From: Greg Kroah-Hartman Date: Thu, 6 Feb 2020 15:26:58 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.103~135 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e25d9d3c2d6545696838eaaf24bf8a699e0e5cac;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-dummy-fix-pcm-format-loop-in-proc-output.patch alsa-usb-audio-fix-endianess-in-descriptor-validation.patch brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch ipc-msg.c-consolidate-all-xxxctl_down-functions.patch media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch mfd-dln2-more-sanity-checking-for-endpoints.patch rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch usb-gadget-legacy-set-max_speed-to-super-speed.patch usb-typec-tcpci-mask-event-interrupts-when-remove-driver.patch --- diff --git a/queue-4.19/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch b/queue-4.19/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch new file mode 100644 index 00000000000..50663d2eac8 --- /dev/null +++ b/queue-4.19/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch @@ -0,0 +1,33 @@ +From 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 1 Feb 2020 09:05:30 +0100 +Subject: ALSA: dummy: Fix PCM format loop in proc output + +From: Takashi Iwai + +commit 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e upstream. + +The loop termination for iterating over all formats should contain +SNDRV_PCM_FORMAT_LAST, not less than it. + +Fixes: 9b151fec139d ("ALSA: dummy - Add debug proc file") +Cc: +Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/drivers/dummy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/drivers/dummy.c ++++ b/sound/drivers/dummy.c +@@ -929,7 +929,7 @@ static void print_formats(struct snd_dum + { + int i; + +- for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) { ++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) { + if (dummy->pcm_hw.formats & (1ULL << i)) + snd_iprintf(buffer, " %s", snd_pcm_format_name(i)); + } diff --git a/queue-4.19/alsa-usb-audio-fix-endianess-in-descriptor-validation.patch b/queue-4.19/alsa-usb-audio-fix-endianess-in-descriptor-validation.patch new file mode 100644 index 00000000000..13884136779 --- /dev/null +++ b/queue-4.19/alsa-usb-audio-fix-endianess-in-descriptor-validation.patch @@ -0,0 +1,52 @@ +From f8e5f90b3a53bb75f05124ed19156388379a337d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 1 Feb 2020 09:05:28 +0100 +Subject: ALSA: usb-audio: Fix endianess in descriptor validation + +From: Takashi Iwai + +commit f8e5f90b3a53bb75f05124ed19156388379a337d upstream. + +I overlooked that some fields are words and need the converts from +LE in the recently added USB descriptor validation code. +This patch fixes those with the proper macro usages. + +Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units") +Cc: +Link: https://lore.kernel.org/r/20200201080530.22390-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/validate.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/usb/validate.c ++++ b/sound/usb/validate.c +@@ -110,7 +110,7 @@ static bool validate_processing_unit(con + default: + if (v->type == UAC1_EXTENSION_UNIT) + return true; /* OK */ +- switch (d->wProcessType) { ++ switch (le16_to_cpu(d->wProcessType)) { + case UAC_PROCESS_UP_DOWNMIX: + case UAC_PROCESS_DOLBY_PROLOGIC: + if (d->bLength < len + 1) /* bNrModes */ +@@ -125,7 +125,7 @@ static bool validate_processing_unit(con + case UAC_VERSION_2: + if (v->type == UAC2_EXTENSION_UNIT_V2) + return true; /* OK */ +- switch (d->wProcessType) { ++ switch (le16_to_cpu(d->wProcessType)) { + case UAC2_PROCESS_UP_DOWNMIX: + case UAC2_PROCESS_DOLBY_PROLOCIC: /* SiC! */ + if (d->bLength < len + 1) /* bNrModes */ +@@ -142,7 +142,7 @@ static bool validate_processing_unit(con + len += 2; /* wClusterDescrID */ + break; + } +- switch (d->wProcessType) { ++ switch (le16_to_cpu(d->wProcessType)) { + case UAC3_PROCESS_UP_DOWNMIX: + if (d->bLength < len + 1) /* bNrModes */ + return false; diff --git a/queue-4.19/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch