--- /dev/null
+From 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 1 Feb 2020 09:05:30 +0100
+Subject: ALSA: dummy: Fix PCM format loop in proc output
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e upstream.
+
+The loop termination for iterating over all formats should contain
+SNDRV_PCM_FORMAT_LAST, not less than it.
+
+Fixes: 9b151fec139d ("ALSA: dummy - Add debug proc file")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/dummy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/drivers/dummy.c
++++ b/sound/drivers/dummy.c
+@@ -929,7 +929,7 @@ static void print_formats(struct snd_dum
+ {
+ int i;
+
+- for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) {
++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) {
+ if (dummy->pcm_hw.formats & (1ULL << i))
+ snd_iprintf(buffer, " %s", snd_pcm_format_name(i));
+ }
--- /dev/null
+From f8e5f90b3a53bb75f05124ed19156388379a337d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 1 Feb 2020 09:05:28 +0100
+Subject: ALSA: usb-audio: Fix endianess in descriptor validation
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f8e5f90b3a53bb75f05124ed19156388379a337d upstream.
+
+I overlooked that some fields are words and need the converts from
+LE in the recently added USB descriptor validation code.
+This patch fixes those with the proper macro usages.
+
+Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200201080530.22390-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/validate.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -110,7 +110,7 @@ static bool validate_processing_unit(con
+ default:
+ if (v->type == UAC1_EXTENSION_UNIT)
+ return true; /* OK */
+- switch (d->wProcessType) {
++ switch (le16_to_cpu(d->wProcessType)) {
+ case UAC_PROCESS_UP_DOWNMIX:
+ case UAC_PROCESS_DOLBY_PROLOGIC:
+ if (d->bLength < len + 1) /* bNrModes */
+@@ -125,7 +125,7 @@ static bool validate_processing_unit(con
+ case UAC_VERSION_2:
+ if (v->type == UAC2_EXTENSION_UNIT_V2)
+ return true; /* OK */
+- switch (d->wProcessType) {
++ switch (le16_to_cpu(d->wProcessType)) {
+ case UAC2_PROCESS_UP_DOWNMIX:
+ case UAC2_PROCESS_DOLBY_PROLOCIC: /* SiC! */
+ if (d->bLength < len + 1) /* bNrModes */
+@@ -142,7 +142,7 @@ static bool validate_processing_unit(con
+ len += 2; /* wClusterDescrID */
+ break;
+ }
+- switch (d->wProcessType) {
++ switch (le16_to_cpu(d->wProcessType)) {
+ case UAC3_PROCESS_UP_DOWNMIX:
+ if (d->bLength < len + 1) /* bNrModes */
+ return false;
--- /dev/null
+From 4282dc057d750c6a7dd92953564b15c26b54c22c Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Sat, 14 Dec 2019 19:51:14 -0600
+Subject: brcmfmac: Fix memory leak in brcmf_usbdev_qinit
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 4282dc057d750c6a7dd92953564b15c26b54c22c upstream.
+
+In the implementation of brcmf_usbdev_qinit() the allocated memory for
+reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
+handling path.
+
+Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -441,6 +441,7 @@ fail:
+ usb_free_urb(req->urb);
+ list_del(q->next);
+ }
++ kfree(reqs);
+ return NULL;
+
+ }
--- /dev/null
+From 889b331724c82c11e15ba0a60979cf7bded0a26c Mon Sep 17 00:00:00 2001
+From: Lu Shuaibing <shuaibinglu@126.com>
+Date: Mon, 3 Feb 2020 17:34:46 -0800
+Subject: ipc/msg.c: consolidate all xxxctl_down() functions
+
+From: Lu Shuaibing <shuaibinglu@126.com>
+
+commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
+
+A use of uninitialized memory in msgctl_down() because msqid64 in
+ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
+ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
+is never initialized before msgctl_down() checks msqid64->msg_qbytes.
