Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.4 2019-11-21T19:48:17Z 2019-11-21T19:48:17Z Oliver Neukum oneukum@suse.com 2019-11-21T10:37:10Z urn:sha1:5f9f0b11f0816b35867f2cf71e54d95f53f03902 If starting the transfer of a command suceeds but the transfer for the reply fails, it is not enough to initiate killing the transfer for the command may still be running. You need to wait for the killing to finish before you can reuse URB and buffer. Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-11-12T05:40:55Z Stephan Gerhold stephan@gerhold.net 2019-11-10T16:19:15Z urn:sha1:a71a29f50de1ef97ab55c151a1598eb12dde379d I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci result in a NULL pointer dereference at the moment: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1 RIP: 0010:skb_queue_tail+0x25/0x50 Call Trace: nci_recv_frame+0x36/0x90 [nci] nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c] ? preempt_count_add+0x68/0xa0 ? irq_forced_thread_fn+0x80/0x80 irq_thread_fn+0x20/0x60 irq_thread+0xee/0x180 ? wake_threads_waitq+0x30/0x30 kthread+0xfb/0x130 ? irq_thread_check_affinity+0xd0/0xd0 ? kthread_park+0x90/0x90 ret_from_fork+0x1f/0x40 Afterward the kernel must be rebooted to work properly again. This happens because it attempts to call nci_recv_frame() with skb == NULL. However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any NULL checks for skb, causing the NULL pointer dereference. Change the code to call only nxp_nci_fw_recv_frame() in case of an error. Make sure to log it so it is obvious that a communication error occurred. The error above then becomes: nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121 nci: __nci_request: wait_for_completion_interruptible_timeout failed 0 nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121 Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") Signed-off-by: Stephan Gerhold <stephan@gerhold.net> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-11-07T05:48:29Z Pan Bian bianpan2016@163.com 2019-11-07T01:33:20Z urn:sha1:99a8efbb6e30b72ac98cecf81103f847abffb1e5 The variable nfcid_skb is not changed in the callee nfc_hci_get_param() if error occurs. Consequently, the freed variable nfcid_skb will be freed again, resulting in a double free bug. Set nfcid_skb to NULL after releasing it to fix the bug. Signed-off-by: Pan Bian <bianpan2016@163.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-11-06T02:31:45Z Pan Bian bianpan2016@163.com 2019-11-05T08:34:07Z urn:sha1:517ce4e93368938b204451285e53014549804868 The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is incorrect, which may result in a system crash or other security impacts. The expected object to free is *fw_vsc_cfg. Signed-off-by: Pan Bian <bianpan2016@163.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-10-08T23:52:26Z Johan Hovold johan@kernel.org 2019-10-07T16:40:59Z urn:sha1:6af3aa57a0984e061f61308fe181a9a12359fecc The driver would fail to deregister and its class device and free related resources on late probe errors. Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com Fixes: 32ecc75ded72 ("NFC: pn533: change order operations in dev registation") Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> 2019-09-27T18:31:18Z Colin Ian King colin.king@canonical.com 2019-09-26T11:13:06Z urn:sha1:6ba5bbba95f789d76ce3bf440ee02fdaf52ec486 The return statement is indented incorrectly, add in a missing tab and remove an extraneous space after the return Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-09-15T12:17:27Z David S. Miller davem@davemloft.net 2019-09-15T12:17:27Z urn:sha1:aa2eaa8c272a3211dec07ce9c6c863a7e355c10e Minor overlapping changes in the btusb and ixgbe drivers. Signed-off-by: David S. Miller <davem@davemloft.net> 2019-09-11T14:07:07Z Colin Ian King colin.king@canonical.com 2019-09-11T10:38:48Z urn:sha1:90aa11f1bc5dbb0c392775ed63ced23a3873bcd2 There is a spelling mistake in a dev_err message. Fix it. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-08-07T01:44:57Z David S. Miller davem@davemloft.net 2019-08-07T01:44:57Z urn:sha1:13dfb3fa494361ea9a5950f27c9cd8b06d28c04f Just minor overlapping changes in the conflicts here. Signed-off-by: David S. Miller <davem@davemloft.net> 2019-08-05T17:25:48Z Johan Hovold johan@kernel.org 2019-08-05T10:00:55Z urn:sha1:c3953a3c2d3175d2f9f0304c9a1ba89e7743c5e4 Fix two reset-gpio sanity checks which were never converted to use gpio_is_valid(), and make sure to use -EINVAL to indicate a missing reset line also for the UART-driver module parameter and for the USB driver. This specifically prevents the UART and USB drivers from incidentally trying to request and use gpio 0, and also avoids triggering a WARN() in gpio_to_desc() during probe when no valid reset line has been specified. Fixes: e33a3f84f88f ("NFC: nfcmrvl: allow gpio 0 for reset signalling") Reported-by: syzbot+cf35b76f35e068a1107f@syzkaller.appspotmail.com Tested-by: syzbot+cf35b76f35e068a1107f@syzkaller.appspotmail.com Signed-off-by: Johan Hovold <johan@kernel.org>