1. 08 Aug, 2019 2 commits
  2. 05 Aug, 2019 1 commit
    • Suzuki K Poulose's avatar
      usb: yurex: Fix use-after-free in yurex_delete · fc05481b
      Suzuki K Poulose authored
      syzbot reported the following crash [0]:
      
      BUG: KASAN: use-after-free in usb_free_coherent+0x79/0x80
      drivers/usb/core/usb.c:928
      Read of size 8 at addr ffff8881b18599c8 by task syz-executor.4/16007
      
      CPU: 0 PID: 16007 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #23
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x6a/0x32c mm/kasan/report.c:351
        __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
        kasan_report+0xe/0x12 mm/kasan/common.c:612
        usb_free_coherent+0x79/0x80 drivers/usb/core/usb.c:928
        yurex_delete+0x138/0x330 drivers/usb/misc/yurex.c:100
        kref_put include/linux/kref.h:65 [inline]
        yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
        __fput+0x2d7/0x840 fs/file_table.c:280
        task_work_run+0x13f/0x1c0 kernel/task_work.c:113
        tracehook_notify_resume include/linux/tracehook.h:188 [inline]
        exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
        prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
        do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x413511
      Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48
      83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
      89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
      RSP: 002b:00007ffc424ea2e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
      RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413511
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
      RBP: 0000000000000001 R08: 0000000029a2fc22 R09: 0000000029a2fc26
      R10: 00007ffc424ea3c0 R11: 0000000000000293 R12: 000000000075c9a0
      R13: 000000000075c9a0 R14: 0000000000761938 R15: ffffffffffffffff
      
      Allocated by task 2776:
        save_stack+0x1b/0x80 mm/kasan/common.c:69
        set_track mm/kasan/common.c:77 [inline]
        __kasan_kmalloc mm/kasan/common.c:487 [inline]
        __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
        kmalloc include/linux/slab.h:552 [inline]
        kzalloc include/linux/slab.h:748 [inline]
        usb_alloc_dev+0x51/0xf95 drivers/usb/core/usb.c:583
        hub_port_connect drivers/usb/core/hub.c:5004 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
        port_event drivers/usb/core/hub.c:5359 [inline]
        hub_event+0x15c0/0x3640 drivers/usb/core/hub.c:5441
        process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
        worker_thread+0x96/0xe20 kernel/workqueue.c:2415
        kthread+0x318/0x420 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Freed by task 16007:
        save_stack+0x1b/0x80 mm/kasan/common.c:69
        set_track mm/kasan/common.c:77 [inline]
        __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
        slab_free_hook mm/slub.c:1423 [inline]
        slab_free_freelist_hook mm/slub.c:1470 [inline]
        slab_free mm/slub.c:3012 [inline]
        kfree+0xe4/0x2f0 mm/slub.c:3953
        device_release+0x71/0x200 drivers/base/core.c:1064
        kobject_cleanup lib/kobject.c:693 [inline]
        kobject_release lib/kobject.c:722 [inline]
        kref_put include/linux/kref.h:65 [inline]
        kobject_put+0x171/0x280 lib/kobject.c:739
        put_device+0x1b/0x30 drivers/base/core.c:2213
        usb_put_dev+0x1f/0x30 drivers/usb/core/usb.c:725
        yurex_delete+0x40/0x330 drivers/usb/misc/yurex.c:95
        kref_put include/linux/kref.h:65 [inline]
        yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
        __fput+0x2d7/0x840 fs/file_table.c:280
        task_work_run+0x13f/0x1c0 kernel/task_work.c:113
        tracehook_notify_resume include/linux/tracehook.h:188 [inline]
        exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
        prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
        do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8881b1859980
        which belongs to the cache kmalloc-2k of size 2048
      The buggy address is located 72 bytes inside of
        2048-byte region [ffff8881b1859980, ffff8881b185a180)
      The buggy address belongs to the page:
      page:ffffea0006c61600 refcount:1 mapcount:0 mapping:ffff8881da00c000
      index:0x0 compound_mapcount: 0
      flags: 0x200000000010200(slab|head)
      raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c000
      raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
        ffff8881b1859880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff8881b1859900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      > ffff8881b1859980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                     ^
        ffff8881b1859a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff8881b1859a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      A quick look at the yurex_delete() shows that we drop the reference
      to the usb_device before releasing any buffers associated with the
      device. Delay the reference drop until we have finished the cleanup.
      
