1. 10 Dec, 2019 40 commits
    • Ben Hutchings's avatar
      Linux 3.16.79 · 9f8f7f94
      Ben Hutchings authored
      9f8f7f94
    • Johan Hovold's avatar
      can: peak_usb: fix slab info leak · f1361518
      Johan Hovold authored
      commit f7a1337f upstream.
      
      Fix a small slab info leak due to a failure to clear the command buffer
      at allocation.
      
      The first 16 bytes of the command buffer are always sent to the device
      in pcan_usb_send_cmd() even though only the first two may have been
      initialised in case no argument payload is provided (e.g. when waiting
      for a response).
      
      Fixes: bb478555
      
       ("can: usb: PEAK-System Technik USB adapters driver core")
      Reported-by: syzbot+863724e7128e14b26732@syzkaller.appspotmail.com
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f1361518
    • Tomas Bortoli's avatar
      media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() · 89577bea
      Tomas Bortoli authored
      commit a10feaf8
      
       upstream.
      
      The function at issue does not always initialize each byte allocated
      for 'b' and can therefore leak uninitialized memory to a USB device in
      the call to usb_bulk_msg()
      
      Use kzalloc() instead of kmalloc()
      Signed-off-by: default avatarTomas Bortoli <tomasbortoli@gmail.com>
      Reported-by: syzbot+0522702e9d67142379f1@syzkaller.appspotmail.com
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      89577bea
    • Alan Stern's avatar
      HID: Fix assumption that devices have inputs · f703c175
      Alan Stern authored
      commit d9d4b1e4
      
       upstream.
      
      The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
      driver.  The problem is caused by the driver's assumption that the
      device must have an input report.  While this will be true for all
      normal HID input devices, a suitably malicious device can violate the
      assumption.
      
      The same assumption is present in over a dozen other HID drivers.
      This patch fixes them by checking that the list of hid_inputs for the
      hid_device is nonempty before allowing it to be used.
      
      Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      [bwh: Backported to 3.16:
       - Drop changes in hid-logitech-hidpp, hid-microsoft
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f703c175
    • Johan Hovold's avatar
      USB: iowarrior: fix use-after-free on disconnect · bc5b704c
      Johan Hovold authored
      commit edc4746f upstream.
      
      A recent fix addressing a deadlock on disconnect introduced a new bug
      by moving the present flag out of the critical section protected by the
      driver-data mutex. This could lead to a racing release() freeing the
      driver data before disconnect() is done with it.
      
      Due to insufficient locking a related use-after-free could be triggered
      also before the above mentioned commit. Specifically, the driver needs
      to hold the driver-data mutex also while checking the opened flag at
      disconnect().
      
      Fixes: c468a8aa ("usb: iowarrior: fix deadlock on disconnect")
      Fixes: 946b960d
      
       ("USB: add driver for iowarrior devices.")
      Reported-by: syzbot+0761012cebf7bdb38137@syzkaller.appspotmail.com
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Link: https://lore.kernel.org/r/20191009104846.5925-2-johan@kernel.org
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bc5b704c
    • Oliver Neukum's avatar
      usb: iowarrior: fix deadlock on disconnect · 59671090
      Oliver Neukum authored
      commit c468a8aa upstream.
      
      We have to drop the mutex before we close() upon disconnect()
      as close() needs the lock. This is safe to do by dropping the
      mutex as intfdata is already set to NULL, so open() will fail.
      
      Fixes: 03f36e88
      
       ("USB: open disconnect race in iowarrior")
      Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      59671090
    • Hillf Danton's avatar
      HID: hiddev: avoid opening a disconnected device · daec20c7
      Hillf Danton authored
      commit 9c09b214 upstream.
      
      syzbot found the following crash on:
      
      HEAD commit:    e96407b4 usb-fuzzer: main usb gadget fuzzer driver
      git tree:       https://github.com/google/kasan.git usb-fuzzer
      console output: https://syzkaller.appspot.com/x/log.txt?x=147ac20c600000
      kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
      dashboard link: https://syzkaller.appspot.com/bug?extid=62a1e04fd3ec2abf099e
      
      
      compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
      
      ==================================================================
      BUG: KASAN: use-after-free in __lock_acquire+0x302a/0x3b50
      kernel/locking/lockdep.c:3753
      Read of size 8 at addr ffff8881cf591a08 by task syz-executor.1/26260
      
