The syzbot fuzzer found a race between uevent callbacks and gadget
driver unregistration that can cause a use-after-free bug:
---------------------------------------------------------------
BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130
drivers/usb/gadget/udc/core.c:1732
Read of size 8 at addr ffff888078ce2050 by task udevd/2968
CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
06/29/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
dev_uevent+0x290/0x770 drivers/base/core.c:2424
---------------------------------------------------------------
The bug occurs because usb_udc_uevent() dereferences udc->driver but
does so without acquiring the udc_lock mutex, which protects this
field. If the gadget driver is unbound from the udc concurrently with
uevent processing, the driver structure may be accessed after it has
been deallocated.
To prevent the race, we make sure that the routine holds the mutex
around the racing accesses.
Link: <https://lore.kernel.org/all/0000000000004de90405a719c951@google.com>
CC: stable@vger.kernel.org # fc274c1e99
Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Usb core introduce the mechanism of giveback of URB in tasklet context to
reduce hardware interrupt handling time. On some test situation(such as
FIO with 4KB block size), when tasklet callback function called to
giveback URB, interrupt handler add URB node to the bh->head list also.
If check bh->head list again after finish all URB giveback of local_list,
then it may introduce a "dynamic balance" between giveback URB and add URB
to bh->head list. This tasklet callback function may not exit for a long
time, which will cause other tasklet function calls to be delayed. Some
real-time applications(such as KB and Mouse) will see noticeable lag.
In order to prevent the tasklet function from occupying the cpu for a long
time at a time, new URBS will not be added to the local_list even though
the bh->head list is not empty. But also need to ensure the left URB
giveback to be processed in time, so add a member high_prio for structure
giveback_urb_bh to prioritize tasklet and schelule this tasklet again if
bh->head list is not empty.
At the same time, we are able to prioritize tasklet through structure
member high_prio. So, replace the local high_prio_bh variable with this
structure member in usb_hcd_giveback_urb.
Fixes: 94dfd7edfd ("USB: HCD: support giveback of URB in tasklet context")
Cc: stable <stable@kernel.org>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is a minor bug which means that certain error messages are not
printed.
The devm_gpiod_get_optional() function can return either error pointers
or NULL. It returns error pointers if there is an allocation failure,
or a similar issue. It returns NULL if no GPIO was assigned to the
requested function. Print an error in either case.
The gpiod_to_irq() function never returns zero. It either returns
a positive IRQ number or a negative error code.
Fixes: fe6d8a9c8e ("usb: typec: anx7411: Add Analogix PD ANX7411 support")
Reviewed-by: Xin Ji <xji@analogixsemi.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YtpDs8VsWIbl/Smd@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There is no need to store the result of the & operation back to the
variable var. The store is redundant, replace &= with just &.
Cleans up clang scan warning:
drivers/usb/phy/phy-keystone.c:62:5: warning: Although the value stored to
'val' is used in the enclosing expression, the value is never actually read
from 'val' [deadcode.DeadStores]
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Link: https://lore.kernel.org/r/20220715225657.353828-1-colin.i.king@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wenjia Zhang says:
====================
net/smc: updates 2022-07-25
please apply the following patches to netdev's net-next tree.
These patches do some preparation to make ISM available for uses beyond
SMC-D, and a bunch of cleanups.
v2: add "Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>"
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Previously, the smc and smc_diag modules were automatically loaded as
dependencies of the ism module whenever an ISM device was present.
With the pending rework of the ISM API, the smc module will no longer
automatically be loaded in presence of an ISM device. Usage of an AF_SMC
socket will still trigger loading of the smc modules, but usage of a
netlink socket will not.
This is addressed by setting the correct module aliases.
Signed-off-by: Stefan Raspl <raspl@linux.ibm.com>
Signed-off-by: Wenjia Zhang < wenjia@linux.ibm.com>
Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reworked signature of the function to retrieve the system EID: No plausible
reason to use a double pointer. And neither to pass in the device as an
argument, as this identifier is by definition per system, not per device.
Plus some minor consistency edits.
