1. 31 Jul, 2020 16 commits
  2. 29 Jul, 2020 24 commits
    • Greg Kroah-Hartman's avatar
      205a42ce
    • Mark O'Donovan's avatar
      ath9k: Fix regression with Atheros 9271 · f3c15454
      Mark O'Donovan authored
      commit 92f53e2f upstream.
      
      This fix allows ath9k_htc modules to connect to WLAN once again.
      
      Fixes: 2bbcaaee ("ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=208251Signed-off-by: default avatarMark O'Donovan <shiftee@posteo.net>
      Reported-by: default avatarRoman Mamedov <rm@romanrm.net>
      Tested-by: default avatarViktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200711043324.8079-1-shiftee@posteo.netSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3c15454
    • Qiujun Huang's avatar
      ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb · 654ae85f
      Qiujun Huang authored
      commit 2bbcaaee upstream.
      
      In ath9k_hif_usb_rx_cb interface number is assumed to be 0.
      usb_ifnum_to_if(urb->dev, 0)
      But it isn't always true.
      
      The case reported by syzbot:
      https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com
      usb 2-1: new high-speed USB device number 2 using dummy_hcd
      usb 2-1: config 1 has an invalid interface number: 2 but max is 0
      usb 2-1: config 1 has no interface number 0
      usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice=
      1.08
      usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      general protection fault, probably for non-canonical address
      0xdffffc0000000015: 0000 [#1] SMP KASAN
      KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
      
      Call Trace
      __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
      usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
      dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
      call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
      expire_timers kernel/time/timer.c:1449 [inline]
      __run_timers kernel/time/timer.c:1773 [inline]
      __run_timers kernel/time/timer.c:1740 [inline]
      run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
      __do_softirq+0x21e/0x950 kernel/softirq.c:292
      invoke_softirq kernel/softirq.c:373 [inline]
      irq_exit+0x178/0x1a0 kernel/softirq.c:413
      exiting_irq arch/x86/include/asm/apic.h:546 [inline]
      smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
      apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
      
      Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
      Signed-off-by: default avatarQiujun Huang <hqjagain@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com
      Cc: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      654ae85f
    • Mikulas Patocka's avatar
      dm integrity: fix integrity recalculation that is improperly skipped · cab7ef00
      Mikulas Patocka authored
      commit 5df96f2b upstream.
      
      Commit adc0daad ("dm: report suspended
      device during destroy") broke integrity recalculation.
      
      The problem is dm_suspended() returns true not only during suspend,
      but also during resume. So this race condition could occur:
      1. dm_integrity_resume calls queue_work(ic->recalc_wq, &ic->recalc_work)
      2. integrity_recalc (&ic->recalc_work) preempts the current thread
      3. integrity_recalc calls if (unlikely(dm_suspended(ic->ti))) goto unlock_ret;
      4. integrity_recalc exits and no recalculating is done.
      
      To fix this race condition, add a function dm_post_suspending that is
      only true during the postsuspend phase and use it instead of
      dm_suspended().
      
      Signed-off-by: Mikulas Patocka <mpatocka redhat com>
      Fixes: adc0daad ("dm: report suspended device during destroy")
      Cc: stable vger kernel org # v4.18+
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cab7ef00
    • Geert Uytterhoeven's avatar
      ASoC: qcom: Drop HAS_DMA dependency to fix link failure · 0d034bb3
      Geert Uytterhoeven authored
      commit b6aa06de upstream.
      
      When building on allyesconfig kernel for a NO_DMA=y platform (e.g.
      Sun-3), CONFIG_SND_SOC_QCOM_COMMON=y, but CONFIG_SND_SOC_QDSP6_AFE=n,
      leading to a link failure:
      
          sound/soc/qcom/common.o: In function `qcom_snd_parse_of':
          common.c:(.text+0x2e2): undefined reference to `q6afe_is_rx_port'
      
      While SND_SOC_QDSP6 depends on HAS_DMA, SND_SOC_MSM8996 and SND_SOC_SDM845
      don't, so the following warning is seen:
      
          WARNING: unmet direct dependencies detected for SND_SOC_QDSP6
            Depends on [n]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && HAS_DMA [=n]
            Selected by [y]:
            - SND_SOC_MSM8996 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y]
            - SND_SOC_SDM845 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && CROS_EC [=y] && I2C [=y] && SOUNDWIRE [=y]
      
      Until recently, this warning was harmless (from a compile-testing
      point-of-view), but the new user of q6afe_is_rx_port() turned this into
      a hard failure.
      
