Fuzzing uncovered race condition between sysfs code paths in usbip
drivers. Device connect/disconnect code paths initiated through
sysfs interface are prone to races if disconnect happens during
connect and vice versa.
This problem is common to all drivers while it can be reproduced easily
in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
Use this in vhci_hcd to protect sysfs paths. For a complete fix, usbip_host
and usbip-vudc drivers and the event handler will have to use this lock to
protect the paths. These changes will be done in subsequent patches.
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb into usb-linus
Peter writes:
Fixes one issue with dequeuing requests after disabling endpoint for cdnsp udc driver
* tag 'v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb:
usb: cdnsp: Fixes issue with dequeuing requests after disabling endpoint
Add GDBIO implementation for the xtensa semihosting interface. It offers
less functions than the simcall interface, so make some semihosting
functions optional and return error when implementation is not
available.
Add Kconfig menu to select semihosting implementation and add simcall and
GDBIO choices there.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Disconnect existing ISS simcall implementation from the semihosting
interface to allow for alternative implementations selectable at
configure time.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Commit a9f2fc628e ("xtensa: cleanup MMU setup and kernel layout macros")
removed the use of a2 in the beginning of the initialize_mmu macro, but
left the register load that is no longer used. Remove it as well.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
pgprot_noncached assumes that cache bypass attribute is represented as
zero. This may not always be true. Fix pgprot_noncached definition by
adding _PAGE_CA_BYPASS to the result.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Functions coherent_kvaddr, clear_page_alias and copy_page_alias use
physical address 0 as a special value that means 'this page is in the
KSEG mapping and its existing virtual address has the same color as the
virtual address of its future mapping, so don't map it to the
TLBTEMP_BASE area'.
Simplify this logic and drop special handling of low memory pages/pages
with coherent mapping and always use TLBTEMP_BASE area.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Many architectures duplicate similar shell scripts.
This commit converts xtensa to use scripts/syscallhdr.sh.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Message-Id: <20210301153656.363839-3-masahiroy@kernel.org>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Many architectures duplicate similar shell scripts.
This commit converts xtensa to use scripts/syscalltbl.sh.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Message-Id: <20210301153656.363839-2-masahiroy@kernel.org>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
arch/xtensa/kernel/syscalls/syscalltbl.sh fills missing syscall numbers
with sys_ni_syscall.
So, the generated arch/xtensa/include/generated/asm/syscall_table.h
has no hole.
Hence, the line:
[0 ... __NR_syscalls - 1] = (syscall_t)&sys_ni_syscall,
is meaningless.
The number of generated __SYSCALL() macros is the same as __NR_syscalls
(this is 442 as of v5.11).
Hence, the array size, [__NR_syscalls] is unneeded.
The designated initializer, '[nr] =', is also unneeded.
This file does not need to know __NR_syscalls. Drop the unneeded
<asm/unistd.h> include directive.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Message-Id: <20210301153656.363839-1-masahiroy@kernel.org>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
No one uses these as environment variables.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Message-Id: <20210313122342.69995-2-masahiroy@kernel.org>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Move the definition of CONFIG_CPU_*_ENDIAN to Kconfig, the best place
for CONFIG options.
I slightly simplified the test code. You can use the -P option to suppress
linemarker generation. The grep command is unneeded.
$ echo __XTENSA_EB__ | xtensa-linux-gcc -E -
# 1 "<stdin>"
# 1 "<built-in>"
# 1 "<command-line>"
# 1 "<stdin>"
1
$ echo __XTENSA_EB__ | xtensa-linux-gcc -E -P -
1
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Message-Id: <20210313122342.69995-1-masahiroy@kernel.org>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
There is a spelling mistake in the Kconfig help text. Fix it.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Message-Id: <20201217172427.58009-1-colin.king@canonical.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
The dummy implementation was missing static inline triggering the following
compile warning on llvm.
In file included from arch/x86/kvm/svm/sev.c:17:
>> include/linux/misc_cgroup.h:98:15: warning: no previous prototype for function 'misc_cg_res_total_usage' [-Wmissing-prototypes]
unsigned long misc_cg_res_total_usage(enum misc_res_type type)
^
include/linux/misc_cgroup.h:98:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
unsigned long misc_cg_res_total_usage(enum misc_res_type type)
^
static
1 warning generated.
Add it.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: kernel test robot <lkp@intel.com>
For each device, the nosy driver allocates a pcilynx structure.
A use-after-free might happen in the following scenario:
1. Open nosy device for the first time and call ioctl with command
NOSY_IOC_START, then a new client A will be malloced and added to
doubly linked list.
2. Open nosy device for the second time and call ioctl with command
NOSY_IOC_START, then a new client B will be malloced and added to
doubly linked list.
3. Call ioctl with command NOSY_IOC_START for client A, then client A
will be readded to the doubly linked list. Now the doubly linked
list is messed up.
4. Close the first nosy device and nosy_release will be called. In
nosy_release, client A will be unlinked and freed.
5. Close the second nosy device, and client A will be referenced,
resulting in UAF.
The root cause of this bug is that the element in the doubly linked list
is reentered into the list.
Fix this bug by adding a check before inserting a client. If a client
is already in the linked list, don't insert it.
The following KASAN report reveals it:
BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210
Write of size 8 at addr ffff888102ad7360 by task poc
CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
nosy_release+0x1ea/0x210
__fput+0x1e2/0x840
task_work_run+0xe8/0x180
exit_to_user_mode_prepare+0x114/0x120
syscall_exit_to_user_mode+0x1d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xae
Allocated by task 337:
nosy_open+0x154/0x4d0
misc_open+0x2ec/0x410
chrdev_open+0x20d/0x5a0
do_dentry_open+0x40f/0xe80
path_openat+0x1cf9/0x37b0
do_filp_open+0x16d/0x390
do_sys_openat2+0x11d/0x360
__x64_sys_open+0xfd/0x1a0
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 337:
kfree+0x8f/0x210
nosy_release+0x158/0x210
__fput+0x1e2/0x840
task_work_run+0xe8/0x180
exit_to_user_mode_prepare+0x114/0x120
syscall_exit_to_user_mode+0x1d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)
[ Modified to use 'list_empty()' inside proper lock - Linus ]
Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/
Reported-and-tested-by: 马哲宇 (Zheyu Ma) <zheyuma97@gmail.com>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
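The double insertion described in steps 1-4 above can be replayed on a userspace model of the kernel's circular list. This is an added example, not code from the nosy driver: `struct client`, `client_start()` and `stale_refs_after_release()` are hypothetical names, and the model is single-threaded, so the lock the fix takes around the `list_empty()` check is not shown.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

static void list_del_init(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    init_list(e);
}

/* Hypothetical stand-in for the per-open client object. */
struct client { struct list_head link; };

/* Start handler: with 'guarded' set, a client already on the list is refused. */
static bool client_start(struct client *c, struct list_head *head, bool guarded)
{
    if (guarded && !list_empty(&c->link))
        return false;
    list_add_tail(&c->link, head);
    return true;
}

/* Replays steps 1-4 and counts list pointers still aimed at client A after
 * it has been unlinked, i.e. pointers that would dangle once A is freed. */
static int stale_refs_after_release(bool guarded)
{
    struct list_head head;
    struct client a, b;

    init_list(&head); init_list(&a.link); init_list(&b.link);
    client_start(&a, &head, guarded);   /* step 1 */
    client_start(&b, &head, guarded);   /* step 2 */
    client_start(&a, &head, guarded);   /* step 3: second start on A */
    list_del_init(&a.link);             /* step 4: release unlinks A */

    return (head.next == &a.link) + (head.prev == &a.link) +
           (b.link.next == &a.link) + (b.link.prev == &a.link);
}

int main(void)
{
    printf("unguarded: %d stale pointers\n", stale_refs_after_release(false));
    printf("guarded:   %d stale pointers\n", stale_refs_after_release(true));
    return 0;
}
```

In the unguarded run the list head and client B both keep a pointer to A after A is unlinked, which is the state in which step 5 touches freed memory.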
When register fails, clk will be freed, which will cause a dangling pointer
problem in later references. It should return directly.
Signed-off-by: Jian Dong <dongjian@yulong.com>
Signed-off-by: Abel Vesa <abel.vesa@nxp.com>
- The sys2_pll_50m should be one of the clock sels of PCIE_AUX clock.
Change the sys2_pll_500m to sys2_pll_50m.
- Correct one misspelling in the imx8mq_pcie1_ctrl_sels definition, from
"sys2_pll_250m" to "sys2_pll_333m".
Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
Signed-off-by: Abel Vesa <abel.vesa@nxp.com>
In the i.MX8MP PCIe design, the PCIe PHY REF clock comes from external
OSC or internal system PLL. It is configured in the IOMUX_GPR14 register
directly, and can't be controlled by CCM at all.
Remove the PCIE PHY clock from the clock driver to clean up the code.
There is only one PCIe in i.MX8MP, so remove the nonexistent second PCIe
related clocks.
Remove the nonexistent clock IDs together.
Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
Reviewed-by: Jason Liu <jason.hui.liu@nxp.com>
Signed-off-by: Abel Vesa <abel.vesa@nxp.com>
Most if not all i.MX SoC's call a function which enables all UARTS.
This is a problem for users who need to re-parent the clock source,
because any attempt to change the parent results in a busy error
due to the fact that the clocks have been enabled already.
clk: failed to reparent uart1 to sys_pll1_80m: -16
Instead of pre-initializing all UARTS, scan the device tree to see
which UART clocks are associated to stdout, and only enable those
UART clocks if it's needed early. This will move initialization of
the remaining clocks until after the parenting of the clocks.
When the clocks are shutdown, this mechanism will also disable any
clocks that were pre-initialized.
Fixes: 9461f7b33d ("clk: fix CLK_SET_RATE_GATE with clock rate protection")
Suggested-by: Aisheng Dong <aisheng.dong@nxp.com>
Signed-off-by: Adam Ford <aford173@gmail.com>
Reviewed-by: Abel Vesa <abel.vesa@nxp.com>
Tested-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Abel Vesa <abel.vesa@nxp.com>
Move rmtfs memory region so that it does not overlap with system
RAM (kernel data) when KAsan is enabled. This puts rmtfs right
after mba_mem which is not supposed to increase beyond 0x94600000.
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Sujit Kautkar <sujitka@chromium.org>
Link: https://lore.kernel.org/r/20210330014610.1451198-1-sujitka@chromium.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
This is a trogdor variant, required to have a sound node variable
for the coachz specific platform.
Tested-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20210314061054.19451-3-srivasam@codeaurora.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Add dai link for supporting lpass I2S driver, which is used
for audio capture and playback.
Add lpass-cpu node with pin controls and i2s primary
and secondary dai-links.
Tested-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
Signed-off-by: V Sujith Kumar Reddy <vsujithk@codeaurora.org>
Signed-off-by: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
Link: https://lore.kernel.org/r/20210314061054.19451-2-srivasam@codeaurora.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
RNG (Random Number Generator) in SM8350 features PRNG EE (Execution
Environment), hence add devicetree support for it.
Reviewed-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Robert Foss <robert.foss@linaro.org>
Link: https://lore.kernel.org/r/20210401101536.1014560-1-robert.foss@linaro.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Add regulator devices for SC7280 as RPMh regulators. This ensures
that consumers are able to modify the physical state of PMIC
regulators.
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: satya priya <skakit@codeaurora.org>
Link: https://lore.kernel.org/r/1617192339-3760-4-git-send-email-skakit@codeaurora.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Secure Encrypted Virtualization (SEV) and Secure Encrypted
Virtualization - Encrypted State (SEV-ES) ASIDs are used to encrypt KVMs
on AMD platform. These ASIDs are available in the limited quantities on
a host.
Register their capacity and usage to the misc controller for tracking
via cgroups.
Signed-off-by: Vipin Sharma <vipinsh@google.com>
Reviewed-by: David Rientjes <rientjes@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Documentation of miscellaneous cgroup controller. This new controller is
used to track and limit the usage of scalar resources.
Signed-off-by: Vipin Sharma <vipinsh@google.com>
Reviewed-by: David Rientjes <rientjes@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
The Miscellaneous cgroup provides the resource limiting and tracking
mechanism for the scalar resources which cannot be abstracted like the
other cgroup resources. Controller is enabled by the CONFIG_CGROUP_MISC
config option.
A resource can be added to the controller via enum misc_res_type{} in
the include/linux/misc_cgroup.h file and the corresponding name via
misc_res_name[] in the kernel/cgroup/misc.c file. Provider of the
resource must set its capacity prior to using the resource by calling
misc_cg_set_capacity().
Once a capacity is set then the resource usage can be updated using
charge and uncharge APIs. All of the APIs to interact with misc
controller are in include/linux/misc_cgroup.h.
Miscellaneous controller provides 3 interface files. If two misc
resources (res_a and res_b) are registered then:

misc.capacity
  A read-only flat-keyed file shown only in the root cgroup. It shows
  miscellaneous scalar resources available on the platform along with
  their quantities::

    $ cat misc.capacity
    res_a 50
    res_b 10

misc.current
  A read-only flat-keyed file shown in the non-root cgroups. It shows
  the current usage of the resources in the cgroup and its children::

    $ cat misc.current
    res_a 3
    res_b 0

misc.max
  A read-write flat-keyed file shown in the non-root cgroups. Allowed
  maximum usage of the resources in the cgroup and its children::

    $ cat misc.max
    res_a max
    res_b 4

  Limit can be set by::

    # echo res_a 1 > misc.max

  Limit can be set to max by::

    # echo res_a max > misc.max

  Limits can be set more than the capacity value in the misc.capacity
  file.
Signed-off-by: Vipin Sharma <vipinsh@google.com>
Reviewed-by: David Rientjes <rientjes@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
There are two workqueue-specific watchdog timestamps:
+ @wq_watchdog_touched_cpu (per-CPU) updated by
touch_softlockup_watchdog()
+ @wq_watchdog_touched (global) updated by
touch_all_softlockup_watchdogs()
watchdog_timer_fn() checks only the global @wq_watchdog_touched for
unbound workqueues. As a result, unbound workqueues are not aware
of touch_softlockup_watchdog(). The watchdog might report a stall
even when the unbound workqueues are blocked by a known slow code.
Solution:
touch_softlockup_watchdog() must touch also the global @wq_watchdog_touched
timestamp.
The global timestamp can no longer be used for bound workqueues because
it is now updated from all CPUs. Instead, bound workqueues have to check
only @wq_watchdog_touched_cpu and these timestamps have to be updated for
all CPUs in touch_all_softlockup_watchdogs().
Beware:
The change might cause the opposite problem. An unbound workqueue
might get blocked on CPU A because of a real softlockup. The workqueue
watchdog would miss it when the timestamp got touched on CPU B.
It is acceptable because softlockups are detected by softlockup
watchdog. The workqueue watchdog is there to detect stalls where
a work never finishes, for example, because of dependencies of works
queued into the same workqueue.
V3:
- Modify the commit message clearly according to Petr's suggestion.
Signed-off-by: Wang Qing <wangqing@vivo.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
The debug_work_activate() is called on the premise that
the work can be inserted, because if the wq is in WQ_DRAINING
status, inserting work may fail.
Fixes: e41e704bc4 ("workqueue: improve destroy_workqueue() debuggability")
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
The Maxim fuel gauge datasheets describe the interrupt line as active
low with a requirement of acknowledge from the CPU. The falling edge
interrupt will mostly work but it's not correct.
Fixes: da8d46992e ("ARM: dts: qcom: msm8974-klte: Add fuel gauge")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-By: Iskren Chernev <iskren.chernev@gmail.com>
Tested-By: Iskren Chernev <iskren.chernev@gmail.com>
Link: https://lore.kernel.org/r/20210303182816.137255-2-krzk@kernel.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
The Maxim fuel gauge datasheets describe the interrupt line as active
low with a requirement of acknowledge from the CPU. The falling edge
interrupt will mostly work but it's not correct.
Fixes: 45dfa741df ("ARM: dts: qcom: msm8974-lge-nexus5: Add fuel gauge")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Iskren Chernev <iskren.chernev@gmail.com>
Link: https://lore.kernel.org/r/20210303182816.137255-1-krzk@kernel.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>