4294967295. So the code effectively does fls_long(4294967295) which results in 64. Returning back to roundup_pow_of_two(), the code utilises a shift exponent of 64. When a shift exponent of 64 is used on a 64-bit type such as 1UL it results in a shift-out-of-bounds. The root cause of the issue seems to stem from insufficient validation of wacom_compute_pktlen(), since in this case the fifo_size comes from wacom_wac->features.pktlen. During wacom_parse_and_register() the wacom_compute_pktlen() function sets the pktlen as 0. To fix this, we should handle cases where wacom_compute_pktlen() results in 0. Reported-by: syzbot <syzbot+d5204cbbdd921f1f7cad(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=d5204cbbdd921f1f7cad Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit") Tested-by: Qasim Ijaz <qasdev00(a)gmail.com> Reviewed-by: Jason Gerecke <jason.gerecke(a)wacom.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- v2: - Added Fixes tag as suggested by Jason Gerecke drivers/hid/wacom_sys.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index 97393a3083ca..9b2f3dbca467 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -2361,6 +2361,8 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless) unsigned int connect_mask = HID_CONNECT_HIDRAW; features->pktlen = wacom_compute_pktlen(hdev); + if (!features->pktlen) + return -ENODEV; if (!devres_open_group(&hdev->dev, wacom, GFP_KERNEL)) return -ENOMEM; -- 2.39.5

7 months

2
1
0 0

Potential Linux Crash: WARNING in release_bp_slot in linux6.12.24(longterm maintenance)

by ffhgfv

Hello, I found a potential bug titled " WARNING in release_bp_slot " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025). If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <xnxc22xnxc22(a)qq.com>, xingwei lee <xrivendell7(a)gmail.com>,Penglei Jiang <superman.xpt(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 The reproduction program written in C language is at the end. ------------[ cut here ]----------------------------------------- TITLE: WARNING in release_bp_slot ------------[ cut here ]------------ loop2: detected capacity change from 0 to 64 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 __release_bp_slot kernel/events/hw_breakpoint.c:614 [inline] WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 __release_bp_slot kernel/events/hw_breakpoint.c:607 [inline] WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 release_bp_slot+0x6b/0x90 kernel/events/hw_breakpoint.c:621 Modules linked in: CPU: 1 UID: 0 PID: 38650 Comm: syz.2.3497 Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__release_bp_slot kernel/events/hw_breakpoint.c:614 [inline] RIP: 0010:__release_bp_slot kernel/events/hw_breakpoint.c:607 [inline] RIP: 0010:release_bp_slot+0x6b/0x90 kernel/events/hw_breakpoint.c:621 Code: e8 8a c1 ff ff 31 ff 89 c5 89 c6 e8 7f 95 ce ff 85 ed 75 10 e8 86 9a ce ff 4c 89 e7 5d 41 5c e9 7b b7 ff ff e8 76 9a ce ff 90 <0f> 0b 90 e8 6d 9a ce ff 4c 89 e7 5d 41 5c e9 62 b7 ff ff e8 3d c3 RSP: 0018:ffffc90006effc58 EFLAGS: 00010206 RAX: 