      CPU: 1 PID: 26260 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #24
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x6a/0x32c mm/kasan/report.c:351
        __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
        kasan_report+0xe/0x12 mm/kasan/common.c:612
        __lock_acquire+0x302a/0x3b50 kernel/locking/lockdep.c:3753
        lock_acquire+0x127/0x320 kernel/locking/lockdep.c:4412
        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
        _raw_spin_lock_irqsave+0x32/0x50 kernel/locking/spinlock.c:159
        hiddev_release+0x82/0x520 drivers/hid/usbhid/hiddev.c:221
        __fput+0x2d7/0x840 fs/file_table.c:280
        task_work_run+0x13f/0x1c0 kernel/task_work.c:113
        exit_task_work include/linux/task_work.h:22 [inline]
        do_exit+0x8ef/0x2c50 kernel/exit.c:878
        do_group_exit+0x125/0x340 kernel/exit.c:982
        get_signal+0x466/0x23d0 kernel/signal.c:2728
        do_signal+0x88/0x14e0 arch/x86/kernel/signal.c:815
        exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:159
        prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
        do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x459829
      Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
      48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
      ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f75b2a6ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
      RAX: fffffffffffffe00 RBX: 000000000075c078 RCX: 0000000000459829
      RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075c078
      RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075c07c
      R13: 00007ffcdfe1023f R14: 00007f75b2a6d9c0 R15: 000000000075c07c
      
      Allocated by task 104:
        save_stack+0x1b/0x80 mm/kasan/common.c:69
        set_track mm/kasan/common.c:77 [inline]
        __kasan_kmalloc mm/kasan/common.c:487 [inline]
        __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
        kmalloc include/linux/slab.h:552 [inline]
        kzalloc include/linux/slab.h:748 [inline]
        hiddev_connect+0x242/0x5b0 drivers/hid/usbhid/hiddev.c:900
        hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
        hid_hw_start drivers/hid/hid-core.c:1981 [inline]
        hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
        appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
        hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
        usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
        usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
        generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
        usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
        hub_port_connect drivers/usb/core/hub.c:5098 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
        port_event drivers/usb/core/hub.c:5359 [inline]
        hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
        process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
        worker_thread+0x96/0xe20 kernel/workqueue.c:2415
        kthread+0x318/0x420 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Freed by task 104:
        save_stack+0x1b/0x80 mm/kasan/common.c:69
        set_track mm/kasan/common.c:77 [inline]
        __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
        slab_free_hook mm/slub.c:1423 [inline]
        slab_free_freelist_hook mm/slub.c:1470 [inline]
        slab_free mm/slub.c:3012 [inline]
        kfree+0xe4/0x2f0 mm/slub.c:3953
        hiddev_connect.cold+0x45/0x5c drivers/hid/usbhid/hiddev.c:914
        hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
        hid_hw_start drivers/hid/hid-core.c:1981 [inline]
        hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
        appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
        hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
        usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
        usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
        generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
        usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
        hub_port_connect drivers/usb/core/hub.c:5098 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
        port_event drivers/usb/core/hub.c:5359 [inline]
        hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
        process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
        worker_thread+0x96/0xe20 kernel/workqueue.c:2415
        kthread+0x318/0x420 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      The buggy address belongs to the object at ffff8881cf591900
        which belongs to the cache kmalloc-512 of size 512
      The buggy address is located 264 bytes inside of
        512-byte region [ffff8881cf591900, ffff8881cf591b00)
      The buggy address belongs to the page:
      page:ffffea00073d6400 refcount:1 mapcount:0 mapping:ffff8881da002500
      index:0x0 compound_mapcount: 0
      flags: 0x200000000010200(slab|head)
      raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da002500
      raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
        ffff8881cf591900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff8881cf591980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      > ffff8881cf591a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
        ffff8881cf591a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff8881cf591b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ==================================================================
      
      In order to avoid opening a disconnected device, we need to check exist
      again after acquiring the existance lock, and bail out if necessary.
      Reported-by: default avatarsyzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      daec20c7
    • Hillf Danton's avatar
      HID: hiddev: do cleanup in failure of opening a device · a2133df2
      Hillf Danton authored
      commit 6d4472d7
      
       upstream.
      
      Undo what we did for opening before releasing the memory slice.
      Reported-by: default avatarsyzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a2133df2
    • Oliver Neukum's avatar
      Input: ff-memless - kill timer in destroy() · 8145f218
      Oliver Neukum authored
      commit fa3a5a18
      
       upstream.
      
      No timer must be left running when the device goes away.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com
      Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com
      
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8145f218
    • Johan Hovold's avatar
      USB: adutux: fix use-after-free on disconnect · 22cbb8fb
      Johan Hovold authored
      commit 44efc269 upstream.
      
      The driver was clearing its struct usb_device pointer, which it used as
      an inverted disconnected flag, before deregistering the character device
      and without serialising against racing release().
      
      This could lead to a use-after-free if a racing release() callback
      observes the cleared pointer and frees the driver data before
      disconnect() is finished with it.
      
      This could also lead to NULL-pointer dereferences in a racing open().
      
      Fixes: f08812d5
      
       ("USB: FIx locks and urb->status in adutux (updated)")
      Reported-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com
      Tested-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Link: https://lore.kernel.org/r/20190925092913.8608-1-johan@kernel.org
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      22cbb8fb
    • Colin Ian King's avatar
      USB: adutux: remove redundant variable minor · 669ddcc7
      Colin Ian King authored
      commit 8444efc4
      
       upstream.
      
