1. 26 Sep, 2018 17 commits
  2. 19 Sep, 2018 23 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.157 · d9560919
      Greg Kroah-Hartman authored
      d9560919
    • Linus Torvalds's avatar
      mm: get rid of vmacache_flush_all() entirely · 88d69184
      Linus Torvalds authored
      commit 7a9cdebd upstream.
      
      Jann Horn points out that the vmacache_flush_all() function is not only
      potentially expensive, it's buggy too.  It also happens to be entirely
      unnecessary, because the sequence number overflow case can be avoided by
      simply making the sequence number be 64-bit.  That doesn't even grow the
      data structures in question, because the other adjacent fields are
      already 64-bit.
      
      So simplify the whole thing by just making the sequence number overflow
      case go away entirely, which gets rid of all the complications and makes
      the code faster too.  Win-win.
      
      [ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
        also just goes away entirely with this ]
      Reported-by: default avatarJann Horn <jannh@google.com>
      Suggested-by: default avatarWill Deacon <will.deacon@arm.com>
      Acked-by: default avatarDavidlohr Bueso <dave@stgolabs.net>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88d69184
    • Andi Kleen's avatar
      x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ · e29c75d4
      Andi Kleen authored
      [upstream cc51e542 for 4.4.
      Note there might be still a trivial conflict with the backport
      for b0a182f8, but should
      be easy to resolve]
      
      On Nehalem and newer core CPUs the CPU cache internally uses 44 bits
      physical address space. The L1TF workaround is limited by this internal
      cache address width, and needs to have one bit free there for the
      mitigation to work.
      
      Older client systems report only 36bit physical address space so the range
      check decides that L1TF is not mitigated for a 36bit phys/32GB system with
      some memory holes.
      
      But since these actually have the larger internal cache width this warning
      is bogus because it would only really be needed if the system had more than
      43bits of memory.
      
      Add a new internal x86_cache_bits field. Normally it is the same as the
      physical bits field reported by CPUID, but for Nehalem and newerforce it to
      be at least 44bits.
      
      Change the L1TF memory size warning to use the new cache_bits field to
      avoid bogus warnings and remove the bogus comment about memory size.
      
      Fixes: 17dbca11 ("x86/speculation/l1tf: Add sysfs reporting for l1tf")
      Reported-by: default avatarGeorge Anchev <studio@anchev.net>
      Reported-by: default avatarChristopher Snowhill <kode54@gmail.com>
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: x86@kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Michael Hocko <mhocko@suse.com>
      Cc: vbabka@suse.cz
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180824170351.34874-1-andi@firstfloor.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e29c75d4
    • Ian Kent's avatar
      autofs: fix autofs_sbi() does not check super block type · 4bdac252
      Ian Kent authored
      commit 0633da48 upstream.
      
      autofs_sbi() does not check the superblock magic number to verify it has
      been given an autofs super block.
      
      Backport Note: autofs4 has been renamed to autofs upstream. As a result
      the upstream patch does not apply cleanly onto 4.14.y.
      
      Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto.themaw.net
      Reported-by: <syzbot+87c3c541582e56943277@syzkaller.appspotmail.com>
      Signed-off-by: default avatarIan Kent <raven@themaw.net>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarZubin Mithra <zsm@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4bdac252
    • Wei Yongjun's avatar
      mtd: ubi: wl: Fix error return code in ubi_wl_init() · da7d5af6
      Wei Yongjun authored
      commit 7233982a upstream.
      
      Fix to return error code -ENOMEM from the kmem_cache_alloc() error
      handling case instead of 0, as done elsewhere in this function.
      
      Fixes: f78e5623 ("ubi: fastmap: Erase outdated anchor PEBs during
      attach")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Reviewed-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da7d5af6
    • Ondrej Mosnacek's avatar
      crypto: vmx - Fix sleep-in-atomic bugs · f1b13e97
      Ondrej Mosnacek authored
      commit 0522236d upstream.
      
      This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX
      implementations. The problem is that the blkcipher_* functions should
      not be called in atomic context.
      