      As the QDSP6 driver itself builds fine if NO_DMA=y, and it depends on
      QCOM_APR (which in turns depends on ARCH_QCOM || COMPILE_TEST), it is
      safe to increase compile testing coverage.  Hence fix the link failure
      by dropping the HAS_DMA dependency of SND_SOC_QDSP6.
      
      Fixes: a2120089 ("ASoC: qcom: common: set correct directions for dailinks")
      Fixes: 6b1687bf ("ASoC: qcom: add sdm845 sound card support")
      Fixes: a6f933f6 ("ASoC: qcom: apq8096: Add db820c machine driver")
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Link: https://lore.kernel.org/r/20200629122443.21736-1-geert@linux-m68k.orgSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d034bb3
    • Hans de Goede's avatar
      ASoC: rt5670: Add new gpio1_is_ext_spk_en quirk and enable it on the Lenovo Miix 2 10 · 2005c828
      Hans de Goede authored
      commit 85ca6b17 upstream.
      
      The Lenovo Miix 2 10 has a keyboard dock with extra speakers in the dock.
      Rather then the ACL5672's GPIO1 pin being used as IRQ to the CPU, it is
      actually used to enable the amplifier for these speakers
      (the IRQ to the CPU comes directly from the jack-detect switch).
      
      Add a quirk for having an ext speaker-amplifier enable pin on GPIO1
      and replace the Lenovo Miix 2 10's dmi_system_id table entry's wrong
      GPIO_DEV quirk (which needs to be renamed to GPIO1_IS_IRQ) with the
      new RT5670_GPIO1_IS_EXT_SPK_EN quirk, so that we enable the external
      speaker-amplifier as necessary.
      
      Also update the ident field for the dmi_system_id table entry, the
      Miix models are not Thinkpads.
      
      Fixes: 67e03ff3 ("ASoC: codecs: rt5670: add Thinkpad Tablet 10 quirk")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1786723
      Link: https://lore.kernel.org/r/20200628155231.71089-4-hdegoede@redhat.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2005c828
    • Joerg Roedel's avatar
      x86, vmlinux.lds: Page-align end of ..page_aligned sections · 159bcd54
      Joerg Roedel authored
      commit de2b41be upstream.
      
      On x86-32 the idt_table with 256 entries needs only 2048 bytes. It is
      page-aligned, but the end of the .bss..page_aligned section is not
      guaranteed to be page-aligned.
      
      As a result, objects from other .bss sections may end up on the same 4k
      page as the idt_table, and will accidentially get mapped read-only during
      boot, causing unexpected page-faults when the kernel writes to them.
      
      This could be worked around by making the objects in the page aligned
      sections page sized, but that's wrong.
      
      Explicit sections which store only page aligned objects have an implicit
      guarantee that the object is alone in the page in which it is placed. That
      works for all objects except the last one. That's inconsistent.
      
      Enforcing page sized objects for these sections would wreckage memory
      sanitizers, because the object becomes artificially larger than it should
      be and out of bound access becomes legit.
      
      Align the end of the .bss..page_aligned and .data..page_aligned section on
      page-size so all objects places in these sections are guaranteed to have
      their own page.
      
      [ tglx: Amended changelog ]
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20200721093448.10417-1-joro@8bytes.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      159bcd54
    • John David Anglin's avatar
      parisc: Add atomic64_set_release() define to avoid CPU soft lockups · 69f77566
      John David Anglin authored
      commit be6577af upstream.
      