      Variable minor is being assigned but never read, hence it is redundant
      and can be removed. Cleans up clang warning:
      
      drivers/usb/misc/adutux.c:770:2: warning: Value stored to 'minor' is
      never read
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16 so that commit 44efc269
      
       "USB: adutux: fix
       use-after-free on disconnect" applies cleanly]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      669ddcc7
    • Paolo Bonzini's avatar
      KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) · 21377f88
      Paolo Bonzini authored
      commit 433f4ba1 upstream.
      
      The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
      KVM_GET_EMULATED_CPUID.
      
      Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
      Fixes: 84cffe49
      
       ("kvm: Emulate MOVBE", 2013-10-29)
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      21377f88
    • YueHaibing's avatar
      appletalk: Set error code if register_snap_client failed · 77251fec
      YueHaibing authored
      commit c93ad133 upstream.
      
      If register_snap_client fails in atalk_init,
      error code should be set, otherwise it will
      triggers NULL pointer dereference while unloading
      module.
      
      Fixes: 9804501f
      
       ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      77251fec
    • YueHaibing's avatar
      appletalk: Fix potential NULL pointer dereference in unregister_snap_client · 15518949
      YueHaibing authored
      commit 9804501f
      
       upstream.
      
      register_snap_client may return NULL, all the callers
      check it, but only print a warning. This will result in
      NULL pointer dereference in unregister_snap_client and other
      places.
      
      It has always been used like this since v2.6
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      15518949
    • Navid Emamdoost's avatar
      scsi: bfa: release allocated memory in case of error · 0669f62b
      Navid Emamdoost authored
      commit 0e62395d upstream.
      
      In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to
      be released.
      
      Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com
      
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0669f62b
    • Navid Emamdoost's avatar
      crypto: user - fix memory leak in crypto_report · 52373b48
      Navid Emamdoost authored
      commit ffdde593 upstream.
      
      In crypto_report, a new skb is created via nlmsg_new(). This skb should
      be released if crypto_report_alg() fails.
      
      Fixes: a38f7907
      
       ("crypto: Add userspace configuration API")
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      52373b48
    • Herbert Xu's avatar
      crypto: user - Fix crypto_alg_match race · ea8e4f79
      Herbert Xu authored
      commit 016baaa1
      
       upstream.
      
      The function crypto_alg_match returns an algorithm without taking
      any references on it.  This means that the algorithm can be freed
      at any time, therefore all users of crypto_alg_match are buggy.
      
      This patch fixes this by taking a reference count on the algorithm
      to prevent such races.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ea8e4f79
    • Navid Emamdoost's avatar
      mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring · 914927c7
      Navid Emamdoost authored
      commit d10dcb61 upstream.
      
      In mwifiex_pcie_init_evt_ring, a new skb is allocated which should be
      released if mwifiex_map_pci_memory() fails. The release for skb and
      card->evtbd_ring_vbase is added.
      
      Fixes: 0732484b
      
       ("mwifiex: separate ring initialization and ring creation routines")
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Acked-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      914927c7
    • Navid Emamdoost's avatar
      mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf · f0eed3b1
      Navid Emamdoost authored
      commit db8fd2cd upstream.
      
      In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be
      released if mwifiex_map_pci_memory() fails. The release is added.
      
      Fixes: fc331460
      
       ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Acked-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f0eed3b1
    • Navid Emamdoost's avatar
      can: gs_usb: gs_can_open(): prevent memory leak · f26d9804
      Navid Emamdoost authored
      commit fb5be6a7 upstream.
      
      In gs_can_open() if usb_submit_urb() fails the allocated urb should be
      released.
      
      Fixes: d08e973a
      
       ("can: gs_usb: Added support for the GS_USB CAN devices")
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f26d9804
    • Navid Emamdoost's avatar
      wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle · 311edf19
      Navid Emamdoost authored
      commit 6f3ef5c2 upstream.
      
      In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
      buffer for cmd should be released before returning. The
      documentation for i2400m_msg_to_dev() says when it returns the buffer
      can be reused. Meaning cmd should be released in either case. Move
      kfree(cmd) before return to be reached by all execution paths.
      
      Fixes: 2507e6ab
      
       ("wimax: i2400: fix memory leak")
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      311edf19
    • Navid Emamdoost's avatar
      wimax: i2400: fix memory leak · 50e479c1
      Navid Emamdoost authored
      commit 2507e6ab
      
       upstream.
      
      In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with
      skb response.
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      50e479c1
    • Johannes Berg's avatar
      nl80211: validate beacon head · 9eec2aca
      Johannes Berg authored
      commit f88eb7c0 upstream.
      
      We currently don't validate the beacon head, i.e. the header,
      fixed part and elements that are to go in front of the TIM
      element. This means that the variable elements there can be
      malformed, e.g. have a length exceeding the buffer size, but
      most downstream code from this assumes that this has already
      been checked.
      
      Add the necessary checks to the netlink policy.
      
