Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.4.50 2020-06-30T19:37:11+00:00 2020-06-30T19:37:11+00:00 Dan Carpenter dan.carpenter@oracle.com 2020-06-03T10:19:58+00:00 urn:sha1:60bdb51d44faf3723aa037e501eb84d500fb4dfd commit b65a2d8c8614386f7e8d38ea150749f8a862f431 upstream. The "ie_len" variable is in the 0-255 range and it comes from the network. If it's over NDIS_802_11_LENGTH_RATES_EX (16) then that will lead to memory corruption. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200603101958.GA1845750@mwanda Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-24T15:50:24+00:00 Matej Dujava mdujava@kocurkovo.cz 2020-04-30T20:09:24+00:00 urn:sha1:4d30daf901aa7942f5e803023a4d3176a1e2f1bc [ Upstream commit fa90133377f4a7f15a937df6ad55133bb57c5665 ] Switch statement does not contain all cases: 8, 16, 24, 32. This patch will add missing one (24) Fixes: 81dee67e215b ("staging: sm750fb: add sm750 to staging") Signed-off-by: Matej Dujava <mdujava@kocurkovo.cz> Link: https://lore.kernel.org/r/1588277366-19354-2-git-send-email-mdujava@kocurkovo.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-24T15:50:23+00:00 Oscar Carter oscar.carter@gmx.com 2020-05-04T15:09:11+00:00 urn:sha1:2428682e3f6cb6a5bb2855500669746639a0c98d [ Upstream commit a4338ed2e1cf724563956ec5f91deeaabfedbe23 ] Increase by one the size of wid_list array as index variable can reach a value of 5. If this happens, an out-of-bounds access is performed. Also, use a #define instead of a hard-coded literal for the new array size. Addresses-Coverity-ID: 1451981 ("Out-of-bounds access") Fixes: f5a3cb90b802d ("staging: wilc1000: add passive scan support") Acked-by: Ajay Singh <ajay.kathat@microchip.com> Signed-off-by: Oscar Carter <oscar.carter@gmx.com> Link: https://lore.kernel.org/r/20200504150911.4470-1-oscar.carter@gmx.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-24T15:50:21+00:00 Xiyu Yang xiyuyang19@fudan.edu.cn 2020-04-23T05:15:40+00:00 urn:sha1:3468bca1ea441680aeba27e38b4360d2bf9a1706 [ Upstream commit e3436ce60cf5f5eaedda2b8c622f69feb97595e2 ] gasket_sysfs_register_store() invokes get_mapping(), which returns a reference of the specified gasket_sysfs_mapping object to "mapping" with increased refcnt. When gasket_sysfs_register_store() returns, local variable "mapping" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of gasket_sysfs_register_store(). When gasket_dev is NULL, the function forgets to decrease the refcnt increased by get_mapping(), causing a refcnt leak. Fix this issue by calling put_mapping() when gasket_dev is NULL. Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Link: https://lore.kernel.org/r/1587618941-13718-1-git-send-email-xiyuyang19@fudan.edu.cn Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-24T15:50:21+00:00 Xiyu Yang xiyuyang19@fudan.edu.cn 2020-04-23T05:14:55+00:00 urn:sha1:b3b4dcdc2bb49047762fcc14db0b1967622b5188 [ Upstream commit 57a66838e1494cd881b7f4e110ec685736e8e3ca ] gasket_sysfs_put_attr() invokes get_mapping(), which returns a reference of the specified gasket_sysfs_mapping object to "mapping" with increased refcnt. When gasket_sysfs_put_attr() returns, local variable "mapping" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one path of gasket_sysfs_put_attr(). When mapping attribute is unknown, the function forgets to decrease the refcnt increased by get_mapping(), causing a refcnt leak. Fix this issue by calling put_mapping() when put attribute fails due to unknown attribute. Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Link: https://lore.kernel.org/r/1587618895-13660-1-git-send-email-xiyuyang19@fudan.edu.cn Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-24T15:50:20+00:00 Chen Zhou chenzhou10@huawei.com 2020-04-01T03:00:17+00:00 urn:sha1:7bf3a213f79ec013aa8e9f7e1b99fe7d7891bc05 [ Upstream commit 9bb086e5ba9495ac150fbbcc5c8c2bccc06261dd ] In gb_lights_light_config(), 'light->name' is allocated by kstrndup(). It returns NULL when fails, add check for it. Signed-off-by: Chen Zhou <chenzhou10@huawei.com> Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Link: https://lore.kernel.org/r/20200401030017.100274-1-chenzhou10@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-22T07:31:18+00:00 Samuel Holland samuel@sholland.org 2020-05-09T20:06:42+00:00 urn:sha1:80462f7c296d350557b1b320f3de6dfb6145f305 commit a8876c22eab9a871834f85de83e98bbf7e6e264d upstream. Previously, the output format was programmed as part of the ioctl() handler. However, this has two problems: 1) If there are multiple active streams with different output formats, the hardware will use whichever format was set last for both streams. Similarly, an ioctl() done in an inactive context will wrongly affect other active contexts. 