      Stalls are quite frequent with recent kernels. I enabled
      CONFIG_SOFTLOCKUP_DETECTOR and I caught the following stall:
      
      watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [cc1:22803]
      CPU: 0 PID: 22803 Comm: cc1 Not tainted 5.6.17+ #3
      Hardware name: 9000/800/rp3440
       IAOQ[0]: d_alloc_parallel+0x384/0x688
       IAOQ[1]: d_alloc_parallel+0x388/0x688
       RP(r2): d_alloc_parallel+0x134/0x688
      Backtrace:
       [<000000004036974c>] __lookup_slow+0xa4/0x200
       [<0000000040369fc8>] walk_component+0x288/0x458
       [<000000004036a9a0>] path_lookupat+0x88/0x198
       [<000000004036e748>] filename_lookup+0xa0/0x168
       [<000000004036e95c>] user_path_at_empty+0x64/0x80
       [<000000004035d93c>] vfs_statx+0x104/0x158
       [<000000004035dfcc>] __do_sys_lstat64+0x44/0x80
       [<000000004035e5a0>] sys_lstat64+0x20/0x38
       [<0000000040180054>] syscall_exit+0x0/0x14
      
      The code was stuck in this loop in d_alloc_parallel:
      
          4037d414:   0e 00 10 dc     ldd 0(r16),ret0
          4037d418:   c7 fc 5f ed     bb,< ret0,1f,4037d414 <d_alloc_parallel+0x384>
          4037d41c:   08 00 02 40     nop
      
      This is the inner loop of bit_spin_lock which is called by hlist_bl_unlock in
      d_alloc_parallel:
      
      static inline void bit_spin_lock(int bitnum, unsigned long *addr)
      {
              /*
               * Assuming the lock is uncontended, this never enters
               * the body of the outer loop. If it is contended, then
               * within the inner loop a non-atomic test is used to
               * busywait with less bus contention for a good time to
               * attempt to acquire the lock bit.
               */
              preempt_disable();
      #if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)
              while (unlikely(test_and_set_bit_lock(bitnum, addr))) {
                      preempt_enable();
                      do {
                              cpu_relax();
                      } while (test_bit(bitnum, addr));
                      preempt_disable();
              }
      #endif
              __acquire(bitlock);
      }
      
      After consideration, I realized that we must be losing bit unlocks.
      Then, I noticed that we missed defining atomic64_set_release().
      Adding this define fixes the stalls in bit operations.
      Signed-off-by: default avatarDave Anglin <dave.anglin@bell.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69f77566
    • Qiu Wenbo's avatar
      drm/amd/powerplay: fix a crash when overclocking Vega M · c24131ef
      Qiu Wenbo authored
      commit 88bb16ad upstream.
      
      Avoid kernel crash when vddci_control is SMU7_VOLTAGE_CONTROL_NONE and
      vddci_voltage_table is empty. It has been tested on Intel Hades Canyon
      (i7-8809G).
      
      Bug: https://bugzilla.kernel.org/show_bug.cgi?id=208489
      Fixes: ac7822b0 ("drm/amd/powerplay: add smumgr support for VEGAM (v2)")
      Reviewed-by: default avatarEvan Quan <evan.quan@amd.com>
      Signed-off-by: default avatarQiu Wenbo <qiuwenbo@phytium.com.cn>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c24131ef
    • Paweł Gronowski's avatar
      drm/amdgpu: Fix NULL dereference in dpm sysfs handlers · 9468cf97
      Paweł Gronowski authored
      commit 38e0c89a upstream.
      
      NULL dereference occurs when string that is not ended with space or
      newline is written to some dpm sysfs interface (for example pp_dpm_sclk).
      This happens because strsep replaces the tmp with NULL if the delimiter
      is not present in string, which is then dereferenced by tmp[0].
      
      Reproduction example:
      sudo sh -c 'echo -n 1 > /sys/class/drm/card0/device/pp_dpm_sclk'
      Signed-off-by: default avatarPaweł Gronowski <me@woland.xyz>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9468cf97
    • Michael J. Ruhl's avatar
      io-mapping: indicate mapping failure · 4daa4031
      Michael J. Ruhl authored
      commit e0b3e0b1 upstream.
      
      The !ATOMIC_IOMAP version of io_maping_init_wc will always return
      success, even when the ioremap fails.
      
      Since the ATOMIC_IOMAP version returns NULL when the init fails, and
      callers check for a NULL return on error this is unexpected.
      
      During a device probe, where the ioremap failed, a crash can look like
      this:
      
          BUG: unable to handle page fault for address: 0000000000210000
           #PF: supervisor write access in kernel mode
           #PF: error_code(0x0002) - not-present page
           Oops: 0002 [#1] PREEMPT SMP
           CPU: 0 PID: 177 Comm:
           RIP: 0010:fill_page_dma [i915]
             gen8_ppgtt_create [i915]
             i915_ppgtt_create [i915]
             intel_gt_init [i915]
             i915_gem_init [i915]
             i915_driver_probe [i915]
             pci_device_probe
             really_probe
             driver_probe_device
      
      The remap failure occurred much earlier in the probe.  If it had been
      propagated, the driver would have exited with an error.
      