      Fixes: ed1b6cc7 ("cfg80211/nl80211: add beacon settings")
      Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid
      
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9eec2aca
    • Johannes Berg's avatar
      cfg80211: add and use strongly typed element iteration macros · 48ed745e
      Johannes Berg authored
      commit 0f3b07f0
      
       upstream.
      
      Rather than always iterating elements from frames with pure
      u8 pointers, add a type "struct element" that encapsulates
      the id/datalen/data format of them.
      
      Then, add the element iteration macros
       * for_each_element
       * for_each_element_id
       * for_each_element_extid
      
      which take, as their first 'argument', such a structure and
      iterate through a given u8 array interpreting it as elements.
      
      While at it and since we'll need it, also add
       * for_each_subelement
       * for_each_subelement_id
       * for_each_subelement_extid
      
      which instead of taking data/length just take an outer element
      and use its data/datalen.
      
      Also add for_each_element_completed() to determine if any of
      the loops above completed, i.e. it was able to parse all of
      the elements successfully and no data remained.
      
      Use for_each_element_id() in cfg80211_find_ie_match() as the
      first user of this.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      48ed745e
    • Oliver Neukum's avatar
      media: b2c2-flexcop-usb: add sanity checking · 470a2d36
      Oliver Neukum authored
      commit 1b976fc6
      
       upstream.
      
      The driver needs an isochronous endpoint to be present. It will
      oops in its absence. Add checking for it.
      
      Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      470a2d36
    • Martijn Coenen's avatar
      ANDROID: binder: remove waitqueue when thread exits. · 3a593dd8
      Martijn Coenen authored
      commit f5cb779b
      
       upstream.
      
      binder_poll() passes the thread->wait waitqueue that
      can be slept on for work. When a thread that uses
      epoll explicitly exits using BINDER_THREAD_EXIT,
      the waitqueue is freed, but it is never removed
      from the corresponding epoll data structure. When
      the process subsequently exits, the epoll cleanup
      code tries to access the waitlist, which results in
      a use-after-free.
      
      Prevent this by using POLLFREE when the thread exits.
      Signed-off-by: default avatarMartijn Coenen <maco@android.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      [backport BINDER_LOOPER_STATE_POLL logic as well]
      Signed-off-by: default avatarMattias Nissler <mnissler@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3a593dd8
    • Chris Brandt's avatar
      i2c: riic: Clear NACK in tend isr · a7fd3ecd
      Chris Brandt authored
      commit a71e2ac1 upstream.
      
      The NACKF flag should be cleared in INTRIICNAKI interrupt processing as
      description in HW manual.
      
      This issue shows up quickly when PREEMPT_RT is applied and a device is
      probed that is not plugged in (like a touchscreen controller). The result
      is endless interrupts that halt system boot.
      
      Fixes: 310c18a4
      
       ("i2c: riic: add driver")
      Reported-by: default avatarChien Nguyen <chien.nguyen.eb@rvc.renesas.com>
      Signed-off-by: default avatarChris Brandt <chris.brandt@renesas.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a7fd3ecd
    • Pavel Shilovsky's avatar
      CIFS: Fix oplock handling for SMB 2.1+ protocols · 9abbb201
      Pavel Shilovsky authored
      commit a016e279
      
       upstream.
      
      There may be situations when a server negotiates SMB 2.1
      protocol version or higher but responds to a CREATE request
      with an oplock rather than a lease.
      
      Currently the client doesn't handle such a case correctly:
      when another CREATE comes in the server sends an oplock
      break to the initial CREATE and the client doesn't send
      an ack back due to a wrong caching level being set (READ
      instead of RWH). Missing an oplock break ack makes the
      server wait until the break times out which dramatically
      increases the latency of the second CREATE.
      
      Fix this by properly detecting oplocks when using SMB 2.1
      protocol version and higher.
      Signed-off-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9abbb201
    • Vasily Averin's avatar
      fuse: fix missing unlock_page in fuse_writepage() · 7a92de36
      Vasily Averin authored
      commit d5880c7a
      
       upstream.
      
      unlock_page() was missing in case of an already in-flight write against the
      same page.
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Fixes: ff17be08
      
       ("fuse: writepage: skip already in flight")
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7a92de36
    • Murphy Zhou's avatar
      CIFS: fix max ea value size · b4e46ee8
      Murphy Zhou authored
      commit 63d37fb4
      
       upstream.
      
      It should not be larger then the slab max buf size. If user
      specifies a larger size, it passes this check and goes
      straightly to SMB2_set_info_init performing an insecure memcpy.
      Signed-off-by: default avatarMurphy Zhou <jencce.kernel@gmail.com>
      Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b4e46ee8
    • Wei Wang's avatar
      thermal: Fix deadlock in thermal thermal_zone_device_check · a0cab4f0
      Wei Wang authored
      commit 163b00cd upstream.
      