2) The registers are written while the device is not actively streaming. To enable runtime PM tied to the streaming state, all hardware access needs to be moved inside cedrus_device_run(). The call to cedrus_dst_format_set() is now placed just before the codec-specific callback that programs the hardware. Cc: <stable@vger.kernel.org> Fixes: 50e761516f2b ("media: platform: Add Cedrus VPU decoder driver") Suggested-by: Jernej Skrabec <jernej.skrabec@siol.net> Suggested-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com> Signed-off-by: Samuel Holland <samuel@sholland.org> Tested-by: Jernej Skrabec <jernej.skrabec@siol.net> Reviewed-by: Jernej Skrabec <jernej.skrabec@siol.net> Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-22T07:31:09+00:00 Ulf Hansson ulf.hansson@linaro.org 2020-04-14T16:14:13+00:00 urn:sha1:3d6143663f21d6a4f77bca405b26212e443ce176 [ Upstream commit a389087ee9f195fcf2f31cd771e9ec5f02c16650 ] Using a fixed 1s timeout for all commands is a bit problematic. For some commands it means waiting longer than needed for the timeout to expire, which may not a big issue, but still. For other commands, like for an erase (CMD38) that uses a R1B response, may require longer timeouts than 1s. In these cases, we may end up treating the command as it failed, while it just needed some more time to complete successfully. Fix the problem by respecting the cmd->busy_timeout, which is provided by the mmc core. Cc: Rui Miguel Silva <rmfrfs@gmail.com> Cc: Johan Hovold <johan@kernel.org> Cc: Alex Elder <elder@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: greybus-dev@lists.linaro.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Link: https://lore.kernel.org/r/20200414161413.3036-20-ulf.hansson@linaro.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-22T07:30:57+00:00 Bingbu Cao bingbu.cao@intel.com 2020-03-26T14:54:37+00:00 urn:sha1:42c22e4834c265073a89b1eeee1131a1b19dfe22 [ Upstream commit 33e3c349b2bf1235be458df09fb8d237141486c4 ] Currently concurrent stream off operations on ImgU nodes are not synchronized, leading to use-after-free bugs (as reported by KASAN). [ 250.090724] BUG: KASAN: use-after-free in ipu3_dmamap_free+0xc5/0x116 [ipu3_imgu] [ 250.090726] Read of size 8 at addr ffff888127b29bc0 by task yavta/18836 [ 250.090731] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.17.0 03/22/2018 [ 250.090732] Call Trace: [ 250.090735] dump_stack+0x6a/0xb1 [ 250.090739] print_address_description+0x8e/0x279 [ 250.090743] ? ipu3_dmamap_free+0xc5/0x116 [ipu3_imgu] [ 250.090746] kasan_report+0x260/0x28a [ 250.090750] ipu3_dmamap_free+0xc5/0x116 [ipu3_imgu] [ 250.090754] ipu3_css_pool_cleanup+0x24/0x37 [ipu3_imgu] [ 250.090759] ipu3_css_pipeline_cleanup+0x61/0xb9 [ipu3_imgu] [ 250.090763] ipu3_css_stop_streaming+0x1f2/0x321 [ipu3_imgu] [ 250.090768] imgu_s_stream+0x94/0x443 [ipu3_imgu] [ 250.090772] ? ipu3_vb2_buf_queue+0x280/0x280 [ipu3_imgu] [ 250.090775] ? vb2_dma_sg_unmap_dmabuf+0x16/0x6f [videobuf2_dma_sg] [ 250.090778] ? vb2_buffer_in_use+0x36/0x58 [videobuf2_common] [ 250.090782] ipu3_vb2_stop_streaming+0xf9/0x135 [ipu3_imgu] Implemented a lock to synchronize imgu stream on / off operations and the modification of streaming flag (in struct imgu_device), to prevent these issues. Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Suggested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Rajmohan Mani <rajmohan.mani@intel.com> Signed-off-by: Bingbu Cao <bingbu.cao@intel.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-22T07:30:57+00:00 Christoph Hellwig hch@lst.de 2020-06-02T04:50:23+00:00 urn:sha1:76ecfcfefe3b38cb5cf8dc1b751a6a0d51c5554a [ Upstream commit 5bf9917452112694b2c774465ee4dbe441c84b77 ] vm_map_ram can keep mappings around after the vm_unmap_ram. Using that with non-PAGE_KERNEL mappings can lead to all kinds of aliasing issues. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Christian Borntraeger <borntraeger@de.ibm.com> Cc: Christophe Leroy <christophe.leroy@c-s.fr> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: David Airlie <airlied@linux.ie> Cc: Gao Xiang <xiang@kernel.org> Cc: Haiyang Zhang <haiyangz@microsoft.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: "K. Y. Srinivasan" <kys@microsoft.com> Cc: Laura Abbott <labbott@redhat.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Michael Kelley <mikelley@microsoft.com> Cc: Minchan Kim <minchan@kernel.org> Cc: Nitin Gupta <ngupta@vflare.org> Cc: Robin Murphy <robin.murphy@arm.com> Cc: Sakari Ailus <sakari.ailus@linux.intel.com> Cc: Stephen Hemminger <sthemmin@microsoft.com> Cc: Sumit Semwal <sumit.semwal@linaro.org> Cc: Wei Liu <wei.liu@kernel.org> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Paul Mackerras <paulus@ozlabs.org> Cc: Vasily Gorbik <gor@linux.ibm.com> Cc: Will Deacon <will@kernel.org> Link: http://lkml.kernel.org/r/20200414131348.444715-4-hch@lst.de Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>