Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.6.17 2020-04-29T14:34:55+00:00 2020-04-29T14:34:55+00:00 Udipto Goswami ugoswami@codeaurora.org 2020-04-02T04:45:21+00:00 urn:sha1:308293dd89c456f9590f219376d48d2f4d31b75d commit 1c2e54fbf1da5e5445a0ab132c862b02ccd8d230 upstream. For userspace functions using OS Descriptors, if a function also supplies Extended Property descriptors currently the counts and lengths stored in the ms_os_descs_ext_prop_{count,name_len,data_len} variables are not getting reset to 0 during an unbind or when the epfiles are closed. If the same function is re-bound and the descriptors are re-written, this results in those count/length variables to monotonically increase causing the VLA allocation in _ffs_func_bind() to grow larger and larger at each bind/unbind cycle and eventually fail to allocate. Fix this by clearing the ms_os_descs_ext_prop count & lengths to 0 in ffs_data_reset(). Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support") Cc: stable@vger.kernel.org Signed-off-by: Udipto Goswami <ugoswami@codeaurora.org> Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org> Reviewed-by: Manu Gautam <mgautam@codeaurora.org> Link: https://lore.kernel.org/r/20200402044521.9312-1-sallenki@codeaurora.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-04-17T14:13:24+00:00 Sriharsha Allenki sallenki@codeaurora.org 2020-03-26T11:56:20+00:00 urn:sha1:08aebe0723a4ed04379259c487068b46083a9c9d commit f63ec55ff904b2f2e126884fcad93175f16ab4bb upstream. In AIO case, the request is freed up if ep_queue fails. However, io_data->req still has the reference to this freed request. In the case of this failure if there is aio_cancel call on this io_data it will lead to an invalid dequeue operation and a potential use after free issue. Fix this by setting the io_data->req to NULL when the request is freed as part of queue failure. Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support") Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org> CC: stable <stable@vger.kernel.org> Reviewed-by: Peter Chen <peter.chen@nxp.com> Link: https://lore.kernel.org/r/20200326115620.12571-1-sallenki@codeaurora.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-02-11T06:45:45+00:00 Lars-Peter Clausen lars@metafoo.de 2020-01-16T13:29:01+00:00 urn:sha1:43d565727a3a6fd24e37c7c2116475106af71806 ffs_aio_cancel() can be called from both interrupt and thread context. Make sure that the current IRQ state is saved and restored by using spin_{un,}lock_irq{save,restore}(). Otherwise undefined behavior might occur. Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com> Signed-off-by: Felipe Balbi <balbi@kernel.org> 2020-02-08T21:26:41+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-02-08T21:26:41+00:00 urn:sha1:c9d35ee049b40f1d73e890bf88dd55f83b1e9be8 Pull vfs file system parameter updates from Al Viro: "Saner fs_parser.c guts and data structures. The system-wide registry of syntax types (string/enum/int32/oct32/.../etc.) is gone and so is the horror switch() in fs_parse() that would have to grow another case every time something got added to that system-wide registry. New syntax types can be added by filesystems easily now, and their namespace is that of functions - not of system-wide enum members. IOW, they can be shared or kept private and if some turn out to be widely useful, we can make them common library helpers, etc., without having to do anything whatsoever to fs_parse() itself. And we already get that kind of requests - the thing that finally pushed me into doing that was "oh, and let's add one for timeouts - things like 15s or 2h". If some filesystem really wants that, let them do it. Without somebody having to play gatekeeper for the variants blessed by direct support in fs_parse(), TYVM. Quite a bit of boilerplate is gone. And IMO the data structures make a lot more sense now. -200LoC, while we are at it" * 'merge.nfs-fs_parse.1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (25 commits) tmpfs: switch to use of invalfc() cgroup1: switch to use of errorfc() et.al. procfs: switch to use of invalfc() hugetlbfs: switch to use of invalfc() cramfs: switch to use of errofc() et.al. gfs2: switch to use of errorfc() et.al. fuse: switch to use