      1851799e ("thermal: Fix use-after-free when unregistering thermal zone
      device") changed cancel_delayed_work to cancel_delayed_work_sync to avoid
      a use-after-free issue. However, cancel_delayed_work_sync could be called
      insides the WQ causing deadlock.
      
      [54109.642398] c0   1162 kworker/u17:1   D    0 11030      2 0x00000000
      [54109.642437] c0   1162 Workqueue: thermal_passive_wq thermal_zone_device_check
      [54109.642447] c0   1162 Call trace:
      [54109.642456] c0   1162  __switch_to+0x138/0x158
      [54109.642467] c0   1162  __schedule+0xba4/0x1434
      [54109.642480] c0   1162  schedule_timeout+0xa0/0xb28
      [54109.642492] c0   1162  wait_for_common+0x138/0x2e8
      [54109.642511] c0   1162  flush_work+0x348/0x40c
      [54109.642522] c0   1162  __cancel_work_timer+0x180/0x218
      [54109.642544] c0   1162  handle_thermal_trip+0x2c4/0x5a4
      [54109.642553] c0   1162  thermal_zone_device_update+0x1b4/0x25c
      [54109.642563] c0   1162  thermal_zone_device_check+0x18/0x24
      [54109.642574] c0   1162  process_one_work+0x3cc/0x69c
      [54109.642583] c0   1162  worker_thread+0x49c/0x7c0
      [54109.642593] c0   1162  kthread+0x17c/0x1b0
      [54109.642602] c0   1162  ret_from_fork+0x10/0x18
      [54109.643051] c0   1162 kworker/u17:2   D    0 16245      2 0x00000000
      [54109.643067] c0   1162 Workqueue: thermal_passive_wq thermal_zone_device_check
      [54109.643077] c0   1162 Call trace:
      [54109.643085] c0   1162  __switch_to+0x138/0x158
      [54109.643095] c0   1162  __schedule+0xba4/0x1434
      [54109.643104] c0   1162  schedule_timeout+0xa0/0xb28
      [54109.643114] c0   1162  wait_for_common+0x138/0x2e8
      [54109.643122] c0   1162  flush_work+0x348/0x40c
      [54109.643131] c0   1162  __cancel_work_timer+0x180/0x218
      [54109.643141] c0   1162  handle_thermal_trip+0x2c4/0x5a4
      [54109.643150] c0   1162  thermal_zone_device_update+0x1b4/0x25c
      [54109.643159] c0   1162  thermal_zone_device_check+0x18/0x24
      [54109.643167] c0   1162  process_one_work+0x3cc/0x69c
      [54109.643177] c0   1162  worker_thread+0x49c/0x7c0
      [54109.643186] c0   1162  kthread+0x17c/0x1b0
      [54109.643195] c0   1162  ret_from_fork+0x10/0x18
      [54109.644500] c0   1162 cat             D    0  7766      1 0x00000001
      [54109.644515] c0   1162 Call trace:
      [54109.644524] c0   1162  __switch_to+0x138/0x158
      [54109.644536] c0   1162  __schedule+0xba4/0x1434
      [54109.644546] c0   1162  schedule_preempt_disabled+0x80/0xb0
      [54109.644555] c0   1162  __mutex_lock+0x3a8/0x7f0
      [54109.644563] c0   1162  __mutex_lock_slowpath+0x14/0x20
      [54109.644575] c0   1162  thermal_zone_get_temp+0x84/0x360
      [54109.644586] c0   1162  temp_show+0x30/0x78
      [54109.644609] c0   1162  dev_attr_show+0x5c/0xf0
      [54109.644628] c0   1162  sysfs_kf_seq_show+0xcc/0x1a4
      [54109.644636] c0   1162  kernfs_seq_show+0x48/0x88
      [54109.644656] c0   1162  seq_read+0x1f4/0x73c
      [54109.644664] c0   1162  kernfs_fop_read+0x84/0x318
      [54109.644683] c0   1162  __vfs_read+0x50/0x1bc
      [54109.644692] c0   1162  vfs_read+0xa4/0x140
      [54109.644701] c0   1162  SyS_read+0xbc/0x144
      [54109.644708] c0   1162  el0_svc_naked+0x34/0x38
      [54109.845800] c0   1162 D 720.000s 1->7766->7766 cat [panic]
      
      Fixes: 1851799e
      
       ("thermal: Fix use-after-free when unregistering thermal zone device")
      Signed-off-by: default avatarWei Wang <wvw@google.com>
      Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      Cc: Ido Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a0cab4f0
    • Ido Schimmel's avatar
      thermal: Fix use-after-free when unregistering thermal zone device · 376f90e0
      Ido Schimmel authored
      commit 1851799e upstream.
      
      thermal_zone_device_unregister() cancels the delayed work that polls the
      thermal zone, but it does not wait for it to finish. This is racy with
      respect to the freeing of the thermal zone device, which can result in a
      use-after-free [1].
      