0000000000000300 RBX: ffff888027788620 RCX: ffffc90010ce2000 RDX: 0000000000080000 RSI: ffffffff81bd948a RDI: 0000000000000005 RBP: 00000000fffffffe R08: 0000000000000001 R09: ffff88804cc82fd8 R10: 00000000fffffffe R11: 0000000000000000 R12: ffff88804cc83928 R13: ffff8880277886b8 R14: ffff888027788b98 R15: 00000000ffffffa1 FS: 00007ff310df6640(0000) GS:ffff88807ee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2000b85150 CR3: 000000007ce38000 CR4: 0000000000752ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <task> __free_event+0x1d9/0x870 kernel/events/core.c:5330 perf_event_alloc.part.0+0x1225/0x3620 kernel/events/core.c:12437 perf_event_alloc kernel/events/core.c:12749 [inline] __do_sys_perf_event_open+0x4c9/0x2c40 kernel/events/core.c:12847 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff312fad5ad Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff310df5f98 EFLAGS: 00000246 ORIG_RAX: 000000000000012a RAX: ffffffffffffffda RBX: 00007ff3131e5fa0 RCX: 00007ff312fad5ad RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00002000000004c0 RBP: 00007ff313046d56 R08: 000000000000000a R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007ff3131e5fa0 R15: 00007ff310dd6000 </task> ================================================================== The following is the poc： -------------------------------------------------------------------------------------- #define _GNU_SOURCE #include <endian.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys syscall.h=""> #include <sys types.h=""> #include <unistd.h> #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \ *(type*)(addr) = \ htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \ (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } *(uint32_t*)0x2000000004c0 = 5; *(uint32_t*)0x2000000004c4 = 0x80; *(uint8_t*)0x2000000004c8 = 8; *(uint8_t*)0x2000000004c9 = 0xaf; *(uint8_t*)0x2000000004ca = 0; *(uint8_t*)0x2000000004cb = 8; *(uint32_t*)0x2000000004cc = 0; *(uint64_t*)0x2000000004d0 = 4; *(uint64_t*)0x2000000004d8 = 0x402; *(uint64_t*)0x2000000004e0 = 0xc; STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 38, 26); *(uint32_t*)0x2000000004f0 = 2; *(uint32_t*)0x2000000004f4 = 2; *(uint64_t*)0x2000000004f8 = 0x8000; *(uint64_t*)0x200000000500 = 2; *(uint64_t*)0x200000000508 = 0x100001; *(uint64_t*)0x200000000510 = 0x839; *(uint32_t*)0x200000000518 = 8; *(uint32_t*)0x20000000051c = 7; *(uint64_t*)0x200000000520 = 0x8000000000000000; *(uint32_t*)0x200000000528 = 0x5e4; *(uint16_t*)0x20000000052c = 0xfefd; *(uint16_t*)0x20000000052e = 0; *(uint32_t*)0x200000000530 = 0x10000004; *(uint32_t*)0x200000000534 = 0; *(uint64_t*)0x200000000538 = 0x40000000000002; syscall(__NR_perf_event_open, /*attr=*/0x2000000004c0ul, /*pid=*/0, /*cpu=*/0ul, /*group=*/(intptr_t)-1, /*flags=PERF_FLAG_FD_CLOEXEC|PERF_FLAG_FD_OUTPUT*/ 0xaul); return 0; } I hope it helps. Best regards Jianzhou Zhao</unistd.h></sys></sys></string.h></stdlib.h></stdio.h></stdint.h></endian.h></superman.xpt(a)gmail.com></xrivendell7(a)gmail.com></xnxc22xnxc22(a)qq.com>