+
+KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
+reports:
+
+==================================================================
+BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
+Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
+
+CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack+0x75/0xae
+ __kumsan_report+0x17c/0x3e6
+ kumsan_report+0xe/0x20
+ msgctl_down+0x94/0x300
+ ksys_msgctl.constprop.14+0xef/0x260
+ do_syscall_64+0x7e/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x4400e9
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
+R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
+R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x100000000000000()
+raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kumsan: bad access detected
+==================================================================
+
+Syzkaller reproducer:
+msgctl$IPC_RMID(0x0, 0x0)
+
+C reproducer:
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+int main(void)
+{
+ syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+ syscall(__NR_msgctl, 0, 0, 0);
+ return 0;
+}
+
+[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
+ Link: https://github.com/ClangBuiltLinux/linux/issues/829
+ Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
+Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
+Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: NeilBrown <neilb@suse.com>
+From: Andrew Morton <akpm@linux-foundation.org>
+Subject: ipc/msg.c: consolidate all xxxctl_down() functions
+
+Each line here overflows 80 cols by exactly one character. Delete one tab
+per line to fix.
+
+Cc: Shaohua Li <shli@fb.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/msg.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -377,7 +377,7 @@ copy_msqid_from_user(struct msqid64_ds *
+ * NOTE: no locks must be held, the rwsem is taken inside this function.
+ */
+ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+- struct msqid64_ds *msqid64)
++ struct ipc64_perm *perm, int msg_qbytes)
+ {
+ struct kern_ipc_perm *ipcp;
+ struct msg_queue *msq;
+@@ -387,7 +387,7 @@ static int msgctl_down(struct ipc_namesp
+ rcu_read_lock();
+
+ ipcp = ipcctl_obtain_check(ns, &msg_ids(ns), msqid, cmd,
+- &msqid64->msg_perm, msqid64->msg_qbytes);
++ perm, msg_qbytes);
+ if (IS_ERR(ipcp)) {
+ err = PTR_ERR(ipcp);
+ goto out_unlock1;
+@@ -409,18 +409,18 @@ static int msgctl_down(struct ipc_namesp
+ {
+ DEFINE_WAKE_Q(wake_q);
+
+- if (msqid64->msg_qbytes > ns->msg_ctlmnb &&
++ if (msg_qbytes > ns->msg_ctlmnb &&
+ !capable(CAP_SYS_RESOURCE)) {
+ err = -EPERM;
+ goto out_unlock1;
+ }
+
+ ipc_lock_object(&msq->q_perm);
+- err = ipc_update_perm(&msqid64->msg_perm, ipcp);
++ err = ipc_update_perm(perm, ipcp);
+ if (err)
+ goto out_unlock0;
+
+- msq->q_qbytes = msqid64->msg_qbytes;
++ msq->q_qbytes = msg_qbytes;
+
+ msq->q_ctime = ktime_get_real_seconds();
+ /*
+@@ -603,9 +603,10 @@ long ksys_msgctl(int msqid, int cmd, str
+ case IPC_SET:
+ if (copy_msqid_from_user(&msqid64, buf, version))
+ return -EFAULT;
+- /* fallthru */
++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm,
++ msqid64.msg_qbytes);
+ case IPC_RMID:
+- return msgctl_down(ns, msqid, cmd, &msqid64);
++ return msgctl_down(ns, msqid, cmd, NULL, 0);
+ default:
+ return -EINVAL;
+ }
+@@ -724,9 +725,9 @@ long compat_ksys_msgctl(int msqid, int c
+ case IPC_SET:
+ if (copy_compat_msqid_from_user(&msqid64, uptr, version))
+ return -EFAULT;
+- /* fallthru */
++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, msqid64.msg_qbytes);
+ case IPC_RMID:
+- return msgctl_down(ns, msqid, cmd, &msqid64);
++ return msgctl_down(ns, msqid, cmd, NULL, 0);
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From 68035c80e129c4cfec659aac4180354530b26527 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 8 Nov 2019 16:48:38 +0100
+Subject: media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
+
+From: Will Deacon <will@kernel.org>
+
+commit 68035c80e129c4cfec659aac4180354530b26527 upstream.
+
+Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked
+up the following WARNING from the UVC chain scanning code:
+
+ | list_add double add: new=ffff880069084010, prev=ffff880069084010,
+ | next=ffff880067d22298.