      [0] https://lore.kernel.org/lkml/0000000000003f86d8058f0bd671@google.com/
      
      Fixes: 6bc235a2 ("USB: add driver for Meywa-Denki & Kayac YUREX")
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
      Cc: Oliver Neukum <oneukum@suse.com>
      Cc: andreyknvl@google.com
      Cc: gregkh@linuxfoundation.org
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Cc: syzkaller-bugs@googlegroups.com
      Cc: dtor@chromium.org
      Reported-by: syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20190805111528.6758-1-suzuki.poulose@arm.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc05481b
  3. 25 Jul, 2019 2 commits
  4. 21 Jun, 2019 1 commit
  5. 20 Jun, 2019 1 commit
  6. 14 Jun, 2019 1 commit
    • Mauro Carvalho Chehab's avatar
      docs: kbuild: convert docs to ReST and rename to *.rst · cd238eff
      Mauro Carvalho Chehab authored
      The kbuild documentation clearly shows that the documents
      there are written at different times: some use markdown,
      some use their own peculiar logic to split sections.
      
      Convert everything to ReST without affecting too much
      the author's style and avoiding adding uneeded markups.
      
      The conversion is actually:
        - add blank lines and identation in order to identify paragraphs;
        - fix tables markups;
        - add some lists markups;
        - mark literal blocks;
        - adjust title markups.
      
      At its new index.rst, let's add a :orphan: while this is not linked to
      the main index.rst file, in order to avoid build warnings.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarJonathan Corbet <corbet@lwn.net>
      cd238eff
  7. 10 Jun, 2019 1 commit
  8. 03 Jun, 2019 1 commit
  9. 21 May, 2019 4 commits
  10. 06 May, 2019 1 commit
    • Kirill Smelkov's avatar
      *: convert stream-like files from nonseekable_open -> stream_open · c5bf68fe
      Kirill Smelkov authored
      Using scripts/coccinelle/api/stream_open.cocci added in 10dce8af
      ("fs: stream_open - opener for stream-like files so that read and write
      can run simultaneously without deadlock"), search and convert to
      stream_open all in-kernel nonseekable_open users for which read and
      write actually do not depend on ppos and where there is no other methods
      in file_operations which assume @offset access.
      
      I've verified each generated change manually - that it is correct to convert -
      and each other nonseekable_open instance left - that it is either not correct
      to convert there, or that it is not converted due to current stream_open.cocci
      limitations. The script also does not convert files that should be valid to
      convert, but that currently have .llseek = noop_llseek or generic_file_llseek
      for unknown reason despite file being opened with nonseekable_open (e.g.
      drivers/input/mousedev.c)
      
      Among cases converted 14 were potentially vulnerable to read vs write deadlock
      (see details in 10dce8af):
      
      	drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/infiniband/core/user_mad.c:988:1-17: ERROR: umad_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/input/misc/uinput.c:401:1-17: ERROR: uinput_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      	net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix.
      
      and the rest were just safe to convert to stream_open because their read and
      write do not use ppos at all and corresponding file_operations do not
      have methods that assume @offset file access(*):
      