7 months

2
1
0 0

[PATCH v1] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()

by Terry Junge

Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are valid. Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault. Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors. Reported-by: syzbot+c52569baf0c843f35495(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 Fixes: f043bfc98c19 ("HID: usbhid: fix out-of-bounds bug") Cc: stable(a)vger.kernel.org Signed-off-by: Terry Junge <linuxhid(a)cosmicgizmosystems.com> --- v1: Remove unnecessary for loop searching for the report descriptor size. base-commit: 58c9bf3363e596d744f56616d407278ef5f97f5a P.S. This is an alternative to the solution proposed by Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Link: https://lore.kernel.org/all/20250131151600.410242-1-n.zhandarovich@fintech.… include/linux/hid.h | 3 ++- drivers/usb/gadget/function/f_hid.c | 12 ++++++------ drivers/hid/hid-hyperv.c | 4 ++-- drivers/hid/usbhid/hid-core.c | 25 ++++++++++++++----------- 4 files changed, 24 insertions(+), 20 deletions(-) diff --git a/include/linux/hid.h b/include/linux/hid.h index cdc0dc13c87f..7abc8c74bdd5 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -738,8 +738,9 @@ struct hid_descriptor { __le16 bcdHID; __u8 bCountryCode; __u8 bNumDescriptors; + struct hid_class_descriptor rpt_desc; - struct hid_class_descriptor desc[1]; + struct hid_class_descriptor opt_descs[]; } __attribute__ ((packed)); #define HID_DEVICE(b, g, ven, prod) \ diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c index 740311c4fa24..c7a05f842745 100644 --- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -144,8 +144,8 @@ static struct hid_descriptor hidg_desc = { .bcdHID = cpu_to_le16(0x0101), .bCountryCode = 0x00, .bNumDescriptors = 0x1, - /*.desc[0].bDescriptorType = DYNAMIC */ - /*.desc[0].wDescriptorLenght = DYNAMIC */ + /*.rpt_desc.bDescriptorType = DYNAMIC */ + /*.rpt_desc.wDescriptorLength = DYNAMIC */ }; /* Super-Speed Support */ @@ -939,8 +939,8 @@ static int hidg_setup(struct usb_function *f, struct hid_descriptor hidg_desc_copy = hidg_desc; VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: HID\n"); - hidg_desc_copy.desc[0].bDescriptorType = HID_DT_REPORT; - hidg_desc_copy.desc[0].wDescriptorLength = + hidg_desc_copy.rpt_desc.bDescriptorType = HID_DT_REPORT; + hidg_desc_copy.rpt_desc.wDescriptorLength = cpu_to_le16(hidg->report_desc_length); length = min_t(unsigned short, length, @@ -1210,8 +1210,8 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f) * We can use hidg_desc struct here but we should not relay * that its content won't change after returning from this function. */ - hidg_desc.desc[0].bDescriptorType = HID_DT_REPORT; - hidg_desc.desc[0].wDescriptorLength = + hidg_desc.rpt_desc.bDescriptorType = HID_DT_REPORT; + hidg_desc.rpt_desc.wDescriptorLength = cpu_to_le16(hidg->report_desc_length); hidg_hs_in_ep_desc.bEndpointAddress = diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c index 0fb210e40a41..9eafff0b6ea4 100644 --- a/drivers/hid/hid-hyperv.c +++ b/drivers/hid/hid-hyperv.c @@ -192,7 +192,7 @@ static void mousevsc_on_receive_device_info(struct mousevsc_dev *input_device, goto cleanup; input_device->report_desc_size = le16_to_cpu( - desc->desc[0].wDescriptorLength); + desc->rpt_desc.wDescriptorLength); if (input_device->report_desc_size == 0) { input_device->dev_info_status = -EINVAL; goto cleanup; @@ -210,7 +210,7 @@ static void mousevsc_on_receive_device_info(struct mousevsc_dev *input_device, memcpy(input_device->report_desc, ((unsigned char *)desc) + desc->bLength, - le16_to_cpu(desc->desc[0].wDescriptorLength)); + le16_to_cpu(desc->rpt_desc.wDescriptorLength)); /* Send the ack */ memset(&ack, 0, sizeof(struct mousevsc_prt_msg)); diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index a6eb6fe6130d..e668143b559d 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -983,12 +983,11 @@ static int usbhid_parse(struct hid_device *hid) struct usb_host_interface *interface = intf->cur_altsetting; struct usb_device *dev = interface_to_usbdev (intf); struct hid_descriptor *hdesc; + struct hid_class_descriptor *hcdesc; u32 quirks = 0; unsigned int rsize = 0; char *rdesc; - int ret, n; - int num_descriptors; - size_t offset = offsetof(struct hid_descriptor, desc); + int ret; quirks = hid_lookup_quirk(hid); @@ -1010,20 +1009,19 @@ static int usbhid_parse(struct hid_device *hid) return -ENODEV; } - if (hdesc->bLength < sizeof(struct hid_descriptor)) { - dbg_hid("hid descriptor is too short\n"); + if (!hdesc->bNumDescriptors || + hdesc->bLength != sizeof(*hdesc) + + (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) { + dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n", + hdesc->bLength, hdesc->bNumDescriptors); return -EINVAL; } hid->version = le16_to_cpu(hdesc->bcdHID); hid->country = hdesc->bCountryCode; - num_descriptors = min_t(int, hdesc->bNumDescriptors, - (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor)); - - for (n = 0; n < num_descriptors; n++) - if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT) - rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength); + if (hdesc->rpt_desc.bDescriptorType == HID_DT_REPORT) + rsize = le16_to_cpu(hdesc->rpt_desc.wDescriptorLength); if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) { dbg_hid("weird size of report descriptor (%u)\n", rsize); @@ -1051,6 +1049,11 @@ static int usbhid_parse(struct hid_device *hid) goto err; } + if (hdesc->bNumDescriptors > 1) + hid_warn(intf, + "%hhu unsupported optional hid class descriptors\n", + hdesc->bNumDescriptors - 1); + hid->quirks |= quirks; return 0; -- 2.43.0