      Return NULL on ioremap failure.
      
      [akpm@linux-foundation.org: detect ioremap_wc() errors earlier]
      
      Fixes: cafaf14a ("io-mapping: Always create a struct to hold metadata about the io-mapping")
      Signed-off-by: default avatarMichael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20200721171936.81563-1-michael.j.ruhl@intel.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4daa4031
    • Muchun Song's avatar
      mm: memcg/slab: fix memory leak at non-root kmem_cache destroy · d87ddcdb
      Muchun Song authored
      commit d38a2b7a upstream.
      
      If the kmem_cache refcount is greater than one, we should not mark the
      root kmem_cache as dying.  If we mark the root kmem_cache dying
      incorrectly, the non-root kmem_cache can never be destroyed.  It
      resulted in memory leak when memcg was destroyed.  We can use the
      following steps to reproduce.
      
        1) Use kmem_cache_create() to create a new kmem_cache named A.
        2) Coincidentally, the kmem_cache A is an alias for kmem_cache B,
           so the refcount of B is just increased.
        3) Use kmem_cache_destroy() to destroy the kmem_cache A, just
           decrease the B's refcount but mark the B as dying.
        4) Create a new memory cgroup and alloc memory from the kmem_cache
           B. It leads to create a non-root kmem_cache for allocating memory.
        5) When destroy the memory cgroup created in the step 4), the
           non-root kmem_cache can never be destroyed.
      
      If we repeat steps 4) and 5), this will cause a lot of memory leak.  So
      only when refcount reach zero, we mark the root kmem_cache as dying.
      
      Fixes: 92ee383f ("mm: fix race between kmem_cache destroy, create and deactivate")
      Signed-off-by: default avatarMuchun Song <songmuchun@bytedance.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarShakeel Butt <shakeelb@google.com>
      Acked-by: default avatarRoman Gushchin <guro@fb.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Shakeel Butt <shakeelb@google.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d87ddcdb
    • Roman Gushchin's avatar
      mm: memcg/slab: synchronize access to kmem_cache dying flag using a spinlock · 763b04c6
      Roman Gushchin authored
      [ Upstream commit 63b02ef7 ]
      
      Currently the memcg_params.dying flag and the corresponding workqueue used
      for the asynchronous deactivation of kmem_caches is synchronized using the
      slab_mutex.
      
      It makes impossible to check this flag from the irq context, which will be
      required in order to implement asynchronous release of kmem_caches.
      
      So let's switch over to the irq-save flavor of the spinlock-based
      synchronization.
      
      Link: http://lkml.kernel.org/r/20190611231813.3148843-8-guro@fb.comSigned-off-by: default avatarRoman Gushchin <guro@fb.com>
      Acked-by: default avatarVladimir Davydov <vdavydov.dev@gmail.com>
      Reviewed-by: default avatarShakeel Butt <shakeelb@google.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Waiman Long <longman@redhat.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Andrei Vagin <avagin@gmail.com>
      Cc: Qian Cai <cai@lca.pw>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      763b04c6
    • Hugh Dickins's avatar
      mm/memcg: fix refcount error while moving and swapping · 91404e91
      Hugh Dickins authored
      commit 8d22a935 upstream.
      
      It was hard to keep a test running, moving tasks between memcgs with
      move_charge_at_immigrate, while swapping: mem_cgroup_id_get_many()'s
      refcount is discovered to be 0 (supposedly impossible), so it is then
      forced to REFCOUNT_SATURATED, and after thousands of warnings in quick
      succession, the test is at last put out of misery by being OOM killed.
      
      This is because of the way moved_swap accounting was saved up until the
      task move gets completed in __mem_cgroup_clear_mc(), deferred from when
      mem_cgroup_move_swap_account() actually exchanged old and new ids.
      Concurrent activity can free up swap quicker than the task is scanned,
      bringing id refcount down 0 (which should only be possible when
      offlining).
      
      Just skip that optimization: do that part of the accounting immediately.
      
