* [PATCH AUTOSEL 5.4 02/21] usb: cdns3 fix use-after-free at workaround 2
[not found] <20220814153531.2379705-1-sashal@kernel.org>
@ 2022-08-14 15:35 ` Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 03/21] usb: gadget: uvc: call uvc uvcg_warn on completed status instead of uvcg_info Sasha Levin
` (3 subsequent siblings)
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2022-08-14 15:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Frank Li, Faqiang Zhu, Greg Kroah-Hartman, Sasha Levin, pawell,
peter.chen, linux-usb
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit 7d602f30149a117eea260208b1661bc404c21dfd ]
BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xac
cdns3_wa2_remove_old_request()
{
...
kfree(priv_req->request.buf);
cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);
list_del_init(&priv_req->list);
^^^ use after free
...
}
cdns3_gadget_ep_free_request() free the space pointed by priv_req,
but priv_req is used in the following list_del_init().
This patch move list_del_init() before cdns3_gadget_ep_free_request().
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Faqiang Zhu <faqiang.zhu@nxp.com>
Link: https://lore.kernel.org/r/20220608190430.2814358-1-Frank.Li@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/cdns3/gadget.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c
index 296f2ee1b680..a9399f2b3930 100644
--- a/drivers/usb/cdns3/gadget.c
+++ b/drivers/usb/cdns3/gadget.c
@@ -549,9 +549,9 @@ static void cdns3_wa2_remove_old_request(struct cdns3_endpoint *priv_ep)
trace_cdns3_wa2(priv_ep, "removes eldest request");
kfree(priv_req->request.buf);
+ list_del_init(&priv_req->list);
cdns3_gadget_ep_free_request(&priv_ep->endpoint,
&priv_req->request);
- list_del_init(&priv_req->list);
--priv_ep->wa2_counter;
if (!chain)
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH AUTOSEL 5.4 03/21] usb: gadget: uvc: call uvc uvcg_warn on completed status instead of uvcg_info
[not found] <20220814153531.2379705-1-sashal@kernel.org>
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 02/21] usb: cdns3 fix use-after-free at workaround 2 Sasha Levin
@ 2022-08-14 15:35 ` Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 06/21] usb: host: ohci-ppc-of: Fix refcount leak bug Sasha Levin
` (2 subsequent siblings)
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2022-08-14 15:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Michael Grzeschik, Laurent Pinchart, Greg Kroah-Hartman,
Sasha Levin, balbi, linux-usb
From: Michael Grzeschik <m.grzeschik@pengutronix.de>
[ Upstream commit a725d0f6dfc5d3739d6499f30ec865305ba3544d ]
Likewise to the uvcvideo hostside driver, this patch is changing the
usb_request message of an non zero completion handler call from dev_info
to dev_warn.
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Link: https://lore.kernel.org/r/20220529223848.105914-4-m.grzeschik@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/uvc_video.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
index 5c042f380708..f9fad639a489 100644
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -191,7 +191,7 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
goto requeue;
default:
- uvcg_info(&video->uvc->func,
+ uvcg_warn(&video->uvc->func,
"VS request completed with status %d.\n",
req->status);
uvcg_queue_cancel(queue, 0);
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH AUTOSEL 5.4 06/21] usb: host: ohci-ppc-of: Fix refcount leak bug
[not found] <20220814153531.2379705-1-sashal@kernel.org>
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 02/21] usb: cdns3 fix use-after-free at workaround 2 Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 03/21] usb: gadget: uvc: call uvc uvcg_warn on completed status instead of uvcg_info Sasha Levin
@ 2022-08-14 15:35 ` Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 07/21] usb: renesas: " Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 11/21] gadgetfs: ep_io - wait until IRQ finishes Sasha Levin
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2022-08-14 15:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Liang He, Alan Stern, Greg Kroah-Hartman, Sasha Levin, linux-usb
From: Liang He <windhl@126.com>
[ Upstream commit 40a959d7042bb7711e404ad2318b30e9f92c6b9b ]
In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return
a node pointer with refcount incremented. We should use of_node_put()
when it is not used anymore.