      	arch/powerpc/platforms/52xx/mpc52xx_gpt.c:631:8-24: WARNING: mpc52xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_ibox_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_ibox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_mbox_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_mbox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_wbox_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_wbox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	arch/um/drivers/harddog_kern.c:88:8-24: WARNING: harddog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	arch/x86/kernel/cpu/microcode/core.c:430:33-49: WARNING: microcode_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/char/ds1620.c:215:8-24: WARNING: ds1620_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/char/dtlk.c:301:1-17: WARNING: dtlk_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/char/ipmi/ipmi_watchdog.c:840:9-25: WARNING: ipmi_wdog_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/char/pcmcia/scr24x_cs.c:95:8-24: WARNING: scr24x_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/char/tb0219.c:246:9-25: WARNING: tb0219_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/firewire/nosy.c:306:8-24: WARNING: nosy_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/hwmon/fschmd.c:840:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/hwmon/w83793.c:1344:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/infiniband/core/ucma.c:1747:8-24: WARNING: ucma_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/infiniband/core/ucm.c:1178:8-24: WARNING: ucm_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/infiniband/core/uverbs_main.c:1086:8-24: WARNING: uverbs_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/input/joydev.c:282:1-17: WARNING: joydev_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/pci/switch/switchtec.c:393:1-17: WARNING: switchtec_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/platform/chrome/cros_ec_debugfs.c:135:8-24: WARNING: cros_ec_console_log_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/rtc/rtc-ds1374.c:470:9-25: WARNING: ds1374_wdt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/rtc/rtc-m41t80.c:805:9-25: WARNING: wdt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/s390/char/tape_char.c:293:2-18: WARNING: tape_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/s390/char/zcore.c:194:8-24: WARNING: zcore_reipl_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/s390/crypto/zcrypt_api.c:528:8-24: WARNING: zcrypt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/spi/spidev.c:594:1-17: WARNING: spidev_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/staging/pi433/pi433_if.c:974:1-17: WARNING: pi433_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/acquirewdt.c:203:8-24: WARNING: acq_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/advantechwdt.c:202:8-24: WARNING: advwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/alim1535_wdt.c:252:8-24: WARNING: ali_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/alim7101_wdt.c:217:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/ar7_wdt.c:166:8-24: WARNING: ar7_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/at91rm9200_wdt.c:113:8-24: WARNING: at91wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/ath79_wdt.c:135:8-24: WARNING: ath79_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/bcm63xx_wdt.c:119:8-24: WARNING: bcm63xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/cpu5wdt.c:143:8-24: WARNING: cpu5wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/cpwd.c:397:8-24: WARNING: cpwd_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/eurotechwdt.c:319:8-24: WARNING: eurwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/f71808e_wdt.c:528:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/gef_wdt.c:232:8-24: WARNING: gef_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/geodewdt.c:95:8-24: WARNING: geodewdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/ib700wdt.c:241:8-24: WARNING: ibwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/ibmasr.c:326:8-24: WARNING: asr_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/indydog.c:80:8-24: WARNING: indydog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/intel_scu_watchdog.c:307:8-24: WARNING: intel_scu_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/iop_wdt.c:104:8-24: WARNING: iop_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/it8712f_wdt.c:330:8-24: WARNING: it8712f_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/ixp4xx_wdt.c:68:8-24: WARNING: ixp4xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/ks8695_wdt.c:145:8-24: WARNING: ks8695wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/m54xx_wdt.c:88:8-24: WARNING: m54xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/machzwd.c:336:8-24: WARNING: zf_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/mixcomwd.c:153:8-24: WARNING: mixcomwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/mtx-1_wdt.c:121:8-24: WARNING: mtx1_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/mv64x60_wdt.c:136:8-24: WARNING: mv64x60_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/nuc900_wdt.c:134:8-24: WARNING: nuc900wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/nv_tco.c:164:8-24: WARNING: nv_tco_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pc87413_wdt.c:289:8-24: WARNING: pc87413_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pcwd.c:698:8-24: WARNING: pcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pcwd.c:737:8-24: WARNING: pcwd_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pcwd_pci.c:581:8-24: WARNING: pcipcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pcwd_pci.c:623:8-24: WARNING: pcipcwd_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pcwd_usb.c:488:8-24: WARNING: usb_pcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pcwd_usb.c:527:8-24: WARNING: usb_pcwd_temperature_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pika_wdt.c:121:8-24: WARNING: pikawdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/pnx833x_wdt.c:119:8-24: WARNING: pnx833x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/rc32434_wdt.c:153:8-24: WARNING: rc32434_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/rdc321x_wdt.c:145:8-24: WARNING: rdc321x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/riowd.c:79:1-17: WARNING: riowd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sa1100_wdt.c:62:8-24: WARNING: sa1100dog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sbc60xxwdt.c:211:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sbc7240_wdt.c:139:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sbc8360.c:274:8-24: WARNING: sbc8360_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sbc_epx_c3.c:81:8-24: WARNING: epx_c3_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sbc_fitpc2_wdt.c:78:8-24: WARNING: fitpc2_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sb_wdog.c:108:1-17: WARNING: sbwdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sc1200wdt.c:181:8-24: WARNING: sc1200wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sc520_wdt.c:261:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/sch311x_wdt.c:319:8-24: WARNING: sch311x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/scx200_wdt.c:105:8-24: WARNING: scx200_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/smsc37b787_wdt.c:369:8-24: WARNING: wb_smsc_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/w83877f_wdt.c:227:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/w83977f_wdt.c:301:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wafer5823wdt.c:200:8-24: WARNING: wafwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/watchdog_dev.c:828:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wdrtas.c:379:8-24: WARNING: wdrtas_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wdrtas.c:445:8-24: WARNING: wdrtas_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wdt285.c:104:1-17: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wdt977.c:276:8-24: WARNING: wdt977_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wdt.c:424:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wdt.c:484:8-24: WARNING: wdt_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wdt_pci.c:464:8-24: WARNING: wdtpci_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open.
      	drivers/watchdog/wdt_pci.c:527:8-24: WARNING: wdtpci_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	net/batman-adv/log.c:105:1-17: WARNING: batadv_log_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	sound/core/control.c:57:7-23: WARNING: snd_ctl_f_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      	sound/core/rawmidi.c:385:7-23: WARNING: snd_rawmidi_f_ops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	sound/core/seq/seq_clientmgr.c:310:7-23: WARNING: snd_seq_f_ops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open.
      	sound/core/timer.c:1428:7-23: WARNING: snd_timer_f_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open.
      