b/queue-4.19/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch new file mode 100644 index 00000000000..f8f768de88b --- /dev/null +++ b/queue-4.19/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch @@ -0,0 +1,32 @@ +From 4282dc057d750c6a7dd92953564b15c26b54c22c Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Sat, 14 Dec 2019 19:51:14 -0600 +Subject: brcmfmac: Fix memory leak in brcmf_usbdev_qinit + +From: Navid Emamdoost + +commit 4282dc057d750c6a7dd92953564b15c26b54c22c upstream. + +In the implementation of brcmf_usbdev_qinit() the allocated memory for +reqs is leaking if usb_alloc_urb() fails. Release reqs in the error +handling path. + +Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") +Signed-off-by: Navid Emamdoost +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -441,6 +441,7 @@ fail: + usb_free_urb(req->urb); + list_del(q->next); + } ++ kfree(reqs); + return NULL; + + } diff --git a/queue-4.19/ipc-msg.c-consolidate-all-xxxctl_down-functions.patch b/queue-4.19/ipc-msg.c-consolidate-all-xxxctl_down-functions.patch new file mode 100644 index 00000000000..02546e40e7c --- /dev/null +++ b/queue-4.19/ipc-msg.c-consolidate-all-xxxctl_down-functions.patch @@ -0,0 +1,154 @@ +From 889b331724c82c11e15ba0a60979cf7bded0a26c Mon Sep 17 00:00:00 2001 +From: Lu Shuaibing +Date: Mon, 3 Feb 2020 17:34:46 -0800 +Subject: ipc/msg.c: consolidate all xxxctl_down() functions + +From: Lu Shuaibing + +commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream. + +A use of uninitialized memory in msgctl_down() because msqid64 in +ksys_msgctl hasn't been initialized. The local | msqid64 | is created in +ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64 +is never initialized before msgctl_down() checks msqid64->msg_qbytes. + +KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool) +reports: + +================================================================== +BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300 +Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022 + +CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +Call Trace: + dump_stack+0x75/0xae + __kumsan_report+0x17c/0x3e6 + kumsan_report+0xe/0x20 + msgctl_down+0x94/0x300 + ksys_msgctl.constprop.14+0xef/0x260 + do_syscall_64+0x7e/0x1f0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x4400e9 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 +R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970 +R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 + +The buggy address belongs to the page: +page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x100000000000000() +raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000 +raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kumsan: bad access detected +================================================================== + +Syzkaller reproducer: +msgctl$IPC_RMID(0x0, 0x0) + +C reproducer: +// autogenerated by syzkaller (https://github.com/google/syzkaller) + +int main(void) +{ + syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); + syscall(__NR_msgctl, 0, 0, 0); + return 0; +} + +[natechancellor@gmail.com: adjust indentation in ksys_msgctl] + Link: https://github.com/ClangBuiltLinux/linux/issues/829 + Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com +Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com +Signed-off-by: Lu Shuaibing +Signed-off-by: Nathan Chancellor +Suggested-by: Arnd Bergmann +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Cc: NeilBrown +From: Andrew Morton +Subject: ipc/msg.c: consolidate all xxxctl_down() functions + +Each line here overflows 80 cols by exactly one character. Delete one tab +per line to fix. + +Cc: Shaohua Li +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/msg.