Signed-off-by: Stefan Raspl <raspl@linux.ibm.com>
Signed-off-by: Wenjia Zhang < wenjia@linux.ibm.com>
Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We try using cancel_delayed_work_sync() to prevent the work from
enabling NAPI. This is insufficient since we don't disable the source
of the refill work scheduling. This means an NAPI poll callback after
cancel_delayed_work_sync() can schedule the refill work then can
re-enable the NAPI that leads to use-after-free [1].
Since the work can enable NAPI, we can't simply disable NAPI before
calling cancel_delayed_work_sync(). So fix this by introducing a
dedicated boolean to control whether or not the work could be
scheduled from NAPI.
[1]
==================================================================
BUG: KASAN: use-after-free in refill_work+0x43/0xd4
Read of size 2 at addr ffff88810562c92e by task kworker/2:1/42
CPU: 2 PID: 42 Comm: kworker/2:1 Not tainted 5.19.0-rc1+ #480
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events refill_work
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report.cold+0xbb/0x6ac
? _printk+0xad/0xde
? refill_work+0x43/0xd4
kasan_report+0xa8/0x130
? refill_work+0x43/0xd4
refill_work+0x43/0xd4
process_one_work+0x43d/0x780
worker_thread+0x2a0/0x6f0
? process_one_work+0x780/0x780
kthread+0x167/0x1a0
? kthread_exit+0x50/0x50
ret_from_fork+0x22/0x30
</TASK>
...
Fixes: b2baed69e6 ("virtio_net: set/cancel work on ndo_open/ndo_stop")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Along with saying "Please install Qt5 ...", tell exactly which
parts of Qt5 are needed. This is useful when parts of Qt5 are
installed but some of the required pieces are missing, and it
eliminates the need for the user to find the shell script and
the line in it that provide that information.
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Since commit 269a535ca9 ("modpost: generate vmlinux.symvers and
reuse it for the second modpost"), modpost only parses relocatable
files (ET_REL).
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
scripts/checkstack.pl lacks support for the riscv architecture. Add
support to detect "addi sp,sp,-FRAME_SIZE" stack frame generation instruction
Signed-off-by: Wadim Mueller <wafgo01@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
The cc-option macro creates the temporary directory, .tmp_$$$$.
Shell expands '$$' into its process ID. '$$$$' results in repeated PID.
In Makefile, '$$$$' is correct (see TMPOUT in scripts/Malefile.compiler)
because '$$' is an escape sequence of '$'. Make expands '$$$$' into '$$',
then shell expands it into the process ID.
This does not apply to Kconfig because Kconfig requires variable
references to be enclosed by curly braces, like ${variable}.
The '$' that is not followed by '{' loses its effect.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Tested-by: Nicolas Schier <nicolas@fjasle.eu>
Remove two dated config leak ignore entries from scripts/headers_install.sh:
arch/alpha/include/uapi/asm/setup.h does no more leak any CONFIG_* symbol to
user-space any more since commit 3cb8b1537f ("alpha: Move setup.h out of
uapi").
Same holds for include/uapi/asm-generic/fcntl.h since commit 306f7cc1e9
("uapi: always define F_GETLK64/F_SETLK64/F_SETLKW64 in fcntl.h").
Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
If the directory path given to INSTALL_MOD_PATH contains % or :,
the module_install fails.
% is used in pattern rules, and : as the separator of dependencies.
Bail out with a clearer error message.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>
If the directory path given to KBUILD_EXTMOD (or M=) contains % or :,
the module fails to build.
% is used in pattern rules, and : as the separator of dependencies.
Bail out with a clearer error message.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nicolas Schier <n.schier@avm.de>
Presumably, _target_os is defined even if the --target flag does not
specify it, but it is better to make it explicit.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Cross-building (bin)rpm-pkg fails on several architectures.
For example, 'make ARCH=arm binrpm-pkg' fails like follows:
sh ./scripts/package/mkspec prebuilt > ./binkernel.spec
rpmbuild --define "_builddir ." --target \
arm -bb ./binkernel.spec
Building target platforms: arm
Building for target arm
warning: line 19: It's not recommended to have unversioned Obsoletes: Obsoletes: kernel-headers
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.0S8t2F
+ umask 022
+ cd .