      One can also recheck/review the patch via generating it with explanation comments included via
      
      	$ make coccicheck MODE=patch COCCI=scripts/coccinelle/api/stream_open.cocci SPFLAGS="-D explain"
      
      (*) This second group also contains cases with read/write deadlocks that
      stream_open.cocci don't yet detect, but which are still valid to convert to
      stream_open since ppos is not used. For example drivers/pci/switch/switchtec.c
      calls wait_for_completion_interruptible() in its .read, but stream_open.cocci
      currently detects only "wait_event*" as blocking.
      
      Cc: Michael Kerrisk <mtk.manpages@gmail.com>
      Cc: Yongzhi Pan <panyongzhi@gmail.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Miklos Szeredi <miklos@szeredi.hu>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Julia Lawall <Julia.Lawall@lip6.fr>
      Cc: Nikolaus Rath <Nikolaus@rath.org>
      Cc: Han-Wen Nienhuys <hanwen@google.com>
      Cc: Anatolij Gustschin <agust@denx.de>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "James R. Van Zandt" <jrv@vanzandt.mv.com>
      Cc: Corey Minyard <minyard@acm.org>
      Cc: Harald Welte <laforge@gnumonks.org>
      Acked-by: Lubomir Rintel <lkundrak@v3.sk> [scr24x_cs]
      Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
      Cc: Johan Hovold <johan@kernel.org>
      Cc: David Herrmann <dh.herrmann@googlemail.com>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Cc: Jean Delvare <jdelvare@suse.com>
      Acked-by: Guenter Roeck <linux@roeck-us.net>	[watchdog/* hwmon/*]
      Cc: Rudolf Marek <r.marek@assembler.cz>
      Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: Karsten Keil <isdn@linux-pingi.de>
      Cc: Jacek Anaszewski <jacek.anaszewski@gmail.com>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
      Cc: Kurt Schwemmer <kurt.schwemmer@microsemi.com>
      Acked-by: Logan Gunthorpe <logang@deltatee.com> [drivers/pci/switch/switchtec]
      Acked-by: Bjorn Helgaas <bhelgaas@google.com> [drivers/pci/switch/switchtec]
      Cc: Benson Leung <bleung@chromium.org>
      Acked-by: Enric Balletbo i Serra <enric.balletbo@collabora.com> [platform/chrome]
      Cc: Alessandro Zummo <a.zummo@towertech.it>
      Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com> [rtc/*]
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Wim Van Sebroeck <wim@linux-watchdog.org>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: bcm-kernel-feedback-list@broadcom.com
      Cc: Wan ZongShun <mcuos.com@gmail.com>
      Cc: Zwane Mwaikambo <zwanem@gmail.com>
      Cc: Marek Lindner <mareklindner@neomailbox.ch>
      Cc: Simon Wunderlich <sw@simonwunderlich.de>
      Cc: Antonio Quartulli <a@unstable.cc>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Signed-off-by: default avatarKirill Smelkov <kirr@nexedi.com>
      c5bf68fe
  11. 02 May, 2019 2 commits
  12. 27 Apr, 2019 1 commit
  13. 25 Apr, 2019 2 commits
    • Alan Stern's avatar
      USB: yurex: Fix protection fault after device removal · ef61eb43
      Alan Stern authored
      The syzkaller USB fuzzer found a general-protection-fault bug in the
      yurex driver.  The fault occurs when a device has been unplugged; the
      driver's interrupt-URB handler logs an error message referring to the
      device by name, after the device has been unregistered and its name
      deallocated.
      
