Re: [PATCH RESEND] irq: export irq_check_status_bit symbol
On 1/5/21 10:57 PM, Yun Levi wrote: Because of the missing export symbol for irq_chekc_status_bit, Building arm_spe_pmu.ko is a failure on the modpost step. Below is an error message I saw: ERROR:modpost: "irq_check_status_bit" [drivers/perf/arm_spe_pmu.ko] undefined! make[4]: *** [scripts/Makefile.modpost:111: Module.symvers] Error 1 make[4]: *** Deleting file 'Module.symvers' make[3]: *** [Makefile:1396: modules] Error 2 make[2]: *** [debian/rules:7: build-arch] Error 2 dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2 make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2 Signed-off-by: Levi Yun --- kernel/irq/manage.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c index ab8567f32501..dec3f73e8db9 100644 --- a/kernel/irq/manage.c +++ b/kernel/irq/manage.c @@ -2859,3 +2859,4 @@ bool irq_check_status_bit(unsigned int irq, unsigned int bitmask) rcu_read_unlock(); return res; } +EXPORT_SYMBOL_GPL(irq_check_status_bit); -- 2.27.0 Hi, I ran into this issue while compiling 5.11-rc4 for my RPi 4B. Applying this patch fixed the breakage. Thanks for the fix! Tested-by: Brooke Basile Best, Brooke Basile
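Review bot: On the added EXPORT_SYMBOL_GPL(irq_check_status_bit) line, the changelog should say how arm_spe_pmu.ko comes to reference this symbol. The only evidence given is the modpost error, so a reader cannot tell whether exporting it is the intended interface. The changelog also spells the symbol irq_chekc_status_bit, which defeats a grep for it, and a Fixes: tag naming the commit that introduced the un-exported function would help backports.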
[PATCH] ath9k: revert "ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()"
A bug in USB/IP previously caused all syzkaller USB fuzzing instances to return false positives when testing crash reproducers. This patch reverts changes made in commit 03fb92a432ea which, due to this bug, returned false positives when tested and introduced new regressions. Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()") Signed-off-by: Brooke Basile --- drivers/net/wireless/ath/ath9k/hif_usb.c | 19 --- 1 file changed, 19 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index 860da13bfb6a..38f07420f4f9 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -449,19 +449,10 @@ static void hif_usb_stop(void *hif_handle) spin_unlock_irqrestore(_dev->tx.tx_lock, flags); /* The pending URBs have to be canceled. */ - spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_pending, list) { - usb_get_urb(tx_buf->urb); - spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); - list_del(_buf->list); - usb_free_urb(tx_buf->urb); - kfree(tx_buf->buf); - kfree(tx_buf); - spin_lock_irqsave(_dev->tx.tx_lock, flags); } - spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(_dev->mgmt_submitted); } 
@@ -771,37 +762,27 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; unsigned long flags; - spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_buf, list) { - usb_get_urb(tx_buf->urb); - spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); - spin_lock_irqsave(_dev->tx.tx_lock, flags); } - spin_unlock_irqrestore(_dev->tx.tx_lock, flags); spin_lock_irqsave(_dev->tx.tx_lock, flags); hif_dev->tx.flags |= HIF_USB_TX_FLUSH; spin_unlock_irqrestore(_dev->tx.tx_lock, flags); - spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_pending, list) { - usb_get_urb(tx_buf->urb); - spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); - spin_lock_irqsave(_dev->tx.tx_lock, flags); } - spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(_dev->mgmt_submitted); } -- 2.28.0
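Review bot: In hif_usb_stop(), the restored loop walks tx.tx_pending after tx_lock has been released by the spin_unlock_irqrestore() just above it, and the changelog does not say what makes that traversal safe against concurrent updates of the list. The changelog should also name the regressions the reverted commit introduced and state whether the use-after-free it was written for still reproduces once the USB/IP false positives are out of the picture, so the revert does not silently reopen that report.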
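Review bot: In ath9k_hif_usb_dealloc_tx_urbs(), after this revert both loops call list_del() and kfree() on tx.tx_buf and tx.tx_pending entries without tx_lock, while the HIF_USB_TX_FLUSH update between them does take it. If the unlocked teardown relies on the caller having quiesced TX, a short comment above each loop saying so would keep the next reader from re-adding the locking that is being removed here.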
Re: [PATCH] wireless: ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()
On 9/21/20 9:05 AM, Kalle Valo wrote: Brooke Basile wrote: Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor systems create a race condition in which usb_kill_anchored_urbs() deallocates the URB before the completer callback is called in usb_kill_urb(), resulting in a use-after-free. To fix this, add proper lock protection to usb_kill_urb() calls that can possibly run concurrently with usb_kill_anchored_urbs(). Reported-by: syzbot+89bd486af9427a9fc...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf Signed-off-by: Brooke Basile Signed-off-by: Kalle Valo Patch applied to ath-next branch of ath.git, thanks. 03fb92a432ea ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Thank you! :) Best, Brooke Basile
Re: [PATCH] wireless: ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()
On 9/11/20 3:14 AM, Brooke Basile wrote: Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor systems create a race condition in which usb_kill_anchored_urbs() deallocates the URB before the completer callback is called in usb_kill_urb(), resulting in a use-after-free. To fix this, add proper lock protection to usb_kill_urb() calls that can possibly run concurrently with usb_kill_anchored_urbs(). Reported-by: syzbot+89bd486af9427a9fc...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf Signed-off-by: Brooke Basile --- drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++ 1 file changed, 19 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index 3f563e02d17d..2ed98aaed6fb 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -449,10 +449,19 @@ static void hif_usb_stop(void *hif_handle) spin_unlock_irqrestore(_dev->tx.tx_lock, flags); /* The pending URBs have to be canceled. */ + spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_pending, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); + list_del(_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); + spin_lock_irqsave(_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(_dev->mgmt_submitted); } 
@@ -762,27 +771,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; unsigned long flags; + spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_buf, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); + spin_lock_irqsave(_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); spin_lock_irqsave(_dev->tx.tx_lock, flags); hif_dev->tx.flags |= HIF_USB_TX_FLUSH; spin_unlock_irqrestore(_dev->tx.tx_lock, flags); + spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_pending, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); + spin_lock_irqsave(_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(_dev->mgmt_submitted); } -- 2.28.0 Hi, Just wanted to check on the status of this patch, if there's anything wrong I'm happy to make it right. Sorry to bother! Best, Brooke Basile
[PATCH] wireless: ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()
Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor systems create a race condition in which usb_kill_anchored_urbs() deallocates the URB before the completer callback is called in usb_kill_urb(), resulting in a use-after-free. To fix this, add proper lock protection to usb_kill_urb() calls that can possibly run concurrently with usb_kill_anchored_urbs(). Reported-by: syzbot+89bd486af9427a9fc...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf Signed-off-by: Brooke Basile --- drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++ 1 file changed, 19 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index 3f563e02d17d..2ed98aaed6fb 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -449,10 +449,19 @@ static void hif_usb_stop(void *hif_handle) spin_unlock_irqrestore(_dev->tx.tx_lock, flags); /* The pending URBs have to be canceled. */ + spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_pending, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); + list_del(_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); + spin_lock_irqsave(_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(_dev->mgmt_submitted); } 
@@ -762,27 +771,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; unsigned long flags; + spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_buf, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); + spin_lock_irqsave(_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); spin_lock_irqsave(_dev->tx.tx_lock, flags); hif_dev->tx.flags |= HIF_USB_TX_FLUSH; spin_unlock_irqrestore(_dev->tx.tx_lock, flags); + spin_lock_irqsave(_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, _dev->tx.tx_pending, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); + spin_lock_irqsave(_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(_dev->mgmt_submitted); } -- 2.28.0
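Review bot: In hif_usb_stop(), the loop now does list_del(), usb_free_urb() and both kfree() calls where it previously only called usb_kill_urb(), so stopping the interface destroys the tx_pending buffers instead of cancelling them, and the changelog, which describes only added locking, does not mention this. The added usb_get_urb() is also matched by a single usb_free_urb(), so the URB keeps its original reference and stays allocated while the tx_buf that tracked it is freed. Suggest keeping the stop path cancel-only and pairing the usb_get_urb() with its own usb_free_urb() right after usb_kill_urb().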
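Review bot: In ath9k_hif_usb_dealloc_tx_urbs(), tx_lock is dropped before usb_kill_urb() and only retaken after kfree(tx_buf), so list_del() still runs unlocked and the tx_buf_tmp pointer cached by list_for_each_entry_safe() can go stale while the lock is not held. Each iteration also adds a usb_get_urb() but keeps the single usb_free_urb(), which leaves one reference outstanding and the URB never freed. Suggest doing list_del() under the lock (or moving the entries to a private list head first) and dropping the extra reference after usb_kill_urb().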
Re: KASAN: use-after-free Write in rtl_fw_do_work
On 8/31/20 7:56 PM, Hillf Danton wrote: On Mon, 31 Aug 2020 15:15:13 -0400 Brooke Basile wrote: On 8/31/20 9:30 AM, Hillf Danton wrote: Mon, 31 Aug 2020 04:48:15 -0700 syzbot found the following issue on: HEAD commit:3ed8e1c2 usb: typec: tcpm: Migrate workqueue to RT priorit.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing console output: https://syzkaller.appspot.com/x/log.txt?x=111f901590 kernel config: https://syzkaller.appspot.com/x/.config?x=ccafc70ac3d5f49c dashboard link: https://syzkaller.appspot.com/bug?extid=dc3cab055dff074f2d7f compiler: gcc (GCC) 10.1.0-syz 20200507 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148a00c990 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+dc3cab055dff074f2...@syzkaller.appspotmail.com usb 1-1: Direct firmware load for rtlwifi/rtl8192cufw_TMSC.bin failed with error -2 usb 1-1: Direct firmware load for rtlwifi/rtl8192cufw.bin failed with error -2 rtlwifi: Loading alternative firmware rtlwifi/rtl8192cufw.bin rtlwifi: Selected firmware is not available == BUG: KASAN: use-after-free in rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93 Write of size 4 at addr 8881c9c2ff30 by task kworker/1:5/3063 CPU: 1 PID: 3063 Comm: kworker/1:5 Not tainted 5.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events request_firmware_work_func Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xf6/0x16e lib/dump_stack.c:118 print_address_description.constprop.0+0x1c/0x210 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x37/0x7c mm/kasan/report.c:530 rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93 request_firmware_work_func+0x126/0x250 drivers/base/firmware_loader/main.c:1001 process_one_work+0x94c/0x15f0 kernel/workqueue.c:2269 worker_thread+0x64c/0x1120 
kernel/workqueue.c:2415 kthread+0x392/0x470 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 The buggy address belongs to the page: page:8323bb9d refcount:0 mapcount:0 mapping: index:0x0 pfn:0x1c9c2f flags: 0x200() raw: 0200 ea0007270bc8 raw: page dumped because: kasan: bad access detected Memory state around the buggy address: 8881c9c2fe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 8881c9c2fe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 8881c9c2ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ 8881c9c2ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 8881c9c3: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff == While probing pci for instance, wait for kworker to finish its work in the err branches. --- a/drivers/net/wireless/realtek/rtlwifi/core.c +++ b/drivers/net/wireless/realtek/rtlwifi/core.c @@ -78,7 +78,6 @@ static void rtl_fw_do_work(const struct RT_TRACE(rtlpriv, COMP_ERR, DBG_LOUD, "Firmware callback routine entered!\n"); - complete(>firmware_loading_complete); if (!firmware) { if (rtlpriv->cfg->alt_fw_name) { err = request_firmware(, @@ -91,13 +90,12 @@ static void rtl_fw_do_work(const struct } pr_err("Selected firmware is not available\n"); rtlpriv->max_fw_size = 0; - return; + goto out; } found_alt: if (firmware->size > rtlpriv->max_fw_size) { pr_err("Firmware is too big!\n"); - release_firmware(firmware); - return; + goto release; } if (!is_wow) { memcpy(rtlpriv->rtlhal.pfirmware, firmware->data, @@ -108,7 +106,11 @@ found_alt: firmware->size); rtlpriv->rtlhal.wowlan_fwsize = firmware->size; } + +release: release_firmware(firmware); +out: + complete(>firmware_loading_complete); } void rtl_fw_cb(const struct firmware *firmware, void *context) --- a/drivers/net/wireless/realtek/rtlwifi/pci.c +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c 
@@ -2161,6 +2161,7 @@ int rtl_pci_probe(struct pci_dev *pdev, struct rtl_pci *rtlpci; unsigned long pmem_start, pmem_len, pmem_flags; int err; + bool wait_kworker = false; err = pci_enable_device(pdev); if (err) { @@ -2272,6 +2273,7 @@ int rtl_pci_probe(struct pci
Re: KASAN: use-after-free Write in rtl_fw_do_work
cfg->ops->init_sw_leds(hw); /*aspm */ @@ -2327,7 +2329,8 @@ fail2: pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start); pci_release_regions(pdev); - complete(>firmware_loading_complete); + if (wait_kworker == true) + wait_for_completion(>firmware_loading_complete); fail1: if (hw) Hi, It looks like this is probably a duplicate related to this patch: https://syzkaller.appspot.com/bug?id=1f05ed98df706bb64aeee4dccc5ab48cd7542643 Best, Brooke Basile
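Review bot: In the fail2 path of rtl_pci_probe(), "if (wait_kworker == true)" should be plain "if (wait_kworker)", and because the wait sits above the fail1 label, any error path that jumps straight to fail1 after the firmware request has been queued would reach the "if (hw)" cleanup without waiting; worth confirming no such path exists. In rtl_fw_do_work(), moving complete() to the out: label is what makes the wait meaningful, since the old placement signalled completion before the function's later writes through rtlpriv, which is where the KASAN trace points (core.c:93).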
Re: [GIT PULL] USB fixes for 5.9-rc3
On 8/26/20 12:17 PM, Marek Szyprowski wrote:
Hi Andy,
On 26.08.2020 17:53, Andy Shevchenko wrote:
On Wed, Aug 26, 2020 at 6:36 PM Greg KH wrote:
On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
On 26.08.2020 15:43, Greg KH wrote:
Brooke Basile (2): USB: gadget: u_f: add overflow checks to VLA macros
Sorry, but the above patch breaks USB Ethernet Gadget operation. It also didn't get the proper testing in linux-next (next-20200826 is the first one with this patch). This is how it explodes on Samsung Exynos (ARM 32bit) based board with g_ether module loaded:
Odd, for a "normal" descriptor, the logic should have remained the same as without this patch. Brooke, any ideas?
I have an idea. Does below fix this?
Yep, that's it. I've also moved offset assignment in the first part after size_t size = array_size(n, sizeof(type));
Feel free to add:
Reported-by: Marek Szyprowski
Tested-by: Marek Szyprowski
Thanks! Best regards
Ah, I see. My apologies, I don't know how I was able to miss something like this when building/testing... Thank you for testing and reporting the issue.
Best, Brooke Basile
Re: [PATCH] block: rnbd: rnbd-srv: silence uninitialized variable warning
On 8/18/20 1:29 AM, Nathan Chancellor wrote: I don't think this is a proper fix since the root cause of the warning appears to be that we are ignoring the return value of rnbd_bio_map_kern. Should we not set err to that value like this (completely untested)? Cheers, Nathan diff --git a/drivers/block/rnbd/rnbd-srv.c b/drivers/block/rnbd/rnbd-srv.c index 0fb94843a495..1b71cb2a885d 100644 --- a/drivers/block/rnbd/rnbd-srv.c +++ b/drivers/block/rnbd/rnbd-srv.c @@ -148,7 +148,8 @@ static int process_rdma(struct rtrs_srv *sess, /* Generate bio with pages pointing to the rdma buffer */ bio = rnbd_bio_map_kern(data, sess_dev->rnbd_dev->ibd_bio_set, datalen, GFP_KERNEL); if (IS_ERR(bio)) { - rnbd_srv_err(sess_dev, "Failed to generate bio, err: %ld\n", PTR_ERR(bio)); + err = PTR_ERR(bio); + rnbd_srv_err(sess_dev, "Failed to generate bio, err: %ld\n", err); goto sess_dev_put; } Ah, I see what you mean. Thanks for the fix! Best, Brooke Basile
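Review bot: In the IS_ERR(bio) branch, the new rnbd_srv_err() call passes err to a %ld conversion, but err is declared int in process_rdma() while PTR_ERR() returns long. Switch the format to %d, or keep printing PTR_ERR(bio), so the fix does not trade the uninitialized-variable warning for a format one.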
[PATCH] block: rnbd: rnbd-srv: silence uninitialized variable warning
Clang warns: drivers/block/rnbd/rnbd-srv.c:150:6: warning: variable 'err' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] if (IS_ERR(bio)) { ^~~ drivers/block/rnbd/rnbd-srv.c:177:9: note: uninitialized use occurs here return err; ^~~ drivers/block/rnbd/rnbd-srv.c:126:9: note: initialize the variable 'err' to silence this warning int err; ^ = 0 Silence this by replacing `err` with `ret`, returning ret = 0 upon success. Signed-off-by: Brooke Basile --- drivers/block/rnbd/rnbd-srv.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/block/rnbd/rnbd-srv.c b/drivers/block/rnbd/rnbd-srv.c index 0fb94843a495..f515d1a048a9 100644 --- a/drivers/block/rnbd/rnbd-srv.c +++ b/drivers/block/rnbd/rnbd-srv.c @@ -123,10 +123,10 @@ static int process_rdma(struct rtrs_srv *sess, struct rnbd_io_private *priv; struct rnbd_srv_sess_dev *sess_dev; u32 dev_id; - int err; struct rnbd_dev_blk_io *io; struct bio *bio; short prio; + int ret = 0; priv = kmalloc(sizeof(*priv), GFP_KERNEL); if (!priv) @@ -138,7 +138,7 @@ static int process_rdma(struct rtrs_srv *sess, if (IS_ERR(sess_dev)) { pr_err_ratelimited("Got I/O request on session %s for unknown device id %d\n", srv_sess->sessname, dev_id); - err = -ENOTCONN; + ret = -ENOTCONN; goto err; } @@ -168,13 +168,13 @@ static int process_rdma(struct rtrs_srv *sess, submit_bio(bio); - return 0; + return ret; sess_dev_put: rnbd_put_sess_dev(sess_dev); err: kfree(priv); - return err; + return ret; } static void destroy_device(struct rnbd_srv_dev *dev) -- 2.28.0
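Review bot: At the err: label, "return ret" still yields 0 when the IS_ERR(bio) check fails, because the patch assigns ret only in the -ENOTCONN branch and the branch clang flagged at line 150 jumps to sess_dev_put without setting it. The warning goes away, but the caller is told the request succeeded. Set ret = PTR_ERR(bio) in that branch, and leave the success path as "return 0" so it does not depend on the initial value of ret.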
Re: [PATCH v2] vt: Reject zero-sized screen buffer size.
>vc_{cols,rows,screenbuf_size} are sane here. */ vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT); vc_init(vc, vc->vc_rows, vc->vc_cols, currcons || !vc->vc_sw->con_save_screen); Hi, Looks like this patch also fixes this bug reported by syzbot: https://syzkaller.appspot.com/bug?id=dc5c6b1ae4952a5d72d0e82de0eeeb9e5f767efc There's a lot of other bugs that were reported by syzbot that also touch this code, so I just wanted to give a heads up in case you weren't already aware of them. It seems like this patch could be a fix for all of them. Here are the links to those other bugs: https://syzkaller.appspot.com/bug?id=3e2ad4922b18026c1579f50900747401842acdff https://syzkaller.appspot.com/bug?id=7329638ab83b70fc8fab07e14c4b2fcdc73af21d https://syzkaller.appspot.com/bug?id=01703eb07363bd1f9757bc4a54994455fc9db9dc https://syzkaller.appspot.com/bug?id=7a04be77a06aae337077e00f0ecdb2239dfc2fc3 https://syzkaller.appspot.com/bug?id=ff1543b5ade351b9d6c4ef51c805d89422a8271d Best, Brooke Basile
[PATCH v2] staging: rtl8188eu: Replace function name with __func__
Fix the following checkpatch warning: WARNING: Prefer using '"%s...", __func__' to using 'rtw_get_bcn_info', this function's name, in a string Signed-off-by: Brooke Basile --- Changes in v2: - This should fix the previous issue that caused the patch to fail to apply. drivers/staging/rtl8188eu/core/rtw_ieee80211.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c index 3316059238e0..b80273611fb8 100644 --- a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c @@ -987,10 +987,10 @@ void rtw_get_bcn_info(struct wlan_network *pnetwork) if (bencrypt) pnetwork->BcnInfo.encryp_protocol = ENCRYP_PROTOCOL_WEP; } - RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_get_bcn_info: pnetwork->encryp_protocol is %x\n", - pnetwork->BcnInfo.encryp_protocol)); - RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_get_bcn_info: pnetwork->encryp_protocol is %x\n", - pnetwork->BcnInfo.encryp_protocol)); + RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s: pnetwork->encryp_protocol is %x\n", + __func__, pnetwork->BcnInfo.encryp_protocol)); + RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s: pnetwork->encryp_protocol is %x\n", + __func__, pnetwork->BcnInfo.encryp_protocol)); rtw_get_cipher_info(pnetwork); /* get bwmode and ch_offset */ -- 2.27.0
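Review bot: The two RT_TRACE() calls in rtw_get_bcn_info() are identical both before and after this change, so the second one only prints the same encryp_protocol line twice. Drop the duplicate in this patch or in a follow-up rather than converting both to __func__.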
[PATCH 4/4] staging: rtl8188eu: Replace function name with __func__
Fix the following checkpatch warning: WARNING: Prefer using '"%s...", __func__' to using 'rtw_get_bcn_info', this function's name, in a string Signed-off-by: Brooke Basile --- drivers/staging/rtl8188eu/core/rtw_ieee80211.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c index bf6b2fe9735f..0c43c0dcf95c 100644 --- a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c @@ -986,10 +986,10 @@ void rtw_get_bcn_info(struct wlan_network *pnetwork) if (bencrypt) pnetwork->BcnInfo.encryp_protocol = ENCRYP_PROTOCOL_WEP; } - RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_get_bcn_info: pnetwork->encryp_protocol is %x\n", -pnetwork->BcnInfo.encryp_protocol)); - RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_get_bcn_info: pnetwork->encryp_protocol is %x\n", -pnetwork->BcnInfo.encryp_protocol)); + RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s: pnetwork->encryp_protocol is %x\n", +__func__, pnetwork->BcnInfo.encryp_protocol)); + RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s: pnetwork->encryp_protocol is %x\n", +__func__, pnetwork->BcnInfo.encryp_protocol)); rtw_get_cipher_info(pnetwork); /* get bwmode and ch_offset */ -- 2.27.0
[PATCH 3/4] staging: rtl8188eu: Fix indentation
Fix the following checkpatch warning: WARNING: suspect code indent for conditional statements (16, 32) Signed-off-by: Brooke Basile --- .../staging/rtl8188eu/core/rtw_ieee80211.c| 30 +-- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c index 44a25d29f1d3..bf6b2fe9735f 100644 --- a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c @@ -494,23 +494,23 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie, u16 *rsn_len, u8 *wpa_ie authmode = in_ie[cnt]; if ((authmode == _WPA_IE_ID_) && (!memcmp(_ie[cnt + 2], _oui[0], 4))) { - RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, -("\n rtw_get_wpa_ie: sec_idx =%d in_ie[cnt+1]+2 =%d\n", -sec_idx, in_ie[cnt + 1] + 2)); - - if (wpa_ie) { - memcpy(wpa_ie, _ie[cnt], in_ie[cnt + 1] + 2); - - for (i = 0; i < (in_ie[cnt + 1] + 2); i += 8) { - RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, -("\n %2x,%2x,%2x,%2x,%2x,%2x,%2x,%2x\n", -wpa_ie[i], wpa_ie[i + 1], wpa_ie[i + 2], wpa_ie[i + 3], wpa_ie[i + 4], -wpa_ie[i + 5], wpa_ie[i + 6], wpa_ie[i + 7])); - } + RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, +("\n rtw_get_wpa_ie: sec_idx =%d in_ie[cnt+1]+2 =%d\n", +sec_idx, in_ie[cnt + 1] + 2)); + + if (wpa_ie) { + memcpy(wpa_ie, _ie[cnt], in_ie[cnt + 1] + 2); + + for (i = 0; i < (in_ie[cnt + 1] + 2); i += 8) { + RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, +("\n %2x,%2x,%2x,%2x,%2x,%2x,%2x,%2x\n", +wpa_ie[i], wpa_ie[i + 1], wpa_ie[i + 2], wpa_ie[i + 3], wpa_ie[i + 4], +wpa_ie[i + 5], wpa_ie[i + 6], wpa_ie[i + 7])); } + } - *wpa_len = in_ie[cnt + 1] + 2; - cnt += in_ie[cnt + 1] + 2; /* get next */ + *wpa_len = in_ie[cnt + 1] + 2; + cnt += in_ie[cnt + 1] + 2; /* get next */ } else { if (authmode == _WPA2_IE_ID_) { RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, -- 2.27.0
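Review bot: In the reindented WPA branch of rtw_get_sec_ie(), the dump loop steps i by 8 and reads wpa_ie[i] through wpa_ie[i + 7], so whenever in_ie[cnt + 1] + 2 is not a multiple of 8 the last RT_TRACE() reads up to 7 bytes past what memcpy() just copied. The memcpy() length also comes straight from in_ie[cnt + 1] with no check against in_len visible in this hunk. Neither is introduced by a whitespace patch, but both deserve a follow-up, and the changelog should state that this change is indentation only.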
[PATCH 1/4] staging: rtl8188eu: Fix comment formatting
Fix the following checkpatch warnings: WARNING: Block comments use * on subsequent lines WARNING: Block comments use a trailing */ on a separate line Signed-off-by: Brooke Basile --- .../staging/rtl8188eu/core/rtw_ieee80211.c| 26 --- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c index caf600eba03b..a27dce7f30b3 100644 --- a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c @@ -139,9 +139,11 @@ u8 *rtw_set_ie return pbuf + len + 2; } -/* -index: the information element id index, limit is the limit for search --*/ +/* + * + * index: the information element id index, limit is the limit for search + * + */ u8 *rtw_get_ie(u8 *pbuf, int index, uint *len, int limit) { int tmp, i; @@ -680,9 +682,11 @@ static int rtw_ieee802_11_parse_vendor_specific(u8 *pos, uint elen, { unsigned int oui; - /* first 3 bytes in vendor specific information element are the IEEE + /* +* first 3 bytes in vendor specific information element are the IEEE * OUI of the vendor. The following byte is used a vendor specific -* sub-type. */ +* sub-type. +*/ if (elen < 4) { if (show_errors) { DBG_88E("short vendor specific information element ignored (len=%lu)\n", @@ -694,12 +698,16 @@ static int rtw_ieee802_11_parse_vendor_specific(u8 *pos, uint elen, oui = RTW_GET_BE24(pos); switch (oui) { case OUI_MICROSOFT: - /* Microsoft/Wi-Fi information elements are further typed and -* subtyped */ + /* +* Microsoft/Wi-Fi information elements are further typed and +* subtyped +*/ switch (pos[3]) { case 1: - /* Microsoft OUI (00:50:F2) with OUI Type 1: -* real WPA information element */ + /* +* Microsoft OUI (00:50:F2) with OUI Type 1: +* real WPA information element +*/ elems->wpa_ie = pos; elems->wpa_ie_len = elen; break; -- 2.27.0
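Review bot: In the first hunk, above rtw_get_ie(), the rewritten comment gains an empty " *" line before and after its single sentence, which the other hunks in this patch do not do; "/*", then " * index: ...", then " */" is enough. While the vendor-specific comment is being touched, "is used a vendor specific sub-type" could become "is used as a vendor specific sub-type".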
[PATCH 2/4] staging: rtl8188eu: Fix strings split across lines
Fix the following checkpatch warning: WARNING: quoted string split across lines Signed-off-by: Brooke Basile --- drivers/staging/rtl8188eu/core/rtw_ieee80211.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c index a27dce7f30b3..44a25d29f1d3 100644 --- a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c @@ -381,8 +381,8 @@ int rtw_parse_wpa_ie(u8 *wpa_ie, int wpa_ie_len, int *group_cipher, int *pairwis left -= 2; if (count == 0 || left < count * WPA_SELECTOR_LEN) { - RT_TRACE(_module_rtl871x_mlme_c_, _drv_err_, ("%s: ie count botch (pairwise), " - "count %u left %u", __func__, count, left)); + RT_TRACE(_module_rtl871x_mlme_c_, _drv_err_, ("%s: ie count botch (pairwise), count %u left %u", + __func__, count, left)); return _FAIL; } @@ -448,8 +448,8 @@ int rtw_parse_wpa2_ie(u8 *rsn_ie, int rsn_ie_len, int *group_cipher, int *pairwi left -= 2; if (count == 0 || left < count * RSN_SELECTOR_LEN) { - RT_TRACE(_module_rtl871x_mlme_c_, _drv_err_, ("%s: ie count botch (pairwise), " -"count %u left %u", __func__, count, left)); + RT_TRACE(_module_rtl871x_mlme_c_, _drv_err_, ("%s: ie count botch (pairwise), count %u left %u", + __func__, count, left)); return _FAIL; } 
@@ -943,8 +943,8 @@ static int rtw_get_cipher_info(struct wlan_network *pnetwork) pnetwork->BcnInfo.pairwise_cipher = pairwise_cipher; pnetwork->BcnInfo.group_cipher = group_cipher; pnetwork->BcnInfo.is_8021x = is8021x; - RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s: pnetwork->pairwise_cipher: %d," - "pnetwork->group_cipher is %d, is_8021x is %d", __func__, pnetwork->BcnInfo.pairwise_cipher, + RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("%s: pnetwork->pairwise_cipher: %d, pnetwork->group_cipher is %d, is_8021x is %d", + __func__, pnetwork->BcnInfo.pairwise_cipher, pnetwork->BcnInfo.group_cipher, pnetwork->BcnInfo.is_8021x)); ret = _SUCCESS; } -- 2.27.0
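Review bot: In the rtw_get_cipher_info() hunk, joining the two literals also changes the output: the old pieces concatenated to "%d,pnetwork->group_cipher" and the new string reads "%d, pnetwork->group_cipher". That is an improvement, but the changelog presents the patch as a pure checkpatch cleanup, so it should mention the added space.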
[PATCH] staging: gasket: Convert symbolic permission to octal
Fixing checkpatch WARNING: Symbolic permissions 'S_IRUGO' are not preferred. Consider using octal permissions '0444'. Signed-off-by: Brooke Basile --- drivers/staging/gasket/gasket_sysfs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/gasket/gasket_sysfs.h b/drivers/staging/gasket/gasket_sysfs.h index ab5aa351d555..eb0fd3b0490f 100644 --- a/drivers/staging/gasket/gasket_sysfs.h +++ b/drivers/staging/gasket/gasket_sysfs.h @@ -71,7 +71,7 @@ struct gasket_sysfs_attribute { #define GASKET_SYSFS_RO(_name, _show_function, _attr_type) \ { \ - .attr = __ATTR(_name, S_IRUGO, _show_function, NULL), \ + .attr = __ATTR(_name, 0444, _show_function, NULL), \ .data.attr_type = _attr_type \ } -- 2.27.0