      The bugs can be reproduced via the AF_ALG interface by trying to
      encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the
      VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then
      trigger BUG in crypto_yield():
      
      [  891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424
      [  891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc
      [  891.864739] 1 lock held by kcapi-enc/12347:
      [  891.864811]  #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530
      [  891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1
      [  891.865251] Call Trace:
      [  891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable)
      [  891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310
      [  891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0
      [  891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto]
      [  891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80
      [  891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530
      [  891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0
      [  891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0
      [  891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0
      [  891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70
      
      Fixes: 8c755ace ("crypto: vmx - Adding CBC routines for VMX module")
      Fixes: c07f5d3d ("crypto: vmx - Adding support for XTS")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1b13e97
    • Peter Chen's avatar
      ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle · 21de2732
      Peter Chen authored
      commit 5817f977 upstream.
      
      of_node_put needs to be called when the device node which is got
      from of_parse_phandle has finished using.
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21de2732
    • Johan Hovold's avatar
      net: ethernet: ti: cpsw: fix mdio device reference leak · b3179842
      Johan Hovold authored
      commit 86e1d5ad upstream.
      
      Make sure to drop the reference taken by of_find_device_by_node() when
      looking up an mdio device from a phy_id property during probe.
      
      Fixes: 549985ee ("cpsw: simplify the setup of the register
      pointers")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b3179842
    • David Rivshin's avatar
      drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config · d02c8708
      David Rivshin authored
      commit 552165bc upstream.
      
      Commit 9e42f715 ("drivers: net: cpsw: add
      phy-handle parsing") saved the "phy-handle" phandle into a new cpsw_priv
      field. However, phy connections are per-slave, so the phy_node field should
      be in cpsw_slave_data rather than cpsw_priv.
      
      This would go unnoticed in a single emac configuration. But in dual_emac
      mode, the last "phy-handle" property parsed for either slave would be used
      by both of them, causing them both to refer to the same phy_device.
      
      Fixes: 9e42f715 ("drivers: net: cpsw: add phy-handle parsing")
      Signed-off-by: default avatarDavid Rivshin <drivshin@allworx.com>
      Tested-by: default avatarNicolas Chauvet <kwizart@gmail.com>
      Tested-by: default avatarAndrew Goodbody <andrew.goodbody@cambrionix.com>
      Reviewed-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Reviewed-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d02c8708
    • Eric Dumazet's avatar
      netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user · f9845426
      Eric Dumazet authored
      commit e466af75 upstream.
      
      syzkaller reports an out of bound read in strlcpy(), triggered
      by xt_copy_counters_from_user()
      
      Fix this by using memcpy(), then forcing a zero byte at the last position
      of the destination, as Florian did for the non COMPAT code.
      
      Fixes: d7591f0c ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Cc: Greg Hackmann <ghackmann@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9845426
    • Nadav Amit's avatar
      vmw_balloon: include asm/io.h · a3b92ee6
      Nadav Amit authored
      Fix a build error due to missing virt_to_phys()
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Fixes: f0a1bf29 ("vmw_balloon: fix inflation with batching")
      Cc: stable@vger.kernel.org
      Cc: Xavier Deguillard <xdeguillard@vmware.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3b92ee6
    • Mathias Nyman's avatar
      xhci: Fix use-after-free in xhci_free_virt_device · c72a42d3
      Mathias Nyman authored
      commit 44a182b9 upstream.
      
      KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
      where xhci_free_virt_device() sets slot id to 0 if udev exists:
      if (dev->udev && dev->udev->slot_id)
      	dev->udev->slot_id = 0;
      
      dev->udev will be true even if udev is freed because dev->udev is
      not set to NULL.
      
      set dev->udev pointer to NULL in xhci_free_dev()
      
      The original patch went to stable so this fix needs to be applied
      there as well.
      
      Fixes: a400efe4 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c72a42d3
    • Parav Pandit's avatar
      RDMA/cma: Do not ignore net namespace for unbound cm_id · ff75cdad
      Parav Pandit authored
      [ Upstream commit 643d213a ]
      
      Currently if the cm_id is not bound to any netdevice, than for such cm_id,
      net namespace is ignored; which is incorrect.
      