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -377,7 +377,7 @@ copy_msqid_from_user(struct msqid64_ds * + * NOTE: no locks must be held, the rwsem is taken inside this function. + */ + static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd, +- struct msqid64_ds *msqid64) ++ struct ipc64_perm *perm, int msg_qbytes) + { + struct kern_ipc_perm *ipcp; + struct msg_queue *msq; +@@ -387,7 +387,7 @@ static int msgctl_down(struct ipc_namesp + rcu_read_lock(); + + ipcp = ipcctl_obtain_check(ns, &msg_ids(ns), msqid, cmd, +- &msqid64->msg_perm, msqid64->msg_qbytes); ++ perm, msg_qbytes); + if (IS_ERR(ipcp)) { + err = PTR_ERR(ipcp); + goto out_unlock1; +@@ -409,18 +409,18 @@ static int msgctl_down(struct ipc_namesp + { + DEFINE_WAKE_Q(wake_q); + +- if (msqid64->msg_qbytes > ns->msg_ctlmnb && ++ if (msg_qbytes > ns->msg_ctlmnb && + !capable(CAP_SYS_RESOURCE)) { + err = -EPERM; + goto out_unlock1; + } + + ipc_lock_object(&msq->q_perm); +- err = ipc_update_perm(&msqid64->msg_perm, ipcp); ++ err = ipc_update_perm(perm, ipcp); + if (err) + goto out_unlock0; + +- msq->q_qbytes = msqid64->msg_qbytes; ++ msq->q_qbytes = msg_qbytes; + + msq->q_ctime = ktime_get_real_seconds(); + /* +@@ -603,9 +603,10 @@ long ksys_msgctl(int msqid, int cmd, str + case IPC_SET: + if (copy_msqid_from_user(&msqid64, buf, version)) + return -EFAULT; +- /* fallthru */ ++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, ++ msqid64.msg_qbytes); + case IPC_RMID: +- return msgctl_down(ns, msqid, cmd, &msqid64); ++ return msgctl_down(ns, msqid, cmd, NULL, 0); + default: + return -EINVAL; + } +@@ -724,9 +725,9 @@ long compat_ksys_msgctl(int msqid, int c + case IPC_SET: + if (copy_compat_msqid_from_user(&msqid64, uptr, version)) + return -EFAULT; +- /* fallthru */ ++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, msqid64.msg_qbytes); + case IPC_RMID: +- return msgctl_down(ns, msqid, cmd, &msqid64); ++ return msgctl_down(ns, msqid, cmd, NULL, 0); + default: + return -EINVAL; + } diff --git a/queue-4.19/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch b/queue-4.19/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch new file mode 100644 index 00000000000..6bf80ddb52d --- /dev/null +++ b/queue-4.19/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch @@ -0,0 +1,114 @@ +From 68035c80e129c4cfec659aac4180354530b26527 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 8 Nov 2019 16:48:38 +0100 +Subject: media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors + +From: Will Deacon + +commit 68035c80e129c4cfec659aac4180354530b26527 upstream. + +Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked +up the following WARNING from the UVC chain scanning code: + + | list_add double add: new=ffff880069084010, prev=ffff880069084010, + | next=ffff880067d22298. + | ------------[ cut here ]------------ + | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0 + | Modules linked in: + | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted + | 4.14.0-rc2-42613-g1488251d1a98 #238 + | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + | Workqueue: usb_hub_wq hub_event + | task: ffff88006b01ca40 task.stack: ffff880064358000 + | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29 + | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286 + | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000 + | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac + | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000 + | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010 + | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0 + | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 + | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0 + | Call Trace: + | __list_add ./include/linux/list.h:59 + | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92 + | uvc_scan_chain_forward.isra.8+0x373/0x416 + | drivers/media/usb/uvc/uvc_driver.c:1471 + | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585 + | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769 + | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104 + +Looking into the output from usbmon, the interesting part is the +following data packet: + + ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080 + 00090403 00000e01 00000924 03000103 7c003328 010204db + +If we drop the lead configuration and