      Fixes: 615d66c3 ("mm: memcontrol: fix memcg id ref counter on swap charge move")
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarAlex Shi <alex.shi@linux.alibaba.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Alex Shi <alex.shi@linux.alibaba.com>
      Cc: Shakeel Butt <shakeelb@google.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2007071431050.4726@eggly.anvilsSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      91404e91
    • Fangrui Song's avatar
      Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation · 69c12275
      Fangrui Song authored
      commit ca9b31f6 upstream.
      
      When CROSS_COMPILE is set (e.g. aarch64-linux-gnu-), if
      $(CROSS_COMPILE)elfedit is found at /usr/bin/aarch64-linux-gnu-elfedit,
      GCC_TOOLCHAIN_DIR will be set to /usr/bin/.  --prefix= will be set to
      /usr/bin/ and Clang as of 11 will search for both
      $(prefix)aarch64-linux-gnu-$needle and $(prefix)$needle.
      
      GCC searchs for $(prefix)aarch64-linux-gnu/$version/$needle,
      $(prefix)aarch64-linux-gnu/$needle and $(prefix)$needle. In practice,
      $(prefix)aarch64-linux-gnu/$needle rarely contains executables.
      
      To better model how GCC's -B/--prefix takes in effect in practice, newer
      Clang (since
      https://github.com/llvm/llvm-project/commit/3452a0d8c17f7166f479706b293caf6ac76ffd90)
      only searches for $(prefix)$needle. Currently it will find /usr/bin/as
      instead of /usr/bin/aarch64-linux-gnu-as.
      
      Set --prefix= to $(GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE))
      (/usr/bin/aarch64-linux-gnu-) so that newer Clang can find the
      appropriate cross compiling GNU as (when -no-integrated-as is in
      effect).
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarFangrui Song <maskray@google.com>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Tested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Tested-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Link: https://github.com/ClangBuiltLinux/linux/issues/1099Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69c12275
    • Tetsuo Handa's avatar
      vt: Reject zero-sized screen buffer size. · 74752b81
      Tetsuo Handa authored
      commit ce684552 upstream.
      
      syzbot is reporting general protection fault in do_con_write() [1] caused
      by vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
      caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
      fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for
      gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate()
       from con_install() from tty_init_dev() from tty_open() on such console
      causes vc->vc_pos == 0x10000000e due to
      ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).
      
      I don't think that a console with 0 column or 0 row makes sense. And it
      seems that vc_do_resize() does not intend to allow resizing a console to
      0 column or 0 row due to
      
        new_cols = (cols ? cols : vc->vc_cols);
        new_rows = (lines ? lines : vc->vc_rows);
      
      exception.
      
      Theoretically, cols and rows can be any range as long as
      0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g.
      cols == 1048576 && rows == 2 is possible) because of
      
        vc->vc_size_row = vc->vc_cols << 1;
        vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;
      
      in visual_init() and kzalloc(vc->vc_screenbuf_size) in vc_allocate().
      
      Since we can detect cols == 0 or rows == 0 via screenbuf_size = 0 in
      visual_init(), we can reject kzalloc(0). Then, vc_allocate() will return
      an error, and con_write() will not be called on a console with 0 column
      or 0 row.
      
      We need to make sure that integer overflow in visual_init() won't happen.
      Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
      1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate()
      will be practically fine.
      
      This patch does not touch con_init(), for returning -EINVAL there
      does not help when we are not returning -ENOMEM.
      
      [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8Reported-and-tested-by: default avatarsyzbot <syzbot+017265e8553724e514e8@syzkaller.appspotmail.com>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jpSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      74752b81
    • Tetsuo Handa's avatar
      fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins. · dd58bd1b
      Tetsuo Handa authored
      commit 033724d6 upstream.
      
      syzbot is reporting general protection fault in bitfill_aligned() [1]
      caused by integer underflow in bit_clear_margins(). The cause of this
      problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.
      
      If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
      is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
      bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
      info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
      try to overrun the __iomem region and causes general protection fault.
      
      Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to
      
        new_cols = (cols ? cols : vc->vc_cols);
        new_rows = (lines ? lines : vc->vc_rows);
      
      exception. Since cols and lines are calculated as
      
        cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
        rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
        cols /= vc->vc_font.width;
        rows /= vc->vc_font.height;
        vc_resize(vc, cols, rows);
      
      in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
      and var.yres < vc->vc_font.height makes rows = 0. This means that
      
        const int fd = open("/dev/fb0", O_ACCMODE);
        struct fb_var_screeninfo var = { };
        ioctl(fd, FBIOGET_VSCREENINFO, &var);
        var.xres = var.yres = 1;
        ioctl(fd, FBIOPUT_VSCREENINFO, &var);
      
      easily reproduces integer underflow bug explained above.
      
      Of course, callers of vc_resize() are not handling vc_do_resize() failure
      is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0. Therefore,
      as a band-aid workaround, this patch checks integer underflow in
      "struct fbcon_ops"->clear_margins call, assuming that
      vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.heigh do not
      cause integer overflow.
      
      [1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6Reported-and-tested-by: default avatarsyzbot <syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jpSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd58bd1b
    • Serge Semin's avatar
      serial: 8250_mtk: Fix high-speed baud rates clamping · 5ccfaf38
      Serge Semin authored
      commit 551e553f upstream.
      
      Commit 7b668c06 ("serial: 8250: Fix max baud limit in generic 8250
      port") fixed limits of a baud rate setting for a generic 8250 port.
      In other words since that commit the baud rate has been permitted to be
      within [uartclk / 16 / UART_DIV_MAX; uartclk / 16], which is absolutely
      normal for a standard 8250 UART port. But there are custom 8250 ports,
      which provide extended baud rate limits. In particular the Mediatek 8250
      port can work with baud rates up to "uartclk" speed.
      
      Normally that and any other peculiarity is supposed to be handled in a
      custom set_termios() callback implemented in the vendor-specific
      8250-port glue-driver. Currently that is how it's done for the most of
      the vendor-specific 8250 ports, but for some reason for Mediatek a
      solution has been spread out to both the glue-driver and to the generic
      8250-port code. Due to that a bug has been introduced, which permitted the
      extended baud rate limit for all even for standard 8250-ports. The bug
      has been fixed by the commit 7b668c06 ("serial: 8250: Fix max baud
      limit in generic 8250 port") by narrowing the baud rates limit back down to
      the normal bounds. Unfortunately by doing so we also broke the
      Mediatek-specific extended bauds feature.
      
      A fix of the problem described above is twofold. First since we can't get
      back the extended baud rate limits feature to the generic set_termios()
      function and that method supports only a standard baud rates range, the
      requested baud rate must be locally stored before calling it and then
      restored back to the new termios structure after the generic set_termios()
      finished its magic business. By doing so we still use the
      serial8250_do_set_termios() method to set the LCR/MCR/FCR/etc. registers,
      while the extended baud rate setting procedure will be performed later in
      the custom Mediatek-specific set_termios() callback. Second since a true
      baud rate is now fully calculated in the custom set_termios() method we
      need to locally update the port timeout by calling the
      uart_update_timeout() function. After the fixes described above are
      implemented in the 8250_mtk.c driver, the Mediatek 8250-port should
      get back to normally working with extended baud rates.
      
      Link: https://lore.kernel.org/linux-serial/20200701211337.3027448-1-danielwinkler@google.com
      
      Fixes: 7b668c06 ("serial: 8250: Fix max baud limit in generic 8250 port")
      Reported-by: default avatarDaniel Winkler <danielwinkler@google.com>
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Cc: stable <stable@vger.kernel.org>
      Tested-by: default avatarClaire Chang <tientzu@chromium.org>
      Link: https://lore.kernel.org/r/20200714124113.20918-1-Sergey.Semin@baikalelectronics.ruSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ccfaf38
    • Yang Yingliang's avatar
      serial: 8250: fix null-ptr-deref in serial8250_start_tx() · c358255f
      Yang Yingliang authored
      commit f4c23a14 upstream.
      
