dwc_otg: prevent OOPSes during device disconnects #334
Merged
The dwc_otg_urb_enqueue function is thread-unsafe. In particular the access of urb->hcpriv, usb_hcd_link_urb_to_ep, dwc_otg_urb->qtd and friends does not occur within a critical section and so if a device was unplugged during activity there was a high chance that the usbcore hub_thread would try to disable the endpoint with partially-formed entries in the URB queue. This would result in BUG() or null pointer dereferences. Fix so that access of urb->hcpriv, enqueuing to the hardware and adding to usbcore endpoint URB lists is contained within a single critical section.
popcornmix added a commit that referenced this pull request Jul 19, 2013
dwc_otg: prevent OOPSes during device disconnects
chinasaur pushed a commit to chinasaur/firmware that referenced this pull request Aug 3, 2014
See: raspberrypi/linux#334

firmware: camera: Code to support RGB888 output from camera component

firmware: camera: Tuning change to crosstalk to eliminate 'maze' like artifacts in lens flares. This will reduce overall sharpness a bit, but the improvement to the lens flared areas is very marked.
See: http://www.raspberrypi.org/phpBB3/viewtopic.php?f=43&t=47352
popcornmix pushed a commit that referenced this pull request Oct 8, 2014
Corrects the following checkpatch gripes:

    WARNING: quoted string split across lines
    #95: FILE: drivers/mfd/ab3100-core.c:95:
    + "write error (write register) "
    + "%d bytes transferred (expected 2)\n",

    WARNING: quoted string split across lines
    #139: FILE: drivers/mfd/ab3100-core.c:139:
    + "write error (write test register) "
    + "%d bytes transferred (expected 2)\n",

    WARNING: quoted string split across lines
    #175: FILE: drivers/mfd/ab3100-core.c:175:
    + "write error (send register address) "
    + "%d bytes transferred (expected 1)\n",

    WARNING: quoted string split across lines
    #193: FILE: drivers/mfd/ab3100-core.c:193:
    + "write error (read register) "
    + "%d bytes transferred (expected 1)\n",

    WARNING: quoted string split across lines
    #241: FILE: drivers/mfd/ab3100-core.c:241:
    + "write error (send first register address) "
    + "%d bytes transferred (expected 1)\n",

    WARNING: quoted string split across lines
    #256: FILE: drivers/mfd/ab3100-core.c:256:
    + "write error (read register page) "
    + "%d bytes transferred (expected %d)\n",

    WARNING: quoted string split across lines
    #299: FILE: drivers/mfd/ab3100-core.c:299:
    + "write error (maskset send address) "
    + "%d bytes transferred (expected 1)\n",

    WARNING: quoted string split across lines
    #314: FILE: drivers/mfd/ab3100-core.c:314:
    + "write error (maskset read register) "
    + "%d bytes transferred (expected 1)\n",

    WARNING: quoted string split across lines
    #334: FILE: drivers/mfd/ab3100-core.c:334:
    + "write error (write register) "
    + "%d bytes transferred (expected 2)\n",

    WARNING: please, no spaces at the start of a line
    #374: FILE: drivers/mfd/ab3100-core.c:374:
    + return blocking_notifier_chain_unregister(&ab3100->event_subscribers,$

    WARNING: Prefer seq_puts to seq_printf
    #458: FILE: drivers/mfd/ab3100-core.c:458:
    + seq_printf(s, "AB3100 registers:\n");

    WARNING: quoted string split across lines
    #564: FILE: drivers/mfd/ab3100-core.c:564:
    + "debug write reg[0x%02x] with 0x%02x, "
    + "after readback: 0x%02x\n",

    WARNING: quoted string split across lines
    #723: FILE: drivers/mfd/ab3100-core.c:723:
    + "AB3100 P1E variant detected, "
    + "forcing chip to 32KHz\n");

    WARNING: quoted string split across lines
    #882: FILE: drivers/mfd/ab3100-core.c:882:
    + "could not communicate with the AB3100 analog "
    + "baseband chip\n");

    WARNING: quoted string split across lines
    #906: FILE: drivers/mfd/ab3100-core.c:906:
    + dev_err(&client->dev, "accepting it anyway. Please update "
    + "the driver.\n");

    total: 0 errors, 15 warnings, 999 lines checked

Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
neuschaefer pushed a commit to neuschaefer/raspi-binary-firmware that referenced this pull request Feb 27, 2017
See: raspberrypi/linux#334

firmware: camera: Code to support RGB888 output from camera component

firmware: camera: Tuning change to crosstalk to eliminate 'maze' like artifacts in lens flares. This will reduce overall sharpness a bit, but the improvement to the lens flared areas is very marked.
See: http://www.raspberrypi.org/phpBB3/viewtopic.php?f=43&t=47352
JakubVanek pushed a commit to JakubVanek/rpilinux that referenced this pull request Jan 10, 2021
the following syzkaller reproducer:

    r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
    bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e24, @multicast2}, 0x10)
    connect$inet(r0, &(0x7f0000000480)={0x2, 0x4e24, @Local}, 0x10)
    sendto$inet(r0, &(0x7f0000000100)="f6", 0xffffffe7, 0xc000, 0x0, 0x0)

systematically triggers the following warning:

    WARNING: CPU: 2 PID: 8618 at net/core/stream.c:208 sk_stream_kill_queues+0x3fa/0x580
    Modules linked in:
    CPU: 2 PID: 8618 Comm: syz-executor Not tainted 5.10.0+ raspberrypi#334
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/04
    RIP: 0010:sk_stream_kill_queues+0x3fa/0x580
    Code: df 48 c1 ea 03 0f b6 04 02 84 c0 74 04 3c 03 7e 40 8b ab 20 02 00 00 e9 64 ff ff ff e8 df f0 81 2
    RSP: 0018:ffffc9000290fcb0 EFLAGS: 00010293
    RAX: ffff888011cb8000 RBX: 0000000000000000 RCX: ffffffff86eecf0e
    RDX: 0000000000000000 RSI: ffffffff86eecf6a RDI: 0000000000000005
    RBP: 0000000000000e28 R08: ffff888011cb8000 R09: fffffbfff1f48139
    R10: ffffffff8fa409c7 R11: fffffbfff1f48138 R12: ffff8880215e6220
    R13: ffffffff8fa409c0 R14: ffffc9000290fd30 R15: 1ffff92000521fa2
    FS: 00007f41c78f4800(0000) GS:ffff88802d000000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f95c803d088 CR3: 0000000025ed2000 CR4: 00000000000006f0
    Call Trace:
     __mptcp_destroy_sock+0x4f5/0x8e0
     mptcp_close+0x5e2/0x7f0
     inet_release+0x12b/0x270
     __sock_release+0xc8/0x270
     sock_close+0x18/0x20
     __fput+0x272/0x8e0
     task_work_run+0xe0/0x1a0
     exit_to_user_mode_prepare+0x1df/0x200
     syscall_exit_to_user_mode+0x19/0x50
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

userspace programs provide arbitrarily high values of 'len' in sendmsg(): this is causing integer overflow of 'amount'. Cap forward allocation to 1 megabyte: higher values are not really useful.

Suggested-by: Paolo Abeni <pabeni@redhat.com>
Fixes: e93da92 ("mptcp: implement wmem reservation")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Link: https://lore.kernel.org/r/3334d00d8b2faecafdfab9aa593efcbf61442756.1608584474.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
popcornmix pushed a commit that referenced this pull request Jul 16, 2024
Add a test case which replaces an active ingress qdisc while keeping the miniq in-tact during the transition period to the new clsact qdisc.

    # ./vmtest.sh -- ./test_progs -t tc_link
    [...]
    ./test_progs -t tc_link
    [ 3.412871] bpf_testmod: loading out-of-tree module taints kernel.
    [ 3.413343] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
    #332 tc_links_after:OK
    #333 tc_links_append:OK
    #334 tc_links_basic:OK
    #335 tc_links_before:OK
    #336 tc_links_chain_classic:OK
    #337 tc_links_chain_mixed:OK
    #338 tc_links_dev_chain0:OK
    #339 tc_links_dev_cleanup:OK
    #340 tc_links_dev_mixed:OK
    #341 tc_links_ingress:OK
    #342 tc_links_invalid:OK
    #343 tc_links_prepend:OK
    #344 tc_links_replace:OK
    #345 tc_links_revision:OK
    Summary: 14/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://lore.kernel.org/r/20240708133130.11609-2-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
popcornmix pushed a commit that referenced this pull request Jul 25, 2024
[ Upstream commit 5f1d18d ]

Add a test case which replaces an active ingress qdisc while keeping the miniq in-tact during the transition period to the new clsact qdisc.

    # ./vmtest.sh -- ./test_progs -t tc_link
    [...]
    ./test_progs -t tc_link
    [ 3.412871] bpf_testmod: loading out-of-tree module taints kernel.
    [ 3.413343] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
    #332 tc_links_after:OK
    #333 tc_links_append:OK
    #334 tc_links_basic:OK
    #335 tc_links_before:OK
    #336 tc_links_chain_classic:OK
    #337 tc_links_chain_mixed:OK
    #338 tc_links_dev_chain0:OK
    #339 tc_links_dev_cleanup:OK
    #340 tc_links_dev_mixed:OK
    #341 tc_links_ingress:OK
    #342 tc_links_invalid:OK
    #343 tc_links_prepend:OK
    #344 tc_links_replace:OK
    #345 tc_links_revision:OK
    Summary: 14/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://lore.kernel.org/r/20240708133130.11609-2-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
popcornmix pushed a commit that referenced this pull request Oct 21, 2024
Currently, there is no terminator entry for exynosautov920_cmu_of_match, hence facing below KASAN warning,

    BUG: KASAN: global-out-of-bounds in of_match_node+0x120/0x13c
    Read of size 1 at addr ffffffe31cc9e628 by task swapper/0/1

    CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0+ #334
    Hardware name: linux,dummy-virt (DT)
    Call trace:
     dump_backtrace+0x94/0xec
     show_stack+0x18/0x24
     dump_stack_lvl+0x90/0xd0
     print_report+0x1f4/0x5b4
     kasan_report+0xc8/0x110
     __asan_report_load1_noabort+0x20/0x2c
     of_match_node+0x120/0x13c
     of_match_device+0x70/0xb4
     platform_match+0xa0/0x25c
     __device_attach_driver+0x7c/0x2d4
     bus_for_each_drv+0x100/0x188
     __device_attach+0x174/0x364
     device_initial_probe+0x14/0x20
     bus_probe_device+0x128/0x158
     device_add+0xb3c/0x10fc
     of_device_add+0xdc/0x150
     of_platform_device_create_pdata+0x120/0x20c
     of_platform_bus_create+0x2bc/0x620
     of_platform_populate+0x58/0x108
     of_platform_default_populate_init+0x100/0x120
     do_one_initcall+0x110/0x788
     kernel_init_freeable+0x44c/0x61c
     kernel_init+0x24/0x1e4
     ret_from_fork+0x10/0x20

    The buggy address belongs to the variable:
     exynosautov920_cmu_of_match+0xc8/0x2c80

Add a dummy terminator entry at the end to assist of_match_node() in traversing up to the terminator entry without accessing an out-of-boundary index.

Fixes: 485e13f ("clk: samsung: add top clock support for ExynosAuto v920 SoC")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20240927102104.3268790-1-ruanjinjie@huawei.com
[krzk: drop trailing comma]
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Typical device that used to cause this was a wifi dongle or similar that needed a firmware download - unplugging it during the download was very likely to OOPS.
v2: whitespace cleanup as a separate commit.
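
The race described in this pull request, reduced to a deterministic user-space model (an added example, not code from the dwc_otg driver or from this pull request): the disconnect is injected between linking the URB to the endpoint and filling in its private pointers, once without and once with the single critical section. All struct and function names are hypothetical, and an `atomic_flag` stands in for the driver's spinlock.

```c
#include <stdatomic.h>
#include <stddef.h>
/* Constructed user-space model; these names are not the driver's own. */
struct urb_model { void *hcpriv; void *qtd; struct urb_model *next; };

struct ep_model {
    atomic_flag lock;          /* stands in for the HCD spinlock */
    struct urb_model *queue;   /* URBs linked to the endpoint */
    int partial_seen;          /* entries found half-initialised */
    int disable_waiting;       /* disconnect arrived while lock was held */
};

/* Hub-thread side: walk the endpoint queue when the device goes away. */
static void ep_disable(struct ep_model *ep)
{
    if (atomic_flag_test_and_set(&ep->lock)) {
        ep->disable_waiting = 1;   /* a real hub thread would spin here */
        return;
    }
    for (struct urb_model *u = ep->queue; u; u = u->next)
        if (!u->hcpriv || !u->qtd)
            ep->partial_seen++;    /* where the kernel would BUG() or oops */
    ep->queue = NULL;
    atomic_flag_clear(&ep->lock);
}

/* Enqueue side; `locked` selects the single-critical-section form. */
static void urb_enqueue(struct ep_model *ep, struct urb_model *u, int locked)
{
    static int priv, qtd;      /* dummy targets for the two pointers */
    if (locked)
        while (atomic_flag_test_and_set(&ep->lock)) { }
    u->next = ep->queue;
    ep->queue = u;             /* URB is now visible on the endpoint list */
    ep_disable(ep);            /* simulated unplug at the worst moment */
    u->hcpriv = &priv;
    u->qtd = &qtd;
    if (locked) atomic_flag_clear(&ep->lock);
    if (ep->disable_waiting) { ep->disable_waiting = 0; ep_disable(ep); }
}

/* Returns how many half-built entries the disconnect path observed. */
int run_scenario(int locked)
{
    struct ep_model ep = { .lock = ATOMIC_FLAG_INIT };
    struct urb_model u = { 0 };
    urb_enqueue(&ep, &u, locked);
    return ep.partial_seen;
}
```

`run_scenario(0)` reports one partially-formed entry seen by the disconnect path; `run_scenario(1)` reports none, because the walk cannot start until the URB is fully set up.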