+ | ------------[ cut here ]------------
+ | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
+ | Modules linked in:
+ | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
+ | 4.14.0-rc2-42613-g1488251d1a98 #238
+ | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ | Workqueue: usb_hub_wq hub_event
+ | task: ffff88006b01ca40 task.stack: ffff880064358000
+ | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
+ | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286
+ | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000
+ | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac
+ | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000
+ | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010
+ | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0
+ | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
+ | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0
+ | Call Trace:
+ | __list_add ./include/linux/list.h:59
+ | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
+ | uvc_scan_chain_forward.isra.8+0x373/0x416
+ | drivers/media/usb/uvc/uvc_driver.c:1471
+ | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
+ | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
+ | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
+
+Looking into the output from usbmon, the interesting part is the
+following data packet:
+
+ ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080
+ 00090403 00000e01 00000924 03000103 7c003328 010204db
+
+If we drop the lead configuration and interface descriptors, we're left
+with an output terminal descriptor describing a generic display:
+
+ /* Output terminal descriptor */
+ buf[0] 09
+ buf[1] 24
+ buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */
+ buf[3] 00 /* ID */
+ buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */
+ buf[5] 03
+ buf[6] 7c
+ buf[7] 00 /* source ID refers to self! */
+ buf[8] 33
+
+The problem with this descriptor is that it is self-referential: the
+source ID of 0 matches itself! This causes the 'struct uvc_entity'
+representing the display to be added to its chain list twice during
+'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is
+processed directly from the 'dev->entities' list and then again
+immediately afterwards when trying to follow the source ID in
+'uvc_scan_chain_forward()'
+
+Add a check before adding an entity to a chain list to ensure that the
+entity is not already part of a chain.
+
+Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/
+
+Cc: <stable@vger.kernel.org>
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1482,6 +1482,11 @@ static int uvc_scan_chain_forward(struct
+ break;
+ if (forward == prev)
+ continue;
++ if (forward->chain.next || forward->chain.prev) {
++ uvc_trace(UVC_TRACE_DESCR, "Found reference to "
++ "entity %d already in chain.\n", forward->id);
++ return -EINVAL;
++ }
+
+ switch (UVC_ENTITY_TYPE(forward)) {
+ case UVC_VC_EXTENSION_UNIT:
+@@ -1563,6 +1568,13 @@ static int uvc_scan_chain_backward(struc
+ return -1;
+ }
+
++ if (term->chain.next || term->chain.prev) {
++ uvc_trace(UVC_TRACE_DESCR, "Found reference to "
++ "entity %d already in chain.\n",
++ term->id);
++ return -EINVAL;
++ }
++
+ if (uvc_trace_param & UVC_TRACE_PROBE)
+ printk(KERN_CONT " %d", term->id);
+
--- /dev/null
+From 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 21 Nov 2019 11:28:10 +0100
+Subject: mfd: dln2: More sanity checking for endpoints
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca upstream.
+
+It is not enough to check for the number of endpoints.
+The types must also be correct.
+
+Reported-and-tested-by: syzbot+48a2851be24583b864dc@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/dln2.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/dln2.c
++++ b/drivers/mfd/dln2.c
+@@ -725,6 +725,8 @@ static int dln2_probe(struct usb_interfa
+ const struct usb_device_id *usb_id)
+ {
+ struct usb_host_interface *hostif = interface->cur_altsetting;
++ struct usb_endpoint_descriptor *epin;
++ struct usb_endpoint_descriptor *epout;
+ struct device *dev = &interface->dev;
+ struct dln2_dev *dln2;
+ int ret;
+@@ -734,12 +736,19 @@ static int dln2_probe(struct usb_interfa
+ hostif->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
++ epin = &hostif->endpoint[0].desc;
++ epout = &hostif->endpoint[1].desc;
++ if (!usb_endpoint_is_bulk_out(epout))
++ return -ENODEV;
++ if (!usb_endpoint_is_bulk_in(epin))
++ return -ENODEV;
++
+ dln2 = kzalloc(sizeof(*dln2), GFP_KERNEL);
+ if (!dln2)
+ return -ENOMEM;
+
+- dln2->ep_out = hostif->endpoint[0].desc.bEndpointAddress;
+- dln2->ep_in = hostif->endpoint[1].desc.bEndpointAddress;
++ dln2->ep_out = epout->bEndpointAddress;
++ dln2->ep_in = epin->bEndpointAddress;
+ dln2->usb_dev = usb_get_dev(interface_to_usbdev(interface));
+ dln2->interface = interface;
+ usb_set_intfdata(interface, dln2);
--- /dev/null
+From 6935c3983b246d5fbfebd3b891c825e65c118f2d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 9 Oct 2019 14:21:54 -0700
+Subject: rcu: Avoid data-race in rcu_gp_fqs_check_wake()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6935c3983b246d5fbfebd3b891c825e65c118f2d upstream.