7 months

4
4
0 0

[PATCH v3] arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2

by Wojciech Dubowik

Define vqmmc regulator-gpio for usdhc2 with vin-supply coming from LDO5. Without this definition LDO5 will be powered down, disabling SD card after bootup. This has been introduced in commit f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5"). Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5") Cc: stable(a)vger.kernel.org Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> --- v1 -> v2: https://lore.kernel.org/all/20250417112012.785420-1-Wojciech.Dubowik@mt.com/ - define gpio regulator for LDO5 vin controlled by vselect signal v2 -> v3: https://lore.kernel.org/all/20250422130127.GA238494@francesco-nb/ - specify vselect as gpio --- .../boot/dts/freescale/imx8mm-verdin.dtsi | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi index 7251ad3a0017..b46566f3ce20 100644 --- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi @@ -144,6 +144,19 @@ reg_usdhc2_vmmc: regulator-usdhc2 { startup-delay-us = <20000>; }; + reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc { + compatible = "regulator-gpio"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usdhc2_vsel>; + gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>; + regulator-max-microvolt = <3300000>; + regulator-min-microvolt = <1800000>; + states = <1800000 0x1>, + <3300000 0x0>; + regulator-name = "PMIC_USDHC_VSELECT"; + vin-supply = <&reg_nvcc_sd>; + }; + reserved-memory { #address-cells = <2>; #size-cells = <2>; @@ -269,7 +282,7 @@ &gpio1 { "SODIMM_19", "", "", - "", + "PMIC_USDHC_VSELECT", "", "", "", @@ -785,6 +798,7 @@ &usdhc2 { pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>; pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>; vmmc-supply = <&reg_usdhc2_vmmc>; + vqmmc-supply = <&reg_usdhc2_vqmmc>; }; &wdog1 { @@ -1206,13 +1220,17 @@ pinctrl_usdhc2_pwr_en: usdhc2pwrengrp { <MX8MM_IOMUXC_NAND_CLE_GPIO3_IO5 0x6>; /* SODIMM 76 */ }; + pinctrl_usdhc2_vsel: usdhc2vselgrp { + fsl,pins = + <MX8MM_IOMUXC_GPIO1_IO04_GPIO1_IO4 0x10>; /* PMIC_USDHC_VSELECT */ + }; + /* * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here. */ pinctrl_usdhc2: usdhc2grp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x90>, /* SODIMM 78 */ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x90>, /* SODIMM 74 */ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x90>, /* SODIMM 80 */ @@ -1223,7 +1241,6 @@ pinctrl_usdhc2: usdhc2grp { pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x94>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x94>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x94>, @@ -1234,7 +1251,6 @@ pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x96>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x96>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x96>, @@ -1246,7 +1262,6 @@ pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { /* Avoid backfeeding with removed card power */ pinctrl_usdhc2_sleep: usdhc2slpgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x0>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x0>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x0>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x0>, -- 2.47.2

7 months

4
12
0 0

[PATCH 5.10.y] perf: Fix perf_pending_task() UaF

by Xiangyu Chen

From: Peter Zijlstra <peterz(a)infradead.org> [ Upstream commit 517e6a301f34613bff24a8e35b5455884f2d83d8 ] Per syzbot it is possible for perf_pending_task() to run after the event is free()'d. There are two related but distinct cases: - the task_work was already queued before destroying the event; - destroying the event itself queues the task_work. The first cannot be solved using task_work_cancel() since perf_release() itself might be called from a task_work (____fput), which means the current->task_works list is already empty and task_work_cancel() won't be able to find the perf_pending_task() entry. The simplest alternative is extending the perf_event lifetime to cover the task_work. The second is just silly, queueing a task_work while you know the event is going away makes no sense and is easily avoided by re-arranging how the event is marked STATE_DEAD and ensuring it goes through STATE_OFF on the way down. Reported-by: syzbot+9228d6098455bb209ec8(a)syzkaller.appspotmail.com Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Tested-by: Marco Elver <elver(a)google.com> [ Discard the changes in event_sched_out() due to 5.10 don't have the commit: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events") and commit: ca6c21327c6a ("perf: Fix missing SIGTRAPs") ] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test. --- kernel/events/core.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index 8f19d6ab039e..798c839a00b3 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -2419,6 +2419,7 @@ group_sched_out(struct perf_event *group_event, } #define DETACH_GROUP 0x01UL +#define DETACH_DEAD 0x04UL /* * Cross CPU call to remove a performance event @@ -2439,10 +2440,18 @@ __perf_remove_from_context(struct perf_event *event, update_cgrp_time_from_cpuctx(cpuctx, false); } + /* + * Ensure event_sched_out() switches to OFF, at the very least + * this avoids raising perf_pending_task() at this time. + */ + if (flags & DETACH_DEAD) + event->pending_disable = 1; event_sched_out(event, cpuctx, ctx); if (flags & DETACH_GROUP) perf_group_detach(event); list_del_event(event, ctx); + if (flags & DETACH_DEAD) + event->state = PERF_EVENT_STATE_DEAD; if (!ctx->nr_events && ctx->is_active) { if (ctx == &cpuctx->ctx) @@ -5111,9 +5120,7 @@ int perf_event_release_kernel(struct perf_event *event) ctx = perf_event_ctx_lock(event); WARN_ON_ONCE(ctx->parent_ctx); - perf_remove_from_context(event, DETACH_GROUP); - raw_spin_lock_irq(&ctx->lock); /* * Mark this event as STATE_DEAD, there is no external reference to it * anymore. @@ -5125,8 +5132,7 @@ int perf_event_release_kernel(struct perf_event *event) * Thus this guarantees that we will in fact observe and kill _ALL_ * child events. */ - event->state = PERF_EVENT_STATE_DEAD; - raw_spin_unlock_irq(&ctx->lock); + perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD); perf_event_ctx_unlock(event, ctx); @@ -6533,6 +6539,8 @@ static void perf_pending_event(struct irq_work *entry) if (rctx >= 0) perf_swevent_put_recursion_context(rctx); + + put_event(event); } /* -- 2.34.1