errorfc() et.al. ceph: use errorfc() and friends instead of spelling the prefix out prefix-handling analogues of errorf() and friends turn fs_param_is_... into functions fs_parse: handle optional arguments sanely fs_parse: fold fs_parameter_desc/fs_parameter_spec fs_parser: remove fs_parameter_description name field add prefix to fs_context->log ceph_parse_param(), ceph_parse_mon_ips(): switch to passing fc_log new primitive: __fs_parse() switch rbd and libceph to p_log-based primitives struct p_log, variants of warnf() et.al. taking that one instead teach logfc() to handle prefices, give it saner calling conventions get rid of cg_invalf() ... 2020-02-07T19:48:37+00:00 Al Viro viro@zeniv.linux.org.uk 2019-09-07T11:23:15+00:00 urn:sha1:d7167b149943e38ad610191ecbb0800c78bbced9 The former contains nothing but a pointer to an array of the latter... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2020-02-07T19:48:36+00:00 Eric Sandeen sandeen@sandeen.net 2019-12-06T16:45:01+00:00 urn:sha1:96cafb9ccb153f6a82ff2c9bde68916d9d65501e Unused now. Signed-off-by: Eric Sandeen <sandeen@redhat.com> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2020-01-15T09:39:22+00:00 Peter Chen peter.chen@nxp.com 2019-12-12T08:35:03+00:00 urn:sha1:d2450c6937018d40d4111fe830fa48d4ddceb8d0 The UDC core uses req->num_sgs to judge if scatter buffer list is used. Eg: usb_gadget_map_request_by_dev. For f_fs sync io mode, the request is re-used for each request, so if the 1st request->length > PAGE_SIZE, and the 2nd request->length is <= PAGE_SIZE, the f_fs uses the 1st req->num_sgs for the 2nd request, it causes the UDC core get the wrong req->num_sgs value (The 2nd request doesn't use sg). For f_fs async io mode, it is not harm to initialize req->num_sgs as 0 either, in case, the UDC driver doesn't zeroed request structure. Cc: Jun Li <jun.li@nxp.com> Cc: stable <stable@vger.kernel.org> Fixes: 772a7a724f69 ("usb: gadget: f_fs: Allow scatter-gather buffers") Signed-off-by: Peter Chen <peter.chen@nxp.com> Signed-off-by: Felipe Balbi <balbi@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-09T18:36:44+00:00 Pankaj Bharadiya pankaj.laxminarayan.bharadiya@intel.com 2019-12-09T18:31:43+00:00 urn:sha1:c593642c8be046915ca3a4a300243a68077cd207 Replace all the occurrences of FIELD_SIZEOF() with sizeof_field() except at places where these are defined. Later patches will remove the unused definition of FIELD_SIZEOF(). This patch is generated using following script: EXCLUDE_FILES="include/linux/stddef.h|include/linux/kernel.h" git grep -l -e "\bFIELD_SIZEOF\b" | while read file; do if [[ "$file" =~ $EXCLUDE_FILES ]]; then continue fi sed -i -e 's/\bFIELD_SIZEOF\b/sizeof_field/g' $file; done Signed-off-by: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com> Link: https://lore.kernel.org/r/20190924105839.110713-3-pankaj.laxminarayan.bharadiya@intel.com Co-developed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: David Miller <davem@davemloft.net> # for net 2019-10-23T15:23:44+00:00 Arnd Bergmann arnd@arndb.de 2018-09-11T15:28:08+00:00 urn:sha1:01b8bca81e181ccca475e1fdb92ebb00d9d9b547 A handful of drivers all have a trivial wrapper around their ioctl handler, but don't call the compat_ptr() conversion function at the moment. In practice this does not matter, since none of them are used on the s390 architecture and for all other architectures, compat_ptr() does not do anything, but using the new compat_ptr_ioctl() helper makes it more correct in theory, and simplifies the code. I checked that all ioctl handlers in these files are compatible and take either pointer arguments or no argument. Acked-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> 2019-09-19T02:35:43+00:00 David Howells dhowells@redhat.com 2019-03-20T23:31:05+00:00 urn:sha1:dec90f61f125568088a6ada61832b366c1670e9f Convert the functionfs filesystem to the new internal mount API as the old one will be obsoleted and removed. This allows greater flexibility in communication of mount parameters between userspace, the VFS and the filesystem. See Documentation/filesystems/mount_api.txt for more information. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> cc: linux-usb@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>