      Fix this by waiting for the delayed work to finish before freeing the
      thermal zone device. Note that thermal_zone_device_set_polling() is
      never invoked from an atomic context, so it is safe to call
      cancel_delayed_work_sync() that can block.
      
      [1]
      [  +0.002221] ==================================================================
      [  +0.000064] BUG: KASAN: use-after-free in __mutex_lock+0x1076/0x11c0
      [  +0.000016] Read of size 8 at addr ffff8881e48e0450 by task kworker/1:0/17
      
      [  +0.000023] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.2.0-rc6-custom-02495-g8e73ca3be4af #1701
      [  +0.000010] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
      [  +0.000016] Workqueue: events_freezable_power_ thermal_zone_device_check
      [  +0.000012] Call Trace:
      [  +0.000021]  dump_stack+0xa9/0x10e
      [  +0.000020]  print_address_description.cold.2+0x9/0x25e
      [  +0.000018]  __kasan_report.cold.3+0x78/0x9d
      [  +0.000016]  kasan_report+0xe/0x20
      [  +0.000016]  __mutex_lock+0x1076/0x11c0
      [  +0.000014]  step_wise_throttle+0x72/0x150
      [  +0.000018]  handle_thermal_trip+0x167/0x760
      [  +0.000019]  thermal_zone_device_update+0x19e/0x5f0
      [  +0.000019]  process_one_work+0x969/0x16f0
      [  +0.000017]  worker_thread+0x91/0xc40
      [  +0.000014]  kthread+0x33d/0x400
      [  +0.000015]  ret_from_fork+0x3a/0x50
      
      [  +0.000020] Allocated by task 1:
      [  +0.000015]  save_stack+0x19/0x80
      [  +0.000015]  __kasan_kmalloc.constprop.4+0xc1/0xd0
      [  +0.000014]  kmem_cache_alloc_trace+0x152/0x320
      [  +0.000015]  thermal_zone_device_register+0x1b4/0x13a0
      [  +0.000015]  mlxsw_thermal_init+0xc92/0x23d0
      [  +0.000014]  __mlxsw_core_bus_device_register+0x659/0x11b0
      [  +0.000013]  mlxsw_core_bus_device_register+0x3d/0x90
      [  +0.000013]  mlxsw_pci_probe+0x355/0x4b0
      [  +0.000014]  local_pci_probe+0xc3/0x150
      [  +0.000013]  pci_device_probe+0x280/0x410
      [  +0.000013]  really_probe+0x26a/0xbb0
      [  +0.000013]  driver_probe_device+0x208/0x2e0
      [  +0.000013]  device_driver_attach+0xfe/0x140
      [  +0.000013]  __driver_attach+0x110/0x310
      [  +0.000013]  bus_for_each_dev+0x14b/0x1d0
      [  +0.000013]  driver_register+0x1c0/0x400
      [  +0.000015]  mlxsw_sp_module_init+0x5d/0xd3
      [  +0.000014]  do_one_initcall+0x239/0x4dd
      [  +0.000013]  kernel_init_freeable+0x42b/0x4e8
      [  +0.000012]  kernel_init+0x11/0x18b
      [  +0.000013]  ret_from_fork+0x3a/0x50
      
      [  +0.000015] Freed by task 581:
      [  +0.000013]  save_stack+0x19/0x80
      [  +0.000014]  __kasan_slab_free+0x125/0x170
      [  +0.000013]  kfree+0xf3/0x310
      [  +0.000013]  thermal_release+0xc7/0xf0
      [  +0.000014]  device_release+0x77/0x200
      [  +0.000014]  kobject_put+0x1a8/0x4c0
      [  +0.000014]  device_unregister+0x38/0xc0
      [  +0.000014]  thermal_zone_device_unregister+0x54e/0x6a0
      [  +0.000014]  mlxsw_thermal_fini+0x184/0x35a
      [  +0.000014]  mlxsw_core_bus_device_unregister+0x10a/0x640
      [  +0.000013]  mlxsw_devlink_core_bus_device_reload+0x92/0x210
      [  +0.000015]  devlink_nl_cmd_reload+0x113/0x1f0
      [  +0.000014]  genl_family_rcv_msg+0x700/0xee0
      [  +0.000013]  genl_rcv_msg+0xca/0x170
      [  +0.000013]  netlink_rcv_skb+0x137/0x3a0
      [  +0.000012]  genl_rcv+0x29/0x40
      [  +0.000013]  netlink_unicast+0x49b/0x660
      [  +0.000013]  netlink_sendmsg+0x755/0xc90
      [  +0.000013]  __sys_sendto+0x3de/0x430
      [  +0.000013]  __x64_sys_sendto+0xe2/0x1b0
      [  +0.000013]  do_syscall_64+0xa4/0x4d0
      [  +0.000013]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [  +0.000017] The buggy address belongs to the object at ffff8881e48e0008
                     which belongs to the cache kmalloc-2k of size 2048
      [  +0.000012] The buggy address is located 1096 bytes inside of
                     2048-byte region [ffff8881e48e0008, ffff8881e48e0808)
      [  +0.000007] The buggy address belongs to the page:
      [  +0.000012] page:ffffea0007923800 refcount:1 mapcount:0 mapping:ffff88823680d0c0 index:0x0 compound_mapcount: 0
      [  +0.000020] flags: 0x200000000010200(slab|head)
      [  +0.000019] raw: 0200000000010200 ffffea0007682008 ffffea00076ab808 ffff88823680d0c0
      [  +0.000016] raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
      [  +0.000007] page dumped because: kasan: bad access detected
      