7 months

3
5
0 0

[PATCH v2 RESEND] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()

by Haoxiang Li

Add video_device_release() in label 'err_m2m' to release the memory allocated by video_device_alloc() and prevent potential memory leaks. Remove the reduntant code in label 'err_m2m'. Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- Changes in v2: - Remove the reduntant code. Thanks, Dan! --- drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/media/imx/imx-media-csc-scaler.c b/drivers/staging/media/imx/imx-media-csc-scaler.c index e5e08c6f79f2..19fd31cb9bb0 100644 --- a/drivers/staging/media/imx/imx-media-csc-scaler.c +++ b/drivers/staging/media/imx/imx-media-csc-scaler.c @@ -912,7 +912,7 @@ imx_media_csc_scaler_device_init(struct imx_media_dev *md) return &priv->vdev; err_m2m: - video_set_drvdata(vfd, NULL); + video_device_release(vfd); err_vfd: kfree(priv); return ERR_PTR(ret); -- 2.25.1

7 months

1
0
0 0

[PATCH 2/2] drm/dp: Add handling for partially read under I2-readC-over-AUX

by Wayne Lin

[Why] There is no handling for I2C-read-over-AUX when receive reply of I2C_ACK|AUX_ACK followed by the total number of data bytes Fewer than LEN + 1 [How] Refer to DP v2.1: 2.11.7.1.6.3 & 2.11.7.1.6.4, repeat the identical I2C-read-over-AUX transaction with the updated LEN value equal to the original LEN value minus the total number of data bytes received so far. Fixes: 68ec2a2a2481 ("drm/dp: Use I2C_WRITE_STATUS_UPDATE to drain partial I2C_WRITE requests") Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> --- drivers/gpu/drm/display/drm_dp_helper.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c index 28f0708c3b27..938214a980a9 100644 --- a/drivers/gpu/drm/display/drm_dp_helper.c +++ b/drivers/gpu/drm/display/drm_dp_helper.c @@ -1812,10 +1812,11 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) drm_dbg_kms(aux->drm_dev, "%s: I2C partially ack (result=%d, size=%zu)\n", aux->name, ret, msg->size); - if (!(msg->request & DP_AUX_I2C_READ)) { - usleep_range(AUX_RETRY_INTERVAL, AUX_RETRY_INTERVAL + 100); + usleep_range(AUX_RETRY_INTERVAL, AUX_RETRY_INTERVAL + 100); + if (msg->request & DP_AUX_I2C_READ) + msg->size -= ret; + else drm_dp_i2c_msg_write_status_update(msg); - } continue; } -- 2.43.0