+
+The rcu_gp_fqs_check_wake() function uses rcu_preempt_blocked_readers_cgp()
+to read ->gp_tasks while other cpus might overwrite this field.
+
+We need READ_ONCE()/WRITE_ONCE() pairs to avoid compiler
+tricks and KCSAN splats like the following :
+
+BUG: KCSAN: data-race in rcu_gp_fqs_check_wake / rcu_preempt_deferred_qs_irqrestore
+
+write to 0xffffffff85a7f190 of 8 bytes by task 7317 on cpu 0:
+ rcu_preempt_deferred_qs_irqrestore+0x43d/0x580 kernel/rcu/tree_plugin.h:507
+ rcu_read_unlock_special+0xec/0x370 kernel/rcu/tree_plugin.h:659
+ __rcu_read_unlock+0xcf/0xe0 kernel/rcu/tree_plugin.h:394
+ rcu_read_unlock include/linux/rcupdate.h:645 [inline]
+ __ip_queue_xmit+0x3b0/0xa40 net/ipv4/ip_output.c:533
+ ip_queue_xmit+0x45/0x60 include/net/ip.h:236
+ __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158
+ __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685
+ tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691
+ tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575
+ tcp_recvmsg+0x633/0x1a30 net/ipv4/tcp.c:2179
+ inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
+ sock_recvmsg_nosec net/socket.c:871 [inline]
+ sock_recvmsg net/socket.c:889 [inline]
+ sock_recvmsg+0x92/0xb0 net/socket.c:885
+ sock_read_iter+0x15f/0x1e0 net/socket.c:967
+ call_read_iter include/linux/fs.h:1864 [inline]
+ new_sync_read+0x389/0x4f0 fs/read_write.c:414
+
+read to 0xffffffff85a7f190 of 8 bytes by task 10 on cpu 1:
+ rcu_gp_fqs_check_wake kernel/rcu/tree.c:1556 [inline]
+ rcu_gp_fqs_check_wake+0x93/0xd0 kernel/rcu/tree.c:1546
+ rcu_gp_fqs_loop+0x36c/0x580 kernel/rcu/tree.c:1611
+ rcu_gp_kthread+0x143/0x220 kernel/rcu/tree.c:1768
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 10 Comm: rcu_preempt Not tainted 5.3.0+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+[ paulmck: Added another READ_ONCE() for RCU CPU stall warnings. ]
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/rcu/tree_plugin.h | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -267,7 +267,7 @@ static void rcu_preempt_ctxt_queue(struc
+ * blocked tasks.
+ */
+ if (!rnp->gp_tasks && (blkd_state & RCU_GP_BLKD)) {
+- rnp->gp_tasks = &t->rcu_node_entry;
++ WRITE_ONCE(rnp->gp_tasks, &t->rcu_node_entry);
+ WARN_ON_ONCE(rnp->completedqs == rnp->gp_seq);
+ }
+ if (!rnp->exp_tasks && (blkd_state & RCU_EXP_BLKD))
+@@ -392,7 +392,7 @@ static void rcu_preempt_note_context_swi
+ */
+ static int rcu_preempt_blocked_readers_cgp(struct rcu_node *rnp)
+ {
+- return rnp->gp_tasks != NULL;
++ return READ_ONCE(rnp->gp_tasks) != NULL;
+ }
+
+ /*
+@@ -557,7 +557,7 @@ static void rcu_read_unlock_special(stru
+ trace_rcu_unlock_preempted_task(TPS("rcu_preempt"),
+ rnp->gp_seq, t->pid);
+ if (&t->rcu_node_entry == rnp->gp_tasks)
+- rnp->gp_tasks = np;
++ WRITE_ONCE(rnp->gp_tasks, np);
+ if (&t->rcu_node_entry == rnp->exp_tasks)
+ rnp->exp_tasks = np;
+ if (IS_ENABLED(CONFIG_RCU_BOOST)) {
+@@ -716,7 +716,7 @@ rcu_preempt_check_blocked_tasks(struct r
+ dump_blkd_tasks(rsp, rnp, 10);
+ if (rcu_preempt_has_tasks(rnp) &&
+ (rnp->qsmaskinit || rnp->wait_blkd_tasks)) {
+- rnp->gp_tasks = rnp->blkd_tasks.next;
++ WRITE_ONCE(rnp->gp_tasks, rnp->blkd_tasks.next);
+ t = container_of(rnp->gp_tasks, struct task_struct,
+ rcu_node_entry);
+ trace_rcu_unlock_preempted_task(TPS("rcu_preempt-GPS"),
+@@ -883,7 +883,8 @@ dump_blkd_tasks(struct rcu_state *rsp, s
+ pr_info("%s: %d:%d ->qsmask %#lx ->qsmaskinit %#lx ->qsmaskinitnext %#lx\n",
+ __func__, rnp1->grplo, rnp1->grphi, rnp1->qsmask, rnp1->qsmaskinit, rnp1->qsmaskinitnext);