interface descriptors, we're left +with an output terminal descriptor describing a generic display: + + /* Output terminal descriptor */ + buf[0] 09 + buf[1] 24 + buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */ + buf[3] 00 /* ID */ + buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */ + buf[5] 03 + buf[6] 7c + buf[7] 00 /* source ID refers to self! */ + buf[8] 33 + +The problem with this descriptor is that it is self-referential: the +source ID of 0 matches itself! This causes the 'struct uvc_entity' +representing the display to be added to its chain list twice during +'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is +processed directly from the 'dev->entities' list and then again +immediately afterwards when trying to follow the source ID in +'uvc_scan_chain_forward()' + +Add a check before adding an entity to a chain list to ensure that the +entity is not already part of a chain. + +Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/ + +Cc: +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Reported-by: Andrey Konovalov +Signed-off-by: Will Deacon +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1482,6 +1482,11 @@ static int uvc_scan_chain_forward(struct + break; + if (forward == prev) + continue; ++ if (forward->chain.next || forward->chain.prev) { ++ uvc_trace(UVC_TRACE_DESCR, "Found reference to " ++ "entity %d already in chain.\n", forward->id); ++ return -EINVAL; ++ } + + switch (UVC_ENTITY_TYPE(forward)) { + case UVC_VC_EXTENSION_UNIT: +@@ -1563,6 +1568,13 @@ static int uvc_scan_chain_backward(struc + return -1; + } + ++ if (term->chain.next || term->chain.prev) { ++ uvc_trace(UVC_TRACE_DESCR, "Found reference to " ++ "entity %d already in chain.\n", ++ term->id); ++ return -EINVAL; ++ } ++ + if (uvc_trace_param & UVC_TRACE_PROBE) + printk(KERN_CONT " %d", term->id); + diff --git a/queue-4.19/mfd-dln2-more-sanity-checking-for-endpoints.patch b/queue-4.19/mfd-dln2-more-sanity-checking-for-endpoints.patch new file mode 100644 index 00000000000..5dc3e7604b1 --- /dev/null +++ b/queue-4.19/mfd-dln2-more-sanity-checking-for-endpoints.patch @@ -0,0 +1,55 @@ +From 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 21 Nov 2019 11:28:10 +0100 +Subject: mfd: dln2: More sanity checking for endpoints + +From: Oliver Neukum + +commit 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca upstream. + +It is not enough to check for the number of endpoints. +The types must also be correct. + +Reported-and-tested-by: syzbot+48a2851be24583b864dc@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/dln2.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -725,6 +725,8 @@ static int dln2_probe(struct usb_interfa + const struct usb_device_id *usb_id) + { + struct usb_host_interface *hostif = interface->cur_altsetting; ++ struct usb_endpoint_descriptor *epin; ++ struct usb_endpoint_descriptor *epout; + struct device *dev = &interface->dev; + struct dln2_dev *dln2; + int ret; +@@ -734,12 +736,19 @@ static int dln2_probe(struct usb_interfa + hostif->desc.bNumEndpoints < 2) + return -ENODEV; + ++ epin = &hostif->endpoint[0].desc; ++ epout = &hostif->endpoint[1].desc; ++ if (!usb_endpoint_is_bulk_out(epout)) ++ return -ENODEV; ++ if (!usb_endpoint_is_bulk_in(epin)) ++ return -ENODEV; ++ + dln2 = kzalloc(sizeof(*dln2), GFP_KERNEL); + if (!dln2) + return -ENOMEM; + +- dln2->ep_out = hostif->endpoint[0].desc.bEndpointAddress; +- dln2->ep_in = hostif->endpoint[1].desc.bEndpointAddress; ++ dln2->ep_out = epout->bEndpointAddress; ++ dln2->ep_in = epin->bEndpointAddress; + dln2->usb_dev = usb_get_dev(interface_to_usbdev(interface)); + dln2->interface = interface; + usb_set_intfdata(interface, dln2); diff --git a/queue-4.19/rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch b/queue-4.19/rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch new file mode 100644 index 00000000000..b64a8ecfdd9 --- /dev/null +++ b/queue-4.19/rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch @@ -0,0 +1,107 @@ +From 