7 months

1
0
0 0

[PATCH RESEND] scsi: esas2r: Add check for alloc_ordered_workqueue()

by Haoxiang Li

Add check for the return value of alloc_ordered_workqueue() in esas2r_init_adapter() to catch potential exception. Fixes: 4cb1b41a5ee4 ("scsi: esas2r: Simplify an alloc_ordered_workqueue() invocation") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/scsi/esas2r/esas2r_init.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/scsi/esas2r/esas2r_init.c b/drivers/scsi/esas2r/esas2r_init.c index 04a07fe57be2..9c0225a1f208 100644 --- a/drivers/scsi/esas2r/esas2r_init.c +++ b/drivers/scsi/esas2r/esas2r_init.c @@ -313,6 +313,11 @@ int esas2r_init_adapter(struct Scsi_Host *host, struct pci_dev *pcid, esas2r_fw_event_off(a); a->fw_event_q = alloc_ordered_workqueue("esas2r/%d", WQ_MEM_RECLAIM, a->index); + if (!a->fw_event_q) { + esas2r_log(ESAS2R_LOG_CRIT, "failed to create work queue\n"); + esas2r_kill_adapter(index); + return 0; + } init_waitqueue_head(&a->buffered_ioctl_waiter); init_waitqueue_head(&a->nvram_waiter); -- 2.25.1

7 months

1
0
0 0

[PATCH RESEND] drm/xe: Add check for alloc_ordered_workqueue()

by Haoxiang Li

Add check for the return value of alloc_ordered_workqueue() in xe_gt_alloc() to catch potential exception. Fixes: e2d84e5b2205 ("drm/xe: Mark GT work queue with WQ_MEM_RECLAIM") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_gt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c index 10a9e3c72b36..1f50f26fb657 100644 --- a/drivers/gpu/drm/xe/xe_gt.c +++ b/drivers/gpu/drm/xe/xe_gt.c @@ -81,6 +81,8 @@ struct xe_gt *xe_gt_alloc(struct xe_tile *tile) gt->tile = tile; gt->ordered_wq = alloc_ordered_workqueue("gt-ordered-wq", WQ_MEM_RECLAIM); + if (!gt->ordered_wq) + return ERR_PTR(-ENOMEM); err = drmm_add_action_or_reset(&gt_to_xe(gt)->drm, gt_fini, gt); if (err) -- 2.25.1

7 months

1
0
0 0

[PATCH v2 1/1] iommu: Allow attaching static domains in iommu_attach_device_pasid()

by Lu Baolu

The idxd driver attaches the default domain to a PASID of the device to perform kernel DMA using that PASID. The domain is attached to the device's PASID through iommu_attach_device_pasid(), which checks if the domain->owner matches the iommu_ops retrieved from the device. If they do not match, it returns a failure. if (ops != domain->owner || pasid == IOMMU_NO_PASID) return -EINVAL; The static identity domain implemented by the intel iommu driver doesn't specify the domain owner. Therefore, kernel DMA with PASID doesn't work for the idxd driver if the device translation mode is set to passthrough. Generally the owner field of static domains are not set because they are already part of iommu ops. Add a helper domain_iommu_ops_compatible() that checks if a domain is compatible with the device's iommu ops. This helper explicitly allows the static blocked and identity domains associated with the device's iommu_ops to be considered compatible. Fixes: 2031c469f816 ("iommu/vt-d: Add support for static identity domain") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220031 Cc: stable(a)vger.kernel.org Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Link: https://lore.kernel.org/linux-iommu/20250422191554.GC1213339@ziepe.ca/ Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- drivers/iommu/iommu.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) Change log: -v2: - Make the solution generic for all static domains as suggested by Jason. -v1: https://lore.kernel.org/linux-iommu/20250422075422.2084548-1-baolu.lu@linux… diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 4f91a740c15f..abda40ec377a 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -3402,6 +3402,19 @@ static void __iommu_remove_group_pasid(struct iommu_group *group, iommu_remove_dev_pasid(device->dev, pasid, domain); } +static bool domain_iommu_ops_compatible(const struct iommu_ops *ops, + struct iommu_domain *domain) +{ + if (domain->owner == ops) + return true; + + /* For static domains, owner isn't set. */ + if (domain == ops->blocked_domain || domain == ops->identity_domain) + return true; + + return false; +} + /* * iommu_attach_device_pasid() - Attach a domain to pasid of device * @domain: the iommu domain. @@ -3435,7 +3448,8 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, !ops->blocked_domain->ops->set_dev_pasid) return -EOPNOTSUPP; - if (ops != domain->owner || pasid == IOMMU_NO_PASID) + if (!domain_iommu_ops_compatible(ops, domain) || + pasid == IOMMU_NO_PASID) return -EINVAL; mutex_lock(&group->mutex); -- 2.43.0

7 months

5
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2025