One of the more common cases of allocation size calculations is finding
the size of a structure that has a zero-sized array at the end, along
with memory for some number of elements for that array. For example:
    struct pcpu_alloc_info {
        ...
        struct pcpu_group_info groups[];
    };
Make use of the struct_size() helper instead of an open-coded version
in order to avoid any potential type mistakes.
So, replace the following form:
    sizeof(*ai) + nr_groups * sizeof(ai->groups[0])
with:
    struct_size(ai, groups, nr_groups)
This code was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Dennis Zhou <dennis@kernel.org>
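The replacement described in the commit message above, as an added userspace example (not part of the commit or of the kernel source). `struct alloc_info`, `struct group_info`, `flex_size()` and `STRUCT_SIZE()` are constructed stand-ins modelled on the helper; the sketch assumes a saturate-on-overflow helper and shows the element size being derived from the member itself instead of being typed by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the structures named in the commit message. */
struct group_info { int nr_units; unsigned long base_offset; };

struct alloc_info {
    size_t nr_groups;
    struct group_info groups[];   /* trailing flexible array */
};

/* Open-coded form: the multiplication wraps silently for a huge count. */
static size_t open_coded_size(size_t nr_groups)
{
    return sizeof(struct alloc_info) + nr_groups * sizeof(struct group_info);
}

/* header + n * elem, saturating at SIZE_MAX instead of wrapping. */
static size_t flex_size(size_t header, size_t elem, size_t n)
{
    size_t bytes;

    if (__builtin_mul_overflow(n, elem, &bytes) ||
        __builtin_add_overflow(bytes, header, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Both sizes come from the pointer and member, so they cannot disagree. */
#define STRUCT_SIZE(p, member, n) \
    flex_size(sizeof(*(p)), sizeof((p)->member[0]), (n))

static struct alloc_info *alloc_info_new(size_t nr_groups)
{
    struct alloc_info *ai = NULL;
    size_t bytes = STRUCT_SIZE(ai, groups, nr_groups);

    if (bytes == SIZE_MAX)        /* a saturated size is never allocated */
        return NULL;
    ai = calloc(1, bytes);
    if (ai)
        ai->nr_groups = nr_groups;
    return ai;
}

/* 1 if the allocation succeeded with the requested element count. */
static int alloc_ok(size_t nr_groups)
{
    struct alloc_info *ai = alloc_info_new(nr_groups);
    int ok = ai != NULL && ai->nr_groups == nr_groups;

    free(ai);
    return ok;
}

int main(void)
{
    size_t huge = SIZE_MAX / sizeof(struct group_info) + 1;

    printf("open-coded size for %zu groups: %zu bytes\n",
           huge, open_coded_size(huge));
    printf("checked allocation accepted: %d\n", alloc_ok(huge));
    return 0;
}
```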
Make sure that attribute methods are not called after the item
has been removed from the tree. To do so, we
* at the point of no return in removals, grab ->frag_sem
  exclusive and mark the fragment dead.
* call the methods of attributes with ->frag_sem taken
  shared and only after having verified that the fragment is still
  alive.
The main benefit is for method instances - they are
guaranteed that the objects they are accessing *and* all ancestors
are still there. Another win is that we don't need to bother
with extra refcount on config_item when opening a file -
the item will be alive for as long as it stays in the tree, and
we won't touch it/attributes/any associated data after it's
been removed from the tree.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christoph Hellwig <hch@lst.de>
1. Minor fixup in plat and mach code (S3C platforms),
2. Enable exynos-chipid driver to provide SoC related information,
3. Extend the patterns for Samsung maintainer entries to cover all
important files.
Merge tag 'samsung-soc-5.4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into arm/soc
Samsung mach/soc changes for v5.4
1. Minor fixup in plat and mach code (S3C platforms),
2. Enable exynos-chipid driver to provide SoC related information,
3. Extend the patterns for Samsung maintainer entries to cover all
important files.
* tag 'samsung-soc-5.4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux:
MAINTAINERS: Extend patterns for Samsung SoC, Security Subsystem and clock drivers
ARM: s3c64xx: squash samsung_usb_phy.h into setup-usb-phy.c
ARM: exynos: Enable exynos-chipid driver
ARM: samsung: Include GPIO driver header
Link: https://lore.kernel.org/r/20190904175002.10487-5-krzk@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
1. Enable AHCI platform driver on exynos defconfig for Exynos5250-based
Arndale board,
2. Make Max77802 PMIC regulator driver a built-in on multi_v7 defconfig
as it is essential early during boot.
Merge tag 'samsung-defconfig-5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into arm/defconfig
Samsung defconfig changes for v5.4
1. Enable AHCI platform driver on exynos defconfig for Exynos5250-based
Arndale board,
2. Make Max77802 PMIC regulator driver a built-in on multi_v7 defconfig
as it is essential early during boot.
* tag 'samsung-defconfig-5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux:
ARM: multi_v7_defconfig: Make MAX77802 regulator driver built-in
ARM: exynos_defconfig: Enable AHCI-platform SATA driver
Link: https://lore.kernel.org/r/20190904175002.10487-2-krzk@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
There were bugs in the DSI transfer (read and write) function
as it was only tested with displays ever needing a single byte
to be written. Fixed it up and tested so we can now write
messages of up to 16 bytes and read up to 4 bytes from the
display.
Tested with a Sony ACX424AKP display: this display now self-
identifies and can control backlight in command mode.
Reported-by: kbuild test robot <lkp@intel.com>
Fixes: 5fc537bfd0 ("drm/mcde: Add new driver for ST-Ericsson MCDE")
Reviewed-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190903170804.17053-1-linus.walleij@linaro.org
This patch adds support for perf callchain sampling on riscv platforms.
The return address of the leaf function is retrieved from pt_regs as
it is not saved in the outmost frame.
Signed-off-by: Mao Han <han_mao@c-sky.com>
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Greentime Hu <green.hu@gmail.com>
Cc: Palmer Dabbelt <palmer@sifive.com>
Cc: linux-riscv <linux-riscv@lists.infradead.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Guo Ren <guoren@kernel.org>
Tested-by: Greentime Hu <greentime.hu@sifive.com>
[paul.walmsley@sifive.com: fixed some 'checkpatch.pl --strict' issues;
fixed patch description spelling]
Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
The TISCI protocol supports enabling the device either with exclusive
permissions for the requesting host or with sharing across the hosts.
There are certain devices which are exclusive to Linux context and
there are certain devices that are shared across different host contexts.
So add support for getting this information from DT by increasing
the power-domain cells to 2.
To keep DT backward compatibility intact, default the
device permissions to have the exclusive flag set. In this case the
power-domain-cells is 1.
Reviewed-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
The TISCI protocol supports enabling the device either with exclusive
permissions for the requesting host or with sharing across the hosts.
There are certain devices which are exclusive to Linux context and
there are certain devices that are shared across different host contexts.
So add support for getting this information from DT by increasing
the power-domain cells to 2.
Acked-by: Tero Kristo <t-kristo@ti.com>
Acked-by: Rob Herring <robh@kernel.org>
Reviewed-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Sysfw provides an option for requesting exclusive access for a
device using the flags MSG_FLAG_DEVICE_EXCLUSIVE. If this flag is
not used, the device is meant to be shared across hosts. Once a device
is requested from a host with this flag set, any request to this
device from a different host will be nacked by sysfw. The current tisci
driver enables this flag for every device request. But this may not
be true for all the devices. So provide separate commands in the driver
for exclusive and shared device requests.
Reviewed-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Because s_vfs_rename_mutex is not cluster-wide, multiple nodes can
reverse the roles of which directories are "old" and which are "new" for
the purposes of rename. This can cause deadlocks where two nodes end up
waiting for each other.
There can be several layers of directory dependencies across many nodes.
This patch fixes the problem by acquiring all gfs2_rename's inode glocks
asynchronously and waiting for all glocks to be acquired. That way all
inodes are locked regardless of the order.
The timeout value for multiple asynchronous glocks is calculated to be
the total of the individual wait times for each glock times two.
Since gfs2_exchange is very similar to gfs2_rename, both functions are
patched in the same way.
A new async glock wait queue, sd_async_glock_wait, keeps a list of
waiters for these events. If gfs2's holder_wake function detects an
async holder, it wakes up any waiters for the event. The waiter only
tests whether any of its requests are still pending.
Since the glocks are sent to dlm asynchronously, the wait function needs
to check to see which glocks, if any, were granted.
If a glock is granted by dlm (and therefore held), its minimum hold time
is checked and adjusted as necessary, as other glock grants do.
If the event times out, all glocks held thus far must be dequeued to
resolve any existing deadlocks. Then, if there are any outstanding
locking requests, we need to loop around and wait for dlm to respond to
those requests too. After we release all requests, we return -ESTALE to
the caller (vfs rename) which loops around and retries the request.
    Node1                                           Node2
    ---------                                       ---------
 1. Enqueue A                                       Enqueue B
 2. Enqueue B                                       Enqueue A
 3. A granted
 6.                                                 B granted
 7. Wait for B
 8.                                                 Wait for A
 9.                                                 A times out (since Node 1 holds A)
10.                                                 Dequeue B (since it was granted)
11.                                                 Wait for all requests from DLM
12. B Granted (since Node2 released it in step 10)
13. Rename
14. Dequeue A
15.                                                 DLM Grants A
16.                                                 Dequeue A (due to the timeout and since we
                                                    no longer have B held for our task).
17. Dequeue B
18.                                                 Return -ESTALE to vfs
19.                                                 VFS retries the operation, goto step 1.
This release-all-locks / acquire-all-locks may slow rename / exchange
down as both nodes struggle in the same way and do the same thing.
However, this will only happen when there is contention for the same
inodes, which ought to be rare.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
This patch moves the code that updates glock minimum hold
time to a separate function. This will be called by a future
patch.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Before this patch, gfs2_rename added a holder for the rgrp glock to
its array of holders, ghs. There's nothing wrong with that, but this
patch separates it into a separate holder. This is done to ensure
it's always locked last as per the proper glock lock ordering,
and also to pave the way for a future patch in which we will
lock the non-rgrp glocks asynchronously.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
The brelse() function tests whether its argument is NULL and then
returns immediately. Thus the test around the call is not needed.
This issue was detected by using the Coccinelle software.
[The same applies to brelse() in gfs2_dir_no_add (which Coccinelle
apparently missed), so fix that as well.]
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
A few patches to enable the V3 SoC and fix the i2s clock for the H6.
Merge tag 'sunxi-clk-for-5.4-1' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into clk-allwinner
Pull Allwinner clock changes from Maxime Ripard:
A few patches to enable the V3 SoC and fix the i2s clock for the H6.
* tag 'sunxi-clk-for-5.4-1' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux:
clk: sunxi-ng: h6: Allow I2S to change parent rate
clk: sunxi-ng: v3s: add Allwinner V3 support
clk: sunxi-ng: v3s: add missing clock slices for MMC2 module clocks
dt-bindings: clk: sunxi-ccu: add compatible string for V3 CCU
clk: sunxi-ng: v3s: add the missing PLL_DDR1
Current sample time values are overestimated; this patch applies
values closer to the ones defined in the data-sheets.
Signed-off-by: Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>
[groeck: resolved conflicts; use default conversion times]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
* Add g12a reset support to the axg audio clock controller
* Add sm1 support to the g12a clock controller
Merge tag 'clk-meson-v5.4-2' of https://github.com/BayLibre/clk-meson into clk-meson
Pull second set of Amlogic clk driver updates from Jerome Brunet:
- Add g12a reset support to the axg audio clock controller
- Add sm1 support to the g12a clock controller
* tag 'clk-meson-v5.4-2' of https://github.com/BayLibre/clk-meson:
clk: meson: g12a: add support for SM1 CPU 1, 2 & 3 clocks
clk: meson: g12a: add support for SM1 DynamIQ Shared Unit clock
clk: meson: g12a: add support for SM1 GP1 PLL
dt-bindings: clk: meson: add sm1 periph clock controller bindings
clk: meson: axg-audio: add g12a reset support
dt-bindings: clock: meson: add resets to the audio clock controller
Thadeu Lima de Souza Cascardo reported that 'chrt' broke on recent kernels:
    $ chrt -p $$
    chrt: failed to get pid 26306's policy: Argument list too long
and he has root-caused the bug to the following commit increasing sched_attr
size and breaking sched_read_attr() into returning -EFBIG:
    a509a7cd79 ("sched/uclamp: Extend sched_setattr() to support utilization clamping")
The other, bigger bug is that the whole sched_getattr() and sched_read_attr()
logic of checking non-zero bits in new ABI components is arguably broken,
and pretty much any extension of the ABI will spuriously break the ABI.
That's way too fragile.
Instead, implement the perf syscall's extensible ABI, which we
already implement on the sched_setattr() side:
- if user-attributes have the same size as kernel attributes then the
  logic is unchanged.
- if user-attributes are larger than the kernel knows about then simply
  skip the extra bits, but set attr->size to the (smaller) kernel size
  so that tooling can (in principle) handle older kernel as well.
- if user-attributes are smaller than the kernel knows about then just
  copy whatever user-space can accept.
Also clean up the whole logic:
- Simplify the code flow - there's no need for 'ret' for example.
- Standardize on 'kattr/uattr' and 'ksize/usize' naming to make sure we
  always know which side we are dealing with.
- Why is it called 'read' when what it does is to copy to user? This
  code is so far away from VFS read() semantics that the naming is
  actively confusing. Name it sched_attr_copy_to_user() instead, which
  mirrors other copy_to_user() functionality.
- Move the attr->size assignment from the head of sched_getattr() to the
  sched_attr_copy_to_user() function. Nothing else within the kernel
  should care about the size of the structure.
With these fixes the sched_getattr() syscall now nicely supports an
extensible ABI in both a forward and backward compatible fashion, and
will also fix the chrt bug.
As an added bonus the bogus -EFBIG return is removed as well, which as
Thadeu noted should have been -E2BIG to begin with.
Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Patrick Bellasi <patrick.bellasi@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: a509a7cd79 ("sched/uclamp: Extend sched_setattr() to support utilization clamping")
Link: https://lkml.kernel.org/r/20190904075532.GA26751@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
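The three size cases listed in the commit message above, as an added userspace model (not the kernel's code and not part of the commit). The `attr_v0`/`attr_v1` layouts, the function names and the plain `memcpy()` standing in for copy_to_user() are assumptions; `copy_out_strict()` models the "non-zero bits" check the message calls fragile, and `copy_out_extensible()` the behaviour it describes as the replacement.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layouts: v0 is what an older tool was built against,
 * v1 is the grown structure the kernel now fills in. */
struct attr_v0 { uint32_t size; uint32_t policy; uint64_t flags; };
struct attr_v1 { uint32_t size; uint32_t policy; uint64_t flags;
                 uint32_t util_min; uint32_t util_max; };

/* Model of the old logic: refuse when fields the caller cannot see are set. */
static int copy_out_strict(void *ubuf, uint32_t usize, struct attr_v1 *kattr)
{
    const unsigned char *p = (const unsigned char *)kattr;
    uint32_t ksize = sizeof(*kattr), i;

    kattr->size = ksize;
    if (usize < ksize) {
        for (i = usize; i < ksize; i++)
            if (p[i])
                return -EFBIG;
        kattr->size = usize;
    }
    memcpy(ubuf, kattr, kattr->size);
    return 0;
}

/* Model of the extensible ABI: copy min(usize, ksize) and report that size. */
static int copy_out_extensible(void *ubuf, uint32_t usize, struct attr_v1 *kattr)
{
    uint32_t ksize = sizeof(*kattr);

    kattr->size = usize < ksize ? usize : ksize;
    memcpy(ubuf, kattr, kattr->size);
    return 0;
}

/* Returns the size field user space ends up seeing, or a negative errno. */
static int getattr_model(int extensible, uint32_t usize, uint32_t util_max)
{
    struct attr_v1 k = { .policy = 2, .util_max = util_max };
    unsigned char ubuf[64];
    uint32_t seen;
    int ret;

    if (usize < sizeof(struct attr_v0) || usize >= sizeof(ubuf))
        return -EINVAL;
    memset(ubuf, 0xAA, sizeof(ubuf));
    ret = extensible ? copy_out_extensible(ubuf, usize, &k)
                     : copy_out_strict(ubuf, usize, &k);
    if (ret)
        return ret;
    if (ubuf[k.size] != 0xAA)   /* nothing past the reported size was written */
        return -EFAULT;
    memcpy(&seen, ubuf, sizeof(seen));
    return (int)seen;
}

int main(void)
{
    printf("old tool, strict copy-out:     %d\n", getattr_model(0, 16, 1024));
    printf("old tool, extensible copy-out: %d\n", getattr_model(1, 16, 1024));
    printf("newer tool, extensible:        %d\n", getattr_model(1, 48, 1024));
    return 0;
}
```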
Tested with kmscube and some glmark2* tests on arndale board.
Signed-off-by: Guillaume Gardet <guillaume.gardet@arm.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Tested with kmscube and some glmark2* tests on Chromebook snow.
Frequency adapts with load.
Signed-off-by: Guillaume Gardet <guillaume.gardet@arm.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Required to have GPU voltage scaling working properly.
Signed-off-by: Guillaume Gardet <guillaume.gardet@arm.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
kfree has taken the null check into account. Hence it is unnecessary to add the
null check before kfreeing the object. Just remove it.
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Link: https://lore.kernel.org/r/1567591408-24268-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
These two error paths need to unlock before we can return.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20190904095908.GA7007@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
inode_smack::smk_lock is taken during smack_d_instantiate(), which is
called during a filesystem transaction when creating a file on ext4.
Therefore to avoid a deadlock, all code that takes this lock must use
GFP_NOFS, to prevent memory reclaim from waiting for the filesystem
transaction to complete.
Reported-by: syzbot+0eefc1e06a77d327a056@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
In smack_socket_sock_rcv_skb(), there is an if statement
on line 3920 to check whether skb is NULL:
    if (skb && skb->secmark != 0)
This check indicates skb can be NULL in some cases.
But on lines 3931 and 3932, skb is used:
    ad.a.u.net->netif = skb->skb_iif;
    ipv6_skb_to_auditdata(skb, &ad.a, NULL);
Thus, possible null-pointer dereferences may occur when skb is NULL.
To fix these possible bugs, an if statement is added to check skb.
These bugs are found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
There is a logic bug in the current smack_bprm_set_creds():
If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be
acceptable (e.g. because the ptracer detached in the meantime), the other
->unsafe flags aren't checked. As far as I can tell, this means that
something like the following could work (but I haven't tested it):
- task A: create task B with fork()
- task B: set NO_NEW_PRIVS
- task B: install a seccomp filter that makes open() return 0 under some
conditions
- task B: replace fd 0 with a malicious library
- task A: attach to task B with PTRACE_ATTACH
- task B: execve() a file with an SMACK64EXEC extended attribute
- task A: while task B is still in the middle of execve(), exit (which
destroys the ptrace relationship)
Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in
bprm->unsafe, we reject the execve().
Cc: stable@vger.kernel.org
Fixes: 5663884caa ("Smack: unify all ptrace accesses in the smack")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-37-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-36-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:
BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746
CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
memcmp+0xa6/0xb0 lib/string.c:904
memcmp include/linux/string.h:400 [inline]
descriptors_changed drivers/usb/core/hub.c:5579 [inline]
usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
rt2x00usb_probe+0x53/0x7af
drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806
The error occurs when the descriptors_changed() routine (called during
a device reset) attempts to compare the old and new BOS and capability
descriptors. The length it uses for the comparison is the
wTotalLength value stored in BOS descriptor, but this value is not
necessarily the same as the length actually allocated for the
descriptors. If it is larger the routine will call memcmp() with a
length that is too big, thus reading beyond the end of the allocated
region and leading to this fault.
The kernel reads the BOS descriptor twice: first to get the total
length of all the capability descriptors, and second to read it along
with all those other descriptors. A malicious (or very faulty) device
may send different values for the BOS descriptor fields each time.
The memory area will be allocated using the wTotalLength value read
the first time, but stored within it will be the value read the second
time.
To prevent this possibility from causing any errors, this patch
modifies the BOS descriptor after it has been read the second time:
It sets the wTotalLength field to the actual length of the descriptors
that were read in and validated. Then the memcpy() call, or any other
code using these descriptors, will be able to rely on wTotalLength
being valid.
Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
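The double read described in the commit message above, as an added userspace model (not the USB core's code and not part of the commit). `struct fake_dev`, the constructed descriptor bytes and all function names are assumptions; instead of performing an out-of-bounds compare, `bos_overread()` reports how far the stored wTotalLength exceeds the allocation, with and without the rewrite of the field to the validated length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BOS_HDR_LEN 5  /* bLength, bDescriptorType, wTotalLength (LE16), bNumDeviceCaps */
#define CAP_HDR_LEN 3  /* bLength, bDescriptorType, bDevCapabilityType */
#define LOAD_FAILED (-70000L)  /* outside the possible range of length differences */

/* Constructed device model: each read may claim a different wTotalLength. */
struct fake_dev { uint16_t claimed[2]; int reads; };
struct bos_cache { uint8_t *buf; size_t alloc; };

static size_t dev_read_bos(struct fake_dev *d, uint8_t *dst, size_t len)
{
    /* Constructed bytes: BOS header plus one minimal capability descriptor. */
    uint8_t wire[8] = { BOS_HDR_LEN, 0x0f, 0, 0, 1, CAP_HDR_LEN, 0x10, 0x02 };
    uint16_t claim = d->claimed[d->reads < 2 ? d->reads : 1];
    size_t n = len < sizeof(wire) ? len : sizeof(wire);

    d->reads++;
    wire[2] = claim & 0xff;
    wire[3] = claim >> 8;
    memcpy(dst, wire, n);
    return n;
}

static uint16_t bos_total_len(const uint8_t *bos)
{
    return (uint16_t)(bos[2] | (bos[3] << 8));
}

static int bos_load(struct fake_dev *d, struct bos_cache *c, int fix)
{
    uint8_t hdr[BOS_HDR_LEN];
    size_t total, off = BOS_HDR_LEN;

    if (dev_read_bos(d, hdr, sizeof(hdr)) < sizeof(hdr))
        return -1;
    total = bos_total_len(hdr);            /* first read sizes the buffer */
    if (total < BOS_HDR_LEN)
        return -1;
    c->buf = calloc(1, total);
    if (!c->buf)
        return -1;
    c->alloc = total;
    if (dev_read_bos(d, c->buf, total) < total) {   /* second read fills it */
        free(c->buf);
        c->buf = NULL;
        return -1;
    }
    while (off + CAP_HDR_LEN <= total) {   /* walk and validate capabilities */
        size_t len = c->buf[off];
        if (len < CAP_HDR_LEN || off + len > total)
            break;
        off += len;
    }
    if (fix) {                             /* store the validated length */
        c->buf[2] = off & 0xff;
        c->buf[3] = (off >> 8) & 0xff;
    }
    return 0;
}

/* Bytes by which a later length-driven compare would pass the allocation. */
static long bos_overread(uint16_t first, uint16_t second, int fix)
{
    struct fake_dev d = { { first, second }, 0 };
    struct bos_cache c = { NULL, 0 };
    long excess;

    if (bos_load(&d, &c, fix))
        return LOAD_FAILED;
    excess = (long)bos_total_len(c.buf) - (long)c.alloc;
    free(c.buf);
    return excess;
}

int main(void)
{
    printf("unfixed: compare length exceeds allocation by %ld bytes\n",
           bos_overread(8, 200, 0));
    printf("fixed:   compare length exceeds allocation by %ld bytes\n",
           bos_overread(8, 200, 1));
    return 0;
}
```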
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-35-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-34-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-33-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-32-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-31-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-30-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-29-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-28-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-27-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-26-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-25-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20190904135918.25352-24-yuehaibing@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>