6935c3983b246d5fbfebd3b891c825e65c118f2d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 9 Oct 2019 14:21:54 -0700 +Subject: rcu: Avoid data-race in rcu_gp_fqs_check_wake() + +From: Eric Dumazet + +commit 6935c3983b246d5fbfebd3b891c825e65c118f2d upstream. + +The rcu_gp_fqs_check_wake() function uses rcu_preempt_blocked_readers_cgp() +to read ->gp_tasks while other cpus might overwrite this field. + +We need READ_ONCE()/WRITE_ONCE() pairs to avoid compiler +tricks and KCSAN splats like the following : + +BUG: KCSAN: data-race in rcu_gp_fqs_check_wake / rcu_preempt_deferred_qs_irqrestore + +write to 0xffffffff85a7f190 of 8 bytes by task 7317 on cpu 0: + rcu_preempt_deferred_qs_irqrestore+0x43d/0x580 kernel/rcu/tree_plugin.h:507 + rcu_read_unlock_special+0xec/0x370 kernel/rcu/tree_plugin.h:659 + __rcu_read_unlock+0xcf/0xe0 kernel/rcu/tree_plugin.h:394 + rcu_read_unlock include/linux/rcupdate.h:645 [inline] + __ip_queue_xmit+0x3b0/0xa40 net/ipv4/ip_output.c:533 + ip_queue_xmit+0x45/0x60 include/net/ip.h:236 + __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158 + __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685 + tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691 + tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575 + tcp_recvmsg+0x633/0x1a30 net/ipv4/tcp.c:2179 + inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 + sock_recvmsg_nosec net/socket.c:871 [inline] + sock_recvmsg net/socket.c:889 [inline] + sock_recvmsg+0x92/0xb0 net/socket.c:885 + sock_read_iter+0x15f/0x1e0 net/socket.c:967 + call_read_iter include/linux/fs.h:1864 [inline] + new_sync_read+0x389/0x4f0 fs/read_write.c:414 + +read to 0xffffffff85a7f190 of 8 bytes by task 10 on cpu 1: + rcu_gp_fqs_check_wake kernel/rcu/tree.c:1556 [inline] + rcu_gp_fqs_check_wake+0x93/0xd0 kernel/rcu/tree.c:1546 + rcu_gp_fqs_loop+0x36c/0x580 kernel/rcu/tree.c:1611 + rcu_gp_kthread+0x143/0x220 kernel/rcu/tree.c:1768 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 10 Comm: rcu_preempt Not tainted 5.3.0+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +[ paulmck: Added another READ_ONCE() for RCU CPU stall warnings. ] +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcu/tree_plugin.h | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -267,7 +267,7 @@ static void rcu_preempt_ctxt_queue(struc + * blocked tasks. + */ + if (!rnp->gp_tasks && (blkd_state & RCU_GP_BLKD)) { +- rnp->gp_tasks = &t->rcu_node_entry; ++ WRITE_ONCE(rnp->gp_tasks, &t->rcu_node_entry); + WARN_ON_ONCE(rnp->completedqs == rnp->gp_seq); + } + if (!rnp->exp_tasks && (blkd_state & RCU_EXP_BLKD)) +@@ -392,7 +392,7 @@ static void rcu_preempt_note_context_swi + */ + static int rcu_preempt_blocked_readers_cgp(struct rcu_node *rnp) + { +- return rnp->gp_tasks != NULL; ++ return READ_ONCE(rnp->gp_tasks) != NULL; + } + + /* +@@ -557,7 +557,7 @@ static void rcu_read_unlock_special(stru + trace_rcu_unlock_preempted_task(TPS("rcu_preempt"), + rnp->gp_seq, t->pid); + if (&t->rcu_node_entry == rnp->gp_tasks) +- rnp->gp_tasks = np; ++ WRITE_ONCE(rnp->gp_tasks, np); + if (&t->rcu_node_entry == rnp->exp_tasks) + rnp->exp_tasks = np; + if (IS_ENABLED(CONFIG_RCU_BOOST)) { +@@ -716,7 +716,7 @@ rcu_preempt_check_blocked_tasks(struct r + dump_blkd_tasks(rsp, rnp, 10); + if (rcu_preempt_has_tasks(rnp) && + (rnp->qsmaskinit || rnp->wait_blkd_tasks)) { +- rnp->gp_tasks = rnp->blkd_tasks.next; ++ WRITE_ONCE(rnp->gp_tasks, rnp->blkd_tasks.next); + t = container_of(rnp->gp_tasks, struct task_struct, + rcu_node_entry); + trace_rcu_unlock_preempted_task(TPS("rcu_preempt-GPS"), +@@ -883,7 +883,8 @@ dump_blkd_tasks(struct rcu_state *rsp, s + pr_info("%s: %d:%d ->qsmask %#lx ->qsmaskinit %#lx ->qsmaskinitnext %#lx\n", + __func__, rnp1->grplo, rnp1->grphi, rnp1->qsmask, rnp1->qsmaskinit, rnp1->qsmaskinitnext); + pr_info("%s: ->gp_tasks %p ->boost_tasks %p ->exp_tasks %p\n", +- __func__, rnp->gp_tasks, rnp->boost_tasks, rnp->exp_tasks); ++ __func__, READ_ONCE(rnp->gp_tasks), rnp->boost_tasks, ++ rnp->exp_tasks); + pr_info("%s: ->blkd_tasks", __func__); + i = 0; + list_for_each(lhp, &rnp->blkd_tasks) { diff --git a/queue-4.19/series b/queue-4.19/series index 00052393b79..2689f664baa 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -23,3 +23,15 @@ rxrpc-fix-use-after-free-in-rxrpc_put_local.patch rxrpc-fix-insufficient-receive-notification-generation.patch rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch +media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch +mfd-dln2-more-sanity-checking-for-endpoints.patch +ipc-msg.c-consolidate-all-xxxctl_down-functions.patch +tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch +rcu-avoid-data-race-in-rcu_gp_fqs_check_wake.patch +brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch +usb-typec-tcpci-mask-event-interrupts-when-remove-driver.patch +usb-gadget-legacy-set-max_speed-to-super-speed.patch +usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch +usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch +alsa-usb-audio-fix-endianess-in-descriptor-validation.patch +alsa-dummy-fix-pcm-format-loop-in-proc-output.patch diff --git a/queue-4.19/tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch b/queue-4.19/tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch new file mode 100644 index 00000000000..04381128afa --- /dev/null +++ b/queue-4.19/tracing-fix-sched-switch-start-stop-refcount-racy-updates.patch @@ -0,0 +1,50 @@ +From 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Sat, 17 Aug 2019 10:12:08 -0400 +Subject: tracing: Fix sched switch start/stop refcount racy updates + +From: Mathieu Desnoyers + +commit 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 upstream. + +Reading the sched_cmdline_ref and sched_tgid_ref initial state within +tracing_start_sched_switch without holding the sched_register_mutex is +racy against concurrent updates, which can lead to tracepoint probes +being registered more than once (and thus trigger warnings within +tracepoint.c). + +[ May be the fix for this bug ] +Link: https://lore.kernel.org/r/000000000000ab6f84056c786b93@google.com + +Link: http://lkml.kernel.org/r/20190817141208.15226-1-mathieu.desnoyers@efficios.com + +Cc: stable@vger.kernel.org +CC: Steven Rostedt (VMware) +CC: Joel Fernandes (Google) +CC: Peter Zijlstra +CC: Thomas Gleixner +CC: Paul E. McKenney +Reported-by: syzbot+774fddf07b7ab29a1e55@syzkaller.appspotmail.com +Fixes: d914ba37d7145 ("tracing: Add support for recording tgid of tasks") +Signed-off-by: Mathieu Desnoyers +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_sched_switch.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_sched_switch.c ++++ b/kernel/trace/trace_sched_switch.c +@@ -89,8 +89,10 @@ static void tracing_sched_unregister(voi + + static void tracing_start_sched_switch(int ops) + { +- bool sched_register = (!sched_cmdline_ref && !sched_tgid_ref); ++ bool sched_register; ++ + mutex_lock(&sched_register_mutex); ++ sched_register = (!sched_cmdline_ref && !sched_tgid_ref); + + switch (ops) { + case RECORD_CMDLINE: diff --git a/queue-4.19/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch b/queue-4.19/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch new file mode 100644 index 00000000000..7be7263132a --- /dev/null +++ b/queue-4.19/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch @@ -0,0 +1,91 @@ +From d710562e01c48d59be3f60d58b7a85958b39aeda Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 9 Jan 2020 13:17:22 +0000 +Subject: usb: gadget: f_ecm: Use atomic_t to track in-flight request + +From: Bryan O'Donoghue + +commit d710562e01c48d59be3f60d58b7a85958b39aeda upstream. + +Currently ecm->notify_req is used to flag when a request is in-flight. +ecm->notify_req is set to NULL and when a request completes it is +subsequently reset. + +This is fundamentally buggy in that the unbind logic of the ECM driver will +unconditionally free ecm->notify_req leading to a NULL pointer dereference. + +Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function") +Cc: stable +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_ecm.