+ pr_info("%s: ->gp_tasks %p ->boost_tasks %p ->exp_tasks %p\n",
+- __func__, rnp->gp_tasks, rnp->boost_tasks, rnp->exp_tasks);
++ __func__, READ_ONCE(rnp->gp_tasks), rnp->boost_tasks,
++ rnp->exp_tasks);
+ pr_info("%s: ->blkd_tasks", __func__);
+ i = 0;
+ list_for_each(lhp, &rnp->blkd_tasks) {
rxrpc-fix-insufficient-receive-notification-generation.patch
rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch
rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch
+media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch
+mfd-dln2-more-sanity-checking-for-endpoints.patch
+ipc-msg.c-consolidate-all-xxxctl_down-functions.patch
+tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch
+rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch
+brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch
+usb-typec-tcpci-mask-event-interrupts-when-remove-driver.patch
+usb-gadget-legacy-set-max_speed-to-super-speed.patch
+usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch
+usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch
+alsa-usb-audio-fix-endianess-in-descriptor-validation.patch
+alsa-dummy-fix-pcm-format-loop-in-proc-output.patch
--- /dev/null
+From 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Sat, 17 Aug 2019 10:12:08 -0400
+Subject: tracing: Fix sched switch start/stop refcount racy updates
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 upstream.
+
+Reading the sched_cmdline_ref and sched_tgid_ref initial state within
+tracing_start_sched_switch without holding the sched_register_mutex is
+racy against concurrent updates, which can lead to tracepoint probes
+being registered more than once (and thus trigger warnings within
+tracepoint.c).
+
+[ May be the fix for this bug ]
+Link: https://lore.kernel.org/r/000000000000ab6f84056c786b93@google.com
+
+Link: http://lkml.kernel.org/r/20190817141208.15226-1-mathieu.desnoyers@efficios.com
+
+Cc: stable@vger.kernel.org
+CC: Steven Rostedt (VMware) <rostedt@goodmis.org>
+CC: Joel Fernandes (Google) <joel@joelfernandes.org>
+CC: Peter Zijlstra <peterz@infradead.org>
+CC: Thomas Gleixner <tglx@linutronix.de>
+CC: Paul E. McKenney <paulmck@linux.ibm.com>
+Reported-by: syzbot+774fddf07b7ab29a1e55@syzkaller.appspotmail.com
+Fixes: d914ba37d7145 ("tracing: Add support for recording tgid of tasks")
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_sched_switch.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_sched_switch.c
++++ b/kernel/trace/trace_sched_switch.c
+@@ -89,8 +89,10 @@ static void tracing_sched_unregister(voi
+
+ static void tracing_start_sched_switch(int ops)
+ {
+- bool sched_register = (!sched_cmdline_ref && !sched_tgid_ref);
++ bool sched_register;
++
+ mutex_lock(&sched_register_mutex);
++ sched_register = (!sched_cmdline_ref && !sched_tgid_ref);
+
+ switch (ops) {
+ case RECORD_CMDLINE:
--- /dev/null
+From d710562e01c48d59be3f60d58b7a85958b39aeda Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Thu, 9 Jan 2020 13:17:22 +0000
+Subject: usb: gadget: f_ecm: Use atomic_t to track in-flight request
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit d710562e01c48d59be3f60d58b7a85958b39aeda upstream.
+
+Currently ecm->notify_req is used to flag when a request is in-flight.
+ecm->notify_req is set to NULL and when a request completes it is
+subsequently reset.
+
+This is fundamentally buggy in that the unbind logic of the ECM driver will
+unconditionally free ecm->notify_req leading to a NULL pointer dereference.