      I got null-ptr-deref in serial8250_start_tx():
      
      [   78.114630] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
      [   78.123778] Mem abort info:
      [   78.126560]   ESR = 0x86000007
      [   78.129603]   EC = 0x21: IABT (current EL), IL = 32 bits
      [   78.134891]   SET = 0, FnV = 0
      [   78.137933]   EA = 0, S1PTW = 0
      [   78.141064] user pgtable: 64k pages, 48-bit VAs, pgdp=00000027d41a8600
      [   78.147562] [0000000000000000] pgd=00000027893f0003, p4d=00000027893f0003, pud=00000027893f0003, pmd=00000027c9a20003, pte=0000000000000000
      [   78.160029] Internal error: Oops: 86000007 [#1] SMP
      [   78.164886] Modules linked in: sunrpc vfat fat aes_ce_blk crypto_simd cryptd aes_ce_cipher crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce ses enclosure sg sbsa_gwdt ipmi_ssif spi_dw_mmio sch_fq_codel vhost_net tun vhost vhost_iotlb tap ip_tables ext4 mbcache jbd2 ahci hisi_sas_v3_hw libahci hisi_sas_main libsas hns3 scsi_transport_sas hclge libata megaraid_sas ipmi_si hnae3 ipmi_devintf ipmi_msghandler br_netfilter bridge stp llc nvme nvme_core xt_sctp sctp libcrc32c dm_mod nbd
      [   78.207383] CPU: 11 PID: 23258 Comm: null-ptr Not tainted 5.8.0-rc6+ #48
      [   78.214056] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B210.01 03/12/2020
      [   78.222888] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--)
      [   78.228435] pc : 0x0
      [   78.230618] lr : serial8250_start_tx+0x160/0x260
      [   78.235215] sp : ffff800062eefb80
      [   78.238517] x29: ffff800062eefb80 x28: 0000000000000fff
      [   78.243807] x27: ffff800062eefd80 x26: ffff202fd83b3000
      [   78.249098] x25: ffff800062eefd80 x24: ffff202fd83b3000
      [   78.254388] x23: ffff002fc5e50be8 x22: 0000000000000002
      [   78.259679] x21: 0000000000000001 x20: 0000000000000000
      [   78.264969] x19: ffffa688827eecc8 x18: 0000000000000000
      [   78.270259] x17: 0000000000000000 x16: 0000000000000000
      [   78.275550] x15: ffffa68881bc67a8 x14: 00000000000002e6
      [   78.280841] x13: ffffa68881bc67a8 x12: 000000000000c539
      [   78.286131] x11: d37a6f4de9bd37a7 x10: ffffa68881cccff0
      [   78.291421] x9 : ffffa68881bc6000 x8 : ffffa688819daa88
      [   78.296711] x7 : ffffa688822a0f20 x6 : ffffa688819e0000
      [   78.302002] x5 : ffff800062eef9d0 x4 : ffffa68881e707a8
      [   78.307292] x3 : 0000000000000000 x2 : 0000000000000002
      [   78.312582] x1 : 0000000000000001 x0 : ffffa688827eecc8
      [   78.317873] Call trace:
      [   78.320312]  0x0
      [   78.322147]  __uart_start.isra.9+0x64/0x78
      [   78.326229]  uart_start+0xb8/0x1c8
      [   78.329620]  uart_flush_chars+0x24/0x30
      [   78.333442]  n_tty_receive_buf_common+0x7b0/0xc30
      [   78.338128]  n_tty_receive_buf+0x44/0x2c8
      [   78.342122]  tty_ioctl+0x348/0x11f8
      [   78.345599]  ksys_ioctl+0xd8/0xf8
      [   78.348903]  __arm64_sys_ioctl+0x2c/0xc8
      [   78.352812]  el0_svc_common.constprop.2+0x88/0x1b0
      [   78.357583]  do_el0_svc+0x44/0xd0
      [   78.360887]  el0_sync_handler+0x14c/0x1d0
      [   78.364880]  el0_sync+0x140/0x180
      [   78.368185] Code: bad PC value
      
      SERIAL_PORT_DFNS is not defined on each arch, if it's not defined,
      serial8250_set_defaults() won't be called in serial8250_isa_init_ports(),
      so the p->serial_in pointer won't be initialized, and it leads a null-ptr-deref.
      Fix this problem by calling serial8250_set_defaults() after init uart port.
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200721143852.4058352-1-yangyingliang@huawei.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c358255f
    • Ian Abbott's avatar
      staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift · f96ab42f
      Ian Abbott authored
      commit 926234f1 upstream.
      
      The `INSN_CONFIG` comedi instruction with sub-instruction code
      `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is
      used as a right shift amount for other bitmask values without being
      checked.  Shift amounts greater than or equal to 32 will result in
      undefined behavior.  Add code to deal with this.
      