+ mkdir -p /home/masahiro/rpmbuild/BUILDROOT/kernel-5.19.0_rc6-19.%{_arch}/boot
+ make -f ./Makefile image_name
+ cp arch/arm/boot/zImage /home/masahiro/rpmbuild/BUILDROOT/kernel-5.19.0_rc6-19.%{_arch}/boot/vmlinuz-5.19.0-rc6
+ make -f ./Makefile INSTALL_MOD_PATH=/home/masahiro/rpmbuild/BUILDROOT/kernel-5.19.0_rc6-19.%{_arch} modules_install
make[3]: *** No rule to make target '/home/masahiro/rpmbuild/BUILDROOT/kernel-5.19.0_rc6-19.arch/arm/crypto/aes-arm-bs.ko{_arch}/lib/modules/5.19.0-rc6/kernel/%', needed by '__modinst'. Stop.
make[2]: *** [Makefile:1768: modules_install] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.0S8t2F (%install)
By default, 'buildroot' contains %{_arch} (see /usr/lib/rpm/macros).
_arch is generally defined in /usr/lib/rpm/platforms/*/macros, where
the platform sub-directory is specified by --target= option for cross
builds.
If the given arch does not exist, %{_arch} is not expanded.
In the example above, --target=arm is passed to rpmbuild, but
/usr/lib/rpm/platforms/arm-linux/ does not exist.
The '%' character in the path confuses GNU make and rpmbuild.
The same occurs for such architectures as csky, microblaze, nios2, etc.
Define _arch if it has not been defined.
Reported-by: Jason Self <jason@bluehome.net>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
When passed -print-file-name=plugin, the dummy gcc script creates a
temporary directory that is never cleaned up. To avoid cluttering
$TMPDIR, instead use a static directory included in the source tree.
Fixes: 76426e2388 ("kbuild: add dummy toolchains to enable all cc-option etc. in Kconfig")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
This reverts commit 4d10c223ba.
Commit 37744feebc ("sh: remove sh5 support") removed the sh64 support
entirely.
Note:
.cranges was only used for sh64 ever.
Commit 211dc24b8744 ("Remove sh5 and sh64 support") in binutils-gdb
already removed the relevant code.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
CONFIG_KALLSYMS_ALL is required for kernel live patching which is a
common use case that is enabled in some major distros. Update the
Kconfig help text to reflect that.
While at it, s/e.g./i.e./ to match the text intention.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
The difference in most compilers between `-O3` and `-O2` is mostly down
to whether loops with statically determinable trip counts are fully
unrolled vs unrolled to a multiple of SIMD width.
This patch is effectively a revert of
commit 15f5db60a1 ("kbuild,arc: add
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3 for ARC") without re-adding
ARCH_CFLAGS
Ever since
commit cfdbc2e16e ("ARC: Build system: Makefiles, Kconfig, Linker
script")
ARC has been built with -O3, though the reason for doing so was not
specified in inline comments or the commit message. This commit does not
re-add -O3 to arch/arc/Makefile.
Folks looking to experiment with `-O3` (or any compiler flag for that
matter) may pass them along to the command line invocation of make:
$ make KCFLAGS=-O3
Code that looks to re-add an explicit Kconfig option for `-O3` should
provide:
1. A rigorous and reproducible performance profile of a reasonable
userspace workload that demonstrates a hot loop in the kernel that
would benefit from `-O3` over `-O2`.
2. Disassembly of said loop body before and after.
3. Provides stats on terms of increase in file size.
Link: https://lore.kernel.org/linux-kbuild/CA+55aFz2sNBbZyg-_i8_Ldr2e8o9dfvdSfHHuRzVtP2VMAUWPg@mail.gmail.com/
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Replace a pipeline of echo and sed with printf to decrease process forks.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
The afe_priv->dai_priv[] is allocated when platform driver probe(), if it
failed, the ASoC platform driver probe() will return fail first.
Therefore, this is excessive judgment, and the condition will never be
established.