+
+Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_ecm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -52,6 +52,7 @@ struct f_ecm {
+ struct usb_ep *notify;
+ struct usb_request *notify_req;
+ u8 notify_state;
++ atomic_t notify_count;
+ bool is_open;
+
+ /* FIXME is_open needs some irq-ish locking
+@@ -380,7 +381,7 @@ static void ecm_do_notify(struct f_ecm *
+ int status;
+
+ /* notification already in flight? */
+- if (!req)
++ if (atomic_read(&ecm->notify_count))
+ return;
+
+ event = req->buf;
+@@ -420,10 +421,10 @@ static void ecm_do_notify(struct f_ecm *
+ event->bmRequestType = 0xA1;
+ event->wIndex = cpu_to_le16(ecm->ctrl_id);
+
+- ecm->notify_req = NULL;
++ atomic_inc(&ecm->notify_count);
+ status = usb_ep_queue(ecm->notify, req, GFP_ATOMIC);
+ if (status < 0) {
+- ecm->notify_req = req;
++ atomic_dec(&ecm->notify_count);
+ DBG(cdev, "notify --> %d\n", status);
+ }
+ }
+@@ -448,17 +449,19 @@ static void ecm_notify_complete(struct u
+ switch (req->status) {
+ case 0:
+ /* no fault */
++ atomic_dec(&ecm->notify_count);
+ break;
+ case -ECONNRESET:
+ case -ESHUTDOWN:
++ atomic_set(&ecm->notify_count, 0);
+ ecm->notify_state = ECM_NOTIFY_NONE;
+ break;
+ default:
+ DBG(cdev, "event %02x --> %d\n",
+ event->bNotificationType, req->status);
++ atomic_dec(&ecm->notify_count);
+ break;
+ }
+- ecm->notify_req = req;
+ ecm_do_notify(ecm);
+ }
+
+@@ -907,6 +910,11 @@ static void ecm_unbind(struct usb_config
+
+ usb_free_all_descriptors(f);
+
++ if (atomic_read(&ecm->notify_count)) {
++ usb_ep_dequeue(ecm->notify, ecm->notify_req);
++ atomic_set(&ecm->notify_count, 0);
++ }
++
+ kfree(ecm->notify_req->buf);
+ usb_ep_free_request(ecm->notify, ecm->notify_req);
+ }
--- /dev/null
+From 5b24c28cfe136597dc3913e1c00b119307a20c7e Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Thu, 9 Jan 2020 13:17:21 +0000
+Subject: usb: gadget: f_ncm: Use atomic_t to track in-flight request
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 5b24c28cfe136597dc3913e1c00b119307a20c7e upstream.
+
+Currently ncm->notify_req is used to flag when a request is in-flight.
+ncm->notify_req is set to NULL and when a request completes it is
+subsequently reset.
+
+This is fundamentally buggy in that the unbind logic of the NCM driver will
+unconditionally free ncm->notify_req leading to a NULL pointer dereference.
+
+Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_ncm.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -54,6 +54,7 @@ struct f_ncm {
+ struct usb_ep *notify;
+ struct usb_request *notify_req;
+ u8 notify_state;
++ atomic_t notify_count;
+ bool is_open;
+
+ const struct ndp_parser_opts *parser_opts;
+@@ -547,7 +548,7 @@ static void ncm_do_notify(struct f_ncm *
+ int status;
+
+ /* notification already in flight? */
+- if (!req)
++ if (atomic_read(&ncm->notify_count))
+ return;
+
+ event = req->buf;
+@@ -587,7 +588,8 @@ static void ncm_do_notify(struct f_ncm *
+ event->bmRequestType = 0xA1;
+ event->wIndex = cpu_to_le16(ncm->ctrl_id);
+
+- ncm->notify_req = NULL;
++ atomic_inc(&ncm->notify_count);
++
+ /*
+ * In double buffering if there is a space in FIFO,
+ * completion callback can be called right after the call,
+@@ -597,7 +599,7 @@ static void ncm_do_notify(struct f_ncm *
+ status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC);
+ spin_lock(&ncm->lock);
+ if (status < 0) {
+- ncm->notify_req = req;
++ atomic_dec(&ncm->notify_count);
+ DBG(cdev, "notify --> %d\n", status);
+ }
+ }
+@@ -632,17 +634,19 @@ static void ncm_notify_complete(struct u
+ case 0:
+ VDBG(cdev, "Notification %02x sent\n",
+ event->bNotificationType);