      [  +0.000012] Memory state around the buggy address:
      [  +0.000012]  ffff8881e48e0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  +0.000012]  ffff8881e48e0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  +0.000012] >ffff8881e48e0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  +0.000008]                                                  ^
      [  +0.000012]  ffff8881e48e0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  +0.000012]  ffff8881e48e0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  +0.000007] ==================================================================
      
      Fixes: b1569e99
      
       ("ACPI: move thermal trip handling to generic thermal layer")
      Reported-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      376f90e0
    • Vasily Gorbik's avatar
      s390/cio: exclude subchannels with no parent from pseudo check · dcc73d39
      Vasily Gorbik authored
      commit ab575884
      
       upstream.
      
      ccw console is created early in start_kernel and used before css is
      initialized or ccw console subchannel is registered. Until then console
      subchannel does not have a parent. For that reason assume subchannels
      with no parent are not pseudo subchannels. This fixes the following
      kasan finding:
      
      BUG: KASAN: global-out-of-bounds in sch_is_pseudo_sch+0x8e/0x98
      Read of size 8 at addr 00000000000005e8 by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-rc8-07370-g6ac43dd12538 #2
      Hardware name: IBM 2964 NC9 702 (z/VM 6.4.0)
      Call Trace:
      ([<000000000012cd76>] show_stack+0x14e/0x1e0)
       [<0000000001f7fb44>] dump_stack+0x1a4/0x1f8
       [<00000000007d7afc>] print_address_description+0x64/0x3c8
       [<00000000007d75f6>] __kasan_report+0x14e/0x180
       [<00000000018a2986>] sch_is_pseudo_sch+0x8e/0x98
       [<000000000189b950>] cio_enable_subchannel+0x1d0/0x510
       [<00000000018cac7c>] ccw_device_recognition+0x12c/0x188
       [<0000000002ceb1a8>] ccw_device_enable_console+0x138/0x340
       [<0000000002cf1cbe>] con3215_init+0x25e/0x300
       [<0000000002c8770a>] console_init+0x68a/0x9b8
       [<0000000002c6a3d6>] start_kernel+0x4fe/0x728
       [<0000000000100070>] startup_continue+0x70/0xd0
      Reviewed-by: default avatarSebastian Ott <sebott@linux.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dcc73d39
    • Vasily Gorbik's avatar
      s390/cio: avoid calling strlen on null pointer · d736d3ad
      Vasily Gorbik authored
      commit ea298e6e
      
       upstream.
      
      Fix the following kasan finding:
      BUG: KASAN: global-out-of-bounds in ccwgroup_create_dev+0x850/0x1140
      Read of size 1 at addr 0000000000000000 by task systemd-udevd.r/561
      
      CPU: 30 PID: 561 Comm: systemd-udevd.r Tainted: G    B
      Hardware name: IBM 3906 M04 704 (LPAR)
      Call Trace:
      ([<0000000231b3db7e>] show_stack+0x14e/0x1a8)
       [<0000000233826410>] dump_stack+0x1d0/0x218
       [<000000023216fac4>] print_address_description+0x64/0x380
       [<000000023216f5a8>] __kasan_report+0x138/0x168
       [<00000002331b8378>] ccwgroup_create_dev+0x850/0x1140
       [<00000002332b618a>] group_store+0x3a/0x50
       [<00000002323ac706>] kernfs_fop_write+0x246/0x3b8
       [<00000002321d409a>] vfs_write+0x132/0x450
       [<00000002321d47da>] ksys_write+0x122/0x208
       [<0000000233877102>] system_call+0x2a6/0x2c8
      
      Triggered by:
      openat(AT_FDCWD, "/sys/bus/ccwgroup/drivers/qeth/group",
      		O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 16
      write(16, "0.0.bd00,0.0.bd01,0.0.bd02", 26) = 26
      
      The problem is that __get_next_id in ccwgroup_create_dev might set "buf"
      buffer pointer to NULL and explicit check for that is required.
      Reviewed-by: default avatarSebastian Ott <sebott@linux.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d736d3ad
    • Vasily Gorbik's avatar
      s390/topology: avoid firing events before kobjs are created · 846903f2
      Vasily Gorbik authored
      commit f3122a79
      
       upstream.
      
      arch_update_cpu_topology is first called from:
      kernel_init_freeable->sched_init_smp->sched_init_domains
      
      even before cpus has been registered in:
      kernel_init_freeable->do_one_initcall->s390_smp_init
      
