Sync with -rc3 to solve conflict #112

Merged
merged 666 commits into from
Mar 16, 2021

@ojeda ojeda commented Mar 15, 2021

This solves a conflict that appears when syncing with -rc3.

lgtux and others added 30 commits March 10, 2021 09:23
Function _rtl92e_wx_set_scan calls memcpy without checking the length.
A user could control that length and trigger a buffer overflow.
Fix by checking the length is within the maximum allowed size.

Reviewed-by: Dan Carpenter <[email protected]>
Signed-off-by: Lee Gibson <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Function r8712_sitesurvey_cmd calls memcpy without checking the length.
A user could control that length and trigger a buffer overflow.
Fix by checking the length is within the maximum allowed size.

Signed-off-by: Lee Gibson <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The user can specify a "req->essid_len" of up to 255 but if it's
over IW_ESSID_MAX_SIZE (32) that can lead to memory corruption.

Fixes: 13a9930 ("staging: ks7010: add driver from Nanonote extra-repository")
Signed-off-by: Dan Carpenter <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/YD4fS8+HmM/Qmrw6@mwanda
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The Change-Of-State (COS) subdevice supports Comedi asynchronous
commands to read 16-bit change-of-state values.  However, the interrupt
handler is calling `comedi_buf_write_samples()` with the address of a
32-bit integer `&s->state`.  On bigendian architectures, it will copy 2
bytes from the wrong end of the 32-bit integer.  Fix it by transferring
the value via a 16-bit integer.

Fixes: 6bb45f2 ("staging: comedi: addi_apci_1032: use comedi_buf_write_samples()")
Cc: <[email protected]> # 3.19+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The digital input subdevice supports Comedi asynchronous commands that
read interrupt status information.  This uses 16-bit Comedi samples (of
which only the bottom 8 bits contain status information).  However, the
interrupt handler is calling `comedi_buf_write_samples()` with the
address of a 32-bit variable `unsigned int status`.  On a bigendian
machine, this will copy 2 bytes from the wrong end of the variable.  Fix
it by changing the type of the variable to `unsigned short`.

Fixes: a8c66b6 ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
Cc: <[email protected]> #4.0+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The analog input subdevice supports Comedi asynchronous commands that
use Comedi's 16-bit sample format.  However, the calls to
`comedi_buf_write_samples()` are passing the address of a 32-bit integer
variable.  On bigendian machines, this will copy 2 bytes from the wrong
end of the 32-bit value.  Fix it by changing the type of the variables
holding the sample value to `unsigned short`.  The type of the `val`
parameter of `pci1710_ai_read_sample()` is changed to `unsigned short *`
accordingly.  The type of the `val` variable in `pci1710_ai_insn_read()`
is also changed to `unsigned short` since its address is passed to
`pci1710_ai_read_sample()`.

Fixes: a9c3a01 ("staging: comedi: adv_pci1710: use comedi_buf_write_samples()")
Cc: <[email protected]> # 4.0+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The analog input subdevice supports Comedi asynchronous commands that
use Comedi's 16-bit sample format.  However, the call to
`comedi_buf_write_samples()` is passing the address of a 32-bit integer
variable.  On bigendian machines, this will copy 2 bytes from the wrong
end of the 32-bit value.  Fix it by changing the type of the variable
holding the sample value to `unsigned short`.

Fixes: d1d24cb ("staging: comedi: das6402: read analog input samples in interrupt handler")
Cc: <[email protected]> # 3.19+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The analog input subdevice supports Comedi asynchronous commands that
use Comedi's 16-bit sample format.  However, the call to
`comedi_buf_write_samples()` is passing the address of a 32-bit integer
variable.  On bigendian machines, this will copy 2 bytes from the wrong
end of the 32-bit value.  Fix it by changing the type of the variable
holding the sample value to `unsigned short`.

Fixes: ad9eb43 ("staging: comedi: das800: use comedi_buf_write_samples()")
Cc: <[email protected]> # 3.19+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The analog input subdevice supports Comedi asynchronous commands that
use Comedi's 16-bit sample format.  However, the call to
`comedi_buf_write_samples()` is passing the address of a 32-bit integer
variable.  On bigendian machines, this will copy 2 bytes from the wrong
end of the 32-bit value.  Fix it by changing the type of the variable
holding the sample value to `unsigned short`.

[Note: the bug was introduced in commit 1700529 ("staging: comedi:
dmm32at: use comedi_buf_write_samples()") but the patch applies better
to the later (but in the same kernel release) commit 0c0eada
("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()").]

Fixes: 0c0eada ("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()")
Cc: <[email protected]> # 3.19+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The analog input subdevice supports Comedi asynchronous commands that
use Comedi's 16-bit sample format.  However, the calls to
`comedi_buf_write_samples()` are passing the address of a 32-bit integer
variable.  On bigendian machines, this will copy 2 bytes from the wrong
end of the 32-bit value.  Fix it by changing the type of the variable
holding the sample value to `unsigned short`.

Fixes: de88924 ("staging: comedi: me4000: use comedi_buf_write_samples()")
Cc: <[email protected]> # 3.19+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The analog input subdevice supports Comedi asynchronous commands that
use Comedi's 16-bit sample format.  However, the call to
`comedi_buf_write_samples()` is passing the address of a 32-bit integer
variable.  On bigendian machines, this will copy 2 bytes from the wrong
end of the 32-bit value.  Fix it by changing the type of the variable
holding the sample value to `unsigned short`.

Fixes: 1f44c03 ("staging: comedi: pcl711: use comedi_buf_write_samples()")
Cc: <[email protected]> # 3.19+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The analog input subdevice supports Comedi asynchronous commands that
use Comedi's 16-bit sample format.  However, the call to
`comedi_buf_write_samples()` is passing the address of a 32-bit integer
parameter.  On bigendian machines, this will copy 2 bytes from the wrong
end of the 32-bit value.  Fix it by changing the type of the parameter
holding the sample value to `unsigned short`.

[Note: the bug was introduced in commit edf4537 ("staging: comedi:
pcl818: use comedi_buf_write_samples()") but the patch applies better to
commit d615416 ("staging: comedi: pcl818: introduce
pcl818_ai_write_sample()").]

Fixes: d615416 ("staging: comedi: pcl818: introduce pcl818_ai_write_sample()")
Cc: <[email protected]> # 4.0+
Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The Amplicon PC36AT/PCI236 common driver has an "interrupt" subdevice
that supports Comedi asynchronous commands, placing a value in the
Comedi buffer for each interrupt.  The subdevice uses Comedi's 16-bit
sample format but the interrupt handler is calling
`comedi_buf_write_samples()` with the address of a 32-bit integer
`&s->state`.  On bigendian machines, this will copy 2 bytes from the
wrong end of the 32-bit integer.  This isn't really a problem since
`s->state` will always be 0 for this subdevice, but clean it up by using
a 16-bit variable initialized to 0 to pass the value.

Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The comedi_parport driver has an "interrupt" subdevice that supports
Comedi asynchronous commands, placing a value in the Comedi buffer for
each interrupt.  The subdevice uses Comedi's 16-bit sample format but
the interrupt handler is calling `comedi_buf_write_samples()` with the
address of a 32-bit integer `&s->state`.  On bigendian machines, this
will copy 2 bytes from the wrong end of the 32-bit integer.  This isn't
really a problem since `s->state` will always be 0 for this subdevice,
but clean it up by using a 16-bit variable initialized to 0 to pass the
value.

Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The ni_6527 driver has an "interrupt" subdevice that supports Comedi
asynchronous commands, placing a value in the Comedi buffer for each
interrupt.  The subdevice uses Comedi's 16-bit sample format but the
interrupt handler is calling `comedi_buf_write_samples()` with the
address of a 32-bit integer `&s->state`.  On bigendian machines, this
will copy 2 bytes from the wrong end of the 32-bit integer.  This isn't
really a problem since `s->state` will always be 0 for this subdevice,
but clean it up by using a 16-bit variable initialized to 0 to pass the
value.

Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The ni_65xx driver has an "interrupt" subdevice that supports Comedi
asynchronous commands, placing a value in the Comedi buffer for each
interrupt.  The subdevice uses Comedi's 16-bit sample format but the
interrupt handler is calling `comedi_buf_write_samples()` with the
address of a 32-bit integer `&s->state`.  On bigendian machines, this
will copy 2 bytes from the wrong end of the 32-bit integer.  This isn't
really a problem since `s->state` will always be 0 for this subdevice,
but clean it up by using a 16-bit variable initialized to 0 to pass the
value.

Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The pcl726 driver has an "interrupt" subdevice that supports Comedi
asynchronous commands, placing a value in the Comedi buffer for each
interrupt.  The subdevice uses Comedi's 16-bit sample format but the
interrupt handler is calling `comedi_buf_write_samples()` with the
address of a 32-bit integer `&s->state`.  On bigendian machines, this
will copy 2 bytes from the wrong end of the 32-bit integer.  This isn't
really a problem since `s->state` will always be 0 for this subdevice,
but clean it up by using a 16-bit variable initialized to 0 to pass the
value.

Signed-off-by: Ian Abbott <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
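
The endian problem described in the Comedi commit messages above, as an added example that is not code from those commits or from the Comedi drivers. It lays out the variable's bytes explicitly for each byte order so the result does not depend on the host CPU; `buf_write_sample()` is a hypothetical stand-in for a 16-bit sample write, and all other names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum byte_order { ORDER_LITTLE, ORDER_BIG };

/* Lay out a 32-bit value in memory as a CPU of the given byte order would. */
static void store_u32(uint8_t out[4], uint32_t v, enum byte_order o)
{
    for (int i = 0; i < 4; i++) {
        int shift = (o == ORDER_LITTLE) ? 8 * i : 8 * (3 - i);
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Lay out a 16-bit value in memory as a CPU of the given byte order would. */
static void store_u16(uint8_t out[2], uint16_t v, enum byte_order o)
{
    for (int i = 0; i < 2; i++) {
        int shift = (o == ORDER_LITTLE) ? 8 * i : 8 * (1 - i);
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Read a 16-bit sample back the way a CPU of the given byte order would. */
static uint16_t load_u16(const uint8_t in[2], enum byte_order o)
{
    if (o == ORDER_LITTLE)
        return (uint16_t)(in[0] | (in[1] << 8));
    return (uint16_t)((in[0] << 8) | in[1]);
}

/*
 * Hypothetical stand-in for writing one 16-bit sample to a buffer:
 * it copies exactly 2 bytes starting at src, whatever src points to.
 */
static void buf_write_sample(uint8_t slot[2], const void *src)
{
    memcpy(slot, src, 2);
}

/* Pattern the commits fix: the address of a 32-bit variable is passed. */
uint16_t sample_via_u32(uint32_t value, enum byte_order o)
{
    uint8_t var[4], slot[2];

    store_u32(var, value, o);      /* the 32-bit variable in memory */
    buf_write_sample(slot, var);   /* copies its first 2 bytes only */
    return load_u16(slot, o);
}

/* Fixed pattern: narrow to a 16-bit variable first, then pass its address. */
uint16_t sample_via_u16(uint32_t value, enum byte_order o)
{
    uint8_t var[2], slot[2];

    store_u16(var, (uint16_t)value, o);
    buf_write_sample(slot, var);
    return load_u16(slot, o);
}

int main(void)
{
    const uint32_t value = 0x12340ABCu;  /* constructed: sample in low 16 bits */

    printf("u32 source, little-endian: 0x%04X\n",
           (unsigned)sample_via_u32(value, ORDER_LITTLE));
    printf("u32 source, big-endian:    0x%04X\n",
           (unsigned)sample_via_u32(value, ORDER_BIG));
    printf("u16 source, little-endian: 0x%04X\n",
           (unsigned)sample_via_u16(value, ORDER_LITTLE));
    printf("u16 source, big-endian:    0x%04X\n",
           (unsigned)sample_via_u16(value, ORDER_BIG));
    return 0;
}
```
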
We need to cap len at IW_ESSID_MAX_SIZE (32) to avoid memory corruption.
This can be controlled by the user via the ioctl.

Fixes: 5f53d8c ("Staging: add rtl8192SU wireless usb driver")
Signed-off-by: Dan Carpenter <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/YEHoAWMOSZBUw91F@mwanda
Signed-off-by: Greg Kroah-Hartman <[email protected]>
…on_data()

The "ie_len" is a value in the 1-255 range that comes from the user.  We
have to cap it to ensure that it's not too large or it could lead to
memory corruption.

Fixes: 9a7fe54 ("staging: r8188eu: Add source files for new driver - part 1")
Signed-off-by: Dan Carpenter <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/YEHyQCrFZKTXyT7J@mwanda
Signed-off-by: Greg Kroah-Hartman <[email protected]>
This code has a check to prevent read overflow but it needs another
check to prevent writing beyond the end of the ->ssid[] array.

Fixes: a2c60d4 ("staging: r8188eu: Add files for new driver - part 16")
Signed-off-by: Dan Carpenter <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/YEHymwsnHewzoam7@mwanda
Signed-off-by: Greg Kroah-Hartman <[email protected]>
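
The length checks described in the staging Wi-Fi commit messages above, as an added userspace example that is not the code of those commits. `struct scan_req`, `struct drv_state`, `set_scan_ssid()` and `run_case()` are hypothetical models; only the limit `IW_ESSID_MAX_SIZE` (32) and the 255 maximum for the user-supplied length come from the commit messages. It checks both the read side (bytes actually supplied) and the write side (size of `ssid[]`), with either a reject or a cap policy.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IW_ESSID_MAX_SIZE 32    /* value stated in the commit messages */

/* Constructed model of a user-supplied request (not a kernel structure). */
struct scan_req {
    uint8_t essid_len;          /* user controlled, up to 255 */
    uint8_t essid[255];
};

/* Constructed model of driver state: ssid[] with other state behind it. */
struct drv_state {
    uint8_t  ssid[IW_ESSID_MAX_SIZE];
    uint8_t  ssid_len;
    uint32_t canary;            /* stands in for whatever follows ssid[] */
};

enum policy { POLICY_REJECT, POLICY_CAP };

/*
 * Copy the requested ESSID into driver state.
 * Returns the number of bytes copied, or -EINVAL.
 * req_bytes is how many bytes of *req the caller really supplied.
 */
int set_scan_ssid(struct drv_state *st, const struct scan_req *req,
                  size_t req_bytes, enum policy p)
{
    size_t len;

    if (req_bytes < offsetof(struct scan_req, essid))
        return -EINVAL;         /* the length byte itself is missing */

    len = req->essid_len;

    /* Write-side check: never copy more than ssid[] can hold. */
    if (len > sizeof(st->ssid)) {
        if (p == POLICY_REJECT)
            return -EINVAL;
        len = sizeof(st->ssid); /* cap, as in "cap len at IW_ESSID_MAX_SIZE" */
    }

    /* Read-side check: never read past what the caller supplied. */
    if (req_bytes - offsetof(struct scan_req, essid) < len)
        return -EINVAL;

    memcpy(st->ssid, req->essid, len);
    st->ssid_len = (uint8_t)len;
    return (int)len;
}

struct outcome {
    int     rc;                 /* return value of set_scan_ssid() */
    uint8_t ssid_len;           /* length recorded in driver state */
    int     canary_ok;          /* 1 if adjacent state is untouched */
};

/* Run one constructed request through the checked copy. */
struct outcome run_case(enum policy p, uint8_t claimed_len, size_t supplied)
{
    struct scan_req req;
    struct drv_state st;
    struct outcome o;

    memset(&req, 'A', sizeof(req));     /* constructed ESSID bytes */
    req.essid_len = claimed_len;
    memset(&st, 0, sizeof(st));
    st.canary = 0xC0FFEE00u;

    o.rc = set_scan_ssid(&st, &req, supplied, p);
    o.ssid_len = st.ssid_len;
    o.canary_ok = (st.canary == 0xC0FFEE00u);
    return o;
}

int main(void)
{
    struct outcome o;

    o = run_case(POLICY_REJECT, 200, sizeof(struct scan_req));
    printf("reject, len 200: rc=%d ssid_len=%u canary_ok=%d\n",
           o.rc, (unsigned)o.ssid_len, o.canary_ok);
    o = run_case(POLICY_CAP, 200, sizeof(struct scan_req));
    printf("cap,    len 200: rc=%d ssid_len=%u canary_ok=%d\n",
           o.rc, (unsigned)o.ssid_len, o.canary_ok);
    o = run_case(POLICY_CAP, 20, 11);
    printf("cap,    len 20 with 11 bytes supplied: rc=%d\n", o.rc);
    return 0;
}
```
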
This reverts commit 314fd52.

It turns .h files into non-stand-alone when building, which might cause
problems in the long-run.

Reported-by: Jérôme Pouiller <[email protected]>
Cc: Muhammad Usama Anjum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
ttyname is allocated before the mutex is taken, so it must not be
unlocked in the error path.

Fixes: fd4a641 ("leds: trigger: implement a tty trigger")
Reported-by: Pavel Machek <[email protected]>
Acked-by: Pavel Machek <[email protected]>
Signed-off-by: Uwe Kleine-König <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
led_set_brightness() involves scheduling a workqueue. As here the led's
brightness setting is done in context of the trigger's workqueue this is
unjustified overhead and it's more sensible to use
led_set_brightness_sync().

Fixes: fd4a641 ("leds: trigger: implement a tty trigger")
Reported-by: Pavel Machek <[email protected]>
Acked-by: Pavel Machek <[email protected]>
Signed-off-by: Uwe Kleine-König <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
This reverts commit fce3c5c.

FIFO is triggered 4 intervals after receiving a byte, it's good
when we don't care about the time of reception, but are only
interested in the presence of any activity on the line.
Unfortunately, this method is not suitable for all tasks,
for example, the RS-485 protocol will not work properly,
since the state machine must track the request-response time
and after the timeout expires, a decision is made that the device
on the line is not responding.

Signed-off-by: Alexander Shiyan <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Fixes: fce3c5c ("serial: max310x: rework RX interrupt handling")
Cc: Thomas Petazzoni <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
This reverts commit 33d4ae9.

Pierre-Louis writes:

	Our SOF/audio CI shows an across-the-board regression when we try v5.12-rc1,
	specifically on pause/resume tests with an interactive terminal running 'aplay
	-i' commands managed by expect to simulate the user pressing the space bar to
	pause/unpause. It turns out the processes are no longer killed and the audio
	devices remain busy (see publicly available test results listed below).

	git bisect points to commit 33d4ae9 ("drivers:tty:pty: Fix a race
	causing data loss on close"). Reverting the patch fixes the issue on all test
	devices.

	Further analysis with Corey Minyard points to a problem where a slave tty will
	not get a SIGHUP when the master is closed.

So revert this for now:

Reported-by: Pierre-Louis Bossart <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: Corey Minyard <[email protected]>
Cc: Jiri Slaby <[email protected]>
Cc: Mark Brown <[email protected]>,
Fixes: 33d4ae9 ("drivers:tty:pty: Fix a race causing data loss on close")
Signed-off-by: Greg Kroah-Hartman <[email protected]>
The CDC ACM driver is false matching the Goodix Fingerprint device
against the USB_CDC_ACM_PROTO_AT_V25TER.

The Goodix Fingerprint device is a biometrics sensor that should be
handled in user-space. libfprint has some support for Goodix
fingerprint sensors, although not for this particular one. It is
possible that the vendor allocates a PID per OEM (Lenovo, Dell etc).
If this happens to be the case then more devices from the same vendor
could potentially match the ACM modem module table.

Signed-off-by: Yorick de Wid <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
It enables USB Host support for sc8180x ACPI boot, both the standalone
one and the one behind URS (USB Role Switch).  And they share the
same dwc3_acpi_pdata with sdm845.

Signed-off-by: Shawn Guo <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
If the string is invalid, this should return -EINVAL instead of 0.

Fixes: 73517cf ("usb: gadget: add RNDIS configfs options for class/subclass/protocol")
Cc: stable <[email protected]>
Acked-by: Lorenzo Colitti <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/r/YCqZ3P53yyIg5cn7@mwanda
Signed-off-by: Greg Kroah-Hartman <[email protected]>
…audio slot

As per UAC2 Audio Data Formats spec (2.3.1.1 USB Packets),
if the sampling rate is a constant, the allowable variation
of number of audio slots per virtual frame is +/- 1 audio slot.

It means that endpoint should be able to accept/send +1 audio
slot.

Previous endpoint max_packet_size calculation code
was adding sometimes +1 audio slot due to DIV_ROUND_UP
behaviour which was rounding up to closest integer.
However this doesn't work if the numbers are divisible.

It had no impact with Linux hosts which ignore
this issue, but in case of more strict Windows it
caused rejected enumeration.

Thus always add +1 audio slot to endpoint's max packet size.

Fixes: 913e4a9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth")
Cc: Peter Chen <[email protected]>
Cc: <[email protected]> #v4.3+
Signed-off-by: Ruslan Bilovol <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
There is missing playback stop/cleanup in case of
gadget's ->disable callback that happens on
events like USB host resetting or gadget disconnection

Fixes: 0591bc2 ("usb: gadget: add f_uac1 variant based on a new u_audio api")
Cc: <[email protected]> # 4.13+
Signed-off-by: Ruslan Bilovol <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
minchank and others added 23 commits March 13, 2021 11:27
writeback_store's return value is overwritten by submit_bio_wait's return
value.  Thus, writeback_store will return zero since there was no IO
error.  In the end, write syscall from userspace will see the zero as
return value, which could make the process stall to keep trying the write
until it will succeed.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: 3b82a05 ("drivers/block/zram/zram_drv.c: fix error return codes not being returned in writeback_store")
Signed-off-by: Minchan Kim <[email protected]>
Cc: Sergey Senozhatsky <[email protected]>
Cc: Colin Ian King <[email protected]>
Cc: John Dias <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
commit 0d83596 ("zram: support page writeback") introduced two
problems.  It overwrites writeback_store's return value as kstrtol's
return value, which makes return value zero so user could see zero as
return value of write syscall even though it wrote data successfully.

It also breaks index value in the loop in that it doesn't increase the
index any longer.  It means it can write only first starting block index
so user couldn't write all idle pages in the zram so lose memory saving
chance.

This patch fixes those issues.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: 0d83596 ("zram: support page writeback")
Signed-off-by: Minchan Kim <[email protected]>
Reported-by: Amos Bianchi <[email protected]>
Cc: Sergey Senozhatsky <[email protected]>
Cc: John Dias <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
…x/kernel/git/masahiroy/linux-kbuild

Pull Kbuild fixes from Masahiro Yamada:

 - avoid 'make image_name' invoking syncconfig

 - fix a couple of bugs in scripts/dummy-tools

 - fix LLD_VENDOR and locale issues in scripts/ld-version.sh

 - rebuild GCC plugins when the compiler is upgraded

 - allow LTO to be enabled with KASAN_HW_TAGS

 - allow LTO to be enabled without LLVM=1

* tag 'kbuild-fixes-v5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
  kbuild: fix ld-version.sh to not be affected by locale
  kbuild: remove meaningless parameter to $(call if_changed_rule,dtc)
  kbuild: remove LLVM=1 test from HAS_LTO_CLANG
  kbuild: remove unneeded -O option to dtc
  kbuild: dummy-tools: adjust to scripts/cc-version.sh
  kbuild: Allow LTO to be selected with KASAN_HW_TAGS
  kbuild: dummy-tools: support MPROFILE_KERNEL checks for ppc
  kbuild: rebuild GCC plugins when the compiler is upgraded
  kbuild: Fix ld-version.sh script if LLD was built with LLD_VENDOR
  kbuild: dummy-tools: fix inverted tests for gcc
  kbuild: add image_name to no-sync-config-targets
…kernel/git/xiang/erofs

Pull erofs fix from Gao Xiang:
 "Fix an urgent regression introduced by commit baa2c7c ("block:
  set .bi_max_vecs as actual allocated vector number"), which could
  cause unexpected hung since linux 5.12-rc1.

  Resolve it by avoiding using bio->bi_max_vecs completely"

* tag 'erofs-for-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
  erofs: fix bio->bi_max_vecs behavior change
…/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are a small number of USB fixes for 5.12-rc3 to resolve a bunch
  of reported issues:

   - usbip fixups for issues found by syzbot

   - xhci driver fixes and quirk additions

   - gadget driver fixes

   - dwc3 QCOM driver fix

   - usb-serial new ids and fixes

   - usblp fix for a long-time issue

   - cdc-acm quirk addition

   - other tiny fixes for reported problems

  All of these have been in linux-next for a while with no reported
  issues"

* tag 'usb-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (25 commits)
  xhci: Fix repeated xhci wake after suspend due to uncleared internal wake state
  usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing
  xhci: Improve detection of device initiated wake signal.
  usb: xhci: do not perform Soft Retry for some xHCI hosts
  usbip: fix vudc usbip_sockfd_store races leading to gpf
  usbip: fix vhci_hcd attach_store() races leading to gpf
  usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
  usbip: fix vudc to check for stream socket
  usbip: fix vhci_hcd to check for stream socket
  usbip: fix stub_dev to check for stream socket
  usb: dwc3: qcom: Add missing DWC3 OF node refcount decrement
  USB: usblp: fix a hang in poll() if disconnected
  USB: gadget: udc: s3c2410_udc: fix return value check in s3c2410_udc_probe()
  usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM
  usb: dwc3: qcom: Honor wakeup enabled/disabled state
  usb: gadget: f_uac1: stop playback on function disable
  usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot
  USB: gadget: u_ether: Fix a configfs return code
  usb: dwc3: qcom: add ACPI device id for sc8180x
  Goodix Fingerprint device is not a modem
  ...
…/git/gregkh/tty

Pull tty/serial fixes from Greg KH:
 "Here are some small tty and serial driver fixes to resolve some
  reported problems:

   - led tty trigger fixes based on review and were acked by the led
     maintainer

   - revert a max310x serial driver patch as it was causing problems

   - revert a pty change as it was also causing problems

  All of these have been in linux-next for a while with no reported
  problems"

* tag 'tty-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  Revert "drivers:tty:pty: Fix a race causing data loss on close"
  Revert "serial: max310x: rework RX interrupt handling"
  leds: trigger/tty: Use led_set_brightness_sync() from workqueue
  leds: trigger: Fix error path to not unlock the unlocked mutex
…rnel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
 "Here are some small staging driver fixes for reported problems. They
  include:

   - wfx header file cleanup patch reverted as it could cause problems

   - comedi driver endian fixes

   - buffer overflow problems for staging wifi drivers

   - build dependency issue for rtl8192e driver

  All have been in linux-next for a while with no reported problems"

* tag 'staging-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (23 commits)
  Revert "staging: wfx: remove unused included header files"
  staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
  staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
  staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
  staging: comedi: pcl726: Use 16-bit 0 for interrupt data
  staging: comedi: ni_65xx: Use 16-bit 0 for interrupt data
  staging: comedi: ni_6527: Use 16-bit 0 for interrupt data
  staging: comedi: comedi_parport: Use 16-bit 0 for interrupt data
  staging: comedi: amplc_pc236_common: Use 16-bit 0 for interrupt data
  staging: comedi: pcl818: Fix endian problem for AI command data
  staging: comedi: pcl711: Fix endian problem for AI command data
  staging: comedi: me4000: Fix endian problem for AI command data
  staging: comedi: dmm32at: Fix endian problem for AI command data
  staging: comedi: das800: Fix endian problem for AI command data
  staging: comedi: das6402: Fix endian problem for AI command data
  staging: comedi: adv_pci1710: Fix endian problem for AI command data
  staging: comedi: addi_apci_1500: Fix endian problem for command sample
  staging: comedi: addi_apci_1032: Fix endian problem for COS sample
  staging: ks7010: prevent buffer overflow in ks_wlan_set_scan()
  staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
  ...
…kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
 "Here are some small misc/char driver fixes to resolve some reported
  problems:

   - habanalabs driver fixes

   - Acrn build fixes (reported many times)

   - pvpanic module table export fix

  All of these have been in linux-next for a while with no reported
  issues"

* tag 'char-misc-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  misc/pvpanic: Export module FDT device table
  misc: fastrpc: restrict user apps from sending kernel RPC messages
  virt: acrn: Correct type casting of argument of copy_from_user()
  virt: acrn: Use EPOLLIN instead of POLLIN
  virt: acrn: Use vfs_poll() instead of f_op->poll()
  virt: acrn: Make remove_cpu sysfs invisible with !CONFIG_HOTPLUG_CPU
  cpu/hotplug: Fix build error of using {add,remove}_cpu() with !CONFIG_SMP
  habanalabs: fix debugfs address translation
  habanalabs: Disable file operations after device is removed
  habanalabs: Call put_pid() when releasing control device
  drivers: habanalabs: remove unused dentry pointer for debugfs files
  habanalabs: mark hl_eq_inc_ptr() as static
…x/kernel/git/maz/arm-platforms into irq/urgent

Pull irqchip fixes from Marc Zyngier:

  - More compatible strings for the Ingenic irqchip (introducing the
    JZ4760B SoC)
  - Select GENERIC_IRQ_MULTI_HANDLER on the ARM ep93xx platform
  - Drop all GENERIC_IRQ_MULTI_HANDLER selections from the irqchip
    Kconfig, now relying on the architecture to get it right
  - Drop the debugfs_file field from struct irq_domain, now that
    debugfs can track things on its own
Merge misc fixes from Andrew Morton:
 "28 patches.

  Subsystems affected by this series: mm (memblock, pagealloc, hugetlb,
  highmem, kfence, oom-kill, madvise, kasan, userfaultfd, memcg, and
  zram), core-kernel, kconfig, fork, binfmt, MAINTAINERS, kbuild, and
  ia64"

* emailed patches from Andrew Morton <[email protected]>: (28 commits)
  zram: fix broken page writeback
  zram: fix return value on writeback_store
  mm/memcg: set memcg when splitting page
  mm/memcg: rename mem_cgroup_split_huge_fixup to split_page_memcg and add nr_pages argument
  ia64: fix ptrace(PTRACE_SYSCALL_INFO_EXIT) sign
  ia64: fix ia64_syscall_get_set_arguments() for break-based syscalls
  mm/userfaultfd: fix memory corruption due to writeprotect
  kasan: fix KASAN_STACK dependency for HW_TAGS
  kasan, mm: fix crash with HW_TAGS and DEBUG_PAGEALLOC
  mm/madvise: replace ptrace attach requirement for process_madvise
  include/linux/sched/mm.h: use rcu_dereference in in_vfork()
  kfence: fix reports if constant function prefixes exist
  kfence, slab: fix cache_alloc_debugcheck_after() for bulk allocations
  kfence: fix printk format for ptrdiff_t
  linux/compiler-clang.h: define HAVE_BUILTIN_BSWAP*
  MAINTAINERS: exclude uapi directories in API/ABI section
  binfmt_misc: fix possible deadlock in bm_register_write
  mm/highmem.c: fix zero_user_segments() with start > end
  hugetlb: do early cow when page pinned on src mm
  mm: use is_cow_mapping() across tree where proper
  ...
Pull KVM fixes from Paolo Bonzini:
 "More fixes for ARM and x86"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: LAPIC: Advancing the timer expiration on guest initiated write
  KVM: x86/mmu: Skip !MMU-present SPTEs when removing SP in exclusive mode
  KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged
  kvm: x86: annotate RCU pointers
  KVM: arm64: Fix exclusive limit for IPA size
  KVM: arm64: Reject VM creation when the default IPA size is unsupported
  KVM: arm64: Ensure I-cache isolation between vcpus of a same VM
  KVM: arm64: Don't use cbz/adr with external symbols
  KVM: arm64: Fix range alignment when walking page tables
  KVM: arm64: Workaround firmware wrongly advertising GICv2-on-v3 compatibility
  KVM: arm64: Rename __vgic_v3_get_ich_vtr_el2() to __vgic_v3_get_gic_config()
  KVM: arm64: Don't access PMSELR_EL0/PMUSERENR_EL0 when no PMU is available
  KVM: arm64: Turn kvm_arm_support_pmu_v3() into a static key
  KVM: arm64: Fix nVHE hyp panic host context restore
  KVM: arm64: Avoid corrupting vCPU context register in guest exit
  KVM: arm64: nvhe: Save the SPE context early
  kvm: x86: use NULL instead of using plain integer as pointer
  KVM: SVM: Connect 'npt' module param to KVM's internal 'npt_enabled'
  KVM: x86: Ensure deadline timer has truly expired before posting its IRQ
…el/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:
 "Some more powerpc fixes for 5.12:

   - Fix wrong instruction encoding for lis in ppc_function_entry(),
     which could potentially lead to missed kprobes.

   - Fix SET_FULL_REGS on 32-bit and 64e, which prevented ptrace of
     non-volatile GPRs immediately after exec.

   - Clean up a missed SRR specifier in the recent interrupt rework.

   - Don't treat unrecoverable_exception() as an interrupt handler, it's
     called from other handlers so shouldn't do the interrupt entry/exit
     accounting itself.

   - Fix build errors caused by missing declarations for
     [en/dis]able_kernel_vsx().

  Thanks to Christophe Leroy, Daniel Axtens, Geert Uytterhoeven, Jiri
  Olsa, Naveen N. Rao, and Nicholas Piggin"

* tag 'powerpc-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/traps: unrecoverable_exception() is not an interrupt handler
  powerpc: Fix missing declaration of [en/dis]able_kernel_vsx()
  powerpc/64s/exception: Clean up a missed SRR specifier
  powerpc: Fix inverted SET_FULL_REGS bitop
  powerpc/64s: Use symbolic macros for function entry encoding
  powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
…linux/kernel/git/tip/tip

Pull x86 fixes from Borislav Petkov:

 - A couple of SEV-ES fixes and robustifications: verify usermode stack
   pointer in NMI is not coming from the syscall gap, correctly track
   IRQ states in the #VC handler and access user insn bytes atomically
   in same handler as latter cannot sleep.

 - Balance 32-bit fast syscall exit path to do the proper work on exit
   and thus not confuse audit and ptrace frameworks.

 - Two fixes for the ORC unwinder going "off the rails" into KASAN
   redzones and when ORC data is missing.

* tag 'x86_urgent_for_v5.12_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/sev-es: Use __copy_from_user_inatomic()
  x86/sev-es: Correctly track IRQ states in runtime #VC handler
  x86/sev-es: Check regs->sp is trusted before adjusting #VC IST stack
  x86/sev-es: Introduce ip_within_syscall_gap() helper
  x86/entry: Fix entry/exit mismatch on failed fast 32-bit syscalls
  x86/unwind/orc: Silence warnings caused by missing ORC data
  x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2
…linux/kernel/git/tip/tip

Pull EFI fix from Ard Biesheuvel via Borislav Petkov:
 "Fix an oversight in the handling of EFI_RT_PROPERTIES_TABLE, which was
  added in v5.10, but failed to take the SetVirtualAddressMap() RT service
  into account"

* tag 'efi-urgent-for-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  efi: stub: omit SetVirtualAddressMap() if marked unsupported in RT_PROP table
…/linux/kernel/git/tip/tip

Pull perf fixes from Borislav Petkov:

 - Make sure PMU internal buffers are flushed for per-CPU events too and
   properly handle PID/TID for large PEBS.

 - Handle the case properly when there's no PMU and therefore return an
   empty list of perf MSRs for VMX to switch instead of reading random
   garbage from the stack.

* tag 'perf_urgent_for_v5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/perf: Use RET0 as default for guest_get_msrs to handle "no PMU" case
  perf/x86/intel: Set PERF_ATTACH_SCHED_CB for large PEBS and LBR
  perf/core: Flush PMU internal buffers for per-CPU events
…/linux/kernel/git/tip/tip

Pull locking fixes from Thomas Gleixner:
 "A couple of locking fixes:

   - A fix for the static_call mechanism so it handles unaligned
     addresses correctly.

   - Make u64_stats_init() a macro so every instance gets a separate
     lockdep key.

   - Make seqcount_latch_init() a macro as well to preserve the static
     variable which is used for the lockdep key"

* tag 'locking-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  seqlock,lockdep: Fix seqcount_latch_init()
  u64_stats,lockdep: Fix u64_stats_init() vs lockdep
  static_call: Fix the module key fixup
…/linux/kernel/git/tip/tip

Pull objtool fix from Thomas Gleixner:
 "A single objtool fix to handle the PUSHF/POPF validation correctly for
  the paravirt changes which modified arch_local_irq_restore not to use
  popf"

* tag 'objtool-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  objtool,x86: Fix uaccess PUSHF/POPF validation
…inux/kernel/git/tip/tip

Pull scheduler fixes from Thomas Gleixner:
 "A set of scheduler updates:

   - Prevent a NULL pointer dereference in the migration_stop_cpu()
     mechanism

   - Prevent self concurrency of affine_move_task()

   - Small fixes and cleanups related to task migration/affinity setting

   - Ensure that sync_runqueues_membarrier_state() is invoked on the
     current CPU when it is in the cpu mask"

* tag 'sched-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched/membarrier: fix missing local execution of ipi_sync_rq_state()
  sched: Simplify set_affinity_pending refcounts
  sched: Fix affine_move_task() self-concurrency
  sched: Optimize migration_cpu_stop()
  sched: Collate affine_move_task() stoppers
  sched: Simplify migration_cpu_stop()
  sched: Fix migration_cpu_stop() requeueing
…linux/kernel/git/tip/tip

Pull timer fix from Thomas Gleixner:
 "A single fix for hrtimers to prevent an interrupt storm caused by
  the lack of reevaluation of the timers which expire in softirq context
  under certain circumstances, e.g. when the clock was set"

* tag 'timers-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event()
…ux/kernel/git/tip/tip

Pull irq fixes from Thomas Gleixner:
 "A set of irqchip updates:

   - Make the GENERIC_IRQ_MULTI_HANDLER configuration correct

   - Add a missing DT compatible string for the Ingenic driver

   - Remove the pointless debugfs_file pointer from struct irqdomain"

* tag 'irq-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqchip/ingenic: Add support for the JZ4760
  dt-bindings/irq: Add compatible string for the JZ4760B
  irqchip: Do not blindly select CONFIG_GENERIC_IRQ_MULTI_HANDLER
  ARM: ep93xx: Select GENERIC_IRQ_MULTI_HANDLER directly
  irqdomain: Remove debugfs_file from struct irq_domain
Doing a

	prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);

will copy 1 byte from userspace to (quite big) on-stack array
and then stash everything to mm->saved_auxv.
AT_NULL terminator will be inserted at the very end.

/proc/*/auxv handler will find that AT_NULL terminator
and copy original stack contents to userspace.

This devious scheme requires CAP_SYS_RESOURCE.

Signed-off-by: Alexey Dobriyan <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
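
The leak described in the commit message above, as a userland model added here (not the kernel's code and not part of the original page). `model_set_auxv`, `model_auxv_words`, `AUXV_WORDS` and the 0xAA stale marker are hypothetical names and values; the zero-first variant is one common hardening for this pattern, since the page does not show the actual patch.

```c
#include <stdio.h>
#include <string.h>

#define AT_NULL    0
#define AUXV_WORDS 8    /* small stand-in for the kernel's array size */
#define STALE_BYTE 0xAA /* constructed marker for leftover stack contents */
#define AUXV_BYTES (AUXV_WORDS * sizeof(unsigned long))

/* Write side. `stack` plays the on-stack array; the caller pre-fills it. */
static int model_set_auxv(unsigned long *saved, unsigned long *stack,
                          const void *user, size_t len, int zero_first)
{
    if (len > AUXV_BYTES)
        return -1;
    if (zero_first)                   /* hardened variant */
        memset(stack, 0, AUXV_BYTES);
    memcpy(stack, user, len);         /* stands in for copy_from_user() */
    stack[AUXV_WORDS - 2] = AT_NULL;  /* terminator at the very end */
    stack[AUXV_WORDS - 1] = 0;
    memcpy(saved, stack, AUXV_BYTES); /* stash the whole array */
    return 0;
}

/* Read side: words exposed, pairs up to and including the first AT_NULL. */
static size_t model_auxv_words(const unsigned long *saved)
{
    size_t n = 0;
    do {
        n += 2;
    } while (n < AUXV_WORDS && saved[n - 2] != AT_NULL);
    return n;
}

/* Fully stale words a reader receives after a 1-byte write. */
static size_t stale_words_exposed(int zero_first)
{
    unsigned long stack[AUXV_WORDS], saved[AUXV_WORDS], stale;
    const unsigned char user_byte = 0x41; /* constructed input */
    size_t i, n, hits = 0;

    memset(stack, STALE_BYTE, sizeof(stack));
    memset(&stale, STALE_BYTE, sizeof(stale));
    model_set_auxv(saved, stack, &user_byte, 1, zero_first);
    n = model_auxv_words(saved);
    for (i = 0; i < n; i++)
        hits += (saved[i] == stale);
    return hits;
}

int main(void) { printf("%zu %zu\n", stale_words_exposed(0), stale_words_exposed(1)); return 0; }
```

Without zeroing, the reader walks past the single written byte through every stale word until the terminator at the end; with zeroing, the first all-zero pair stops it.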
Linux 5.12-rc3

Signed-off-by: Miguel Ojeda <[email protected]>
@alex alex left a comment

Review process:

~/p/linux ❯❯❯ git diff v5.12-rc2 rust -- > current.diff
~/p/linux ❯❯❯ git diff v5.12-rc3 rust/rust-sync -- > next.diff
~/p/linux ❯❯❯ diff -u current.diff next.diff | pygmentize -ldiff | less -R

ojeda commented Mar 15, 2021

The failure looks like the huge stack test, so it should be OK.

@ojeda ojeda merged commit a116223 into rust Mar 16, 2021
@ojeda ojeda deleted the rust-sync branch March 16, 2021 00:11
ojeda commented Mar 16, 2021

> Review process:
>
> ~/p/linux ❯❯❯ git diff v5.12-rc2 rust -- > current.diff
> ~/p/linux ❯❯❯ git diff v5.12-rc3 rust/rust-sync -- > next.diff
> ~/p/linux ❯❯❯ diff -u current.diff next.diff | pygmentize -ldiff | less -R

+1 A diff of diffs :-) VS Code, Vim etc. also work to quickly take a look.

I usually take a look at the combined diff (e.g. git show da1e5d82da).

Related: there is also the somewhat new git range-diff which is quite useful when dealing with versions of patch series (i.e. diff of 2 ranges).

fbq pushed a commit that referenced this pull request Dec 28, 2023
With latest upstream llvm18, the following test cases failed:

  $ ./test_progs -j
  #13/2    bpf_cookie/multi_kprobe_link_api:FAIL
  #13/3    bpf_cookie/multi_kprobe_attach_api:FAIL
  #13      bpf_cookie:FAIL
  #77      fentry_fexit:FAIL
  #78/1    fentry_test/fentry:FAIL
  #78      fentry_test:FAIL
  #82/1    fexit_test/fexit:FAIL
  #82      fexit_test:FAIL
  #112/1   kprobe_multi_test/skel_api:FAIL
  #112/2   kprobe_multi_test/link_api_addrs:FAIL
  [...]
  #112     kprobe_multi_test:FAIL
  #356/17  test_global_funcs/global_func17:FAIL
  #356     test_global_funcs:FAIL

Further analysis shows llvm upstream patch [1] is responsible for the above
failures. For example, for function bpf_fentry_test7() in net/bpf/test_run.c,
without [1], the asm code is:

  0000000000000400 <bpf_fentry_test7>:
     400: f3 0f 1e fa                   endbr64
     404: e8 00 00 00 00                callq   0x409 <bpf_fentry_test7+0x9>
     409: 48 89 f8                      movq    %rdi, %rax
     40c: c3                            retq
     40d: 0f 1f 00                      nopl    (%rax)

... and with [1], the asm code is:

  0000000000005d20 <bpf_fentry_test7.specialized.1>:
    5d20: e8 00 00 00 00                callq   0x5d25 <bpf_fentry_test7.specialized.1+0x5>
    5d25: c3                            retq

... and <bpf_fentry_test7.specialized.1> is called instead of <bpf_fentry_test7>
and this caused test failures for #13/#77 etc. except #356.

For test case #356/17, with [1] (progs/test_global_func17.c), the main prog
looks like:

  0000000000000000 <global_func17>:
       0:       b4 00 00 00 2a 00 00 00 w0 = 0x2a
       1:       95 00 00 00 00 00 00 00 exit

... which passed verification while the test itself expects a verification
failure.

Let us add 'barrier_var' style asm code in both places to prevent function
specialization which caused selftests failure.

  [1] llvm/llvm-project#72903

Signed-off-by: Yonghong Song <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Link: https://lore.kernel.org/bpf/[email protected]