      This problem is caused by the fact that the interrupt URB isn't
      cancelled until the driver's private data structure is released, which
      can happen long after the device is gone.  The cure is to make sure
      that the interrupt URB is killed before yurex_disconnect() returns;
      this is exactly the sort of thing that usb_poison_urb() was meant for.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef61eb43
    • Serge Semin's avatar
      usb: usb251xb: Lock i2c-bus segment the hub resides · 6e3c8beb
      Serge Semin authored
      SMBus slave configuration is activated by CFG_SEL[1:0]=0x1 pins
      state. This is the mode the hub is supposed to be to let this driver
      work correctly. But a race condition might happen right after reset
      is cleared due to CFG_SEL[0] pin being multiplexed with SMBus SCL
      function. In case if the reset pin is handled by a i2c GPIO expander,
      which is also placed at the same i2c-bus segment as the usb251x
      SMB-interface connected to, then the hub reset clearance might
      cause the CFG_SEL[0] being latched in unpredictable state. So
      sometimes the hub configuration mode might be 0x1 (as expected),
      but sometimes being 0x0, which doesn't imply to have the hub SMBus-slave
      interface activated and consequently causes this driver failure.
      
      In order to fix the problem we must make sure the GPIO-reset chip doesn't
      reside the same i2c-bus segment as the SMBus-interface of the hub. If
      it doesn't, we can safely block the segment for the time the reset is
      cleared to prevent anyone generating a traffic at the i2c-bus SCL lane
      connected to the CFG_SEL[0] pin. But if it does, nothing we can do, so
      just return an error. If we locked the i2c-bus segment and tried to
      communicate with the GPIO-expander, it would cause a deadlock. If we didn't
      lock the i2c-bus segment, it would randomly cause the CFG_SEL[0] bit flip.
      Signed-off-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e3c8beb
  14. 19 Apr, 2019 1 commit
  15. 03 Apr, 2019 1 commit
  16. 26 Mar, 2019 1 commit
  17. 19 Mar, 2019 1 commit
  18. 13 Feb, 2019 1 commit
  19. 25 Jan, 2019 7 commits
  20. 22 Jan, 2019 1 commit
  21. 18 Jan, 2019 1 commit
  22. 05 Dec, 2018 3 commits
  23. 07 Nov, 2018 1 commit
  24. 18 Oct, 2018 1 commit
    • Mattias Jacobsson's avatar
      USB: misc: appledisplay: fix backlight update_status return code · 09015855
      Mattias Jacobsson authored
      Upon success the update_status handler returns a positive number
      corresponding to the number of bytes transferred by usb_control_msg.
      However the return code of the update_status handler should indicate if
      an error occurred(negative) or how many bytes of the user's input to sysfs
      that was consumed. Return code zero indicates all bytes were consumed.
      
      The bug can for example result in the update_status handler being called
      twice, the second time with only the "unconsumed" part of the user's input
      to sysfs. Effectively setting an incorrect brightness.
      
      Change the update_status handler to return zero for all successful
      transactions and forward usb_control_msg's error code upon failure.
      Signed-off-by: default avatarMattias Jacobsson <2pi@mok.nu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09015855
  25. 10 Sep, 2018 1 commit