      Regardless of cm_id bound to a netdevice or not, net namespace must
      match. When a cm_id is bound to a netdevice, in such case net namespace
      and netdevice both must match.
      
      Fixes: 4c21b5bc ("IB/cma: Add net_dev and private data checks to RDMA CM")
      Signed-off-by: default avatarParav Pandit <parav@mellanox.com>
      Reviewed-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff75cdad
    • Paul Burton's avatar
      MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON · d04f1b44
      Paul Burton authored
      [ Upstream commit d4da0e97 ]
      
      If a driver causes DMA cache maintenance with a zero length then we
      currently BUG and kill the kernel. As this is a scenario that we may
      well be able to recover from, WARN & return in the condition instead.
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Patchwork: https://patchwork.linux-mips.org/patch/14623/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d04f1b44
    • Chao Yu's avatar
      f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize · e498af87
      Chao Yu authored
      [ Upstream commit c77ec61c ]
      
      This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize
      during mount, in order to avoid accessing across cache boundary with
      this abnormal bitmap size.
      
      - Overview
      buffer overrun in build_sit_info() when mounting a crafted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201)
      
      [  548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      [  548.584979] ==================================================================
      [  548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50
      [  548.587715] Read of size 64 at addr ffff8801e9c265ff by task mount/1295
      
      [  548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  548.589438] Call Trace:
      [  548.589474]  dump_stack+0x7b/0xb5
      [  548.589487]  print_address_description+0x70/0x290
      [  548.589492]  kasan_report+0x291/0x390
      [  548.589496]  ? kmemdup+0x36/0x50
      [  548.589509]  check_memory_region+0x139/0x190
      [  548.589514]  memcpy+0x23/0x50
      [  548.589518]  kmemdup+0x36/0x50
      [  548.589545]  f2fs_build_segment_manager+0x8fa/0x3410
      [  548.589551]  ? __asan_loadN+0xf/0x20
      [  548.589560]  ? f2fs_sanity_check_ckpt+0x1be/0x240
      [  548.589566]  ? f2fs_flush_sit_entries+0x10c0/0x10c0
      [  548.589587]  ? __put_user_ns+0x40/0x40
      [  548.589604]  ? find_next_bit+0x57/0x90
      [  548.589610]  f2fs_fill_super+0x194b/0x2b40
      [  548.589617]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.589637]  ? set_blocksize+0x90/0x140
      [  548.589651]  mount_bdev+0x1c5/0x210
      [  548.589655]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.589667]  f2fs_mount+0x15/0x20
      [  548.589672]  mount_fs+0x60/0x1a0
      [  548.589683]  ? alloc_vfsmnt+0x309/0x360
      [  548.589688]  vfs_kern_mount+0x6b/0x1a0
      [  548.589699]  do_mount+0x34a/0x18c0
      [  548.589710]  ? lockref_put_or_lock+0xcf/0x160
      [  548.589716]  ? copy_mount_string+0x20/0x20
      [  548.589728]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  548.589734]  ? kasan_check_write+0x14/0x20
      [  548.589740]  ? _copy_from_user+0x6a/0x90
      [  548.589744]  ? memdup_user+0x42/0x60
      [  548.589750]  ksys_mount+0x83/0xd0
      [  548.589755]  __x64_sys_mount+0x67/0x80
      [  548.589781]  do_syscall_64+0x78/0x170
      [  548.589797]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.589820] RIP: 0033:0x7f76fc331b9a
      [  548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  548.589880] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  548.589890] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
      [  548.589892] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
      [  548.589895] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  548.589897] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
      [  548.589900] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
      
      [  548.590242] The buggy address belongs to the page:
      [  548.591243] page:ffffea0007a70980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  548.592886] flags: 0x2ffff0000000000()
      [  548.593665] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
      [  548.595258] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  548.603713] page dumped because: kasan: bad access detected
      
