From: Greg Kroah-Hartman Date: Mon, 16 Nov 2020 16:25:14 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.244~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9aa6ac6fe0e9653c5b08dbffdc02ac6aa9405476;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch mei-protect-mei_cl_mtu-from-null-dereference.patch ocfs2-initialize-ip_next_orphan.patch thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch uio-fix-use-after-free-in-uio_unregister_device.patch usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch --- diff --git a/queue-4.14/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch b/queue-4.14/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch new file mode 100644 index 00000000000..c1b5c377282 --- /dev/null +++ b/queue-4.14/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch 
@@ -0,0 +1,66 @@ +From a1fbc6750e212c5675a4e48d7f51d44607eb8756 Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Sun, 4 Oct 2020 19:04:26 +0100 +Subject: btrfs: fix potential overflow in cluster_pages_for_defrag on 32bit arch + +From: Matthew Wilcox (Oracle) + +commit a1fbc6750e212c5675a4e48d7f51d44607eb8756 upstream. + +On 32-bit systems, this shift will overflow for files larger than 4GB as +start_index is unsigned long while the calls to btrfs_delalloc_*_space +expect u64. + +CC: stable@vger.kernel.org # 4.4+ +Fixes: df480633b891 ("btrfs: extent-tree: Switch to new delalloc space reserve and release") +Reviewed-by: Josef Bacik +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: David Sterba +[ define the variable instead of repeating the shift ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + + + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 63394b450afc..4e3b71ec7492 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1255,6 +1255,7 @@ static int cluster_pages_for_defrag(struct inode *inode, + u64 page_start; + u64 page_end; + u64 page_cnt; ++ u64 start = (u64)start_index << PAGE_SHIFT; + int ret; + int i; + int i_done; +@@ -1271,8 +1272,7 @@ static int cluster_pages_for_defrag(struct inode *inode, + page_cnt = min_t(u64, (u64)num_pages, (u64)file_end - start_index + 1); + + ret = btrfs_delalloc_reserve_space(inode, &data_reserved, +- start_index << PAGE_SHIFT, +- page_cnt << PAGE_SHIFT); ++ start, page_cnt << PAGE_SHIFT); + if (ret) + return ret; + i_done = 0; +@@ -1361,8 +1361,7 @@ static int cluster_pages_for_defrag(struct inode *inode, + btrfs_mod_outstanding_extents(BTRFS_I(inode), 1); + spin_unlock(&BTRFS_I(inode)->lock); + btrfs_delalloc_release_space(inode, data_reserved, +- start_index << PAGE_SHIFT, +- (page_cnt - i_done) << PAGE_SHIFT, true); ++ start, (page_cnt - i_done) << PAGE_SHIFT, true); + } + + +@@ -1389,8 +1388,7 @@ static int cluster_pages_for_defrag(struct inode *inode, + 
put_page(pages[i]); + } + btrfs_delalloc_release_space(inode, data_reserved, +- start_index << PAGE_SHIFT, +- page_cnt << PAGE_SHIFT, true); ++ start, page_cnt << PAGE_SHIFT, true); + btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT); + extent_changeset_free(data_reserved); + return ret; diff --git a/queue-4.14/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch b/queue-4.14/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch new file mode 100644 index 00000000000..4ab51d59f02 --- /dev/null +++ b/queue-4.14/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch 
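Review bot: The new `u64 start = (u64)start_index << PAGE_SHIFT;` carries no hint of why the explicit cast is there; the reason (start_index is unsigned long, so the shift truncates past 4 GiB on 32-bit) lives only in the commit message, and a later cleanup could fold the cast away as redundant. A one-line comment beside the declaration, `/* widen start_index before shifting: unsigned long truncates above 4 GiB on 32-bit */`, would pin the intent at the site. The remaining `page_cnt << PAGE_SHIFT` operands are already u64, so they need no change. cluster_pages_for_defrag() starts before and continues past the hunk.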
@@ -0,0 +1,46 @@ +From 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d Mon Sep 17 00:00:00 2001 +From: Kaixu Xia +Date: Thu, 29 Oct 2020 23:46:36 +0800 +Subject: ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA + +From: Kaixu Xia + +commit 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d upstream. + +The macro MOPT_Q is used to indicates the mount option is related to +quota stuff and is defined to be MOPT_NOSUPPORT when CONFIG_QUOTA is +disabled. Normally the quota options are handled explicitly, so it +didn't matter that the MOPT_STRING flag was missing, even though the +usrjquota and grpjquota mount options take a string argument. It's +important that's present in the !CONFIG_QUOTA case, since without +MOPT_STRING, the mount option matcher will match usrjquota= followed +by an integer, and will otherwise skip the table entry, and so "mount +option not supported" error message is never reported. + +[ Fixed up the commit description to better explain why the fix + works. --TYT ] + +Fixes: 26092bf52478 ("ext4: use a table-driven handler for mount options") +Signed-off-by: Kaixu Xia +Link: https://lore.kernel.org/r/1603986396-28917-1-git-send-email-kaixuxia@tencent.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1679,8 +1679,8 @@ static const struct mount_opts { + {Opt_noquota, (EXT4_MOUNT_QUOTA | EXT4_MOUNT_USRQUOTA | + EXT4_MOUNT_GRPQUOTA | EXT4_MOUNT_PRJQUOTA), + MOPT_CLEAR | MOPT_Q}, +- {Opt_usrjquota, 0, MOPT_Q}, +- {Opt_grpjquota, 0, MOPT_Q}, ++ {Opt_usrjquota, 0, MOPT_Q | MOPT_STRING}, ++ {Opt_grpjquota, 0, MOPT_Q | MOPT_STRING}, + {Opt_offusrjquota, 0, MOPT_Q}, + {Opt_offgrpjquota, 0, MOPT_Q}, + {Opt_jqfmt_vfsold, QFMT_VFS_OLD, MOPT_QFMT}, 
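Review bot: The two entries now read `{Opt_usrjquota, 0, MOPT_Q | MOPT_STRING},` and `{Opt_grpjquota, 0, MOPT_Q | MOPT_STRING},` with nothing at the site saying why the flag matters, given that the quota options are otherwise handled explicitly; someone tidying the table could drop it again as redundant and silently reintroduce the missing "not supported" report. A short comment above the pair, `/* MOPT_STRING is required so the !CONFIG_QUOTA case still matches the option and reports it as unsupported */`, would capture the reasoning the commit message gives. The mount_opts table starts before and ends after the hunk.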
diff --git a/queue-4.14/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch b/queue-4.14/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch new file mode 100644 index 00000000000..9f00fe2798a --- /dev/null +++ b/queue-4.14/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch @@ -0,0 +1,36 @@ +From 7067b2619017d51e71686ca9756b454de0e5826a Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Tue, 3 Nov 2020 10:29:02 +0800 +Subject: ext4: unlock xattr_sem properly in ext4_inline_data_truncate() + +From: Joseph Qi + +commit 7067b2619017d51e71686ca9756b454de0e5826a upstream. + +It takes xattr_sem to check inline data again but without unlock it +in case not have. So unlock it before return. + +Fixes: aef1c8513c1f ("ext4: let ext4_truncate handle inline data correctly") +Reported-by: Dan Carpenter +Cc: Tao Ma +Signed-off-by: Joseph Qi +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/1604370542-124630-1-git-send-email-joseph.qi@linux.alibaba.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inline.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1895,6 +1895,7 @@ int ext4_inline_data_truncate(struct ino + + ext4_write_lock_xattr(inode, &no_expand); + if (!ext4_has_inline_data(inode)) { ++ ext4_write_unlock_xattr(inode, &no_expand); + *has_inline = 0; + ext4_journal_stop(handle); + return 0; diff --git a/queue-4.14/futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch b/queue-4.14/futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch new file mode 100644 index 00000000000..fd9ca110def --- /dev/null +++ b/queue-4.14/futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch 
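Review bot: The added `ext4_write_unlock_xattr(inode, &no_expand);` covers only the `!ext4_has_inline_data(inode)` early return; whether every other exit taken after `ext4_write_lock_xattr(inode, &no_expand)` in ext4_inline_data_truncate() releases the semaphore cannot be seen here, because the rest of the function lies outside the hunk, and is worth checking in the same pass since the original omission was of exactly this kind. Unlocking before `ext4_journal_stop(handle)` is the right order if the handle was started before the lock was taken, which the context above the hunk does not show.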
@@ -0,0 +1,49 @@ +From 1e106aa3509b86738769775969822ffc1ec21bf4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 6 Nov 2020 11:52:05 +0300 +Subject: futex: Don't enable IRQs unconditionally in put_pi_state() + +From: Dan Carpenter + +commit 1e106aa3509b86738769775969822ffc1ec21bf4 upstream. + +The exit_pi_state_list() function calls put_pi_state() with IRQs disabled +and is not expecting that IRQs will be enabled inside the function. + +Use the _irqsave() variant so that IRQs are restored to the original state +instead of being enabled unconditionally. + +Fixes: 153fbd1226fb ("futex: Fix more put_pi_state() vs. exit_pi_state_list() races") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20201106085205.GA1159983@mwanda +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -862,8 +862,9 @@ static void put_pi_state(struct futex_pi + */ + if (pi_state->owner) { + struct task_struct *owner; ++ unsigned long flags; + +- raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); ++ raw_spin_lock_irqsave(&pi_state->pi_mutex.wait_lock, flags); + owner = pi_state->owner; + if (owner) { + raw_spin_lock(&owner->pi_lock); +@@ -871,7 +872,7 @@ static void put_pi_state(struct futex_pi + raw_spin_unlock(&owner->pi_lock); + } + rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner); +- raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); ++ raw_spin_unlock_irqrestore(&pi_state->pi_mutex.wait_lock, flags); + } + + if (current->pi_state_cache) { diff --git a/queue-4.14/mei-protect-mei_cl_mtu-from-null-dereference.patch b/queue-4.14/mei-protect-mei_cl_mtu-from-null-dereference.patch new file mode 100644 index 00000000000..ccaf070f0f2 --- /dev/null +++ b/queue-4.14/mei-protect-mei_cl_mtu-from-null-dereference.patch 
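Review bot: Nothing at the lock site records that put_pi_state() can now be entered with interrupts already disabled, which is the only reason `raw_spin_lock_irqsave(&pi_state->pi_mutex.wait_lock, flags);` replaces the `_irq` variant here; a later reader who sees an irqsave in a path that otherwise runs with IRQs enabled may "simplify" it back. A comment on the new declaration, `unsigned long flags; /* exit_pi_state_list() calls us with IRQs disabled */`, would preserve the constraint the commit message states. put_pi_state() begins before the hunk.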
@@ -0,0 +1,41 @@ +From bcbc0b2e275f0a797de11a10eff495b4571863fc Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Thu, 29 Oct 2020 11:54:42 +0200 +Subject: mei: protect mei_cl_mtu from null dereference + +From: Alexander Usyskin + +commit bcbc0b2e275f0a797de11a10eff495b4571863fc upstream. + +A receive callback is queued while the client is still connected +but can still be called after the client was disconnected. Upon +disconnect cl->me_cl is set to NULL, hence we need to check +that ME client is not-NULL in mei_cl_mtu to avoid +null dereference. + +Cc: +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20201029095444.957924-2-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/client.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/mei/client.h ++++ b/drivers/misc/mei/client.h +@@ -138,11 +138,11 @@ static inline u8 mei_cl_me_id(const stru + * + * @cl: host client + * +- * Return: mtu ++ * Return: mtu or 0 if client is not connected + */ + static inline size_t mei_cl_mtu(const struct mei_cl *cl) + { +- return cl->me_cl->props.max_msg_length; ++ return cl->me_cl ? cl->me_cl->props.max_msg_length : 0; + } + + /** diff --git a/queue-4.14/ocfs2-initialize-ip_next_orphan.patch b/queue-4.14/ocfs2-initialize-ip_next_orphan.patch new file mode 100644 index 00000000000..049b44c3cde --- /dev/null +++ b/queue-4.14/ocfs2-initialize-ip_next_orphan.patch 
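Review bot: The `cl->me_cl ? cl->me_cl->props.max_msg_length : 0` test in mei_cl_mtu() is a bare check-then-use: if disconnect clears `cl->me_cl` between the test and the dereference, the NULL read returns, so the change is only sound if every caller holds the lock under which me_cl is set to NULL — that serialisation is not visible in this header and should be confirmed. Callers that size buffers or loop by the MTU also need to tolerate the new 0 return (a divide or a zero-length allocation would be the next failure), which the updated kerneldoc line `* Return: mtu or 0 if client is not connected` documents but does not enforce. The callers lie outside the hunk.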
@@ -0,0 +1,93 @@ +From f5785283dd64867a711ca1fb1f5bb172f252ecdf Mon Sep 17 00:00:00 2001 +From: Wengang Wang +Date: Fri, 13 Nov 2020 22:52:23 -0800 +Subject: ocfs2: initialize ip_next_orphan + +From: Wengang Wang + +commit f5785283dd64867a711ca1fb1f5bb172f252ecdf upstream. + +Though problem if found on a lower 4.1.12 kernel, I think upstream has +same issue. + +In one node in the cluster, there is the following callback trace: + + # cat /proc/21473/stack + __ocfs2_cluster_lock.isra.36+0x336/0x9e0 [ocfs2] + ocfs2_inode_lock_full_nested+0x121/0x520 [ocfs2] + ocfs2_evict_inode+0x152/0x820 [ocfs2] + evict+0xae/0x1a0 + iput+0x1c6/0x230 + ocfs2_orphan_filldir+0x5d/0x100 [ocfs2] + ocfs2_dir_foreach_blk+0x490/0x4f0 [ocfs2] + ocfs2_dir_foreach+0x29/0x30 [ocfs2] + ocfs2_recover_orphans+0x1b6/0x9a0 [ocfs2] + ocfs2_complete_recovery+0x1de/0x5c0 [ocfs2] + process_one_work+0x169/0x4a0 + worker_thread+0x5b/0x560 + kthread+0xcb/0xf0 + ret_from_fork+0x61/0x90 + +The above stack is not reasonable, the final iput shouldn't happen in +ocfs2_orphan_filldir() function. Looking at the code, + + 2067 /* Skip inodes which are already added to recover list, since dio may + 2068 * happen concurrently with unlink/rename */ + 2069 if (OCFS2_I(iter)->ip_next_orphan) { + 2070 iput(iter); + 2071 return 0; + 2072 } + 2073 + +The logic thinks the inode is already in recover list on seeing +ip_next_orphan is non-NULL, so it skip this inode after dropping a +reference which incremented in ocfs2_iget(). + +While, if the inode is already in recover list, it should have another +reference and the iput() at line 2070 should not be the final iput +(dropping the last reference). So I don't think the inode is really in +the recover list (no vmcore to confirm). + +Note that ocfs2_queue_orphans(), though not shown up in the call back +trace, is holding cluster lock on the orphan directory when looking up +for unlinked inodes. 
The on disk inode eviction could involve a lot of +IOs which may need long time to finish. That means this node could hold +the cluster lock for very long time, that can lead to the lock requests +(from other nodes) to the orhpan directory hang for long time. + +Looking at more on ip_next_orphan, I found it's not initialized when +allocating a new ocfs2_inode_info structure. + +This causes te reflink operations from some nodes hang for very long +time waiting for the cluster lock on the orphan directory. + +Fix: initialize ip_next_orphan as NULL. + +Signed-off-by: Wengang Wang +Signed-off-by: Andrew Morton +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Link: https://lkml.kernel.org/r/20201109171746.27884-1-wen.gang.wang@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -1733,6 +1733,7 @@ static void ocfs2_inode_init_once(void * + + oi->ip_blkno = 0ULL; + oi->ip_clusters = 0; ++ oi->ip_next_orphan = NULL; + + ocfs2_resv_init_once(&oi->ip_la_data_resv); + diff --git a/queue-4.14/series b/queue-4.14/series index c9e7d1d300c..5e7cf052e8c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
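Review bot: `oi->ip_next_orphan = NULL;` in ocfs2_inode_init_once() runs only when the slab constructor first builds the object, not on every allocation, so a reused ocfs2_inode_info keeps whatever value the field held when the inode was last freed. The fix therefore holds only if the orphan-recovery code clears ip_next_orphan when it drops an inode from the recover list; that code is not in the hunk and is worth verifying, otherwise the stale-pointer skip described in the commit message can return after the first object recycle. ocfs2_inode_init_once() starts before and ends after the hunk.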
@@ -41,3 +41,12 @@ xfs-fix-a-missing-unlock-on-error-in-xfs_fs_map_bloc.patch of-address-fix-of_node-memory-leak-in-of_dma_is_cohe.patch cosa-add-missing-kfree-in-error-path-of-cosa_write.patch perf-fix-get_recursion_context.patch +ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch +ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch +thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch +uio-fix-use-after-free-in-uio_unregister_device.patch +usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch +mei-protect-mei_cl_mtu-from-null-dereference.patch +futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch +ocfs2-initialize-ip_next_orphan.patch +btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch diff --git a/queue-4.14/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch b/queue-4.14/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch new file mode 100644 index 00000000000..06a98a1c23b --- /dev/null +++ b/queue-4.14/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch 
@@ -0,0 +1,53 @@ +From 7342ca34d931a357d408aaa25fadd031e46af137 Mon Sep 17 00:00:00 2001 +From: Jing Xiangfeng +Date: Thu, 15 Oct 2020 16:40:53 +0800 +Subject: thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() + +From: Jing Xiangfeng + +commit 7342ca34d931a357d408aaa25fadd031e46af137 upstream. + +ring_request_msix() misses to call ida_simple_remove() in an error path. +Add a label 'err_ida_remove' and jump to it. + +Fixes: 046bee1f9ab8 ("thunderbolt: Add MSI-X support") +Cc: stable@vger.kernel.org +Signed-off-by: Jing Xiangfeng +Reviewed-by: Andy Shevchenko +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thunderbolt/nhi.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -315,12 +315,23 @@ static int ring_request_msix(struct tb_r + + ring->vector = ret; + +- ring->irq = pci_irq_vector(ring->nhi->pdev, ring->vector); +- if (ring->irq < 0) +- return ring->irq; ++ ret = pci_irq_vector(ring->nhi->pdev, ring->vector); ++ if (ret < 0) ++ goto err_ida_remove; ++ ++ ring->irq = ret; + + irqflags = no_suspend ? IRQF_NO_SUSPEND : 0; +- return request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring); ++ ret = request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring); ++ if (ret) ++ goto err_ida_remove; ++ ++ return 0; ++ ++err_ida_remove: ++ ida_simple_remove(&nhi->msix_ida, ring->vector); ++ ++ return ret; + } + + static void ring_release_msix(struct tb_ring *ring) diff --git a/queue-4.14/uio-fix-use-after-free-in-uio_unregister_device.patch b/queue-4.14/uio-fix-use-after-free-in-uio_unregister_device.patch new file mode 100644 index 00000000000..62e142c614d --- /dev/null +++ b/queue-4.14/uio-fix-use-after-free-in-uio_unregister_device.patch 
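Review bot: The new `err_ida_remove:` label frees the vector with `ida_simple_remove(&nhi->msix_ida, ring->vector);` but leaves `ring->vector` (and, on the request_irq() failure path, `ring->irq`) holding the released values; if ring_release_msix() lower down tears down by those same fields, a later release on a ring whose request failed could free the ida slot twice or free an IRQ that was never obtained. Resetting them in the error path, e.g. `ring->vector = 0; ring->irq = 0;` after the ida_simple_remove() call, closes that window, assuming 0 is the field's "unset" value (not visible here). The label also uses a local `nhi` rather than `ring->nhi`, so that alias must be declared above the hunk, outside the view. ring_request_msix() begins before the hunk.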
@@ -0,0 +1,172 @@ +From 092561f06702dd4fdd7fb74dd3a838f1818529b7 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Mon, 2 Nov 2020 21:28:19 +0900 +Subject: uio: Fix use-after-free in uio_unregister_device() + +From: Shin'ichiro Kawasaki + +commit 092561f06702dd4fdd7fb74dd3a838f1818529b7 upstream. + +Commit 8fd0e2a6df26 ("uio: free uio id after uio file node is freed") +triggered KASAN use-after-free failure at deletion of TCM-user +backstores [1]. + +In uio_unregister_device(), struct uio_device *idev is passed to +uio_free_minor() to refer idev->minor. However, before uio_free_minor() +call, idev is already freed by uio_device_release() during call to +device_unregister(). + +To avoid reference to idev->minor after idev free, keep idev->minor +value in a local variable. Also modify uio_free_minor() argument to +receive the value. + +[1] +BUG: KASAN: use-after-free in uio_unregister_device+0x166/0x190 +Read of size 4 at addr ffff888105196508 by task targetcli/49158 + +CPU: 3 PID: 49158 Comm: targetcli Not tainted 5.10.0-rc1 #1 +Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015 +Call Trace: + dump_stack+0xae/0xe5 + ? uio_unregister_device+0x166/0x190 + print_address_description.constprop.0+0x1c/0x210 + ? uio_unregister_device+0x166/0x190 + ? uio_unregister_device+0x166/0x190 + kasan_report.cold+0x37/0x7c + ? kobject_put+0x80/0x410 + ? uio_unregister_device+0x166/0x190 + uio_unregister_device+0x166/0x190 + tcmu_destroy_device+0x1c4/0x280 [target_core_user] + ? tcmu_release+0x90/0x90 [target_core_user] + ? __mutex_unlock_slowpath+0xd6/0x5d0 + target_free_device+0xf3/0x2e0 [target_core_mod] + config_item_cleanup+0xea/0x210 + configfs_rmdir+0x651/0x860 + ? detach_groups.isra.0+0x380/0x380 + vfs_rmdir.part.0+0xec/0x3a0 + ? __lookup_hash+0x20/0x150 + do_rmdir+0x252/0x320 + ? do_file_open_root+0x420/0x420 + ? strncpy_from_user+0xbc/0x2f0 + ? 
getname_flags.part.0+0x8e/0x450 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7f9e2bfc91fb +Code: 73 01 c3 48 8b 0d 9d ec 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6d ec 0c 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffdd2baafe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054 +RAX: ffffffffffffffda RBX: 00007f9e2beb44a0 RCX: 00007f9e2bfc91fb +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f9e1c20be90 +RBP: 00007ffdd2bab000 R08: 0000000000000000 R09: 00007f9e2bdf2440 +R10: 00007ffdd2baaf37 R11: 0000000000000246 R12: 00000000ffffff9c +R13: 000055f9abb7e390 R14: 000055f9abcf9558 R15: 00007f9e2be7a780 + +Allocated by task 34735: + kasan_save_stack+0x1b/0x40 + __kasan_kmalloc.constprop.0+0xc2/0xd0 + __uio_register_device+0xeb/0xd40 + tcmu_configure_device+0x5a0/0xbc0 [target_core_user] + target_configure_device+0x12f/0x760 [target_core_mod] + target_dev_enable_store+0x32/0x50 [target_core_mod] + configfs_write_file+0x2bb/0x450 + vfs_write+0x1ce/0x610 + ksys_write+0xe9/0x1b0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 49158: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x1b/0x30 + __kasan_slab_free+0x110/0x150 + slab_free_freelist_hook+0x5a/0x170 + kfree+0xc6/0x560 + device_release+0x9b/0x210 + kobject_put+0x13e/0x410 + uio_unregister_device+0xf9/0x190 + tcmu_destroy_device+0x1c4/0x280 [target_core_user] + target_free_device+0xf3/0x2e0 [target_core_mod] + config_item_cleanup+0xea/0x210 + configfs_rmdir+0x651/0x860 + vfs_rmdir.part.0+0xec/0x3a0 + do_rmdir+0x252/0x320 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff888105196000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 1288 bytes inside of + 2048-byte region [ffff888105196000, ffff888105196800) +The buggy 
address belongs to the page: +page:0000000098e6ca81 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105190 +head:0000000098e6ca81 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x17ffffc0010200(slab|head) +raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100043040 +raw: 0000000000000000 0000000000080008 00000001ffffffff ffff88810eb55c01 +page dumped because: kasan: bad access detected +page->mem_cgroup:ffff88810eb55c01 + +Memory state around the buggy address: + ffff888105196400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105196480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888105196500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888105196580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105196600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 8fd0e2a6df26 ("uio: free uio id after uio file node is freed") +Cc: stable +Signed-off-by: Shin'ichiro Kawasaki +Link: https://lore.kernel.org/r/20201102122819.2346270-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uio/uio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -414,10 +414,10 @@ static int uio_get_minor(struct uio_devi + return retval; + } + +-static void uio_free_minor(struct uio_device *idev) ++static void uio_free_minor(unsigned long minor) + { + mutex_lock(&minor_lock); +- idr_remove(&uio_idr, idev->minor); ++ idr_remove(&uio_idr, minor); + mutex_unlock(&minor_lock); + } + +@@ -989,7 +989,7 @@ err_request_irq: + err_uio_dev_add_attributes: + device_del(&idev->dev); + err_device_create: +- uio_free_minor(idev); ++ uio_free_minor(idev->minor); + put_device(&idev->dev); + return ret; + } +@@ -1003,11 +1003,13 @@ EXPORT_SYMBOL_GPL(__uio_register_device) + void uio_unregister_device(struct uio_info *info) + { + struct uio_device *idev; ++ unsigned long minor; + + if (!info || !info->uio_dev) + return; + + 
idev = info->uio_dev; ++ minor = idev->minor; + + mutex_lock(&idev->info_lock); + uio_dev_del_attributes(idev); +@@ -1020,7 +1022,7 @@ void uio_unregister_device(struct uio_in + + device_unregister(&idev->dev); + +- uio_free_minor(idev); ++ uio_free_minor(minor); + + return; + } diff --git a/queue-4.14/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch b/queue-4.14/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch new file mode 100644 index 00000000000..0439247424c --- /dev/null +++ b/queue-4.14/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch 
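Review bot: `minor = idev->minor;` is read early in uio_unregister_device() for a reason the code itself does not state: `device_unregister(&idev->dev)` drops the last reference and idev is freed in the release callback, so the field has to be captured before that call. A comment at the assignment, `/* idev is freed by device_unregister(); save minor first */`, would stop a future reorder from reintroducing the KASAN use-after-free quoted in the commit message. The `uio_free_minor(idev->minor);` call in the __uio_register_device() error path still dereferences idev, which is fine there because put_device() follows it, but the asymmetry deserves a word too. The middle of uio_unregister_device() between the two hunks is outside the view.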
@@ -0,0 +1,41 @@ +From 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 Mon Sep 17 00:00:00 2001 +From: Chris Brandt +Date: Wed, 11 Nov 2020 08:12:09 -0500 +Subject: usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode + +From: Chris Brandt + +commit 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 upstream. + +Renesas R-Car and RZ/G SoCs have a firmware download mode over USB. +However, on reset a banner string is transmitted out which is not expected +to be echoed back and will corrupt the protocol. + +Cc: stable +Acked-by: Oliver Neukum +Signed-off-by: Chris Brandt +Link: https://lore.kernel.org/r/20201111131209.3977903-1-chris.brandt@renesas.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1751,6 +1751,15 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x045b, 0x023c), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x0248), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x024D), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + },
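Review bot: The third Renesas entry spells its product id `0x024D` with an upper-case hex digit while the two entries above it and the rest of the table use lower case (`0x023c`, `0x0248`, `0x0e8d`); `{ USB_DEVICE(0x045b, 0x024d), /* Renesas USB Download mode */` keeps the table consistent and grep-friendly. The three identical comments could also say which SoC family each id belongs to, if known, since "Renesas USB Download mode" alone will not distinguish them when the next id is added. The acm_ids table starts before and ends after the hunk.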