Bug report: https://www.spinics.net/lists/alsa-devel/msg145609.html
This is a semi-automatic email about new static checker warnings.
The patch ae92dcbee8: "ASoC: mediatek: mt8186: support tdm in
platform driver" from May 23, 2022, leads to the following Smatch
complaint:
sound/soc/mediatek/mt8186/mt8186-dai-tdm.c:424 mtk_dai_tdm_hw_params()
warn: variable dereferenced before check 'tdm_priv' (see line 406)
sound/soc/mediatek/mt8186/mt8186-dai-tdm.c
405 struct mtk_afe_tdm_priv *tdm_priv = afe_priv->dai_priv[tdm_id];
406 unsigned int tdm_mode = tdm_priv->tdm_mode;
^^^^^^^^^^^^^^^^^^^
Lot's of dereferences
407 unsigned int data_mode = tdm_priv->data_mode;
408 unsigned int rate = params_rate(params);
409 unsigned int channels = params_channels(params);
410 snd_pcm_format_t format = params_format(params);
411 unsigned int bit_width =
412 snd_pcm_format_physical_width(format);
413 unsigned int tdm_channels = (data_mode == TDM_DATA_ONE_PIN) ?
414 get_tdm_ch_per_sdata(tdm_mode, channels) : 2;
415 unsigned int lrck_width =
416 get_tdm_lrck_width(format, tdm_mode);
417 unsigned int tdm_con = 0;
418 bool slave_mode = tdm_priv->slave_mode;
419 bool lrck_inv = tdm_priv->lck_invert;
420 bool bck_inv = tdm_priv->bck_invert;
421 unsigned int tran_rate;
422 unsigned int tran_relatch_rate;
423
424 if (!tdm_priv) {
^^^^^^^^^
Checked too late
425 dev_err(afe->dev, "%s(), tdm_priv == NULL", __func__);
426 return -EINVAL;
Fixes: ae92dcbee8 ("ASoC: mediatek: mt8186: support tdm in platform driver")
Signed-off-by: Jiaxin Yu <jiaxin.yu@mediatek.com>
Link: https://lore.kernel.org/r/20220726154220.28141-1-jiaxin.yu@mediatek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
IBS support has been enhanced with two new features in upcoming uarch:
1. DataSrc extension and
2. L3 miss filtering.
Additional set of bits has been introduced in IBS registers to use these
features. Define these new bits into arch/x86/ header.
[ bp: Massage commit message. ]
Signed-off-by: Ravi Bangoria <ravi.bangoria@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20220604044519.594-7-ravi.bangoria@amd.com
With GCC 12, corenet64_smp_defconfig leads to the following build errors:
CC arch/powerpc/kernel/irq.o
{standard input}: Assembler messages:
{standard input}:3616: Error: unrecognized opcode: `wrteei'
{standard input}:5689: Error: unrecognized opcode: `wrteei'
CC arch/powerpc/kernel/pmc.o
{standard input}: Assembler messages:
{standard input}:42: Error: unrecognized opcode: `mfpmr'
{standard input}:53: Error: unrecognized opcode: `mtpmr'
CC arch/powerpc/kernel/io.o
{standard input}: Assembler messages:
{standard input}:376: Error: unrecognized opcode: `mbar'
...
CC arch/powerpc/mm/nohash/book3e_hugetlbpage.o
{standard input}: Assembler messages:
{standard input}:291: Error: unrecognized opcode: `tlbsx'
{standard input}:482: Error: unrecognized opcode: `tlbwe'
{standard input}:608: Error: unrecognized opcode: `lbarx'
{standard input}:608: Error: unrecognized opcode: `stbcx.'
-mpcu=powerpc64 cannot be used anymore for book3e, it must be a booke CPU.
But then we get:
CC arch/powerpc/lib/xor_vmx.o
cc1: error: AltiVec not supported in this target
Altivec is not supported with -mcpu=e5500 so don't allow selection
of altivec when e5500 is selected.
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/77255a5a957967723b84d0356d9e5fb21569f4e8.1657549153.git.christophe.leroy@csgroup.eu