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Liang He <windhl@126.com>
Link: https://lore.kernel.org/r/20220617034637.4003115-1-windhl@126.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/ohci-ppc-of.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/host/ohci-ppc-of.c b/drivers/usb/host/ohci-ppc-of.c
index 45f7cceb6df3..98e46725999e 100644
--- a/drivers/usb/host/ohci-ppc-of.c
+++ b/drivers/usb/host/ohci-ppc-of.c
@@ -169,6 +169,7 @@ static int ohci_hcd_ppc_of_probe(struct platform_device *op)
release_mem_region(res.start, 0x4);
} else
pr_debug("%s: cannot get ehci offset from fdt\n", __FILE__);
+ of_node_put(np);
}
irq_dispose_mapping(irq);
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH AUTOSEL 5.4 07/21] usb: renesas: Fix refcount leak bug
[not found] <20220814153531.2379705-1-sashal@kernel.org>
` (2 preceding siblings ...)
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 06/21] usb: host: ohci-ppc-of: Fix refcount leak bug Sasha Levin
@ 2022-08-14 15:35 ` Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 11/21] gadgetfs: ep_io - wait until IRQ finishes Sasha Levin
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2022-08-14 15:35 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Liang He, Greg Kroah-Hartman, Sasha Levin, linux-usb
From: Liang He <windhl@126.com>
[ Upstream commit 9d6d5303c39b8bc182475b22f45504106a07f086 ]
In usbhs_rza1_hardware_init(), of_find_node_by_name() will return
a node pointer with refcount incremented. We should use of_node_put()
when it is not used anymore.
Signed-off-by: Liang He <windhl@126.com>
Link: https://lore.kernel.org/r/20220618023205.4056548-1-windhl@126.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/renesas_usbhs/rza.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/renesas_usbhs/rza.c b/drivers/usb/renesas_usbhs/rza.c
index 24de64edb674..2d77edefb4b3 100644
--- a/drivers/usb/renesas_usbhs/rza.c
+++ b/drivers/usb/renesas_usbhs/rza.c
@@ -23,6 +23,10 @@ static int usbhs_rza1_hardware_init(struct platform_device *pdev)
extal_clk = of_find_node_by_name(NULL, "extal");
of_property_read_u32(usb_x1_clk, "clock-frequency", &freq_usb);
of_property_read_u32(extal_clk, "clock-frequency", &freq_extal);
+
+ of_node_put(usb_x1_clk);
+ of_node_put(extal_clk);
+
if (freq_usb == 0) {
if (freq_extal == 12000000) {
/* Select 12MHz XTAL */
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH AUTOSEL 5.4 11/21] gadgetfs: ep_io - wait until IRQ finishes
[not found] <20220814153531.2379705-1-sashal@kernel.org>
` (3 preceding siblings ...)
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 07/21] usb: renesas: " Sasha Levin
@ 2022-08-14 15:35 ` Sasha Levin
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2022-08-14 15:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jozef Martiniak, Greg Kroah-Hartman, Sasha Levin, balbi, stern,
hbh25y, axboe, rdunlap, mingo, linux-usb
From: Jozef Martiniak <jomajm@gmail.com>
[ Upstream commit 04cb742d4d8f30dc2e83b46ac317eec09191c68e ]
after usb_ep_queue() if wait_for_completion_interruptible() is
interrupted we need to wait until IRQ gets finished.
Otherwise complete() from epio_complete() can corrupt stack.
Signed-off-by: Jozef Martiniak <jomajm@gmail.com>
Link: https://lore.kernel.org/r/20220708070645.6130-1-jomajm@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/legacy/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 9cd80ad075bd..97c73d610eeb 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -362,6 +362,7 @@ ep_io (struct ep_data *epdata, void *buf, unsigned len)
spin_unlock_irq (&epdata->dev->lock);
DBG (epdata->dev, "endpoint gone\n");
+ wait_for_completion(&done);
epdata->status = -ENODEV;
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-08-14 15:52 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20220814153531.2379705-1-sashal@kernel.org>
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 02/21] usb: cdns3 fix use-after-free at workaround 2 Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 03/21] usb: gadget: uvc: call uvc uvcg_warn on completed status instead of uvcg_info Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 06/21] usb: host: ohci-ppc-of: Fix refcount leak bug Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 07/21] usb: renesas: " Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 11/21] gadgetfs: ep_io - wait until IRQ finishes Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).