From 045a933310a3bd9b3128df82427b0c7536b84309 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 15 Nov 2020 09:34:31 -0500
Subject: [PATCH] Fixes for 4.4
Signed-off-by: Sasha Levin
---
...ory-fix-inconsistent-format-argument.patch | 38 ++++++
...rm-srbm-soft-reset-always-on-sdma-re.patch | 63 +++++++++
...ive-vs.-read-only-file-system-in-gfs.patch | 49 +++++++
...s-later-in-gfs2_clear_rgrpd-to-fix-u.patch | 39 ++++++
...se-interrupt-remapping-table-limit-t.patch | 53 ++++++++
.../mac80211-always-wind-down-sta-state.patch | 64 +++++++++
...use-of-skb-payload-instead-of-header.patch | 124 ++++++++++++++++++
queue-4.4/series | 8 ++
...u_udc-fix-potential-crashes-in-probe.patch | 51 +++++++
9 files changed, 489 insertions(+)
create mode 100644 queue-4.4/cfg80211-regulatory-fix-inconsistent-format-argument.patch
create mode 100644 queue-4.4/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch
create mode 100644 queue-4.4/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch
create mode 100644 queue-4.4/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch
create mode 100644 queue-4.4/iommu-amd-increase-interrupt-remapping-table-limit-t.patch
create mode 100644 queue-4.4/mac80211-always-wind-down-sta-state.patch
create mode 100644 queue-4.4/mac80211-fix-use-of-skb-payload-instead-of-header.patch
create mode 100644 queue-4.4/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch
diff --git a/queue-4.4/cfg80211-regulatory-fix-inconsistent-format-argument.patch b/queue-4.4/cfg80211-regulatory-fix-inconsistent-format-argument.patch
new file mode 100644
index 00000000000..0ccfbc0dde1
--- /dev/null
+++ b/queue-4.4/cfg80211-regulatory-fix-inconsistent-format-argument.patch
@@ -0,0 +1,38 @@ +From 625de8529e09fa51198f0a3f4e27606b450c4ff6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 15:02:15 +0800 +Subject: cfg80211: regulatory: Fix inconsistent format argument + +From: Ye Bin + +[ Upstream commit db18d20d1cb0fde16d518fb5ccd38679f174bc04 ] + +Fix follow warning: +[net/wireless/reg.c:3619]: (warning) %d in format string (no. 2) +requires 'int' but the argument type is 'unsigned int'. + +Reported-by: Hulk Robot +Signed-off-by: Ye Bin +Link: https://lore.kernel.org/r/20201009070215.63695-1-yebin10@huawei.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 474923175b108..dcbf5cd44bb37 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2775,7 +2775,7 @@ static void print_rd_rules(const struct ieee80211_regdomain *rd) + power_rule = ®_rule->power_rule; + + if (reg_rule->flags & NL80211_RRF_AUTO_BW) +- snprintf(bw, sizeof(bw), "%d KHz, %d KHz AUTO", ++ snprintf(bw, sizeof(bw), "%d KHz, %u KHz AUTO", + freq_range->max_bandwidth_khz, + reg_get_max_bandwidth(rd, reg_rule)); + else +-- +2.27.0 + diff --git a/queue-4.4/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch b/queue-4.4/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch new file mode 100644 index 00000000000..8677ee05a9a --- /dev/null +++ b/queue-4.4/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch 
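Review bot: The first conversion in the same snprintf() still pairs `%d` with `freq_range->max_bandwidth_khz`; if that field is unsigned like the return of reg_get_max_bandwidth() (I believe `struct ieee80211_freq_range` uses u32 for all three members), the warning's "no. 2" is fixed but the identical mismatch on argument 1 remains. The consistent line would be `snprintf(bw, sizeof(bw), "%u KHz, %u KHz AUTO",`. Passing a u32 to `%d` is formally undefined but prints identically for values below 2^31, so this is a consistency point rather than a functional one. print_rd_rules() starts and ends outside the hunk.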
@@ -0,0 +1,63 @@ +From 7b8f70f2d5ccfec67ffcec171bed6f5b6f9e07b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 15:29:59 +0800 +Subject: drm/amdgpu: perform srbm soft reset always on SDMA resume + +From: Evan Quan + +[ Upstream commit 253475c455eb5f8da34faa1af92709e7bb414624 ] + +This can address the random SDMA hang after pci config reset +seen on Hawaii. + +Signed-off-by: Evan Quan +Tested-by: Sandeep Raghuraman +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c +index c568293cb6c1a..f1745c5cdf7b3 100644 +--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c ++++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c +@@ -1118,22 +1118,19 @@ static int cik_sdma_soft_reset(void *handle) + { + u32 srbm_soft_reset = 0; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- u32 tmp = RREG32(mmSRBM_STATUS2); ++ u32 tmp; + +- if (tmp & SRBM_STATUS2__SDMA_BUSY_MASK) { +- /* sdma0 */ +- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET); +- tmp |= SDMA0_F32_CNTL__HALT_MASK; +- WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp); +- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK; +- } +- if (tmp & SRBM_STATUS2__SDMA1_BUSY_MASK) { +- /* sdma1 */ +- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET); +- tmp |= SDMA0_F32_CNTL__HALT_MASK; +- WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp); +- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK; +- } ++ /* sdma0 */ ++ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET); ++ tmp |= SDMA0_F32_CNTL__HALT_MASK; ++ WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp); ++ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK; ++ ++ /* sdma1 */ ++ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET); ++ tmp |= SDMA0_F32_CNTL__HALT_MASK; 
++ WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp); ++ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK; + + if (srbm_soft_reset) { + cik_sdma_print_status((void *)adev); +-- +2.27.0 + diff --git a/queue-4.4/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch b/queue-4.4/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch new file mode 100644 index 00000000000..bfc28ceaf18 --- /dev/null +++ b/queue-4.4/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch 
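Review bot: With the SRBM_STATUS2 busy check removed, `srbm_soft_reset` is unconditionally non-zero after the two halt sequences, so the `if (srbm_soft_reset)` guard that follows is now dead and suggests to a reader that the reset is still conditional. Either drop the guard or put a comment above the sdma0 block recording why both engines are halted and reset regardless of busy status, e.g. `/* Always halt and reset both engines: the busy-status check missed SDMA hangs after a PCI config reset. */`. cik_sdma_soft_reset() continues past the hunk, so whether the guard matters later cannot be judged from here.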
@@ -0,0 +1,49 @@ +From 19a94873ee6e30153b8103ff0d89a1000895274a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 13:42:18 -0500 +Subject: gfs2: check for live vs. read-only file system in gfs2_fitrim + +From: Bob Peterson + +[ Upstream commit c5c68724696e7d2f8db58a5fce3673208d35c485 ] + +Before this patch, gfs2_fitrim was not properly checking for a "live" file +system. If the file system had something to trim and the file system +was read-only (or spectator) it would start the trim, but when it starts +the transaction, gfs2_trans_begin returns -EROFS (read-only file system) +and it errors out. However, if the file system was already trimmed so +there's no work to do, it never called gfs2_trans_begin. That code is +bypassed so it never returns the error. Instead, it returns a good +return code with 0 work. All this makes for inconsistent behavior: +The same fstrim command can return -EROFS in one case and 0 in another. +This tripped up xfstests generic/537 which reports the error as: + + +fstrim with unrecovered metadata just ate your filesystem + +This patch adds a check for a "live" (iow, active journal, iow, RW) +file system, and if not, returns the error properly. + +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/rgrp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c +index 99dcbdc1ff3a4..faa5e0e2c4493 100644 +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -1388,6 +1388,9 @@ int gfs2_fitrim(struct file *filp, void __user *argp) + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + ++ if (!test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags)) ++ return -EROFS; ++ + if (!blk_queue_discard(q)) + return -EOPNOTSUPP; + +-- +2.27.0 + diff --git a/queue-4.4/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch b/queue-4.4/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch new file mode 100644 index 00000000000..035d370d454 --- /dev/null 
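Review bot: Placing the SDF_JOURNAL_LIVE test ahead of `blk_queue_discard(q)` changes which error a read-only mount on a non-discard device reports, from -EOPNOTSUPP to -EROFS, which is a small userspace-visible precedence change beyond the "no work to do" gap described in the message; it is worth calling out in the commit text if intended. The new check relies on `sdp` and `q` being set up earlier in gfs2_fitrim(), which starts outside the hunk. A one-line comment such as `/* trimming starts a transaction, so refuse early on a read-only or spectator mount */` would record why the test sits here.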
+++ b/queue-4.4/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch @@ -0,0 +1,39 @@ +From 2e8523571900a0c2d456cd47d593cc7273a7dbc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Oct 2020 10:10:01 -0500 +Subject: gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free + +From: Bob Peterson + +[ Upstream commit d0f17d3883f1e3f085d38572c2ea8edbd5150172 ] + +Function gfs2_clear_rgrpd calls kfree(rgd->rd_bits) before calling +return_all_reservations, but return_all_reservations still dereferences +rgd->rd_bits in __rs_deltree. Fix that by moving the call to kfree below the +call to return_all_reservations. + +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/rgrp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c +index 2736e9cfc2ee9..99dcbdc1ff3a4 100644 +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -747,9 +747,9 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp) + } + + gfs2_free_clones(rgd); ++ return_all_reservations(rgd); + kfree(rgd->rd_bits); + rgd->rd_bits = NULL; +- return_all_reservations(rgd); + kmem_cache_free(gfs2_rgrpd_cachep, rgd); + } + } +-- +2.27.0 + diff --git a/queue-4.4/iommu-amd-increase-interrupt-remapping-table-limit-t.patch b/queue-4.4/iommu-amd-increase-interrupt-remapping-table-limit-t.patch new file mode 100644 index 00000000000..4973c5e6605 --- /dev/null +++ b/queue-4.4/iommu-amd-increase-interrupt-remapping-table-limit-t.patch 
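Review bot: Nothing in the hunk records why return_all_reservations() must now run before the kfree(), so a later tidy-up could reorder it back into the use-after-free; a comment on the moved line, `/* must precede kfree(rd_bits): __rs_deltree() dereferences rd_bits */`, would pin the order. Keeping `rgd->rd_bits = NULL` immediately after the kfree() is the right defensive step. gfs2_clear_rgrpd() begins outside the hunk.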
@@ -0,0 +1,53 @@ +From 762d992fe70584120b5913c86a1eee0c3d7222a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 02:50:02 +0000 +Subject: iommu/amd: Increase interrupt remapping table limit to 512 entries + +From: Suravee Suthikulpanit + +[ Upstream commit 73db2fc595f358460ce32bcaa3be1f0cce4a2db1 ] + +Certain device drivers allocate IO queues on a per-cpu basis. +On AMD EPYC platform, which can support up-to 256 cpu threads, +this can exceed the current MAX_IRQ_PER_TABLE limit of 256, +and result in the error message: + + AMD-Vi: Failed to allocate IRTE + +This has been observed with certain NVME devices. + +AMD IOMMU hardware can actually support upto 512 interrupt +remapping table entries. Therefore, update the driver to +match the hardware limit. + +Please note that this also increases the size of interrupt remapping +table to 8KB per device when using the 128-bit IRTE format. + +Signed-off-by: Suravee Suthikulpanit +Link: https://lore.kernel.org/r/20201015025002.87997-1-suravee.suthikulpanit@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_types.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h +index 695d4e235438c..90832bf00538e 100644 +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -351,7 +351,11 @@ extern bool amd_iommu_np_cache; + /* Only true if all IOMMUs support device IOTLBs */ + extern bool amd_iommu_iotlb_sup; + +-#define MAX_IRQS_PER_TABLE 256 ++/* ++ * AMD IOMMU hardware only support 512 IRTEs despite ++ * the architectural limitation of 2048 entries. ++ */ ++#define MAX_IRQS_PER_TABLE 512 + #define IRQ_TABLE_ALIGNMENT 128 + + struct irq_remap_table { +-- +2.27.0 + diff --git a/queue-4.4/mac80211-always-wind-down-sta-state.patch b/queue-4.4/mac80211-always-wind-down-sta-state.patch new file mode 100644 index 00000000000..b0e2347b305 --- /dev/null 
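Review bot: Raising MAX_IRQS_PER_TABLE to 512 enlarges the table the driver allocates and indexes, but nothing in this patch touches the DTE IntTabLen encoding the hardware reads; if 4.4 still defines `DTE_IRQ_TABLE_LEN` as `(8ULL << 1)` (256 entries), the IOMMU will regard indices 256..511 as outside the table, so allocations that used to fail with "Failed to allocate IRTE" would instead hand out entries the hardware does not remap. The companion change would be `#define DTE_IRQ_TABLE_LEN (9ULL << 1)`, and I believe upstream needed a follow-up fix for exactly this, so the backport should carry both or wait for that follow-up. The new comment also reads better as `only supports 512 IRTEs`, but it sits inside the quoted upstream patch, so leave it as is.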
+++ b/queue-4.4/mac80211-always-wind-down-sta-state.patch 
@@ -0,0 +1,64 @@ +From 2e39c206d0aa7ccf9288a5787c71fc83589cd499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 14:17:11 +0200 +Subject: mac80211: always wind down STA state + +From: Johannes Berg + +[ Upstream commit dcd479e10a0510522a5d88b29b8f79ea3467d501 ] + +When (for example) an IBSS station is pre-moved to AUTHORIZED +before it's inserted, and then the insertion fails, we don't +clean up the fast RX/TX states that might already have been +created, since we don't go through all the state transitions +again on the way down. + +Do that, if it hasn't been done already, when the station is +freed. I considered only freeing the fast TX/RX state there, +but we might add more state so it's more robust to wind down +the state properly. + +Note that we warn if the station was ever inserted, it should +have been properly cleaned up in that case, and the driver +will probably not like things happening out of order. + +Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index bbddab248c489..6f7c3f6a5027b 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -242,6 +242,24 @@ struct sta_info *sta_info_get_by_idx(struct ieee80211_sub_if_data *sdata, + */ + void sta_info_free(struct ieee80211_local *local, struct sta_info *sta) + { ++ /* ++ * If we had used sta_info_pre_move_state() then we might not ++ * have gone through the state transitions down again, so do ++ * it here now (and warn if it's inserted). ++ * ++ * This will clear state such as fast TX/RX that may have been ++ * allocated during state transitions. 
++ */ ++ while (sta->sta_state > IEEE80211_STA_NONE) { ++ int ret; ++ ++ WARN_ON_ONCE(test_sta_flag(sta, WLAN_STA_INSERTED)); ++ ++ ret = sta_info_move_state(sta, sta->sta_state - 1); ++ if (WARN_ONCE(ret, "sta_info_move_state() returned %d\n", ret)) ++ break; ++ } ++ + if (sta->rate_ctrl) + rate_control_free_sta(sta); + +-- +2.27.0 + diff --git a/queue-4.4/mac80211-fix-use-of-skb-payload-instead-of-header.patch b/queue-4.4/mac80211-fix-use-of-skb-payload-instead-of-header.patch new file mode 100644 index 00000000000..59eaff8334b --- /dev/null +++ b/queue-4.4/mac80211-fix-use-of-skb-payload-instead-of-header.patch 
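Review bot: When `sta_info_move_state()` fails, the loop `break`s but sta_info_free() continues to release the station with whatever fast TX/RX state the unfinished transitions left behind, so the WARN_ONCE is the only trace of a possible leak; a comment on the break, `/* best effort: nothing more can be done on the free path */`, would make that explicit. The `WARN_ON_ONCE(test_sta_flag(sta, WLAN_STA_INSERTED))` inside the loop reports once per boot rather than per station, which is acceptable for a should-never-happen path. The rest of sta_info_free() continues past the hunk.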
@@ -0,0 +1,124 @@ +From 9cd6bcba1edf61d1b2473a526f61d4d7c7fce3ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 13:25:41 +0200 +Subject: mac80211: fix use of skb payload instead of header + +From: Johannes Berg + +[ Upstream commit 14f46c1e5108696ec1e5a129e838ecedf108c7bf ] + +When ieee80211_skb_resize() is called from ieee80211_build_hdr() +the skb has no 802.11 header yet, in fact it consist only of the +payload as the ethernet frame is removed. As such, we're using +the payload data for ieee80211_is_mgmt(), which is of course +completely wrong. This didn't really hurt us because these are +always data frames, so we could only have added more tailroom +than we needed if we determined it was a management frame and +sdata->crypto_tx_tailroom_needed_cnt was false. + +However, syzbot found that of course there need not be any payload, +so we're using at best uninitialized memory for the check. + +Fix this to pass explicitly the kind of frame that we have instead +of checking there, by replacing the "bool may_encrypt" argument +with an argument that can carry the three possible states - it's +not going to be encrypted, it's a management frame, or it's a data +frame (and then we check sdata->crypto_tx_tailroom_needed_cnt). 
+ +Reported-by: syzbot+32fd1a1bfe355e93f1e2@syzkaller.appspotmail.com +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20201009132538.e1fd7f802947.I799b288466ea2815f9d4c84349fae697dca2f189@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 35 +++++++++++++++++++++++------------ + 1 file changed, 23 insertions(+), 12 deletions(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 98c34c3adf392..4466413c5eecc 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1594,19 +1594,24 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata, + + /* device xmit handlers */ + ++enum ieee80211_encrypt { ++ ENCRYPT_NO, ++ ENCRYPT_MGMT, ++ ENCRYPT_DATA, ++}; ++ + static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata, + struct sk_buff *skb, +- int head_need, bool may_encrypt) ++ int head_need, ++ enum ieee80211_encrypt encrypt) + { + struct ieee80211_local *local = sdata->local; +- struct ieee80211_hdr *hdr; + bool enc_tailroom; + int tail_need = 0; + +- hdr = (struct ieee80211_hdr *) skb->data; +- enc_tailroom = may_encrypt && +- (sdata->crypto_tx_tailroom_needed_cnt || +- ieee80211_is_mgmt(hdr->frame_control)); ++ enc_tailroom = encrypt == ENCRYPT_MGMT || ++ (encrypt == ENCRYPT_DATA && ++ sdata->crypto_tx_tailroom_needed_cnt); + + if (enc_tailroom) { + tail_need = IEEE80211_ENCRYPT_TAILROOM; +@@ -1639,21 +1644,27 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; + int headroom; +- bool may_encrypt; ++ enum ieee80211_encrypt encrypt; + +- may_encrypt = !(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT); ++ if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT) ++ encrypt = ENCRYPT_NO; ++ else if (ieee80211_is_mgmt(hdr->frame_control)) ++ encrypt = ENCRYPT_MGMT; ++ else ++ encrypt = ENCRYPT_DATA; + + headroom = local->tx_headroom; +- if (may_encrypt) ++ if 
(encrypt != ENCRYPT_NO) + headroom += sdata->encrypt_headroom; + headroom -= skb_headroom(skb); + headroom = max_t(int, 0, headroom); + +- if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) { ++ if (ieee80211_skb_resize(sdata, skb, headroom, encrypt)) { + ieee80211_free_txskb(&local->hw, skb); + return; + } + ++ /* reload after potential resize */ + hdr = (struct ieee80211_hdr *) skb->data; + info->control.vif = &sdata->vif; + +@@ -2346,7 +2357,7 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata, + head_need += sdata->encrypt_headroom; + head_need += local->tx_headroom; + head_need = max_t(int, 0, head_need); +- if (ieee80211_skb_resize(sdata, skb, head_need, true)) { ++ if (ieee80211_skb_resize(sdata, skb, head_need, ENCRYPT_DATA)) { + ieee80211_free_txskb(&local->hw, skb); + skb = NULL; + return ERR_PTR(-ENOMEM); +@@ -2756,7 +2767,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata, + if (unlikely(ieee80211_skb_resize(sdata, skb, + max_t(int, extra_head + hw_headroom - + skb_headroom(skb), 0), +- false))) { ++ ENCRYPT_NO))) { + kfree_skb(skb); + return true; + } +-- +2.27.0 + diff --git a/queue-4.4/series b/queue-4.4/series index 1701664dde0..0786a2bf97c 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -17,3 +17,11 @@ i40e-wrong-truncation-from-u16-to-u8.patch i40e-fix-of-memory-leak-and-integer-truncation-in-i4.patch geneve-add-transport-ports-in-route-lookup-for-genev.patch ath9k_htc-use-appropriate-rs_datalen-type.patch +usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch +gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch +gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch +drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch +mac80211-fix-use-of-skb-payload-instead-of-header.patch +mac80211-always-wind-down-sta-state.patch +cfg80211-regulatory-fix-inconsistent-format-argument.patch +iommu-amd-increase-interrupt-remapping-table-limit-t.patch 
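Review bot: ieee80211_skb_resize() no longer reads `skb->data`, which is the whole fix, but nothing in the function says it may be called before the 802.11 header exists, so a future change could reintroduce the read; a comment above the signature, `/* skb may not carry an 802.11 header yet (ieee80211_build_hdr), so derive tailroom from @encrypt, never from the frame */`, would guard against that. In the ieee80211_build_hdr() hunk the call passes `ENCRYPT_DATA` unconditionally, which preserves the old `true` but means a DONT_ENCRYPT data frame still reserves tailroom it will not use; noting that this over-reservation is intentional would help the next reader. The `/* reload after potential resize */` line in ieee80211_xmit() is a good addition, since `hdr` is computed from the pre-resize buffer at the top of that function.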
diff --git a/queue-4.4/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch b/queue-4.4/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch
new file mode 100644
index 00000000000..e235fa85eab
--- /dev/null
+++ b/queue-4.4/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch
@@ -0,0 +1,51 @@ +From 1407b7f75ecc290d1a6ef2440de67cf5461e3d6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 18:01:55 +0300 +Subject: usb: gadget: goku_udc: fix potential crashes in probe + +From: Evgeny Novikov + +[ Upstream commit 0d66e04875c5aae876cf3d4f4be7978fa2b00523 ] + +goku_probe() goes to error label "err" and invokes goku_remove() +in case of failures of pci_enable_device(), pci_resource_start() +and ioremap(). goku_remove() gets a device from +pci_get_drvdata(pdev) and works with it without any checks, in +particular it dereferences a corresponding pointer. But +goku_probe() did not set this device yet. So, one can expect +various crashes. The patch moves setting the device just after +allocation of memory for it. + +Found by Linux Driver Verification project (linuxtesting.org). + +Reported-by: Pavel Andrianov +Signed-off-by: Evgeny Novikov +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/goku_udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c +index 1fdfec14a3ba1..5d4616061309e 100644 +--- a/drivers/usb/gadget/udc/goku_udc.c ++++ b/drivers/usb/gadget/udc/goku_udc.c +@@ -1773,6 +1773,7 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id) + goto err; + } + ++ pci_set_drvdata(pdev, dev); + spin_lock_init(&dev->lock); + dev->pdev = pdev; + dev->gadget.ops = &goku_ops; +@@ -1806,7 +1807,6 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id) + } + dev->regs = (struct goku_udc_regs __iomem *) base; + +- pci_set_drvdata(pdev, dev); + INFO(dev, "%s\n", driver_desc); + INFO(dev, "version: " DRIVER_VERSION " %s\n", dmastr()); + INFO(dev, "irq %d, pci mem %p\n", pdev->irq, base); +-- +2.27.0 + -- 2.47.3
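Review bot: Moving `pci_set_drvdata(pdev, dev)` up makes goku_remove() reachable with a `dev` whose `regs` (assigned later in the hunk) and whatever resource-acquired flags goku_remove() keys its teardown on are still at their initial values, so the fix is only complete if the allocation that precedes the hunk zero-initializes the struct and goku_remove() tests each field before releasing it; neither is visible here and both are worth confirming. If the allocation were a plain kmalloc(), the early `goto err` paths would now reach goku_remove() with uninitialized flags instead of a NULL dereference. goku_probe() starts and ends outside the hunk.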