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/f_ecm.c ++++ b/drivers/usb/gadget/function/f_ecm.c +@@ -52,6 +52,7 @@ struct f_ecm { + struct usb_ep *notify; + struct usb_request *notify_req; + u8 notify_state; ++ atomic_t notify_count; + bool is_open; + + /* FIXME is_open needs some irq-ish locking +@@ -380,7 +381,7 @@ static void ecm_do_notify(struct f_ecm * + int status; + + /* notification already in flight? */ +- if (!req) ++ if (atomic_read(&ecm->notify_count)) + return; + + event = req->buf; +@@ -420,10 +421,10 @@ static void ecm_do_notify(struct f_ecm * + event->bmRequestType = 0xA1; + event->wIndex = cpu_to_le16(ecm->ctrl_id); + +- ecm->notify_req = NULL; ++ atomic_inc(&ecm->notify_count); + status = usb_ep_queue(ecm->notify, req, GFP_ATOMIC); + if (status < 0) { +- ecm->notify_req = req; ++ atomic_dec(&ecm->notify_count); + DBG(cdev, "notify --> %d\n", status); + } + } +@@ -448,17 +449,19 @@ static void ecm_notify_complete(struct u + switch (req->status) { + case 0: + /* no fault */ ++ atomic_dec(&ecm->notify_count); + break; + case -ECONNRESET: + case -ESHUTDOWN: ++ atomic_set(&ecm->notify_count, 0); + ecm->notify_state = ECM_NOTIFY_NONE; + break; + default: + DBG(cdev, "event %02x --> %d\n", + event->bNotificationType, req->status); ++ atomic_dec(&ecm->notify_count); + break; + } +- ecm->notify_req = req; + ecm_do_notify(ecm); + } + +@@ -907,6 +910,11 @@ static void ecm_unbind(struct usb_config + + usb_free_all_descriptors(f); + ++ if (atomic_read(&ecm->notify_count)) { ++ usb_ep_dequeue(ecm->notify, ecm->notify_req); ++ atomic_set(&ecm->notify_count, 0); ++ } ++ + kfree(ecm->notify_req->buf); + usb_ep_free_request(ecm->notify, ecm->notify_req); + } diff --git a/queue-4.19/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch b/queue-4.19/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch new file mode 100644 index 00000000000..a28e2bf1f95 --- /dev/null +++ b/queue-4.19/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch @@ -0,0 +1,97 @@ +From 5b24c28cfe136597dc3913e1c00b119307a20c7e Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 9 Jan 2020 13:17:21 +0000 +Subject: usb: gadget: f_ncm: Use atomic_t to track in-flight request + +From: Bryan O'Donoghue + +commit 5b24c28cfe136597dc3913e1c00b119307a20c7e upstream. + +Currently ncm->notify_req is used to flag when a request is in-flight. +ncm->notify_req is set to NULL and when a request completes it is +subsequently reset. + +This is fundamentally buggy in that the unbind logic of the NCM driver will +unconditionally free ncm->notify_req leading to a NULL pointer dereference. + +Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility") +Cc: stable +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_ncm.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -54,6 +54,7 @@ struct f_ncm { + struct usb_ep *notify; + struct usb_request *notify_req; + u8 notify_state; ++ atomic_t notify_count; + bool is_open; + + const struct ndp_parser_opts *parser_opts; +@@ -547,7 +548,7 @@ static void ncm_do_notify(struct f_ncm * + int status; + + /* notification already in flight? */ +- if (!req) ++ if (atomic_read(&ncm->notify_count)) + return; + + event = req->buf; +@@ -587,7 +588,8 @@ static void ncm_do_notify(struct f_ncm * + event->bmRequestType = 0xA1; + event->wIndex = cpu_to_le16(ncm->ctrl_id); + +- ncm->notify_req = NULL; ++ atomic_inc(&ncm->notify_count); ++ + /* + * In double buffering if there is a space in FIFO, + * completion callback can be called right after the call, +@@ -597,7 +599,7 @@ static void ncm_do_notify(struct f_ncm * + status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC); + spin_lock(&ncm->lock); + if (status < 0) { +- ncm->notify_req = req; ++ atomic_dec(&ncm->notify_count); + DBG(cdev, "notify --> %d\n", status); + } + } +@@ -632,17 +634,19 @@ static void ncm_notify_complete(struct u + case 0: + VDBG(cdev, "Notification %02x sent\n", + event->bNotificationType); ++ atomic_dec(&ncm->notify_count); + break; + case -ECONNRESET: + case -ESHUTDOWN: ++ atomic_set(&ncm->notify_count, 0); + ncm->notify_state = NCM_NOTIFY_NONE; + break; + default: + DBG(cdev, "event %02x --> %d\n", + event->bNotificationType, req->status); ++ atomic_dec(&ncm->notify_count); + break; + } +- ncm->notify_req = req; + ncm_do_notify(ncm); + spin_unlock(&ncm->lock); + } +@@ -1612,6 +1616,11 @@ static void ncm_unbind(struct usb_config + ncm_string_defs[0].id = 0; + usb_free_all_descriptors(f); + ++ if (atomic_read(&ncm->notify_count)) { ++ usb_ep_dequeue(ncm->notify, ncm->notify_req); ++ atomic_set(&ncm->notify_count, 0); ++ } ++ + kfree(ncm->notify_req->buf); + usb_ep_free_request(ncm->notify, ncm->notify_req); + } diff --git a/queue-4.19/usb-gadget-legacy-set-max_speed-to-super-speed.patch b/queue-4.19/usb-gadget-legacy-set-max_speed-to-super-speed.patch new file mode 100644 index 00000000000..8a8f5753bf8 --- /dev/null +++ b/queue-4.19/usb-gadget-legacy-set-max_speed-to-super-speed.patch @@ -0,0 +1,68 @@ +From 463f67aec2837f981b0a0ce8617721ff59685c00 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Mon, 23 Dec 2019 08:47:35 +0200 +Subject: usb: gadget: legacy: set max_speed to super-speed + +From: Roger Quadros + +commit 463f67aec2837f981b0a0ce8617721ff59685c00 upstream. + +These interfaces do support super-speed so let's not +limit maximum speed to high-speed. + +Cc: +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/legacy/cdc2.c | 2 +- + drivers/usb/gadget/legacy/g_ffs.c | 2 +- + drivers/usb/gadget/legacy/multi.c | 2 +- + drivers/usb/gadget/legacy/ncm.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/legacy/cdc2.c ++++ b/drivers/usb/gadget/legacy/cdc2.c +@@ -225,7 +225,7 @@ static struct usb_composite_driver cdc_d + .name = "g_cdc", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = cdc_bind, + .unbind = cdc_unbind, + }; +--- a/drivers/usb/gadget/legacy/g_ffs.c ++++ b/drivers/usb/gadget/legacy/g_ffs.c +@@ -149,7 +149,7 @@ static struct usb_composite_driver gfs_d + .name = DRIVER_NAME, + .dev = &gfs_dev_desc, + .strings = gfs_dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = gfs_bind, + .unbind = gfs_unbind, + }; +--- a/drivers/usb/gadget/legacy/multi.c ++++ b/drivers/usb/gadget/legacy/multi.c +@@ -482,7 +482,7 @@ static struct usb_composite_driver multi + .name = "g_multi", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = multi_bind, + .unbind = multi_unbind, + .needs_serial = 1, +--- a/drivers/usb/gadget/legacy/ncm.c ++++ b/drivers/usb/gadget/legacy/ncm.c +@@ -197,7 +197,7 @@ static struct usb_composite_driver ncm_d + .name = "g_ncm", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = gncm_bind, + .unbind = gncm_unbind, + }; diff --git a/queue-4.19/usb-typec-tcpci-mask-event-interrupts-when-remove-driver.patch b/queue-4.19/usb-typec-tcpci-mask-event-interrupts-when-remove-driver.patch new file mode 100644 index 00000000000..cb18ace7b5d --- /dev/null +++ b/queue-4.19/usb-typec-tcpci-mask-event-interrupts-when-remove-driver.patch @@ -0,0 +1,38 @@ +From 3ba76256fc4e2a0d7fb26cc95459041ea0e88972 Mon Sep 17 00:00:00 2001 +From: Jun Li +Date: Mon, 20 Jan 2020 06:43:19 +0000 +Subject: usb: typec: tcpci: mask event interrupts when remove driver + +From: Jun Li + +commit 3ba76256fc4e2a0d7fb26cc95459041ea0e88972 upstream. + +This is to prevent any possible events generated while unregister +tpcm port. + +Fixes: 74e656d6b055 ("staging: typec: Type-C Port Controller Interface driver (tcpci)") +Signed-off-by: Li Jun +Reviewed-by: Heikki Krogerus +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/1579502333-4145-1-git-send-email-jun.li@nxp.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/tcpci.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/typec/tcpci.c ++++ b/drivers/usb/typec/tcpci.c +@@ -581,6 +581,12 @@ static int tcpci_probe(struct i2c_client + static int tcpci_remove(struct i2c_client *client) + { + struct tcpci_chip *chip = i2c_get_clientdata(client); ++ int err; ++ ++ /* Disable chip interrupts before unregistering port */ ++ err = tcpci_write16(chip->tcpci, TCPC_ALERT_MASK, 0); ++ if (err < 0) ++ return err; + + tcpci_unregister_port(chip->tcpci); +