      Fixes: 1e15687e ("staging: comedi: addi_apci_1564: add Change-of-State interrupt subdevice and required functions")
      Cc: <stable@vger.kernel.org> #3.17+
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Link: https://lore.kernel.org/r/20200717145257.112660-4-abbotti@mev.co.ukSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f96ab42f
    • Ian Abbott's avatar
      staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift · 3027b255
      Ian Abbott authored
      commit fc846e9d upstream.
      
      The `INSN_CONFIG` comedi instruction with sub-instruction code
      `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is
      used as a right shift amount for other bitmask values without being
      checked.  Shift amounts greater than or equal to 32 will result in
      undefined behavior.  Add code to deal with this, adjusting the checks
      for invalid channels so that enabled channel bits that would have been
      lost by shifting are also checked for validity.  Only channels 0 to 15
      are valid.
      
      Fixes: a8c66b68 ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
      Cc: <stable@vger.kernel.org> #4.0+: ef75e14a: staging: comedi: verify array index is correct before using it
      Cc: <stable@vger.kernel.org> #4.0+
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Link: https://lore.kernel.org/r/20200717145257.112660-5-abbotti@mev.co.ukSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3027b255
    • Ian Abbott's avatar
      staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support · 8f6e8ce1
      Ian Abbott authored
      commit f07804ec upstream.
      
      `ni6527_intr_insn_config()` processes `INSN_CONFIG` comedi instructions
      for the "interrupt" subdevice.  When `data[0]` is
      `INSN_CONFIG_DIGITAL_TRIG` it is configuring the digital trigger.  When
      `data[2]` is `COMEDI_DIGITAL_TRIG_ENABLE_EDGES` it is configuring rising
      and falling edge detection for the digital trigger, using a base channel
      number (or shift amount) in `data[3]`, a rising edge bitmask in
      `data[4]` and falling edge bitmask in `data[5]`.
      
      If the base channel number (shift amount) is greater than or equal to
      the number of channels (24) of the digital input subdevice, there are no
      changes to the rising and falling edges, so the mask of channels to be
      changed can be set to 0, otherwise the mask of channels to be changed,
      and the rising and falling edge bitmasks are shifted by the base channel
      number before calling `ni6527_set_edge_detection()` to change the
      appropriate registers.  Unfortunately, the code is comparing the base
      channel (shift amount) to the interrupt subdevice's number of channels
      (1) instead of the digital input subdevice's number of channels (24).
      Fix it by comparing to 32 because all shift amounts for an `unsigned
      int` must be less than that and everything from bit 24 upwards is
      ignored by `ni6527_set_edge_detection()` anyway.
      
      Fixes: 110f9e68 ("staging: comedi: ni_6527: support INSN_CONFIG_DIGITAL_TRIG")
      Cc: <stable@vger.kernel.org> # 3.17+
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Link: https://lore.kernel.org/r/20200717145257.112660-2-abbotti@mev.co.ukSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f6e8ce1
    • Ian Abbott's avatar
      staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift · 97ab1fd6
      Ian Abbott authored
      commit 0bd0db42 upstream.
      
      The `INSN_CONFIG` comedi instruction with sub-instruction code
      `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is
      used as a right shift amount for other bitmask values without being
      checked.  Shift amounts greater than or equal to 32 will result in
      undefined behavior.  Add code to deal with this.
      
      Fixes: 33cdce62 ("staging: comedi: addi_apci_1032: conform to new INSN_CONFIG_DIGITAL_TRIG")
      Cc: <stable@vger.kernel.org> #3.8+
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Link: https://lore.kernel.org/r/20200717145257.112660-3-abbotti@mev.co.ukSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97ab1fd6
    • Rustam Kovhaev's avatar
      staging: wlan-ng: properly check endpoint types · d7d38ab3
      Rustam Kovhaev authored
      commit faaff976 upstream.
      
      As syzkaller detected, wlan-ng driver does not do sanity check of
      endpoints in prism2sta_probe_usb(), add check for xfer direction and type
      
      Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com
      Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723Signed-off-by: default avatarRustam Kovhaev <rkovhaev@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200722161052.999754-1-rkovhaev@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7d38ab3