      Do not trigger kobject_uevent change events until cpu devices are
      actually created. Fixes the following kasan findings:
      
      BUG: KASAN: global-out-of-bounds in kobject_uevent_env+0xb40/0xee0
      Read of size 8 at addr 0000000000000020 by task swapper/0/1
      
      BUG: KASAN: global-out-of-bounds in kobject_uevent_env+0xb36/0xee0
      Read of size 8 at addr 0000000000000018 by task swapper/0/1
      
      CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B
      Hardware name: IBM 3906 M04 704 (LPAR)
      Call Trace:
      ([<0000000143c6db7e>] show_stack+0x14e/0x1a8)
       [<0000000145956498>] dump_stack+0x1d0/0x218
       [<000000014429fb4c>] print_address_description+0x64/0x380
       [<000000014429f630>] __kasan_report+0x138/0x168
       [<0000000145960b96>] kobject_uevent_env+0xb36/0xee0
       [<0000000143c7c47c>] arch_update_cpu_topology+0x104/0x108
       [<0000000143df9e22>] sched_init_domains+0x62/0xe8
       [<000000014644c94a>] sched_init_smp+0x3a/0xc0
       [<0000000146433a20>] kernel_init_freeable+0x558/0x958
       [<000000014599002a>] kernel_init+0x22/0x160
       [<00000001459a71d4>] ret_from_fork+0x28/0x30
       [<00000001459a71dc>] kernel_thread_starter+0x0/0x10
      Reviewed-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      846903f2
    • Peter Mamonov's avatar
      net/phy: fix DP83865 10 Mbps HDX loopback disable function · 183fb1de
      Peter Mamonov authored
      commit e47488b2 upstream.
      
      According to the DP83865 datasheet "the 10 Mbps HDX loopback can be
      disabled in the expanded memory register 0x1C0.1". The driver erroneously
      used bit 0 instead of bit 1.
      
      Fixes: 4621bf12
      
       ("phy: Add file missed in previous commit.")
      Signed-off-by: default avatarPeter Mamonov <pmamonov@gmail.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      183fb1de
    • Eric Dumazet's avatar
      sch_netem: fix a divide by zero in tabledist() · cf83b40c
      Eric Dumazet authored
      commit b41d936b upstream.
      
      syzbot managed to crash the kernel in tabledist() loading
      an empty distribution table.
      
      	t = dist->table[rnd % dist->size];
      
      Simply return an error when such load is attempted.
      
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cf83b40c
    • Shih-Yuan Lee (FourDollars)'s avatar
      ALSA: hda - Add laptop imic fixup for ASUS M9V laptop · ca63b17b
      Shih-Yuan Lee (FourDollars) authored
      commit 7b485d17
      
       upstream.
      
      The same fixup to enable laptop imic is needed for ASUS M9V with AD1986A
      codec like another HP machine.
      Signed-off-by: default avatarShih-Yuan Lee (FourDollars) <fourdollars@debian.org>
      Link: https://lore.kernel.org/r/20190920134052.GA8035@localhost
      
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ca63b17b
    • Laurent Vivier's avatar
      hwrng: core - don't wait on add_early_randomness() · 0e0b9c1b
      Laurent Vivier authored
      commit 78887832
      
       upstream.
      
      add_early_randomness() is called by hwrng_register() when the
      hardware is added. If this hardware and its module are present
      at boot, and if there is no data available the boot hangs until
      data are available and can't be interrupted.
      
      For instance, in the case of virtio-rng, in some cases the host can be
      not able to provide enough entropy for all the guests.
      
      We can have two easy ways to reproduce the problem but they rely on
      misconfiguration of the hypervisor or the egd daemon:
      
      - if virtio-rng device is configured to connect to the egd daemon of the
      host but when the virtio-rng driver asks for data the daemon is not
      connected,
      
      - if virtio-rng device is configured to connect to the egd daemon of the
      host but the egd daemon doesn't provide data.
      
      The guest kernel will hang at boot until the virtio-rng driver provides
      enough data.
      
      To avoid that, call rng_get_data() in non-blocking mode (wait=0)
      from add_early_randomness().
      Signed-off-by: default avatarLaurent Vivier <lvivier@redhat.com>
      Fixes: d9e79726
      
       ("hwrng: add randomness to system from rng...")
      Reviewed-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0e0b9c1b
    • David Howells's avatar
      hypfs: Fix error number left in struct pointer member · fa4fb29a
      David Howells authored
      commit b54c64f7 upstream.
      
      In hypfs_fill_super(), if hypfs_create_update_file() fails,
      sbi->update_file is left holding an error number.  This is passed to
      hypfs_kill_super() which doesn't check for this.
      
      Fix this by not setting sbi->update_value until after we've checked for
      error.
      
      Fixes: 24bbb1fa
      
       ("[PATCH] s390_hypfs filesystem")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      cc: linux-s390@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fa4fb29a