      [  548.605203] Memory state around the buggy address:
      [  548.606198]  ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.607676]  ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.609157] >ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.610629]                                                                 ^
      [  548.612088]  ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.613674]  ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.615141] ==================================================================
      [  548.616613] Disabling lock debugging due to kernel taint
      [  548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420
      [  548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G    B             4.18.0-rc1+ #4
      [  548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420
      [  548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b
      [  548.623281] RSP: 0018:ffff8801f28c7678 EFLAGS: 00010246
      [  548.623284] RAX: 0000000000000000 RBX: 00000000006040c0 RCX: ffffffffb82f73b7
      [  548.623287] RDX: 1ffff1003e518eeb RSI: 000000000000000c RDI: 0000000000000000
      [  548.623290] RBP: ffff8801f28c7880 R08: 0000000000000000 R09: ffffed0047fff2c5
      [  548.623292] R10: 0000000000000001 R11: ffffed0047fff2c4 R12: ffff8801e88de040
      [  548.623295] R13: 00000000006040c0 R14: 000000000000000c R15: ffff8801f28c7938
      [  548.623299] FS:  00007f76fca51840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  548.623302] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  548.623304] CR2: 00007f19b9171760 CR3: 00000001ed952000 CR4: 00000000000006e0
      [  548.623317] Call Trace:
      [  548.623325]  ? kasan_check_read+0x11/0x20
      [  548.623330]  ? __zone_watermark_ok+0x92/0x240
      [  548.623336]  ? get_page_from_freelist+0x1c3/0x1d90
      [  548.623347]  ? _raw_spin_lock_irqsave+0x2a/0x60
      [  548.623353]  ? warn_alloc+0x250/0x250
      [  548.623358]  ? save_stack+0x46/0xd0
      [  548.623361]  ? kasan_kmalloc+0xad/0xe0
      [  548.623366]  ? __isolate_free_page+0x2a0/0x2a0
      [  548.623370]  ? mount_fs+0x60/0x1a0
      [  548.623374]  ? vfs_kern_mount+0x6b/0x1a0
      [  548.623378]  ? do_mount+0x34a/0x18c0
      [  548.623383]  ? ksys_mount+0x83/0xd0
      [  548.623387]  ? __x64_sys_mount+0x67/0x80
      [  548.623391]  ? do_syscall_64+0x78/0x170
      [  548.623396]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.623401]  __alloc_pages_nodemask+0x3c5/0x400
      [  548.623407]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  548.623412]  ? __mutex_lock_slowpath+0x20/0x20
      [  548.623417]  ? kvmalloc_node+0x31/0x80
      [  548.623424]  alloc_pages_current+0x75/0x110
      [  548.623436]  kmalloc_order+0x24/0x60
      [  548.623442]  kmalloc_order_trace+0x24/0xb0
      [  548.623448]  __kmalloc_track_caller+0x207/0x220
      [  548.623455]  ? f2fs_build_node_manager+0x399/0xbb0
      [  548.623460]  kmemdup+0x20/0x50
      [  548.623465]  f2fs_build_node_manager+0x399/0xbb0
      [  548.623470]  f2fs_fill_super+0x195e/0x2b40
      [  548.623477]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.623481]  ? set_blocksize+0x90/0x140
      [  548.623486]  mount_bdev+0x1c5/0x210
      [  548.623489]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.623495]  f2fs_mount+0x15/0x20
      [  548.623498]  mount_fs+0x60/0x1a0
      [  548.623503]  ? alloc_vfsmnt+0x309/0x360
      [  548.623508]  vfs_kern_mount+0x6b/0x1a0
      [  548.623513]  do_mount+0x34a/0x18c0
      [  548.623518]  ? lockref_put_or_lock+0xcf/0x160
      [  548.623523]  ? copy_mount_string+0x20/0x20
      [  548.623528]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  548.623533]  ? kasan_check_write+0x14/0x20
      [  548.623537]  ? _copy_from_user+0x6a/0x90
      [  548.623542]  ? memdup_user+0x42/0x60
      [  548.623547]  ksys_mount+0x83/0xd0
      [  548.623552]  __x64_sys_mount+0x67/0x80
      [  548.623557]  do_syscall_64+0x78/0x170
      [  548.623562]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.623566] RIP: 0033:0x7f76fc331b9a
      [  548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  548.623632] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  548.623636] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
      [  548.623639] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
      [  548.623641] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  548.623643] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
      [  548.623646] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
      [  548.623650] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager
      [  548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201)
      
      [  548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      [  548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578
      
      	sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL);
      
      Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size.
      
      Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech.
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e498af87
    • Zumeng Chen's avatar
      mfd: ti_am335x_tscadc: Fix struct clk memory leak · ab140bd2
      Zumeng Chen authored
      [ Upstream commit c2b1509c ]
      
      Use devm_elk_get() to let Linux manage struct clk memory to avoid the following
      memory leakage report:
      
      unreferenced object 0xdd75efc0 (size 64):
        comm "systemd-udevd", pid 186, jiffies 4294945126 (age 1195.750s)
        hex dump (first 32 bytes):
          61 64 63 5f 74 73 63 5f 66 63 6b 00 00 00 00 00  adc_tsc_fck.....
          00 00 00 00 92 03 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<c0a15260>] kmemleak_alloc+0x40/0x74
          [<c0287a10>] __kmalloc_track_caller+0x198/0x388
          [<c0255610>] kstrdup+0x40/0x5c
          [<c025565c>] kstrdup_const+0x30/0x3c
          [<c0636630>] __clk_create_clk+0x60/0xac
          [<c0630918>] clk_get_sys+0x74/0x144
          [<c0630cdc>] clk_get+0x5c/0x68
          [<bf0ac540>] ti_tscadc_probe+0x260/0x468 [ti_am335x_tscadc]
          [<c06f3c0c>] platform_drv_probe+0x60/0xac
          [<c06f1abc>] driver_probe_device+0x214/0x2dc
          [<c06f1c18>] __driver_attach+0x94/0xc0
          [<c06efe2c>] bus_for_each_dev+0x90/0xa0
          [<c06f1470>] driver_attach+0x28/0x30
          [<c06f1030>] bus_add_driver+0x184/0x1ec
          [<c06f2b74>] driver_register+0xb0/0xf0
          [<c06f3b4c>] __platform_driver_register+0x40/0x54
      Signed-off-by: default avatarZumeng Chen <zumeng.chen@gmail.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ab140bd2
    • Geert Uytterhoeven's avatar
      iommu/ipmmu-vmsa: Fix allocation in atomic context · 22fa0358
      Geert Uytterhoeven authored
      [ Upstream commit 46583e8c ]
      
      When attaching a device to an IOMMU group with
      CONFIG_DEBUG_ATOMIC_SLEEP=y:
      
          BUG: sleeping function called from invalid context at mm/slab.h:421
          in_atomic(): 1, irqs_disabled(): 128, pid: 61, name: kworker/1:1
          ...
          Call trace:
           ...
           arm_lpae_alloc_pgtable+0x114/0x184
           arm_64_lpae_alloc_pgtable_s1+0x2c/0x128
           arm_32_lpae_alloc_pgtable_s1+0x40/0x6c
           alloc_io_pgtable_ops+0x60/0x88
           ipmmu_attach_device+0x140/0x334
      
      ipmmu_attach_device() takes a spinlock, while arm_lpae_alloc_pgtable()
      allocates memory using GFP_KERNEL.  Originally, the ipmmu-vmsa driver
      had its own custom page table allocation implementation using
      GFP_ATOMIC, hence the spinlock was fine.
      
      Fix this by replacing the spinlock by a mutex, like the arm-smmu driver
      does.
      
      Fixes: f20ed39f ("iommu/ipmmu-vmsa: Use the ARM LPAE page table allocator")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22fa0358
    • Mauricio Faria de Oliveira's avatar
      partitions/aix: fix usage of uninitialized lv_info and lvname structures · a169d7c8
      Mauricio Faria de Oliveira authored
      [ Upstream commit 14cb2c8a ]
      
      The if-block that sets a successful return value in aix_partition()
      uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized.
      