++ atomic_dec(&ncm->notify_count);
+ break;
+ case -ECONNRESET:
+ case -ESHUTDOWN:
++ atomic_set(&ncm->notify_count, 0);
+ ncm->notify_state = NCM_NOTIFY_NONE;
+ break;
+ default:
+ DBG(cdev, "event %02x --> %d\n",
+ event->bNotificationType, req->status);
++ atomic_dec(&ncm->notify_count);
+ break;
+ }
+- ncm->notify_req = req;
+ ncm_do_notify(ncm);
+ spin_unlock(&ncm->lock);
+ }
+@@ -1612,6 +1616,11 @@ static void ncm_unbind(struct usb_config
+ ncm_string_defs[0].id = 0;
+ usb_free_all_descriptors(f);
+
++ if (atomic_read(&ncm->notify_count)) {
++ usb_ep_dequeue(ncm->notify, ncm->notify_req);
++ atomic_set(&ncm->notify_count, 0);
++ }
++
+ kfree(ncm->notify_req->buf);
+ usb_ep_free_request(ncm->notify, ncm->notify_req);
+ }
--- /dev/null
+From 463f67aec2837f981b0a0ce8617721ff59685c00 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Mon, 23 Dec 2019 08:47:35 +0200
+Subject: usb: gadget: legacy: set max_speed to super-speed
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 463f67aec2837f981b0a0ce8617721ff59685c00 upstream.
+
+These interfaces do support super-speed so let's not
+limit maximum speed to high-speed.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/cdc2.c | 2 +-
+ drivers/usb/gadget/legacy/g_ffs.c | 2 +-
+ drivers/usb/gadget/legacy/multi.c | 2 +-
+ drivers/usb/gadget/legacy/ncm.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/cdc2.c
++++ b/drivers/usb/gadget/legacy/cdc2.c
+@@ -225,7 +225,7 @@ static struct usb_composite_driver cdc_d
+ .name = "g_cdc",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = cdc_bind,
+ .unbind = cdc_unbind,
+ };
+--- a/drivers/usb/gadget/legacy/g_ffs.c
++++ b/drivers/usb/gadget/legacy/g_ffs.c
+@@ -149,7 +149,7 @@ static struct usb_composite_driver gfs_d
+ .name = DRIVER_NAME,
+ .dev = &gfs_dev_desc,
+ .strings = gfs_dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = gfs_bind,
+ .unbind = gfs_unbind,
+ };
+--- a/drivers/usb/gadget/legacy/multi.c
++++ b/drivers/usb/gadget/legacy/multi.c
+@@ -482,7 +482,7 @@ static struct usb_composite_driver multi
+ .name = "g_multi",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = multi_bind,
+ .unbind = multi_unbind,
+ .needs_serial = 1,
+--- a/drivers/usb/gadget/legacy/ncm.c
++++ b/drivers/usb/gadget/legacy/ncm.c
+@@ -197,7 +197,7 @@ static struct usb_composite_driver ncm_d
+ .name = "g_ncm",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = gncm_bind,
+ .unbind = gncm_unbind,
+ };
--- /dev/null
+From 3ba76256fc4e2a0d7fb26cc95459041ea0e88972 Mon Sep 17 00:00:00 2001
+From: Jun Li <jun.li@nxp.com>
+Date: Mon, 20 Jan 2020 06:43:19 +0000
+Subject: usb: typec: tcpci: mask event interrupts when remove driver
+
+From: Jun Li <jun.li@nxp.com>
+
+commit 3ba76256fc4e2a0d7fb26cc95459041ea0e88972 upstream.
+
+This is to prevent any possible events generated while unregister
+tpcm port.
+
+Fixes: 74e656d6b055 ("staging: typec: Type-C Port Controller Interface driver (tcpci)")
+Signed-off-by: Li Jun <jun.li@nxp.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/1579502333-4145-1-git-send-email-jun.li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/typec/tcpci.c
++++ b/drivers/usb/typec/tcpci.c
+@@ -581,6 +581,12 @@ static int tcpci_probe(struct i2c_client
+ static int tcpci_remove(struct i2c_client *client)
+ {
+ struct tcpci_chip *chip = i2c_get_clientdata(client);
++ int err;
++
++ /* Disable chip interrupts before unregistering port */
++ err = tcpci_write16(chip->tcpci, TCPC_ALERT_MASK, 0);
++ if (err < 0)
++ return err;
+
+ tcpci_unregister_port(chip->tcpci);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