      For example, if 'numlvs' is zero or alloc_lvn() fails, neither is
      initialized, but are used anyway if alloc_pvd() succeeds after it.
      
      So, make the alloc_pvd() call conditional on their initialization.
      
      This has been hit when attaching an apparently corrupted/stressed
      AIX LUN, misleading the kernel to pr_warn() invalid data and hang.
      
          [...] partition (null) (11 pp's found) is not contiguous
          [...] partition (null) (2 pp's found) is not contiguous
          [...] partition (null) (3 pp's found) is not contiguous
          [...] partition (null) (64 pp's found) is not contiguous
      
      Fixes: 6ceea22b ("partitions: add aix lvm partition support files")
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a169d7c8
    • Mauricio Faria de Oliveira's avatar
      partitions/aix: append null character to print data from disk · 77d3c98f
      Mauricio Faria de Oliveira authored
      [ Upstream commit d43fdae7 ]
      
      Even if properly initialized, the lvname array (i.e., strings)
      is read from disk, and might contain corrupt data (e.g., lack
      the null terminating character for strings).
      
      So, make sure the partition name string used in pr_warn() has
      the null terminating character.
      
      Fixes: 6ceea22b ("partitions: add aix lvm partition support files")
      Suggested-by: default avatarDaniel J. Axtens <daniel.axtens@canonical.com>
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      77d3c98f
    • Nick Dyer's avatar
      Input: atmel_mxt_ts - only use first T9 instance · af39fa73
      Nick Dyer authored
      [ Upstream commit 36f5d9ef ]
      
      The driver only registers one input device, which uses the screen
      parameters from the first T9 instance. The first T63 instance also uses
      those parameters.
      
      It is incorrect to send input reports from the second instances of these
      objects if they are enabled: the input scaling will be wrong and the
      positions will be mashed together.
      
      This also causes problems on Android if the number of slots exceeds 32.
      
      In the future, this could be handled by looking for enabled touch object
      instances and creating an input device for each one.
      Signed-off-by: default avatarNick Dyer <nick.dyer@itdev.co.uk>
      Acked-by: default avatarBenson Leung <bleung@chromium.org>
      Acked-by: default avatarYufeng Shen <miletus@chromium.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af39fa73
    • Petr Machata's avatar
      net: dcb: For wild-card lookups, use priority -1, not 0 · bde99d93
      Petr Machata authored
      [ Upstream commit 08193d1a ]
      
      The function dcb_app_lookup walks the list of specified DCB APP entries,
      looking for one that matches a given criteria: ifindex, selector,
      protocol ID and optionally also priority. The "don't care" value for
      priority is set to 0, because that priority has not been allowed under
      CEE regime, which predates the IEEE standardization.
      
      Under IEEE, 0 is a valid priority number. But because dcb_app_lookup
      considers zero a wild card, attempts to add an APP entry with priority 0
      fail when other entries exist for a given ifindex / selector / PID
      triplet.
      
      Fix by changing the wild-card value to -1.
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bde99d93
    • Nicholas Mc Guire's avatar
      MIPS: Octeon: add missing of_node_put() · 7ffa0928
      Nicholas Mc Guire authored
      [ Upstream commit b1259519 ]
      
      The call to of_find_node_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented here after the last
      usage.
      Signed-off-by: default avatarNicholas Mc Guire <hofrat@osadl.org>
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19558/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ffa0928
    • Yelena Krivosheev's avatar
      net: mvneta: fix mtu change on port without link · 3d7d5919
      Yelena Krivosheev authored
      [ Upstream commit 8466baf7 ]
      
      It is incorrect to enable TX/RX queues (call by mvneta_port_up()) for
      port without link. Indeed MTU change for interface without link causes TX
      queues to stuck.
      
      Fixes: c5aff182 ("net: mvneta: driver for Marvell Armada 370/XP
      network unit")
      Signed-off-by: default avatarYelena Krivosheev <yelena@marvell.com>
      [gregory.clement: adding Fixes tags and rewording commit log]
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d7d5919